ML16256A171: Difference between revisions

Line 2: Line 2:
| number = ML16256A171
| number = ML16256A171
| issue date = 08/25/2016
| issue date = 08/25/2016
| title = Waterford Steam Electric Station, Unit 3, Revision 309 to Final Safety Analysis Report, Chapter 3, Design Of Structures, Components Equipment And Systems, Section 3.1
| title = Revision 309 to Final Safety Analysis Report, Chapter 3, Design of Structures, Components Equipment and Systems, Section 3.1
| author name =  
| author name =  
| author affiliation = Entergy Operations, Inc
| author affiliation = Entergy Operations, Inc
Line 15: Line 15:
| page count = 39
| page count = 39
}}
}}
=Text=
{{#Wiki_filter:WSES-FSAR-UNIT-3 3.1-1
3.0 DESIGN OF STRUCTURES, COMPONENTS EQUIPMENT AND SYSTEMS
3.1 CONFORMANCE WITH NRC GENERAL DESIGN CRITERIA
The following sections discuss conformance with the NRC "General Design Criteria for Nuclear Power Plants" as specified in Appendix A to 10CFR50 effective May 21, 1971 and subsequently amended July 7, 1971. Based on the content herein, the applicant concludes that Waterford 3 fully satisfies and is in compliance with the General Design Criteria.
3.1.1 CRITERION 1 - QUALITY STANDARDS AND RECORDS
CRITERION:
Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection and testing of structures, systems and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.
RESPONSE:
Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. The structures, systems, and components important to safety are listed in Table 3.2-1. Recognized codes and standards are applied to the equipment in these classifications as necessary to assure a quality product in keeping with the required safety function. The total quality assurance program is described in the QA Program Manual and is applied to the safety class 1, 2 and 3, and seismic Category I items contained in this table. The intent of the quality assurance program is to assure sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. In addition, the program assures adherence to specified standards of workmanship and implementation of applicable codes and standards in fabrication and construction. It also includes the observance of proper preoperational and operational testing and maintenance procedures (Chapter 14) as well as the documentation of the foregoing by keeping appropriate records. The total quality assurance program of the applicant and its principal contractors meets the quality-related requirements of Appendix B to 10CFR50.
Records are maintained which demonstrate that the requirements of the quality assurance program are satisfied. This documentation shows that appropriate codes, standards and regulatory requirements are observed, specified materials are used, correct procedures are utilized, qualified personnel are provided and that the finished parts and components meet the applicable specifications for safe and reliable operation. These records are available so that any desired item of information is retrievable for reference. These records of the design, fabrication, erection and testing of structures, systems and components important to safety are maintained as required by the LP&L quality assurance program.
3.1.2 CRITERION 2 - DESIGN BASES FOR PROTECTION AGAINST NATURAL PHENOMENA
CRITERION:
Structures, systems and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems and components shall reflect: (1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and, (3) the importance of the safety functions to be performed.
RESPONSE:
The integrity of systems, structures and components important to safety is included in the reactor facilities design evaluations. The structures, systems and components important to safety are designed to withstand the effects of natural phenomena without loss of capability to perform their safety functions. Those structures, systems and components vital to the shutdown capability of the reactor are designed to withstand the maximum probable natural phenomenon expected at the site determined from recorded data for the site vicinity with appropriate margin to account for uncertainties in historical data. Those structures, systems and components vital to the mitigation and control of incident conditions are designed to withstand the effects of a loss-of-coolant accident coincident with the effects of the safe shutdown earthquake. The structures, systems, and components important to safety are listed in Table 3.2-1.
For further discussion, see the following sections: 2.3 Meteorology, 2.4 Hydrologic Engineering, 2.5 Geology, Seismology and Geotechnical Engineering, 3.2 Classification of Structures, Components and Systems, 3.3 Wind and Tornado Loadings, 3.4 Water Level (Flood) Design, 3.5 Missile Protection, 3.7 Seismic Design, 3.8 Design of Category I Structures, 3.9 Mechanical Systems and Components, 3.10 Seismic Qualification of Seismic Category I Instrumentation and Electrical Equipment, and 3.11 Environmental Design of Mechanical and Electrical Equipment.
WSES-FSAR-UNIT-3 3.1-3 Revision 11 (05/01)
3.1.3 CRITERION 3 - FIRE PROTECTION
CRITERION:
Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Non-combustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control rooms. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components.
RESPONSE:
Non-combustible and fire resistant materials are used wherever practical throughout the facility, particularly in areas containing critical portions of the plant such as containment structure, control room and components of the Engineered Safety Features Systems.
Safety-related systems are designed and located to minimize the effect of fires or explosions on redundant components.
Facilities for the storage of combustible material are designed to minimize both the probability and the effects of a fire.
Equipment and facilities for fire protection, including detection, alarm and extinguishment are provided to protect both plant and personnel from fire or explosion and the resultant release of toxic vapors. Both wet and dry type fire-fighting equipment are provided.
(DRN 99-1017) Normal fire protection is provided by preaction systems, deluge systems, wet pipe sprinkler systems, hose lines and portable extinguishers. (DRN 99-1017)
The Fire Protection System is designed such that a failure of any component of the system will not impair the ability of redundant equipment to safely shut down and isolate the reactor or limit the release of radioactivity to the environment in the event of a postulated accident.
The Fire Protection Systems are provided with test hose valves for periodic testing. All equipment is accessible for periodic inspection.
Fire protection for cable systems is discussed in Subsection 8.3.3 and the Plant Fire Protection System in Subsection 9.5.1.
WSES-FSAR-UNIT-3 3.1-4 Revision 14 (12/05)
3.1.4 CRITERION 4 - ENVIRONMENTAL AND MISSILE DESIGN BASES
CRITERION:
Structures, systems and components important to safety shall be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents including Loss-of-Coolant Accidents (LOCA). These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping and discharging fluids that may result from equipment failures and from events and conditions outside the nuclear power unit. (DRN 03-2056, R14) However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping. (DRN 03-2056, R14)
RESPONSE:
Structures, systems and components important to safety are designed to accommodate the effects and to be compatible with the pressure, temperature, humidity, chemical and radiation conditions associated with normal operation, maintenance, testing, and postulated accidents, including a loss-of-coolant accident in the area in which they are located. Protective walls and slabs, local missile shielding, or restraining devices are provided to protect the containment and Engineered Safety Features Systems within and without the containment against damage from missiles generated by equipment failures. The concrete enclosing the Reactor Coolant System serves as radiation shielding and as an effective barrier against internal missiles. Local missile barriers are provided for control element drive mechanisms. Penetrations and piping extending to and including isolation valves are protected from damage due to pipe whipping, and are protected from damage by external missiles, where such protection is necessary to meet the design bases. Non-seismic category piping is arranged or restrained so that failure of any non-seismic category piping will not cause radioactivity to be released to the environment nor prevent essential seismic Category I structures or equipment from mitigating the consequences of such an accident. Seismic Category I piping has been arranged or restrained such that, in the event of rupture of a seismic Category I pipe which causes a loss-of-coolant accident, resulting pipe movement will not result in loss of containment integrity and adequate Engineered Safety Features Systems operation will be maintained. The containment interior structure is designed to sustain dynamic load which could result from failure in major equipment and piping, such as jet thrust, jet impingement, and local pressure transients, where containment integrity is needed to cope with the conditions. (DRN 00-1172) The external concrete shield protects the steel containment vessel from damage due to external missiles such as tornado propelled missiles. The functional capability of any safety related structures, systems or components located outdoors (e.g., cooling towers) are designed for protection against externally generated missiles, or shown that their failure is not credible because tornado induced failure modes are considered improbable as mentioned in section 3.5.1.4.1. (DRN 00-1172) (DRN 03-2056, R14)
In 1987, the Commission modified GDC 4 to allow crediting of a leak-before-break (LBB) technology for an exclusion from the design basis of dynamic effects. Since this time, Waterford 3 has credited the LBB technology for various plant modifications. See Sections 3.6.2 and 3.6.3 of the SAR for additional discussion of LBB. (DRN 03-2056, R14)
WSES-FSAR-UNIT-3  3.1-5 Revision 305 (11/11)
(EC-19087, R305)
(EC-19087, R305)
For those components which are required to operate under extreme conditions such as design seismic loads or containment post accident environmental conditions, the manufacturers submit type test, operational or calculational data which substantiate this capability of the equipment.
For further discussion, refer to the following sections: 3.3 Wind and Tornado Loadings, 3.4 Water Level (Flood) Design, 3.5 Missile Protection, 3.6 Protection Against Dynamic Effects Associated with the Postulated Rupture of Piping, 3.7 Seismic Design, 3.8 Design of Category I Structures, 3.11 Environmental Design of Mechanical and Electrical Equipment, and 6.0 Engineered Safety Features.
3.1.5 CRITERION 5 - SHARING OF STRUCTURES, SYSTEMS AND COMPONENTS
CRITERION:
Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.
RESPONSE:
As per the Louisiana Power & Light letter (LPL-362) of October 19, 1971 to Dr P.A. Morris (then with the AEC), Unit No. 4 is no longer being considered for construction; therefore, this criterion is not applicable.
3.1.6  CRITERION 10 - REACTOR DESIGN
CRITERION:
The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.
RESPONSE:
In ANSI N18.2, Nuclear Safety Criterion for the Design of Pressurized Water Reactor Plants (January 1973), plant conditions are categorized in accordance with their anticipated frequency of occurrence and risk to the public, and design requirements are given for each of the four categories. The categories covered by this criterion are Condition I - Normal Operation and Condition II - Faults of Moderate Frequency.
The design requirement for Condition I is that margin shall be provided between any plant parameter and the value of that parameter which would require either automatic or manual protective action. This condition is met by providing an adequate control system (refer to Section 7-7). The design requirement for Condition II is that such faults shall be accommodated with, at most, a shutdown of the reactor, with the plant capable of returning to operation after corrective action. On Waterford 3, this condition is met by providing an adequate protective system (refer to Section 7.2 and Chapter 15).
Specified acceptable fuel design limits are stated in Subsection 4.4.1.
Operating limits, to ensure specified acceptable fuel design limits are met, are prescribed in the Technical Specifications (limiting conditions for operations) which support Chapters 4 and 15. Operator action, aided by the control systems and monitored by plant instrumentation, maintains the plant within technical specification limitations. For further discussion see the following sections: 4.2.1 Reactor Fuel, 5.0 Reactor Coolant, 5.4.7 Decay Heat Removal, 7.2 Reactor Protective System.
3.1.7 CRITERION 11 - REACTOR INHERENT PROTECTION
CRITERION:
The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.
RESPONSE:
In the power operating range, the combined response of the fuel temperature coefficient, the moderator temperature coefficient, the moderator void coefficient, and the moderator pressure coefficient to an increase in reactor power in the power operating range is a decrease in reactivity, i.e., the inherent nuclear feedback characteristics are not positive.
The reactivity coefficients for this reactor are listed in Table 4.3-4 and are discussed in detail in Section 4.3.
3.1.8 CRITERION 12 - SUPPRESSION OF REACTOR POWER OSCILLATIONS
CRITERION:
The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.
WSES-FSAR-UNIT-3  3.1-7 Revision 309 (06/16)
RESPONSE:
Power level oscillations will not occur. The effect of the negative power coefficient of reactivity (refer to Criterion 11), together with the coolant temperature program maintained by control element assemblies (CEAs) and soluble boron, provide fundamental mode stability. Power level is monitored continuously by neutron flux detectors (refer to Chapter 7) and by reactor coolant temperature difference measuring devices. (LBDCR 13-014, R309)
Power distribution oscillations are detected by neutron flux detectors.
Axial node oscillations are suppressed by means of CEAs. Radial oscillations are expected to be convergent. It is a design objective that azimuthal xenon oscillations be convergent. Monitoring and protective requirements imposed by Criterion 10 and 20 are discussed in those responses and in Chapter 4. (LBDCR 13-014, R309)
3.1.9 CRITERION 13 - INSTRUMENTATION AND CONTROL
CRITERION:
Instrumentation and control shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.
RESPONSE:
Instrumentation is provided to monitor significant process variables that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary (RCPB), and the containment and its associated systems. Controls are provided for the purpose of maintaining these variables within the limits prescribed for safe operation.
The principal process variables to be monitored and controlled are neutron level (reactor power), axial neutron flux shape, CEA position, reactor coolant temperature, reactor coolant pump speed, pressurizer liquid level and pressure, and steam generator level and pressure. Indication is provided for all parameters required for normal operation and accident conditions.
The Plant Protection System (PPS) consists of the Reactor Protective System (RPS) and the Engineered Safety Features Actuation System (ESFAS). The RPS monitors the reactor operating conditions and effects reliable and rapid reactor trip if any monitored variable or combination of monitored variables deviates from the permissible operating range to a degree that a safety limit may be reached (refer to Section 7.2). The ESFAS monitors plant operating conditions and initiates ESF operation in the event of a certain postulated accident (refer to Section 7.3).
WSES-FSAR-UNIT-3 3.1-8 Revision 8 (5/96)
The non-nuclear safety grade Core Operating Limit Supervisory System (COLSS) aids the operator with an independent indication of the proximity to specified core operating limits and an alarm when one of these limits is reached.
In-core instrumentation is provided to supplement information on core power distribution and to provide a means for calibration of out-of-core flux detectors.
Instrumentation is provided to monitor plant variables and systems under post-accident conditions and to follow the course of the accident, as described in Section 7.5.
The instrumentation and control systems are described in detail in Chapter 7.
3.1.10 CRITERION 14 - REACTOR COOLANT PRESSURE BOUNDARY
CRITERION:
The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.
RESPONSE:
Reactor Coolant System (RCS) components are designed in accordance with ASME Code, Section III, Division 1. The establishment and implementation of operating quality control, inspection, and testing as required by this standard and allowable reactor pressure-temperature operations within allowable limits, ensure the integrity of the RCS.
The RCPB accommodates system pressures and temperatures attained under all expected modes of unit operation including all anticipated transients, and maintains the stresses within applicable stress limits.
Piping and equipment pressure parts of the RCPB are usually assembled and erected by welding. Flanged, screwed or compression joints, when used, are in compliance with applicable codes. Welding procedures are employed which produce welds of complete fusion and free of unacceptable defects. All welding procedures, welders and welding machine operators are qualified in accordance with the requirements of Section IX of the ASME Boiler and Pressure Vessel Code for the materials to be welded. Qualification records, including the results of procedure and performance qualification tests and identification symbols assigned to each welder are maintained.
The pressure boundary has provisions for in-service inspection in accordance with Section XI of the ASME Boiler and Pressure Vessel Code, to ensure the continued structural and leaktight integrity of the boundary (see also response to Criterion 32 and Subsection 5.2.4). For the reactor vessel, a material surveillance program conforming with the requirements of Appendix H to 10CFR50 is given in Subsection 5.3-1-6.
Means are provided to detect significant leakage from the RCPB with monitoring readouts and alarms in the control room, as discussed in Subsection 5.2.5.
3.1.11 CRITERION 15 - REACTOR COOLANT SYSTEM DESIGN
CRITERION:
The Reactor Coolant System and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.
RESPONSE:
The design criteria and bases for the RCPB are described in the response to Criterion 14.
The operating conditions established for normal steady and transient plant operations are discussed in Chapter 5. The normal operating limits are selected so that an adequate margin exists between them and the design limits. The plant control systems maintain the plant variables well within the established operating limits. Plant transient response characteristics and pressure and temperature distributions during normal operations are considered in the design as well as the accuracy and response of the instruments and controls.
These design techniques ensure that a satisfactory margin is maintained between the plant's normal operating conditions, including design transients, and the design limits for the RCPB.
The RPS minimizes the deviation from normal operating limits in the event of anticipated operational occurrences (ANSI N18.2 Condition II occurrences). Analyses for this plant show that the design limits for the RCPB are not exceeded in the event of any ANSI N18.2 Condition II occurrence: Faults of Moderate Frequency.
For further discussion refer to the following sections: 5.2 Integrity of Reactor Coolant Pressure Boundary, 5.4.1 Reactor Coolant Pumps, and 7.2 Reactor Trip System.
3.1.12 CRITERION 16 - CONTAINMENT DESIGN
CRITERION:
Reactor containment and associated systems shall be provided to establish an essentially leaktight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.
RESPONSE:
The Containment System is designed to provide for protection of the public from the consequences of a loss-of-coolant accident, based on a postulated break of the reactor coolant piping up to and including a double-ended break of the largest reactor coolant pipe.
The containment vessel, Shield Building, and the Engineered Safety Features Systems are designed to safely withstand all internal and external environmental conditions that may reasonably be expected to occur during the life of the plant, including both short and long term effects following a loss-of-coolant accident. Due consideration has been given to all site factors and local environment as they relate to public health and safety. For further discussion, see the following sections: 3.8.4.1.1 Shield Building, 3.8.2 Design of Steel Containment, 6.2 Containment Systems, 15.0 Accident Analysis.
3.1.13 CRITERION 17 - ELECTRIC POWER SYSTEMS
CRITERION:
An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.
The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.
Electric power from the transmission network to the onsite electric distribution system shall be supplied by two, physically-independent circuits (not necessarily on separate right-of-ways) designed and located so as to minimize, to the extent practical, the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained.
Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
RESPONSE:
A summary description of the electric power system is provided in Section 8.1. Full descriptions of the offsite and onsite power systems are included in Sections 8.2 and 8.3, respectively. All onsite emergency and vital equipment, as required to meet the safety function defined above, is redundant, with each division fed from separate and independent engineered safety feature (ESF) buses.
WSES-FSAR-UNIT-33.1-11 Revision 11-A (02/02)
Alternate power systems are provided as follows:
a) Several 230 kV transmission lines, any of which is capable of supplying power for the engineered safety features in the event of loss of auxiliary transformer power.
b) Two half-capacity auxiliary transformers directly connected to the main generator 25 kV isolated phase bus to supply power for the unit under normal operating conditions. The transformers also provide auxiliary power to the unit when the main generator is disconnected from the 230 kV system and the unit is carrying its own auxiliaries.
c) Two half-capacity start-up transformers to provide start-up power and full capacity standby auxiliaries service (engineered safety features loads) from the 230 kV switchyard.
d) Two independent on-site diesel generator sources are each capable of supplying 100 percent power for one of the two redundant Engineered Safety Features System trains in the event of a loss of auxiliary transformer power and start-up transformer power. (DRN 00-1121)
The Transmission System will provide reliable sources of offsite power for supplying the station auxiliary power system for plant start-up, shutdown, or at any time that power is unavailable from the station main generator. All transmission lines approach the plant along a common right-of-way, on independent structure. Although in the same right-of-way, the two lines are spaced sufficiently far apart that a falling transmission tower cannot involve the other line. (DRN 00-1121)
In the event of a loss of all offsite power sources, standby onsite diesel generators and station batteries provide the necessary power for safe shutdown or, in the event of an incident, to restrict the consequences to within acceptable limits. Both the onsite ESF dc and standby ac power systems consist of redundant and independent power sources and distribution systems such that a single failure will not prevent either system from performing its safety functions.
A review of systems stability is performed to confirm that a very small probability exists of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.
3.1.14 CRITERION 18 - INSPECTION AND TESTING OF ELECTRICAL POWER SYSTEMS
CRITERION:
Electrical power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features such as wiring, insulation, connections, and switchboards to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system.
RESPONSE:
Electrical power systems important to safety are designed to permit appropriate periodic inspection and testing of important areas and features such as wiring, insulation, connections, and switchboards to assess the continuity of the systems and to detect deterioration, if any, of their components. Capability is provided to periodically test the operability and functional performance of the components of the systems. The diesel generators are started and loaded periodically on a routine basis and relays, switches, and buses are inspected and tested for operation and availability on an individual basis. (DRN 00-1121)
Transfers from normal to emergency sources of power are made to check the operability of the systems and the full operational sequence that brings the systems into operation. (DRN 00-1121)
For those components which are required to operate under extreme conditions, such as design earthquake seismic loads or containment post-accident environment parameters, the manufacturers submit type test, operational or calculational data which substantiates this capability of the equipment (refer to Sections 3.10 and 3.11).
For further discussion, refer to the following Subsections: 8.3.1.2 Analysis of AC Power Systems, 8.3.2.2 Analysis of DC Power Systems, Technical Specification (Emergency Power System Periodic Tests).
3.1.15 CRITERION 19 - CONTROL ROOM

