Text

PG&E Response to NRC Request for Additional Information Regarding License Amendment Request 16-04, Request to Adopt Emergency Action Level Schemes Pursuant to NEI 99-01, Revision 6, 'Development of Emergency Action Levels for Non-Passive ..
	ML17179A019
Person / Time
Site:	Diablo Canyon
Issue date:	06/21/2017
From:	; Pacific Gas & Electric Co
To:	; Office of Nuclear Reactor Regulation
References
	DCL-17-055, LAR 16-04, NEI 99-01, Rev 6
	Download: ML17179A019 (343)
	v • d • e

Enclosure 1 PG&E Letter DCL-17-055 PG&E Response to NRC Request for Additional Information Regarding License Amendment Request 16-04, "Request to Adopt Emergency Action Level Schemes Pursuant to NEl,99-01, Revision 6, 'Development of Emergency Action Levels for Non-Passive Reactors"'

I

Enclosure 1 PG&E Letter DCL-17-055 NRC RAl-DCPP-1 The Basis discussions for the proposed DCPP EAL scheme include an ERO

[Emergency Response Organization] Decision Making Information section and a Background section. This is not consistent with the endorsed guidance; nor is it consistent with the current approved DCPP EAL scheme. There may be a potential that a decision maker could either limit their review to the "ERO Decision Making Information" section or treat information in the background section as less important.

This could result in overlooking information, such as the following: "If the RCS [reactor coolant system] is not INTACT and CONTAINMENT CLOSURE is not established during the event, the SM/SEC/ED should also refer to CA3," which is located in the Background discussipn for DCPP CU3. 1.

Please explain why two sections are required for the basis discussion, as the two sections in the proposed license amendment request (LAR) could impact the timf!Jliness or accuracy of event classifications, or revise accordingly consistent with the endorsed guidance.

PG&E Response A Decision Making Information section and a Background section were included in order to expedite timely and accurate classifications. By bringing the key information forward into the ERO Decision Making Information section, the decision makers can quickly assess applicability of the Initiating Condition/Emergency Action Level. This change was made based on feedback from several decision-makers that much of the background and generic basis information hindered their ability to accomplish timely and accurate classifications.

PG&E has added the following paragraph to Section 3.1 for clarification:

J"ln this Technical Basis Document (TBD), the Basis Section is divided up into two subsections. The first is the ERO Decision Making Information followed by a Background Section. The ERO Decision Making Information section highlights key data and pertinent information that is more likely to immediately assist key decision makers in classification as compared to more generic background information.

However, decision makers (SM/SEC/ED) are still responsible for assessing all TBD information at is pertains to the Emergency Action Level (EAL)."

PG&E performed a complete review of the Background section and moved comments noted by the NRG from the Background section to ERO Decision Making Information section in the following EALs: CU3.1, CU3.2, RA2.1, HU3.4, HA5.1, CU5.1, HS6.1 &

SU7.1.

Page 1 of 28

Enclosure 1 PG&E Letter DCL-17-055 NRC RAl-DCPP-2 Section 4.3 (Instrumentation Used for EALs) of the endorsed guidance states: "Scheme developers should ensure that specific values used as EAL setpoints are within the calibrated range of the referenced instrumentation."

Please confirm that all setpoints and indications used in the proposed DCPP EAL scheme are within the calibrated range(s) of the stated instrumentation and that the resolution of the instrumentation is appropriate for the setpointlindication.

PG&E Response PG&E has confirmed that all setpoints and indications used in the proposed DCPP EAL scheme are within the calibrated range(s) of the stated instrumentation and that the resolution of the instrumentation is appropriate for the setpoint/indication.

NRC RAl-DCPP-3 Section 4. 7 (EAUThreshold References to AOP [Abnormal Operating Procedure] and EOP [Emergency Operating Procedure] Setpoints!Criteria) of the endorsed guidance states: As reflected in the generic guidance, the criteria/values used in several EALs and fission product barrier thresholds may be drawn from a plant's AOPs and EOPs."

The NRG staff expects that changes to AOPs and EOPs will be evaluated in accordance with the provisions of 10 CFR 50.54(q).

Please explain what controls are in place at DCPP to ensure that a subsequent change to an AOP or EOP is screened to determine if an evaluation pursuant to 10 CFR 50.54(q) is required.

PG&E Response PG&E has adequate controls that ensure all changes to procedures (including EOPs and AOPs) go through a screening process for any Emergency Planning (EP) impact which could require a 10 CFR 50.54(q) evaluation.

Diablo Canyon Power Plant (DCPP) Interdepartmental Administrative Procedure TS3.ID2, "Licensing Basis Impact Evaluations," includes steps in the Applicability Determination that requires review to determine whether the change is subject to the 50.54(q) process. The procedure is being enhanced to provide additional guidance to determine if the changes to AOPs and EOPs require a 50.54(q) evaluation.

