ML16055A228


Response to Request for Additional Information and Emergency Action Level Technical Bases Document, Revision 1, Redline Version. Part 2 of 4
ML16055A228
Person / Time
Site: Catawba
Issue date: 02/19/2016
From: Henderson K
Duke Energy Carolinas
To:
Office of Nuclear Reactor Regulation
Shared Package
ML16055A223 List:
References
CNS-16-010, TAC MF6166, TAC MF6167
Download: ML16055A228 (106)


Text

ATTACHMENT 1 EAL Bases

Category: C - Cold Shutdown / Refueling System Malfunction

Subcategory: 3 - NCS Temperature

Initiating Condition: Inability to maintain plant in cold shutdown

EAL: CA3.1 Alert

UNPLANNED increase in NCS temperature to > 200°F for > Table C-3 duration (Notes 1, 9)

OR

UNPLANNED NCS pressure increase > 10 psig due to a loss of NCS cooling (this does not apply during water-solid plant conditions)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that the applicable time has been exceeded, or will likely be exceeded.

Note 9: In the absence of reliable NCS temperature indication caused by the loss of decay heat removal capability, classification should be based on time to boil data when in Mode 5 and 6.

Table C-3: NCS Heat-up Duration Thresholds

| NCS Status | Containment Closure Status | Heat-up Duration |
|---|---|---|
| Intact (but not reduced inventory) | N/A | 60 min. |
| Not intact or at reduced inventory | established | 20 min.* |
| Not intact or at reduced inventory | not established | 0 min. |

* If an NCS heat removal system is in operation within this time frame and NCS temperature is being reduced, the EAL is not applicable.

Mode Applicability: 5 - Cold Shutdown, 6 - Refueling

Definition(s):

CONTAINMENT CLOSURE - The procedurally defined conditions or actions taken to secure Primary or Secondary Containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to CNS, Containment Closure is established when the requirements of OP/0/A/6100/014 Penetration Control for Modes 5, 6 and NO Mode - Enclosure 4.7 Setting, Maintaining and Securing from Containment Penetration Control are met.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

RP/0/A/5000/001 Rev. 1 Page 90 of 247

Several instruments are capable of providing indication of NCS temperature with respect to the Technical Specification cold shutdown temperature limit (200°F, ref. 1) including both hot leg and cold leg RTDs and core exit T/Cs (ref. 2, 3).

A 10 psig RPV pressure increase can be read on various instruments such as NCPT5141 C-Loop N/R, 0-800 psig and Point #4 on SMCR581 0 (CR chart recorder, 0-600 psi) (ref. 4, 5).

In the absence of reliable NCS temperature indication caused by the loss of decay heat removal capability, classification should be based on the NCS pressure increase criteria when in Mode 5 or based on time to boil data when in Mode 6.

RCS reduced inventory condition exists when NCS level is < 16% (ref. 7).

This IC addresses conditions involving a loss of decay heat removal capability or an addition of heat to the NCS in excess of that which can currently be removed. Either condition represents an actual or potential substantial degradation of the level of safety of the plant.

A momentary UNPLANNED excursion above the Technical Specification cold shutdown temperature limit when the heat removal function is available does not warrant a classification.

The NCS Heat-up Duration Thresholds table addresses an increase in NCS temperature when CONTAINMENT CLOSURE is established but the NCS is not intact, or NCS inventory is reduced (e.g., mid-loop operation). The 20-minute criterion was included to allow time for operator action to address the temperature increase.

The NCS Heat-up Duration Thresholds table also addresses an increase in NCS temperature with the NCS intact. The status of CONTAINMENT CLOSURE is not crucial in this condition since the intact NCS is providing a high pressure barrier to a fission product release. The 60-minute time frame should allow sufficient time to address the temperature increase without a substantial degradation in plant safety.

Finally, in the case where there is an increase in NCS temperature, the NCS is not intact or is at reduced inventory, and CONTAINMENT CLOSURE is not established, no heat-up duration is allowed (i.e., 0 minutes). This is because 1) the evaporated reactor coolant may be released directly into the containment atmosphere and subsequently to the environment, and 2) there is reduced reactor coolant inventory above the top of irradiated fuel.

The NCS pressure increase threshold provides a pressure-based indication of NCS heat-up in the absence of NCS temperature monitoring capability.

Escalation of the emergency classification level would be via IC CS1 or RS1.

CNS Basis Reference(s):

1. CNS Technical Specifications Table 1.1-1
2. CNS UFSAR Section 7.0 Instrumentation and Controls
3. AP/1(2)/A/5500/019 Loss of Residual Heat Removal System
4. IP/1(2)/B/3121/011IA
5. IP/1(2)/A/3122/055A
6. OP/0/A/6100/014 Penetration Control for Modes 5, 6 and NO Mode. Enclosure 4.7 Setting, Maintaining and Securing from Containment Penetration Control
7. OP/1(2)/A/6150/006 Draining the Reactor Coolant System
8. NEI 99-01 CA3

Category: C - Cold Shutdown / Refueling System Malfunction

Subcategory: 4 - Loss of Vital DC Power

Initiating Condition: Loss of Vital DC power for 15 minutes or longer

EAL: CU4.1 Unusual Event

< 105 VDC bus voltage indications on Technical Specification required 125 VDC buses for > 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability: 5 - Cold Shutdown, 6 - Refueling

Definition(s):

None

Basis:

Four 125 VDC distribution centers are provided for the 125VDC Vital Instrumentation and Control Power System. Four distribution centers (EDA, EDC, EDB and EDO), one per load group, supply the four independent channels of vital instrumentation and control, and are each powered directly from an independent 125 volt battery and battery charger. Each of the four distribution centers supplies one DC panel board and one 125VDC-120VAC static inverter (ref. 1).

The Class 1E DC loads have an operating voltage range of 105 to 135 volts. The minimum battery discharge voltage (requiring opening the degraded battery output breaker) is 105 VDC (ref. 1, 2).

This EAL is the cold condition equivalent of the hot condition loss of DC power EAL SS7.1.

This IC addresses a loss of vital DC power which compromises the ability to monitor and control operable SAFETY SYSTEMS when the plant is in the cold shutdown or refueling mode.

In these modes, the core decay heat load has been significantly reduced, and coolant system temperatures and pressures are lower; these conditions increase the time available to restore a vital DC bus to service. Thus, this condition is considered to be a potential degradation of the level of safety of the plant.

As used in this EAL, "required" means the vital DC buses necessary to support operation of the in-service, or operable, train or trains of SAFETY SYSTEM equipment. For example, if Train A is out-of-service (inoperable) for scheduled outage maintenance work and Train B is in-service (operable), then a loss of Vital DC power affecting Train B would require the declaration of an Unusual Event. A loss of Vital DC power to Train A would not warrant an emergency classification.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Depending upon the event, escalation of the emergency classification level would be via IC CA1 or CA3, or an IC in Recognition Category R.

CNS Basis Reference(s):

1. CNS UFSAR Section 8.0 Electrical Power
2. AP/1(2)/A/5500/029 Loss of Vital or Aux Control Power
3. NEI 99-01 CU4

Category: C - Cold Shutdown / Refueling System Malfunction

Subcategory: 5 - Loss of Communications

Initiating Condition: Loss of all onsite or offsite communications capabilities

EAL: CU5.1 Unusual Event

Loss of all Table C-4 onsite communication methods

OR

Loss of all Table C-4 ORO communication methods

OR

Loss of all Table C-4 NRC communication methods

Table C-4 Communication Methods

System Onsite ORO NRC
Public Address X
Internal Telephones X
Onsite Radios X
DEMNET X
Commercial Telephones X X
Satellite Phones X X
Cellular Phones X X
NRC Emergency Telephone System (ETS) X X

Mode Applicability: 5 - Cold Shutdown, 6 - Refueling, 0 - Defueled

Definition(s):

None

Basis:

Onsite/offsite communications include one or more of the systems listed in Table C-4 (ref. 1).

Public Address System

The Catawba Plant public address system provides paging and party line communications between stations located throughout the plant. Inside and outside type wall and desk-mounted stations are used to communicate between roaming personnel and fixed work locations. Plant-wide instructions are issued using the paging feature.

Internal Telephone System

The Catawba Site PBX telephone system provides communication capability between telephone stations located within the plant by dialing the four-digit telephone station code.

On-site Radio System

Radio systems can be used for communication among operators, off-site monitoring teams, the control room, TSC and EOF.

DEMNET

DEMNET is the primary means of offsite communication. This circuit allows intercommunication among the EOF, TSC, control room, counties, and states. DEMNET operates as an internet based (VoIP) communications system with a satellite back-up. Should the internet transfer rate become slow or unavailable, the DEMNET will automatically transfer to satellite mode.

Commercial Telephones

Commercial telephone lines, which supply public telephone communications, are employed by Duke Energy. The local service provider provides primary and secondary power for their lines at the Central Office.

Satellite Phones

Portable satellite telephones are available which enable communication when all other phone systems are inoperable, e.g. following a major external event. These portable systems can be powered by internal batteries, external DC sources as well as external AC sources.

Cellular Phones

Cellular phones may be used during emergencies if other communications means are not readily available or are inoperable. These phones are not expected to be used in the Control Room or Power Block due to interference with plant equipment and loss of signal to the phone.

NRC Emergency Telephone System

The NRC uses a Duke Energy dedicated telephone line which allows direct telephone communications from the plant to NRC regional and national offices. The Duke Energy communications line provides a link independent of the local public telephone network. Telephones connected to this network are located in the Catawba Control Room, Technical Support Center, and Emergency Operations Facility and can be used to establish NRC Emergency Notification System (ENS) and Health Physics Network (HPN) capability.

This EAL is the cold condition equivalent of the hot condition EAL SU7.1.

This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OROs and the NRC.

This IC should be assessed only when extraordinary means are being utilized to make communications possible (e.g., use of non-plant, privately owned equipment, relaying of on-site information via individuals or multiple radio transmission points, individuals being sent to offsite locations, etc.).

The first EAL condition addresses a total loss of the communications methods used in support of routine plant operations.

The second EAL condition addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the State, York, Gaston and Mecklenburg County EOCs.

The third EAL addresses a total loss of the communications methods used to notify the NRC of an emergency declaration.

CNS Basis Reference(s):

1. CNS Emergency Plan Section F Emergency Communications
2. NEI 99-01 CU5

Category: C - Cold Shutdown / Refueling System Malfunction

Subcategory: 6 - Hazardous Event Affecting Safety Systems

Initiating Condition: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode

EAL: CA6.1 Alert

The occurrence of any Table C-5 hazardous event AND EITHER:

  • Event damage has caused indications of degraded performance in at least one train of a SAFETY SYSTEM needed for the current operating mode
  • The event has caused VISIBLE DAMAGE to a SAFETY SYSTEM component or structure needed for the current operating mode

Table C-5 Hazardous Events

  • Seismic event (earthquake)
  • Internal or external FLOODING event
  • High winds or tornado strike
  • FIRE
  • EXPLOSION
  • Other events with similar hazard characteristics as determined by the Shift Manager

Mode Applicability: 5 - Cold Shutdown, 6 - Refueling

Definition(s):

EXPLOSION - A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to determine if the attributes of an explosion are present.

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary;
(2) The capability to shut down the reactor and maintain it in a safe shutdown condition;
(3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

VISIBLE DAMAGE - Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure.

Basis:

  • The significance of seismic events is discussed under EAL HU2.1 (ref. 1).
  • Internal FLOODING may be caused by events such as component failures, equipment misalignment, or outage activity mishaps (ref. 2).
  • External flooding may be due to high lake level. CNS plant yard elevation is 593.5 ft MSL. The minimum external access elevation for the Auxiliary, Turbine and Service Buildings is 594.0 ft MSL (ref. 1, 3).
  • Seismic Category I structures are analyzed to withstand a sustained, design wind velocity of at least 95 mph (ref. 4).
  • Areas containing functions and systems required for safe shutdown of the plant are identified by fire area in the fire response procedure (ref. 5).
  • An explosion that degrades the performance of a SAFETY SYSTEM train or visibly damages a SAFETY SYSTEM component or structure would be classified under this EAL.

This IC addresses a hazardous event that causes damage to a SAFETY SYSTEM, or a structure containing SAFETY SYSTEM components, needed for the current operating mode.

This condition significantly reduces the margin to a loss or potential loss of a fission product barrier, and therefore represents an actual or potential substantial degradation of the level of safety of the plant.

The first conditional addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

The second conditional addresses damage to a SAFETY SYSTEM component that is not in service/operation or readily apparent through indications alone, or to a structure containing SAFETY SYSTEM components. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage.

Escalation of the emergency classification level would be via IC CS1 or RS1.

CNS Basis Reference(s):

1. RP/0/A/5000/007 Natural Disaster and Earthquake
2. AP/0/A/5500/030 Plant Flooding
3. UFSAR Section 3.4 Water Level (Flood) Design
4. Updated FSAR Section 3.3.1 Wind Loadings
5. AP/0/A/5500/045 Plant Fire
6. NEI 99-01 CA6

Category H - Hazards and Other Conditions Affecting Plant Safety

EAL Group: ANY (EALs in this category are applicable to any plant condition, hot or cold.)

Hazards are non-plant, system-related events that can directly or indirectly affect plant operation, reactor plant safety or personnel safety.

1. Security

Unauthorized entry attempts into the Protected Area, bomb threats, sabotage attempts, and actual security compromises threatening loss of physical control of the plant.

2. Seismic Event

Natural events such as earthquakes have potential to cause plant structure or equipment damage of sufficient magnitude to threaten personnel or plant safety.

3. Natural or Technology Hazard

Other natural and non-naturally occurring events that can cause damage to plant facilities include tornados, FLOODING, hazardous material releases and events restricting site access warranting classification.

4. Fire

Fires can pose significant hazards to personnel and reactor safety. Appropriate for classification are fires within the site Protected Area or which may affect operability of equipment needed for safe shutdown.

5. Hazardous Gas

Toxic, corrosive, asphyxiant or flammable gas leaks can affect normal plant operations or preclude access to plant areas required to safely shutdown the plant.

6. Control Room Evacuation

Events that are indicative of loss of Control Room habitability. If the Control Room must be evacuated, additional support for monitoring and controlling plant functions is necessary through the emergency response facilities.

7. Emergency Coordinator Judgment

The EALs defined in other categories specify the predetermined symptoms or events that are indicative of emergency or potential emergency conditions and thus warrant classification. While these EALs have been developed to address the full spectrum of possible emergency conditions which may warrant classification and subsequent implementation of the Emergency Plan, a provision for classification of emergencies based on operator/management experience and judgment is still necessary. The EALs of this category provide the Emergency Coordinator the latitude to classify emergency conditions consistent with the established classification criteria based upon Emergency Coordinator judgment.

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: Confirmed SECURITY CONDITION or threat

EAL: HU1.1 Unusual Event

A SECURITY CONDITION that does not involve a HOSTILE ACTION as reported by the Security Shift Supervision

Mode Applicability: All

Definition(s):

SECURITY CONDITION - Any security event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A security condition does not involve a hostile action.

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

Basis:

This EAL is based on the Duke Energy Physical Security Plan for CNS (ref. 1).

This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment, and thus represent a potential degradation in the level of plant safety. Security events which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. Security events assessed as HOSTILE ACTIONS are classifiable under ICs HA1, HS1 and HG1.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3, 4).

Classification of these events will initiate appropriate threat-related notifications to plant personnel and Offsite Response Organizations.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

This threshold references the Security Shift Supervision because these are the individuals trained to confirm that a security event is occurring or has occurred. Training on security event confirmation and classification is controlled due to the nature of Safeguards and 10 CFR § 2.39 information.

Deleted: OR ¶ Notification of a credible security threat directed at the site ¶ OR ¶ A validated notification from the NRC providing information of an aircraft threat

Deleted: The first

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

Escalation of the emergency classification level would be via IC HA1.

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. AP/0/A/5500/046 Hostile Aircraft Activity
3. RP/0/B/5000/026 Site Response to a Security Threat
4. AP/0/A/5500/048 Extensive Damage Mitigation
5. NEI 99-01 HU1

Deleted: The second threshold addresses the receipt of a credible security threat. The credibility of the threat is assessed in accordance with the CNS Security Contingency Plan (ref. 1). ¶ The third threshold addresses the threat from the impact of an aircraft on the plant. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may also be provided by NORAD through the NRC. Validation of the threat is performed in accordance with the CNS Security Contingency Plan (ref. 1). ¶

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: Confirmed SECURITY CONDITION or threat

EAL: HU1.2 Unusual Event

Notification of a credible security threat directed at the site

Mode Applicability: All

Definition(s):

SECURITY CONDITION - Any security event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A security condition does not involve a hostile action.

Basis:

This EAL is based on the Duke Energy Physical Security Plan for CNS (ref. 1).

This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment, and thus represent a potential degradation in the level of plant safety. Security events which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. Security events assessed as HOSTILE ACTIONS are classifiable under ICs HA1, HS1 and HG1.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3, 4).

Classification of these events will initiate appropriate threat-related notifications to plant personnel and Offsite Response Organizations.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

This threshold addresses the receipt of a credible security threat. The credibility of the threat is assessed in accordance with the CNS Security Contingency Plan (ref. 1).

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

Escalation of the emergency classification level would be via IC HA1.

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. AP/0/A/5500/046 Hostile Aircraft Activity
3. RP/0/B/5000/026 Site Response to a Security Threat
4. AP/0/A/5500/048 Extensive Damage Mitigation
5. NEI 99-01 HU1

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: Confirmed SECURITY CONDITION or threat

EAL: HU1.3 Unusual Event

A validated notification from the NRC providing information of an aircraft threat

Mode Applicability: All

Definition(s):

SECURITY CONDITION - Any security event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A security condition does not involve a hostile action.

Basis:

This EAL is based on the Duke Energy Physical Security Plan for CNS (ref. 1).

This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment, and thus represent a potential degradation in the level of plant safety. Security events which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. Security events assessed as HOSTILE ACTIONS are classifiable under ICs HA1, HS1 and HG1.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3, 4).

Classification of these events will initiate appropriate threat-related notifications to plant personnel and Offsite Response Organizations.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

This threshold addresses the threat from the impact of an aircraft on the plant. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may also be provided by NORAD through the NRC. Validation of the threat is performed in accordance with the CNS Security Contingency Plan (ref. 1).

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

Escalation of the emergency classification level would be via IC HA1.

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. AP/0/A/5500/046 Hostile Aircraft Activity
3. RP/0/B/5000/026 Site Response to a Security Threat
4. AP/0/A/5500/048 Extensive Damage Mitigation
5. NEI 99-01 HU1

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: HOSTILE ACTION within the OWNER CONTROLLED AREA or airborne attack threat

EAL: HA1.1 Alert

A HOSTILE ACTION is occurring or has occurred within the OWNER CONTROLLED AREA as reported by the Security Shift Supervision

Mode Applicability: All

Definition(s):

HOSTILE ACTION -An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included.

Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS* Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).OWNER CONTROLLED AREA -Area outside the PROTECTED AREA fence that immediately surrounds the plant. Access to this area is generally restricted to those entering on official business.Basis: This IC addresses the occurrence of a HOSTILE ACTION within the OWNER CONTROLLED AREA or notification of an aircraft attack threat. This event will require rapid response and assistance due to the possibility of the attack progressing to the PROTECTED AREA, or the need to prepare the plant and staff for a potential aircraft impact.Timely and accurate communications between the Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3, 4).Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e~g., evacuation, dispersal or sheltering).

The Alert declaration will also heighten the awareness of Offsite Response Organizations (OROs), allowing them to be better prepared should it be necessary to consider further actions.

Deleted: OR A validated notification from NRC of an aircraft attack threat within 30 min. of the site

This IC does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc.

Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72.

This threshold is applicable for any HOSTILE ACTION occurring or that has occurred, in the OWNER CONTROLLED AREA. This includes any action directed against an ISFSI that is located outside the plant PROTECTED AREA.

Deleted: The first

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information.

This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location.

Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. AP/0/A/5500/046 Hostile Aircraft Activity
3. RP/0/B/5000/026 Site Response to a Security Threat
4. AP/0/A/5500/048 Extensive Damage Mitigation
5. NEI 99-01 HA1

Deleted: The second threshold addresses the threat from the impact of an aircraft on the plant, and the anticipated arrival time is within 30 minutes. The intent of this EAL is to ensure that threat-related notifications are made in a timely manner so that plant personnel and OROs are in a heightened state of readiness.

This EAL is met when the threat-related information has been validated in accordance with site-specific security procedures.

The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft.

The status and size of the plane may be provided by NORAD through the NRC.

In some cases, it may not be readily apparent if an aircraft impact within the OWNER CONTROLLED AREA was intentional (i.e., a HOSTILE ACTION). It is expected, although not certain, that notification by an appropriate Federal agency to the site would clarify this point. In this case, the appropriate federal agency is intended to be NORAD, FBI, FAA or NRC. The emergency declaration, including one based on other ICs/EALs, should not be unduly delayed while awaiting notification by a Federal agency.

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: HOSTILE ACTION within the OWNER CONTROLLED AREA or airborne attack threat

EAL: HA1.2 Alert

A validated notification from NRC of an aircraft attack threat within 30 min. of the site

Mode Applicability: All

Definition(s):

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included.

Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

OWNER CONTROLLED AREA - Area outside the PROTECTED AREA fence that immediately surrounds the plant. Access to this area is generally restricted to those entering on official business.

Basis:

This IC addresses the occurrence of a HOSTILE ACTION within the OWNER CONTROLLED AREA or notification of an aircraft attack threat. This event will require rapid response and assistance due to the possibility of the attack progressing to the PROTECTED AREA, or the need to prepare the plant and staff for a potential aircraft impact.

Timely and accurate communications between the Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3, 4).

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g., evacuation, dispersal or sheltering).

The Alert declaration will also heighten the awareness of Offsite Response Organizations (OROs), allowing them to be better prepared should it be necessary to consider further actions.

This IC does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc.

Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72.

This threshold addresses the threat from the impact of an aircraft on the plant, and the anticipated arrival time is within 30 minutes. The intent of this EAL is to ensure that threat-related notifications are made in a timely manner so that plant personnel and OROs are in a heightened state of readiness.

This EAL is met when the threat-related information has been validated in accordance with site-specific security procedures.

The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft.

The status and size of the plane may be provided by NORAD through the NRC.

In some cases, it may not be readily apparent if an aircraft impact within the OWNER CONTROLLED AREA was intentional (i.e., a HOSTILE ACTION). It is expected, although not certain, that notification by an appropriate Federal agency to the site would clarify this point. In this case, the appropriate federal agency is intended to be NORAD, FBI, FAA or NRC. The emergency declaration, including one based on other ICs/EALs, should not be unduly delayed while awaiting notification by a Federal agency.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information.

This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location.

Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. AP/0/A/5500/046 Hostile Aircraft Activity
3. RP/0/B/5000/026 Site Response to a Security Threat
4. AP/0/A/5500/048 Extensive Damage Mitigation
5. NEI 99-01 HA1

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: Hostile Action within the Protected Area

EAL: HS1.1 Site Area Emergency

A HOSTILE ACTION is occurring or has occurred within the PROTECTED AREA as reported by the Security Shift Supervision

Mode Applicability: All

Definition(s):

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included.

Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

PROTECTED AREA - An area encompassed by physical barriers and to which access is controlled. The Protected Area refers to the designated security area around the process buildings and is depicted in CNS UFSAR Figure 1-20 Plot Plan.

Basis:

These individuals are the designated on-site personnel qualified and trained to confirm that a security event is occurring or has occurred.

Training on security event classification confirmation is closely controlled due to the strict secrecy controls placed on the Duke Energy Physical Security Plan for CNS (Safeguards) information. (ref. 1)

This IC addresses the occurrence of a HOSTILE ACTION within the PROTECTED AREA. This event will require rapid response and assistance due to the possibility for damage to plant equipment.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3).

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g., evacuation, dispersal or sheltering).

The Site Area Emergency declaration will mobilize Offsite Response Organization (ORO) resources and have them available to develop and implement public protective actions in the unlikely event that the attack is successful in impairing multiple safety functions.

This IC does not apply to a HOSTILE ACTION directed at an ISFSI PROTECTED AREA located outside the plant PROTECTED AREA; such an attack should be assessed using IC HA1. It also does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information.

This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location.

Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

Escalation of the emergency classification level would be via IC HG1.

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. RP/0/B/5000/026 Site Response to a Security Threat
3. AP/0/A/5500/048 Extensive Damage Mitigation
4. NEI 99-01 HS1

Category: H - Hazards

Subcategory: 1 - Security

Initiating Condition: Hostile Action resulting in loss of physical control of the facility

EAL: HG1.1 General Emergency

A HOSTILE ACTION is occurring or has occurred within the PROTECTED AREA as reported by the Security Shift Supervisor

AND

EITHER of the following has occurred:

Any of the following safety functions cannot be controlled or maintained

  • Reactivity
  • Core cooling
  • NCS heat removal

OR

Damage to spent fuel has occurred or is IMMINENT

Mode Applicability: All

Definition(s):

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included.

Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

PROTECTED AREA - An area encompassed by physical barriers and to which access is controlled. The Protected Area refers to the designated security area around the process buildings and is depicted in CNS UFSAR Figure 1-20 Plot Plan.

Basis:

This IC addresses an event in which a HOSTILE FORCE has taken physical control of the facility to the extent that the plant staff can no longer operate equipment necessary to maintain key safety functions.

It also addresses a HOSTILE ACTION leading to a loss of physical control that results in actual or IMMINENT damage to spent fuel due to 1) damage to a spent fuel pool cooling system (e.g., pumps, heat exchangers, controls, etc.) or, 2) loss of spent fuel pool integrity such that sufficient water level cannot be maintained.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 2, 3).

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information.

This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location.

Security-sensitive information should be contained in non-public documents such as the Duke Energy Physical Security Plan for CNS (ref. 1).

CNS Basis Reference(s):

1. Duke Energy Physical Security Plan for CNS
2. RP/0/B/5000/026 Site Response to a Security Threat
3. AP/0/A/5500/048 Extensive Damage Mitigation
4. AP/1(2)/A/5500/017 Loss of Control Room
5. NEI 99-01 HG1

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 2 - Seismic Event

Initiating Condition: Seismic event greater than OBE levels

EAL: HU2.1 Unusual Event

Seismic event > OBE as indicated by OBE EXCEEDED alarm on lAD-4, B/8

Mode Applicability: All

Definition(s): None

Basis:

Ground motion acceleration of 0.08g horizontal or 0.053g vertical is the Operating Basis Earthquake for CNS (ref. 1).

Five strong motion accelerographs are installed within Unit 1 structures.

The seismic instrumentation system also consists of a network control center (NCC), which is used for rapid interrogation of the accelerograph data and for data transfer to a dedicated system computer for subsequent data processing and analysis.

The time-history recorded at each accelerograph location can be analyzed to determine its corresponding peak acceleration values and to verify that site Operating Basis Earthquake (OBE) limits have not been exceeded.

Immediate control room alarm indication of an earthquake of 0.08 g horizontal or 0.053 g vertical or greater is annunciated through the system's network control center (NCC), following seismic trigger actuation by at least two accelerographs (ref. 2).

RP/0/A/5000/007 Natural Disaster and Earthquake provides the guidance for determining if the OBE earthquake threshold is exceeded and any required response actions. (ref. 3)

To avoid inappropriate emergency classification resulting from spurious actuation of the seismic instrumentation or felt motion not attributable to seismic activity, an offsite agency (USGS, National Earthquake Information Center) can confirm that an earthquake has occurred in the area of the plant. Such confirmation should not, however, preclude a timely emergency declaration based on receipt of the OBE alarm. The NEIC can be contacted by calling (303) 273-8500. Select option #1 and inform the analyst you wish to confirm recent seismic activity in the vicinity of CNS. Provide the analyst with the following CNS coordinates: 35° 03' 04" north latitude, 81° 04' 10" west longitude (ref. 4). Alternatively, near real-time seismic activity can be accessed via the NEIC website: http://earthquake.usgs.gov/eqcenter/

This IC addresses a seismic event that results in accelerations at the plant site greater than those specified for an Operating Basis Earthquake (OBE). An earthquake greater than an OBE but less than a Safe Shutdown Earthquake (SSE) should have no significant impact on safety-related systems, structures and components; however, some time may be required for the plant staff to ascertain the actual post-event condition of the plant (e.g., performs walk-downs and post-event inspections).

Given the time necessary to perform walk-downs and inspections, and fully understand any impacts, this event represents a potential degradation of the level of safety of the plant.

Event verification with external sources should not be necessary during or following an OBE. Earthquakes of this magnitude should be readily felt by on-site personnel and recognized as a seismic event (e.g., lateral accelerations in excess of 0.08g). The Shift Manager or Emergency Coordinator may seek external verification if deemed appropriate (e.g., a call to the USGS, check internet news sources, etc.); however, the verification action must not preclude a timely emergency declaration.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

CNS Basis Reference(s):

1. Updated FSAR Section 3.1 Conformance with General Design Criteria
2. Updated FSAR Section 3.7.4.2 Location and Description of Instrumentation
3. RP/0/A/5000/007 Natural Disaster and Earthquake
4. Updated FSAR section 2.1.1.1 Specification of Location (Unit 1)
5. NEI 99-01 HU2

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 3 - Natural or Technological Hazard

Initiating Condition: Hazardous event

EAL: HU3.1 Unusual Event

A tornado strike within the PROTECTED AREA

Mode Applicability: All

Definition(s):

PROTECTED AREA - An area encompassed by physical barriers and to which access is controlled. The Protected Area refers to the designated security area around the process buildings and is depicted in CNS UFSAR Figure 1-20 Plot Plan.

Basis:

Response actions associated with a tornado onsite are provided in RP/0/A/5000/007 .2 Tornado Warning Issued for York County or Tornado On-Site (ref. 1).

If damage is confirmed visually or by other in-plant indications, the event may be escalated to an Alert under EAL CA6.1 or SA9.

A tornado striking (touching down) within the PROTECTED AREA warrants declaration of an Unusual Event regardless of the measured wind speed at the meteorological tower. A tornado is defined as a violently rotating column of air in contact with the ground and extending from the base of a thunderstorm.

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

EAL HU3.1 addresses a tornado striking (touching down) within the PROTECTED AREA.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, S or C.

CNS Basis Reference(s):

1. RP/0/A/5000/007 Natural Disaster and Earthquake
2. NEI 99-01 HU3

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 3 - Natural or Technological Hazard

Initiating Condition: Hazardous event

EAL: HU3.2 Unusual Event

Internal room or area FLOODING of a magnitude sufficient to require manual or automatic electrical isolation of a SAFETY SYSTEM component needed for the current operating mode

Mode Applicability: All

Definition(s):

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary;
(2) The capability to shut down the reactor and maintain it in a safe shutdown condition;
(3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

Areas susceptible to internal flooding are Turbine/Service Buildings and Auxiliary/Diesel Buildings from the following systems: Condenser Circulating Water, Fire protection, Nuclear and Conventional Service Water and Condensate Storage (ref. 1). Refer to EAL CA6.1 for internal flooding affecting one or more SAFETY SYSTEM trains.

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

This EAL addresses FLOODING of a building room or area that results in operators isolating power to a SAFETY SYSTEM component due to water level or other wetting concerns. Classification is also required if the water level or related wetting causes an automatic isolation of a SAFETY SYSTEM component from its power source (e.g., a breaker or relay trip). To warrant classification, operability of the affected component must be required by Technical Specifications for the current operating mode.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, S or C.

CNS Basis Reference(s):

1. AP/0/A/5500/030 Plant Flooding
2. NEI 99-01 HU3

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 3 - Natural or Technological Hazard

Initiating Condition: Hazardous event

EAL: HU3.3 Unusual Event

Movement of personnel within the PROTECTED AREA is IMPEDED due to an offsite event involving hazardous materials (e.g., an offsite chemical spill or toxic gas release)

Mode Applicability: All

Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

PROTECTED AREA - An area encompassed by physical barriers and to which access is controlled. The Protected Area refers to the designated security area around the process buildings and is depicted in CNS UFSAR Figure 1-20 Plot Plan.

Basis:

As used here, the term "offsite" is meant to be areas external to the CNS PROTECTED AREA.

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

This EAL addresses a hazardous materials event originating at an offsite location and of sufficient magnitude to impede the movement of personnel within the PROTECTED AREA.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, S or C.

CNS Basis Reference(s):

1. NEI 99-01 HU3

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 3 - Natural or Technological Hazard

Initiating Condition: Hazardous event

EAL: HU3.4 Unusual Event

A hazardous event that results in on-site conditions sufficient to prohibit the plant staff from accessing the site via personal vehicles (Note 7)

Note 7: This EAL does not apply to routine traffic impediments such as fog, snow, ice, or vehicle breakdowns or accidents.

Mode Applicability: All

Definition(s): None

Basis:

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

This EAL addresses a hazardous event that causes an on-site impediment to vehicle movement and significant enough to prohibit the plant staff from accessing the site using personal vehicles.

Examples of such an event include site FLOODING caused by a hurricane, heavy rains, up-river water releases, dam failure, etc., or an on-site train derailment blocking the access road.

This EAL is not intended to apply to routine impediments such as fog, snow, ice, or vehicle breakdowns or accidents, but rather to more significant conditions such as the Hurricane Andrew strike on Turkey Point in 1992, the flooding around the Cooper Station during the Midwest floods of 1993, or the flooding around Ft. Calhoun Station in 2011.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, S or C.

CNS Basis Reference(s):

1. NEI 99-01 HU3

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 4 - Fire

Initiating Condition: FIRE potentially degrading the level of safety of the plant

EAL: HU4.1 Unusual Event

A FIRE is not extinguished within 15 min. of any of the following FIRE detection indications (Note 1):

  • Report from the field (i.e., visual observation)
  • Receipt of multiple (more than 1) fire alarms or indications
  • Field verification of a single fire alarm

AND

The FIRE is located within any Table H-1 area

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table H-1 Fire Areas

  • Reactor Building (Containment)
  • Auxiliary Building
  • Diesel Generator Rooms
  • RN Pump House
  • Dog Houses
  • Standby Shutdown Facility (SSF)

Mode Applicability: All

Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

Basis:

The 15 minute requirement begins with a credible notification that a fire is occurring, or receipt of multiple valid fire detection system alarms or field validation of a single fire alarm. The alarm is to be validated using available Control Room indications or alarms to prove that it is not spurious, or by reports from the field.

Table H-1 Fire Areas are based on CNS-1465.00-00-0006 Design Basis Specification for the Plant Fire Protection and AP/0/A/5500/045 Plant Fire. Table H-1 Fire Areas include those structures containing functions and systems required for safe shutdown of the plant (SAFETY SYSTEMS) (ref. 1, 2).

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

For EAL HU4.1 the intent of the 15-minute duration is to size the FIRE and to discriminate against small FIRES that are readily extinguished (e.g., smoldering waste paper basket). In addition to alarms, other indications of a FIRE could be a drop in fire main pressure, automatic activation of a suppression system, etc.

Upon receipt, operators will take prompt actions to confirm the validity of an initial fire alarm, indication, or report. For EAL assessment purposes, the emergency declaration clock starts at the time that the initial alarm, indication, or report was received, and not the time that a subsequent verification action was performed.

Similarly, the fire duration clock also starts at the time of receipt of the initial alarm, indication or report.

CNS Basis Reference(s):

1. CNS-1465.00-00-0006 Design Basis Specification for the Plant Fire Protection
2. AP/0/A/5500/045 Plant Fire
3. NEI 99-01 HU4

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 4 - Fire

Initiating Condition: FIRE potentially degrading the level of safety of the plant

EAL: HU4.2 Unusual Event

Receipt of a single fire alarm (i.e., no other indications of a FIRE)

AND

The fire alarm is indicating a FIRE within any Table H-1 area

AND

The existence of a FIRE is not verified within 30 min. of alarm receipt (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table H-1 Fire Areas

  • Reactor Building (Containment)
  • Auxiliary Building
  • Diesel Generator Rooms
  • RN Pump House
  • Dog Houses
  • Standby Shutdown Facility (SSF)

Mode Applicability: All

Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

Basis:

The 30 minute requirement begins upon receipt of a single valid fire detection system alarm. The alarm is to be validated using available Control Room indications or alarms to prove that it is not spurious, or by reports from the field. Actual field reports must be made within the 30 minute time limit or a classification must be made. If a fire is verified to be occurring by field report, classification shall be made based on EAL HU4.1.

Table H-1 Fire Areas are based on CNS-1465.00-00-0006 Design Basis Specification for the Plant Fire Protection and AP/0/A/5500/045 Plant Fire. Table H-1 Fire Areas include those structures containing functions and systems required for safe shutdown of the plant (SAFETY SYSTEMS) (ref. 1, 2).

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

This EAL addresses receipt of a single fire alarm, and the existence of a FIRE is not verified (i.e., proved or disproved) within 30-minutes of the alarm. Upon receipt, operators will take prompt actions to confirm the validity of a single fire alarm. For EAL assessment purposes, the 30-minute clock starts at the time that the initial alarm was received, and not the time that a subsequent verification action was performed.

A single fire alarm, absent other indication(s) of a FIRE, may be indicative of equipment failure or a spurious activation, and not an actual FIRE. For this reason, additional time is allowed to verify the validity of the alarm. The 30-minute period is a reasonable amount of time to determine if an actual FIRE exists; however, after that time, and absent information to the contrary, it is assumed that an actual FIRE is in progress.If an actual FIRE is verified by a report from the field, then HU4.1 is immediately applicable, and the emergency must be declared if the FIRE is not extinguished within 15-minutes of the report. If the alarm is verified to be due to an equipment failure or a spurious activation, and this verification occurs within 30-minutes of the receipt of the alarm, then this EAL is not applicable and no emergency declaration is warranted.

Basis-Related Reqiuirements from Appendix R Appendix R to 10 CFR 50, states in part: Criterion 3 of Appendix A to this part specifies that 'Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions." When considering the effects of fire, those systems associated with achieving and maintaining safe shutdown conditions assume major importance to safety because damage to them can lead to core damage resulting from loss of coolant through boil-off.Because fire may affect safe shutdown systems and because the loss of function of systems used to mitigate the consequences of design basis accidents under post-fire conditions does not per se impact public safety, the need to limit fire damage to systems required to achieve and maintain safe shutdown conditions is greater than the need to limit fire damage to those systems required to mitigate the consequences of design basis accidents.

In addition, Appendix R to 10 CFR 50 requires, among other considerations, the use of 1-hour fire barriers for the enclosure of cable and equipment and associated non-safety circuits of one redundant train (G.2.c). As used in this EAL, the 30-minutes to verify a single alarm is well within this worst-case 1-hour time period.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

CNS Basis Reference(s):

1. CNS-1465.00-00-0006 Design Basis Specification for the Plant Fire Protection
2. AP/0/A/5500/045 Plant Fire
3. NEI 99-01 HU4

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 4 - Fire

Initiating Condition: FIRE potentially degrading the level of safety of the plant

EAL:

HU4.3 Unusual Event

A FIRE within the plant PROTECTED AREA not extinguished within 60 min. of the initial report, alarm or indication (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability: All

Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

PROTECTED AREA - An area encompassed by physical barriers and to which access is controlled. The Protected Area refers to the designated security area around the process buildings and is depicted in CNS UFSAR Figure 1-20 Plot Plan.

Basis:

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

In addition to a FIRE addressed by EAL HU4.1 or HU4.2, a FIRE within the plant PROTECTED AREA not extinguished within 60-minutes may also potentially degrade the level of plant safety.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

CNS Basis Reference(s):

1. NEI 99-01 HU4

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 4 - Fire

Initiating Condition: FIRE potentially degrading the level of safety of the plant

EAL:

HU4.4 Unusual Event

A FIRE within the plant PROTECTED AREA that requires firefighting support by an offsite fire response agency to extinguish

Mode Applicability: All

Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

PROTECTED AREA - An area encompassed by physical barriers and to which access is controlled. The Protected Area refers to the designated security area around the process buildings and is depicted in CNS UFSAR Figure 1-20 Plot Plan.

Basis:

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

If a FIRE within the plant PROTECTED AREA is of sufficient size to require a response by an offsite firefighting agency (e.g., a local town Fire Department), then the level of plant safety is potentially degraded. The dispatch of an offsite firefighting agency to the site requires an emergency declaration only if it is needed to actively support firefighting efforts because the fire is beyond the capability of the Fire Brigade to extinguish. Declaration is not necessary if the agency resources are placed on stand-by, or supporting post-extinguishment recovery or investigation actions.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

CNS Basis Reference(s):

1. NEI 99-01 HU4

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 5 - Hazardous Gases

Initiating Condition: Gaseous release IMPEDING access to equipment necessary for normal plant operations, cooldown or shutdown

EAL:

HA5.1 Alert

Release of a toxic, corrosive, asphyxiant or flammable gas into any Table H-2 rooms or areas
AND
Entry into the room or area is prohibited or IMPEDED (Note 5)

Note 5: If the equipment in the listed room or area was already inoperable or out-of-service before the event occurred, then no emergency classification is warranted.

Table H-2 Safe Operation & Shutdown Rooms/Areas

Bldg. Elevation | Unit 1 Room/Area | Unit 2 Room/Area | Mode
Auxiliary 577' | Rm 478 (1EMXA) | Rm 469 (2EMXA) | 4
Auxiliary 577' | Rm 496 (1ETA) | Rm 486 (2ETA) | 4
Auxiliary 577' | Rm 496 (1EMXS) | Rm 486 (2EMXS) | 4
Auxiliary 577' | AB-577', JJ-57 (1MXK) | AB-577', JJ-57 (2MXK) | 4
Auxiliary 560' | Rm 330 (1EMXJ) | Rm 320 (2EMXJ) | 4
Auxiliary 560' | Rm 372 (1ETB) | Rm 362 (2ETB) | 4
Auxiliary 560' | Rm 372 (1EMXD) | Rm 362 (2EMXD) | 4

Mode Applicability: 4 - Hot Shutdown

Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

Basis:

If the equipment in the listed room or area was already inoperable, or out-of-service, before the event occurred, then no emergency should be declared since the event will have no adverse impact beyond that already allowed by Technical Specifications at the time of the event.

The list of plant rooms or areas with entry-related mode applicability identified specifies those rooms or areas that contain equipment which requires a manual/local action as specified in operating procedures used for normal plant operation, cooldown and shutdown. Rooms or areas in which actions of a contingent or emergency nature would be performed (e.g., an action to address an off-normal or emergency condition such as emergency repairs, corrective measures or emergency operations) are not included. In addition, the list specifies the plant mode(s) during which entry would be required for each room or area (ref. 1).

This IC addresses an event involving a release of a hazardous gas that precludes or impedes access to equipment necessary to maintain normal plant operation, or required for a normal plant cooldown and shutdown. This condition represents an actual or potential substantial degradation of the level of safety of the plant.

An Alert declaration is warranted if entry into the affected room/area is, or may be, procedurally required during the plant operating mode in effect at the time of the gaseous release. The emergency classification is not contingent upon whether entry is actually necessary at the time of the release.

Evaluation of the IC and EAL does not require atmospheric sampling; it only requires the Emergency Coordinator's judgment that the gas concentration in the affected room/area is sufficient to preclude or significantly impede procedurally required access. This judgment may be based on a variety of factors including an existing job hazard analysis, report of ill effects on personnel, advice from a subject matter expert or operating experience with the same or similar hazards. Access should be considered as impeded if extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

An emergency declaration is not warranted if any of the following conditions apply:

* The plant is in an operating mode different than the mode specified for the affected room/area (i.e., entry is not required during the operating mode in effect at the time of the gaseous release). For example, the plant is in Mode 1 when the gaseous release occurs, and the procedures used for normal operation, cooldown and shutdown do not require entry into the affected room until Mode 4.
* The gas release is a planned activity that includes compensatory measures which address the temporary inaccessibility of a room or area (e.g., fire suppression system testing).
* The action for which room/area entry is required is of an administrative or record keeping nature (e.g., normal rounds or routine inspections).
* The access control measures are of a conservative or precautionary nature, and would not actually prevent or impede a required action.
* If the equipment in the listed room or area was already inoperable, or out-of-service, before the event occurred, then no emergency should be declared since the event will have no adverse impact beyond that already allowed by Technical Specifications at the time of the event.

An asphyxiant is a gas capable of reducing the level of oxygen in the body to dangerous levels. Most commonly, asphyxiants work by merely displacing air in an enclosed environment. This reduces the concentration of oxygen below the normal level of around 19%, which can lead to breathing difficulties, unconsciousness or even death.

This EAL does not apply to firefighting activities that automatically or manually activate a fire suppression system in an area.

Escalation of the emergency classification level would be via Recognition Category R, C or F ICs.

NOTE: IC HA5 mode applicability has been limited to the applicable modes identified in Table H-2 Safe Operation & Shutdown Rooms/Areas. If due to plant operating procedure or plant configuration changes, the applicable plant modes specified in Table H-2 are changed, a corresponding change to Attachment 3 'Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases' and to IC HA5 mode applicability is required.

CNS Basis Reference(s):

1. Attachment 3 Safe Operation & Shutdown Rooms/Areas Tables R-2 & H-2 Bases
2. NEI 99-01 HA5

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 6 - Control Room Evacuation

Initiating Condition: Control Room evacuation resulting in transfer of plant control to alternate locations

EAL:

HA6.1 Alert

An event has resulted in plant control being transferred from the Control Room to the Auxiliary Shutdown Panels or Standby Shutdown Facility

Mode Applicability: All

Definition(s): None

Basis:

The Shift Manager (SM) determines if the Control Room is inoperable and requires evacuation. Control Room inhabitability may be caused by fire, dense smoke, noxious fumes, bomb threat in or adjacent to the Control Room, or other life threatening conditions (Ref. 1, 2).

Inability to establish plant control from outside the Control Room escalates this event to a Site Area Emergency per EAL HS6.1.

This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations outside the Control Room. The loss of the ability to control the plant from the Control Room is considered to be a potential substantial degradation in the level of plant safety.

Following a Control Room evacuation, control of the plant will be transferred to alternate shutdown locations. The necessity to control a plant shutdown from outside the Control Room, in addition to responding to the event that required the evacuation of the Control Room, will present challenges to plant operators and other on-shift personnel. Activation of the ERO and emergency response facilities will assist in responding to these challenges.

Escalation of the emergency classification level would be via IC HS6.

CNS Basis Reference(s):

1. AP/1(2)/A/5500/017 Loss of Control Room
2. OP/1(2)/A/6100/004 Shutdown Outside the Control Room From Hot Standby to Cold Shutdown.
3. NEI 99-01 HA6

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 6 - Control Room Evacuation

Initiating Condition: Inability to control a key safety function from outside the Control Room

EAL:

HS6.1 Site Area Emergency

An event has resulted in plant control being transferred from the Control Room to the Auxiliary Shutdown Panels or Standby Shutdown Facility
AND
Control of any of the following key safety functions is not reestablished within 15 min. (Note 1):
* Reactivity (Modes 1, 2 and 3 only)
* Core Cooling
* NCS heat removal

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability: 1 - Power Operations, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown, 5 - Cold Shutdown, 6 - Refueling

Definition(s): None

Basis:

The Shift Manager determines if the Control Room is inoperable and requires evacuation. Control Room inhabitability may be caused by fire, dense smoke, noxious fumes, bomb threat in or adjacent to the Control Room, or other life threatening conditions (Ref. 1, 2).

This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations, and the control of a key safety function cannot be reestablished in a timely manner. The failure to gain control of a key safety function following a transfer of plant control to alternate locations is a precursor to a challenge to one or more fission product barriers within a relatively short period of time.

The determination of whether or not "control" is established at the remote safe shutdown location(s) is based on Emergency Coordinator judgment. The Emergency Coordinator is expected to make a reasonable, informed judgment within 15 minutes whether or not the operating staff has control of key safety functions from the remote safe shutdown location(s).

Escalation of the emergency classification level would be via IC FG1 or CG1.

CNS Basis Reference(s):

1. AP/1(2)/A/5500/017 Loss of Control Room
2. OP/1(2)/A/6100/004 Shutdown Outside the Control Room From Hot Standby to Cold Shutdown.
3. NEI 99-01 HS6

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 7 - Emergency Coordinator Judgment

Initiating Condition: Other conditions existing that in the judgment of the Emergency Coordinator warrant declaration of a UE

EAL:

HU7.1 Unusual Event

Other conditions exist which in the judgment of the Emergency Coordinator indicate that events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated. No releases of radioactive material requiring offsite response or monitoring are expected, unless further degradation of SAFETY SYSTEMS occurs.

Mode Applicability: All

Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:
(1) The integrity of the reactor coolant pressure boundary;
(2) The capability to shut down the reactor and maintain it in a safe shutdown condition;
(3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the CNS Emergency Response Plan. The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency (ref. 1).

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for an Unusual Event.

CNS Basis Reference(s):

1. CNS Emergency Plan section 3.0 Site Emergency Organization Section B.2 Emergency Coordinator
2. NEI 99-01 HU7

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 7 - Emergency Coordinator Judgment

Initiating Condition: Other conditions exist that in the judgment of the Emergency Coordinator warrant declaration of an Alert

EAL:

HA7.1 Alert

Other conditions exist which, in the judgment of the Emergency Coordinator, indicate that events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any releases are expected to be limited to small fractions of the EPA Protective Action Guideline exposure levels.

Mode Applicability: All

Definition(s):

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the CNS Emergency Response Plan. The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency (ref. 1).

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for an Alert.

CNS Basis Reference(s):

1. CNS Emergency Plan section 3.0 Site Emergency Organization Section B.2 Emergency Coordinator
2. NEI 99-01 HA7

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 7 - Emergency Coordinator Judgment

Initiating Condition: Other conditions existing that in the judgment of the Emergency Coordinator warrant declaration of a Site Area Emergency

EAL:

HS7.1 Site Area Emergency

Other conditions exist which in the judgment of the Emergency Coordinator indicate that events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or malicious acts, (1) toward site personnel or equipment that could lead to the likely failure of or, (2) that prevent effective access to equipment needed for the protection of the public. Any releases are not expected to result in exposure levels which exceed EPA Protective Action Guideline exposure levels beyond the SITE BOUNDARY.

Mode Applicability: All

Definition(s):

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

SITE BOUNDARY - Area as depicted in CNS-SLC-16.11-16 Figure 16.11-16-1 Unrestricted Area and Site Boundary for Radioactive Effluents.

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the CNS Emergency Response Plan. The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency (ref. 1).

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for a Site Area Emergency.

CNS Basis Reference(s):

1. CNS Emergency Plan section 3.0 Site Emergency Organization Section B.2 Emergency Coordinator
2. NEI 99-01 HS7

Category: H - Hazards and Other Conditions Affecting Plant Safety

Subcategory: 7 - Emergency Coordinator Judgment

Initiating Condition: Other conditions exist which in the judgment of the Emergency Coordinator warrant declaration of a General Emergency

EAL:

HG7.1 General Emergency

Other conditions exist which in the judgment of the Emergency Coordinator indicate that events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels offsite for more than the immediate site area.

Mode Applicability: All

Definition(s):

HOSTILE ACTION - An act toward CNS or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on CNS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the CNS Emergency Response Plan. The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency (ref. 1).

Releases can reasonably be expected to exceed EPA PAG plume exposure levels outside the Site Boundary.

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for a General Emergency.

CNS Basis Reference(s):

1. CNS Emergency Plan section 3.0 Site Emergency Organization Section B.2 Emergency Coordinator
2. NEI 99-01 HG7

Category S - System Malfunction

EAL Group: Hot Conditions (NCS temperature > 200°F); EALs in this category are applicable only in one or more hot operating modes.

Numerous system-related equipment failure events that warrant emergency classification have been identified in this category. They may pose actual or potential threats to plant safety.

The events of this category pertain to the following subcategories:

1. Loss of Essential AC Power

Loss of emergency electrical power can compromise plant safety system operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of onsite and offsite sources for 4160 V essential buses.

2. Loss of Vital DC Power

Loss of emergency electrical power can compromise plant safety system operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of vital plant 125 VDC power sources.

3. Loss of Control Room Indications

Certain events that degrade plant operator ability to effectively assess plant conditions within the plant warrant emergency classification. Losses of indicators are in this subcategory.

4. NCS Activity

During normal operation, reactor coolant fission product activity is very low. Small concentrations of fission products in the coolant are primarily from the fission of tramp uranium in the fuel clad or minor perforations in the clad itself. Any significant increase from these base-line levels (2% - 5% clad failures) is indicative of fuel failures and is covered under the Fission Product Barrier Degradation category. However, lesser amounts of clad damage may result in coolant activity exceeding Technical Specification limits. These fission products will be circulated with the reactor coolant and can be detected by coolant sampling.

5. NCS Leakage

The reactor vessel provides a volume for the coolant that covers the reactor core. The reactor pressure vessel and associated pressure piping (reactor coolant system) together provide a barrier to limit the release of radioactive material should the reactor fuel clad integrity fail. Excessive NCS leakage greater than Technical Specification limits indicates potential pipe cracks that may propagate to an extent threatening fuel clad, NCS and containment integrity.

6. RPS Failure

This subcategory includes events related to failure of the Reactor Protection System (RPS) to initiate and complete reactor trips. In the plant licensing basis, postulated failures of the RPS to complete a reactor trip comprise a specific set of analyzed events referred to as Anticipated Transient Without Scram (ATWS) events. For EAL classification, however, ATWS is intended to mean any trip failure event that does not achieve reactor shutdown. If RPS actuation fails to assure reactor shutdown, positive control of reactivity is at risk and could cause a threat to fuel clad, NCS and containment integrity.

7. Loss of Communications

Certain events that degrade plant operator ability to effectively communicate with essential personnel within or external to the plant warrant emergency classification.

8. Containment Isolation Failure

Failure of containment isolation capability (under conditions in which the containment is not currently challenged) warrants emergency classification.

9. Hazardous Event Affecting Safety Systems

Various natural and technological events that result in degraded plant safety system performance or significant visible damage warrant emergency classification under this subcategory.

Category: S - System Malfunction

Subcategory: 1 - Loss of Essential AC Power

Initiating Condition: Loss of all offsite AC power capability to essential buses for 15 minutes or longer

EAL:

SU1.1 Unusual Event

Loss of all offsite AC power capability, Table S-1, to essential 4160V buses 1(2)ETA and 1(2)ETB for > 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-1 AC Power Sources

Offsite:
* ATC (Train A)
* SATA (Train A) (if already aligned)
* ATD (Train B)
* SATB (Train B) (if already aligned)

Onsite:
* D/G A (Train A)
* D/G B (Train B)

Mode Applicability: 1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s): None

Basis:

The 4160 VAC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses ETA (Train A) and ETB (Train B) (ref. 1).

The essential buses are normally powered from the 6.9KV offsite power system through their respective 6.9KV/4160V Normal Auxiliary Transformers (ATC & ATD). Additionally, a standby source of power to each 4160V essential bus is provided from the 6.9KV offsite power system via two separate and independent 6.9KV/4160V transformers (SATA & SATB). These transformers are shared between the two units (ref. 1, 2). However, alignment of SATA or SATB to an essential bus takes longer than 15 minutes and therefore should only be credited if already aligned.

Each essential bus has a dedicated diesel generator (D/G A & D/G B) to supply an onsite emergency source of power to safe shutdown loads in the event of a loss of the normal power source or loss of off-site power. The D/Gs will automatically start and tie onto the essential buses if the normal power source or off-site power is lost (ref. 1).

The 15-minute interval was selected as a threshold to exclude transient or momentary power losses.

This IC addresses a prolonged loss of offsite power. The loss of offsite power sources renders the plant more vulnerable to a complete loss of power to AC essential buses. This condition represents a potential reduction in the level of safety of the plant.

For emergency classification purposes, "capability" means that an offsite AC power source(s) is available to the essential buses, whether or not the buses are powered from it.

Escalation of the emergency classification level would be via IC SA1.

CNS Basis Reference(s):

1. UFSAR Section 8.0 Electric Power
2. AP/1(2)/A/5500/007 Loss of Normal Power
3. NEI 99-01 SU1

[Deleted: Fifteen minutes was selected as a threshold to exclude transient or momentary losses of offsite power.]

Category:

S - System Malfunction

Subcategory:

1 - Loss of Emergency AC Power

Initiating Condition:

Loss of all but one AC power source to essential buses for 15 minutes or longer

EAL:

SA1.1 Alert

AC power capability, Table S-1, to essential 4160V buses 1(2)ETA and 1(2)ETB reduced to a single power source for > 15 min. (Note 1)

AND

Any additional single power source failure will result in loss of all AC power to SAFETY SYSTEMS

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-1 AC Power Sources

Offsite:
  • ATC (Train A)
  • SATA (Train A) (if already aligned)
  • ATD (Train B)
  • SATB (Train B) (if already aligned)

Onsite:
  • D/G A (Train A)
  • D/G B (Train B)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure: (1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

For emergency classification purposes, "capability" means that an AC power source is available to the essential buses, whether or not the buses are powered from it.

The 4160 VAC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses ETA (Train A) and ETB (Train B) (ref. 1).

The essential buses are normally powered from the 6.9KV offsite power system through their respective 6.9KV/4160V Normal Auxiliary Transformers (ATC & ATD). Additionally, a standby source of power to each 4160V essential bus is provided from the 6.9KV offsite power system via two separate and independent 6.9KV/4160V transformers (SATA & SATB). These transformers are shared between the two units (ref. 1, 2). However, alignment of SATA or SATB to an essential bus takes longer than 15 minutes and therefore should only be credited if already aligned.

Each essential bus has a dedicated diesel generator (D/G A & D/G B) to supply an onsite emergency source of power to safe shutdown loads in the event of a loss of the normal power source or loss of off-site power. The D/Gs will automatically start and tie onto the essential buses if the normal power source or off-site power is lost (ref. 1).

The 15-minute interval was selected as a threshold to exclude transient or momentary power losses. If the capability of a second source of emergency bus power is not restored within 15 minutes, an Alert is declared under this EAL.

This IC describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment.

This IC provides an escalation path from IC SU1.

An "AC power source" is a source recognized in AOPs and EOPs, and capable of supplying required power to an emergency bus. Some examples of this condition are presented below.

  • A loss of all offsite power with a concurrent failure of all but one emergency power source (e.g., an onsite diesel generator).
  • A loss of all offsite power and loss of all emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being back-fed from the unit main generator.
  • A loss of emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being fed from an offsite power source.

Escalation of the emergency classification level would be via IC SS1.

[Deleted: Fifteen minutes was selected [...] momentary losses of power.]

CNS Basis Reference(s):

1. UFSAR Section 8.0 Electric Power
2. AP/1(2)/A/5500/007 Loss of Normal Power
3. NEI 99-01 SA1

Category:

S - System Malfunction

Subcategory:

1 - Loss of Emergency AC Power

Initiating Condition:

Loss of all offsite power and all onsite AC power to essential buses for 15 minutes or longer

EAL:

SS1.1 Site Area Emergency

Loss of all offsite and all onsite AC power capability to essential 4160V buses 1(2)ETA and 1(2)ETB for > 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

This EAL is indicated by the loss of all offsite and onsite AC power capability (Table S-1) to 4160V essential buses ETA and ETB. The essential switchgear are buses ETA (Train A) and ETB (Train B) (ref. 1). For emergency classification purposes, "capability" means that an AC power source is available to the essential buses, whether or not the buses are powered from it.

The essential buses are normally powered from the 6.9KV offsite power system through their respective 6.9KV/4160V Normal Auxiliary Transformers (ATC & ATD). Additionally, a standby source of power to each 4160V essential bus is provided from the 6.9KV offsite power system via two separate and independent 6.9KV/4160V transformers (SATA & SATB). These transformers are shared between the two units (ref. 1, 2). However, alignment of SATA or SATB to an essential bus takes longer than 15 minutes and therefore should only be credited if already aligned.

Each essential bus has a dedicated diesel generator (D/G A & D/G B) to supply an onsite emergency source of power to safe shutdown loads in the event of a loss of the normal power source or loss of off-site power. The D/Gs will automatically start and tie onto the essential buses if the normal power source or off-site power is lost (ref. 1).

The 15-minute interval was selected as a threshold to exclude transient or momentary power losses. The interval begins when both offsite and onsite AC power capability are lost.

This IC addresses a total loss of AC power that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. In addition, fission product barrier monitoring capabilities may be degraded under these conditions.
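The three 15-minute AC power EALs covered so far (SU1.1, SA1.1 and SS1.1) come down to counting credited Table S-1 sources and timing how long a condition has persisted. The Python sketch below is an added illustration, not part of the licensee's document or any plant software; the function names, the timeline, the reading of "15 minutes or longer" as `>=`, and keeping the SA1.1 clock running when no source remains are assumptions, and the Note 1 "will likely be exceeded" judgment is not modeled.

```python
"""Replay a constructed timeline of AC source availability against
SU1.1 / SA1.1 / SS1.1 (illustrative only, not plant software)."""

OFFSITE = {"ATC", "SATA", "ATD", "SATB"}   # Table S-1, offsite sources
STANDBY = {"SATA", "SATB"}                 # credited only "if already aligned"
ONSITE = {"D/G A", "D/G B"}                # Table S-1, onsite sources
THRESHOLD_MIN = 15     # IC wording "15 minutes or longer", assumed to mean >=
LADDER = ["SU1.1", "SA1.1", "SS1.1"]       # ascending severity


def credited(available, aligned):
    """Split available sources into credited (offsite, onsite) capability."""
    offsite = {s for s in available & OFFSITE
               if s not in STANDBY or s in aligned}
    onsite = available & ONSITE
    return offsite, onsite


def conditions(available, aligned):
    """Evaluate each EAL's condition for one snapshot, ignoring duration."""
    offsite, onsite = credited(available, aligned)
    total = len(offsite) + len(onsite)
    return {
        "SU1.1": not offsite,   # all offsite capability lost
        "SA1.1": total <= 1,    # single source left (assumption: 0 also counts)
        "SS1.1": total == 0,    # all offsite and all onsite capability lost
    }


def classify(timeline, now):
    """Return the highest EAL whose condition has held continuously for the
    threshold as of minute `now`, or None. `timeline` is a time-sorted list
    of (minute, available, aligned) snapshots for one unit."""
    started = dict.fromkeys(LADDER)        # minute each condition became true
    for minute, available, aligned in timeline:
        if minute > now:
            break
        state = conditions(available, aligned)
        for eal in LADDER:
            if not state[eal]:
                started[eal] = None        # condition cleared: clock resets
            elif started[eal] is None:
                started[eal] = minute      # condition just became true
    met = [eal for eal in LADDER
           if started[eal] is not None and now - started[eal] >= THRESHOLD_MIN]
    return met[-1] if met else None


# Constructed timeline (minutes from an arbitrary start); not plant data.
# SATA/SATB stay available but are never aligned, so they are never credited.
ALL = OFFSITE | ONSITE
TIMELINE = [
    (0,  ALL, set()),                               # normal line-up
    (2,  ALL - {"ATC", "ATD"}, set()),              # offsite lost...
    (4,  ALL, set()),                               # ...restored after 2 min
    (30, ALL - {"ATC", "ATD"}, set()),              # offsite lost again
    (40, ALL - {"ATC", "ATD", "D/G B"}, set()),     # one diesel left
    (50, {"SATA", "SATB"}, set()),                  # last diesel lost
]

if __name__ == "__main__":
    for t in (10, 44, 45, 55, 65):
        print(t, classify(TIMELINE, t))
```

The two-minute loss at minute 2 never produces a classification, which is the transient exclusion the 15-minute interval exists for; each later condition runs its own clock from the minute it first became true.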

This IC represents a condition that involves actual or likely major failures of plant functions needed for the protection of the public.

[Deleted: , Table S-1,]
[Deleted: Table S-1 AC Power Sources]
[Deleted: Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.]

Escalation of the emergency classification level would be via ICs RG1, FG1 or SG1.

CNS Basis Reference(s):

1. UFSAR Section 8.0 Electric Power
2. AP/1(2)/A/5500/007 Loss of Normal Power
3. ECA-0.0 EP/1(2)/5000/ECA-0.0 Loss of All AC Power
4. NEI 99-01 SS1

Category:

S - System Malfunction

Subcategory:

1 - Loss of Essential AC Power

Initiating Condition:

Prolonged loss of all offsite and all onsite AC power to essential buses

EAL:

SG1.1 General Emergency

Loss of all offsite and all onsite AC power capability to essential 4160V buses 1(2)ETA and 1(2)ETB

AND

SSF fails to supply NC pump seal injection OR CA supply to SGs

AND EITHER:

  • Restoration of at least one essential bus in < 4 hours is not likely (Note 1)
  • Core Cooling RED PATH conditions met

[Deleted: , Table S-1]

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

[Deleted: Table S-1 AC Power Sources]

Basis:

This EAL is indicated by the extended loss of all offsite and onsite AC power capability to 4160V emergency buses ETA and ETB either for greater than the CNS Station Blackout (SBO) coping analysis time (4 hrs.) (ref. 1) or that has resulted in indications of an actual loss of adequate core cooling.

The SSF is capable of providing the necessary functions (reactor coolant pump seal injection and auxiliary feedwater supply to the steam generators) to maintain a hot shutdown condition for up to 72 hours. No fission product barrier degradation would be expected if the SSF is functioning as intended.

Indication of continuing core cooling degradation is manifested by CSFST Core Cooling RED PATH conditions being met (ref. 2).

The essential buses are normally powered from the 6.9KV offsite power system through their respective 6.9KV/4160V Normal Auxiliary Transformers (ATC & ATD). Additionally, a standby source of power to each 4160V essential bus is provided from the 6.9KV offsite power system via two separate and independent 6.9KV/4160V transformers (SATA & SATB). These transformers are shared between the two units (ref. 1, 2).

Each essential bus has a dedicated diesel generator (D/G A & D/G B) to supply an onsite emergency source of power to safe shutdown loads in the event of a loss of the normal power source or loss of off-site power. The D/Gs will automatically start and tie onto the essential buses if the normal power source or off-site power is lost (ref. 3).

Four hours is the station blackout coping time (ref. 2).

Indication of continuing core cooling degradation must be based on fission product barrier monitoring with particular emphasis on Emergency Coordinator judgment as it relates to imminent Loss or Potential Loss of fission product barriers and degraded ability to monitor fission product barriers.

Indication of continuing core cooling degradation is manifested by CSFST Core Cooling RED PATH conditions being met (ref. 2).

This IC addresses a prolonged loss of all power sources to AC essential buses. A loss of all AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A prolonged loss of these buses will lead to a loss of one or more fission product barriers.

In addition, fission product barrier monitoring capabilities may be degraded under these conditions.

The EAL should require declaration of a General Emergency prior to meeting the thresholds for IC FG1. This will allow additional time for implementation of offsite protective actions.

Escalation of the emergency classification from Site Area Emergency will occur if it is projected that power cannot be restored to at least one AC essential bus by the end of the analyzed station blackout coping period. Beyond this time, plant responses and event trajectory are subject to greater uncertainty, and there is an increased likelihood of challenges to multiple fission product barriers.

The estimate for restoring at least one essential bus should be based on a realistic appraisal of the situation. Mitigation actions with a low probability of success should not be used as a basis for delaying a classification upgrade. The goal is to maximize the time available to prepare for, and implement, protective actions for the public.

The EAL will also require a General Emergency declaration if the loss of AC power results in parameters that indicate an inability to adequately remove decay heat from the core.

CNS Basis Reference(s):

1. UFSAR Section 8.4.2 Station Blackout Duration
2. EP/1/A/5000/F-0 Critical Safety Function Status Trees - Core Cooling
3. UFSAR Section 8.0 Electric Power
4. AP/1(2)/A/5500/007 Loss of Normal Power
5. ECA-0.0 EP/1(2)/5000/ECA-0.0 Loss of All AC Power
6. NEI 99-01 SG1

Category:

S - System Malfunction

Subcategory:

1 - Loss of Essential AC Power

Initiating Condition:

Loss of all AC and vital DC power sources for 15 minutes or longer

EAL:

SG1.2 General Emergency

Loss of all offsite and all onsite AC power capability to essential 4160V buses 1(2)ETA and 1(2)ETB for ≥ 15 min

AND

Loss of all 125 VDC power based on battery bus voltage indications < 105 VDC on all vital DC buses EDA, EDD, EDB and EDC for ≥ 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

[Deleted: , Table S-1]
[Deleted: Table S-1 AC Power Sources]

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

This EAL is indicated by the loss of all offsite and onsite emergency AC power capability to 4160V emergency buses ETA and ETB for greater than 15 minutes in combination with degraded vital DC power voltage. This EAL addresses operating experience from the March 2011 accident at Fukushima Daiichi.

The essential buses are normally powered from the 6.9KV offsite power system through their respective 6.9KV/4160V Station Auxiliary Transformers (1ATC & 1ATD). Additionally, a standby source of power to each 4160V essential bus is provided from the 6.9KV offsite power system via two separate and independent 6.9KV/4160V transformers (SATA & SATB). These transformers are shared between the two units (ref. 1, 2). However, alignment of SATA or SATB to an essential bus takes longer than 15 minutes and therefore should only be credited if already aligned.

Each essential bus has a dedicated diesel generator (D/G A & D/G B) to supply an onsite emergency source of power to safe shutdown loads in the event of a loss of the normal power source or loss of off-site power. The D/Gs will automatically start and tie onto the essential buses if the normal power source or off-site power is lost (ref. 1).

An Alternate AC power source, the Standby Shutdown Diesel Generator, which provides power to the Standby Shutdown System, is located in the Safe Shutdown Facility (SSF). This AC power source must be started locally from the SSF Control Room. The SSF Diesel Generator has sufficient capability to operate equipment necessary to maintain a safe shutdown condition for the 4 hour SBO event (ref. 1).

Four 125 VDC distribution centers are provided for the 125VDC Vital Instrumentation and Control Power System. Four distribution centers (EDA, EDD, EDB and EDC), one per load group, supply the four independent channels of vital instrumentation and control, and are each powered directly from an independent 125 volt battery and battery charger. Each of the four distribution centers supplies one DC panel board and one 125VDC-120VAC static inverter (ref. 1, 3).

The Class 1E DC loads have an operating voltage range of 105 to 135 volts. The minimum battery discharge voltage (requiring opening the degraded battery output breaker) is 105 VDC (ref. 1, 3).

This IC addresses a concurrent and prolonged loss of both essential AC and Vital DC power. A loss of all essential AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A loss of vital DC power compromises the ability to monitor and control SAFETY SYSTEMS. A sustained loss of both essential AC and vital DC power will lead to multiple challenges to fission product barriers.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

The 15-minute emergency declaration clock begins at the point when both EAL thresholds are met.

CNS Basis Reference(s):

1. UFSAR Section 8.0 Electric Power
2. AP/1(2)/A/5500/007 Loss of Normal Power
3. AP/1(2)/A/5500/029 Loss of Vital or Aux Control Power
4. ECA-0.0 EP/1(2)/5000/ECA-0.0 Loss of All AC Power
5. NEI 99-01 SG8

Category:

S - System Malfunction

Subcategory:

2 - Loss of Vital DC Power

Initiating Condition:

Loss of all vital DC power for 15 minutes or longer

EAL:

SS2.1 Site Area Emergency

Loss of all 125 VDC power based on battery bus voltage indications < 105 VDC on all vital DC buses EDA, EDC, EDB and EDD for > 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Four 125 VDC distribution centers are provided for the 125VDC Vital Instrumentation and Control Power System. Four distribution centers (EDA, EDC, EDB and EDD), one per load group, supply the four independent channels of vital instrumentation and control, and are each powered directly from an independent 125 volt battery and battery charger. Each of the four distribution centers supplies one DC panel board and one 125VDC-120VAC static inverter (ref. 1, 2).

The Class 1E DC loads have an operating voltage range of 105 to 135 volts. The minimum battery discharge voltage (requiring opening the degraded battery output breaker) is 105 VDC (ref. 1, 2).

This IC addresses a loss of vital DC power which compromises the ability to monitor and control SAFETY SYSTEMS. In modes above Cold Shutdown, this condition involves a major failure of plant functions needed for the protection of the public.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Escalation of the emergency classification level would be via ICs RG1, FG1 or SG1.

CNS Basis Reference(s):

1. UFSAR Section 8.0 Electric Power
2. AP/1(2)/A/5500/029 Loss of Vital or Aux Control Power
3. NEI 99-01 SS8

Category:

S - System Malfunction

Subcategory:

3 - Loss of Control Room Indications

Initiating Condition:

UNPLANNED loss of Control Room indications for 15 minutes or longer

EAL:

SU3.1 Unusual Event

An UNPLANNED event results in the inability to monitor one or more Table S-2 parameters from within the Control Room for > 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-2 Safety System Parameters

  • Reactor power
  • NCS level
  • NCS pressure
  • In-core T/C temperature
  • Level in at least one S/G
  • Auxiliary or emergency feed flow in at least one S/G

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

SAFETY SYSTEM parameters listed in Table S-1 are monitored in the Control Room through a combination of hard control panel indicators as well as computer based information systems.

The Operator Aid Computer (OAC), which displays SPDS required information, serves as a redundant compensatory indicator which may be utilized in lieu of normal Control Room indicators (ref. 1, 2).

This IC addresses the difficulty associated with monitoring normal plant conditions without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. This condition is a precursor to a more significant event and represents a potential degradation in the level of safety of the plant.

As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room.

An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRC event report is required.

The event would be reported if it significantly impaired the capability to perform emergency assessments.

In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making.

This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and NCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition.

In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Escalation of the emergency classification level would be via IC SA3.

CNS Basis Reference(s):

1. UFSAR Section 7.5 Safety-Related Display Instrumentation
2. OP/1(2)/A/6700/003 Operation With the Operator Aid Computer Out of Service
3. NEI 99-01 SU2

Category:

S - System Malfunction

Subcategory:

3 - Loss of Control Room Indications

Initiating Condition:

UNPLANNED loss of Control Room indications for 15 minutes or longer with a significant transient in progress

EAL:

SA3.1 Alert

An UNPLANNED event results in the inability to monitor one or more Table S-2 parameters from within the Control Room for ≥ 15 min. (Note 1)

AND

Any significant transient is in progress, Table S-3

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-2 Safety System Parameters

  • Reactor power
  • NCS level
  • NCS pressure
  • In-core T/C temperature
  • Level in at least one S/G
  • Auxiliary or emergency feed flow in at least one S/G

Table S-3 Significant Transients

  • Reactor trip
  • Runback > 25% thermal power
  • Electrical load rejection > 25% electrical load
  • Safety injection actuation

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

SAFETY SYSTEM parameters listed in Table S-1 are monitored in the Control Room through a combination of hard control panel indicators as well as computer based information systems.

The Operator Aid Computer (OAC), which displays SPDS required information, serves as a redundant compensatory indicator which may be utilized in lieu of normal Control Room indicators (ref. 1, 2).

Significant transients are listed in Table S-2 and include response to automatic or manually initiated functions such as reactor trips, runbacks involving greater than 25% thermal power change, electrical load rejections of greater than 25% full electrical load or SI injection actuations.

This IC addresses the difficulty associated with monitoring rapidly changing plant conditions during a transient without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. During this condition, the margin to a potential fission product barrier challenge is reduced. It thus represents a potential substantial degradation in the level of safety of the plant.

As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room.

An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRC event report is required.

The event would be reported if it significantly impaired the capability to perform emergency assessments.

In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making.

This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and NCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition.

In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Escalation of the emergency classification level would be via ICs FS1 or IC RS1.

CNS Basis Reference(s):

1. UFSAR Section 7.5 Safety-Related Display Instrumentation
2. OP/1(2)/A/6700/003 Operation with the Operator Aid Computer Out of Service
3. NEI 99-01 SA2

Category:

S - System Malfunction

Subcategory:

4 - NCS Activity

Initiating Condition:

Reactor coolant activity greater than Technical Specification allowable limits

EAL:

SU4.1 Unusual Event

NCS activity > Technical Specification 3.4.16 limits or Facility Operating License limits (1 51/1 59), whichever is more restrictive

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Technical Specification Section 3.4.16, as modified in the Facility Operating License, limits NC System Dose Equivalent I-131 to ≤ 0.46 μCi/gm or 26 μCi/gm Dose Equivalent I-131 instantaneous. Technical Specification Section 3.4.16 also limits NC System Dose Equivalent Xe-133 to ≤ 280 μCi/gm (ref. 1, 2).

This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. This condition is a precursor to a more significant event and represents a potential degradation of the level of safety of the plant.

Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs.

CNS Basis Reference(s):

1. CNS Technical Specifications section 3.4.16 RCS Specific Activity
2. Facility Operating License Attachment B
3. NEI 99-01 SU3

Category:

S - System Malfunction

Subcategory:

5 - NCS Leakage

Initiating Condition:

NCS leakage for 15 minutes or longer

EAL:

SU5.1 Unusual Event

NCS unidentified or pressure boundary leakage > 10 gpm for ≥ 15 min.

OR

NCS identified leakage > 25 gpm for 15 min.

OR

Leakage from the NCS to a location outside containment > 25 gpm for ≥ 15 min. (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Identified leakage includes leakage such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leakoff), that is captured and conducted to collection systems or a sump or collecting tank, leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage; or NCS leakage through a steam generator to the secondary system (ref. 1).

Unidentified leakage is all leakage (except RCP seal water injection or leakoff) that is not identified leakage (ref. 1).

Pressure Boundary leakage is leakage (except SG leakage) through an unisolable fault in an NCS component body, pipe wall, or vessel wall (ref. 1).

NCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as NCS to the Component Cooling Water (KG), or systems that directly see NCS pressure outside containment such as Chemical & Volume Control System (NV), Nuclear Sampling system (NM) and Residual Heat Removal (ND) system (when in the shutdown cooling mode) (ref. 2).

Escalation of this EAL to the Alert level is via Category F, Fission Product Barrier Degradation, EAL FA1.1.

This IC addresses NCS leakage which may be a precursor to a more significant event. In this case, NCS leakage has been detected and operators, following applicable procedures, have been unable to promptly isolate the leak. This condition is considered to be a potential degradation of the level of safety of the plant.

The first and second EAL conditions are focused on a loss of mass from the NCS due to "unidentified leakage", "pressure boundary leakage" or "identified leakage" (as these leakage types are defined in the plant Technical Specifications).

The third condition addresses an NCS mass loss caused by an UNISOLABLE leak through an interfacing system. These conditions thus apply to leakage into the containment, a secondary-side system (e.g., steam generator tube leakage) or a location outside of containment.

The leak rate values for each condition were selected because they are usually observable with normal Control Room indications.

Lesser values typically require time-consuming calculations to determine (e.g., a mass balance calculation).

The first condition uses a lower value that reflects the greater significance of unidentified or pressure boundary leakage.

The release of mass from the NCS due to the as-designed/expected operation of a relief valve does not warrant an emergency classification.

An emergency classification would be required if a mass loss is caused by a relief valve that is not functioning as designed/expected (e.g., a relief valve sticks open and the line flow cannot be isolated).

The 15-minute threshold duration allows sufficient time for prompt operator actions to isolate the leakage, if possible.

Escalation of the emergency classification level would be via ICs of Recognition Category R or F.

CNS Basis Reference(s):

1. CNS Technical Specifications Definitions section 1.1
2. UFSAR Section 5.2.5.2.1 Intersystem Leakage
3. NEI 99-01 SU4

Category:

S - System Malfunction

Subcategory:

6 - RPS Failure

Initiating Condition:

Automatic or manual trip fails to shut down the reactor

EAL:

SU6.1 Unusual Event

An automatic trip did not shut down the reactor as indicated by reactor power ≥ 5% after any RPS setpoint is exceeded

AND

A subsequent automatic trip or manual trip action taken at the reactor control console (manual reactor trip switches or turbine manual trip) is successful in shutting down the reactor as indicated by reactor power < 5% (Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation

Definition(s):

None

Basis:

The first condition of this EAL identifies the need to cease critical reactor operations by actuation of the automatic Reactor Protection System (RPS) trip function.

A reactor trip is automatically initiated by the RPS when certain continuously monitored parameters exceed predetermined setpoints (ref. 1).

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable.

A predictable post-trip response from an automatic reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. A successful trip has therefore occurred when there is sufficient rod insertion from the trip of RPS to bring the reactor power below the immediate shutdown decay heat level of 5% (ref. 2, 3, 4).

For the purposes of emergency classification, successful manual trip actions are those which can be quickly performed from the reactor control console (i.e., manual trip switches or turbine trip). Reactor shutdown achieved by use of other trip actions specified in EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS (such as depressing manual pushbutton on turbine control panel, emergency boration or manually driving control rods) does not constitute a successful manual trip (ref. 4).

Following any automatic RPS trip signal, EP/1(2)/A/5000/E-0 (ref. 2) and EP/1(2)/A/5000/FR-S.1 (ref. 3) prescribe insertion of redundant manual trip signals to back up the automatic RPS trip function and ensure reactor shutdown is achieved.

Even if the first subsequent manual trip signal inserts all control rods to the full-in position immediately after the initial failure of the automatic trip, the lowest level of classification that must be declared is an Unusual Event (ref. 4).

In the event that the operator identifies a reactor trip is imminent and initiates a successful manual reactor trip before the automatic RPS trip setpoint is reached, no declaration is required.

The successful manual trip of the reactor before it reaches its automatic trip setpoint, or reactor trip signals caused by instrumentation channel failures, do not lead to a potential fission product barrier loss. However, if subsequent manual reactor trip actions fail to reduce reactor power below 5%, the event escalates to the Alert under EAL SA6.1.

If by procedure, operator actions include the initiation of an immediate manual trip following receipt of an automatic trip signal and there are no clear indications that the automatic trip failed (such as a time delay following indications that a trip setpoint was exceeded), it may be difficult to determine if the reactor was shut down because of automatic trip or manual actions.

If a subsequent review of the trip actuation indications reveals that the automatic trip did not cause the reactor to be shut down, then consideration should be given to evaluating the fuel for potential damage, and the reporting requirements of 50.72 should be considered for the transient event.

This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and either a subsequent operator manual action taken at the reactor control consoles or an automatic trip is successful in shutting down the reactor.

This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant.

Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip using a different switch). Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

A manual action at the reactor control consoles is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip). This action does not include manually driving in control rods or implementation of boron injection strategies.

Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the reactor control consoles".

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the reactor control consoles are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC SA6. Depending upon the plant response, escalation is also possible via IC FA1. Absent the plant conditions needed to meet either IC SA6 or FA1, an Unusual Event declaration is appropriate for this event.

A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria.

Should a reactor trip signal be generated as a result of plant work (e.g., RPS setpoint testing), the following classification guidance should be applied.

  • If the signal causes a plant transient that should have included an automatic reactor trip and the RPS fails to automatically shut down the reactor, then this IC and the EALs are applicable, and should be evaluated.

  • If the signal does not cause a plant transient and the trip failure is determined through other means (e.g., assessment of test results), then this IC and the EALs are not applicable and no classification is warranted.

CNS Basis Reference(s):

1. CNS Technical Specifications section 3.3.1 Reactor Trip System (RTS) Instrumentation
2. EP/1(2)/A/5000/E-0 Reactor Trip or Safety Injection
3. EP/1(2)/A/5000/F-0 Critical Safety Function Status Trees - Subcriticality
4. EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS
5. NEI 99-01 SU5

Category:

S - System Malfunction

Subcategory:

6 - RPS Failure

Initiating Condition:

Automatic or manual trip fails to shut down the reactor

EAL:

SU6.2 Unusual Event

A manual trip did not shut down the reactor as indicated by reactor power ≥ 5% after any manual trip action was initiated

AND

A subsequent automatic trip or manual trip action taken at the reactor control console (manual reactor trip switches or turbine manual trip) is successful in shutting down the reactor as indicated by reactor power < 5% (Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation

Definition(s):

None

Basis:

This EAL addresses a failure of a manually initiated trip in the absence of having exceeded an automatic RPS trip setpoint and a subsequent automatic or manual trip is successful in shutting down the reactor (reactor power < 5%) (ref. 1).

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable.

A predictable post-trip response from a manual reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. A successful trip has therefore occurred when there is sufficient rod insertion from the trip of RPS to bring the reactor power below the immediate shutdown decay heat level of 5% (ref. 2, 3, 4).

For the purposes of emergency classification, successful manual trip actions are those which can be quickly performed from the reactor control console (i.e., manual trip switches or turbine trip). Reactor shutdown achieved by use of other trip actions specified in EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS (such as depressing manual pushbutton on turbine control panel, emergency boration or manually driving control rods) does not constitute a successful manual trip (ref. 4).

If both subsequent automatic and subsequent manual reactor trip actions in the Control Room fail to reduce reactor power below the power associated with the safety system design (< 5%) following a failure of an initial manual trip, the event escalates to an Alert under EAL SA6.1.

This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and either a subsequent operator manual action taken at the reactor control consoles or an automatic trip is successful in shutting down the reactor.

This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant.

Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip using a different switch). Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

A manual action at the reactor control consoles is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip). This action does not include manually driving in control rods or implementation of boron injection strategies.

Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the reactor control consoles".

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the reactor control consoles are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC SA6. Depending upon the plant response, escalation is also possible via IC FA1. Absent the plant conditions needed to meet either IC SA6 or FA1, an Unusual Event declaration is appropriate for this event.

A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria.

Should a reactor trip signal be generated as a result of plant work (e.g., RPS setpoint testing), the following classification guidance should be applied.

  • If the signal causes a plant transient that should have included an automatic reactor trip and the RPS fails to automatically shut down the reactor, then this IC and the EALs are applicable, and should be evaluated.

  • If the signal does not cause a plant transient and the trip failure is determined through other means (e.g., assessment of test results), then this IC and the EALs are not applicable and no classification is warranted.

CNS Basis Reference(s):

1. CNS Technical Specifications section 3.3.1 Reactor Trip System (RTS) Instrumentation
2. EP/1(2)/A/5000/E-0 Reactor Trip or Safety Injection
3. EP/1(2)/A/5000/F-0 Critical Safety Function Status Trees - Subcriticality
4. EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS
5. NEI 99-01 SU5

Category:

S - System Malfunction

Subcategory:

2 - RPS Failure

Initiating Condition:

Automatic or manual trip fails to shut down the reactor and subsequent manual actions taken at the reactor control consoles are not successful in shutting down the reactor

EAL:

SA6.1 Alert

An automatic or manual trip fails to shut down the reactor as indicated by reactor power > 5%

AND

Manual trip actions taken at the reactor control console (manual reactor trip switches or turbine manual trip) are not successful in shutting down the reactor as indicated by reactor power ≥ 5% (Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation

Definition(s):

None

Basis:

This EAL addresses any automatic or manual reactor trip signal that fails to shut down the reactor followed by a subsequent manual trip that fails to shut down the reactor to an extent the reactor is producing energy in excess of the heat load for which the safety systems were designed.

For the purposes of emergency classification, successful manual trip actions are those which can be quickly performed from the reactor control console (i.e., manual trip switches or turbine trip). Reactor shutdown achieved by use of other trip actions specified in EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS (such as depressing manual pushbutton on turbine control panel, emergency boration or manually driving control rods) does not constitute a successful manual trip (ref. 4).

5% rated power is a minimum reading on the power range scale that indicates continued power production.

It also approximates the decay heat which the shutdown systems were designed to remove and is indicative of a condition requiring immediate response to prevent subsequent core damage. Below 5%, plant response will be similar to that observed during a normal shutdown.

Nuclear instrumentation can be used to determine if reactor power is greater than 5% power (ref. 1).

Escalation of this event to a Site Area Emergency would be under EAL SS6.1 or Emergency Coordinator judgment.

This IC addresses a failure of the RTS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and subsequent operator manual actions taken at the reactor control consoles to shut down the reactor are also unsuccessful.

This condition represents an actual or potential substantial degradation of the level of safety of the plant. An emergency declaration is required even if the reactor is subsequently shut down by an action taken away from the reactor control consoles since this event entails a significant failure of the RTS.

A manual action at the reactor control console is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip). This action does not include manually driving in control rods or implementation of boron injection strategies.

If this action(s) is unsuccessful, operators would immediately pursue additional manual actions at locations away from the reactor control console (e.g., locally opening breakers).

Actions taken at backpanels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the reactor control console".

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If the failure to shut down the reactor is prolonged enough to cause a challenge to the core cooling or NCS heat removal safety functions, the emergency classification level will escalate to a Site Area Emergency via IC SS6. Depending upon plant responses and symptoms, escalation is also possible via IC FS1. Absent the plant conditions needed to meet either IC SS6 or FS1, an Alert declaration is appropriate for this event.

It is recognized that plant responses or symptoms may also require an Alert declaration in accordance with the Recognition Category F ICs; however, this IC and EAL are included to ensure a timely emergency declaration.

A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria.

CNS Basis Reference(s):

1. CNS Technical Specifications section 3.3.1 Reactor Trip System (RTS) Instrumentation
2. EP/1(2)/A/5000/E-0 Reactor Trip or Safety Injection
3. EP/1(2)/A/5000/F-0 Critical Safety Function Status Trees - Subcriticality
4. EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS
5. NEI 99-01 SA5

Category:

S - System Malfunction

Subcategory:

2 - RPS Failure

Initiating Condition:

Inability to shut down the reactor causing a challenge to core cooling or NCS heat removal

EAL:

SS6.1 Site Area Emergency

An automatic or manual trip fails to shut down the reactor as indicated by reactor power > 5%

AND

All actions to shut down the reactor are not successful as indicated by reactor power > 5%

AND EITHER:

  • Core Cooling RED PATH conditions met

  • Heat Sink RED PATH conditions met

Mode Applicability:

1 - Power Operation

Definition(s):

None

Basis:

This EAL addresses the following:

  • Any automatic reactor trip signal followed by a manual trip that fails to shut down the reactor to an extent the reactor is producing energy in excess of the heat load for which the safety systems were designed (EAL SA6.1), and

  • Indications that either core cooling is extremely challenged or heat removal is extremely challenged.

The combination of failure of both front line and backup protection systems to function in response to a plant transient, along with the continued production of heat, poses a direct threat to the Fuel Clad and NCS barriers.

Reactor shutdown achieved by use of EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS (such as depressing manual pushbutton on turbine control panel, emergency boration or manually driving control rods) is also credited as a successful manual trip provided reactor power can be reduced below 5% before indications of an extreme challenge to either core cooling or heat removal exist (ref. 1, 4).

5% rated power is a minimum reading on the power range scale that indicates continued power production.

It also approximates the decay heat which the shutdown systems were designed to remove and is indicative of a condition requiring immediate response to prevent subsequent core damage. Below 5%, plant response will be similar to that observed during a normal shutdown.

Nuclear instrumentation can be used to determine if reactor power is greater than 5% power (ref. 1, 4).

Indication of continuing core cooling degradation is manifested by CSFST Core Cooling RED PATH conditions being met (ref. 2).

Indication of inability to adequately remove heat from the NCS is manifested by CSFST Heat Sink RED PATH conditions being met (ref. 3).

This IC addresses a failure of the RTS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, all subsequent operator actions to manually shut down the reactor are unsuccessful, and continued power generation is challenging the capability to adequately remove heat from the core and/or the NCS. This condition will lead to fuel damage if additional mitigation actions are unsuccessful and thus warrants the declaration of a Site Area Emergency.

In some instances, the emergency classification resulting from this IC/EAL may be higher than that resulting from an assessment of the plant responses and symptoms against the Recognition Category F ICs/EALs.

This is appropriate in that the Recognition Category F ICs/EALs do not address the additional threat posed by a failure to shut down the reactor. The inclusion of this IC and EAL ensures the timely declaration of a Site Area Emergency in response to prolonged failure to shut down the reactor.

A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria.

Escalation of the emergency classification level would be via IC RG1 or FG1.

CNS Basis Reference(s):

1. EP/1(2)/A/5000/F-0 Critical Safety Function Status Trees - Subcriticality
2. EP/1(2)/A/5000/F-0 Critical Safety Function Status Trees - Core Cooling
3. EP/1(2)/A/5000/F-0 Critical Safety Function Status Trees - Heat Sink
4. EP/1(2)/A/5000/FR-S.1 Response to Nuclear Power Generation/ATWS
5. NEI 99-01 SS5

Category:

S - System Malfunction

Subcategory:

7 - Loss of Communications

Initiating Condition:

Loss of all onsite or offsite communications capabilities

EAL:

SU7.1 Unusual Event

Loss of all Table S-4 onsite communication methods

OR

Loss of all Table S-4 ORO communication methods

OR

Loss of all Table S-4 NRC communication methods

Table S-4 Communication Methods (columns: System, Onsite, ORO, NRC)

Public Address X
Internal Telephones X
Onsite Radios X
DEMNET X
Commercial Telephones X X
Satellite Phones X X
Cellular Phones X X
NRC Emergency Telephone System (ETS) X X

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Onsite/offsite communications include one or more of the systems listed in Table S-4 (ref. 1).

Public Address System

The Catawba Plant public address system provides paging and party line communications between stations located throughout the plant. Inside and outside type wall and desk-mounted stations are used to communicate between roaming personnel and fixed work locations. Plant-wide instructions are issued using the paging feature.

Internal Telephone System

The Catawba Site PBX telephone system provides communication capability between telephone stations located within the plant by dialing the four-digit telephone station code.

On-site Radio System

Radio systems can be used for communication among operators, off-site monitoring teams, the control room, TSC and EOF.

DEMNET

DEMNET is the primary means of offsite communication. This circuit allows intercommunication among the EOF, TSC, control room, counties, and states. DEMNET operates as an internet based (VoIP) communications system with a satellite back-up. Should the internet transfer rate become slow or unavailable, the DEMNET will automatically transfer to satellite mode.

Commercial Telephones

Commercial telephone lines, which supply public telephone communications, are employed by Duke Energy. The local service provider provides primary and secondary power for their lines at the Central Office.

Satellite Phones

Portable satellite telephones are available which enable communication when all other phone systems are inoperable, e.g. following a major external event. These portable systems can be powered by internal batteries, external DC sources as well as external AC sources.

Cellular Phones

Cellular phones may be used during emergencies if other communications means are not readily available or are inoperable. These phones are not expected to be used in the Control Room or Power Block due to interference with plant equipment and loss of signal to the phone.

NRC Emergency Telephone System

The NRC uses a Duke Energy dedicated telephone line which allows direct telephone communications from the plant to NRC regional and national offices. The Duke Energy communications line provides a link independent of the local public telephone network. Telephones connected to this network are located in the Catawba Control Room, Technical Support Center, and Emergency Operations Facility and can be used to establish NRC Emergency Notification System (ENS) and Health Physics Network (HPN) capability.

This EAL is the hot condition equivalent of the cold condition EAL CU5.1.

This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OROs and the NRC.

This IC should be assessed only when extraordinary means are being utilized to make communications possible (e.g., use of non-plant, privately owned equipment, relaying of on-site information via individuals or multiple radio transmission points, individuals being sent to offsite locations, etc.).

The first EAL condition addresses a total loss of the communications methods used in support of routine plant operations.

The second EAL condition addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the State, York, Gaston and Mecklenburg County EOCs.

The third EAL addresses a total loss of the communications methods used to notify the NRC of an emergency declaration.

CNS Basis Reference(s):

1. CNS Emergency Plan Section F Emergency Communications
2. NEI 99-01 SU6

Category:

S - System Malfunction

Subcategory:

8 - Containment Failure

Initiating Condition:

Failure to isolate containment or loss of containment pressure control.

EAL:

SU8.1 Unusual Event

EITHER:

Any penetration is not isolated within 15 min. of a VALID containment isolation signal (Note 1)

OR

Containment pressure > 3 psig with < one full train of containment cooling operating per design for > 15 min. (Notes 1, 10)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 10: If the loss of containment cooling threshold is exceeded due to loss of both trains of VX-CARF, this EAL only applies if at least one train of VX-CARF is not operating, per design, after the 10 minute actuation delay for greater than or equal to 15 minutes.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

VALID -An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

Basis:

The containment Phase B pressure setpoint (3 psig, ref. 1, 2) is the pressure at which the containment cooling systems should actuate and begin performing their function.

One full train of containment cooling operating per design is considered (ref. 1, 2):

  • One train of Containment Air Return Fan System (VX-CARF), and

  • One train of Containment Spray System (NS)

Once the Residual Heat Removal system is taking suction from the containment sump, with containment pressure greater than 3 psig and procedural guidance, one train of containment spray is manually aligned to the containment sump. If unable to place one NS train in service or without an operating train of VX-CARF (the CARF with a 10-minute delay) within 15 minutes this EAL has been exceeded. At this point a significant portion of the ice in the ice condenser would have melted and the NS system would be needed for containment pressure control.

The Unusual Event threshold applies after automatic or manual alignment of the containment spray system has been attempted with containment pressure greater than 3 psig and less than one full train of NS is operating for greater than or equal to 15 minutes.

The Unusual Event threshold also applies if containment pressure is greater than 3 psig and at least one train of VX-CARF is not operating after a 10 minute delay for greater than or equal to 15 minutes. Without a single train of VX-CARF in service following actuation, the Unusual Event should be declared regardless of whether ECCS is in injection or sump recirculation mode after 15 minutes.

This EAL addresses a failure of one or more containment penetrations to automatically isolate (close) when required by an actuation signal. It also addresses an event that results in high containment pressure with a concurrent failure of containment pressure control systems.

Absent challenges to another fission product barrier, either condition represents potential degradation of the level of safety of the plant.

For the first condition, the containment isolation signal must be generated as the result of an off-normal/accident condition (e.g., a safety injection or high containment pressure); a failure resulting from testing or maintenance does not warrant classification.

The determination of containment and penetration status - isolated or not isolated - should be made in accordance with the appropriate criteria contained in the plant AOPs and EOPs. The 15-minute criterion is included to allow operators time to manually isolate the required penetrations, if possible.

The second condition addresses a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate, and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible.

The inability to start the required equipment indicates that containment heat removal/depressurization systems (e.g., containment sprays or ice condenser fans) are either lost or performing in a degraded manner.

This event would escalate to a Site Area Emergency in accordance with IC FS1 if there were a concurrent loss or potential loss of either the Fuel Clad or NCS fission product barriers.

CNS Basis Reference(s):

1. CNS Technical Specification 3.6.6
2. CNS Technical Specification 3.6.6 Bases

3. CNS Technical Specification 3.3.2
4. UFSAR Section 6.2 Containment Systems
5. NEI 99-01 SU7

Category:

S - System Malfunction

Subcategory:

9 - Hazardous Event Affecting Safety Systems

Initiating Condition:

Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode

EAL:

SA9.1 Alert

The occurrence of any Table S-5 hazardous event AND EITHER:

  • Event damage has caused indications of degraded performance in at least one train of a SAFETY SYSTEM needed for the current operating mode
  • The event has caused VISIBLE DAMAGE to a SAFETY SYSTEM component or structure needed for the current operating mode

Table S-5 Hazardous Events

  • Seismic event (earthquake)
  • Internal or external FLOODING event
  • High winds or tornado strike
  • FIRE
  • EXPLOSION
  • Other events with similar hazard characteristics as determined by the Shift Manager

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

EXPLOSION - A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to determine if the attributes of an explosion are present.

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure: (1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

VISIBLE DAMAGE - Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure.

Basis:

  • The significance of seismic events is discussed under EAL HU2.1 (ref. 1).
  • Internal FLOODING may be caused by events such as component failures, equipment misalignment, or outage activity mishaps (ref. 2).
  • External flooding may be due to high lake level. CNS plant yard elevation is 593.5 ft MSL. The minimum external access elevation for the Auxiliary, Turbine and Service Buildings is 594.0 ft MSL (ref. 1, 3).
  • Seismic Category I structures are analyzed to withstand a sustained, design wind velocity of at least 95 mph (ref. 4).
  • Areas containing functions and systems required for safe shutdown of the plant are identified by fire area in the fire response procedure (ref. 5).
  • An explosion that degrades the performance of a SAFETY SYSTEM train or visibly damages a SAFETY SYSTEM component or structure would be classified under this EAL.

This IC addresses a hazardous event that causes damage to a SAFETY SYSTEM, or a structure containing SAFETY SYSTEM components, needed for the current operating mode. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier, and therefore represents an actual or potential substantial degradation of the level of safety of the plant.

The first condition addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

The second condition addresses damage to a SAFETY SYSTEM component that is not in service/operation or readily apparent through indications alone, or to a structure containing SAFETY SYSTEM components. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage.

Escalation of the emergency classification level would be via IC FS1 or RS1.

CNS Basis Reference(s):

1. RP/0/A/5000/007 Natural Disaster and Earthquake
2. AP/0/A/5500/030 Plant Flooding
3. UFSAR Section 3.4 Water Level (Flood) Design
4. Updated FSAR Section 3.3.1 Wind Loadings
5. AP/0/A/5500/045 Plant Fire
6. NEI 99-01 SA9

Category E - Independent Spent Fuel Storage Installation (ISFSI)

EAL Group: ANY (EALs in this category are applicable to any plant condition, hot or cold)

An independent spent fuel storage installation (ISFSI) is a complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage. A significant amount of the radioactive material contained within a cask/canister must escape its packaging and enter the biosphere for there to be a significant environmental effect resulting from an accident involving the dry storage of spent nuclear fuel.

An Unusual Event is declared on the basis of the occurrence of an event of sufficient magnitude that a loaded cask CONFINEMENT BOUNDARY is damaged or violated.

The CNS ISFSI is contained wholly within the plant Protected Area. Therefore a security event related to the ISFSI would be applicable to EALs HU1.1, HA1.1 and HS1.1.

Minor surface damage that does not affect storage cask/canister boundary is excluded from the scope of these EALs.

Deleted: Formal offsite planning is not required because the postulated worst case accident involving an ISFSI has insignificant consequences to the public health and safety.

Deleted: A hostile security event that leads to a potential loss in the level of safety of the ISFSI is a classifiable event under Security category EAL HS1.1.

Category:

E - ISFSI

Sub-category:

None

Initiating Condition:

Damage to a loaded cask CONFINEMENT BOUNDARY

EAL:

EU1.1 Notification of Unusual Event

Damage to a loaded canister CONFINEMENT BOUNDARY as indicated by an on-contact radiation reading on the surface of a loaded Vertical Storage Cask (VSC) > any of the following:

  • 100 mrem/hr (neutron + gamma) on the side of the VSC
  • 100 mrem/hr (neutron + gamma) on the top of the VSC
  • 200 mrem/hr (neutron + gamma) at the air inlets or outlets of the VSC

Mode Applicability:

All

Definition(s):

CONFINEMENT BOUNDARY - The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. As related to the CNS ISFSI, Confinement Boundary is defined as the Transportable Storage Canister (TSC) for both NAC-UMS and MAGNASTOR storage systems.

Basis:

The CNS ISFSI utilizes two designs for dry spent fuel storage:

  • The NAC-UMS dry spent fuel storage system
  • The MAGNASTOR dry spent fuel storage system

Both systems consist of a Transportable Storage Canister (TSC) and concrete Vertical Storage Cask (VSC). The TSC is the CONFINEMENT BOUNDARY for both systems. The TSC is welded and designed to provide confinement of all radionuclides under normal, off-normal, and accident conditions (ref. 1, 2).

Confinement boundary is defined as the barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. Therefore, damage to a confinement boundary must be a confirmed physical breach between the spent fuel and the environment for the TSC.

The values shown represent 2 times the limits specified in the ISFSI Certificate of Compliance Technical Specification for radiation external to a loaded VSC for a NAC-UMS canister (ref. 1). The specified ISFSI dose limits are based on surveys taken consistent with the locations specified in the associated Technical Specification (ref. 1, 2).

This IC addresses an event that results in damage to the CONFINEMENT BOUNDARY of a storage cask containing spent fuel. It applies to irradiated fuel that is licensed for dry storage beginning at the point that the loaded storage cask is sealed. The issues of concern are the creation of a potential or actual release path to the environment, degradation of one or more fuel assemblies due to environmental factors, and configuration changes which could cause challenges in removing the cask or fuel from storage.

The existence of "damage" is determined by radiological survey. The technical specification multiple of "2 times", which is also used in Recognition Category R IC RU1, is used here to distinguish between non-emergency and emergency conditions.

The emphasis for this classification is the degradation in the level of safety of the spent fuel cask and not the magnitude of the associated dose or dose rate. It is recognized that in the case of extreme damage to a loaded cask, the fact that the "on-contact" dose rate limit is exceeded may be determined based on measurement of a dose rate at some distance from the cask.

Security-related events for ISFSIs are covered under ICs HU1 and HA1.

CNS Basis Reference(s):

1. NAC-UMS Certificate of Compliance No. 1015 Technical Specifications
2. MAGNASTOR Certificate of Compliance No. 1031 Technical Specifications
3. NEI 99-01 E-HU1

Category F - Fission Product Barrier Degradation

EAL Group: Hot Conditions (NCS temperature > 200°F); EALs in this category are applicable only in one or more hot operating modes.

EALs in this category represent threats to the defense in depth design concept that precludes the release of highly radioactive fission products to the environment.

This concept relies on multiple physical barriers any one of which, if maintained intact, precludes the release of significant amounts of radioactive fission products to the environment.

The primary fission product barriers are:

A. Fuel Clad (FC): The Fuel Clad Barrier consists of the cladding material that contains the fuel pellets.

B. Reactor Coolant System (NCS): The NCS Barrier includes the NCS primary side and its connections up to and including the pressurizer safety and relief valves, and other connections up to and including the primary isolation valves.

C. Containment (CMT): The Containment Barrier includes the containment building and connections up to and including the outermost containment isolation valves. This barrier also includes the main steam, feedwater, and blowdown line extensions outside the containment building up to and including the outermost secondary side isolation valve. Containment Barrier thresholds are used as criteria for escalation of the ECL from Alert to a Site Area Emergency or a General Emergency.

The EALs in this category require evaluation of the loss and potential loss thresholds listed in the fission product barrier matrix of Table F-1 (Attachment 2). "Loss" and "Potential Loss" signify the relative damage and threat of damage to the barrier. "Loss" means the barrier no longer assures containment of radioactive materials. "Potential Loss" means integrity of the barrier is threatened and could be lost if conditions continue to degrade. The number of barriers that are lost or potentially lost and the following criteria determine the appropriate emergency classification level:

Alert: Any loss or any potential loss of either Fuel Clad or NCS

Site Area Emergency: Loss or potential loss of any two barriers

General Emergency: Loss of any two barriers and loss or potential loss of third barrier

The logic used for emergency classification based on fission product barrier monitoring should reflect the following considerations:

  • The Fuel Clad Barrier and the NCS Barrier are weighted more heavily than the Containment Barrier.
  • Unusual Event ICs associated with NCS and Fuel Clad Barriers are addressed under System Malfunction ICs.
  • For accident conditions involving a radiological release, evaluation of the fission product barrier thresholds will need to be performed in conjunction with dose assessments to ensure correct and timely escalation of the emergency classification. For example, an evaluation of the fission product barrier thresholds may result in a Site Area Emergency classification while a dose assessment may indicate that an EAL for General Emergency IC RG1 has been exceeded.
  • The fission product barrier thresholds specified within a scheme reflect plant-specific CNS design and operating characteristics.
  • As used in this category, the term NCS leakage encompasses not just those types defined in Technical Specifications but also includes the loss of NCS mass to any location - inside the primary containment, an interfacing system, or outside of the primary containment. The release of liquid or steam mass from the NCS due to the as-designed/expected operation of a relief valve is not considered to be NCS leakage.
  • At the Site Area Emergency level, EAL users should maintain cognizance of how far present conditions are from meeting a threshold that would require a General Emergency declaration. For example, if the Fuel Clad and NCS fission product barriers were both lost, then there should be frequent assessments of containment radioactive inventory and integrity. Alternatively, if both the Fuel Clad and NCS fission product barriers were potentially lost, the Emergency Coordinator would have more assurance that there was no immediate need to escalate to a General Emergency.

Category:

Fission Product Barrier Degradation

Subcategory:

N/A

Initiating Condition:

Any loss or any potential loss of either Fuel Clad or NCS

EAL:

FA1.1 Alert

Any loss or any potential loss of either Fuel Clad or NCS (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Fuel Clad, NCS and Containment comprise the fission product barriers. Table F-1 (Attachment 2) lists the fission product barrier thresholds, bases and references.

At the Alert classification level, Fuel Clad and NCS barriers are weighted more heavily than the Containment barrier. Unlike the Containment barrier, loss or potential loss of either the Fuel Clad or NCS barrier may result in the relocation of radioactive materials or degradation of core cooling capability.

Note that the loss or potential loss of Containment barrier in combination with loss or potential loss of either Fuel Clad or NCS barrier results in declaration of a Site Area Emergency under EAL FS1.1.

CNS Basis Reference(s):

1. NEI 99-01 FA1

Category:

Fission Product Barrier Degradation

Subcategory:

N/A

Initiating Condition:

Loss or potential loss of any two barriers

EAL:

FS1.1 Site Area Emergency

Loss or potential loss of any two barriers (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Fuel Clad, NCS and Containment comprise the fission product barriers. Table F-1 (Attachment 2) lists the fission product barrier thresholds, bases and references.

At the Site Area Emergency classification level, each barrier is weighted equally. A Site Area Emergency is therefore appropriate for any combination of the following conditions:

  • One barrier loss and a second barrier loss (i.e., loss - loss)
  • One barrier loss and a second barrier potential loss (i.e., loss - potential loss)
  • One barrier potential loss and a second barrier potential loss (i.e., potential loss - potential loss)

At the Site Area Emergency classification level, the ability to dynamically assess the proximity of present conditions with respect to the threshold for a General Emergency is important. For example, the existence of Fuel Clad and NCS Barrier loss thresholds in addition to offsite dose assessments would require continual assessments of radioactive inventory and Containment integrity in anticipation of reaching a General Emergency classification. Alternatively, if both Fuel Clad and NCS potential loss thresholds existed, the Emergency Coordinator would have greater assurance that escalation to a General Emergency is less imminent.

CNS Basis Reference(s):

1. NEI 99-01 FS1

Category:

Fission Product Barrier Degradation

Subcategory:

N/A

Initiating Condition:

Loss of any two barriers and loss or potential loss of third barrier

EAL:

FG1.1 General Emergency

Loss of any two barriers AND Loss or potential loss of third barrier (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

Definition(s):

None

Basis:

Fuel Clad, NCS and Containment comprise the fission product barriers. Table F-1 (Attachment 2) lists the fission product barrier thresholds, bases and references.

At the General Emergency classification level each barrier is weighted equally. A General Emergency is therefore appropriate for any combination of the following conditions:

  • Loss of Fuel Clad, NCS and Containment barriers
  • Loss of Fuel Clad and NCS barriers with potential loss of Containment barrier
  • Loss of NCS and Containment barriers with potential loss of Fuel Clad barrier
  • Loss of Fuel Clad and Containment barriers with potential loss of NCS barrier

CNS Basis Reference(s):

1. NEI 99-01 FG1
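
The FA1.1, FS1.1 and FG1.1 statements above reduce to a decision rule over three barrier states. The Python below is an added illustration, not part of the CNS document or of NEI 99-01: it encodes that rule and, following the guidance on tracking proximity to a General Emergency, lists which single barrier degradation would meet FG1.1. The names `Status`, `classify`, `single_steps_to_general_emergency` and `tally` are hypothetical, and the barrier states are assumed to come from a completed Table F-1 threshold evaluation.

```python
from collections import Counter
from enum import IntEnum
from itertools import product


class Status(IntEnum):
    """State of one fission product barrier after the Table F-1 evaluation."""
    INTACT = 0
    POTENTIAL_LOSS = 1
    LOSS = 2


BARRIERS = ("fuel_clad", "ncs", "containment")


def classify(fuel_clad, ncs, containment):
    """Return (classification level, EAL) for Category F, or (None, None)."""
    states = [Status(fuel_clad), Status(ncs), Status(containment)]
    lost = sum(s == Status.LOSS for s in states)
    challenged = sum(s != Status.INTACT for s in states)  # loss or potential loss
    # FG1.1: loss of any two barriers AND loss or potential loss of the third.
    if lost >= 2 and challenged == 3:
        return ("General Emergency", "FG1.1")
    # FS1.1: loss or potential loss of any two barriers, each weighted equally.
    if challenged >= 2:
        return ("Site Area Emergency", "FS1.1")
    # FA1.1: only Fuel Clad or NCS counts; Containment alone meets none of
    # the three Category F EALs (other categories may still apply).
    if states[0] != Status.INTACT or states[1] != Status.INTACT:
        return ("Alert", "FA1.1")
    return (None, None)


def single_steps_to_general_emergency(fuel_clad, ncs, containment):
    """Barriers whose next one-level degradation would meet FG1.1."""
    current = [Status(fuel_clad), Status(ncs), Status(containment)]
    steps = []
    for i, name in enumerate(BARRIERS):
        if current[i] == Status.LOSS:
            continue  # already fully lost, cannot degrade further
        trial = list(current)
        trial[i] = Status(current[i] + 1)
        if classify(*trial)[1] == "FG1.1":
            steps.append(name)
    return steps


def tally():
    """Count classification levels over all 27 barrier-state combinations."""
    return Counter(classify(*combo)[0] for combo in product(Status, repeat=3))


if __name__ == "__main__":
    for combo in product(Status, repeat=3):
        level, eal = classify(*combo)
        print(", ".join(f"{b}={s.name}" for b, s in zip(BARRIERS, combo)),
              "->", level or "no Category F EAL", eal or "")
```

With both Fuel Clad and NCS lost and Containment intact, the only single step to FG1.1 is a Containment potential loss; with both only potentially lost, no single step reaches it, which matches the basis discussion for FS1.1.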