CRITERION:
A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.
Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the
reactor through the use of suitable procedures.
RESPONSE: Following proven power plant design philosophy, all control stations, switches, controllers and indicators necessary to operate and shut down the nuclear unit and maintain safe control of the facility are located in one common control room.
(DRN 99-1095, R11; 00-1032, R11-A; 00-1121, R11-A)
The design of the main control room (Section 6.4) permits safe occupancy during abnormal conditions without personnel receiving radiation exposure in excess of five rem whole body or its equivalent.
Shielding is designed to maintain tolerable radiation exposure levels (see Section 12.1) in the main control room for postulated accident conditions, including a loss-of-coolant accident. The main control
room is pressurized relative to the outside atmosphere following the occurrence of a radiological accident. Food, water and other habitability systems are provided for main control room personnel for the duration of any postulated accident. Positive air pressure is maintained in the main control room after receipt of a safety injection actuation signal or a high radiation signal. The Main Control Room Air Conditioning System is provided with radiation and toxic chemical detectors and alarms. The main control room is isolated during a postulated toxic chemical accident. Provisions are made for main control room air to be recirculated through high-efficiency particulate and charcoal filters following any accident. Emergency lighting is provided (see Subsection 9.5.3). (DRN 99-1095, R11; 00-1032, R11-A; 00-1121, R11-A)
Alternate controls and instruments at a location outside the main control room are available for those items of equipment required to bring the plant to, and maintain it in, a hot standby condition. It is also possible to reach a cold shutdown condition from locations outside of the main control room in a reasonable period of time through the use of suitable procedures (see Subsection 7.4.1).

3.1.16 CRITERION 20 - PROTECTION SYSTEM FUNCTIONS

CRITERION:
The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to
initiate the operation of systems and components important to safety.
RESPONSE: (DRN 04-1095, R14) A Plant Protection System (PPS) is provided to monitor reactor and plant operating conditions and automatically initiate a reactor trip when the monitored variable or combination of variables approach specified limiting safety system settings. These limiting safety system settings are selected to ensure that the design basis anticipated operational occurrences do not cause acceptable fuel design limits (peak fuel centerline temperature and departure from nucleate boiling ratio (DNBR)) to be exceeded. Section 7.2 describes specific reactor trips and provides the list of anticipated operational occurrences accommodated. (DRN 04-1095, R14)

Reactor trip is accomplished by de-energizing the control element drive mechanism (CEDM) holding latch coils through the interruption of the CEDM power supply. The control element assemblies (CEAs) are thus released to drop into the core, rapidly inserting negative reactivity to shut down the reactor. The CEDMs are described in Subsection 3.9.4. The PPS also functions to monitor certain accident conditions and automatically initiate various required Engineered Safety Features Systems and their support systems when the monitored variables reach their set points. The parameters that automatically actuate ESF are described in Section 7.3. Controls are provided for manual actuation of ESF. (DRN 04-1095, R14)
The specified acceptable fuel design limits on peak fuel centerline temperature and DNBR are intended to enforce the principal thermal hydraulic design basis given in Subsection 4.4.1, i.e., the avoidance of thermally-induced fuel damage during normal steady-state operation and during anticipated operational occurrences. The specified acceptable fuel design limit on peak fuel centerline temperature is specifically
intended to prevent fuel melting. Clad strain limits are not explicitly addressed by the specified acceptable fuel design limits on peak fuel centerline temperature and minimum DNBR. However, the specified acceptable fuel design limits, in conjunction with the limiting conditions for operation, define possible reactor operating conditions that are
considered in the calculation of clad strain. (DRN 04-1095, R14)

3.1.17 CRITERION 21 - PROTECTION SYSTEM RELIABILITY AND TESTABILITY

CRITERION:
The protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to
determine failures and losses of redundancy that may have occurred.
RESPONSE: The PPS is designed to provide high functional reliability and in-service testability. The protection system is designed to comply with the requirements of IEEE Standard 279-1971. No single failure will result in the loss of the protection function. The protection channels are independent, e.g., with respect to piping, wire routing, mounting, and supply of power. This independence permits testing and the removal from service of any component or channel without loss of the protection function. Each channel of the PPS, from the sensors up to the final actuation device, is capable of being checked by comparison of outputs of similar channels that are presented on indicators and/or recorders on the control board. Trip units and logic are tested by inserting a signal into the measurement channel ahead of the readout and, upon application of trip level input, observing that a signal passes through the trip unit and the logic to the logic output relays. The logic output relays are tested individually for initiation of trip action. The parallel trip circuit breakers that supply power to the CEDM holding coils may be tested during reactor operation without effecting a reactor trip.

The benefit of a system that includes four independent and redundant channels is that the system can be operated, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criteria. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic testing or maintenance. The system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance or testing.

Plant Protection System reliability and testability are discussed in Subsections 7.2.2 and 7.3.2.

3.1.18 CRITERION 22 - PROTECTION SYSTEM INDEPENDENCE

CRITERION:
The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or basis.
Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

RESPONSE: The PPS conforms to the provisions of IEEE Standard 279-1971. Four independent measurement channels complete with sensors, sensor power supplies, signal conditioning units, and bistable trip units are provided for each protective parameter monitored by the protection systems. The measurement channels are provided with a high degree of independence by separate connections of the channel sensors to the process systems. Power to the channels is provided by independent nuclear instrumentation buses (see Chapter 7).

Functional diversity is incorporated in the system design to the extent that is practical to prevent loss of the protection function.

The PPS is functionally tested to ensure satisfactory operation prior to installation in the plant. Environmental and seismic qualifications are also performed utilizing type tests and specific equipment tests as discussed in Sections 3.10 and 3.11.

3.1.19 CRITERION 23 - PROTECTION SYSTEM FAILURE MODES

CRITERION:
The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.
RESPONSE: PPS trip channels are designed to fail into a safe state or into a state established as acceptable in the event of loss of power supply or disconnection of the system. A loss of power to the CEDM holding coils results in insertion of all CEAs by gravity into the core. Redundancy, channel independence, and separation are
incorporated in the PPS design to minimize the possibility of the loss of protection function under adverse
environmental conditions (see Chapter 7 and the response to Criterion 22).
3.1.20 CRITERION 24 - SEPARATION OF PROTECTION AND CONTROL SYSTEMS

CRITERION:
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system
component or channel which is common to the control and protection systems leaves intact a system
satisfying all reliability, redundancy, and independence requirements of the protection system.
Interconnection of the protection and control systems shall be limited so as to assure that safety is not
significantly impaired.
RESPONSE: The PPS is separated from the control instrumentation systems so that failure or removal from service of any control instrumentation system component or channel does not inhibit the function of the PPS and will leave intact a protection system satisfying all reliability, redundancy and independence requirements of the protective system (refer to Section 7.2).

3.1.21 CRITERION 25 - PROTECTION SYSTEM REQUIREMENTS FOR REACTIVITY CONTROL MALFUNCTIONS

CRITERION:
The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not
ejection or dropout) of control rods.
RESPONSE: Shutdown of the reactor is accomplished by opening of the reactor trip breakers that interrupt power to the CEDM holding coils. Actuation of the trip breakers is independent of any existing control signals. (DRN 01-1102; 02-1476)
The protection system is designed such that specified acceptable fuel design limits are not exceeded for specified single malfunctions of the reactivity control systems, including the withdrawal of a single CEA. A definition of the specified single malfunctions of the reactivity control systems accommodated by the protection system design is included in Section 7.2. Analyses of specified control malfunctions are provided in Chapter 15. (DRN 01-1102; 02-1476)
3.1.22 CRITERION 26 - REACTIVITY CONTROL SYSTEM REDUNDANCY AND CAPABILITY

CRITERION:
Two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes, (including xenon burnout) to assure that acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.

RESPONSE: Two independent reactivity control systems of different design principles are provided. The first system, using CEAs, includes a positive means (gravity) for inserting CEAs, and is capable of reliably controlling reactivity changes to ensure that under conditions of normal operation, including anticipated operational occurrences, specified acceptable fuel design limits are not exceeded. The CEAs can be mechanically driven into the core. The appropriate margin for stuck rods is provided by assuming in the analyses of anticipated operational occurrences that the highest worth CEA is stuck out of the core.

The second system, the Chemical and Volume Control System (CVCS), uses neutron absorbing soluble boron and is capable of reliably compensating for the rate of reactivity changes resulting from planned normal power changes (including xenon burnout) such that acceptable fuel design limits are not exceeded. This system is capable of holding the reactor subcritical under cold conditions. For a further description, see Subsection 9.3-4.

Either system is capable of making the core subcritical from a hot operating condition, and holding it subcritical in the hot standby condition.

For further discussion, see Sections 7.4 and 7.7.

3.1.23 CRITERION 27 - COMBINED REACTIVITY CONTROL SYSTEMS CAPABILITY

CRITERION:
The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the Emergency Core Cooling System, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained.
RESPONSE: The reactivity control systems, which provide the means for making and holding the core subcritical under postulated accident conditions, are discussed in Section 4.3 and Subsection 9.3.4. Combined use of CEAs and chemical shim control by the Chemical and Volume Control System (CVCS) provides the shutdown
margin required for plant cooldown and long-term xenon decay, assuming the highest worth CEA is stuck out of the core.
During an accident, the Safety Injection System injects concentrated boric acid into the Reactor Coolant System for long-term and short-term cooling and for reactivity control. Details of the system are given in
Section 6.3.
3.1.24 CRITERION 28 - REACTIVITY LIMITS

CRITERION:
The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant
temperature and pressure, and cold water addition.
RESPONSE: (DRN 01-1102; 02-1476)
The bases for CEA design include ensuring that the reactivity worth of any one CEA is not greater than a preselected maximum value. The CEAs are divided into two sets: a shutdown set, and a regulating set. These sets are further subdivided into groups as necessary. Administrative procedures and control interlocks ensure that the amount and are withdrawn only after the shutdown groups are fully withdrawn.
The regulating groups are programmed to move in sequence and within limits which prevent the rate of
reactivity addition and the worth of individual CEAs from exceeding limiting values. For the specified list of design bases anticipated operational occurrences, the CEA positions are monitored by the RPS, and a trip
is initiated in the event that specified acceptable fuel design limits are approached (see Sections 4.3 and
7.7). (DRN 01-1102; 02-1476)
The maximum rate of reactivity addition that is produced by the CVCS is too low to induce any significant pressure forces that might rupture the RCPB or disturb the reactor vessel internals.

The RCPB (refer to Chapter 5) and the reactor internals (refer to Chapter 4) are designed to appropriate codes (refer to the response to Criterion 14). They can accommodate the static and dynamic loads
associated with an inadvertent, sudden release of energy, such as that resulting from a CEA ejection or a
steam line break, without rupture and with limited deformation that will not impair the capability of cooling
the core.
3.1.25 CRITERION 29 - PROTECTION AGAINST ANTICIPATED OPERATIONAL OCCURRENCES

CRITERION:
The protection and reactivity control systems shall be designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.

RESPONSE: The design bases anticipated operational occurrences considered in the design of the RPS and the reactivity control systems are defined in Section 7.2. Consideration of redundancy, independence, and testability in the design, coupled with careful component selection, overall system testing, and adherence to detailed quality assurance, ensure an extremely high probability that safety functions are accomplished in the event of anticipated operational occurrences (refer to Chapters 4, 7 and 9).

3.1.26 CRITERION 30 - QUALITY OF REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:
Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage.

RESPONSE: The RCPB components are designed, fabricated, erected, and tested in accordance with the ASME Code, Section III. All major components are classified safety class I as specified in Subsection 3.2.2. Accordingly, they receive all of the quality assurance measures appropriate to that classification.