NRC RAl-DCPP-4 The definitions contained in endorsed guidance for the General Emergency, Site Area Emergency, Alert and Notification of Unusual Event [Unusual Event] classification levels begin with "Events are in progress... " The DCPP definitions in Section 5.0 for a General Page2 of 28

Enclosure 1 PG&E Letter DCL-17-055 Emergency, Site Area Emergency, Alert and Unusual Event begin with "Events are in pro~ess." [Emphasis added.]

Please revise these definitions to reflect the definitions in the endorsed guidance or provide a justification for the difference.

PG&E Response PG&E has corrected the relevant definitions to read "progress." The DCPP definitions now reflect the definitions in the endorsed guidance.

NRC RAl-DCPP-5 The current DCPP Table R-1 (Effluent Monitor Classification Thresholds) has monitors

- 1(2)-RM-24124R, 1(2)-RM-28/28R, 1{2)-RM-71n2n3n4 and O-RM-3 with associated threshold values. The proposed DCPP Table R-1 does not include these monitors, nor are they identified as a change in the LAR.

Please explain why these monitors are not included in the proposed DCPP EAL scheme, or revised accordingly.

PG&E Response

1. Radiation Monitors 1(2)-RM-24/24R are Plant Vent 1-131 isokinetic continuous inline sample low range monitors that constitute the 1-131 (halogen) ch.annels for the plant vent. Radiation Monitors 1(2)-RM-24/24R are in the same sample stream as the 1(2)-RM-14/14R noble gas monitor channels. Radiation Monitors 1(2)-RM-24/24R are not commonly used for accident monitoring as halogens are collected on media and will not accurately represent a release rate for the postulated event used as the basis for the NEI 99-01, Revision 6 EALs (cumulative deposition will progressively over estimate accident releases). While it is possible to mathematically develop an EAL threshold for the halogen channel, it has limited value and is redundant to the noble gas channel as applicable halogen components are factored into the Radiation Monitors 1(2)-RM-14/14R EAL threshold developed by the MIDAS dose assessment model.

2. Radiation Monitors 1(2)-RM-28/28R are Plant Vent particulate isokinetic continuous inline sample low range monitors that constitute the particulate channels for the plant vent. Radiation Monitors 1(2)-RM-28/2eR are in the same sample stream as the 1(2)-RM-14/14R noble gas monitor channels. Radiation Monitors 1(2)-RM-28/28R are not commonly used for accident monitoring as particulates are collected on media and will not accurately represent a release rate for the postulated event used as the basis for the NEI 99-01, Revision 6 EALs (cumulative deposition will progressively over estimate accident releases). While it is possible to mathematically develop an EAL threshold for the particulate channel, it has limited value and is redundant to the noble gas channel as applicable particulate Page 3 of 28

Enclosure 1 PG&E Letter DCL-17-055 components are factored into the Radiation Monitors* 1(2)-RM-14/14R EAL threshold developed by the MIDAS dose assessment model.

3. Radiation Monitors 1(2)-RM-71/72/73/74 are Regulatory Guide (RG) 1.97, Revision 3 main steam line (MSL) gross gamma radiation monitors which are not part of the radioactive effluents program. The use of these area radiation monitors as an indirect means of release rate estimation involve a significant number of fixed assumptions for input variables, such as steam isotopic concentration, steam generator (SG) pressure, RCS leak rate, and valve position. PG&E maintains the capability to input variables necessary to perform dose projections from MSL monitors in the *MIDAS model. However, developing a fixed-value for EAL

thresholds was not included in the EAL scheme change submittal as a single derived value because it is not likely to be representative and potentially could result an incorrect classification.

4. Radiation Monitor O-RM-3 is a leak detection monitor for the oily water separator (OWS) tank, which typically contains no radioactive material. The OWS does not meet the NEI 99-01 criteria of a normally occurring continuous radioactivity release effluent pathway or a planned batch release non-continuous pathway.

Contamination of this system would only occur during a primary-to-secondary leakage and thus is not appropriate for use as an EAL threshold.

This information is included in a new TBD Section 3.3, "Notes on Development,"

to ensure the reason for excluding these rad monitors is documented and readily accessible.

NRC RAl-DCPP-6 The proposed DCPP Table R-1 has threshold values that are different than the current DCPP Table R-1 threshold values and uses different monitors for the Site Area Emergency classification. These changes are not identified in the LAR.

Please explain the basis for the change in these threshold values and the change in radiation monitors for the Site Area Emergency classification.

PG&E Response The threshold value changes are due to using a more accurate dose assessment model and updated calculation assumptions, input changes, and NEI 99-01 Revision 6 guidance.

