ML23291A413

1 to Updated Final Safety Analysis Report, Chapter 3, Section 3.1, Conformance with NRC General Design Criteria
Site: Susquehanna
Issue date: 10/12/2023
From: Susquehanna
To: Office of Nuclear Reactor Regulation
Shared Package: ML23291A105
References: PLA-8081



SSES-FSAR Text Rev. 65

3.1 CONFORMANCE WITH NRC GENERAL DESIGN CRITERIA

3.1.1 SUMMARY DESCRIPTION

This section contains an evaluation of the design bases of the Susquehanna Steam Electric Station Units 1 and 2 as measured against the NRC General Design Criteria for Nuclear Power Plants, Appendix A of 10CFR50.

3.1.2 CRITERION CONFORMANCE

3.1.2.1 Overall Requirements (Group I)

3.1.2.1.1 Quality Standards and Records (Criterion 1)

Criterion

Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency, and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

Design Conformance

Structures, systems, and components important to safety are listed in Table 3.2-1.

The construction quality assurance program and operational quality assurance program are described in Appendix D of the PSAR and Chapter 17 of the FSAR, respectively, and are applied to the documents which are maintained to demonstrate that all the requirements of the quality assurance program are being satisfied. The documentation shows that appropriate codes, standards and regulatory requirements are observed, specified materials are used, correct procedures are utilized, qualified personnel are provided and that the finished parts and components meet the applicable specifications for safe and reliable operation. These records are available so that any desired item of information is retrievable for reference. These records will be maintained during the life of the operating licenses.

The Quality Assurance programs developed by PP&L and its contractors satisfy the requirements of General Design Criterion 1.

FSAR Rev. 71 3.1-1

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Plant Description: 1.2.2
3) Classification of Structures, Components, and Systems: 3.2

3.1.2.1.2 Design Basis for Protection Against Natural Phenomena (Criterion 2)

Criterion

Structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems, and components shall reflect: (1) appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena, and (3) the importance of the safety functions to be performed.

Design Conformance

All safety related structures, systems, and components are protected from or designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, and floods without loss of capability to perform their safety function. The natural phenomena and their magnitude are selected in accordance with their probability of occurrence at the Susquehanna SES site.

The designs are based upon the most severe of the natural phenomena recorded for the site, with an appropriate margin to account for uncertainties in the historical data. The natural phenomena postulated in the design are presented in Sections 2.3, 2.4, and 2.5. The design criteria for the structures, systems, and components affected by each natural phenomenon are presented in Sections 3.2, 3.3, 3.5, 3.7, and 3.8. Combinations of natural phenomena and plant-originated accidents that are considered in the design are identified in Sections 3.8, 3.9, 3.10, and 3.11.

The design bases for protection against natural phenomena are in accordance with General Design Criterion 2.

3.1.2.1.3 Fire Protection (Criterion 3)

Criterion

Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components.

Design Conformance

The plant is designed to minimize the occurrence of fire. Plant arrangement allows for isolation of known fire hazards. Nonflammable materials are used to the greatest extent practical to hinder the creation and subsequent spread of fire. Automatic and manual fire protection systems are provided throughout the plant (refer to the Fire Protection Review Report).

The fire protection system is provided with test valves and facilities for periodic testing. All equipment is accessible for periodic inspection.

Structures, systems, and components important to safety are designed to meet the requirements of Criterion 3. Fire protection systems meeting the requirements of General Design Criterion 3 are provided.

A fire protection evaluation, including a fire hazards analysis, has been performed on the fire protection program for Susquehanna SES Units 1 and 2. Results of this evaluation may be found in the Fire Protection Review Report.

3.1.2.1.4 Environmental and Dynamic Effects Design Bases (Criterion 4)

Criterion

Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit.

However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.

Design Conformance

All safety related structures, systems, and equipment are protected from, or designed to withstand, the effects of and are compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including a LOCA, assuming that non-related events do not occur simultaneously. These structures, systems, and components are appropriately protected against dynamic effects including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures and from events and conditions outside the plant.

The electrical equipment instrumentation and associated cables of the protection and engineered safety features systems which are located inside the containment are discussed in the sections listed below indicating the design requirements in terms of the time which each must survive the extreme environmental conditions following a loss-of-coolant accident.

Environmental and missile design bases are in accordance with General Design Criterion 4.

For further discussion, see the following sections:

1) Meteorology: 2.3
2) Hydrology: 2.4
3) Geology and Seismology: 2.5
4) Classification of Structures, Components and Systems: 3.2
5) Wind and Tornado Design Criteria: 3.3
6) Water Level Design Criteria: 3.4
7) Missile Protection Criteria: 3.5
8) Criteria for Protection Against Dynamic Effects Associated with a Postulated Rupture of Piping: 3.6
9) Seismic Design: 3.7
10) Design of Category I Structures: 3.8
11) Mechanical Systems and Components: 3.9
12) Seismic Qualification of Seismic Category I Instrumentation and Electrical Equipment: 3.10
13) Environmental Design of Mechanical and Electrical Equipment: 3.11
14) Integrity of Reactor Coolant Pressure Boundary: 5.2
15) Engineered Safety Features: 6.0
16) Instrumentation and Controls: 7.0
17) Electric Power: 8.0

3.1.2.1.5 Sharing of Structures, Systems, and Components (Criterion 5)

Criterion

Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.

Design Conformance

Although Susquehanna SES Units 1 and 2 share certain structures, systems, and components, sharing them does not significantly impair performance of their safety functions.

The following safety related structures are shared between both units:

Control Structure
Diesel Generator Buildings
ESSW Pumphouse
Spray Pond
Spent Fuel Pools

The safety related structures are designed to remain functional during and following the most severe natural phenomena. Therefore sharing these structures will not impair their ability to perform their safety functions.

Seismic Category I structures which house safety related systems and equipment are discussed in Section 3.8.

The shared systems which are important to safety are discussed below; a more detailed discussion may be found in the referenced Subsections:

a) Emergency Service Water System (ESWS): 9.2.5
b) Residual Heat Removal Service Water (RHRSW): 9.2.6
c) Ultimate Heat Sink (Spray Pond): 3.8.4 & 9.2.7
d) Diesel Generators: 8.3.1.4
e) Offsite Power Supplies: 8.2
f) Unit 1 AC Distribution System: 8.3.1
g) Residual Heat Removal (Fuel Pool Cooling Mode): 5.4.7.1.1.6

Emergency Service Water System (ESWS)

The ESWS is designed to:

a) Supply cooling water to the RHR pump room unit coolers and the motor bearing oil cooler of each RHR pump during all modes of operation of the RHR system.

b) Supply cooling water to all the aligned diesel generator heat exchangers, except the governor oil coolers, during emergency operation or diesel testing, whenever the diesel generators are required to operate.

c) Supply cooling water to the room coolers for the core spray pumps, the high pressure coolant injection (HPCI) pumps and the reactor core isolation cooling (RCIC) pumps to support operation of these systems.

d) Supply cooling water to the control structure chiller and the Unit 2 emergency switchgear cooling condensing unit during emergency operation.

e) During a seismic event, ESWS can also supply water to the spent fuel pools to make up for evaporative losses as needed to support the RHR fuel pool cooling mode, should the normal makeup source be unavailable.

f) Supply cooling water to the non-safety related reactor building closed cooling water heat exchanger (RBCCW) and turbine building closed cooling water heat exchanger (TBCCW), within the limitations described in Section 9.2.5 of the FSAR.

The ESW system starts automatically after the diesel generators receive their start initiation signal. The ESW system can also be started manually from either the main control room or from either of the two remote shutdown panels located in Units 1 and 2. The system consists of two loops each of which is designed to supply 100 percent of the ESW cooling requirements to both units and the common emergency diesel generators simultaneously. The system has sufficient redundancy so that a single failure of any active component, assuming a loss of offsite power, cannot impair the capability of the system to perform its safety related functions.

For additional discussion, see Subsection 9.2.5.

Residual Heat Removal Service Water System (RHRSW)

The RHRSW System is designed to supply cooling water to the RHR heat exchangers of both units. The system provides a reliable source of cooling water for all operating modes of the RHR system, including heat removal under post-accident conditions, RHR fuel pool cooling following a seismic event and also to provide water to flood the reactor core or the primary containment after an accident, should it be necessary.

The RHRSW pumps are located in the ESSW pumphouse with the ESW pumps. The ESSW pumphouse and the RHRSW system are designed as Seismic Category 1. Each redundant loop of RHRSW provides cooling to one RHR heat exchanger in each unit. The system is designed so that no single failure will prevent it from achieving its safety function.

The RHRSW is a manually operated system. This system can be operated from the control room, or in the event the control room becomes uninhabitable, from the remote shutdown panel in Unit 1 (Loop B) Reactor Building or Unit 2 (Loop A) Reactor Building.

For additional information, see Subsection 9.2.6.

Ultimate Heat Sink (Spray Pond)

The ultimate heat sink provides cooling water to support operation of the ESW and RHRSW systems during system testing, during a normal shutdown and during accident conditions. The ultimate heat sink is capable of providing sufficient cooling water without makeup to the spray pond for at least 30 days to permit simultaneous safe shutdown and cooldown of both reactor units and maintain them in a safe shutdown condition. The spray pond is capable of providing enough cooling water without makeup, for a design basis LOCA in one unit with the simultaneous shutdown of the other unit, for 30 days while assuming a concurrent SSE, single failure and loss of offsite power.

The ultimate heat sink consists of a concrete lined spray pond containing approximately 25 million gallons of water and an ESSW intake structure housing four RHRSW pumps and four ESW pumps which pump the water from the pond through their respective loops and back to the pond through a network of sprays located in the pond. The spray pond is concrete lined and is designed in accordance with seismic category 1 requirements.

For additional information, see Subsections 3.8.4.1 and 9.2.7.

Diesel Generators

Diesel Generators A, B, C and D are housed in a Seismic Category I structure. They are separated from each other by concrete walls which provide missile protection. Additionally, a spare diesel generator (Diesel Generator 'E') is provided which can be manually realigned as a replacement for any one of the other four diesel generators. Thus, any one of the other diesel generators (A, B, C or D) can be removed from service for extended maintenance and the Diesel Generator 'E' can be substituted so that there are four operable diesel generators.

Diesel Generator 'E' is housed in its own Seismic Category I structure which also provides missile protection. Loss of one of the four aligned diesel generators will not impair the capability to safely shut down both units, since this can be done with three diesel generators. For additional discussion, see Subsection 8.3.1.4.

For descriptions of the Diesel Generator Fuel Oil System, Cooling Water System, Air Starting System, Lube Oil System, and the Intake and Exhaust Systems see Subsections 9.5.4, 9.5.5, 9.5.6, 9.5.7, and 9.5.8 respectively.

For missile protection see Subsection 3.5. Separation is discussed in Sections 3.12 and 8.3.

Offsite Power Supplies

The two preferred offsite power supplies are shared by both units. The capacity of each offsite power supply is sufficient to operate the engineered safety features of one unit and safe shutdown loads of the other unit.

For additional discussion, see Section 8.2.

Unit 1 AC Distribution System

The Unit 1 AC Distribution System is a shared system between both units, since the common equipment (Emergency Service Water, Standby Gas Treatment System, Control Structure HVAC, etc.) is energized only from the Unit 1 AC Distribution System. There are no Unit 2 specific loads energized from the Unit 1 AC Distribution System. The capacity of the Unit 1 AC Distribution System is sufficient to operate the engineered safety features on one unit and the safe shutdown loads of the other unit.

Residual Heat Removal (Fuel Pool Cooling Mode)

With the Spent Fuel Pools cross-tied, one unit's RHR system can be used to cool stored spent fuel in both spent fuel pools. In the cross-tied configuration, the RHRFPC mode of one unit will draw suction from that unit's skimmer surge tank and return the cooled flow to the bottom of the unit's fuel pool. No direct flow to or from the opposite unit's fuel pool will be accomplished. With the pools cross-tied and RHRFPC in operation on one of the units, adequate cooling of both pools will be achieved. For further discussions see Subsections 5.4.7.1.1.6, 5.4.7.1.4, 9.1.3.1, and 9.1.3.3.

3.1.2.2 Protection by Multiple Fission Product Barriers (Group II)

3.1.2.2.1 Reactor Design (Criterion 10)

Criterion

The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.

Design Conformance

The reactor core components consist of fuel assemblies, control rods, in-core ion chambers, neutron sources, and related items. The mechanical design is based on conservative application of stress limits, operating experience, and experimental test results. The fuel is designed to provide high integrity over a complete range of power levels including transient conditions. The core is sized with sufficient heat transfer area and coolant flow to ensure that fuel design limits are not exceeded under normal conditions or anticipated operational occurrences.

The reactor protection system is designed to monitor certain reactor parameters, sense abnormalities, and to scram the reactor, thereby preventing fuel design limits from being exceeded when trip points are exceeded. Trip set points are selected on operating experience and by the safety design basis. There is no case in which the trip set points allow the core to exceed the thermal-hydraulic safety limits. Power for the reactor protection system is supplied by two independent high inertia AC power supplies which override short duration disturbances in the power system. Alternate power is available to each reactor protection system bus.

An analysis and evaluation has been made of the effects upon core fuel following adverse plant operating conditions. The results of abnormal operational transients are presented in Chapter 15 and show that the minimum critical power ratio (MCPR) does not fall below the transient MCPR limit, thereby satisfying the transient design basis.

The reactor core and associated coolant, control, and protection systems are designed to ensure that the specified fuel design limits are not exceeded during conditions of normal or abnormal operation and, therefore, meet the requirements of Criterion 10.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Plant Description: 1.2.2
3) Fuel Mechanical Design: 4.2
4) Nuclear Design: 4.3
5) Thermal and Hydraulic Design: 4.4
6) Reactor Recirculation System: 5.4.1
7) Reactor Core Isolation Cooling System: 5.4.6
8) Residual Heat Removal System: 5.4.7
9) Accident Analysis: 15.0

3.1.2.2.2 Reactor Inherent Protection (Criterion 11)

Criterion

The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.

Design Conformance

The reactor core is designed to have a reactivity response that regulates or damps changes in power level and spatial distributions of power production to a level consistent with safe and efficient operation.

The inherent dynamic behavior of the core is characterized in terms of: (a) fuel temperature or Doppler coefficient, (b) moderator void coefficient, and (c) moderator temperature coefficient.

The combined effect of these coefficients in the power range is termed the power coefficient.

Doppler reactivity feedback occurs simultaneously with a change in fuel temperature and opposes the power change that caused it; it contributes to system stability. Since Doppler reactivity opposes load changes, it is desirable to maintain a large ratio of moderator void coefficient to Doppler coefficient for optimum load-following capability. The boiling water reactor (BWR) has an inherently large moderator-to-Doppler coefficient ratio that permits use of coolant flow rate for load following.

In a BWR, the moderator void coefficient is of importance during operation at power. Nuclear design requires the void coefficient inside the fuel channel to be negative. The negative void reactivity coefficient provides an inherent negative feedback during power transients. Because of the large negative moderator coefficient of reactivity, the BWR has inherent advantages, such as:

a) The use of coolant flow as opposed to control rods for load following,
b) The inherent self-flattening of the radial power distribution,
c) The ease of control, and
d) The spatial xenon stability.

The reactor is designed so that the moderator temperature coefficient is small and positive in the cold condition; however, the overall power reactivity coefficient is negative. Typically, the power coefficient at full power is about -0.04 (Δk/k)/(ΔP/P) at the beginning of life and about -0.3 (Δk/k)/(ΔP/P) at 10,000 MWd/T. These values are well within the range required for adequate damping of power and spatial xenon disturbances.

The reactor core and associated coolant system are designed so that, in the power operating range, prompt inherent dynamic behavior tends to compensate for any rapid increase in reactivity in accordance with Criterion 11.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Nuclear Design: 4.3
3) Thermal and Hydraulic Design: 4.4

3.1.2.2.3 Suppression of Reactor Power Oscillations (Criterion 12)

Criterion

The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.

Design Conformance

The LaSalle instability event described in NRC Information Notice 88-39 demonstrated that reactor instability events have the potential to violate the MCPR safety limit.

The Oscillation Power Range Monitors (OPRM) provide a detection and suppression function for reactor thermal-hydraulic instabilities as described in 10 CFR 50 Appendix A, Criteria 10 and 12; BWROG reports NEDO-31960-A, NEDO-31960-A Supplement 1, and NEDO-32465-A. Additional OPRM detection and suppression descriptions are outlined in NEDC-32410P-A and NEDC-32410P-A Supplement 1. The OPRMs monitor local groups of adjacent LPRMs in "cells" as defined in NEDO-32465-A. The OPRM RPS trip function will scram the reactor when there is a reactor core thermal-hydraulic instability to ensure that the MCPR Safety Limit is not violated for anticipated instability events.

3.1.2.2.4 Instrumentation and Control (Criterion 13)

Criterion

Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

Design Conformance

The fission process is monitored and controlled for all conditions from source range through power operating range. The intermediate and power ranges of the neutron monitoring system detect core conditions that threaten the overall integrity of the fuel barrier due to excess power generation and provide a signal to the reactor protection system. Fission detectors, located in the core, are used for neutron detection. The detectors are located to provide optimum monitoring in the intermediate and power ranges.

The intermediate range monitor (IRM) monitors neutron flux from the upper portion of the source range monitor (SRM) to the lower portion of the local power range monitor (LPRM) subsystem.

The IRM is capable of generating a trip signal to scram the reactor.

The local power range monitor (LPRM) subsystem consists of fission chambers located throughout the core, the signal conditioning equipment, and trip functions. LPRM signals are also used to block rod withdrawal and to generate the necessary trip signal for reactor scram (APRM). The average power range monitors also provide post accident neutron flux information.

The reactor protection system (RPS) protects the fuel barriers and the nuclear process barrier by monitoring plant parameters and causing a reactor scram when predetermined set points are exceeded. Separation of the scram and normal rod control function prevents failures in the reactor manual control circuitry from affecting the scram circuitry.

To provide protection against the consequences of accidents involving the release of radioactive materials from the fuel and reactor coolant pressure boundary, the containment and reactor vessel isolation control system initiates automatic isolation of appropriate pipelines whenever monitored variables exceed preselected operational limits.

Nuclear system leakage limits are established so that appropriate action can be taken to ensure the integrity of the reactor coolant pressure boundary. Nuclear system leakage rates are classified as identified and unidentified, which corresponds, respectively, to the flow to the equipment drain and floor drain sumps. The permissible total leakage rate limit to these sumps is based upon the makeup capabilities of various reactor component systems. Flow integrators and recorders are used to determine the leakage flow pumped from the drain sumps. The unidentified leakage rate as established in Chapter 5 is less than the value that has been conservatively calculated to be a minimum leakage from a crack large enough to propagate rapidly, but which still allows time for identification and corrective action before integrity of the process barrier is threatened.

The process radiation monitoring system monitors radiation levels of various processes and provides trip signals to the reactor protection system and containment and reactor vessel isolation control system whenever pre-established limits are exceeded.

As noted above, adequate instrumentation has been provided to monitor system variables in the reactor core, reactor coolant pressure boundary, and reactor containment. Appropriate controls have been provided to maintain the variables in the operating range and to initiate the necessary corrective action in the event of abnormal operational occurrence or accident. These instrumentation and controls meet the requirements of Criterion 13.

For further discussion, see the following sections:

1) Principal Design Criteria ------------------------------------------------------------------------------ 1.2.1
2) Reactivity Control System ------------------------------------------------------------------------------- 4.1
3) Reactor Coolant Pressure Boundary Leakage Detection System ---------------------------- 5.2
4) Main Steamline Isolation Valves ---------------------------------------------------------------------- 5.4
5) Containment System ------------------------------------------------------------------------------------- 6.2
6) Reactor Protection System ----------------------------------------------------------------------------- 7.2
7) Primary Containment and Reactor Vessel Isolation Control System ------------------------ 7.3
8) Neutron Monitoring System ----------------------------------------------------------------------------- 7.6
9) Reactor Vessel - Instrumentation and Control ----------------------------------------------------- 7.5
10) Process Computer System ----------------------------------------------------------------------------- 7.5
11) Reactor Manual Control System ---------------------------------------------------------------------- 7.7
12) Recirculation Flow Control System ------------------------------------------------------------------- 7.7

3.1.2.2.5 Reactor Coolant Pressure Boundary (Criterion 14)

Criterion The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.

Design Conformance All NSSS components within the reactor coolant pressure boundary (RCPB) are classified as Quality Group A or ASME Code Class 1 as applicable in compliance with the codes and standards rule section 50.55a of 10 CFR 50, or as a minimum, are classified Quality Group B if the components meet the exclusion requirements 10 CFR Part 50.55a.

The piping and equipment pressure parts within the RCPB through the outer isolation valve(s) are designed, fabricated, erected, and tested to provide a high degree of integrity throughout the plant lifetime. Section 3.2 classifies systems and components within the RCPB as Quality Group A or B. The design requirements and codes and standards applied to this quality group ensure a quality product in keeping with the safety functions to be performed.

In order to minimize the possibility of brittle fracture within the RCPB, the fracture toughness properties and the operating temperature of ferritic materials are controlled to ensure adequate toughness. Subsection 5.2.3 describes the methods utilized to control toughness properties.

Materials are impact tested in accordance with ASME Boiler and Pressure Vessel Code, Section III, where applicable. Where RCPB piping penetrates the primary containment, the fracture toughness temperature requirements of the RCPB materials apply.

Piping and equipment pressure parts of the RCPB are assembled and erected by welding unless applicable codes permit flanged or screwed joints. Welding procedures are employed which produce welds of complete fusion and free of unacceptable defects. All welding procedures, welders, and welding machine operators used in producing pressure-containing welds are qualified in accordance with the requirements of Section IX of the ASME Boiler and Pressure Vessel Code for the materials to be welded. Qualification records, including the results of procedure and performance qualification tests and identification symbols assigned to each welder are maintained.

Section 5.2 contains the detailed material and examination requirements for the piping and equipment of the RCPB prior to and after its assembly and erection. Leakage testing and surveillance is accomplished as described in Criterion 30 design conformance.

The design, fabrication, erection, and testing of the RCPB ensure a low probability of failure or abnormal leakage, thus satisfying the requirements of Criterion 14.

For further discussion, see the following sections:

1) Principal Design Criteria ------------------------------------------------------------------------------ 1.2.1
2) Design Criteria - Structures, Components, Equipment, and Systems ----------------------- 3.1
3) Overpressurization Protection ------------------------------------------------------------------------- 5.2
4) Reactor Vessel and Appurtenances ------------------------------------------------------------------ 5.3
5) Reactor Recirculation System ------------------------------------------------------------------------- 5.4
6) Accident Analysis---------------------------------------------------------------------------------------- 15.0
7) Quality Assurance Program -------------------------------------------------------------------------- 17.0

3.1.2.2.6 Reactor Coolant System Design (Criterion 15)

Criterion The reactor coolant system and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.

Design Conformance The reactor coolant system consists of the reactor vessel and appurtenances, the reactor recirculation system, the nuclear system pressure relief system, the main steamlines, the reactor core isolation cooling (RCIC) system, and the residual heat removal (RHR) system.

These systems are designed, fabricated, erected, and tested to stringent quality requirements and appropriate codes and standards, which ensure high integrity of the RCPB throughout the plant lifetime. The reactor coolant system is designed and fabricated to meet the requirements of the ASME Boiler and Pressure Vessel Code, Section III as indicated in Chapter 3.

The auxiliary, control, and protection systems associated with the reactor coolant system act to provide sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational occurrences. As described in Subsection 3.1.2.2.4, instrumentation is provided to monitor essential variables to ensure that they are within prescribed operating limits. If the monitored variables exceed their predetermined settings, the auxiliary, control, and protection systems automatically respond to maintain the variables and systems within allowable design limits.

An example of the integrated protective action scheme, which provides sufficient margin to ensure that the design conditions of the RCPB are not exceeded, is the automatic initiation of the nuclear system pressure relief system upon receipt of an overpressure signal. To accomplish overpressure protection, a number of pressure-operated relief valves are provided to discharge steam from the nuclear system to the suppression pool. The nuclear system pressure relief system also provides for automatic depressurization of the nuclear system in the event of a LOCA in which the vessel is not depressurized by the accident. The depressurization of the nuclear system in this situation allows operation of the low pressure emergency core cooling systems (ECCS) to supply enough cooling water to adequately cool the core. Similarly, other auxiliary, control, and protection systems provide assurance that the design conditions of the RCPB are not exceeded during any conditions of normal operation, including anticipated operational occurrences.

The application of appropriate codes and standards and high quality requirements to the reactor coolant system and the design features of its associated auxiliary, control, and protection systems, ensure that the requirements of Criterion 15 are satisfied. For further discussion, see the following sections:

1) Principal Design Criteria ------------------------------------------------------------------------------ 1.2.1
2) Design Criteria - Structures, Components, Equipment, and Systems ----------------------- 3.1
3) Overpressurization Protection ------------------------------------------------------------------------- 5.2
4) Reactor Coolant Pressure Boundary Leakage Detection System ---------------------------- 5.2
5) Reactor Vessel --------------------------------------------------------------------------------------------- 5.3
6) Reactor Recirculation System ------------------------------------------------------------------------- 5.4
7) Accident Analysis---------------------------------------------------------------------------------------- 15.0

3.1.2.2.7 Containment Design (Criterion 16)

Criterion Reactor containment and associated systems shall be provided to establish an essentially leaktight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.

Design Conformance The primary containment system, which includes the drywell and suppression chamber, is designed, fabricated, and erected to accommodate, without failure, the pressures and temperatures resulting from the double-ended rupture or equivalent failure of any coolant pipe within the primary containment. The reactor building encompassing the primary containment provides secondary containment. The two containment systems and their associated safety systems are designed and maintained so that offsite doses, which could result from postulated design basis accidents, remain below the guideline values stated in 10 CFR 50.67 when calculated by the methods of Regulatory Guide 1.183 (July 2000). Refer to Section 3.13.1 for Regulatory Guide 1.183 compliance. Sections 6.2 and 15.1 have detailed information which demonstrates compliance with Criterion 16.

3.1.2.2.8 Electric Power Systems (Criterion 17)

Criterion An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

The onsite electric power supplies, including the batteries, and the onsite electric distribution system shall have sufficient independence, redundancy, and testability to perform their safety functions, assuming a single failure.

Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way), designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained.

Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

Design Conformance Two offsite power transmission systems and four onsite standby diesel generators (A, B, C and D) with their associated battery systems are provided. Either of the two offsite transmission power systems or any three of the four onsite standby diesel generator systems have sufficient capability to operate safety related equipment for cooling the reactor core and maintaining primary containment integrity and other vital functions in the event of a postulated accident in one unit with a safe shutdown of the other unit.

Additionally, a fifth diesel generator 'E' with its associated battery system is provided as a replacement and has the capability of supplying the emergency loading for any one of the other four diesel generators (A, B, C or D). Diesel generator 'E' must be manually aligned to replace any one of the other four diesel generators in the event of a failure.

The two independent offsite power systems supply electric power to the onsite power distribution system via the 230 kV transmission grid. Each of the offsite power sources is supplied from a transmission line which terminates in switchyards (or Substations) not common to the other transmission line. The two transmission lines are on separate rights-of-way. These two transmission circuits are physically independent and are designed to minimize the possibility of their simultaneous failure under operating and postulated accident and environment conditions.

Each offsite power source can supply all Engineered Safety Feature (ESF) buses through the associated transformers. Power is available to the ESF buses from their preferred offsite power source during normal operation and from the alternate offsite power source if the preferred power is unavailable. Each diesel generator (A, B, C, or D) supplies standby power to one of the four ESF buses in each unit. Loss of both offsite power sources to an ESF bus results in automatic starting and connection of the associated diesel generator (A, B, C, or D) within 10 seconds. Loads are progressively and sequentially added to avoid generator instabilities.

There are four independent AC load groups provided to assure independence and redundancy of equipment function. These meet the safety requirements assuming a single failure since any three of the four load groups have sufficient capacity to supply the minimum loads required to safely shut down the unit. Independent routing of the preferred and alternate offsite power source circuits to the ESF buses are provided to meet the single failure safety requirements.

For each of the four AC load groups there is an independent 125 V battery which furnishes DC control power for the corresponding load group. The four load groups are subgrouped to form two divisions to meet the design basis of one out of two ESF load requirements. For each of the two AC divisions there is an independent 250 V battery that supplies DC load power for the corresponding division.

The reactor protection system is powered from the two independent high inertia AC power supplies which override short duration disturbances in the power system.

The power systems as designed meet the requirements of Criterion 17.

For further discussion, see the following sections:

1) General Plant Description ------------------------------------------------------------------------------- 1.2
2) Seismic Qualification Design of Seismic Category I Instrumentation and Electrical Equipment -------------------------------------------------------- 3.10
3) Environmental Design of Mechanical and Electrical Equipment ---------------------------- 3.11
4) Offsite Power System ------------------------------------------------------------------------------------ 8.2
5) Onsite A-C Power Systems ----------------------------------------------------------------------------- 8.3
6) Onsite D-C Power Systems----------------------------------------------------------------------------- 8.3

3.1.2.2.9 Inspection and Testing of Electric Power Systems (Criterion 18)

Criterion Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the conditions of their components. The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system.

Design Conformance The onsite power systems, consisting of the standby diesel generators with their associated switchgear assemblies and battery systems that supply power to safety related equipment, are designed and arranged for periodic testing of each system independently. During refueling shutdowns, a test is conducted to prove the operability of the automatic starting and load sequencing capability of the standby diesel generators. The testing procedure simulates a loss of bus voltage or a safety injection signal to start each standby diesel generator and connect it to its bus. The normal loading sequence is carried out.

Full load testing of each standby diesel generator can be performed while the plant is at power by manually starting each standby generator and by manual synchronization to the normal power supply.

These tests prove the operability of the electric power systems under conditions as close to design as practical, to assess the continuity of these systems and condition of the components.

Inspection and testing of electric power systems, described in Chapters 8 and 16, conform with Criterion 18.

3.1.2.2.10 Control Room (Criterion 19)

Criterion A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.

Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

Design Conformance A control room is provided and equipped to operate the plant safely under normal and accident conditions. Control room shielding and ventilation are designed to permit operator occupancy of the control room for the duration of a design basis accident (DBA). The Criterion 19 dose limit to an individual in the control room has been revised in accordance with 10 CFR 50.67 and will not exceed 5 Rem TEDE under all accident conditions.

A remote shutdown panel for each unit is located in each reactor building, with equipment, controls, and instrumentation, provided to bring each reactor to hot standby or a cold shutdown in a safe manner. The remote shutdown panels and adjacent controls are located in areas that are physically isolated from the control room so that any event causing the main control room to become inaccessible would have no effect on the availability of the remote shutdown panels and adjacent controls. Also, equipment, controls, and instrumentation are located throughout the units to provide capability for a subsequent cold shutdown through the use of suitable procedures. The main control room and the remote shutdown panels conform with Criterion 19.

Ventilation of the main control room is described in Section 9.4, and habitability of the main control room is described in Section 6.4. Remote shutdown is discussed in Subsection 7.4.1.4.

3.1.2.3 Protection and Reactivity Control Systems (Group III)

3.1.2.3.1 Protection System Functions (Criterion 20)

Criterion The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences, and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

Design Conformance The reactor protection system is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB barrier.

Fuel damage is prevented by initiation of an automatic reactor shutdown if monitored nuclear system variables exceed pre-established limits during anticipated operational occurrences. Trip settings are selected and verified to be far enough above or below operating levels to provide proper protection but not be subject to spurious scrams. The reactor protection system includes the high inertia motor-generator power system, sensors, bypass circuitry, and switches that signal the control rod system to scram and shut down the reactor. The scrams initiated by neutron monitoring system variables, nuclear system high pressure, turbine stop valve closure, turbine control valve fast closure, main steamline isolation valve closure, and reactor vessel low water level will prevent fuel damage following abnormal operational transients. Specifically, these process parameters initiate a scram in time to prevent the core from exceeding thermal-hydraulic safety limits during abnormal operational transients. Additional scram trips are initiated by drywell high pressure and scram discharge volume high water level. Response by the reactor protection system is prompt and the total scram time is short. Control rod scram motion starts in about 200 milliseconds after the high flux set point is exceeded.

In addition to the reactor protection system, which provides for automatic shutdown of the reactor to prevent fuel damage, protection systems are provided to sense accident conditions and initiate automatically the operation of other systems and components important to safety.

Systems such as the ECCS are initiated automatically to limit the extent of fuel damage following a LOCA. Other systems automatically isolate the reactor vessel or the primary containment to prevent the release of significant amounts of radioactive materials from the fuel and the RCPB. The controls and instrumentation for the ECCS and the isolation systems are initiated automatically when monitored variables exceed preselected operational limits.

The design of the protection system satisfies the functional requirements as specified in Criterion 20.

For further discussion, see the following sections:

1) Principal Design Criteria ------------------------------------------------------------------------------ 1.2.1
2) Reactivity Control Mechanical Design --------------------------------------------------------------- 4.1
3) Control Rod Drive Housing Supports ---------------------------------------------------------------- 4.5
4) Overpressurization Protection ------------------------------------------------------------------------- 5.2
5) Main Steam Line Isolation Valves --------------------------------------------------------------------- 5.4
6) Emergency Core Cooling System --------------------------------------------------------------------- 6.3
7) Reactor Protection System ----------------------------------------------------------------------------- 7.2
8) Primary Containment and Reactor Vessel Isolation Control System ------------------------ 7.3
9) Emergency Core Cooling Systems - Instrumentation and Control --------------------------- 7.3
10) Neutron Monitoring System ----------------------------------------------------------------------------- 7.6
11) Process Radiation Monitoring System ------------------------------------------------------------- 11.5
12) Reactor Coolant Pressure Boundary Leakage Detection System - Instrumentation and Controls -------------------------------------------------------------------------- 7.6
13) Accident Analysis---------------------------------------------------------------------------------------- 15.0

3.1.2.3.2 Protection System Reliability and Testability (Criterion 21)

Criterion The protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that, (1) no single failure results in loss of the protection function, and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. see Section 8.2.

Design Conformance Reactor protection trip system design provides assurance that, through redundancy, each channel has sufficient reliability to fulfill the single-failure criterion. No single component failure, intentional bypass, maintenance operation, calibration operation, or test to verify operational availability will impair the ability of the system to perform its intended safety function.

Additionally, the system design ensures that when a scram trip point is exceeded, there is a high scram probability. However, should a scram not occur, other monitored components will scram the reactor if their trip points are exceeded. There is sufficient electrical and physical separation between channels and between trip logics monitoring the same variable to prevent environmental factors, electrical transients, and physical events from impairing the ability of the system to respond correctly.

The reactor protection trip system includes design features that permit in-service testing. This ensures the functional reliability of the system should the reactor variable exceed the corrective action set point.

The reactor protection (trip) system initiates an automatic reactor shutdown if the monitored plant variables exceed pre-established limits. Each trip system has two trip channels. An automatic or manual trip in either or both trip channels constitutes a trip system trip. A scram results when both trip systems have tripped. This logic scheme is called a one-out-of-two taken twice arrangement. The reactor protection (trip) system can be tested during reactor operation.

Manual scram testing is performed by operating one of the four manual scram controls. Two manual scram controls are associated with each trip system, one in each trip channel.

Operating one manual scram control tests one trip channel and one trip system. The total test verifies the ability to de-energize the scram pilot valve solenoids. Indicating lights verify that the actuator contacts have opened. This capability for a thorough testing program significantly increases reliability.
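The one-out-of-two taken twice logic and the manual scram test described above can be checked exhaustively with a small model. This is an added example, not part of the FSAR; the trip system names A and B, the channel names A1, A2, B1, B2, the condition labels and the function names are assumptions made for the sketch.

```python
from itertools import product

# Assumed names for this sketch: two trip systems, two trip channels each.
TRIP_SYSTEMS = {"A": ("A1", "A2"), "B": ("B1", "B2")}
CHANNELS = tuple(ch for pair in TRIP_SYSTEMS.values() for ch in pair)

# Channel conditions used by the model (labels are assumptions).
OK = "ok"                            # follows the monitored variable or manual control
STUCK_UNTRIPPED = "stuck-untripped"  # failed so that it never trips
TRIPPED = "tripped"                  # failed tripped, or held tripped for test


def evaluate(demand, condition=None, manual=()):
    """Evaluate the trip logic once.

    demand    -- True if the monitored variable exceeds its trip point
    condition -- dict of channel -> OK / STUCK_UNTRIPPED / TRIPPED (default OK)
    manual    -- channels whose manual scram control is operated
    """
    condition = condition or {}
    tripped = {}
    for ch in CHANNELS:
        state = condition.get(ch, OK)
        if state == TRIPPED:
            tripped[ch] = True
        elif state == STUCK_UNTRIPPED:
            tripped[ch] = False
        else:
            tripped[ch] = demand or ch in manual
    # One-out-of-two: a trip in either channel trips its trip system.
    systems = {name: any(tripped[ch] for ch in chans)
               for name, chans in TRIP_SYSTEMS.items()}
    # Taken twice: a scram results only when both trip systems have tripped.
    return {"channels": tripped, "systems": systems,
            "scram": all(systems.values())}


def single_failure_violations():
    """Check every single channel failure; an empty list means both hold:
    the scram still occurs on demand, and no scram occurs without demand."""
    violations = []
    for ch, state in product(CHANNELS, (STUCK_UNTRIPPED, TRIPPED)):
        if not evaluate(True, {ch: state})["scram"]:
            violations.append((ch, state, "no scram on demand"))
        if evaluate(False, {ch: state})["scram"]:
            violations.append((ch, state, "scram without demand"))
    return violations


def test_plus_single_failure_violations():
    """One channel held tripped for test while one other channel is stuck
    untripped; the scram on demand must still occur."""
    violations = []
    for under_test, failed in product(CHANNELS, CHANNELS):
        if under_test == failed:
            continue
        cond = {under_test: TRIPPED, failed: STUCK_UNTRIPPED}
        if not evaluate(True, cond)["scram"]:
            violations.append((under_test, failed))
    return violations


def manual_scram_test(channel):
    """Operate one manual scram control with no automatic trip demand."""
    return evaluate(False, manual=(channel,))


if __name__ == "__main__":
    print("single-failure violations:", single_failure_violations())
    print("test + single-failure violations:",
          test_plus_single_failure_violations())
    for ch in CHANNELS:
        result = manual_scram_test(ch)
        print(ch, "->", result["systems"], "scram:", result["scram"])
```

Operating a single manual control in the model trips one channel and one trip system without producing a scram, which matches the test described in the text.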

Control rod drive operability can be tested during normal reactor operation. Drive position indicators and in-core neutron detectors are used to verify control rod movement. Each control rod can be withdrawn one notch and then reinserted to the original position without significantly perturbing the nuclear system at most power levels. One control rod is tested at a time. Control rod mechanism overdrive demonstrates rod-to-drive coupling integrity. Hydraulic supply subsystem pressures can be observed on control room instrumentation. More importantly, the hydraulic control unit scram accumulator and the scram discharge volume level are continuously monitored.

The main steamline isolation valves may be tested during full reactor operation. Individually, they can be closed to 90 percent of full open position without affecting the reactor operation. If reactor power is reduced sufficiently, the isolation valves may be fully closed one at a time.

During refueling operation, valve leakage rates can be determined.

RHR system testing can be performed during normal operation. Main system pumps can be evaluated by taking suction from the suppression pool and discharging through test lines back to the suppression pool. System design and operating procedures also permit testing the discharge valves to the reactor recirculation loops. The low pressure coolant injection (LPCI) mode can be tested after reactor shutdown.

Each active component of the ECCS provided to operate in a design basis accident (DBA) is designed to be operable for test purposes during normal operation of the nuclear system.

The high functional reliability, redundancy, and in-service testability of the protection system satisfy the requirements specified in Criterion 21.

For further discussion, see the following sections:

1) Principal Design Criteria ------------------------------------------------------------------------------ 1.2.1
2) Reactivity Control System ------------------------------------------------------------------------------ 4.1
3) Main Steamline Isolation Valves ---------------------------------------------------------------------- 5.4
4) Residual Heat Removal System ---------------------------------------------------------------------- 5.4
5) Containment Systems ----------------------------------------------------------------------------------- 6.2
6) Emergency Core Cooling Systems ------------------------------------------------------------------- 6.3
7) Reactor Protection System ----------------------------------------------------------------------------- 7.2
8) Engineered Safety Feature Systems ----------------------------------------------------------------- 7.3
9) Accident Analysis --------------------------------------------------------------------------------------- 15.0

3.1.2.3.3 Protection System Independence (Criterion 22)

Criterion The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

Design Conformance The components of protection systems are designed so that the mechanical and thermal environment resulting from any emergency situation in which the components are required to function will not interfere with the operation of that function. Wiring for the reactor protection system outside of the control room enclosures is run in rigid metallic wireways except beneath the reactor vessel as stated in Section 8.1.6.1 (Regulatory Guide 1.75 (1/75), Part 15). No other wiring is run in these wireways. The wires from duplicate sensors on a common process tap are run in separate wireways. The system sensors are electrically and physically separated. Only one trip actuator logic circuit from each trip system is run in the same wireway.

The reactor protection system is designed to permit maintenance and diagnostic work while the reactor is operating without restricting the plant operation or hindering the output of its safety functions. The flexibility in design afforded the protection system allows operational system testing by the use of an independent trip channel for each trip logic input. When an essential monitored variable exceeds its scram trip point, it is sensed by at least two independent sensors in each trip system. Maintenance operation, calibration operation, or test, unless manually bypassed, will result in a single channel trip. This leaves at least two trip channels per monitored variable capable of initiating a scram. Thus, the arrangement of two trip channels per trip system ensures that a scram will occur as each monitored variable exceeds its scram setting.

The protection system meets the design requirements for functional and physical independence as specified in Criterion 22. For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Main Steamline Isolation Valves: 5.4
3) Residual Heat Removal System: 5.4
4) Emergency Core Cooling Systems: 6.3
5) Reactor Protection System: 7.2
6) Engineered Safety Feature Systems: 7.3
7) Accident Analysis: 15.0

3.1.2.3.4 Protection System Failure Modes (Criterion 23)

Criterion The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

Design Conformance The reactor protection system is designed to fail into a safe state. Use of an independent trip channel for each trip logic allows the system to sustain any trip channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or trip channel failure will cause a channel trip. Only one trip channel in each trip system must be actuated to initiate a scram. Maintenance operation, calibration operation, or test, unless manually bypassed, will result in a single channel trip. A failure of any one reactor protection system input or subsystem component will produce a trip in one of two channels. This condition is insufficient to produce a reactor scram, but the system is ready to perform its protective function upon another trip.

This criterion does not apply to the Alternate Rod Injection (ARI) System. A failure of a single component can prevent the ARI system from completing its function of initiating control rod injection. Failure of the ARI system or any of its components cannot prevent the RPS trip system from performing its safety-related function.

The environmental conditions in which the instrumentation and equipment of the reactor protection system must operate were considered in establishing the component specifications.

Instrumentation specifications are based on the worst expected ambient conditions in which the instruments must operate.

The failure modes of the protection system are such that it will fail into a safe state as required by Criterion 23.
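The trip logic and fail-safe behaviour described for Criteria 22 and 23 (two trip systems, two trip channels each, one tripped channel per trip system needed for a scram) can be checked exhaustively in a small model. This is an added example, not part of the FSAR; the channel names A1/A2/B1/B2, the setpoint value, and the non-fail-safe comparison design are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class State(Enum):
    NORMAL = "normal"      # sensor reading is compared with the setpoint
    FAILED = "failed"      # sensor or channel failure, loss of power, disconnection
    IN_TEST = "in_test"    # maintenance, calibration or test, not bypassed
    BYPASSED = "bypassed"  # manually bypassed: channel held untripped


SETPOINT = 100.0  # constructed value, arbitrary units
# Hypothetical channel names mapped to their trip system.
LAYOUT = {"A1": "A", "A2": "A", "B1": "B", "B2": "B"}


@dataclass(frozen=True)
class Channel:
    name: str
    trip_system: str
    state: State = State.NORMAL

    def tripped(self, reading, fail_safe=True):
        if self.state is State.IN_TEST:
            return True               # test without bypass gives a channel trip
        if self.state is State.FAILED:
            return fail_safe          # fail-safe design: a failure reads as a trip
        if self.state is State.BYPASSED:
            return False
        return reading > SETPOINT


def build_channels(overrides=None):
    """Four channels, all NORMAL unless overridden by name."""
    overrides = overrides or {}
    return [Channel(n, s, overrides.get(n, State.NORMAL)) for n, s in LAYOUT.items()]


def tripped_systems(channels, reading, fail_safe=True):
    return {c.trip_system for c in channels if c.tripped(reading, fail_safe)}


def scram(channels, reading, fail_safe=True):
    """Scram needs at least one tripped channel in every trip system."""
    return tripped_systems(channels, reading, fail_safe) == set(LAYOUT.values())


def half_scram(channels, reading, fail_safe=True):
    """Exactly one trip system tripped: not a scram, but armed for one."""
    return len(tripped_systems(channels, reading, fail_safe)) == 1


def single_fault_violations():
    """Check every single failure, test or bypass against both safety goals."""
    violations = []
    for name in LAYOUT:
        for state in (State.FAILED, State.IN_TEST, State.BYPASSED):
            chans = build_channels({name: state})
            if scram(chans, SETPOINT - 10):
                violations.append((name, state.value, "spurious scram"))
            if not scram(chans, SETPOINT + 10):
                violations.append((name, state.value, "scram lost"))
    return violations


def min_failures_losing_scram(fail_safe):
    """Smallest number of FAILED channels that blocks a needed scram, or None."""
    for k in range(1, len(LAYOUT) + 1):
        for names in combinations(LAYOUT, k):
            chans = build_channels({n: State.FAILED for n in names})
            if not scram(chans, SETPOINT + 10, fail_safe):
                return k
    return None


if __name__ == "__main__":
    one_failure = build_channels({"A1": State.FAILED})
    print("single failure, variable normal:",
          "half scram" if half_scram(one_failure, 90.0) else "other")
    print("single-fault violations:", single_fault_violations())
    print("failures needed to lose scram (fail-safe):",
          min_failures_losing_scram(True))
    print("failures needed to lose scram (not fail-safe):",
          min_failures_losing_scram(False))
```

In the model, channel failures alone never block a scram when they read as trips, whereas the hypothetical non-fail-safe variant loses the function once both channels of one trip system have failed.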

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Emergency Core Cooling Systems: 6.3
3) Reactor Protection System: 7.2
4) Engineered Safety Feature Systems: 7.3

3.1.2.3.5 Separation of Protection and Control Systems (Criterion 24)

Criterion The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

Design Conformance There is separation between the reactor protection system and the process control systems.

Sensors, trip channels, and trip logics of the reactor protection system are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system. High scram reliability is designed into the reactor protection system and hydraulic control unit for the control rod drive. The scram signal and mode of operation override all other signals.

The primary containment and reactor vessel isolation control systems are designed so that any one failure, maintenance operation, calibration operation, or test to verify operational availability will not impair the functional ability of the isolation control system to respond to essential variables.

Process radiation monitoring is provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. Four instrumentation channels are used to prevent an inadvertent scram and isolation as a result of instrumentation malfunctions. The output trip signals from each channel are combined in such a way that two channels must signal high radiation to initiate scram and main steam isolation.

The protection system is separated from control systems as required in Criterion 24.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Emergency Core Cooling System: 6.3
3) Reactor Protection System: 7.2
4) Engineered Safety Feature Systems: 7.3

3.1.2.3.6 Protection System Requirements for Reactivity Control Malfunctions (Criterion 25)

Criterion The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods.

Design Conformance The reactor protection system provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Any monitored variable which exceeds the scram set point will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails, the remaining portions of the reactor protection system shall function.

The reactor manual control system is designed so that no single failure can negate the effectiveness of a reactor scram. The circuitry for the manual control system is independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. Because each control rod is controlled as an individual unit, a failure that results in energizing any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod.

The design of the protection system ensures that specified acceptable fuel limits are not exceeded for any single malfunction of the reactivity control systems as specified in Criterion 25.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Reactivity Control System: 4.1
3) Nuclear Design: 4.3
4) Thermal and Hydraulic Design: 4.4
5) Reactor Protection System: 7.2
6) Reactor Manual Control System: 7.7
7) Accident Analysis: 15.0

3.1.2.3.7 Reactivity Control System Redundancy and Capability (Criterion 26)

Criterion Two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.

Design Conformance Two independent reactivity control systems utilizing different design principles are provided.

The normal method of reactivity control employs control rod assemblies which contain boron carbide (B4C) powder only or B4C and hafnium as neutron absorbing material. Positive insertion of these control rods is provided by means of the control rod drive hydraulic system. The control rods are capable of reliably controlling reactivity changes during normal operation (e.g., power changes, power shaping, xenon burnout, normal startup and shutdown) via operator-controlled insertions and withdrawals. The control rods are also capable of maintaining the core within acceptable fuel design limits during anticipated operational occurrences via the automatic scram function. The unlikely occurrence of a limited number of stuck rods during a scram will not adversely affect the capability to maintain the core within fuel design limits.

The circuitry for manual insertion or withdrawal of control rods is completely independent of the circuitry for reactor scram. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. Two sources of scram energy (accumulator pressure and reactor vessel pressure) provide needed scram performance over the entire range of reactor pressure, i.e., from operating conditions to cold shutdown. The design of the control rod system includes appropriate margin for malfunctions such as stuck rods in the highly unlikely event that they do occur. Control rod withdrawal sequences and patterns are selected prior to operation to achieve optimum core performance, and simultaneously, low individual rod worths. Because of the carefully planned and regulated rod withdrawal sequence, prompt shutdown of the reactor can be achieved with the insertion of a small number of the many independent control rods. In the event that a reactor scram is necessary, the unlikely occurrence of a limited number of stuck rods will not hinder the capability of the control rod system to render the core subcritical.

The second independent reactivity control system is provided by the reactor coolant recirculation system. By varying reactor flow, it is possible to effect the type of reactivity changes necessary for planned, normal power changes (including xenon burnout). In the unlikely event that reactor flow is suddenly increased to its maximum value (pump runout), the core will not exceed fuel design limits because the power flow map defines the allowable initial operating states such that the pump runout will not violate these limits.

The control rod system is capable of holding the reactor core subcritical under cold conditions, even when the control rod of highest worth is assumed to be stuck in the fully withdrawn position. This shutdown capability of the control rod system is made possible by designing the fuel with burnable poison (Gd2O3) to control the high reactivity of fresh fuel. In addition, the Standby Liquid Control System is available to add soluble boron to the core and render it subcritical, as discussed in Subsection 3.1.2.3.8.

The redundancy and capabilities of the reactivity control systems for the BWR satisfy the requirements of Criterion 26.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Reactivity Control System: 4.1
3) Engineered Safety Feature System: 7.3
4) Standby Liquid Control System - Instrumentation and Control: 7.4
5) Reactor Manual Control System: 7.7

3.1.2.3.8 Combined Reactivity Control Systems Capability (Criterion 27)

Criterion The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained.

Design Conformance There is no credible event applicable to the BWR which requires combined capability of the control rod system and poison additions by the emergency core cooling network. The BWR design is capable of maintaining the reactor core subcritical, including allowance for a stuck rod, without addition of any poison to the reactor coolant. The primary reactivity control system for the BWR during postulated accident conditions is the control rod system. Abnormalities are sensed, and, if protection system limits are reached, corrective action is initiated through automatic insertion of control rods. High integrity of the protection system is achieved through the combination of logic arrangement, actuator redundancy, power supply redundancy, and physical separation. High reliability of reactor scram is further achieved by separation of scram and manual control circuitry, individual control units for each control rod, and fail-safe design features built into the rod drive system. Response by the reactor protection system is prompt and the total scram time is short.

In the very unlikely event that more than one control rod fails to insert, and the core cannot be maintained in a subcritical condition by control rods alone as the reactor is cooled down subsequent to initial shutdown, the Standby Liquid Control System (SLCS) will be actuated to insert soluble boron into the reactor core. The SLCS has sufficient capacity to ensure that the reactor can always be maintained subcritical; and hence, only decay heat will be generated by the core which can be removed by the Residual Heat Removal System, thereby ensuring that the core will always be coolable.

The design of the reactivity control systems assures reliable control of reactivity under postulated accident conditions with appropriate margin for stuck rods. Anticipated Transients Without Scram are discussed in Section 15.8. The capability to cool the core is maintained under all postulated accident conditions; thus, Criterion 27 is satisfied.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Reactivity Control System: 4.1
3) Nuclear Design: 4.3
4) Thermal and Hydraulic Design: 4.4
5) Reactor Protection System: 7.2
6) Reactor Manual Control System: 7.7
7) Accident Analysis: 15.0

3.1.2.3.9 Reactivity Limits (Criterion 28)

Criterion The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steamline rupture, changes in reactor coolant temperature and pressure, and cold water addition.

Design Conformance The control rod system design incorporates appropriate limits on the potential amount and rate of reactivity increase. Control rod withdrawal sequences and patterns are selected to achieve optimum core performance and low individual rod worths. The rod worth minimizer system prevents withdrawal other than by the preselected rod withdrawal pattern. The rod worth minimizer system function assists the operator with an effective backup control rod monitoring routine that enforces adherence to established startup, shutdown, and low power level operations control rod procedures.

The control rod mechanical design incorporates a hydraulic velocity limiter in the control rod which prevents rapid rod ejection. This engineered safety feature protects against a high reactivity insertion rate by limiting the control rod velocity to less than or equal to 3.11 fps.

Normal rod movement is limited to 6 in. increments and the rod withdrawal rate is limited through the hydraulic valve to 3 in./sec.

The accident analysis (Chapter 15) evaluates the postulated reactivity accidents as well as abnormal operational transients. Analyses are included for rod dropout, steamline rupture, changes in reactor coolant temperature and pressure, and cold water addition. The initial conditions, assumptions, calculational models, sequences of events, and anticipated results of each postulated occurrence are covered in detail. The results of these analyses indicate that none of the postulated reactivity transients or accidents results in damage to the RCPB. In addition, the integrity of the core, its support structures, or other reactor pressure vessel internals is maintained so that the capability to cool the core is not impaired for any of the postulated reactivity accidents described in the accident analysis.

The design features of the reactivity control system, which limit the potential amount and rate of reactivity increase, ensure that Criterion 28 is satisfied for all postulated reactivity accidents.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Control Rod Drive Systems: 3.9.4
3) Reactor Core Support Structures and Internals Mechanical Design: 4.2
4) Reactivity Control System: 4.1
5) Nuclear Design: 4.3
6) Control Rod Drive Housing Supports: 4.5
7) Overpressurization Protection: 5.2
8) Reactor Vessel and Appurtenances: 5.3
9) Main Steam Line Flow Restrictor: 5.4
10) Main Steam Line Isolation Valves: 5.4
11) Process Computer System: 7.5
12) Accident Analysis: 15.0

3.1.2.3.10 Protection Against Anticipated Operational Occurrences (Criterion 29)

Criterion The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.

Design Conformance The high functional reliability of the protection and reactivity control systems is achieved through the combination of logic arrangement, redundancy, physical and electrical independence, functional separation, fail-safe design, and in-service testability. These design features are discussed in detail in Subsections 3.1.2.3.2, 3.1.2.3.3, 3.1.2.3.4, 3.1.2.3.5 and 3.1.2.3.7.

An extremely high reliability of timely response to anticipated operational occurrences is maintained by a thorough program of in-service testing and surveillance. Active components can be tested or removed from service for maintenance during reactor operation without compromising the protection or reactivity control functions even in the event of a subsequent single failure. Components important to safety, such as control rod drives, main steamline isolation valves, and RHR pumps, are tested during normal reactor operation. Functional testing and calibration schedules are developed using available failure rate data, reliability analyses, and operating experience. These schedules represent an optimization of protection and reactivity control system reliability by considering, on one hand, the failure probabilities of individual components and, on the other hand, the reliability effects during individual component testing on the portion of the system not undergoing test. The capability for in-service testing ensures the high functional reliability of protection and reactivity control systems should a reactor variable exceed the corrective action set point.

The capabilities of the protection and reactivity control systems to perform their safety functions in the event of anticipated operational occurrences are satisfied in agreement with the requirements of Criterion 29.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Main Steam Line Isolation Valves: 5.4
3) Residual Heat Removal System: 5.4
4) Containment Systems: 6.2
5) Emergency Core Cooling Systems: 6.3
6) Reactor Protection System: 7.2
7) Engineered Safety Feature Systems: 7.3
8) Accident Analysis: 15.0

3.1.2.4 Fluid Systems (Group IV)

3.1.2.4.1 Quality of Reactor Coolant Pressure Boundary (Criterion 30)

Criterion Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage.

Design Conformance By utilizing conservative design practices and detailed quality control procedures, the pressure retaining components of the RCPB are designed and fabricated to retain their integrity during normal and postulated accident conditions. Accordingly, components that comprise the RCPB are designed, fabricated, erected, and tested in accordance with recognized industry codes and standards listed in Chapter 5. Furthermore, product and process planning is provided as described in Chapter 17 (operation phase) and Appendix D of the PSAR (construction phase) to ensure conformance with the applicable codes and standards, and to retain appropriate documented evidence verifying compliance. Because the subject matter of this criterion deals with aspects of the RCPB, further discussion on this subject is treated in the response to Subsection 3.1.2.2.5.

Means are provided for detecting reactor coolant leakage. The leak detection system consists of sensors and instruments to detect, annunciate, and in some cases, isolate the RCPB from potentially hazardous leaks before predetermined limits are exceeded. Small leaks are detected by temperature and pressure changes, increased frequency of sump pump operation, and by measuring fission product concentration. In addition to these means of detection, large leaks are detected by changes in flow rates in process lines, and changes in reactor water level.

The allowable leakage rates have been based on the predicted and experimentally determined behavior of cracks in pipes, the ability to make up coolant system leakage, the normally expected background leakage due to equipment design, and the detection capability of the various sensors and instruments. The total leakage rate limit is established so that, in the absence of normal AC power with a loss of feedwater supply, makeup capabilities are provided by the RCIC system. While the RCIC system provides protection from small leaks, the ECCS network provides protection for the complete range of discharges from ruptured pipes. Thus, protection is provided for the full spectrum of possible discharges.

The RCPB and the leak detection system are designed to meet the requirements of Criterion 30.

For further discussion, see the following sections:

1) Principal Design Criteria: 1.2.1
2) Design Criteria - Structure, Components, Equipment, and Systems: 3.1
3) Overpressurization Protection: 5.2
4) Reactor Coolant Pressure Boundary Leakage Detection System: 5.2
5) Reactor Vessel and Appurtenances: 5.3
6) Reactor Recirculation System: 5.4
7) Reactor Vessel - Instrumentation and Control: 7.3
8) Reactor Coolant Pressure Boundary Leakage Detection System - Instrumentation and Control: 7.6
9) Quality Control System: 17.0

3.1.2.4.2 Fracture Prevention of Reactor Coolant Pressure Boundary (Criterion 31)

Criterion The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions (1) the boundary behaves in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of irradiation on material properties, (3) residual, steady-state and transient stresses, and (4) size of flaws.

Design Conformance Brittle fracture control of pressure retaining ferritic materials is provided to ensure protection against nonductile fracture. To minimize the possibility of brittle fracture failure of the reactor pressure vessel, the reactor pressure vessel is designed to meet the requirements of ASME Code, Section III, Appendix G, which consider material properties, steady-state and transient stresses, and the size of flaws.

The nil-ductility transition (NDT) temperature is defined as the temperature below which ferritic steel breaks in a brittle rather than ductile manner. The NDT temperature increases as a function of neutron exposure at integrated neutron exposures greater than about 1 x 10^17 nvt with neutrons of energies in excess of 1 MeV.

The reactor assembly design provides an annular space from the outermost fuel assemblies to the inner surface of the reactor vessel that serves to attenuate the fast neutron flux incident upon the reactor vessel wall. This annular volume contains the core shroud, jet pump assemblies, and reactor coolant. Assuming plant operation at rated power and availability of 100 percent for the plant lifetime, the neutron fluence at the inner surface of the vessel causes a slight shift in the transition temperature. Expected shifts in transition temperature during design life as a result of environmental conditions, such as neutron flux, are considered in the design.

Operational limitations assume that NDT temperature shifts are accounted for in the reactor operation.

The RCPB is designed, maintained, and tested such that adequate assurance is provided that the boundary will behave in a nonbrittle manner throughout the life of the plant. Therefore, the RCPB is in conformance with Criterion 31.

For further discussion, see the following sections:

1) Design Criteria - Structures, Components, Equipment, and Systems: 3.1
2) Material Considerations: 5.2
3) Reactor Vessel and Appurtenances: 5.3

3.1.2.4.3 Inspection of Reactor Coolant Pressure Boundary (Criterion 32)

Criterion Components which are part of the reactor coolant pressure boundary shall be designed to permit (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program for the reactor pressure vessel.

Design Conformance The reactor pressure vessel design and engineering effort includes provisions for in-service inspection. Removable plugs in the reactor shield and/or removable panels in the insulation provide access for examination of the vessel and its appurtenances. Also, removable insulation is provided on the reactor coolant system safety relief valves, recirculation system, and on the main steam and feedwater systems extending out to and including the first isolation valve outside the containment. Inspection of the RCPB is in accordance with the ASME Boiler and Pressure Vessel Code, Section XI. Subsection 5.2.4 defines the in-service inspection plan, access provisions, and areas of restricted access.

The reactor recirculation piping and main steam piping are hydrostatically tested, with the reactor pressure vessel at a test pressure that is in accordance with Section III of the ASME Code.

Vessel material surveillance samples are located within the reactor pressure vessel. The program includes specimens of the base metal, weld metal, and heat affected zone metal.

The plant testing and inspection program ensures that the requirements of Criterion 32 will be met.

For further discussion, see the following sections:

1) Design Criteria - Structures, Components, Equipment, and Systems: 3.1
2) Reactor Coolant Pressure Boundary Leakage Detection System: 5.2
3) In-service Inspection: 5.2.4
4) Reactor Vessel and Appurtenances: 5.3
5) Reactor Recirculation System: 5.4

3.1.2.4.4 Reactor Coolant Makeup (Criterion 33)

Criterion A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary. The system shall be designed to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation.

Design Conformance The plant is designed to provide ample reactor coolant makeup for protection against small leaks in the RCPB for anticipated operational occurrences and postulated accident conditions.

The design of these systems meets the requirements of Criterion 33.

For further discussion, see the following sections:

1) Reactor Coolant Pressure Boundary Leakage Detection Systems: 5.2
2) Emergency Core Cooling System: 6.3
3) Reactor Vessel - Instrumentation and Control: 7.3
4) Makeup Demineralizer System: 9.2
5) Condensate Storage and Transfer System: 9.2

3.1.2.4.5 Residual Heat Removal (Criterion 34)

Criterion A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Design Conformance The RHR system provides the means to remove decay heat and residual heat from the nuclear system so that refueling and nuclear system servicing can be performed.

Major RHR system equipment consists of two heat exchangers and four main system pumps.

The equipment is connected by associated valves and piping, and the controls and instrumentation are provided for proper system operation.

Two independent loops are located in separate protected areas.

The RHR system is designed for four modes of operation:

a) Shutdown cooling
b) Suppression pool cooling (also containment spray)
c) Low pressure coolant injection
d) Fuel Pool Cooling

Both normal AC power and the auxiliary onsite power system provide adequate power to operate all the auxiliary loads necessary for plant operation. The power sources for the plant auxiliary power system are sufficient in number, and of such electrical and physical independence that no single probable event could interrupt all auxiliary power at one time.

However, in the event of a loss of offsite power, all normal AC power and auxiliary onsite power will be interrupted.

The plant auxiliary buses supplying power to engineered safety features and reactor protection systems and auxiliaries required for safe shutdown are connected by appropriate switching to the four aligned standby diesel-driven generators located in the plant. Each power source, up to the point of its connection to the auxiliary power buses, is capable of complete and rapid isolation from any other source.

Loads important to plant operation and safety are split and diversified between switchgear sections, and means are provided for detection and isolation of system faults.

The plant layout is designed to effect physical separation of essential bus sections, standby generators, switchgear, interconnections, feeders, power centers, motor control centers, and other system components.

Four standby diesel generators (A, B, C, and D) and a spare diesel generator (E), which can be manually realigned as a replacement for any one of the other four diesel generators, are provided. These diesel generators supply a source of electrical power which is self-contained within the plant and is not dependent on external sources of supply. The standby generators produce AC power at a voltage and frequency compatible with the normal bus requirements for essential equipment within the plant. The standby diesel generator system is highly reliable.

Any three aligned diesel generators are adequate to start and carry the essential loads required for a safe and orderly shutdown.

The RHR system is adequate to remove residual heat from the reactor core to ensure fuel and RCPB design limits are not exceeded. Two RHR cooling loops are designed to provide the normal RHR shutdown cooling (SDC) function. When operating in this mode, both of the SDC loops take suction from the reactor vessel via the reactor recirculation system (RRS) "Loop B" suction piping. Either loop is capable of bringing the reactor to a safe shutdown condition. In the event of a loss of the normal SDC suction flow path from the RRS "B" Loop, an alternate SDC function of RHR can be aligned to bring the unit to safe shutdown. Refer to Section 5.4 of the FSAR for additional information.

Use of RHR in the Fuel Pool Cooling mode will not adversely impact the ability of RHR to perform reactor core cooling functions as discussed in Subsections 5.4.7.1.1.6, 5.4.7.2.6c, 9.1.3.1c and 9.1.3.3. Redundant onsite electric power systems are provided. The design of the RHR system, including its power supply, meets the requirements of Criterion 34.

For further discussion, see the following sections:

1) Residual Heat Removal System: 5.4
2) Emergency Core Cooling Systems: 6.3
3) Emergency Core Cooling Systems - Instrumentation and Control: 7.3
4) Auxiliary Power System: 8.3
5) Standby AC Power Supply and Distribution: 8.3
6) ESW and RHRSW: 9.2
7) Accident Analysis: 15.0

3.1.2.4.6 Emergency Core Cooling (Criterion 35)

Criterion A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Design Conformance The Emergency Core Cooling Systems (ECCS) consist of the following:

a) High Pressure Coolant Injection (HPCI) System
b) Automatic Depressurization System (ADS)
c) Core Spray (CS) System
d) Low Pressure Coolant Injection (LPCI) (an operating mode of the RHR system)

The ECCS are designed to limit fuel cladding temperature over the complete spectrum of design break sizes in the RCPB, including a complete and sudden circumferential rupture of the largest pipe connected to the reactor vessel.

The HPCI system consists of a steam turbine, a constant-flow pump, system piping, valves, controls and instrumentation. The HPCI system is provided to ensure that the reactor core is adequately cooled to prevent excessive fuel clad temperatures for breaks in the nuclear system that do not result in rapid depressurization of the reactor vessel. A source of water is available from either the condensate storage tank or the suppression pool.

The Automatic Depressurization System functions to reduce the reactor pressure so that flow from LPCI and CS enters the reactor vessel in time to cool the core and prevent excessive fuel clad temperature. The Automatic Depressurization System uses several of the nuclear system pressure relief valves to relieve the high pressure steam to the suppression pool.

Each of two Core Spray Systems consists of two centrifugal pumps that can be powered by normal auxiliary power or the standby a-c power system; a spray sparger in the reactor vessel, piping and valves to convey water from the suppression pool to the sparger; and associated controls and instrumentation. In case of low water level in the reactor vessel or high pressure in the drywell and low reactor vessel pressure, the core spray system automatically sprays water onto the top of the fuel assemblies in time and at a sufficient flow rate to cool the core and prevent excessive fuel temperature. The LPCI system starts from the same signals which initiate the CS System and operates independently to achieve the same objective by flooding the reactor vessel.

In case of low water level in the reactor or high pressure in the drywell and low reactor vessel pressure, the LPCI mode of operation of the RHR System pumps water into the reactor vessel in time to flood the core and prevent excessive fuel temperature. Protection provided by LPCI extends to a small break, where the Automatic Depressurization System operates to lower the reactor vessel pressure.

Results of the performance of the ECCS for the entire spectrum of line breaks are discussed in Section 6.3. Peak cladding temperatures are below the 2200°F design basis.

Also provided in Section 6.3 is an analysis to show that the ECCS conform to 10 CFR 50, Appendix K. This analysis shows complete compliance with the final acceptance criteria with the following results:

a) Peak clad temperatures are below the 2200°F NRC acceptability limit,
b) The amount of fuel cladding reacting with steam is below the 1 percent acceptability limit,
c) The clad temperature transient is terminated while core geometry is amenable to cooling, and
d) The core temperature is reduced and the decay heat can be removed for an extended period.

The redundancy and capability of the onsite electrical power systems for the ECCS are represented in Subsection 3.1.2.4.5.

The ECCS provided are adequate to prevent fuel and clad damage that could interfere with effective core cooling and to limit clad metal-water reaction to a negligible amount. The design of the ECCS, including their power supply, meets the requirements of Criterion 35.

For further discussion, see the following sections:

1) Residual Heat Removal System: 5.4
2) Suppression Pool: 6.2
3) Emergency Core Cooling Systems: 6.3
4) Emergency Core Cooling Systems - Instrumentation and Control: 7.3
5) Auxiliary Power Systems: 8.3
6) Standby AC Power Supply and Distribution: 8.3
7) ESW and RHRSW Systems: 9.2
8) Accident Analysis: 15.0

3.1.2.4.7 Inspection of Emergency Core Cooling System (Criterion 36)

Criterion The emergency core cooling system shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping, to assure the integrity and capability of the system.

Design Conformance The ECCS discussed in Subsection 3.1.2.4.6 include in-service inspection considerations. The spray spargers within the vessel are accessible for inspection during each refueling outage.

The primary shield wall and RPV insulation allow access for examination of nozzles.

Removable insulation is provided on the ECCS piping out to and including the first isolation valve outside the primary containment. Inspection of the ECCS is in accordance with the intent of Section XI of the ASME Code. Section 5.2 defines the in-service inspection plan, access provisions, and areas of restricted access.

During plant operations, the pumps, valves, piping, instrumentation, wiring, and other components outside the drywell can be visually inspected at any time. Components inside the drywell can be inspected when the drywell is open for access. When the reactor vessel is open, for refueling or other purposes, the spargers and other internals can be inspected. Portions of the ECCS that are part of the RCPB are designed to specifications for in-service inspection, to detect defects that might affect the cooling performance. Particular attention will be given to the reactor nozzles, CS, and feedwater spargers. The design of the reactor vessel and internals for in-service inspection, and the plant testing and inspection program, ensure that the requirements of Criterion 36 will be met.

For further discussion, see the following sections:

1) Reactor Core Support Structures and Internals Mechanical Design: 4.2
2) In-service Inspection Program (RCPB): 5.2
3) Reactor Vessel and Appurtenances: 5.3
4) Emergency Core Cooling Systems: 6.3
5) In-service Inspection of Class 2 and 3 Components: 6.6

3.1.2.4.8 Testing of Emergency Core Cooling System (Criterion 37)

Criterion The ECCS shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Design Conformance The ECCS consists of the HPCI system, ADS, LPCI mode of the RHR system, and CS system.

Each of these systems is provided with sufficient test connections and isolation valves to permit appropriate periodic pressure testing to ensure the structural and leaktight integrity of its components.

The HPCI, CS, LPCI, and the ADS are designed to permit periodic testing to ensure the operability and performance of the active components of each system.

The pumps and valves of these systems will be tested periodically to verify operability. Flow rate tests will be conducted on CS, LPCI, and HPCI systems.

All the ECCS will be tested to verify the performance of the full operational sequence that brings each system into operation. The operation of the associated cooling water systems is discussed in Subsection 3.1.2.4.15. It is concluded that the requirements of Criterion 37 are met.

For further discussion, see the following sections:

1) In-service Testing of Pumps and Valves: 3.9
2) Overpressurization Protection: 5.2
3) ECCS Inspection and Testing: 6.3
4) ECCS - Instrumentation and Control: 7.3
5) Standby AC Power System: 8.3
6) Technical Specifications: 16.0

3.1.2.4.9 Containment Heat Removal (Criterion 38)

Criterion A system to remove heat from the reactor containment shall be provided. The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Design Conformance In the event of a LOCA the pressure suppression system will rapidly condense the steam to prevent containment overpressure. The containment feature of pressure suppression employs two separate compartmented sections of the primary containment: the drywell that houses the nuclear system, and the suppression chamber containing a large volume of water. Any increase in pressure in the drywell from a leak in the nuclear system is relieved below the surface of the suppression pool by connecting vent lines, thereby condensing steam being released or formed by flashing, in the drywell. The pressure buildup in the suppression chamber is equalized with the drywell by a vent line and vacuum breaker arrangement. Cooling systems remove heat from the reactor core, the drywell, and the suppression pool during accident conditions, and thus provide continuous cooling of the primary containment.

The ECCS is actuated to provide core cooling in the event of a LOCA. Low water level in the reactor vessel or high pressure in the drywell will initiate the ECCS to prevent excessive fuel temperature. Sufficient water is provided in the suppression pool to accommodate the initial energy that can transiently be released into the drywell from the postulated pipe failure.

The suppression chamber is sized to contain this water plus the water displaced from the reactor primary system together with the free air initially contained in the drywell.

Either or both RHR heat exchangers can be manually activated to remove energy from the containment. The redundancy and capability of the offsite and onsite electrical power systems for the residual heat removal system are presented in Criterion 34 design conformance.

The pressure suppression system is capable of rapid containment pressure and temperature reduction following a LOCA so that design limits are not exceeded. Redundant offsite and onsite electrical power systems ensure that system safety functions can be accomplished. The design of the containment heat removal system meets the requirements of Criterion 38.

For further discussion, see the following sections:

1) Residual Heat Removal System: 5.4
2) Containment Systems: 6.2
3) Emergency Core Cooling Systems: 6.3
4) Emergency Core Cooling Systems Control and Instrumentation: 7.3
5) Auxiliary Power System: 8.3
6) Standby AC Power Supply and Distribution: 8.3
7) ESW and RHRSW Systems: 9.2
8) Accident Analysis: 15.0

3.1.2.4.10 Inspection of Containment Heat Removal System (Criterion 39)

Criterion The containment heat removal system shall be designed to permit appropriate periodic inspection of important components, such as the torus, sumps, spray nozzles, and piping to assure the integrity and capability of the system.

Design Conformance Provisions are made to facilitate periodic inspections of active components and other important equipment of the containment heat removal system. During plant operations, the pumps, valves, piping, instrumentation, wiring, and other components outside the primary containment can be visually inspected at any time and will be inspected periodically. The testing frequencies of most components will be correlated with the component inspection.

The pressure suppression pool is designed to permit appropriate periodic inspection. Space is provided for inspection and maintenance.

The containment heat removal system is designed to permit periodic inspection of major components. This design meets the requirements of Criterion 39.

For further discussion, see the following sections:

1) Residual Heat Removal System: 5.4
2) Containment Systems: 6.2
3) Emergency Core Cooling Systems: 6.3
4) ESW and RHRSW Systems: 9.2

3.1.2.4.11 Testing of Containment Heat Removal System (Criterion 40)

Criterion The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole, and, under conditions as close to the design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Design Conformance The containment heat removal function is accomplished by the containment cooling mode of the RHR system.

The RHR system is provided with sufficient test connections and isolation valves to permit periodic pressure and flow rate testing.

The pumps and valves of the RHR will be operated periodically to verify operability. The containment cooling mode is not automatically initiated, but operation of the components is periodically verified. The operation of associated cooling water systems is discussed in Subsections 9.2.5 and 9.2.6. It is concluded that the requirements of Criterion 40 are met.

3.1.2.4.12 Containment Atmosphere Cleanup (Criterion 41)

Criterion Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained.

Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure.

Design Conformance Fission products, hydrogen, oxygen, and other substances released from the reactor are contained within the primary containment. Leakage from the primary containment during normal plant operation enters the reactor building (secondary containment). This leakage is discharged from the reactor building through the exhaust system during normal operation. Leakage from the primary containment following the LOCA is limited by the Standby Gas Treatment System (SGTS) (Subsection 6.5.1) and the Main Steam Isolation Valve - Leakage Isolated Condenser Treatment Method (Section 6.7) such that the dose guidelines of 10 CFR 50.67 are not exceeded. Leakage from primary containment which bypasses secondary containment is maintained within the dose analysis limits as discussed in Subsection 6.2.3.2.3. An air recirculation system is provided to cool and mix the drywell atmosphere during normal operation, and mix the drywell air following a LOCA. The containment atmosphere is also inerted during normal plant operation.

The air recirculation system has sufficient redundancy to be able to withstand a single failure and is operable from either onsite or offsite power.

The SGTS system has redundancy and will meet the single failure criteria imposed by Regulatory Guide 1.52, Design, Testing, and Maintenance Criteria for Engineering-Safety-Feature Atmosphere Cleanup system Air Filtration and Adsorption Units of Light-Water-Nuclear Cooled Power Plants, Revision 1 with either onsite or offsite power.

3.1.2.4.13 Inspection of Containment Atmosphere Cleanup Systems (Criterion 42)

Criterion The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.

Design Conformance The SGTS and purge systems are designed to permit appropriate periodic inspection of the important components (Subsections 6.5.1 and 6.2.5, respectively).

3.1.2.4.14 Testing of Containment Atmosphere Cleanup Systems (Criterion 43)

Criterion The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems such as fans, filters, dampers, pumps, and valves, and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated systems.

Design Conformance The SGTS and purge systems are designed to permit periodic pressure and functional testing of their components (Subsections 6.5.1 and 6.2.5, respectively).

3.1.2.4.15 Cooling Water (Criterion 44)

Criterion A system to transfer heat from structures, systems, and components important to safety to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems, and components under normal operating and accident conditions.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power operation (assuming onsite power is not available) the system's safety function can be accomplished, assuming a single failure.

Design Conformance The emergency safeguard service water system, which comprises both the Emergency Service Water system and the Residual Heat Removal Service Water system, provides cooling water for the removal of excess heat from structures, systems, and components which are necessary to maintain safety during all abnormal and accident conditions. These include the standby diesel generators, the RHR pump motor bearing oil coolers, the core spray pump room unit coolers, RCIC pump room unit coolers, the HPCI pump room unit coolers, the RHR heat exchangers, RHR pump room unit coolers, Unit 2 DX Unit, and the control structure chiller. It also provides water to the RHR pump motor bearing oil coolers and above mentioned room unit coolers during a Seismic Event to support operation of the RHR Fuel Pool Cooling (RHR FPC) mode.

Make-up water to the Spent Fuel Pool (SFP) is provided during a seismic event in order to make up for evaporative losses and filling of the SFP in support of RHRFPC. RHRSW provides the cooling water to the RHR heat exchangers for the RHRFPC mode.

The engineered safeguard service water system is designed to Seismic Category I requirements. Redundant safety related components served by the engineered safeguard service water system are supplied through redundant supply headers and returned through redundant discharge or return lines. Electric power for operation of redundant safety related components of this system is supplied from separate independent offsite and redundant onsite standby power sources. No single failure renders these systems incapable of performing their safety functions.

Referenced Subsections are as follows:

1) AC Power Systems: 8.3.1
2) Emergency Service Water System: 9.2.5
3) RHR Service Water System: 9.2.6
4) Ultimate Heat Sink: 9.2.7

3.1.2.4.16 Inspection of Cooling Water System (Criterion 45)

Criterion The cooling water system shall be designed to permit appropriate periodic inspection of important components, such as heat exchangers and piping, to assure the integrity and capability of the system.

Design Conformance The engineered safeguard service water systems (ESW and RHRSW Systems) are designed to permit appropriate periodic inspection in order to ensure the integrity of system components.

Referenced Subsections are as follows:

1) Emergency Service Water System: 9.2.5
2) RHR Service Water System: 9.2.6

3.1.2.4.17 Testing of Cooling Water System (Criterion 46)

Criterion The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.

Design Conformance The emergency safeguard service water system is in operation during normal shutdown. The system is tested once per month when the diesel generators are tested. These systems are designed to the extent practicable to permit demonstration of operability of the systems as required for operation during a LOCA or a loss of offsite power.

Referenced Subsections are as follows:

1) Emergency Service Water System: 9.2.5
2) RHR Service Water System: 9.2.6

3.1.2.5 Reactor Containment (Group V)

3.1.2.5.1 Containment Design Basis (Criterion 50)

Criterion The reactor containment structure, including access openings, penetrations, and the containment heat removal system, shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident. This margin shall reflect consideration of (1) the effects of potential energy sources which have not been included in the determination of the peak conditions, such as energy in steam generators and, as required by 10 CFR 50.44, energy from metal-water and other chemical reactions that may result from degradation, but not total failure, of emergency core cooling functioning, (2) the limited experience and experimental data available for defining accident phenomena and containment responses, and (3) the conservatism of the calculational model and input parameters.

Design Conformance The primary containment structure, including access openings, penetrations and the containment heat removal system, is designed so that the containment structure and its internal compartments can withstand, without exceeding the design leakage rate, the peak accident pressure and temperature that could occur during any postulated LOCA. Sections 3.8 and 6.2 have detailed information that demonstrates compliance with Criterion 50.

3.1.2.5.2 Fracture Prevention of Containment Pressure Boundary (Criterion 51)

Criterion The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing, and postulated accident conditions (1) its ferritic materials behave in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions, and the uncertainties in determining (1) material properties, (2) residual, steady state, and transient stresses, and (3) size of flaws.

Design Conformance The primary containment boundary is designed to the load combination shown in Section 3.8, which covers the operational, testing, and postulated accident conditions. Each condition results in a stress level that is related to its corresponding temperature and is the basis for comparison with the allowable limits.

The ferritic steel used for the primary containment boundary is specified so that the toughness of the material meets the above established conditions. Adequate toughness at 0°F or lower has been verified by drop weight tear testing or by Charpy V-notch testing to demonstrate minimum energy absorption of ASME III, Table N-421. This will ensure nonbrittle behavior and minimize the probability of a rapidly propagating fracture under the above established conditions.

The weld procedure qualification ensures that the toughness of the weld metal and heat affected zones follow the same criteria as for the base metal.

Since the primary containment is located within the reactor building the possibility of brittle fracture of ferritic material under low temperature is considerably reduced.

Additional information on compliance with GDC 51 has been provided in letters from Mr. N. W. Curtis to Mr. A. Schwencer (NRC) dated June 16 and July 16, 1981.

3.1.2.5.3 Capability for Containment Leakage Rate Testing (Criterion 52)

Criterion The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure.

Design Conformance The primary containment structure and related equipment, which are subjected to containment test conditions, are designed so that periodic integrated leakage rate testing, as described in Subsection 6.2.6, can be conducted at containment design pressure.

3.1.2.5.4 Provisions for Containment Testing and Inspection (Criterion 53)

Criterion The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leak tightness of penetrations which have resilient seals and expansion bellows.

Design Conformance The primary containment is designed to permit appropriate periodic inspection of all penetrations. The design includes provisions for periodic testing at containment design pressure of the leaktightness of all electrical penetrations, the drywell head and access hatches, as described in Subsection 6.2.6. The process line penetrations are of welded steel construction without expansion bellows, gaskets, or sealing compounds and are an integral part of the construction. They are tested during the containment integrated leak rate tests. Separate leak tests of the process line penetrations are therefore not considered necessary.

The above design provisions, in conjunction with the leakage monitoring system as described in Subsection 6.2.6, allow appropriate surveillance of the leaktight conditions inside the primary containment.

3.1.2.5.5 Piping Systems Penetrating Containment (Criterion 54)

Criterion Piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities having redundancy, reliability and performance capabilities which reflect the importance to safety of isolating these piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus and to determine if valve leakage is within acceptable limits.

Design Conformance Piping systems penetrating the primary containment are provided with isolation valves. The only exception is the penetration for instrument piping associated with the containment pressure monitors. Compliance for these instrument lines is discussed in Subsection 6.2.4.3.5.

Provisions, as described in Subsection 6.2.1, are made to permit leakage testing of the isolation valves. Isolation valves are discussed in Sections 7.3 and 6.2.4.

Major leaks in the pipes are located by increased temperature, radiation, and/or drain sump flow. Isolation signals are discussed in Section 7.3.

3.1.2.5.6 Reactor Coolant Pressure Boundary Penetrating Containment (Criterion 55)

Criterion Each line that is part of the reactor coolant pressure boundary and that penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or
2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or
3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or
4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to the containment as practical and, upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.

Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety. Determination of the appropriateness of these requirements, such as higher quality in design, fabrication, and testing, additional provisions for in-service inspection, protection against more severe natural phenomena, and additional isolation valves and containment, shall include consideration of the population density, use characteristics, and physical characteristics of the site environs.

Design Conformance The reactor coolant pressure boundary (as defined in 10 CFR 50, Section 50.2) consists of the reactor pressure vessel, pressure retaining appurtenances attached to the vessel, valves and pipes which extend from the reactor pressure vessel up to and including the outermost containment isolation valve. The lines of the reactor coolant pressure boundary which penetrate the containment have suitable isolation valves capable of isolating the containment thereby precluding any significant release of radioactivity. Similarly for lines which do not penetrate the containment but which form a portion of the reactor coolant pressure boundary, the design ensures that isolation of the reactor coolant pressure boundary can be achieved.

The design of the isolation systems detailed in the sections listed below meets the requirements of Criterion 55.

For further discussion, see the following sections:

1) Integrity of Reactor Coolant Pressure Boundary: 5.2
2) Containment Isolation Systems: 6.2
3) Instrumentation and Controls: 7.0
4) Accident Analysis: 15.0
5) Technical Specifications: 16.0

3.1.2.5.7 Primary Containment Isolation (Criterion 56)

Criterion Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

1) One locked closed isolation valve inside and one locked closed isolation valve outside containment, or
2) One automatic isolation valve inside and one locked closed isolation valve outside containment, or
3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment, or
4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.

Design Conformance The system-by-system conformance to the requirements of Criterion 56 is presented in Subsection 6.2.4.

3.1.2.5.8 Closed System Isolation Valves (Criterion 57)

Criterion Each line that penetrates primary reactor containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one containment isolation valve which shall be either automatic, locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.

Design Conformance The system-by-system conformance to the requirements of Criterion 57 is presented in Subsection 6.2.4.

3.1.2.6 Fuel and Radioactivity Control (Group VI)

3.1.2.6.1 Control of Releases of Radioactive Materials to the Environment (Criterion 60)

Criterion The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. Sufficient holdup capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.

Design Conformance In all cases, the design for radioactivity control is (a) on the basis of the requirements of 10 CFR 20, 10 CFR 50, and applicable regulations for normal operations and for any transient situation that might reasonably be anticipated to occur and (b) on the basis of 10 CFR 50.67 dosage level guidelines for potential accidents of exceedingly low probability of occurrences. All releases are expected to be reported consistent with Regulatory Guide 1.21 (Refer to Section 3.13.1 for Regulatory Guide 1.21 compliance).

The activity level of waste gas effluents is substantially reduced by differential holdup of noble gases from the offgas system in charcoal decay beds and filtration of particulates before release at the plant exhaust duct.

Control of liquid waste effluents is maintained by batch processing of all liquids, sampling before discharge, and controlled rate of release. Liquid effluents are monitored for radioactivity and rate of flow. Radioactive liquid waste system tankage and evaporator capacity are sufficient to handle any expected transient in the processing of liquid waste volume.

Solid wastes are prepared for offsite disposal by approved procedures. Solid wastes are prepared for shipment by placement in shielded and reinforced containers which meet applicable NRC and Department of Transportation requirements (Section 11.5).

The reference sections are:

1) Liquid Waste System: 11.2
2) Gaseous Waste Systems: 11.3
3) Process and Effluent Radiological Monitoring System: 11.5
4) Solid Waste System: 11.4
5) Accident Analysis: 15.0

3.1.2.6.2 Fuel Storage and Handling and Radioactivity Control (Criterion 61)

Criterion The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. These systems shall be designed, (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection, (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions.

Design Conformance

New Fuel Storage

New fuel is placed in dry storage in the new fuel storage vault that is located inside the reactor building. The storage vault within the reactor building provides adequate shielding for radiation protection. Storage racks preclude accidental criticality (see Subsection 3.1.2.6.3). The new fuel storage racks do not require any special inspection and testing for nuclear safety purposes.

However, the racks are accessible for periodic inspection.

Spent Fuel Handling and Storage

Irradiated fuel is stored submerged in the spent fuel storage pool located in the reactor building.

Fuel pool water is circulated through the fuel pool cooling and cleanup system to maintain fuel pool water temperature, purity, water clarity, and water level. Storage racks preclude accidental criticality (see Subsection 3.1.2.6.3).

Reliable decay heat removal is provided by the fuel pool cooling and cleanup system. The pool water is circulated through the system with suction taken from the pool and is discharged through diffusers at the bottom of the fuel pool. Pool water temperature is maintained below 125°F when removing the Maximum Normal Heat Load (MNHL) from the pool with the service water temperature at its maximum design value. The RHR system with its substantially larger heat removal capacity can be used as a backup for fuel pool cooling when heat loads larger than the capability of the Fuel Pool Cooling System(s) are in the Spent Fuel Pool(s).

RHR also provides reliable decay heat removal to the spent fuel pool(s) in the event the normal fuel pool cooling system is lost due to a seismic event. Operation of RHR Fuel Pool Cooling (RHRFPC) mode will provide Seismic Category I, Class 1E cooling to the spent fuel pool(s) so that boiling of the Spent Fuel Pool(s) does not occur as a result of a seismic event. ESW provides Seismic Category I, Class 1E make-up in support of RHRFPC.

High and low level switches indicate pool water level changes in the main control room. Fission product concentration in the pool water is minimized by use of the filters and demineralizer.

This minimizes the release from the pool to the reactor building.

The reactor building ventilation system and the secondary containment are designed to limit the release of radioactive materials to the environs and ensure that offsite doses are less than the limiting values specified in 10 CFR 50.67 during operation and all accident conditions.

No special tests of the fuel pool cooling and cleanup system are required, because at least one pump and heat exchanger are continuously in operation while fuel is stored in the pool.

Duplicate units are operated periodically to handle high heat loads or to replace a unit for servicing. Routine visual inspection of the system components, instrumentation, and trouble alarms are adequate to verify system operability. Testing of the RHRFPC mode is accomplished through routine testing of the pumps and heat exchangers in support of other modes of RHR. The valves supporting the RHRFPC mode are routinely stroked to confirm proper operation of the valves for their RHRFPC mission.

Independent Spent Fuel Storage Facility

An additional on site spent fuel storage facility is provided for storage requirements in excess of the capacity of the Spent Fuel Storage Pools. The Independent Spent Fuel Storage Installation (ISFSI) is designed, constructed, and licensed in accordance with the requirements of 10 CFR 72. The ISFSI is the NUHOMS Dry Storage System along with the Holtec HI-STORM FW Dry Fuel Storage System as described in Section 11.7. Handling of spent fuel stored at the ISFSI is in the Reactor Building and is designed to preclude criticality and to maintain adequate shielding and cooling for spent fuel.

Radioactive Waste Systems

The radioactive waste systems provide all equipment necessary to collect, process, and prepare for disposal all radioactive liquids, gases, and solid waste produced as a result of reactor operation.

Liquid radwastes are classified, contained, and treated as high or low conductivity, chemical, detergent, sludges, or concentrated wastes. Processing includes filtration, ion exchange, analysis, and dilution. Liquid wastes are also evaporated and sludge is accumulated for disposal as solid radwaste. Wet solid wastes are solidified and packaged in steel liners and high integrity containers. Dry solid radwastes are compressed and packaged in steel drums.

Gaseous radwastes are monitored, processed, recorded, and controlled, and released such that radiation doses to persons outside the controlled area are below those allowed by applicable regulations.

Accessible portions of the spent fuel pool area and radwaste building have sufficient shielding to maintain dose rates within the limits set forth in 10 CFR 20 and 10 CFR 50. The radwaste building is designed to preclude accidental release of radioactive materials to the environs above those allowed by the applicable regulations.

The radwaste systems are used on a routine basis and do not require specific testing to ensure operability. Performance is monitored by radiation monitors during operation.

The fuel storage and handling, and radioactive waste systems are designed to ensure adequate safety under normal and postulated accident conditions. The design of these systems meets the requirements of Criterion 61.

For further discussion, see the following sections:

1) Residual Heat Removal System: 5.4
2) Containment Systems: 6.2
3) New Fuel Storage: 9.1
4) Spent Fuel Storage: 9.1
5) Fuel Pool Cooling and Cleanup System: 9.1
6) Air Conditioning, Heating, Cooling and Ventilation Systems: 9.4
7) Radioactive Waste Management: 11.0
8) Radiation Protection: 12.0
9) Independent Spent Fuel Storage Installation (ISFSI): 11.7

3.1.2.6.3 Prevention of Criticality in Fuel Storage and Handling (Criterion 62)

Criterion Criticality in the fuel storage and handling system shall be prevented by physical systems or processes, preferably by use of geometrically safe configurations.

Design Conformance Appropriate plant fuel handling and storage facilities are provided to preclude accidental criticality for new and spent fuel. Criticality in the new fuel storage vault is prevented by the geometrically safe configuration of the storage rack. Criticality in the spent fuel pool is prevented by poison cans containing Boral slabs between adjacent fuel assemblies. The new and spent fuel racks are Seismic Category I structures.

The dry storage of spent fuel in a Dry Shielded Canister (DSC) in a Horizontal Storage Module (HSM) or in a Holtec Multi-Purpose Canister (MPC) in a HI-STORM FW overpack at the Independent Spent Fuel Storage Installation (ISFSI) meets the requirements of 10 CFR 72.124, i.e., nuclear criticality safety criteria.

New fuel is placed in dry storage in the top-loaded new fuel storage vault. This vault contains a drain to prevent the accumulation of water. The new fuel storage vault racks (located inside the secondary containment) are designed to prevent an accidental critical array, even if the vault becomes flooded or subjected to seismic loadings. The center to center new fuel assembly spacing limits the effective multiplication factor (k-eff) of the array to less than or equal to 0.95 for dry or fully flooded conditions.

Spent fuel is stored under water in the spent fuel storage pool and is stored dry at the ISFSI.

New fuel can be stored in the spent fuel pool in a dry or wet condition. The top loading racks, which store spent and new fuel assemblies, are designed and arranged to ensure subcriticality in the storage pool racks. Spent and new fuel is maintained at a subcritical multiplication factor (k-eff) of less than 0.95 under normal and abnormal conditions. Abnormal conditions may result from an earthquake, accidental dropping of equipment, or damage caused by the horizontal movement of fuel handling equipment without first disengaging the fuel from the hoisting equipment.

Refueling interlocks include circuitry which senses conditions of the refueling equipment and the control rods. These interlocks reinforce operational procedures that prohibit making the reactor critical. The fuel handling system is designed to provide a safe, effective means of transporting and handling fuel and is designed to minimize the possibility of mishandling or maloperation.

The use of geometrically safe configurations for new and spent fuel storage, the design of fuel handling systems, and the poison control method of the spent fuel storage racks preclude accidental criticality in accordance with Criterion 62.

For further discussion, see the following sections:

1) Refueling Interlocks: 7.6
2) New Fuel Storage Racks: 9.1
3) Spent Fuel Storage Racks: 9.1
4) Independent Spent Fuel Storage Installation (ISFSI): 11.7

3.1.2.6.4 Monitoring Fuel and Waste Storage (Criterion 63)

Criterion Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas, (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels, and (2) to initiate appropriate safety actions.

Design Conformance Appropriate systems have been provided to meet the requirements of this criterion. A malfunction of the fuel pool cooling and cleanup system that could result in loss of residual heat removal capability and excessive radiation levels is alarmed in the main control room. Alarmed conditions include high/low fuel pool level and high fuel pool temperature. The refueling floor ventilation exhaust radiation monitoring system detects abnormal amounts of radioactivity and initiates appropriate action to control the release of radioactive material to the environs.

The dry storage of spent fuel in a Dry Shielded Canister (DSC) in a Horizontal Storage Module (HSM) or in a Holtec Multi-Purpose Canister (MPC) in a HI-STORM FW overpack at the Independent Spent Fuel Storage Installation (ISFSI) meets the requirements of 10 CFR 72.125, i.e., radiological protection criteria and 10 CFR 72.126, i.e., criteria for spent fuel, high-level radioactive waste and other radioactive waste storage and handling.

Area radiation and sump levels are monitored and alarmed to give indication of conditions that may result in excessive radiation levels in radioactive waste system areas. These systems satisfy the requirements of Criterion 63.

For further discussion, see the following sections:

1) Fuel Storage and Handling: 9.1
2) Liquid Waste Systems: 11.2
3) Gaseous Waste Systems: 11.3
4) Solid Waste Systems: 11.4
5) Process Radiation Monitoring: 11.5
6) Low Level Radwaste Holding Facility (LLRWHF): 11.6
7) Independent Spent Fuel Storage Installation (ISFSI): 11.7

3.1.2.6.5 Monitoring Radioactivity Releases (Criterion 64)

Criterion Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.

Design Conformance Means have been provided for monitoring radioactivity releases resulting from normal and anticipated operational occurrences. The following station releases are monitored:

a) Liquid discharge to the discharge pipe
b) Reactor building ventilation
c) Radwaste building ventilation
d) Turbine building ventilation
e) SGTS vent

The drywell atmosphere is continuously monitored during normal and transient operations, using a continuous airborne radioactivity monitoring system (Section 12.3). In the event of an accident, samples of drywell atmosphere are obtained from the drywell air sample vacuum pump line to provide data on existing airborne radioactivity concentrations inside the drywell.

The areas contiguous to the secondary containment, such as the turbine building, are monitored by ventilation air sample particulate and gas monitors. Radioactivity levels in the normal plant effluent discharge paths and in the environs are continuously monitored during normal and accident conditions by the various radiation monitoring systems (Sections 12.3 and 11.4) and by the offsite radiological monitoring programs.

The Radioactive Effluent Release Report covering the operation of the unit during the previous year shall be submitted prior to May 1 of each year in accordance with 10 CFR 50.36a. The report shall include a summary of the quantities of radioactive liquid and gaseous effluents and solid waste released from the unit. The material provided shall be consistent with the objectives outlined in the ODCM and Process Control Program and in conformance with 10 CFR 50.36a and 10 CFR Part 50, Appendix I, Section IV.B.1.

For further discussion of the means and equipment used for monitoring radioactivity releases, see the following sections:

1) Reactor Coolant Pressure Boundary Leakage Detection System: 5.2
2) Containment and Reactor Vessel Isolation Control System: 7.3
3) Radioactive Waste Management: 11.0
4) Airborne Radioactivity Monitoring: 12.3