Detection and identification of reactor coolant leakage is discussed in Subsection 5.2.5. The system is designed to detect and, to the extent practical, identify the source of reactor coolant leakage.

Further discussion relating to quality of the RCPB is contained in Section 5.2.

3.1.27 CRITERION 31 - FRACTURE PREVENTION OF REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:
The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions (1) the boundary behaves in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1)
material properties, (2) the effects of irradiation on material properties, (3) residual, steady-state and transient stresses, and (4) size of flaws.

RESPONSE: All RCPB components are designed and constructed in accordance with ASME Code, Section III and comply with the test and inspection requirements of these codes. These requirements ensure that flaw sizes are limited so that the probability of failure by rapid propagation is extremely remote. Particular emphasis is placed upon the quality control applied to the reactor vessel, on which tests and inspections exceeding ASME code requirements are performed. These tests and inspections are summarized in Sections 5.2, and 5.4.

Carbon and low-alloy steel materials that form part of the pressure boundary are assessed for fracture toughness in accordance with Branch Technical Position MTEB 5-2, Fracture Toughness Requirements. Through this approach, the available test data is used to estimate fracture toughness in the same terms as the new requirements set forth by Appendix G of 10CFR50.

Excessive neutron-induced changes of the reactor vessel material due to neutron radiation are prevented by providing an annulus of coolant water between the reactor core and the vessel. In addition, to minimize the effects of irradiation on material toughness properties on core beltline materials, restrictions are placed on upper limits for those residual chemical elements that directly influence the nil ductility transition temperature (NDTT) shifts. This is accomplished through material specifications for the plates and deposited welds. Specifically, upper limits are placed on copper, phosphorus, sulfur and vanadium.

The maximum integrated fast neutron flux exposure of the reactor vessel wall opposite the midplane of the core is less than 3.68 x 10^19 nvt. This value assumes a 40 year vessel design life, with the plant at the design power level 80 percent of the time. The maximum expected increase in transition temperature is about 160° F. The actual change in material toughness properties due to irradiation is verified periodically during plant lifetime by a material surveillance program conforming to the requirements of ASTM-E-185 as revised in 1982. Based on the reference nil ductility temperature (RTNDT), operating restrictions are applied as necessary to limit vessel stresses.

The thermal stresses induced by the injection of cold water into the vessel, following a LOCA, were examined. The test results and analysis show that there is no gross yielding across the vessel wall using the minimum specified yield strength in the ASME Boiler and Pressure Vessel Code, Section III, Division 1.

3.1.28 CRITERION 32 - INSPECTION OF REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:
Components which are part of the reactor coolant pressure boundary shall be designed to permit (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program for the reactor pressure vessel.
RESPONSE: Provisions are made in the design for inspection, testing and surveillance of the RCS boundary as required by ASME Boiler and Pressure Vessel Code Section XI and Section III, Division 1, as applicable.

The reactor vessel surveillance program conforms with ASTM-E-185, "Standard Recommended Practice for Surveillance Tests for Nuclear Reactor Vessels," as revised in 1982. The details of the reactor surveillance program are given in Section 5.2. Sample pieces taken from the same shell plate material used in fabrication of the beltline region of the reactor vessel are installed between the core and the vessel inside wall. These samples are removed and tested at intervals during vessel life to provide an indication of the extent of the neutron-induced changes in mechanical properties at the vessel wall. Charpy tests are performed for the samples to develop a Charpy transition curve. By comparison of this curve with the Charpy curve and drop weight tests for specimens taken at the beginning of the vessel life, the change of RTNDT is determined and operating procedures adjusted as required.

The surveillance program described in Section 5.3 includes provisions that comply with the NRC regulation, Reactor Vessel Material Surveillance Program Requirements, 10CFR50, Appendix H.

3.1.29 CRITERION 33 - REACTOR COOLANT MAKEUP

CRITERION:
A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary. The system shall be designed to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation.
RESPONSE: Reactor coolant makeup during normal operation is provided by the Chemical and Volume Control System (CVCS). The design incorporates a high degree of functional reliability by provision of redundant components and an alternate path for charging. The charging pumps can be powered from either onsite or offsite power sources, including the onsite emergency diesel generators.

There are three charging pumps associated with the CVCS. One of these pumps is normally in operation balancing the letdown purification flow and the reactor coolant pump controlled bleed-off flow rate. A complete system functional description is provided in Subsection 9.3.4.

It is not the primary function of the CVCS to provide protection against small breaks; this safety function is provided by the Safety Injection System (SIS). The CVCS does have the capability, with only one charging pump available, to supplement the HPSI pump injection flow for a certain range of small breaks; additionally, the CVCS is capable of replacing the flow loss to the Reactor Coolant System for leaks in the reactor coolant piping up to 0.50 inch equivalent diameter.

3.1.30 CRITERION 34 - RESIDUAL HEAT REMOVAL

CRITERION:
A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

RESPONSE: The Shutdown Cooling System provides residual heat removal for reactor coolant temperature of less than 350° F. For temperatures greater than 350° F, the steam generators provide this function. The design incorporates sufficient redundancy, interconnections, leak detection, and isolation capability to ensure that residual heat removal is accomplished, assuming failure of a single active component. Either system removes fission product decay heat at a rate that prevents violation of acceptable fuel design limits and the design conditions of the RCPB.

The Shutdown Cooling System and the steam generator auxiliaries are designed to operate either from offsite or onsite power sources.
Further discussion is included in Subsection 9.3.6 for the Shutdown Cooling System and in Chapter 10 for the Steam and Power Conversion System.

3.1.31 CRITERION 35 - EMERGENCY CORE COOLING

CRITERION:
A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

RESPONSE: Emergency core cooling is provided by the Safety Injection System (SIS) described in Section 6.3. This system provides adequate borated cooling water to remove heat at a rate sufficient to maintain the fuel in a coolable geometry and to ensure that zirconium-water reaction is limited to a negligible amount (less than one percent). Detailed analysis is performed to verify that the system performance is adequate to satisfy the new NRC Acceptance Criteria for ECCS for Light Water Power Reactors (10CFR50, Appendix K, January 4, 1974). Details of this analysis are provided in Subsection 6.2.1.5, Section 6.3, and Chapter 15.

The system design includes adequate provisions to assure that the required safety functions are provided with single active failure of any component and with either onsite or offsite electrical power system operation.

3.1.32 CRITERION 36 - INSPECTION OF EMERGENCY CORE COOLING SYSTEM

CRITERION:
The Emergency Core Cooling System shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping to assure the integrity and capability of the system.

RESPONSE: The Safety Injection System layout arrangement and design facilitates access to all critical components. All pumps, valves, and piping external to the Reactor Building are readily accessible for periodic inspection to ensure system leaktight integrity. Valves, piping, and tanks inside the Reactor Building are inspected for leaktightness during plant shutdowns for refueling and maintenance.
WSES-FSAR-UNIT-33.1-24Reactor vessel internal structures, reactor coolant piping, and safety injection nozzles are accessible forvisual inspection for wear due to erosion, corrosion, or vibration and nondestructive inspection techniques in accordance with the requirements of Section XI of the ASME Boiler and Pressure Vessel Code.Details of the inspection program are described in Chapters 5, 6 and 16, as appropriate.3.1.33CRITERION 37 - TESTING OF EMERGENCY CORE COOLING SYSTEM CRITERION:The Emergency Core Cooling System shall be designed to permit appropriate periodic pressure andfunctional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance on the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.RESPONSEThe Safety Injection System provides the testing capability required to demonstrate system andcomponent operability. Testing is conducted during normal plant operation with the test facilities arranged so that they will not interfere with performance of the systems or with the initiation of control circuits, as described in Subsection 6.3.4.The SIS permits periodic testing of the delivery capability up to a location as close to the core aspracticable. 
Periodic injection into the RCS from the SIS during normal operation is not practical.During normal operation, RCS pressure exceeds high pressure safety injection (HPSI) pump shutoff head.Periodic pressure testing of the HPSI System to assure system integrity is possible using the cross connection from the charging pumps in the CVCS.With the plant at operating pressure, operation of high and low pressure safety injection pumps is verifiedby recirculation back to the refueling water storage pool (RWSP). This permits verification of flow pathcontinuity in the high pressure injection lines and suction lines from the RWSP.In addition, the low pressure safety injection pumps are used as shutdown cooling pumps during normalplant cooldown. The pumps discharge into the safety injection header via the shutdown cooling heatexchangers and the low pressure injection lines.Borated water from the safety injection tanks is bled through the recirculation test line to verify flow pathcontinuity from each tank to its associated main safety injection header.
WSES-FSAR-UNIT-33.1-25During refueling, blowdown tests provide additional evidence of safety injection tank operability.Inadvertent HPSI pump actuation at the beginning of plant cooldown does not cause RCS heatup/cooldown limitations to be exceeded. Relief valves on the shutdown cooling (SDC) lines provide protection from accidental HPSI pump operation during SDC. Thus, no tests are required to cover this particular aspect.The operational sequence that brings the Safety Injection System into action, including the transfer toalternate power sources, can be tested in parts as described in Section 6.3, Subsection 7.3.2 and Section 8.3.3.1.34CRITERION 38 - CONTAINMENT HEAT REMOVAL CRITERION:A system to remove heat from the reactor containment shall be provided. The system safety functionshall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably lowlevels.Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation,and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.RESPONSE:The Containment Spray System, consisting of two pumps and two shutdown heat exchangers, and theContainment Cooling System, consisting of four fan coolers, function as emergency containment heat removal systems. Each of these systems has the full heat removal capability required for the most severepostulated loss-of-coolant accident.The systems are provided with the emergency onsite power necessary for their operation assuming a lossof offsite power. 
The systems taken together provide the necessary capability for containment heat removal assuming a single failure in either system or in the emergency onsite power supply.The Containment Spray System and the Containment Cooling System are described in Subsection 6.2.2.3.1.35CRITERION 39 - INSPECTION OF CONTAINMENT HEAT REMOVAL SYSTEM CRITERION:The containment heat removal system shall be designed to permit appropriate periodic inspections ofimportant components, such as the torus, sumps, spray nozzles and piping to assure the integrity and capacity of the system.

WSES-FSAR-UNIT-3 3.1-26 Revision 11-A (02/02)
RESPONSE:
The Containment Spray System essential equipment except for risers, distribution header piping, spray nozzles and the safety injection system sump are located outside of the containment.
The safety injection system sump, spray piping, and nozzles may be inspected for leaktightness during plant shutdowns for refueling and maintenance. Piping, pumps, heat exchangers, and valves external to the containment structure are readily accessible for periodic inspection to check system leaktight integrity.
(DRN 00-0583)
Portions of the Containment Cooling System entirely within the containment can be inspected at the appropriate intervals during refueling shutdowns. Cooling water systems external to the containment which service the Containment Cooling System are accessible for inspection at any time during plant operation.
(DRN 00-0583)
In-service inspections of the Containment Spray System and Containment Cooling System are performed as indicated in Section 6.6.

3.1.36 CRITERION 40 - TESTING OF CONTAINMENT HEAT REMOVAL SYSTEM
CRITERION:
The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components (2) the operability and performance of the active components of the system as a whole, and under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation of applicable portions of the protection system, the transfer between normal and emergency power sources and the operation of the associated cooling water system.
RESPONSE:
System piping, valves, pumps, fans, heat exchangers, and other components of the containment heat removal system are designed to permit appropriate periodic testing to assure their structural and leaktight integrity. The components are arranged so that each component can be tested periodically for operability and required functional performance.
Three of the four containment cooling units are normally in operation. The fourth unit will be rotated in service with the other three for normal containment cooling. Transfer to alternate power sources can also be tested.
The operational sequence that would bring the Containment Spray System into action, including the transfer to alternate power sources, can be tested. With the plant at operating pressure, the containment spray pumps and valves may be operated by recirculation back to the refueling water storage pool. This will permit verification of flow path continuity in the spray lines and suction lines from the refueling water storage pool up to and including the first isolation valve outside the containment.
WSES-FSAR-UNIT-3  3.1-27 Revision 301 (09/07)
Testing of the Containment Spray System and Containment Cooling System is performed as indicated in Subsection 6.2.2.

3.1.37 CRITERION 41 - CONTAINMENT ATMOSPHERE CLEANUP
CRITERION:
Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained.
Each system shall have suitable redundancy in components and features and suitable interconnections, leak detection, and containment capabilities to assure that for onsite electric power system operation (assuming offsite is not available) and for offsite electric power system operation (assuming onsite power is not available), its safety function can be accomplished, assuming a single failure.
RESPONSE:
The Shield Building Ventilation System (SBVS), which consists of two full capacity redundant fan and filter systems, is designed consistent with the functioning of other associated systems, to reduce the concentration and quantity of fission products released to the environment following postulated accidents, including a loss-of-coolant accident. This is established by maintaining a subatmospheric pressure within the Shield Building annulus to ensure that post accident activity leakage from the steel containment is routed through the filter system. This system is described in Subsection 6.2.3.
(EC-5000082443, R301)
When containment pressures have been reduced to approximately atmospheric, the Containment Atmosphere Release System (CARS) can be started to purge containment.
The Containment Atmosphere Release System (CARS) prevents the buildup of dangerous concentrations of hydrogen in the containment following a loss-of-coolant accident. Operation will normally be initiated when the hydrogen concentration within the containment reaches a predetermined set point as determined by containment air sampling.
(EC-5000082443, R301)
The Containment Spray System, discussed in Subsection 6.5.2, provides for the removal of iodine from the containment atmosphere following a LOCA. The operation is initiated by the containment spray actuation signal.
(EC-5000082443, R301)
The Shield Building Ventilation System, the Containment Atmosphere Release System, Hydrogen Analyzer System and Containment Spray System have suitable redundancy to assure that for onsite electrical power system operation only, or for offsite electrical power system operation only, their safety functions can be accomplished, assuming a single failure.
(EC-5000082443 R301)

WSES-FSAR-UNIT-3 3.1-28 Revision 301 (09/07)

3.1.38 CRITERION 42 - INSPECTION OF CONTAINMENT ATMOSPHERE CLEANUP SYSTEMS
CRITERION:
The containment atmosphere cleanup systems shall be designed to permit appropriate periodic
inspection of important components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.
RESPONSE:
The only components of the containment atmosphere cleanup systems inside the Shield Building are the ductwork of the SBVS, hydrogen recombiners and the containment spray nozzles and piping. These can
be inspected during shutdown. The balance of equipment is located in the Reactor Auxiliary Building, where it is accessible for physical inspection.
Ducts, plenums, and casings will be provided with access doors for internal inspection at appropriate times.
(EC-5000082443, R301)
Specific inspection programs are discussed in Subsection 6.5.1.4 for the filter systems that are required to perform a safety related function following a design basis accident and Subsection 6.5.2.4 for the Containment Spray System.
(EC-5000082443, R301)

3.1.39 CRITERION 43 - TESTING OF ATMOSPHERE CLEANUP SYSTEMS
CRITERION:
The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems, such as fans, filters, dampers, pumps, and valves, and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of associated systems.
RESPONSE:
The Shield Building Ventilation System is designed and constructed to permit periodic pressure and functional testing. For purpose of periodically testing the retentive capability of the carbon filter (adsorber) system, test canisters are placed in the filter housing in locations which allow the canisters to be subjected to the same air currents as the charcoal beds. These canisters are periodically removed and tested.
High efficiency particulate (HEPA) and carbon filters, associated with the Shield Building Ventilation System, are located outside the containment for convenience for testing and inspection. Periodic tests are described in Subsection 6.5.1.4.

WSES-FSAR-UNIT-3 3.1-29
Active components of the Shield Building Ventilation System, Containment Atmosphere Release System, Hydrogen Recombiner System, Hydrogen Analyzer System and Containment Spray System can be tested periodically for operability and required functional performance.
The full operational sequence that would bring the SBVS, CARS, hydrogen recombiners and Containment Spray System into action, including the transfer to alternate power sources and the design capability, can be tested. Testing provisions are discussed in Subsections 6.2.5.4, 6.5.1.4 and 6.5.2.4.