The current (Revision 4/5) EAL threshold values for Table R-1 are based on:

. QuickDose Dose Assessment program.

Final Safety Analysis Report (FSAR) gap source term derived using Westinghouse Owners Group Letter WOG-84-248 Post Accident Core Damage 'Assessment Page 4 of 28

Enclosure 1 PG&E Letter DCL-17-055 Methodology, November 1984, Revision2, and filter Process Reduction Factors (PRFs) from NUREG 1228.

Release duration of 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

Plant vent flow rate 2.63E+05 cfm.

3

XIQ = 3.87E-6 sec/m - from FSAR TABLE 2.3-2, "Normalized Annual Ground Level Concentrations Downwind From DCPP Site Ground Release."

The Revision 6 EAL threshold values for Table R-1 are based on:

MIDAS Dose Assessment program, which is more accurate than the previously used QuickDose Dose Assessment program.

NUREG 1940 and 1465 gap source term derived using WCAP-14696-A Core Damage Assessment Guidance (CDAG), and PRFs from NUREG 1940 and Response Technical manual (RTM)-96.

Release duration of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Plant vent flow rate 207,750 cfm. .

X/Q calculated by MIDAS dose assessment program using wind speed and stability from FSAR Section 2.3.3.2.7; 10 mph, FSAR Tables 2.3-42 through 2.3 stability class with the highest frequency is E.

The Revision 6 EAL threshold values for Table F-1 Containment and Fuel Clad losses are based on:

NUREG 1940 and 1465 gap source term derived using WCAP-14696-A CDAG, and PRFs from NUREG 1940 and RTM-96.

The Revision 6 EAL threshold values for SU4.2 and Table F-1 RCS loss are based on:

WECTEC Technical Report 14078104-RADR-001-6, Revision 6, "Implementation of Alternate Source Terms (AST)," Tables 4.2-1 "Primary and Secondary Coolant Technical Specification Activity Concentrations" and 4.2-2 "Primary Coolant Pre-Accident Iodine Spike Concentrations & Equilibrium Iodine Appearance Rates,"

adjusted for an activity equivalent to 10 percent of the Technical Specification (TS) 3.4.16 limit of 60 µCi/g of dose equivalent (DE) 1-131 and 270 µCi/g of DE Xe-133, was used along with WCAP-14696-A CDAG CRM1 release fraction assumptions to develop the site specific source term.

This Revision 6 information is inGluded in a new TBD Section 3.3 that is titled "Notes on Development" to ensure this information is documented and readily accessible.

The basis for the change in radiation monitors is documented in NRC RAl-DCPP-5 response.

Page 5 of 28

Enclosure 1 PG&E Letter DCL-17-055 NRC RAl-DCPP-7 The proposed DCPP EAL RU2. 1 threshold value states, in part: "UNPLANNED rise to low alarm setpoint in corresponding radiation levels as indicated by .... " The NRG staff could not determine what is meant by this condition based on the information provided in the submittal.

Please explain what conditions will meet this threshold value and provide a justification that decision makers can make a timely and accurate assessment using the existing wording, or revise the statement as necessary to clarify consistent with endorsed guidance. (

PG&E Response The word "low" was removed from EAL RU2.1 and its associated basis as it pertains to radiation alarms. This allows for the appropriate elevated radiation alarm to meet this EAL. As revised, the condition is consistent with endorsed guidance.

For clarification of the dual alarm points of the noted radiation monitors, PG&E added the following to the Basis:

"RM-58 and RM-59 each have two Hi Radiation alarm settings.

The lower level Hi Radiation setting is identified as a Trip 1" level indicated by an amber light on the Control Room module located behind the vertical boards on panel PAM 2. On the local area module, this setting is labeled as an "Alert Alarm". A radiation dose level rise to this Trip 1 or Alert level radiation alarm meets the intent of this EAL.

The higher level Hi Radiation alarm setting initiates the Iodine Removal ventilation mode.

Likewise, if a temporarily installed monitor were to have multiple alarm levels, the lower level high radiation alarm would meet the intent of this EAL."

NRC RAl-DCPP-8 The proposed DCPP EAL RA2. 1 shows a classification level of Unusual Event instead of an Alert, which could result in an inaccurate event declaration.

Please revise as necessary to ensure the EAL identifier and classification level are aligned as the proposed EAL RA2. 1.

Page 6 of 28

Enclosure 1 PG&E Letter DCL-17-055 PG&E Response PG&E has changed the classification level cited for DCPP EAL RA2.1 from "Unusual Event" to "Alert."

