ML17046A278

Revision 29 to Updated Final Safety Analysis Report, Section 3.0, Design of Structures, Components, Equipment, and Systems
Site: Salem
Issue date: 01/30/2017
From: Public Service Enterprise Group
To: Office of Nuclear Reactor Regulation
Shared Package: ML17046A230
References: LR-N17-0034



SECTION 3 DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT, AND SYSTEMS

3.1 CONFORMANCE WITH GENERAL DESIGN CRITERIA

3.1.1 Introduction

The general design criteria that were followed in the design of this plant are the Atomic Industrial Forum (AIF) version, as published in a letter to the Atomic Energy Commission from E. A. Wiggin, Atomic Industrial Forum, dated October 2, 1967. The criteria were developed as performance criteria which define or describe safety objectives and procedures, and they provide a guide to the type of plant design information which is included in this report.

In addition to the AIF General Design Criteria, the Salem Generating Station (SGS) was designed to comply with Public Service Electric & Gas (PSE&G's) understanding of the intent of the AEC's proposed General Design Criteria, as published for comment by the AEC in July, 1967. The application of the AEC's proposed General Design Criteria to the Salem station is discussed in Section 3.1.2.

A comparison of the Salem plant design with 10CFR50, Appendix A (General Design Criteria for Nuclear Power Plants dated July 7, 1971) is provided in Section 3.1.3. PSE&G's general criteria for the Salem plant are discussed in Section 3.1.4.

3.1-1 SGS-UFSAR Revision 12 July 22, 1992

3.1.2 Conformance with AEC Proposed General Design Criteria (July 1967)

Criterion 1 - Quality Standards

Those systems and components of reactor facilities which are essential to the prevention of accidents which could affect the public health and safety or to mitigation of their consequences shall be identified and then designed, fabricated, and erected to quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety functions, they shall be supplemented or modified as necessary. Quality assurance programs, test procedures, and inspection acceptance levels to be used shall be identified. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.

Discussion

The systems and components of the facility have been classified according to their importance in the prevention and mitigation of accidents which could cause undue risk to the health and safety of the public. These classifications are described in Section 3.2. A discussion of the codes and standards, test provisions, etc., applying to each system is included in that portion of the report describing that system. The Salem Generating Station Quality Assurance Program is outlined in Section 17.

Criterion 2 - Performance Standards

Those systems and components of reactor facilities which are essential to the prevention of accidents which could affect the public health and safety or to mitigation of their consequences shall be designed, fabricated and erected to performance standards that will enable the facility to withstand, without loss of the capability to protect the public, the additional forces that might be imposed by natural phenomena such as earthquakes, tornadoes, flooding conditions, winds, ice, and other local site effects. The design bases so established shall reflect: (a) appropriate consideration of the most severe of these natural phenomena that have been recorded for the site and the surrounding area and (b) an appropriate margin for withstanding forces greater than those recorded to reflect uncertainties about the historical data and their suitability as a basis for design.

Discussion

The systems and components designated Class I are designed to withstand without loss of capability to protect the public, the most severe environmental hazards discussed and analyzed in Sections 2 and 3. The influence of these hazards on various aspects of the plant design is discussed in the sections covering the specific systems and components concerned.

Criterion 3 - Fire Protection

The reactor facility shall be designed (1) to minimize the probability of events such as fires and explosions and (2) to minimize the potential effects of such events to safety. Noncombustible and fire resistant materials shall be used whenever practical throughout the facility, particularly in areas containing critical portions of the facility such as Containment, control room, and components of engineered safety features.

Discussion

Primary emphasis is directed at minimizing the risk of fire by use of thermal insulation and adhesives which do not support combustion, flame resistant wiring, adequate overload and short circuit protection, and elimination of combustible trim and furnishings. The facility is equipped with fire protection systems for controlling any fires which might originate in plant equipment. See Section 9.5.1 for a description of the Fire Protection System.

The Containment and Auxiliary Building Ventilation Systems can be operated from the control room of the corresponding unit as required to limit the potential consequences of fire. Critical areas of the containment and control room and the areas containing components of engineered safety features have detectors to alert the control room of the possibility of fire so that prompt action may be taken to prevent significant damage.

Criterion 4 - Sharing of Systems

Reactor facilities shall not share systems or components unless it is shown safety is not impaired by the sharing.

Discussion

The only systems shared by the two units are Compressed Air, control room area air intake radiation monitoring and parts of the control area ventilation system (see Section 9.4.1 for description of the Control Area Ventilation System), Demineralized Water, Bulk Nitrogen Supply, Hot Shutdown Panel Power Supply (see Section 9.5.1.4 for description of the Hot Shutdown Panel), Solid Radwaste Packaging System, and portions of the Chemical Volume Control System (see Section 9.3.4 for description of the Chemical Volume Control System Cross-tie).

There are a minimum of shared components; chemical drain, laundry hot shower tanks and pumps, and the 20,000 barrel Bulk Fuel Oil Storage Tank are the only components in common. The Control Room area radiation monitoring microprocessors 1/2R1B provide redundant functions common to both control area air intake ducts to support operation of the Unit 1 and Unit 2 control area ventilation isolation system. The Hot Shutdown Panel will share electrical power supply during a control room evacuation. Plant safety is not impaired by these instances of system or component sharing.

Criterion 5 - Records Requirements

Records of the design, fabrication, and construction of essential components of the plant shall be maintained by the reactor operator or under its control throughout the life of the reactor.

Discussion

Public Service or its authorized representatives and Westinghouse Electric Corporation plan to maintain, either in their possession or under their control, a complete set of records of the design, fabrication, construction, and testing of essential plant components throughout the life of plant. This criterion is answered in more detail in Section 17.

3.1-4 SGS-UFSAR Revision 20 May 6, 2003

Criterion 6 - Reactor Core Design

The reactor core shall be designed to function throughout its design lifetime, without exceeding acceptable fuel damage limits which have been stipulated and justified. The core design, together with reliable process and decay heat removal systems, shall provide for this capability under all expected conditions of normal operation with appropriate margins for uncertainties and for transient situations which can be anticipated, including the effects of the loss of power to recirculation pumps, tripping out of a turbine generator set, isolation of the reactor from its primary heat sink, and loss of all offsite power.

Discussion

The ability of the core to function throughout its lifetime without exceeding acceptable fuel damage limits is discussed in Section 4. Detailed information on core design and performance is also included in Section 4. The instrumentation and controls associated with the reactor are described in Section 7 while decay heat removal systems are discussed in Sections 5, 6, and 9. Section 15 demonstrates that adequate fuel integrity is maintained under postulated abnormal situations.

Criterion 7 - Suppression of Power Oscillations

The core design, together with reliable controls, shall ensure that power oscillations which could cause damage in excess of acceptable fuel damage limits are not possible or can be readily suppressed.

Discussion

The inherent ability of the core to prevent and suppress power oscillations and the instrumentation and controls provided to assist in this function is discussed in Sections 4 and 7, respectively.

Criterion 8 - Overall Power Coefficient

The reactor shall be designed so that the overall power coefficient in the power operating range shall not be positive.

Discussion

As discussed in Section 4, the overall power coefficient is negative under normal operating conditions throughout core life.

Criterion 9 - Reactor Coolant Pressure Boundary

The reactor coolant pressure boundary shall be designed and constructed so as to have an exceedingly low probability of gross rupture or significant leakage throughout its design lifetime.

Discussion

As discussed in detail in Section 5, the reactor coolant pressure boundary materials, design, analysis, fabrication, and testing preclude the possibility of gross rupture or significant leakage throughout its design lifetime. The Reactor Coolant System in conjunction with its control and protective provisions is designed to accommodate the system pressures and temperatures attained under all expected modes of plant operation or anticipated system interactions, and maintain the stresses within applicable code stress limits.

Fabrication of the components which constitute the pressure retaining boundary of the Reactor Coolant System is carried out in strict accordance with the applicable codes. In addition, there are areas where equipment specifications for Reactor Coolant System components go beyond the applicable codes. Details are given in Section 4.5.

The materials of construction of the pressure retaining boundary of the Reactor Coolant System are protected by control of coolant chemistry from corrosion phenomena which might otherwise reduce the system structural integrity during its service lifetime, as discussed in Section 9.

System conditions resulting from anticipated transients or malfunctions are monitored and appropriate action is automatically initiated to maintain the required cooling capability and to limit system conditions so that continued safe operation is possible, as discussed in Section 7.

The system is protected from overpressure by means of pressure relieving devices, as required by Section III of the ASME Boiler and Pressure Vessel Code. Sections of the system which can be isolated are provided with overpressure relieving devices discharging to closed systems such that the system code allowable relief pressure within the protected section is not exceeded.

Criterion 10 - Containment

Containment shall be provided. The containment structure shall be designed to sustain the initial effects of gross equipment failures, such as a large coolant boundary break, without loss of required integrity and, together with other engineered safety features as may be necessary, to retain the functional capability to protect the public for as long as the situation requires.

Discussion

The design of the containment structure and associated auxiliary systems is described in Section 3.8. Engineered safety features required to limit pressure inside the containment are described in Section 6. Section 15 demonstrates the adequacy of such systems under various accident conditions including a rupture of the largest reactor coolant pipe.

Criterion 11 - Control Room

The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the control room or other areas as necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10CFR20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other cause.

Discussion

Each unit is provided with a control room which contains the controls and instrumentation necessary for operation of each unit's reactor, turbine generator, and auxiliary and emergency systems under normal or accident conditions.

The control room is continuously occupied by the operating personnel under all operating conditions. Control room shielding and ventilation are designed such that the occupants of the room shall not receive doses in excess of 5 rem to the whole body, or its equivalent to any part of the body, during the course of a loss-of-coolant accident. This includes doses received during ingress and egress. The Control Room Air Conditioning System is described in Section 9.

Hot shutdown control is provided for as discussed in Section 7. Fire hazards in the control room are limited by its method of construction and outfitting.

Criterion 12 - Instrumentation and Control Systems

Instrumentation and controls shall be provided as required to monitor and maintain variables within prescribed operating ranges.

Discussion

As described in detail in Section 7, sufficient instrumentation and controls are provided to monitor and maintain all operationally important reactor operating parameters such as neutron flux, system pressures, flow rates, temperatures, levels, and control rod positions within prescribed operating ranges. The quantities and types of instrumentation provided are adequate for safe and orderly operation of all systems and processes over the full operating range of the plant.

Process variables which are required on a continuous basis for the startup, power operation, and shutdown of the plant are indicated in, recorded in, and controlled as necessary from the control room. The operating staff is cognizant and in control of all test, maintenance and calibration work and can fully assess all abnormal plant conditions knowing the extent to which specific and related operating tasks are in process. Additional details on instrumentation and controls are included in sections relating to specific systems and components.

Criterion 13 - Fission Process Monitors and Controls

Means shall be provided for monitoring and maintaining control over the fission process throughout core life and for all conditions that can reasonably be anticipated to cause variations in reactivity of the core, such as indication of position of control rods and concentration of soluble reactivity control poisons.

Discussion

The means provided for monitoring the fission process are indicated in Section 7. The means of determining control rod position are described in Section 7 while the means of control and determination of boron concentration are detailed in Section 9.

Criterion 14 - Core Protection Systems

Core protection systems, together with associated equipment, shall be designed to act automatically to prevent or to suppress conditions that could result in exceeding acceptable fuel damage limits.

Discussion

The instrumentation and controls provided to prevent or suppress conditions which could result in exceeding acceptable fuel damage limits are described in Section 7. This criterion as applied to the Reactor Protection system is discussed more fully under Criterion 26, Protection Systems Fail-Safe Design.

Criterion 15 - Engineered Safety Features Protection Systems

Protection systems shall be provided for sensing accident situations and initiating the operation of necessary engineered safety features.

Discussion

The facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safeguards systems. These protection systems are described in Sections 6 and 7.

3.1-10 SGS-UFSAR Revision 16 January 31, 1998

Criterion 16 - Monitoring Reactor Coolant Pressure Boundary

Means shall be provided for monitoring the reactor coolant pressure boundary to detect leakage.

Discussion

Positive indications in the control room of leakage of coolant from the Reactor Coolant System to the lower containment compartment are provided by equipment which permits continuous monitoring of the lower containment compartment air activity and humidity, and condensate run-off from the fan coolers. This equipment provides indication of normal background which is indicative of a basic level of leakage from primary systems and components. Any increase in the observed parameters will be an indication of change within the lower containment compartment, and the equipment provided is capable of monitoring this change. The basic design criterion is the detection of deviations from normal containment environmental conditions including air particulate activity, radiogas activity, humidity, condensate, and in addition, in the case of gross leakage, the liquid inventory in the process systems and containment sump.

Means of detecting leakage from the Reactor Coolant System is also provided by measuring and indicating changes in makeup requirements and containment sump levels. These leakage detection methods are presented in detail in Section 5.

Criterion 17 - Monitoring Radioactivity Releases

Means shall be provided for monitoring the containment atmosphere, the facility effluent discharge paths, and the facility environs for radioactivity that could be released from normal operations, from anticipated transients, and from accident conditions.

Discussion

The facility contains means for monitoring the containment atmosphere, effluent discharge paths, and the facility environs for radioactivity which could be released under any conditions. The details of the effluent discharge path, containment monitoring methods, and environmental radiation monitoring program are described in Section 11.

Criterion 18 - Monitoring Fuel and Waste Storage

Monitoring and alarm instrumentation shall be provided for fuel and waste storage and handling areas for conditions that might contribute to loss of continuity in decay heat removal and to radiation exposures.

Discussion

Sufficient monitoring and alarm instrumentation is provided in waste and fuel storage areas to detect conditions which might contribute to loss of cooling for decay heat removal or abnormal radiation releases. Details of the monitoring systems are included in Sections 9 and 11.

Criterion 19 - Protection Systems Reliability

Protection systems shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed.

Discussion

All protection systems are designed for the utmost in reliability based on extensive testing in the shop and many years of actual operating experience. Sufficient redundancy of such systems is provided to enable test of instrumentation channels during plant operation without jeopardizing reactor safety. Detailed descriptions of various portions of the systems are included in Sections 6 and 7.

Criterion 20 - Protection Systems Redundancy and Independence

Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure or removal from service of any component or channel of a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served.

Discussion

As detailed in Section 7, sufficient redundancy and independence is designed into the protection systems to assure that no single failure nor removal from service of any component or channels results in loss of the protection function. In addition, the design of the protection systems conforms to IEEE Standard 279-1971, "IEEE Standard Criteria for Protection Systems for Nuclear Power Generating Stations," April 5, 1972 of the Institute of Electrical and Electronic Engineers.

Criterion 21 - Single Failure Definition

Multiple failures resulting from a single event shall be treated as a single failure.

Discussion

When evaluating the control, protection, engineered safeguards, and other systems of the facility, multiple failures resulting from a single event are treated as a single failure. The ability of each system to perform its function with a single failure is discussed in the sections describing the individual systems.

Criterion 22 - Separation of Protection and Control Instrumentation Systems

Protection systems shall be separated from control instrumentation systems to the extent that failure or removal from service of any control instrumentation system component or channel, or of those common to control instrumentation and protection circuitry, leaves intact a system satisfying all requirements for the protection channels.

Discussion

Protection and control channels in the facility protection systems are designed in accordance with the IEEE Standard 279-1971, "IEEE Standard Criteria for Protection Systems for Nuclear Power Generating Stations," April 5, 1972.

The coincident trip philosophy is also employed to prevent a single failure from causing a spurious trip or from defeating the function of any channel. In general, reactor trip circuits are designed so that the trip occurs upon deenergization of the circuit; an open circuit or loss of power to a channel will, therefore, result in the channel going into its trip mode. An exception to this is the solid state protection systems' automatic shunt trip which requires 125 V dc to operate the shunt trip coil on the reactor trip breakers. Redundancy within each channel provides reliability and independence of operation.

Channel independence is carried throughout the system from the sensor to the relay providing the logic. In some cases, however, it is desirable to employ a common sensor for both a control and protection channel. Both functions are fully isolated in the remainder of the channel, control being derived from the primary safety signal path through an isolation amplifier. As such, a failure in the control circuitry does not adversely affect the safety channel. Those reactor trips requiring energy to trip are arranged such that single power supply failures cannot prevent a trip if required.

Criterion 23 - Protection Against Multiple Disability For Protection Systems

The effects of adverse conditions to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of an accident, shall not result in loss of the protection function.

Discussion

Protection system components are designed and arranged so that the mechanical and thermal environment accompanying any emergency situation in which the components are required to function does not interfere with that function. Details of this protection are provided in the appropriate portions of Section 7.

Criterion 24 - Emergency Power for Protection Systems

In the event of loss of all offsite power, sufficient alternate sources of power shall be provided to permit the required functioning of the protection systems.

Discussion

The facility is supplied with normal and emergency power supplies to provide for the required functioning of the protection systems. Emergency power for each unit is supplied by three emergency diesel-generators, as described in Sections 7 and 8, with two diesels being capable of supplying all the emergency power requirements of one unit.

In addition to the emergency diesel-generators, the instrumentation and controls portions of the protection systems may be supplied from the 125 V dc station batteries as detailed in Section 8. Therefore, adequate sources of emergency power are available for all protection systems in the event of a loss of offsite power.

Criterion 25 - Demonstration of Functional Operability of Protection Systems

Means shall be included for testing protection systems while the reactor is in operation to demonstrate that no failure or loss of redundancy has occurred.

Discussion

Each protection channel in service at power is capable of being calibrated and tested at power to verify its operation. Details of the means used to test protection system instrumentation are included in Section 7.

Criterion 26 - Protection Systems Fail-Safe Design

The protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electrical power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced.

Discussion

The details of the design and failure modes of the various protection channels are to be found in portions of Section 7 concerned with those channels.

Criterion 27 - Redundancy of Reactivity Control

At least two independent reactivity control systems, preferably of different principles, shall be provided.

Discussion

Two independent reactivity control systems, rod cluster control assemblies, and boric acid dissolved in the reactor coolant, are employed in the facility. Details of the construction and operation of the rod cluster control system are included in Sections 4 and 7. Means of controlling the boric acid concentration are included in Section 9.

Criterion 28 - Reactivity Hot Shutdown Capability

At least two of the reactivity control systems provided shall be independently capable of making and holding the core subcritical from any hot standby or hot operation condition including those resulting from power changes, sufficiently fast to prevent exceeding acceptable fuel damage limits.

Discussion

The rod cluster control system is capable of making and holding the core subcritical from all operating and hot shutdown conditions sufficiently fast to prevent exceeding acceptable fuel damage limits. The chemical shim control is also capable of making and holding the core subcritical, but at a slower rate, and is not employed as a means of compensating for rapid reactivity transients. The rod cluster control system is, therefore, used in protecting the core from such transients. Details of the operation and effectiveness of these systems are included in Sections 4 and 9.

Criterion 29 - Reactivity Shutdown Capability

At least one of the reactivity control systems provided shall be capable of making the core subcritical under any condition (including anticipated operational transients) sufficiently fast to prevent exceeding acceptable fuel damage limits. Shutdown margins greater than the maximum worth of the most effective control rod when fully withdrawn shall be provided.

Discussion

As detailed in Section 4, the reactor may be made subcritical by the rod cluster control system sufficiently fast to prevent exceeding acceptable fuel damage limits, under all anticipated conditions even with the most reactive rod control cluster fully withdrawn.

Criterion 30 - Reactivity Holddown Capability

At least one of the reactivity control systems provided shall be capable of making and holding the core subcritical under any conditions with appropriate margins for contingencies.

Discussion

The facility is provided with the means of making and holding the core subcritical under any anticipated conditions and with appropriate margin for contingencies. These means are discussed in detail in Sections 4 and 9. Combined use of the Rod Cluster Control System and the Chemical Shim Control System permit the necessary shutdown margin to be maintained during long-term xenon decay and plant cooldown.

Criterion 31 - Reactivity Control Systems' Malfunction

The reactivity control systems shall be capable of sustaining any single malfunction, such as, unplanned continuous withdrawal (not ejection) of a control rod, without causing a reactivity transient which could result in exceeding acceptable fuel damage limits.

Discussion

The facility reactivity control systems are such that acceptable fuel damage limits (DNBR ≥ 1.3) will not be exceeded even in the event of a single malfunction of either system. An analysis of the effects of postulated malfunctions is presented in Section 15.

Criterion 32 - Maximum Reactivity Worth of Control Rods

Limits, which include considerable margin, shall be placed on the maximum reactivity worth of control rods or elements and on rates at which reactivity can be increased to ensure that the potential effects of a sudden or large change of reactivity cannot (a) rupture the reactor coolant pressure boundary or (b) disrupt the core, its support structure, or other vessel internals sufficiently to impair the effectiveness of emergency core cooling.

Discussion

The maximum reactivity worth of control rods and the maximum rates of reactivity insertion employing both control rods and boron removal are limited to values which prevent rupture of the coolant pressure boundary or disrupt the core or vessel internals to a degree which could impair the effectiveness of emergency core cooling. Details of rod worths, reactivity insertion rates, and their relationship to plant safety are included in Sections 4 and 15.

Criterion 33 - Reactor Coolant Pressure Boundary Capability

The reactor coolant pressure boundary shall be capable of accommodating without rupture, and with only limited allowance for energy absorption through plastic deformation, the static and dynamic loads imposed on any boundary component as a result of any inadvertent and sudden release of energy to the coolant. As a design reference, this sudden release shall be taken as that which would result from a sudden reactivity insertion such as rod ejection (unless prevented by positive mechanical means), rod dropout, or cold water addition.

Discussion

The primary coolant boundary is designed to accommodate static and dynamic loads associated with sudden reactivity insertions (e.g., rod ejection) without failure. Details of the design may be found in Sections 4 and 5 and an analysis of the effects of such incidents as rod ejection is included in Section 15.

The operation of the reactor is such that the severity of an ejection accident is inherently limited. Since control rod clusters are used to control load variations only and core depletion is followed with boron dilution, only the rod cluster control assemblies in the controlling groups are inserted in the core at power, and at full power these rods are only partially inserted. A rod insertion limit monitor is provided as an administrative aid to the operator to assure that this condition is met.

By using the flexibility in the selection of control rod groupings, radial locations and position as a function of load, the design limits the maximum fuel temperature for the highest worth ejected rod to a value which precludes any resultant damage to the Reactor Coolant System pressure boundary, i.e., gross fuel dispersion in the coolant and possible excessive pressure surges.

The failure of a rod mechanism housing causing a rod cluster to be rapidly ejected from the core is evaluated as a theoretical, though not a credible accident. While limited fuel damage could result from this hypothetical event, the fission products are confined to the Reactor Coolant System and the reactor containment. The environmental consequences of rod ejection are less severe than from the hypothetical loss-of-coolant, for which public health and safety is shown to be adequately protected.

Criterion 34 - Reactor Coolant Pressure Boundary Rapid Propagation Failure Prevention

The reactor coolant pressure boundary shall be designed to minimize the probability of rapidly propagating type failures. Consideration shall be given (a) to the notch-toughness properties of materials extending to the upper shelf of the Charpy transition curve, (b) to the state of stress of materials under static and transient loadings, (c) to the quality control specified for materials and component fabrication to limit flaw sizes, and (d) to the provisions for control over service temperature and irradiation effects which may require operational restrictions.

Discussion

As detailed in Section 5, the reactor coolant pressure boundary is designed to minimize the probability of rapidly propagating type failures. To fulfill these requirements, the selection of materials for the system and the fabrication of components are closely controlled and inspected. The details of the material selection and inspection procedures are contained in Section 5.

The reactor coolant pressure boundary is designed to reduce to an acceptable level the probability of a rapidly propagating type failure. In the core region of the reactor vessel it is expected that the notch toughness of the material will change as a result of fast neutron exposure.
This change is evidenced as a shift in the nil ductility transition (NDT) temperature which is factored into the operating procedures in such a manner that full operating pressure is not obtained until the affected vessel material is above the design transition temperature (DTT) and in the ductile material The pressure during and shutdown at the temperature below NDT is maintained below the threshold of concern for safe operation. The DTT is a minimum of NDT plus 60°F and dictates the procedures to be followed in the hydrostatic test and in station operations to avoid excessive cold stress. The value of the DTT is increased during the life of the as by the shift in NDT, and as confirmed by the data obtained from irradiated of reactor vessel materials the plant lifetime. Further details are given in Section 5.

Under conditions where reactor coolant pressure boundary systems' components constructed of ferritic materials may be subjected to such as a reactivity-induced loading, service temperatures shall be at least 120°F above the NDT temperature of the component material if the resulting energy release is expected to be absorbed by plastic deformation, or 60°F above the NDT temperature of the component material if the energy release is to be absorbed within the elastic strain energy range.

Discussion

Sufficient testing and analysis of materials employed in Reactor Coolant Systems' components will be performed to ensure that the required NDT limits specified in the criterion are met. Removable test capsules will be installed in the reactor vessel and removed and tested at various times in the plant lifetime to determine the effects of operation on system materials. Details of the testing and analysis programs are included in Section 5.

3.1-22 SGS-UFSAR Revision 25 October 26, 2010

Criterion 36 - Reactor Coolant Pressure Boundary Surveillance

Reactor coolant pressure boundary components shall have provisions for inspection, testing, and surveillance by appropriate means to assess the structural and leaktight integrity of the boundary components during service lifetime. For the reactor vessel, a material surveillance program conforming with ASTM-E-185-66 shall be provided.

Discussion

Provision has been made in the Reactor Coolant System design for adequate inspection testing and surveillance during the facility's service lifetime. The vessel inspection program will conform to ASTM-E-185-66. These provisions are discussed in detail in Section 5.

Monitoring of the RTNDT temperature properties of the core region, weldments, and associated heat treated zones is performed in accordance with ASTM E-185-70 (Recommended Practice for Surveillance Tests for Nuclear Reactor Vessels). Samples of reactor vessel plate materials are retained and cataloged in case future engineering development shows the need for further testing.

The material properties' surveillance program includes not only the conventional tensile and impact tests, but also fracture mechanics specimens. The fracture mechanics specimens are the Wedge Opening Loading (WOL) type specimens. The observed shifts in RTNDT of the core region materials with irradiation will be used to confirm the calculated limits to start up and shut down transients.

Criterion 37 - Engineered Safety Features Basis for Design

Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.

Discussion

The containment structure, the Containment Ventilation System, the Emergency Core Cooling System, and the Containment Spray System comprise the engineered safety features for the facility. These systems and their supporting systems (Component Cooling System and Service Water System) are designed to cope with any size reactor coolant pressure boundary break up to and including rupture of the largest reactor coolant pipe. The design bases for each system are included in the appropriate portions of Sections 6 and 9. An analysis of the performance of the safeguards is presented in Section 15.

Criterion 38 - Reliability and Testability of Engineered Safety Features

All engineered safety features shall be designed to provide high functional reliability and ready testability. In determining the suitability of a facility for proposed site, the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.

Discussion

All engineered safety features components were tested at the manufacturers' shop and after installation in the facility to demonstrate their reliability.
Provision has also been made in the system design for periodic testing of engineered safety features during the plant lifetime. Details of the test to be performed and the basis for the determination of system reliability are included in Section 6 for the Containment, Containment Ventilation System, Containment Isolation Systems, and for the remaining engineered safety features.

Criterion 39 - Emergency Power for Engineered Safety Features

Alternate power systems shall be provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning required of the engineered safety features. As a minimum, the onsite power system and the offsite power system shall each, independently, provide this capacity assuming a failure of a single active component in each power system.

Discussion

Reliability of electric power supply is ensured through several independent connections to the system grid, and redundant source of emergency power for each unit from three diesel-generators. Power to the engineered safety features is assured even with the failure of a single active component in each system. The facility electrical systems, including network interconnections and the emergency power system, are described in Section 8.

Criterion 40 - Missile Protection

Protection for engineered safety features shall be provided against dynamic effects and missiles that might result from plant equipment failures.

Discussion

All engineered safety features are protected against dynamic effects and missiles resulting from equipment failures, to ensure that their safety function is not impaired. The means for accomplishing this protection are described more fully in Section 3.5.
Criterion 41 - Safety Features Performance Capability

Engineered safety features such as Emergency Core Cooling and Containment Heat Removal Systems shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.

Discussion

Sufficient redundancy and duplication is incorporated into the design of the engineered safety features to ensure that they may perform their function adequately even with the loss of a single active component. Details of the capability of these systems under normal and component malfunction conditions are included in Sections 6 and 9. An analysis of the adequacy of these systems to perform their functions is included in Section 15.

Criterion 42 - Engineered Safety Features Components Capability

Engineered safety features shall be designed so that the capability of each component and system to perform its required function is not impaired by the effects of a loss-of-coolant accident.

Discussion

The design of the engineered safety features, the materials selected for fabrication of these systems, and the layout of the various portions of the systems combine to ensure that the performance of the engineered safety features are not impaired by the effects of a loss-of-coolant accident. Details of the design and construction of the engineered safety features are included in Sections 6 and 9. The ability of these features to perform their functions is analyzed in Section 15.

Criterion 43 - Accident Aggravation Prevention

Engineered safety features shall be designed so that any action of the engineered safety features which might accentuate the adverse after effects of the loss of normal cooling is avoided.
Discussion

The operation of the engineered safety features will not accentuate the after effects of a loss-of-coolant accident. These considerations are detailed in Sections 6 and 15.

Criterion 44 - Emergency Core Cooling Systems' Capability

At least two emergency core cooling systems, preferably of different design principles, each with a capability of accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary, including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty. The systems shall not share active components and shall not share other features or components unless it can be demonstrated that (a) the capability of the shared feature or component to perform its required function can be readily ascertained during reactor operation, (b) failure of the shared feature or component does not initiate a loss-of-coolant accident, and (c) capability of the shared feature or component to perform its required function is not impaired by the effects of a loss-of-coolant accident and is not lost during the entire period this function is required following the accident.

Discussion

By combining the use of passive accumulators with two independent high pressure pumping systems and two independent low pressure pumping systems, abundant emergency core cooling is provided even if there should be a failure of any component in any system. A description of the system and its operation is contained in Section 6 and an analysis of the operation of the system under accident conditions is included in Section 15.
Criterion 45 - Inspection of Emergency Core Cooling Systems

Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.

Discussion

The design of the emergency core cooling system is such that critical portions are accessible for examination by visual, optical, or other nondestructive means. Details of the inspection program for the reactor vessel internals are included in Section 4 while inspection of the remaining portions of the system is discussed in Section 6.

Criterion 46 - Testing of Emergency Core Cooling System Components

Design provisions shall be made so that active components of the emergency core cooling systems, such as pumps and valves, can be tested periodically for operability and required functional performance.

Discussion

The Emergency Core Cooling System design permits periodic testing of active components for operability and required functional performance. The test procedures are described in Section 6.

Criterion 47 - Testing of Emergency Core Cooling Systems

A capability shall be provided to test periodically the delivery capability of the Emergency Core Cooling Systems at a location as close to the core as is practical.

Discussion

By recirculation to the refueling water storage tank, the Emergency Core Cooling System delivery capability can be tested periodically. The system can be so tested to the last valve before the piping enters the reactor coolant piping. Details of the system tests are included in Section 6.

Criterion 48 - Testing of Operational Sequence of Emergency Core Cooling Systems

A capability shall be provided to test under conditions as close to design as practical, the full operational sequence that would bring the Emergency Core Cooling Systems into action, including the transfer to alternate power source.

Discussion

Provision has been made in the Emergency Core Cooling System design for testing the sequence of operation including transfer to alternate power sources. The details of these tests are included in Section 6, and the switching sequence from normal to emergency power is described in Section 7.
Criterion 49 - Containment Design Basis

The containment structure, including access openings and penetrations, and any necessary containment heat removal systems shall be designed so that the containment structure can accommodate without exceeding the design leakage rate the pressures and temperatures resulting from the largest credible energy release following a loss-of-coolant accident, including a considerable margin for effects from metal-water or other chemical reactions, that could occur as a consequence of failure of Emergency Core Cooling Systems.

Discussion

The containment structure and its contained Heat Removal Systems are designed to accommodate the pressures and temperatures associated with a loss-of-coolant accident without exceeding the design leak rate. A considerable margin for unidentified energy sources has been included in the design. Containment structural design is also based on the following:

1. Leak tightness and testing requirements
2. Seismic requirements
3. Tornado requirements
4. Shielding requirements
5. Design basis accident requirements
6. Flood conditions due to maximum probable hurricane
7. Internal missile generation

The loadings and energy sources considered in the design and the stress and loading criteria are described in Section 3. An analysis of the performance of the containment during a loss-of-coolant accident is included in Section 15. The Heat Removal Systems are described in Sections 5 and 6. Design of the Containment Building is given in Section 6 and Section 3.8.

Criterion 50 - NDT Requirement for Containment Material

Principal load carrying components of ferritic materials exposed to the external environment shall be selected so that their temperatures under normal operating and testing conditions are not less than 30°F above NDT temperature.

Discussion

As stated in Section 5, all principal containment load carrying components of ferritic materials exposed to the external environment are selected to ensure that their temperature under normal operating and testing conditions will be at least 30°F above NDT temperature.

Criterion 51 - Reactor Coolant Pressure Boundary Outside Containment

If part of the reactor coolant pressure boundary is outside the containment, appropriate features as necessary shall be provided to protect the health and safety of the public in case of an accidental rupture in that part. Determination of the appropriateness of features such as isolation valves and additional containment shall include consideration of the environmental and population conditions surrounding the site.

Discussion

The reactor coolant pressure boundary is defined as those piping systems and components which contain reactor coolant at design pressure and temperature. With the exception of the reactor coolant sampling lines, the entire reactor coolant pressure boundary, as defined above, is located entirely within the containment structure. All sampling lines are provided with remotely operated valves for isolation in the event of a failure. These valves also close automatically on a containment isolation signal. Sampling lines can be readily isolated. All other piping and components which may contain reactor coolant are low pressure, low temperature systems which would yield minimal environmental doses in the event of failure. The Sampling System and low pressure systems are described in Section 9.
Criterion 52 - Containment Heat Removal Systems

Where active Heat Removal Systems are needed under accident conditions to prevent exceeding containment design pressure, at least two systems, preferably of different principles, each with full capacity, shall be provided.

Discussion

The containment heat removal system consists of two subsystems, containment spray (two trains) and containment fan cooling units (five cooling coils). The two subsystems are separate, are operated independently, and are of different design principles, but perform a similar containment heat removal function. The containment heat removal system provides adequate margin for maintaining an acceptable post-accident containment atmospheric pressure and thereby meets the intent of the above criterion. In addition, the containment heat removal system meets the requirements of General Design Criteria 38. The design and performance of containment spray and the containment fan cooling units are discussed in Sections 6.2.2.1, 6.2.2.2, and 15.4.

Criterion 53 - Containment Isolation Valves

Penetrations that require closure for the containment function shall be protected by redundant valving and associated apparatus.

3.1-32 SGS-UFSAR Revision 20 May 6, 2003

Discussion

At least two barriers are provided between the atmosphere outside the containment and the containment atmosphere, the Reactor Coolant System, or closed systems which are assumed vulnerable to accident forces. The valving installed on the various systems penetrating the containment and the other barriers employed in the design are described in Section 5.

Criterion 54 - Containment Leakage Rate Testing

Containment shall be designed so that integrated leakage rate testing can be conducted at design pressure after completion and installation of all penetrations and the leakage rate measured over a sufficient period of time to verify its conformance with required performance.
Discussion

Provision is included in the containment design for integrated leak rate testing after completion of construction. The test program and procedures are described in Section 6.2 and are formulated to demonstrate that leakage is below the design value of 0.1 percent per day.

Criterion 55 - Containment Periodic Leakage Rate Testing

The containment shall be designed so that integrated leakage rate testing can be done periodically at design pressure during plant lifetime.

Discussion

Provision for full integrated leakage rate testing is incorporated into the design. The testing program and procedures are described in Section 6.2.

Criterion 56 - Provision for Testing of Penetrations

Provisions shall be made for testing penetrations which have resilient seals or expansion bellows to permit leak tightness to be demonstrated at design pressure at any time.

Discussion

The Containment Penetration Pressurization System provides a means to test the leak tightness of penetrations at any time. This system is described in Section 6.2 and the leak testing program is described in Section 6.3.

Criterion 57 - Provision for Testing of Isolation Valves

Capability shall be provided for testing functional operability of valves and associated apparatus essential to the containment function for establishing that no failure has occurred and for determining that valve leakage does not exceed acceptable limits.

Discussion

Provisions have been made in the plant design for testing the functional operability of containment isolation valves. The Containment Isolation System is described in Section 6.2.

Criterion 58 - Inspection of Containment Pressure-Reducing Systems

Design provisions shall be made to facilitate the periodic physical inspection of all important components of the containment pressure-reducing systems, such as, pumps, valves, spray nozzles, torus, and sumps.
Discussion

The design of the Containment Ventilation System and the Containment Spray System includes provision for physical inspection of vital components. The inspectability of these systems is discussed in Sections 5 and 6.

Criterion 59 - Testing of Containment Pressure-Reducing Systems' Components

The containment pressure-reducing systems shall be designed so that active components, such as pumps and valves, can be tested periodically for operability and required functional performance.

Discussion

Component testing of the Containment Spray System is discussed in detail in Section 6. Containment ventilation testing is discussed in Sections 5 and 6.

Criterion 60 - Testing of Containment Spray Systems

A capability shall be provided to periodically test the delivery capability of the Containment Spray System at a position as close to the spray nozzles as is practical.

Discussion

All active portions of the Containment Spray System may be tested. The delivery capacity may be tested up to the last valve before the spray header. Details of the Containment Spray System are included in Section 6.

Criterion 61 - Testing of Operational Sequence of Containment Pressure-Reducing Systems

A capability shall be provided to test under conditions as close to the design as practical, the full operational sequence that would bring the containment pressure-reducing systems into action, including the transfer to alternate power sources.

Discussion

Capability for testing of the operational sequence of the Containment Spray System is incorporated into the system design. Provision is also included for testing the Containment Ventilation System. Details of the Containment Spray System are included in Section 6. The switching sequence from normal to emergency power is described in Section 7. The Containment Ventilation System is described in Section 6.
Criterion 62 - Inspection of Air Cleanup Systems

Design provisions shall be made to facilitate physical inspection of all critical parts of the containment air cleanup systems, such as ducts, filters, fans, and dampers.

Discussion

The containment ventilation systems, consisting of 5 fan coolers and high-efficiency particulate air filters, serves as an air cleanup system for the containment. Section 6.2 discusses the inspection of the Containment Fan Cooler System.

Criterion 63 - Testing of Air Cleanup Systems' Components

Design provisions shall be made so that active components of the air cleanup systems, such as fans and damper, can be tested periodically for operability and required functional performance.

Discussion

Testing of the Containment Fan Cooler and Containment Spray Systems' Components is discussed in detail in Section 6.2.

Criterion 64 - Testing of Air Cleanup Systems

A capability shall be provided for in situ periodic testing and surveillance of the air cleanup systems to ensure (a) filter bypass paths have not developed and (b) filter and trapping materials have not deteriorated beyond acceptable limits.

Discussion

Testing of the Containment Fan Cooler System and Containment Spray System is discussed in detail in Section 6.2.

Criterion 65 - Testing of Operational Sequence of Air Cleanup Systems

A capability shall be provided to test under conditions as close to design as practical, the full operational sequence that would bring the air cleanup systems into action, including the transfer to alternate power sources and the design air flow delivery capability.

Discussion

A discussion of the operational sequence testing of the Containment Fan Cooler System and Containment Spray System is included in Section 6.2.

Criterion 66 - Prevention of Fuel Storage Criticality

Criticality in new and spent fuel storage shall be prevented by physical systems or processes. Such means as geometrically safe configurations shall be emphasized over procedural controls.

Discussion

Criticality in new and spent fuel storage areas is prevented both by physical separation of new and spent fuel elements and the presence of borated water in the spent fuel storage pool. Criticality prevention in fuel storage areas is discussed in Section 9.
Criterion 67 - Fuel and Waste Storage Decay Heat

Reliable decay heat removal systems shall be designed to prevent damage to the fuel in storage facilities that could result in radioactivity release to plant operating areas or the public environs.

Discussion

The Spent Fuel Pool Cooling System provides decay heat removal for the spent fuel pool. In addition, the water in the pool is sufficient to absorb the decay heat produced from 1 1/3 spent cores. Details of the Spent Fuel Pool Cooling System and fuel handling facilities are described in Section 9.

Criterion 68 - Fuel and Waste Storage Radiation Shielding

Shielding for radiation protection shall be provided in the design of spent fuel and waste storage facilities as required to meet the requirements of 10CFR20.

Shielding is provided for fuel handling and waste storage areas to lower radiation doses to levels below limits in 10CFR20. for these areas and other shielding requirements and criteria are included in Section 12.

Criterion 69 - Protection Against Radioactivity Release From Spent Fuel and Waste Storage

Containment of fuel and waste storage shall be provided if accidents could lead to release of undue amounts of radioactivity to the public environs.

All fuel storage and waste storage facilities are designed to prevent the undue release of radioactivity to the public. Fuel storage facilities are described in Section 9; waste storage facilities are described in Section 11 and analysis of postulated accidents is included in Section 15.

The shall include those means necessary to maintain control over the plant radioactive whether gaseous, liquid, or solid. Appropriate holdup capacity shall be provided for retention of gaseous, liquid, or solid effluents, particularly where unfavorable environmental conditions can be expected to require operational limitations upon the release of radioactive effluents to the environment.
In all cases, the design for radioactivity control shall be justified (a) on the basis of 10CFR20 requirements for normal operations and for any transient situation that might reasonably be anticipated to occur and (b) on the basis of 10CFR50.67 dosage level for reactor accidents of exceedingly low probability of occurrence except that reduction of the recommended dosage levels may be required where high population densities or very cities can be affected by the radioactive effluents.

Discussion

Provision is included in the facility design for storage and processing of radioactive waste and the release of such wastes under controls adequate to prevent exceeding the limits of 10CFR20. The facility also includes provision to prevent radioactivity releases during accidents from exceeding the guidelines of 10CFR50.67. A description of the Radioactive Waste Disposal System is included in Section 11. The effects of accidents, including a loss-of-coolant accident, are in Section 15.


3.1.3 Conformance with AEC General Design Criteria (July 1971)

The Salem Plant design conforms with the intent of "General Design Criteria for Nuclear Power Plants," dated July 7, 1971, with the exception of those items listed below.

Criterion 4 - Environmental and Missile Design Basis

The design of Salem Unit 1 complies with General Design Criteria 4 (GDC 4) with respect to protection against the dynamic effects associated with the postulated failure of piping. The PSE&G approach to evaluating high-energy line break consequences is described in Section 3.6 of the UFSAR and is consistent with the guidance provided by A. Giambusso, Atomic Energy Commission (AEC), to all licensees in his letter dated December 1972, "General Information Required for Consideration of the Effects of a Piping System Break Outside Containment." For Unit 1, high energy piping systems are those whose temperature exceeds 200°F and whose pressure exceeds 275 psig, coincidentally, during normal operation. Design basis cracks only are postulated for those systems whose pressure is more than 275 psig or whose temperature is more than 200°F.

The design of Salem Unit 2 also complies with GDC 4 with respect to protection against the dynamic effects associated with the postulated failure of piping. However, for Unit 2, the criteria are provided by Branch Technical Position APCSB 3-1, "Protection Against Postulated Piping Failures in Fluid Systems Outside Containment." For Unit 2, high-energy piping systems are those whose temperature exceeds 200°F or 275 psig during normal operation. This revised criteria resulted in three additional Unit 2 systems requiring analysis as high-energy. Those systems were: CVC charging and Reactor Coolant Pump seal injection, Heating Steam, and Heating Water. In addition to the revised temperature and pressure criteria, NRC required that a Moderate Energy Break Analysis (MEBA) be performed for Unit 2.
Criterion 55 - Reactor Coolant Pressure Boundary Penetrating Containment
Criterion 56 - Primary Containment Isolation
Criterion 57 - Closed System Isolation Valves

Valving arrangements which do not conform with these criteria are discussed in Section 6.2.4.

3.1.4 PSE&G General Criteria

Quality and Performance Standards

Those features of the reactor facility which are essential to the prevention of accidents which could affect the public health and safety or the mitigation of their consequences are designed, fabricated, and erected to:

1. Quality standards that reflect the importance of the safety function to be performed. Recognized codes and standards are used when appropriate to the application.
2. Performance standards that will enable the facility to withstand, without loss of the capability to protect the public, the additional forces imposed by the most severe earthquakes, flooding conditions, winds, ice, or other natural phenomena characteristic of the Salem site.

3.1-40a SGS-UFSAR Revision 7 July 22, 1987

Features of the facility essential to accident prevention and mitigation are the fuel, reactor coolant, and containment barriers; the controls and emergency cooling system whose function is to maintain the integrity of these three barriers; systems which depressurize and reduce the radioactivity level in the containment; power supplies and essential services to the above features; and the components employed to safely convey and store radioactive wastes and spent reactor fuel.

Quality standards for material selection, design, fabrication, and inspection governing the above features conform to the applicable provisions of recognized codes and standards. The concrete structure of the reactor containment conforms to the applicable portions of ACI-318-63. Further elaboration on quality standards for the reactor containment is presented in Section 5.
Vessels comply with the ASME Boiler and Pressure Vessel Code under the specific classification dictated by their use, or other appropriate codes. The principles of this code, or equivalent guidelines, are employed where the code is not strictly applicable but where the safety function calls for an equivalent assurance of quality. In the same manner, piping conforms to the requirements of the USA Standard Code for Pressure Piping (ANSI B31.1) and Nuclear Code Cases N-7 and N-10.

Particular emphasis is placed on the assurance of quality of the reactor vessel by obtaining material whose properties are uniformly within tolerances appropriate to the application of the design methods of the Code. The fatigue usage factor is less than that at which propagation of material defects would occur. Design margin and material surveillance assure that the vessel will be operated well within the ductile range of temperatures when vessel stresses are above 10,000 psi. The reactor vessel size is within the range of previous experience of the manufacturer and of the nuclear plant designer. Further discussion of quality assurance for the reactor vessel is presented in Section 4.

All piping components and supporting structures of the reactor and safety-related systems are designed to withstand any seismic disturbance predictable for the site. The dynamic response of the structure-to-ground acceleration, based on appropriate spectral characteristics of the site foundation and on the damping of the foundation and structure, is included in the design analysis.

Structural, equipment, and piping materials used in both the containment and Auxiliary Building have been selected for their compatibility with normal and accident environments.
For those items located inside the containment which are required for controlling the design basis accident, the effect of the spray chemical additive (NaOH) has been considered as well as radiation levels, pressure, and temperature. Material compatibility has been discussed in detail in the Indian Point Unit 2 FSAR (Docket No. 50-247).

Fire Protection

Fire protection facilities are provided in accordance with the recognized guidelines of the Nuclear Energy Property Insurance Association, National Fire Protection Association, and Underwriters Laboratory. Protective features such as fire doors and closed ventilation systems are provided to minimize the possibility of fire or smoke in the control room. The control room is designed and equipped to assure continuous occupancy. Section 9 outlines the basic design and operational features of the plant Fire Protection System.

Records Requirements

PSE&G (or its authorized representatives) and Westinghouse have retained complete documentation of the design, fabrication, and construction of all essential plant components. These records are available to verify the high quality and performance standards applicable to all essential plant components.

Protection by Multiple Fission Product Barriers

Physical barriers are provided by the fuel pellet, fuel cladding, Reactor Coolant System pressure boundary and containment structure to protect the public from the release of fission products produced within the fuel assemblies. The specific details and design basis for each barrier are identified and discussed in Sections 3, 4, and 5.

The design of the fuel cladding, core, related structural equipment, and control and protective systems ensures that fuel damage in excess of acceptable limits is not likely, or can be readily suppressed in the unlikely event of its occurrence.
The Reactor Coolant System, including the reactor pressure vessel, is designed to accommodate the system pressure and temperatures attained under all expected modes of plant operation, and maintain the stress within applicable code stress limits. Its materials of construction are protected from corrosion phenomena by control of coolant chemistry. It is protected from overpressure by means of relieving devices.

High-pressure equipment in the Reactor Coolant System is surrounded by barriers to prevent a missile, generated from the Reactor Coolant System in a loss-of-coolant accident, from reaching either the containment liner or the containment cooling equipment, and from impairing the function of the engineered safety features. The principal missile barriers are the concrete operating floor and the reinforced concrete shield wall enclosing the reactor coolant loops. The pressurizer is protected by a completely enclosed concrete and steel plant compartment constructed above the operating floor. A steel and concrete structure is also provided over the control rod drive mechanisms to block a missile generated from fracture of the mechanism housing.

The Reactor Coolant and reactor vessel are enclosed within the containment structure. The containment structure itself is designed to withstand the temperature and pressure conditions associated with the severance of a reactor coolant pipe coincident with a seismic occurrence. Essentially no leakage of radioactive materials to the environment will result under these conditions.

Monitoring potentially radioactive areas and operation of the reactor protection and reactor control and turbine is in the control room from which all actions to maintain the safe operational status of the plant are centered.

Radiation protection is provided to permit access to equipment in the control room, even under accident conditions, as necessary to shut down and maintain safe control of the facility without radiation exposures to personnel in excess of Code of Federal Regulations' limits.

The control room is equipped with those controls which are necessary for monitoring and maintaining control over the fission process and for all conditions that could be to cause variations in core In addition to instrumentation and controls which are required to maintain variables within operating ranges, means are provided to monitor fuel and waste storage handling areas, reactor coolant pressure boundary leakage, containment atmosphere, and all potentially contaminated facility effluent discharge paths.

Core protection systems automatically sense accident situations, initiate the operation of necessary engineered safety features that prevent or suppress conditions that could result in fuel damage limits. This combination of monitoring and core protection systems provides the assurance that any radioactive releases are maintained well below established Federal regulatory limits for normal operations, anticipated transients, and possible accident conditions.

Positive indications in the control room of leakage of coolant from the Reactor Coolant System to the containment are provided by equipment which permits continuous monitoring of the containment air activity and humidity. The basic design criterion is the detection of deviations from normal containment environmental conditions, including air particulate activity, radiogas activity, humidity, and in addition, in the case of gross leakage, the liquid inventory in the process systems and containment sump.

The containment atmosphere, Fuel Handling Building, plant vent, containment fan coolers, steam generator blowdown, the condenser vacuum pump exhaust, and the Waste Disposal System liquid effluent are monitored for radioactivity concentration during all normal operations, anticipated transients, and accident conditions.

For the case of leakage from the reactor containment under accident conditions, the plant area Radiation Monitoring System, supplemented by portable survey equipment stored in the control room, provides adequate monitoring of releases during an accident.

Monitoring and alarm instrumentation are provided for fuel and waste storage and handling areas to detect inadequate cooling and to detect excessive radiation levels. Radiation monitors are provided to maintain surveillance over the release of radioactive gases and liquids.

A controlled ventilation system removes gaseous radioactivity from the atmosphere of the fuel storage and waste treating areas of the Auxiliary Building and discharges it to the atmosphere via the unit vent. Radiation monitors are in continuous service in these areas to actuate high-activity alarms on the overhead annunciator in the control room, as described in Section 11.

Reliability and Testability of Protection Systems

Protection systems are designed with a degree of functional reliability and in-service testability which is commensurate with the safety functions to be performed. System design incorporates such features as emergency power availability, preferred failure mode design, redundancy, and isolation between control systems and protective systems. In addition, the protection systems are designed such that no single failure will prevent proper system action when required. For design purposes, multiple failures which result from a single event are considered single failures. The proposed criteria of the Institute of Electrical and Electronic Engineers for nuclear power plant protection (IEEE-279) have been utilized in the design of protective systems.

The plant variables monitored and the sensors utilized are identified and discussed at length in Westinghouse proprietary reports submitted in support of this application, and referenced in Section 7.

The coincident trip philosophy is carried out to provide a safe and reliable Reactor Protection System since a single failure will not defeat its function nor cause a spurious reactor trip. Channel independence originates at the process sensor and continues back through the field wiring and containment penetrations to the analog protection racks. The power supplies to the protection sets are fed from instrumentation buses which are capable of being powered from the diesel-generators.

Two reactor trip breakers are provided to interrupt power to the rod drive mechanisms. The breaker main contacts are connected in series. Opening either breaker will interrupt power to all mechanisms, causing all rods to fall by gravity into the core. Manual trip also actuates the shunt trip breakers.
Each protection channel feeds two logic matrices, one for each undervoltage trip circuit.

In general, reactor trip circuits are designed so that a trip occurs when the circuit is de-energized; an open circuit or loss of channel power therefore would cause the affected circuits to go into a trip mode. Reliability and independence are obtained by redundancy within each channel, except for backup reactor trips such as the reactor coolant pump breaker. Reactor trip is implemented by interrupting power to each control rod drive mechanism, allowing the rod clusters to be inserted by gravity. The protection system is thus inherently safe in the event of a loss of rod control power. Those trips requiring energy to operate are arranged such that single power failures cannot prevent a reactor trip if required.

The components of the protection system are designed and laid out so that the mechanical and thermal environment accompanying any emergency situation in which the components are required to function will not interfere with that function.

The actuation of the engineered safety features provided for loss-of-coolant accidents, e.g., Emergency Core Cooling System pumps, reactor containment fan coolers, and Containment Spray Systems, is accomplished from redundant signals derived from the Reactor Coolant System, steam flow, and containment instrumentation. Channel independence originates at the process sensor and is carried through the analog protection racks. The initiation signal for containment spray comes from a high-high containment pressure signal. De-energizing a channel will cause that channel to go into its tripped mode, with the exception of containment spray which is energized to actuate.

A comprehensive program of plant testing has been formulated for equipment vital to the functioning of engineered safety systems.
The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the actuation circuitry and the performance of mechanical components to assure reliable performance upon demand throughout the plant lifetime.

The following series of periodic tests and checks can be conducted to assure that the systems can perform their design functions whenever they should be called on during the plant lifetime:

1. Integrated Test Actuation Circuits and Motor-Operated Valves
The automatic actuation circuitry, valves, and pump breakers can be checked during integrated system tests performed during each planned cooldown of the Reactor Coolant System for refueling.

2. Accumulator Tanks
The accumulator tank pressure and level are continuously monitored during plant operation, and flow from the tanks can be checked at any time using test lines.

3. Safety Injection, Residual Heat Removal, Containment Spray and Charging Pumps
The safety injection and containment spray pumps can be tested periodically during plant operation using the minimum flow recirculation lines provided. The residual heat removal pumps are used every time the residual heat removal loop is put into operation and can be tested periodically on minimum flow. The charging pumps are normally run during plant operation. All remote operated valves can be exercised and actuation circuits can be tested periodically during plant operation or routine maintenance.

4. Reactor Containment Fan Coolers
The reactor containment fan coolers and the service water pumps operate routinely, and no additional periodic test is required.

5. Boric Acid Concentration in the Accumulators
The accumulators and lines are charged with borated water at refueling water concentration of at least 2200 ppm while the plant is in operation.
This concentration is checked periodically by sampling.

6. Boron Injection Tank
The boron in this tank is maintained at or below the maximum concentration allowable for the RWST (2500 ppm). There is no minimum boric acid concentration. The accident assume 0-ppm boric acid concentration in the BIT.

7. Chemical Concentration in the Spray Additive Tank
The concentration of chemical solution in this tank is maintained at approximately 30 weight percent NaOH.

8. Emergency Power Sources
The sets can be started from the control room. The of the units to start and accept 13 seconds is checked. in

9. Containment Penetrations
Penetrations are designed with double seals and the large access openings such as the equipment hatch and personnel air locks are equipped with double seals. Double seals are so that air leak B) tests can be conducted.

10. Instrumented Protection Channels
All reactor protection channels, with the exception of backup reactor trips, are supplied in sets which provide the capability for channel calibration and test. Bypass removal of a trip circuit is used only in 2/4 logic which then becomes 2/3 logic, except for special 1/2 logic such as startup trips which become 1/1 logic.

Reactor Protection System protection channels in service at power are capable of being tested to verify operation. The operability of a reactor trip channel can be determined conveniently and without ambiguity. A complete channel test can be performed through and including the final trip breakers, excluding the sensor.

Actuation of the engineered safety features including containment isolation also employs coincidence circuits which allow checking of the operability of one channel at a time. Removal or bypass of one signal channel places that circuit in the tripped mode.
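The bypass and test-trip arithmetic in item 10 (2/4 becomes 2/3 with one channel bypassed, or 1/3 of the remaining channels with one channel tripped for test) can be checked with a small model. This is an added illustration, not part of the UFSAR or of any plant system; the channel-state names and the two single-failure modes examined (one channel stuck untripped, one channel stuck tripped) are assumptions of the example.

```python
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"      # in service: votes when its sensor demands a trip
    TRIPPED = "tripped"    # forced to vote (test trip, or de-energized channel)
    BYPASSED = "bypassed"  # removed from the vote


def effective_logic(required, states):
    """Return (m, n): trips still needed out of the n channels left voting."""
    voting = sum(s is Ch.NORMAL for s in states)
    forced = sum(s is Ch.TRIPPED for s in states)
    return max(required - forced, 0), voting


def trip_output(required, states, demands):
    """Coincidence gate: True when at least `required` channels vote to trip."""
    votes = sum(
        1 for s, d in zip(states, demands)
        if s is Ch.TRIPPED or (s is Ch.NORMAL and d)
    )
    return votes >= required


def single_failure_effects(required, states):
    """Try every single failure of an in-service channel, in both directions."""
    n = len(states)
    defeats = spurious = False
    for failed in (i for i, s in enumerate(states) if s is Ch.NORMAL):
        # Mode A: real demand on every sensor, but this channel stays untripped.
        if not trip_output(required, states, [i != failed for i in range(n)]):
            defeats = True
        # Mode B: no demand anywhere, but this channel fails into trip.
        if trip_output(required, states, [i == failed for i in range(n)]):
            spurious = True
    return {"defeats_trip": defeats, "spurious_trip": spurious}


# Constructed configurations matching the cases named in the text.
N, T, B = Ch.NORMAL, Ch.TRIPPED, Ch.BYPASSED
CASES = {
    "2/4, all in service": (2, [N, N, N, N]),
    "2/4, one bypassed": (2, [B, N, N, N]),
    "2/4, one tripped for test": (2, [T, N, N, N]),
    "2/3, one tripped for test": (2, [T, N, N]),
    "1/2, one bypassed": (1, [B, N]),
}


def analyse(cases=CASES):
    """Return {label: ((m, n), single-failure effects)} for each configuration."""
    return {
        label: (effective_logic(req, st), single_failure_effects(req, st))
        for label, (req, st) in cases.items()
    }


if __name__ == "__main__":
    for label, ((m, n), fx) in analyse().items():
        print(f"{label:28s} -> {m}/{n}  {fx}")
```

In this model a channel tripped for test can only move the logic toward a trip, while the 1/1 case left by bypassing one channel of a 1/2 function has no single-failure margin in either direction.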
The normal on-line test procedure (exceptions noted above) consists of tripping the channel downstream of the on-off controller (process control) or superimposing the test signal on the transmitted signal (NIS Power Range). In the process control equipment, the 2/4 logic goes to 1/3 remaining, and 2/3 logic goes to 1/2 remaining. The transmitted signal is disconnected and a precise simulated signal is injected. The trip points are then checked against the precise signal. In the Nuclear Instrumentation System (NIS) power range equipment, a precise signal is superimposed on the existing input signal and the trip point is checked against the combined signal. Sensors are checked by comparing their outputs to each other.

Two independent reactivity control systems, of different design in the reactor system These are neutron control rods and chemical of the reactor coolant with boron. The react worth of the worth control rod is less than that to achieve criticality with that rod out of the core and all the remaining control rods fully inserted in the core.

The Reactor Coolant System has been designed so that static and dynamic loads on boundary as a result of any inadvertent and sudden release of energy to the coolant will not cause rupture of the pressure boundary. In order to continually guard any weakness the reactor coolant pressure containing components have provisions for inspection and testing to assess the structural and leaktight integrity of the boundary components during their service lifetime.

The features provided in this have sufficient redundancy of components and power sources so that even under the conditions of the design basis accident, the systems can, even when with effectiveness, maintain the required integrity of fission product barriers to keep exposure of the public well within the guidelines of 10CFR50.67 (Code of Federal Regulations). A general explanation of each of the engineered safety features follows.
Specific details on system design and operation are covered in Section 6.

1. A steel lined concrete containment structure reliable final barrier the escape of an fission products. Containment penetrations, including access openings and ventilation ducts, are provided with double seals. the containment which could become a to the environment following the basis accident are provided with isolation valves.

2. An Core Cooling is to deliver borated water to the core, in the event of a loss-of-coolant accident, in three modes: accumulator active injection, and residual heat removal circulation. The design provides for periodic testing of active components for operability and required functional performance as well as incorporates provisions to facilitate physical inspection of all critical components.

3. Active heat removal systems are provided within the containment to cool the containment atmosphere under design basis accident conditions. Two systems of different design are the Containment and the Reactor Containment Fan Cooler the worst-case active failure under basis accident conditions, these systems have sufficient redundancy of components to maintain an acceptable post-accident containment pressure. The Containment Spray System is also instrumental in the removal of elemental iodine from a post-LOCA atmosphere, thus reducing the concentration of halogen fission products. Further details regarding the iodine scrubbing ability of the containment spray system are discussed in section 5.2.3.1.

fuel storage in the fuel and waste facilities are contained and the is such that accidental releases of to the will not exceed the limits of 10CFR100. Refer to Section 9.7. Separate fuel storage facilities are provided for each unit. An Independent Spent Fuel Storage Installation (ISFSI), which for additional storage of both Salem and Hope Creek spent fuel in a dry configuration, is located on site, north of the Hope Creek Generating Station. See Section 9.1.4.5 for additional pertaining to the ISFSI.
During the refueling of the reactor, all operations are conducted with the spent fuel under water (see Section 9.7). This provides visual control of the at all times and also maintains low radiation levels. The borated re water assures at all times and also for the fuel during transfer. fuel is taken from the reactor and transferred to the canal and in the Fuel Transfer System. Rod cluster control assembly transfer from a spent fuel assembly to a new fuel assembly is accomplished prior to transferring the spent fuel to a spent fuel storage pool.

Each spent fuel storage pool is supplied with a cooling system for the removal of the decay heat of the spent fuel prior to storage at the ISFSI or shipment from the site. Racks are provided to accommodate the of a total of 6 cores. The pools are filled with borated water at a concentration to match that used in the reactor and canal during The spent fuel is stored in a vertical array with sufficient center-to-center distance between assemblies to assure subcriticality (keff < 0.95) even if unborated water were introduced into the The racks are designed so that it is to insert assemblies in other than the in the pool will sufficient area by Each locations. to fuel The water level maintained normal occupancy of the pool is also with systems to maintain water cleanliness and to indicate pool water level. Gamma radiation is continuously monitored in the Auxiliary Building and a high level is annunciated in the control room.

Water removed from the pools must be pumped out as there are no gravity drains. or leakage of any from waste handling facilities go to floor drains which flow to sumps.

Postulated accidents the release of from the fuel and waste storage and facilities are shown in Section 14.3 to result in exposures well within the guidelines of 10CFR50.67.
The reactor refueling cavity, refueling canals and the spent fuel storage pools are reinforced concrete structures with stainless steel liners. These structures are designed to withstand the anticipated earthquake loadings so that the liner will prevent gross leakage.

The transfer tubes which connect the canals and the spent fuel and form part of the reactor containment are provided with valves and blind which close off the transfer tubes when not in use.

Effluents

Gaseous, liquid, and solid waste disposal facilities are designed so that discharge of effluents and offsite shipments shall be in accordance with government regulations.

Process and streams are monitored and features are to releases in excess of the limits of 10CFR20. Environmental conditions do not operational radioactive effluents entering the Waste Disposal System any restrictions on the normal release of to the atmosphere. Radioactive fluids are collected in analysis tanks until the course of subsequent treatment is determined.

Radioactive gases are pumped by compressors through a manifold to one of the waste gas tanks where are held a suitable of time for decay. Tanks are provided for the normal operations of filling, isolation for decay, and discharge. During normal operation decayed gases are discharged intermittently at a controlled rate from the tanks through the monitored plant vent. All solid wastes are placed in suitable containers and stored onsite until shipment offsite for disposal.

wastes are to remove most of the radioactive material. The spent resins from the demineralizers, the filter and the concentrate from the evaporators are and stored onsite until offsite for disposal. The processed water, from which most of the radioactive material has been removed, is discharged through a monitored line into the condenser discharge.