3.1.40 CRITERION 44 - COOLING WATER
CRITERION:
A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems and components under normal operating and accident conditions.
Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.
RESPONSE:
The Component Cooling Water System (CCWS) and the Auxiliary Component Cooling Water System (ACCWS) are designed to transfer heat from structures, systems and components important to safety, to the cooling towers. Two redundant, completely independent trains are provided, each of which is capable of removing the heat associated with normal operation or accident conditions.
The Component Cooling Water System is a closed loop cooling water system that includes three full capacity pumps, two heat exchangers and two dry cooling towers. The cooling water is pumped by the component cooling water pumps, through the dry cooling towers and the tube side of the CCW heat exchangers, through the components being cooled and back to the pumps.
The Auxiliary Component Cooling Water System removes heat, if required, from the CCWS via the CCW heat exchangers and dissipates it to the atmosphere. The ACCWS consists of two independent loops which include two CCWS heat exchangers (shell side), two full capacity pumps, two wet type, mechanical draft cooling towers and two cooling tower basins, each of which store sufficient water to complete a safe shutdown based upon the occurrence of a LOCA and minimum safeguards operation.
The piping, valves, pumps and heat exchangers in each system are arranged so that the system safety functions can be performed assuming a single system failure. The essential headers of each system will each be automatically isolated from the nonessential headers during emergency mode of operation.

WSES-FSAR-UNIT-3 3.1-30
Each system is normally pressurized permitting leakage detection by routine surveillance or monitoring instrumentation.
Electric power for the operation of each system may be supplied from offsite or onsite emergency power sources, with distribution arranged such that a single failure will not prevent the system from performing its safety function.
The CCWS and ACCWS are discussed in Subsection 9.2.2.

3.1.41 CRITERION 45 - INSPECTION OF COOLING WATER SYSTEM
CRITERION:
The cooling water system shall be designed to permit appropriate periodic inspection of important components, such as heat exchangers and piping, to assure the integrity and capability of the system.
RESPONSE:
The CCWS and ACCWS are designed to permit the required periodic inspections of heat exchangers and piping. Three CCW pumps are provided, two of which serve the two system loops used in normal operation. The third pump can operate on either loop, allowing inspection and maintenance of a pump while maintaining redundant system capability.
In-service inspection of the CCWS and ACCWS is performed as discussed in Section 6.6.

3.1.42 CRITERION 46 - TESTING OF COOLING WATER SYSTEM
CRITERION:
The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and the performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.
RESPONSE:
Two CCW pumps are normally operating, one per loop. Normally, both dry towers are continuously operated. Therefore, the structural and leaktight integrity of the components and the operability of their active components are demonstrated in this way. Data is taken periodically during normal plant operation to confirm heat transfer characteristics.
The ACCW pumps, wet towers and CCW heat exchangers are operated periodically to ensure their operability and to confirm performance requirements.

WSES-FSAR-UNIT-3 3.1-31
The systems are designed to permit testing of system operability, encompassing simulation of emergency reactor shutdown or LOCA conditions including the transfer between normal and emergency power sources.
The testing procedures are discussed in Subsection 9.2.2.

3.1.43 CRITERION 50 - CONTAINMENT DESIGN BASIS
CRITERION:
The reactor containment structure, including access openings, penetrations, and the containment heat removal system shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and, with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident. This margin shall reflect consideration of (1) the effects of potential energy sources which have not been included in the determination of the peak conditions such as energy in steam generators and energy from metal-water and other chemical reactions that may result from degraded emergency core cooling functioning, (2) the limited experience and experimental data available for defining accident phenomena and containment responses, and (3) the conservatism of the calculational model and input parameters.
RESPONSE:
The containment structure, including access openings and penetrations, is designed with sufficient conservatism to accommodate, without exceeding the design leak rate, the transient peak pressure and temperature associated with a postulated reactor coolant piping break, up to and including a double-ended rupture of the largest reactor coolant pipe. The containment design basis is discussed in Subsection 6.2.1.1.
The containment structure and Engineered Safety Features Systems are evaluated for various combinations of energy release. The analysis accounts for system thermal and chemical energy, and for nuclear decay heat. The cooling capacity of containment heat removal systems is adequate to prevent overpressurization of the structure, and to return the containment to near atmospheric pressure as discussed in Subsection 6.2.2.

3.1.44 CRITERION 51 - FRACTURE PREVENTION OF CONTAINMENT PRESSURE BOUNDARY
CRITERION:
The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing and postulated accident conditions (1) its ferritic materials behave in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) residual steady-state and transient stresses, and (3) size of flaws.

WSES-FSAR-UNIT-3 3.1-32
RESPONSE:
The containment vessel material (ASTM-SA516 Grade 70) is normalized to refine the grain structure, which results in improved ductility. In addition, the actual mechanical and chemical properties of the material are documented and are within the limits for minimum ductility defined in ASTM-A516.
The containment vessel is built to Subsection NE of Section III of the ASME Boiler and Pressure Vessel Code which requires that materials shall be impact-tested at a temperature at least 30°F below the lowest metal service temperature. These tests do not determine the nil-ductility transition temperature of the material but ensure that this temperature is at or below the test temperature.
The design of the vessel reflects consideration of all ranges of temperature and loading conditions which apply to the vessel during operation, maintenance, testing and postulated accident conditions.
Because this vessel is post weld heat treated, residual stresses from welding are minimal. Steady state and transient stresses are calculated in accordance with accepted methods.
All pressure boundary double butt welds that comprise the containment vessel are 100 percent radiographed and the acceptance standard of the radiographs ensures that flaws in welds do not exceed the maximum allowed by ASME Code.
Containment boundary design is discussed in Subsection 3.8.2.

3.1.45 CRITERION 52 - CAPABILITY FOR CONTAINMENT LEAKAGE RATE TESTING
CRITERION:
The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure.
RESPONSE:
The containment vessel is designed so that initial integrated leakage rate testing can be performed at design pressure after completion and installation of penetrations and equipment.
Provisions are made in the containment design to permit periodic leakage rate tests, at reduced or peak pressure, to verify the continued leaktight integrity of the containment.
Periodic integrated leakage rate testing will be carried out in accordance with the requirements of Appendix J to 10CFR50.
A description of the periodic integrated leakage rate testing is provided in Subsection 6.2.6.

WSES-FSAR-UNIT-3 3.1-33

3.1.46 CRITERION 53 - PROVISIONS FOR CONTAINMENT TESTING AND INSPECTION
CRITERION:
The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.
RESPONSE:
The absence of insulation on the containment vessel permits appropriate periodic inspection of the accessible interior and exterior surfaces of the vessel. The lower portions of the containment vessel are totally encased in concrete and will not be accessible for inspection after the acceptance testing. There will be no need for any special in-service surveillance program due to the rigorous design, fabrication, inspection and pressure testing the containment vessel receives prior to operation. Visual inspection of the accessible interior and exterior surface of the containment vessel will be made.
Provisions are made to permit periodic testing of penetrations which have resilient seals or expansion bellows to allow leaktightness to be demonstrated at containment design pressure. Inspection and testing of the containment is carried out in accordance with Appendix J of 10CFR50.
Provisions for testing and inspection are discussed in Subsection 6.2.6.

3.1.47 CRITERION 54 - PIPING SYSTEMS PENETRATING CONTAINMENT
CRITERION:
Piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities which reflect the importance to safety of isolating these piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus to determine if valve leak-off is within acceptable limits.
RESPONSE:
Piping penetrating the containment vessel shell is designed to withstand at least a pressure equal to the containment vessel maximum internal pressure. The design bases require a double barrier on all of the above systems not required to limit the consequences of accidents, so that no single failure or malfunction of an active component can result in loss of isolation or intolerable leakage. Valves are designed to a maximum allowable leakage of 1/10 of a standard cubic foot of air per hour per inch of diameter of nominal valve size at containment design pressure.
WSES-FSAR-UNIT-3  3.1-34 Revision 15 (03/07)
Valves isolating penetrations serving Engineered Safety Feature Systems will not automatically close with the containment isolation actuation signal (CIAS), but may be closed by remote manual operation from the main control room to isolate any Engineered Safety Feature System when required. Proper valve
closing times are achieved by appropriate selection of valve, operator type, and operator size. To ensure
continued integrity of the containment isolation system, periodic closure and leakage rate tests will be performed to insure that leakage will be within specified limits based upon maintaining post accident site
boundary doses within acceptable guidelines.
Design and isolation requirements for piping systems penetrating the containment are provided in
Subsection 6.2.4.
3.1.48  CRITERION 55 - REACTOR COOLANT PRESSURE BOUNDARY PENETRATION CONTAINMENT
CRITERION:
Each line that is part of the reactor coolant pressure boundary and that penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are
acceptable on some other defined basis:
a) One locked closed isolation valve inside and one locked closed isolation valve outside containment or,
b) One automatic isolation valve inside and one locked closed isolation valve outside containment or,
c) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment or,
d) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.
Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater
safety.
(DRN 06-870, R15)
Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety.
Determination of the appropriateness of these requirements such as higher quality in design, fabrication, and testing, additional provisions for in-service inspection, protection against more severe natural phenomena, and additional isolation valves and containment, shall include consideration of the
population density, use characteristics, and physical characteristics of the site environs.
(DRN 06-870, R15)

WSES-FSAR-UNIT-3 3.1-35
RESPONSE:
Except for the safety injection and CVCS charging lines, the reactor coolant pressure boundary as defined in 10CFR50 is located within the containment. The safety injection and CVCS charging lines are closed seismic Category I piping systems outside containment with isolation valves that meet the isolation criteria of GDC 55. Isolation valves are located as close to the containment as practical.
Valves covered by the above criterion are described in Subsection 6.2-4.

3.1.49 CRITERION 56 - PRIMARY CONTAINMENT ISOLATION
CRITERION:
Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:
a) One locked closed isolation valve inside and one locked closed valve outside containment or,
b) One automatic isolation valve inside and one locked closed isolation valve outside containment or,
c) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment or,
d) One automatic valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic valve outside containment.
Isolation valves outside the containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides the greater safety.
RESPONSE:
The lines which connect directly to the containment atmosphere and penetrate the primary containment are provided with two valves in series where they penetrate the containment, so that failure of one active component will not prevent isolation. Each of these lines meets the isolation criteria of GDC 56.

WSES-FSAR-UNIT-3 3.1-36
As described in Subsection 6.2.4, the safety injection system sump penetrations contain valves outside the containment which are never open during normal operation. In addition, the lines form a closed seismic Category I system outside of containment and, after a LOCA, the suction portion of these lines inside containment are covered by water.
Valves covered by the above criterion are described in Subsection 6.2.4.

3.1.50 CRITERION 57 - CLOSED SYSTEMS ISOLATION VALVES
CRITERION:
Each line that penetrates the primary reactor containment, and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere, shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. This valve shall be outside the containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.
RESPONSE:
Each line that penetrates the reactor containment, and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere, has at least one containment isolation valve located outside the containment as close to the containment as practical. Each of these lines meets the isolation criteria of GDC 57.
Valves covered by the above criterion are described in Subsection 6.2.4.
3.1.51 CRITERION 60 - CONTROL OF RELEASES OF RADIOACTIVE MATERIALS TO THE ENVIRONMENT

CRITERION:

The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. Sufficient holdup capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.

RESPONSE:

The facility controls the release of radioactive materials in gaseous and liquid effluents and handles radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. The radioactive waste management systems minimize the potential for an inadvertent release of radioactivity from the facility and ensure that the discharge of radioactive wastes is maintained in accordance with the limits of 10CFR50, Appendix I. Radioactive materials which do not meet release limits will not be discharged to the environment.

WSES-FSAR-UNIT-3 3.1-37 Revision 11-A (02/02)

The Waste Management System is designed with sufficient holdup capacity and flexibility for processing of wastes to ensure that releases are as low as reasonably achievable.
The Solid Radwaste System is capable of handling all radioactive solid wastes produced by the plant for shipment offsite.
The Radioactive Waste Processing System, the design criteria, and the amounts of estimated releases of radioactive effluents to the environment are described in Chapter 11.
3.1.52 CRITERION 61 - FUEL STORAGE AND HANDLING AND RADIOACTIVITY CONTROL

CRITERION:

(DRN 00-1032) The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. These systems shall be designed (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection, (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions. (DRN 00-1032)

RESPONSE:

The Fuel Pool Cooling System, Fuel Handling System (FHS), and Radioactive Waste Processing System ensure adequate safety under normal and postulated accident conditions.

The Fuel Pool Cooling System provides cooling to remove residual heat from the fuel stored in the spent fuel pool. Data is taken periodically during normal plant operation to confirm heat transfer capabilities and differential across components. The Fuel Pool Cooling System is described in Subsection 9.1.3.

The spent fuel pool meets seismic Category I requirements and is protected against postulated missiles so that no postulated accident could cause excessive loss-of-coolant inventory.

Most of the components and systems in this category are in frequent use and no special testing is required. These systems and components important to safety which are not normally operating are tested periodically at appropriate intervals.

The spent fuel storage racks are covered by water which provides sufficient shielding over stored fuel assemblies to limit radiation at the surface of the water to no more than 2.5 mr/hr during the storage period. The exposure time during refueling is limited so that the integrated dose to operating personnel does not exceed the limits of 10CFR20. Adequate shielding is provided as described in Section 12.3. Radiation monitoring is provided as discussed in Sections 11.5 and 12.3.
Individual components that contain radioactivity are located in confined areas and are ventilated through appropriate filtering systems as discussed in Subsection 9.4.2.

3.1.53 CRITERION 62 - PREVENTION OF CRITICALITY IN FUEL STORAGE AND HANDLING

CRITERION:

Criticality in the fuel storage and handling system will be prevented by physical systems or processes, preferably by use of geometrically safe configurations.

RESPONSE:

A safe geometric spacing is provided for both new and spent fuel assemblies which are stored in racks in parallel rows. An edge-to-edge spacing employed for the new fuel storage racks results in a keff of 0.98 or less utilizing dry storage. The edge-to-edge spacing for the spent fuel storage racks results in keff of 0.95 or less without taking credit for the boron in the fuel pool water. New and spent fuel storage is described in Section 9.1.

3.1.54 CRITERION 63 - MONITORING FUEL AND WASTE STORAGE

CRITERION:

Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions.

RESPONSE:

Monitoring and alarm instrumentation are provided for fuel and waste storage and handling areas for conditions that might contribute to a loss of continuity in decay heat removal and to radiation exposure. Area radiation monitors described in Section 12.3 are provided to detect and alarm excessive radiation levels in the Fuel Handling Building and Waste Management System areas.

The heat generated in the waste storage facilities is low and therefore does not require a specific heat removal system. The normal area ventilating systems are sufficient.

Control room alarms are provided to alert the operator to high and low liquid level and high temperature in the fuel pool. A low pressure alarm on the fuel pool pumps' discharge header is provided to warn of interruption of the cooling flow. Instrumentation is discussed in Subsection 9.1.3.
3.1.55 CRITERION 64 - MONITORING RADIOACTIVITY RELEASES

CRITERION:

Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.

RESPONSE:

Provisions are made for monitoring the containment atmosphere, the facility effluent discharge paths, the operating areas within the plant and the facility environs for radioactivity that could be released from normal operations, from anticipated operational occurrences and from postulated accidents.

Those liquid and gaseous wastes containing radioactive matter are processed by the Waste Management System which functions to remove radioactive material from these wastes by filtration, ion exchange or distillation prior to discharge. In the event of high radiation, the wastes will be stored until the radioactivity has decayed sufficiently to permit discharge.

Liquid wastes are grab sampled, and if the contained activity meets applicable limits they may be released with continuous monitoring to the circulating water discharge.

Gaseous wastes are compressed and stored in the gas decay tanks. The gas is sampled to determine radioactivity concentration to assure release limits are not exceeded, and is monitored during release through the plant vent.

Solid wastes that are produced will be packaged in licensed shipping containers and transported offsite for disposal. Radioactivity of the contents of containers will be monitored.

Area radiation monitors are discussed in Section 12.3.

Instrumentation is provided to monitor plant variables and systems under post accident conditions and to follow the course of the accident, as described in Section 7.5.}}

Latest revision as of 20:57, 6 May 2019

Revision 309 to Final Safety Analysis Report, Chapter 3, Design of Structures, Components Equipment and Systems, Section 3.1
ML16256A171
Person / Time
Site: Waterford
Issue date: 08/25/2016
From: Entergy Operations
To: Office of Nuclear Reactor Regulation
Shared Package: ML16256A115
References: W3F1-2016-0053


Text

WSES-FSAR-UNIT-3 3.1-1

3.0 DESIGN OF STRUCTURES, COMPONENTS EQUIPMENT AND SYSTEMS

3.1 CONFORMANCE WITH NRC GENERAL DESIGN CRITERIA

The following sections discuss conformance with the NRC "General Design Criteria for Nuclear Power Plants" as specified in Appendix A to 10CFR50 effective May 21, 1971 and subsequently amended July 7, 1971. Based on the content herein, the applicant concludes that Waterford 3 fully satisfies and is in compliance with the General Design Criteria.

3.1.1 CRITERION 1 - QUALITY STANDARDS AND RECORDS

CRITERION:

Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection and testing of structures, systems and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

RESPONSE:

Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. The structures, systems, and components important to safety are listed in Table 3.2-1. Recognized codes and standards are applied to the equipment in these classifications as necessary to assure a quality product in keeping with the required safety function. The total quality assurance program is described in the QA Program Manual and is applied to the safety class 1, 2 and 3, and seismic Category I items contained in this table. The intent of the quality assurance program is to assure sound engineering in all phases of design and construction through conformity to regulatory requirements and design bases described in the license application. In addition, the program assures adherence to specified standards of workmanship and implementation of applicable codes and standards in fabrication and construction. It also includes the observance of proper preoperational and operational testing and maintenance procedures (Chapter 14) as well as the documentation of the foregoing by keeping appropriate records. The total quality assurance program of the applicant and its principal contractors meets the quality-related requirements of Appendix B to 10CFR50.

Records are maintained which demonstrate that the requirements of the quality assurance program are satisfied. This documentation shows that appropriate codes, standards and regulatory requirements are observed, specified materials are used, correct procedures are utilized, qualified personnel are provided and that the finished parts and components meet the applicable specifications for safe and reliable operation. These records are available so that any desired item of information is retrievable for reference.
These records of the design, fabrication, erection and testing of structures, systems and components important to safety are maintained as required by the LP&L quality assurance program.

3.1.2 CRITERION 2 - DESIGN BASES FOR PROTECTION AGAINST NATURAL PHENOMENA

CRITERION:

Structures, systems and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems and components shall reflect: (1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and, (3) the importance of the safety functions to be performed.

RESPONSE:

The integrity of systems, structures and components important to safety is included in the reactor facilities design evaluations. The structures, systems and components important to safety are designed to withstand the effects of natural phenomena without loss of capability to perform their safety functions. Those structures, systems and components vital to the shutdown capability of the reactor are designed to withstand the maximum probable natural phenomenon expected at the site determined from recorded data for the site vicinity with appropriate margin to account for uncertainties in historical data. Those structures, systems and components vital to the mitigation and control of incident conditions are designed to withstand the effects of a loss-of-coolant accident coincident with the effects of the safe shutdown earthquake. The structures, systems, and components important to safety are listed in Table 3.2-1.

For further discussion, see the following sections: 2.3 Meteorology, 2.4 Hydrologic Engineering, 2.5 Geology, Seismology and Geotechnical Engineering, 3.2 Classification of Structures, Components and Systems, 3.3 Wind and Tornado Loadings, 3.4 Water Level (Flood) Design, 3.5 Missile Protection, 3.7 Seismic Design, 3.8 Design of Category I Structures, 3.9 Mechanical Systems and Components, 3.10 Seismic Qualification of Seismic Category I Instrumentation and Electrical Equipment, and 3.11 Environmental Design of Mechanical and Electrical Equipment.

WSES-FSAR-UNIT-3 3.1-3 Revision 11 (05/01)

3.1.3 CRITERION 3 - FIRE PROTECTION

CRITERION:

Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Non-combustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control rooms. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Fire fighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components.

RESPONSE:

Non-combustible and fire resistant materials are used wherever practical throughout the facility, particularly in areas containing critical portions of the plant such as containment structure, control room and components of the Engineered Safety Features Systems.

Safety-related systems are designed and located to minimize the effect of fires or explosions on redundant components.

Facilities for the storage of combustible material are designed to minimize both the probability and the effects of a fire.

Equipment and facilities for fire protection, including detection, alarm and extinguishment are provided to protect both plant and personnel from fire or explosion and the resultant release of toxic vapors. Both wet and dry type fire-fighting equipment are provided.

(DRN 99-1017) Normal fire protection is provided by preaction systems, deluge systems, wet pipe sprinkler systems, hose lines and portable extinguishers. (DRN 99-1017)

The Fire Protection System is designed such that a failure of any component of the system will not impair the ability of redundant equipment to safely shut down and isolate the reactor or limit the release of radioactivity to the environment in the event of a postulated accident.

The Fire Protection Systems are provided with test hose valves for periodic testing. All equipment is accessible for periodic inspection.

Fire protection for cable systems is discussed in Subsection 8.3.3 and the Plant Fire Protection System in Subsection 9.5.1.

WSES-FSAR-UNIT-3 3.1-4 Revision 14 (12/05)

3.1.4 CRITERION 4 - ENVIRONMENTAL AND MISSILE DESIGN BASES

CRITERION:

Structures, systems and components important to safety shall be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents including Loss-of-Coolant Accidents (LOCA). These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping and discharging fluids that may result from equipment failures and from events and conditions outside the nuclear power unit. (DRN 03-2056, R14) However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping. (DRN 03-2056, R14)

RESPONSE:

Structures, systems and components important to safety are designed to accommodate the effects and to be compatible with the pressure, temperature, humidity, chemical and radiation conditions associated with normal operation, maintenance, testing, and postulated accidents, including a loss-of-coolant accident in the area in which they are located.

Protective walls and slabs, local missile shielding, or restraining devices are provided to protect the containment and Engineered Safety Features Systems within and without the containment against damage from missiles generated by equipment failures. The concrete enclosing the Reactor Coolant System serves as radiation shielding and as an effective barrier against internal missiles. Local missile barriers are provided for control element drive mechanisms. Penetrations and piping extending to and including isolation valves are protected from damage due to pipe whipping, and are protected from damage by external missiles, where such protection is necessary to meet the design bases. Non-seismic category piping is arranged or restrained so that failure of any non-seismic category piping will not cause radioactivity to be released to the environment nor prevent essential seismic Category I structures or equipment from mitigating the consequences of such an accident. Seismic Category I piping has been arranged or restrained such that, in the event of rupture of a seismic Category I pipe which causes a loss-of-coolant accident, resulting pipe movement will not result in loss of containment integrity and adequate Engineered Safety Features Systems operation will be maintained. The containment interior structure is designed to sustain dynamic load which could result from failure in major equipment and piping, such as jet thrust, jet impingement, and local pressure transients, where containment integrity is needed to cope with the conditions.

(DRN 00-1172) The external concrete shield protects the steel containment vessel from damage due to external missiles such as tornado propelled missiles. The functional capability of any safety related structures, systems or components located outdoors (e.g., cooling towers) are designed for protection against externally generated missiles, or shown that their failure is not credible because tornado induced failure modes are considered improbable as mentioned in section 3.5.1.4.1. (DRN 00-1172) (DRN 03-2056, R14)

In 1987, the Commission modified GDC 4 to allow crediting of a leak-before-break (LBB) technology for an exclusion from the design basis of dynamic effects. Since this time, Waterford 3 has credited the LBB technology for various plant modifications. See Sections 3.6.2 and 3.6.3 of the SAR for additional discussion of LBB. (DRN 03-2056, R14)

WSES-FSAR-UNIT-3 3.1-5 Revision 305 (11/11)

(EC-19087, R305)

(EC-19087, R305)

For those components which are required to operate under extreme conditions such as design seismic loads or containment post accident environmental conditions, the manufacturers submit type test, operational or calculational data which substantiate this capability of the equipment.

For further discussion, refer to the following sections: 3.3 Wind and Tornado Loadings, 3.4 Water Level (Flood) Design, 3.5 Missile Protection, 3.6 Protection Against Dynamic Effects Associated with the Postulated Rupture of Piping, 3.7 Seismic Design, 3.8 Design of Category I Structures, 3.11 Environmental Design of Mechanical and Electrical Equipment, and 6.0 Engineered Safety Features.

3.1.5 CRITERION 5 - SHARING OF STRUCTURES, SYSTEMS AND COMPONENTS

CRITERION:

Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.

RESPONSE:

As per the Louisiana Power & Light letter (LPL-362) of October 19, 1971 to Dr P.A. Morris (then with the AEC), Unit No. 4 is no longer being considered for construction; therefore, this criterion is not applicable.

3.1.6 CRITERION 10 - REACTOR DESIGN

CRITERION:

The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.

RESPONSE:

In ANSI N18.2, Nuclear Safety Criterion for the Design of Pressurized Water Reactor Plants (January 1973), plant conditions are categorized in accordance with their anticipated frequency of occurrence and risk to the public, and design requirements are given for each of the four categories. The categories covered by this criterion are Condition I - Normal Operation and Condition II - Faults of Moderate Frequency.

The design requirement for Condition I is that margin shall be provided between any plant parameter and the value of that parameter which would require either automatic or manual protective action. This condition is met by providing an adequate control system (refer to Section 7.7). The design requirement for Condition II is that such faults shall be accommodated with, at most, a shutdown of the reactor, with the plant capable of returning to operation after corrective action. On Waterford 3, this condition is met by providing an adequate protective system (refer to Section 7.2 and Chapter 15).

Specified acceptable fuel design limits are stated in Subsection 4.4.1.

Operating limits, to ensure specified acceptable fuel design limits are met, are prescribed in the Technical Specifications (limiting conditions for operations) which support Chapters 4 and 15. Operator action, aided by the control systems and monitored by plant instrumentation, maintains the plant within technical specification limitations. For further discussion see the following sections: 4.2.1 Reactor Fuel, 5.0 Reactor Coolant, 5.4.7 Decay Heat Removal, 7.2 Reactor Protective System.

3.1.7 CRITERION 11 - REACTOR INHERENT PROTECTION

CRITERION:

The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.

RESPONSE:

In the power operating range, the combined response of the fuel temperature coefficient, the moderator temperature coefficient, the moderator void coefficient, and the moderator pressure coefficient to an increase in reactor power in the power operating range is a decrease in reactivity, i.e., the inherent nuclear feedback characteristics are not positive.

The reactivity coefficients for this reactor are listed in Table 4.3-4 and are discussed in detail in Section 4.3.

3.1.8 CRITERION 12 - SUPPRESSION OF REACTOR POWER OSCILLATIONS

CRITERION:

The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.

WSES-FSAR-UNIT-3 3.1-7 Revision 309 (06/16)

RESPONSE:

Power level oscillations will not occur. The effect of the negative power coefficient of reactivity (refer to Criterion 11), together with the coolant temperature program maintained by control element assemblies (CEAs) and soluble boron, provide fundamental mode stability. Power level is monitored continuously by neutron flux detectors (refer to Chapter 7) and by reactor coolant temperature difference measuring devices.

(LBDCR 13-014, R309) Power distribution oscillations are detected by neutron flux detectors. Axial node oscillations are suppressed by means of CEAs. Radial oscillations are expected to be convergent. It is a design objective that azimuthal xenon oscillations be convergent. Monitoring and protective requirements imposed by Criterion 10 and 20 are discussed in those responses and in Chapter 4. (LBDCR 13-014, R309)

3.1.9 CRITERION 13 - INSTRUMENTATION AND CONTROL

CRITERION:

Instrumentation and control shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

RESPONSE:

Instrumentation is provided to monitor significant process variables that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary (RCPB), and the containment and its associated systems. Controls are provided for the purpose of maintaining these variables within the limits prescribed for safe operation.

The principal process variables to be monitored and controlled are neutron level (reactor power), axial neutron flux shape, CEA position, reactor coolant temperature, reactor coolant pump speed, pressurizer liquid level and pressure, and steam generator level and pressure. Indication is provided for all parameters required for normal operation and accident conditions.

The Plant Protection System (PPS) consists of the Reactor Protective System (RPS) and the Engineered Safety Features Actuation System (ESFAS). The RPS monitors the reactor operating conditions and effects reliable and rapid reactor trip if any monitored variable or combination of monitored variables deviates from the permissible operating range to a degree that a safety limit may be reached (refer to Section 7.2). The ESFAS monitors plant operating conditions and initiates ESF operation in the event of a certain postulated accident (refer to Section 7.3).

WSES-FSAR-UNIT-3 3.1-8 Revision 8 (5/96)

The non-nuclear safety grade Core Operating Limit Supervisory System (COLSS) aids the operator with an independent indication of the proximity to specified core operating limits and an alarm when one of these limits is reached.

In-core instrumentation is provided to supplement information on core power distribution and to provide a means for calibration of out-of-core flux detectors.

Instrumentation is provided to monitor plant variables and systems under post-accident conditions and to follow the course of the accident, as described in Section 7.5.

The instrumentation and control systems are described in detail in Chapter 7.

3.1.10 CRITERION 14 - REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:

The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.

RESPONSE:

Reactor Coolant System (RCS) components are designed in accordance with ASME Code, Section III, Division 1. The establishment and implementation of operating quality control, inspection, and testing as required by this standard and allowable reactor pressure-temperature operations within allowable limits, ensure the integrity of the RCS.

The RCPB accommodates system pressures and temperatures attained under all expected modes of unit operation including all anticipated transients, and maintains the stresses within applicable stress limits.

Piping and equipment pressure parts of the RCPB are usually assembled and erected by welding. Flanged, screwed or compression joints, when used, are in compliance with applicable codes. Welding procedures are employed which produce welds of complete fusion and free of unacceptable defects. All welding procedures, welders and welding machine operators are qualified in accordance with the requirements of Section IX of the ASME Boiler and Pressure Vessel Code for the materials to be welded. Qualification records, including the results of procedure and performance qualification tests and identification symbols assigned to each welder are maintained.

The pressure boundary has provisions for in-service inspection in accordance with Section XI of the ASME Boiler and Pressure Vessel Code, to ensure the continued structural and leaktight integrity of the boundary (see also response to Criterion 32 and Subsection 5.2.4). For the reactor vessel, a material surveillance program conforming with the requirements of Appendix H to 10CFR50 is given in Subsection 5.3.1.6.

Means are provided to detect significant leakage from the RCPB with monitoring readouts and alarms in the control room, as discussed in Subsection 5.2.5.

3.1.11 CRITERION 15 - REACTOR COOLANT SYSTEM DESIGN

CRITERION:

The Reactor Coolant System and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences.

RESPONSE:

The design criteria and bases for the RCPB are described in the response to Criterion 14.

The operating conditions established for normal steady and transient plant operations are discussed in Chapter 5. The normal operating limits are selected so that an adequate margin exists between them and the design limits. The plant control systems maintain the plant variables well within the established operating limits. Plant transient response characteristics and pressure and temperature distributions during normal operations are considered in the design as well as the accuracy and response of the instruments and controls.

These design techniques ensure that a satisfactory margin is maintained between the plant's normal operating conditions, including design transients, and the design limits for the RCPB.

The RPS minimizes the deviation from normal operating limits in the event of anticipated operational occurrences (ANSI N18.2 Condition II occurrences). Analyses for this plant show that the design limits for the RCPB are not exceeded in the event of any ANSI N18.2 Condition II occurrence: Faults of Moderate Frequency.

For further discussion refer to the following sections: 5.2 Integrity of Reactor Coolant Pressure Boundary, 5.4.1 Reactor Coolant Pumps, and 7.2 Reactor Trip System.

3.1.12 CRITERION 16 - CONTAINMENT DESIGN

CRITERION:

Reactor containment and associated systems shall be provided to establish an essentially leaktight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.

RESPONSE:

The Containment System is designed to provide for protection of the public from the consequences of a loss-of-coolant accident, based on a postulated break of the reactor coolant piping up to and including a double-ended break of the largest reactor coolant pipe.

The containment vessel, Shield Building, and the Engineered Safety Features Systems are designed to safely withstand all internal and external environmental conditions that may reasonably be expected to occur during the life of the plant, including both short and long term effects following a loss-of-coolant accident. Due consideration has been given to all site factors and local environment as they relate to public health and safety. For further discussion, see the following sections: 3.8.4.1.1 Shield Building, 3.8.2 Design of Steel Containment, 6.2 Containment Systems, 15.0 Accident Analysis.

3.1.13 CRITERION 17 - ELECTRIC POWER SYSTEMS

CRITERION:

An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.

Electric power from the transmission network to the onsite electric distribution system shall be supplied by two, physically-independent circuits (not necessarily on separate right-of-ways) designed and located so as to minimize, to the extent practical, the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained.

Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

RESPONSE:

A summary description of the electric power system is provided in Section 8.1. Full descriptions of the offsite and onsite power systems are included in Sections 8.2 and 8.3, respectively. All onsite emergency and vital equipment, as required to meet the safety function defined above, is redundant, with each division fed from separate and independent engineered safety feature (ESF) buses.

WSES-FSAR-UNIT-3 3.1-11 Revision 11-A (02/02)

Alternate power systems are provided as follows:

a) Several 230 kV transmission lines, any of which is capable of supplying power for the engineered safety features in the event of loss of auxiliary transformer power.

b) Two half-capacity auxiliary transformers directly connected to the main generator 25 kV isolated phase bus to supply power for the unit under normal operating conditions. The transformers also provide auxiliary power to the unit when the main generator is disconnected from the 230 kV system and the unit is carrying its own auxiliaries.

c) Two half-capacity start-up transformers to provide start-up power and full capacity standby auxiliaries service (engineered safety features loads) from the 230 kV switchyard.

d) Two independent on-site diesel generator sources are each capable of supplying 100 percent power for one of the two redundant Engineered Safety Features System trains in the event of a loss of auxiliary transformer power and start-up transformer power.

(DRN 00-1121)

The Transmission System will provide reliable sources of offsite power for supplying the station auxiliary power system for plant start-up, shutdown, or at any time that power is unavailable from the station main generator. All transmission lines approach the plant along a common right-of-way, on independent structure. Although in the same right-of-way, the two lines are spaced sufficiently far apart that a falling transmission tower cannot involve the other line.

(DRN 00-1121)

In the event of a loss of all offsite power sources, standby onsite diesel generators and station batteries provide the necessary power for safe shutdown or, in the event of an incident, to restrict the consequences to within acceptable limits. Both the onsite ESF dc and standby ac power systems consist of redundant and independent power sources and distribution systems such that a single failure will not prevent either system from performing its safety functions.

A review of systems stability is performed to confirm that a very small probability exists of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

3.1.14 CRITERION 18 - INSPECTION AND TESTING OF ELECTRICAL POWER SYSTEMS

CRITERION:

Electrical power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features such as wiring, insulation, connections, and switchboards to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system.

WSES-FSAR-UNIT-3 3.1-12 Revision 11-A (02/02)

RESPONSE:

Electrical power systems important to safety are designed to permit appropriate periodic inspection and testing of important areas and features such as wiring, insulation, connections, and switchboards to assess the continuity of the systems and to detect deterioration, if any, of their components. Capability is provided to periodically test the operability and functional performance of the components of the systems. The diesel generators are started and loaded periodically on a routine basis and relays, switches, and buses are inspected and tested for operation and availability on an individual basis.

(DRN 00-1121)

Transfers from normal to emergency sources of power are made to check the operability of the systems and the full operational sequence that brings the systems into operation.

(DRN 00-1121)

For those components which are required to operate under extreme conditions, such as design earthquake seismic loads or containment post-accident environment parameters, the manufacturers submit type test, operational or calculational data which substantiates this capability of the equipment (refer to Sections 3.10 and 3.11).

For further discussion, refer to the following Subsections: 8.3.1.2 Analysis of AC Power Systems, 8.3.2.2 Analysis of DC Power Systems, Technical Specification (Emergency Power System Periodic Tests).

3.1.15 CRITERION 19 - CONTROL ROOM

CRITERION:

A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.

Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

WSES-FSAR-UNIT-3 3.1-13 Revision 14 (12/05)

RESPONSE:

Following proven power plant design philosophy, all control stations, switches, controllers and indicators necessary to operate and shut down the nuclear unit and maintain safe control of the facility are located in one common control room.

(DRN 99-1095, R11; 00-1032, R11-A; 00-1121, R11-A)

The design of the main control room (Section 6.4) permits safe occupancy during abnormal conditions without personnel receiving radiation exposure in excess of five rem whole body or its equivalent. Shielding is designed to maintain tolerable radiation exposure levels (see Section 12.1) in the main control room for postulated accident conditions, including a loss-of-coolant accident. The main control room is pressurized relative to the outside atmosphere following the occurrence of a radiological accident. Food, water and other habitability systems are provided for main control room personnel for the duration of any postulated accident. Positive air pressure is maintained in the main control room after receipt of a safety injection actuation signal or a high radiation signal. The Main Control Room Air Conditioning System is provided with radiation and toxic chemical detectors and alarms. The main control room is isolated during a postulated toxic chemical accident. Provisions are made for main control room air to be recirculated through high-efficiency particulate and charcoal filters following any accident. Emergency lighting is provided (see Subsection 9.5.3).

(DRN 99-1095, R11; 00-1032, R11-A; 00-1121, R11-A)

Alternate controls and instruments at a location outside the main control room are available for those items of equipment required to bring the plant to, and maintain it in, a hot standby condition. It is also possible to reach a cold shutdown condition from locations outside of the main control room in a reasonable period of time through the use of suitable procedures (see Subsection 7.4.1).

3.1.16 CRITERION 20 - PROTECTION SYSTEM FUNCTIONS

CRITERION:

The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

RESPONSE:

(DRN 04-1095, R14)

A Plant Protection System (PPS) is provided to monitor reactor and plant operating conditions and automatically initiate a reactor trip when the monitored variable or combination of variables approach specified limiting safety system settings. These limiting safety system settings are selected to ensure that the design basis anticipated operational occurrences do not cause acceptable fuel design limits (peak fuel centerline temperature and departure from nucleate boiling ratio (DNBR)) to be exceeded. Section 7.2 describes specific reactor trips and provides the list of anticipated operational occurrences accommodated.

(DRN 04-1095, R14)

WSES-FSAR-UNIT-3 3.1-14 Revision 14 (12/05)

Reactor trip is accomplished by de-energizing the control element drive mechanism (CEDM) holding latch coils through the interruption of the CEDM power supply. The control element assemblies (CEAs) are thus released to drop into the core, rapidly inserting negative reactivity to shut down the reactor. The CEDMs are described in Subsection 3.9.4.

The PPS also functions to monitor certain accident conditions and automatically initiate various required Engineered Safety Features Systems and their support systems when the monitored variables reach their set points. The parameters that automatically actuate ESF are described in Section 7.3. Controls are provided for manual actuation of ESF.

(DRN 04-1095, R14)

The specified acceptable fuel design limits on peak fuel centerline temperature and DNBR are intended to enforce the principal thermal hydraulic design basis given in Subsection 4.4.1, i.e., the avoidance of thermally-induced fuel damage during normal steady-state operation and during anticipated operational occurrences. The specified acceptable fuel design limit on peak fuel centerline temperature is specifically intended to prevent fuel melting.

Clad strain limits are not explicitly addressed by the specified acceptable fuel design limits on peak fuel centerline temperature and minimum DNBR. However, the specified acceptable fuel design limits, in conjunction with the limiting conditions for operation, define possible reactor operating conditions that are considered in the calculation of clad strain.

(DRN 04-1095, R14)

3.1.17 CRITERION 21 - PROTECTION SYSTEM RELIABILITY AND TESTABILITY

CRITERION:

The protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

RESPONSE:

The PPS is designed to provide high functional reliability and in-service testability. The protection system is designed to comply with the requirements of IEEE Standard 279-1971. No single failure will result in the loss of the protection function. The protection channels are independent, e.g., with respect to piping, wire routing, mounting, and supply of power. This independence permits testing and the removal from service of any component or channel without loss of the protection function.

Each channel of the PPS, from the sensors up to the final actuation device, is capable of being checked by comparison of outputs of similar channels that are presented on indicators and/or recorders on the control board. Trip units and logic are tested by inserting a signal into the measurement channel ahead of the readout and, upon application of trip level input, observing that a signal passes through the trip unit and the logic to the logic output relays. The logic output relays are tested individually for initiation of trip action. The parallel trip circuit breakers that supply power to the CEDM holding coils may be tested during reactor operation without effecting a reactor trip.

The benefit of a system that includes four independent and redundant channels is that the system can be operated, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criteria. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic testing or maintenance. The system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance or testing.

Plant Protection System reliability and testability are discussed in Subsections 7.2.2 and 7.3.2.

3.1.18 CRITERION 22 - PROTECTION SYSTEM INDEPENDENCE

CRITERION:

The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

RESPONSE:

The PPS conforms to the provisions of IEEE Standard 279-1971. Four independent measurement channels complete with sensors, sensor power supplies, signal conditioning units, and bistable trip units are provided for each protective parameter monitored by the protection systems. The measurement channels are provided with a high degree of independence by separate connections of the channel sensors to the process systems. Power to the channels is provided by independent nuclear instrumentation buses (see Chapter 7).

Functional diversity is incorporated in the system design to the extent that is practical to prevent loss of the protection function.

The PPS is functionally tested to ensure satisfactory operation prior to installation in the plant. Environmental and seismic qualifications are also performed utilizing type tests and specific equipment tests as discussed in Sections 3.10 and 3.11.

3.1.19 CRITERION 23 - PROTECTION SYSTEM FAILURE MODES

CRITERION:

The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

WSES-FSAR-UNIT-3 3.1-16 Revision 12 (10/02)

RESPONSE:

PPS trip channels are designed to fail into a safe state or into a state established as acceptable in the event of loss of power supply or disconnection of the system. A loss of power to the CEDM holding coils results in insertion of all CEAs by gravity into the core. Redundancy, channel independence, and separation are incorporated in the PPS design to minimize the possibility of the loss of protection function under adverse environmental conditions (see Chapter 7 and the response to Criterion 22).

3.1.20 CRITERION 24 - SEPARATION OF PROTECTION AND CONTROL SYSTEMS

CRITERION:

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

RESPONSE:

The PPS is separated from the control instrumentation systems so that failure or removal from service of any control instrumentation system component or channel does not inhibit the function of the PPS and will leave intact a protection system satisfying all reliability, redundancy and independence requirements of the protective system (refer to Section 7.2).

3.1.21 CRITERION 25 - PROTECTION SYSTEM REQUIREMENTS FOR REACTIVITY CONTROL MALFUNCTIONS

CRITERION:

The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods.

RESPONSE:

Shutdown of the reactor is accomplished by opening of the reactor trip breakers that interrupt power to the CEDM holding coils. Actuation of the trip breakers is independent of any existing control signals.

(DRN 01-1102; 02-1476)

The protection system is designed such that specified acceptable fuel design limits are not exceeded for specified single malfunctions of the reactivity control systems, including the withdrawal of a single CEA. A definition of the specified single malfunctions of the reactivity control systems accommodated by the protection system design is included in Section 7.2. Analyses of specified control malfunctions are provided in Chapter 15.

(DRN 01-1102; 02-1476)

3.1.22 CRITERION 26 - REACTIVITY CONTROL SYSTEM REDUNDANCY AND CAPABILITY

CRITERION:

Two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes, (including xenon burnout) to assure that acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.

RESPONSE:

Two independent reactivity control systems of different design principles are provided. The first system, using CEAs, includes a positive means (gravity) for inserting CEAs, and is capable of reliably controlling reactivity changes to ensure that under conditions of normal operation, including anticipated operational occurrences, specified acceptable fuel design limits are not exceeded. The CEAs can be mechanically driven into the core. The appropriate margin for stuck rods is provided by assuming in the analyses of anticipated operational occurrences that the highest worth CEA is stuck out of the core.

The second system, the Chemical and Volume Control System (CVCS), uses neutron absorbing soluble boron and is capable of reliably compensating for the rate of reactivity changes resulting from planned normal power changes (including xenon burnout) such that acceptable fuel design limits are not exceeded. This system is capable of holding the reactor subcritical under cold conditions. For a further description, see Subsection 9.3.4.

Either system is capable of making the core subcritical from a hot operating condition, and holding it subcritical in the hot standby condition.

For further discussion, see Sections 7.4 and 7.7.

3.1.23 CRITERION 27 - COMBINED REACTIVITY CONTROL SYSTEMS CAPABILITY

CRITERION:

The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the Emergency Core Cooling System, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained.

WSES-FSAR-UNIT-3 3.1-18 Revision 12 (10/02)

RESPONSE:

The reactivity control systems, which provide the means for making and holding the core subcritical under postulated accident conditions, are discussed in Section 4.3 and Subsection 9.3.4. Combined use of CEAs and chemical shim control by the Chemical and Volume Control System (CVCS) provides the shutdown margin required for plant cooldown and long-term xenon decay, assuming the highest worth CEA is stuck out of the core.

During an accident, the Safety Injection System injects concentrated boric acid into the Reactor Coolant System for long-term and short-term cooling and for reactivity control. Details of the system are given in Section 6.3.

3.1.24 CRITERION 28 - REACTIVITY LIMITS

CRITERION:

The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold water addition.

RESPONSE:

(DRN 01-1102; 02-1476)

The bases for CEA design include ensuring that the reactivity worth of any one CEA is not greater than a preselected maximum value. The CEAs are divided into two sets: a shutdown set, and a regulating set. These sets are further subdivided into groups as necessary. Administrative procedures and control interlocks ensure that the amount and are withdrawn only after the shutdown groups are fully withdrawn. The regulating groups are programmed to move in sequence and within limits which prevent the rate of reactivity addition and the worth of individual CEAs from exceeding limiting values. For the specified list of design bases anticipated operational occurrences, the CEA positions are monitored by the RPS, and a trip is initiated in the event that specified acceptable fuel design limits are approached (see Sections 4.3 and 7.7).

(DRN 01-1102; 02-1476)

The maximum rate of reactivity addition that is produced by the CVCS is too low to induce any significant pressure forces that might rupture the RCPB or disturb the reactor vessel internals.

The RCPB (refer to Chapter 5) and the reactor internals (refer to Chapter 4) are designed to appropriate codes (refer to the response to Criterion 14). They can accommodate the static and dynamic loads associated with an inadvertent, sudden release of energy, such as that resulting from a CEA ejection or a steam line break, without rupture and with limited deformation that will not impair the capability of cooling the core.

3.1.25 CRITERION 29 - PROTECTION AGAINST ANTICIPATED OPERATIONAL OCCURRENCES

CRITERION:

The protection and reactivity control systems shall be designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.

RESPONSE:

The design bases anticipated operational occurrences considered in the design of the RPS and the reactivity control systems are defined in Section 7.2. Consideration of redundancy, independence, and testability in the design, coupled with careful component selection, overall system testing, and adherence to detailed quality assurance, ensure an extremely high probability that safety functions are accomplished in the event of anticipated operational occurrences (refer to Chapters 4, 7 and 9).

3.1.26 CRITERION 30 - QUALITY OF REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:

Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage.

RESPONSE:

The RCPB components are designed, fabricated, erected, and tested in accordance with the ASME Code, Section III. All major components are classified safety class I as specified in Subsection 3.2.2. Accordingly, they receive all of the quality assurance measures appropriate to that classification.

Detection and identification of reactor coolant leakage is discussed in Subsection 5.2.5. The system is designed to detect and, to the extent practical, identify the source of reactor coolant leakage.

Further discussion relating to quality of the RCPB is contained in Section 5.2.

3.1.27 CRITERION 31 - FRACTURE PREVENTION OF REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:

The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions (1) the boundary behaves in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of irradiation on material properties, (3) residual, steady-state and transient stresses, and (4) size of flaws.

RESPONSE:

All RCPB components are designed and constructed in accordance with ASME Code, Section III and comply with the test and inspection requirements of these codes. These requirements ensure that flaw sizes are limited so that the probability of failure by rapid propagation is extremely remote. Particular emphasis is placed upon the quality control applied to the reactor vessel, on which tests and inspections exceeding ASME code requirements are performed. These tests and inspections are summarized in Sections 5.2 and 5.4.

Carbon and low-alloy steel materials that form part of the pressure boundary are assessed for fracture toughness in accordance with Branch Technical Position MTEB 5-2, Fracture Toughness Requirements. Through this approach, the available test data is used to estimate fracture toughness in the same terms as the new requirements set forth by Appendix G of 10CFR50.

Excessive neutron-induced changes of the reactor vessel material due to neutron radiation are prevented by providing an annulus of coolant water between the reactor core and the vessel. In addition, to minimize the effects of irradiation on material toughness properties on core beltline materials, restrictions are placed on upper limits for those residual chemical elements that directly influence the nil ductility transition temperature (NDTT) shifts. This is accomplished through material specifications for the plates and deposited welds. Specifically, upper limits are placed on copper, phosphorus, sulfur and vanadium.

The maximum integrated fast neutron flux exposure of the reactor vessel wall opposite the midplane of the core is less than 3.68 x 10^19 nvt. This value assumes a 40 year vessel design life, with the plant at the design power level 80 percent of the time. The maximum expected increase in transition temperature is about 160°F. The actual change in material toughness properties due to irradiation is verified periodically during plant lifetime by a material surveillance program conforming to the requirements of ASTM-E-185 as revised in 1982. Based on the reference nil ductility temperature (RT_NDT), operating restrictions are applied as necessary to limit vessel stresses.

The thermal stresses induced by the injection of cold water into the vessel, following a LOCA, were examined. The test results and analysis show that there is no gross yielding across the vessel wall using the minimum specified yield strength in the ASME Boiler and Pressure Vessel Code, Section III, Division 1.

3.1.28 CRITERION 32 - INSPECTION OF REACTOR COOLANT PRESSURE BOUNDARY

CRITERION:

Components which are part of the reactor coolant pressure boundary shall be designed to permit (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program for the reactor pressure vessel.

WSES-FSAR-UNIT-3 3.1-21 Revision 10 (10/99)

RESPONSE:

Provisions are made in the design for inspection, testing and surveillance of the RCS boundary as required by ASME Boiler and Pressure Vessel Code Section XI and Section III, Division 1, as applicable.

The reactor vessel surveillance program conforms with ASTM-E-185, "Standard Recommended Practice for Surveillance Tests for Nuclear Reactor Vessels," as revised in 1982. The details of the reactor surveillance program are given in Section 5.2. Sample pieces taken from the same shell plate material used in fabrication of the beltline region of the reactor vessel are installed between the core and the vessel inside wall. These samples are removed and tested at intervals during vessel life to provide an indication of the extent of the neutron-induced changes in mechanical properties at the vessel wall. Charpy tests are performed for the samples to develop a Charpy transition curve. By comparison of this curve with the Charpy curve and drop weight tests for specimens taken at the beginning of the vessel life, the change of RT NDT is determined and operating procedures adjusted as required.

The surveillance program described in Section 5.3 includes provisions that comply with the NRC regulation, Reactor Vessel Material Surveillance Program Requirements, 10CFR50, Appendix H.

3.1.29 CRITERION 33 - REACTOR COOLANT MAKEUP

CRITERION:

A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary. The system shall be designed to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation.

WSES-FSAR-UNIT-3 3.1-22

RESPONSE:

Reactor coolant makeup during normal operation is provided by the Chemical and Volume Control System (CVCS). The design incorporates a high degree of functional reliability by provision of redundant components and an alternate path for charging. The charging pumps can be powered from either onsite or offsite power sources, including the onsite emergency diesel generators.

There are three charging pumps associated with the CVCS. One of these pumps is normally in operation balancing the letdown purification flow and the reactor coolant pump controlled bleed-off flow rate. A complete system functional description is provided in Subsection 9.3.4.

It is not the primary function of the CVCS to provide protection against small breaks; this safety function is provided by the Safety Injection System (SIS). The CVCS does have the capability, with only one charging pump available, to supplement the HPSI pump injection flow for a certain range of small breaks; additionally, the CVCS is capable of replacing the flow loss to the Reactor Coolant System for leaks in the reactor coolant piping up to 0.50 inch equivalent diameter.

3.1.30 CRITERION 34 - RESIDUAL HEAT REMOVAL

CRITERION:

A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

RESPONSE:

The Shutdown Cooling System provides residual heat removal for reactor coolant temperature of less than 350° F. For temperatures greater than 350° F, the steam generators provide this function. The design incorporates sufficient redundancy, interconnections, leak detection, and isolation capability to ensure that residual heat removal is accomplished, assuming failure of a single active component. Either system removes fission product decay heat at a rate that prevents violation of acceptable fuel design limits and the design conditions of the RCPB.

The Shutdown Cooling System and the steam generator auxiliaries are designed to operate either from offsite or onsite power sources.

WSES-FSAR-UNIT-3 3.1-23

Further discussion is included in Subsection 9.3.6 for the Shutdown Cooling System and in Chapter 10 for the Steam and Power Conversion System.

3.1.31 CRITERION 35 - EMERGENCY CORE COOLING

CRITERION:

A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

RESPONSE:

Emergency core cooling is provided by the Safety Injection System (SIS) described in Section 6.3. This system provides adequate borated cooling water to remove heat at a rate sufficient to maintain the fuel in a coolable geometry and to ensure that zirconium-water reaction is limited to a negligible amount (less than one percent). Detailed analysis is performed to verify that the system performance is adequate to satisfy the new NRC Acceptance Criteria for ECCS for Light Water Power Reactors (10CFR50, Appendix K, January 4, 1974). Details of this analysis are provided in Subsection 6.2.1.5, Section 6.3, and Chapter 15.

The system design includes adequate provisions to assure that the required safety functions are provided with single active failure of any component and with either onsite or offsite electrical power system operation.

3.1.32 CRITERION 36 - INSPECTION OF EMERGENCY CORE COOLING SYSTEM

CRITERION:

The Emergency Core Cooling System shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping to assure the integrity and capability of the system.

RESPONSE:

The Safety Injection System layout arrangement and design facilitates access to all critical components.

All pumps, valves, and piping external to the Reactor Building are readily accessible for periodic inspection to ensure system leaktight integrity. Valves, piping, and tanks inside the Reactor Building are inspected for leaktightness during plant shutdowns for refueling and maintenance.

WSES-FSAR-UNIT-3 3.1-24

Reactor vessel internal structures, reactor coolant piping, and safety injection nozzles are accessible for visual inspection for wear due to erosion, corrosion, or vibration and nondestructive inspection techniques in accordance with the requirements of Section XI of the ASME Boiler and Pressure Vessel Code.

Details of the inspection program are described in Chapters 5, 6 and 16, as appropriate.

3.1.33 CRITERION 37 - TESTING OF EMERGENCY CORE COOLING SYSTEM

CRITERION:

The Emergency Core Cooling System shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance on the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

RESPONSE:

The Safety Injection System provides the testing capability required to demonstrate system and component operability. Testing is conducted during normal plant operation with the test facilities arranged so that they will not interfere with performance of the systems or with the initiation of control circuits, as described in Subsection 6.3.4.

The SIS permits periodic testing of the delivery capability up to a location as close to the core as practicable. Periodic injection into the RCS from the SIS during normal operation is not practical.

During normal operation, RCS pressure exceeds high pressure safety injection (HPSI) pump shutoff head.

Periodic pressure testing of the HPSI System to assure system integrity is possible using the cross connection from the charging pumps in the CVCS.

With the plant at operating pressure, operation of high and low pressure safety injection pumps is verified by recirculation back to the refueling water storage pool (RWSP). This permits verification of flow path continuity in the high pressure injection lines and suction lines from the RWSP.

In addition, the low pressure safety injection pumps are used as shutdown cooling pumps during normal plant cooldown. The pumps discharge into the safety injection header via the shutdown cooling heat exchangers and the low pressure injection lines.

Borated water from the safety injection tanks is bled through the recirculation test line to verify flow path continuity from each tank to its associated main safety injection header.

WSES-FSAR-UNIT-3 3.1-25

During refueling, blowdown tests provide additional evidence of safety injection tank operability.

Inadvertent HPSI pump actuation at the beginning of plant cooldown does not cause RCS heatup/cooldown limitations to be exceeded. Relief valves on the shutdown cooling (SDC) lines provide protection from accidental HPSI pump operation during SDC. Thus, no tests are required to cover this particular aspect.

The operational sequence that brings the Safety Injection System into action, including the transfer to alternate power sources, can be tested in parts as described in Section 6.3, Subsection 7.3.2 and Section 8.3.

3.1.34 CRITERION 38 - CONTAINMENT HEAT REMOVAL

CRITERION:

A system to remove heat from the reactor containment shall be provided. The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

RESPONSE:

The Containment Spray System, consisting of two pumps and two shutdown heat exchangers, and the Containment Cooling System, consisting of four fan coolers, function as emergency containment heat removal systems. Each of these systems has the full heat removal capability required for the most severe postulated loss-of-coolant accident.

The systems are provided with the emergency onsite power necessary for their operation assuming a loss of offsite power. The systems taken together provide the necessary capability for containment heat removal assuming a single failure in either system or in the emergency onsite power supply.

The Containment Spray System and the Containment Cooling System are described in Subsection 6.2.2.

3.1.35 CRITERION 39 - INSPECTION OF CONTAINMENT HEAT REMOVAL SYSTEM

CRITERION:

The containment heat removal system shall be designed to permit appropriate periodic inspections of important components, such as the torus, sumps, spray nozzles and piping to assure the integrity and capacity of the system.

WSES-FSAR-UNIT-33.1-26 Revision 11-A (02/02)

RESPONSE:

The Containment Spray System essential equipment except for risers, distribution header piping, spray nozzles and the safety injection system sump are located outside of the containment.

The safety injection system sump, spray piping, and nozzles may be inspected for leaktightness during plant shutdowns for refueling and maintenance. Piping, pumps, heat exchangers, and valves external to the containment structure are readily accessible for periodic inspection to check system leaktight integrity.

(DRN 00-0583)

Portions of the Containment Cooling System entirely within the containment can be inspected at the appropriate intervals during refueling shutdowns. Cooling water systems external to the containment which service the Containment Cooling System are accessible for inspection at any time during plant operation.

(DRN 00-0583)

In-service inspections of the Containment Spray System and Containment Cooling System are performed as indicated in Section 6.6.

3.1.36 CRITERION 40 - TESTING OF CONTAINMENT HEAT REMOVAL SYSTEM

CRITERION:

The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components (2) the operability and performance of the active components of the system as a whole, and under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation of applicable portions of the protection system, the transfer between normal and emergency power sources and the operation of the associated cooling water system.

RESPONSE:

System piping, valves, pumps, fans, heat exchangers, and other components of the containment heat removal system are designed to permit appropriate periodic testing to assure their structural and leaktight integrity. The components are arranged so that each component can be tested periodically for operability and required functional performance.

Three of the four containment cooling units are normally in operation. The fourth unit will be rotated in service with the other three for normal containment cooling. Transfer to alternate power sources can also be tested.

The operational sequence that would bring the Containment Spray System into action, including the transfer to alternate power sources, can be tested. With the plant at operating pressure, the containment spray pumps and valves may be operated by recirculation back to the refueling water storage pool. This will permit verification of flow path continuity in the spray lines and suction lines from the refueling water storage pool up to and including the first isolation valve outside the containment.

WSES-FSAR-UNIT-3 3.1-27 Revision 301 (09/07)

Testing of the Containment Spray System and Containment Cooling System is performed as indicated in Subsection 6.2.2.

3.1.37 CRITERION 41 - CONTAINMENT ATMOSPHERE CLEANUP

CRITERION:

Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained.

Each system shall have suitable redundancy in components and features and suitable interconnections, leak detection, and containment capabilities to assure that for onsite electric power system operation (assuming offsite is not available) and for offsite electric power system operation (assuming onsite power is not available), its safety function can be accomplished, assuming a single failure.

RESPONSE:

The Shield Building Ventilation System (SBVS), which consists of two full capacity redundant fan and filter systems, is designed consistent with the functioning of other associated systems, to reduce the concentration and quantity of fission products released to the environment following postulated accidents, including a loss-of-coolant accident. This is established by maintaining a subatmospheric pressure within the Shield Building annulus to ensure that post accident activity leakage from the steel containment is routed through the filter system. This system is described in Subsection 6.2.3.

(EC-5000082443, R301)

When containment pressures have been reduced to approximately atmospheric, the Containment Atmosphere Release System (CARS) can be started to purge containment.

The Containment Atmosphere Release System (CARS) prevents the buildup of dangerous concentrations of hydrogen in the containment following a loss-of-coolant accident. Operation will normally be initiated when the hydrogen concentration within the containment reaches a predetermined set point as determined by containment air sampling.

(EC-5000082443, R301)

The Containment Spray System, discussed in Subsection 6.5.2, provides for the removal of iodine from the containment atmosphere following a LOCA. The operation is initiated by the containment spray actuation signal.

(EC-5000082443, R301)

The Shield Building Ventilation System, the Containment Atmosphere Release System, Hydrogen Analyzer System and Containment Spray System have suitable redundancy to assure that for onsite electrical power system operation only, or for offsite electrical power system operation only, their safety functions can be accomplished, assuming a single failure.

(EC-5000082443 R301)

WSES-FSAR-UNIT-3 3.1-28 Revision 301 (09/07)

3.1.38 CRITERION 42 - INSPECTION OF CONTAINMENT ATMOSPHERE CLEANUP SYSTEMS

CRITERION:

The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.

RESPONSE:

The only components of the containment atmosphere cleanup systems inside the Shield Building are the ductwork of the SBVS, hydrogen recombiners and the containment spray nozzles and piping. These can be inspected during shutdown. The balance of equipment is located in the Reactor Auxiliary Building, where it is accessible for physical inspection.

Ducts, plenums, and casings will be provided with access doors for internal inspection at appropriate times.

(EC-5000082443, R301)

Specific inspection programs are discussed in Subsection 6.5.1.4 for the filter systems that are required to perform a safety related function following a design basis accident and Subsection 6.5.2.4 for the Containment Spray System.

(EC-5000082443, R301)

3.1.39 CRITERION 43 - TESTING OF ATMOSPHERE CLEANUP SYSTEMS

CRITERION:

The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems, such as fans, filters, dampers, pumps, and valves, and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of associated systems.

RESPONSE:

The Shield Building Ventilation System is designed and constructed to permit periodic pressure and functional testing. For purpose of periodically testing the retentive capability of the carbon filter (adsorber) system, test canisters are placed in the filter housing in locations which allow the canisters to be subjected to the same air currents as the charcoal beds. These canisters are periodically removed and tested.

High efficiency particulate (HEPA) and carbon filters, associated with the Shield Building Ventilation System, are located outside the containment for convenience for testing and inspection. Periodic tests are described in Subsection 6.5.1.4.

WSES-FSAR-UNIT-3 3.1-29

Active components of the Shield Building Ventilation System, Containment Atmosphere Release System, Hydrogen Recombiner System, Hydrogen Analyzer System and Containment Spray System can be tested periodically for operability and required functional performance.

The full operational sequence that would bring the SBVS, CARS, hydrogen recombiners and Containment Spray System into action, including the transfer to alternate power sources and the design capability, can be tested. Testing provisions are discussed in Subsections 6.2.5.4, 6.5.1.4 and 6.5.2.4.

3.1.40 CRITERION 44 - COOLING WATER

CRITERION:

A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems and components under normal operating and accident conditions.

Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

RESPONSE:

The Component Cooling Water System (CCWS) and the Auxiliary Component Cooling Water System (ACCWS) are designed to transfer heat from structures, systems and components important to safety, to the cooling towers. Two redundant, completely independent trains are provided, each of which is capable of removing the heat associated with normal operation or accident conditions.

The Component Cooling Water System is a closed loop cooling water system that includes three full capacity pumps, two heat exchangers and two dry cooling towers. The cooling water is pumped by the component cooling water pumps, through the dry cooling towers and the tube side of the CCW heat exchangers, through the components being cooled and back to the pumps.

The Auxiliary Component Cooling Water System removes heat, if required, from the CCWS via the CCW heat exchangers and dissipates it to the atmosphere. The ACCWS consists of two independent loops which include two CCWS heat exchangers (shell side), two full capacity pumps, two wet type, mechanical draft cooling towers and two cooling tower basins, each of which store sufficient water to complete a safe shutdown based upon the occurrence of a LOCA and minimum safeguards operation.

The piping, valves, pumps and heat exchangers in each system are arranged so that the system safety functions can be performed assuming a single system failure. The essential headers of each system will each be automatically isolated from the nonessential headers during emergency mode of operation.

WSES-FSAR-UNIT-3 3.1-30

Each system is normally pressurized permitting leakage detection by routine surveillance or monitoring instrumentation.

Electric power for the operation of each system may be supplied from offsite or onsite emergency power sources, with distribution arranged such that a single failure will not prevent the system from performing its safety function.

The CCWS and ACCWS are discussed in Subsection 9.2.2.

3.1.41 CRITERION 45 - INSPECTION OF COOLING WATER SYSTEM

CRITERION:

The cooling water system shall be designed to permit appropriate periodic inspection of important components, such as heat exchangers and piping, to assure the integrity and capability of the system.

RESPONSE:

The CCWS and ACCWS are designed to permit the required periodic inspections of heat exchangers and piping. Three CCW pumps are provided, two of which serve the two system loops used in normal operation. The third pump can operate on either loop, allowing inspection and maintenance of a pump while maintaining redundant system capability.

In-service inspection of the CCWS and ACCWS is performed as discussed in Section 6.6.

3.1.42 CRITERION 46 - TESTING OF COOLING WATER SYSTEM

CRITERION:

The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and the performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.

RESPONSE:

Two CCW pumps are normally operating, one per loop. Normally, both dry towers are continuously operated. Therefore, the structural and leaktight integrity of the components and the operability of their active components are demonstrated in this way. Data is taken periodically during normal plant operation to confirm heat transfer characteristics.

The ACCW pumps, wet towers and CCW heat exchangers are operated periodically to ensure their operability and to confirm performance requirements.

WSES-FSAR-UNIT-3 3.1-31

The systems are designed to permit testing of system operability, encompassing simulation of emergency reactor shutdown or LOCA conditions including the transfer between normal and emergency power sources.

The testing procedures are discussed in Subsection 9.2.2.

3.1.43 CRITERION 50 - CONTAINMENT DESIGN BASIS

CRITERION:

The reactor containment structure, including access openings, penetrations, and the containment heat removal system shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and, with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident. This margin shall reflect consideration of (1) the effects of potential energy sources which have not been included in the determination of the peak conditions such as energy in steam generators and energy from metal-water and other chemical reactions that may result from degraded emergency core cooling functioning, (2) the limited experience and experimental data available for defining accident phenomena and containment responses, and (3) the conservatism of the calculational model and input parameters.

RESPONSE:

The containment structure, including access openings and penetrations, is designed with sufficient conservatism to accommodate, without exceeding the design leak rate, the transient peak pressure and temperature associated with a postulated reactor coolant piping break, up to and including a double-ended rupture of the largest reactor coolant pipe. The containment design basis is discussed in Subsection 6.2.1.1.

The containment structure and Engineered Safety Features Systems are evaluated for various combinations of energy release. The analysis accounts for system thermal and chemical energy, and for nuclear decay heat. The cooling capacity of containment heat removal systems is adequate to prevent overpressurization of the structure, and to return the containment to near atmospheric pressure as discussed in Subsection 6.2.2.

3.1.44 CRITERION 51 - FRACTURE PREVENTION OF CONTAINMENT PRESSURE BOUNDARY

CRITERION:

The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing and postulated accident conditions (1) its ferritic materials behave in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) residual steady-state and transient stresses, and (3) size of flaws.

WSES-FSAR-UNIT-3 3.1-32

RESPONSE:

The containment vessel material (ASTM-SA516 Grade 70) is normalized to refine the grain structure, which results in improved ductility. In addition, the actual mechanical and chemical properties of the material are documented and are within the limits for minimum ductility defined in ASTM-A516.

The containment vessel is built to Subsection NE of Section III of the ASME Boiler and Pressure Vessel Code which requires that materials shall be impact-tested at a temperature at least 30 F below the lowest metal service temperature. These tests do not determine the nil-ductility transition temperature of the material but ensure that this temperature is at or below the test temperature.

The design of the vessel reflects consideration of all ranges of temperature and loading conditions which apply to the vessel during operation, maintenance, testing and postulated accident conditions.

Because this vessel is post weld heat treated, residual stresses from welding are minimal. Steady state and transient stresses are calculated in accordance with accepted methods.

All pressure boundary double butt welds that comprise the containment vessel are 100 percent radiographed and the acceptance standard of the radiographs ensures that flaws in welds do not exceed the maximum allowed by ASME Code.

Containment boundary design is discussed in Subsection 3.8.2.

3.1.45 CRITERION 52 - CAPABILITY FOR CONTAINMENT LEAKAGE RATE TESTING

CRITERION:

The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure.

RESPONSE:

The containment vessel is designed so that initial integrated leakage rate testing can be performed at design pressure after completion and installation of penetrations and equipment.

Provisions are made in the containment design to permit periodic leakage rate tests, at reduced or peak pressure, to verify the continued leaktight integrity of the containment.

Periodic integrated leakage rate testing will be carried out in accordance with the requirements of Appendix J to 10CFR50.

A description of the periodic integrated leakage rate testing is provided in Subsection 6.2.6.

WSES-FSAR-UNIT-3 3.1-33

3.1.46 CRITERION 53 - PROVISIONS FOR CONTAINMENT TESTING AND INSPECTION

CRITERION:

The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.

RESPONSE:

The absence of insulation on the containment vessel permits appropriate periodic inspection of the accessible interior and exterior surfaces of the vessel. The lower portions of the containment vessel are totally encased in concrete and will not be accessible for inspection after the acceptance testing. There will be no need for any special in-service surveillance program due to the rigorous design, fabrication, inspection and pressure testing the containment vessel receives prior to operation. Visual inspection of the accessible interior and exterior surface of the containment vessel will be made.

Provisions are made to permit periodic testing of penetrations which have resilient seals or expansion bellows to allow leaktightness to be demonstrated at containment design pressure. Inspection and testing of the containment is carried out in accordance with Appendix J of 10CFR50.

Provisions for testing and inspection are discussed in Subsection 6.2.6.

3.1.47 CRITERION 54 - PIPING SYSTEMS PENETRATING CONTAINMENT

CRITERION:

Piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities which reflect the importance to safety of isolating these piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus to determine if valve leak-off is within acceptable limits.

RESPONSE:

Piping penetrating the containment vessel shell is designed to withstand at least a pressure equal to the containment vessel maximum internal pressure. The design bases require a double barrier on all of the above systems not required to limit the consequences of accidents, so that no single failure or malfunction of an active component can result in loss of isolation or intolerable leakage. Valves are designed to a maximum allowable leakage of 1/10 of a standard cubic foot of air per hour per inch of diameter of nominal valve size at containment design pressure.

WSES-FSAR-UNIT-3 3.1-34 Revision 15 (03/07)

Valves isolating penetrations serving Engineered Safety Feature Systems will not automatically close with the containment isolation actuation signal (CIAS), but may be closed by remote manual operation from the main control room to isolate any Engineered Safety Feature System when required. Proper valve closing times are achieved by appropriate selection of valve, operator type, and operator size. To ensure continued integrity of the containment isolation system, periodic closure and leakage rate tests will be performed to insure that leakage will be within specified limits based upon maintaining post accident site boundary doses within acceptable guidelines.

Design and isolation requirements for piping systems penetrating the containment are provided in Subsection 6.2.4.

3.1.48 CRITERION 55 - REACTOR COOLANT PRESSURE BOUNDARY PENETRATION CONTAINMENT

CRITERION:

Each line that is part of the reactor coolant pressure boundary and that penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

a) One locked closed isolation valve inside and one locked closed isolation valve outside containment or,

b) One automatic isolation valve inside and one locked closed isolation valve outside containment or,

c) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment or,

d) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.

(DRN 06-870, R15)

Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety.

Determination of the appropriateness of these requirements such as higher quality in design, fabrication, and testing, additional provisions for in-service inspection, protection against more severe natural phenomena, and additional isolation valves and containment, shall include consideration of the population density, use characteristics, and physical characteristics of the site environs. (DRN 06-870, R15)

RESPONSE:

Except for the safety injection and CVCS charging lines, the reactor coolant pressure boundary as defined in 10CFR50 is located within the containment. The safety injection and CVCS charging lines are closed seismic Category I piping systems outside containment with isolation valves that meet the isolation criteria of GDC 55. Isolation valves are located as close to the containment as practical.

Valves covered by the above criterion are described in Subsection 6.2-4.

3.1.49 CRITERION 56 - PRIMARY CONTAINMENT ISOLATION

CRITERION:

Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

a) One locked closed isolation valve inside and one locked closed valve outside containment or,

b) One automatic isolation valve inside and one locked closed isolation valve outside containment or,

c) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment or,

d) One automatic valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic valve outside containment.

Isolation valves outside the containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides the greater safety.

RESPONSE:

The lines which connect directly to the containment atmosphere and penetrate the primary containment are provided with two valves in series where they penetrate the containment, so that failure of one active component will not prevent isolation. Each of these lines meets the isolation criteria of GDC 56.

As described in Subsection 6.2.4, the safety injection system sump penetrations contain valves outside the containment which are never open during normal operation. In addition, the lines form a closed seismic Category I system outside of containment and, after a LOCA, the suction portion of these lines inside containment is covered by water.

Valves covered by the above criterion are described in Subsection 6.2.4.

3.1.50 CRITERION 57 - CLOSED SYSTEMS ISOLATION VALVES

CRITERION:

Each line that penetrates the primary reactor containment, and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere, shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. This valve shall be outside the containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.

RESPONSE:

Each line that penetrates the reactor containment, and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere, has at least one containment isolation valve located outside the containment as close to the containment as practical. Each of these lines meets the isolation criteria of GDC 57.

Valves covered by the above criterion are described in Subsection 6.2.4.

3.1.51 CRITERION 60 - CONTROL OF RELEASES OF RADIOACTIVE MATERIALS TO THE ENVIRONMENT

CRITERION:

The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. Sufficient holdup capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.

RESPONSE:

The facility controls the release of radioactive materials in gaseous and liquid effluents and handles radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. The radioactive waste management systems minimize the potential for an inadvertent release of radioactivity from the facility and ensure that the discharge of radioactive wastes is maintained in accordance with the limits of 10CFR50, Appendix I. Radioactive materials which do not meet release limits will not be discharged to the environment. The Waste Management System is designed with sufficient holdup capacity and flexibility for processing of wastes to ensure that releases are as low as reasonably achievable.

WSES-FSAR-UNIT-3 3.1-37 Revision 11-A (02/02)

The Solid Radwaste System is capable of handling all radioactive solid wastes produced by the plant for shipment offsite.

The Radioactive Waste Processing System, the design criteria, and the amounts of estimated releases of radioactive effluents to the environment are described in Chapter 11.

3.1.52 CRITERION 61 - FUEL STORAGE AND HANDLING AND RADIOACTIVITY CONTROL

CRITERION:

(DRN 00-1032)

The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. These systems shall be designed (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection, (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions. (DRN 00-1032)

RESPONSE:

The Fuel Pool Cooling System, Fuel Handling System (FHS), and Radioactive Waste Processing System ensure adequate safety under normal and postulated accident conditions.

The Fuel Pool Cooling System provides cooling to remove residual heat from the fuel stored in the spent fuel pool. Data is taken periodically during normal plant operation to confirm heat transfer capabilities and differential across components. The Fuel Pool Cooling System is described in Subsection 9.1.3.

The spent fuel pool meets seismic Category I requirements and is protected against postulated missiles so that no postulated accident could cause excessive loss-of-coolant inventory.

Most of the components and systems in this category are in frequent use and no special testing is required. These systems and components important to safety which are not normally operating are tested periodically at appropriate intervals.

The spent fuel storage racks are covered by water which provides sufficient shielding over stored fuel assemblies to limit radiation at the surface of the water to no more than 2.5 mr/hr during the storage period.

The exposure time during refueling is limited so that the integrated dose to operating personnel does not exceed the limits of 10CFR20. Adequate shielding is provided as described in Section 12.3. Radiation monitoring is provided as discussed in Sections 11.5 and 12.3.

Individual components that contain radioactivity are located in confined areas and are ventilated through appropriate filtering systems as discussed in Subsection 9.4.2.

3.1.53 CRITERION 62 - PREVENTION OF CRITICALITY IN FUEL STORAGE AND HANDLING

CRITERION:

Criticality in the fuel storage and handling system will be prevented by physical systems or processes, preferably by use of geometrically safe configurations.

RESPONSE:

A safe geometric spacing is provided for both new and spent fuel assemblies which are stored in racks in parallel rows. An edge-to-edge spacing employed for the new fuel storage racks results in a keff of 0.98 or less utilizing dry storage. The edge-to-edge spacing for the spent fuel storage racks results in keff of 0.95 or less without taking credit for the boron in the fuel pool water. New and spent fuel storage is described in Section 9.1.

3.1.54 CRITERION 63 - MONITORING FUEL AND WASTE STORAGE

CRITERION:

Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions.

RESPONSE:

Monitoring and alarm instrumentation are provided for fuel and waste storage and handling areas for conditions that might contribute to a loss of continuity in decay heat removal and to radiation exposure.

Area radiation monitors described in Section 12.3 are provided to detect and alarm excessive radiation levels in the Fuel Handling Building and Waste Management System areas.

The heat generated in the waste storage facilities is low and therefore does not require a specific heat removal system. The normal area ventilating systems are sufficient.

Control room alarms are provided to alert the operator to high and low liquid level and high temperature in the fuel pool. A low pressure alarm on the fuel pool pumps' discharge header is provided to warn of interruption of the cooling flow. Instrumentation is discussed in Subsection 9.1.3.

3.1.55 CRITERION 64 - MONITORING RADIOACTIVITY RELEASES

CRITERION:

Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.

RESPONSE:

Provisions are made for monitoring the containment atmosphere, the facility effluent discharge paths, the operating areas within the plant and the facility environs for radioactivity that could be released from normal operations, from anticipated operational occurrences and from postulated accidents.

Those liquid and gaseous wastes containing radioactive matter are processed by the Waste Management System which functions to remove radioactive material from these wastes by filtration, ion exchange or distillation prior to discharge. In the event of high radiation, the wastes will be stored until the radioactivity has decayed sufficiently to permit discharge.

Liquid wastes are grab sampled, and if the contained activity meets applicable limits they may be released with continuous monitoring to the circulating water discharge.

Gaseous wastes are compressed and stored in the gas decay tanks. The gas is sampled to determine radioactivity concentration to assure release limits are not exceeded, and is monitored during release through the plant vent.

Solid wastes that are produced will be packaged in licensed shipping containers and transported offsite for disposal. Radioactivity of the contents of containers will be monitored.

Area radiation monitors are discussed in Section 12.3.

Instrumentation is provided to monitor plant variables and systems under post accident conditions and to follow the course of the accident, as described in Section 7.5.