NRC RAl-DCPP-9 The proposed DCPP Basis for EAL EU1. 1 states:

The values in Table E-1 are derived from /SFSI [independent spent fuel storage installation] FSAR Tables (ref 1, 2). Since the UFSAR Table 7.3-1A are the maximum calculated dose rate values, and are not expected to ever be exceeded, a conservative approach of exceeding the highest possible fuel value dose rates, plus 5 mremlhour, was used as an indication of damage to an Overpack. Note: These values are approximately 2 times the maximum expected dose rate for low bum-up fuel (ref 2).

E-HU1 in the endorsed guidance states:

The technical specification multiple of "2 times", which is also used in Recognition Category 'A' of JC AU1 [RU1.1 for DCPP], is used here to distinguish between non-emergency and emergency conditions. The emphasis for this classification is the degradation in the level of safety of the spent fuel cask and not the magnitude of the associated dose or dose rate.

a. The provided values are significantly below the expected threshold values provided in the endorsed guidance, which could result in an Unusual Event declaration for a dose that is only slightly above the maximum calculated dose rate values. Please ,

explain, why the endorsed guidance of 2 times the technical specification values was not used or revise accordingly.

b. Concerning the above note relating to low bum-up fuel. The NRG staff could not determine the purpose of this note based on the information provided. Please explain if this note is intended to indicate that all current and future spent fuel casks will be only loaded with low bum-up fuel or revise accordingly.

Page 7 of 28

Enclosure 1 PG&E Letter DCL-17-055 PG&E Response EAL EU1 .1, Table E-1 was revised, as shown below, to establish surface dose rates that are two times the Updated Final Safety Analysis Report (UFSAR) Table 7.3-1A, "Surface and 1 Meter Dose Rates for the Overpack with an MPC-32 69,000 MWD/MTU and 5-Year Cooling" Table E-1 ISFS I Radiation Readings Surface Dose Dose Point Locati on Rate (see figure)

(mRem/hour) 1 Base vent 132 2 Mid plane 150 3 Top vent 140 4 Lid-center 34 4a Lid-over top vents 267 PG&E revised the Basis section to reflect that these surface dose rates are two times the UFSAR Table 7.3-1A, consistent with the endorsed guidance.

The note was intended to show how DCPP met NEI 99-01, Revision 6 intent. However, PG&E deleted the reference to UFSAR Table 7.3-1 B dealing with low burn up fuel and the Note which also referenced low burn up fuel.

NRC RAl-DCPP-10 The proposed DCPP EALs CA1.2, CS1.3, and CG1.2 threshold values include a reference to Table C-1 (Sumps/Tanks), which includes several sumps that typically may not provide a level indication that could be used to quantify RCS leakage or typically may contain a sump pump that operates automatically.

Please explain how these sumps can be used to quantify RCS leakage1as needed to provide an indication of core uncovery or revise accordingly. This explanation should address automatic sump pumps, if used, that could limit the effectiveness of the sump as a method to quantify RCS leakage as needed to support a timely and accurate assessment.

PG&E Response The following DCPP sumps/tanks listed in Table C-1 have automatic sump pumps:

containment structure sumps

reactor cavity sump

reactor coolant drain tank

auxiliary building sump Page 8 of 28

Enclosure 1 PG&E Letter DCL-17-055

miscellaneous equipment drain tank

residual heat removal (RHR) room sumps With the exception of the RHR room sumps, each of these sumps, as well as all of the noted tanks (pressure relief tank, componenfcooling water surge tank(s) & refueling water storage tank), are trended by either chart recorders, control room level indication and/or computer inputs. With the ability to trend sump and tank levels, possible leakage sources can be evaluated as to volume and rate of in-leakage.

For the RHR Sumps, with a capacity of about 500 gallons each, these can be evaluated by the frequency of the Hi Alarm/Pump Run alarms that are received in the Control Room.

These indications provide the ability to quantify RCS leakage as needed to support timely and accurate assessment.

For additional. clarification, PG&E added the following information to the TBD:

All of the Table C-1 Tanks are trended by either chart recorders, control room level indication and/or computer inputs, except for the RHR Sumps. The RHR Sumps, with a capacity of about 500 gallons each, can be evaluated by the frequency of the Hi Alarm/Pump Run alarms. Such trending methods should be used to evaluate RCS loss rate versus sump level increases. For reference purposes, the capacity of each tank system is listed below. These are based on Plant Manual Volume 9 Storage Tank Volume Data sheets."

This will allow the SM/SEC/ED to evaluate leaks based on trending of sump or tank levels. This evaluation 'Of trend data will allow the decision maker to assess core uncovery and make timely and accurate decisions.

This information was also added to CU1 .2, which also uses Table C-1.

NRC RAl-DCPP-11 The final paragraph in the ERO Decision Making Information Basis for the proposed DCPP EAL CG1.1 contains a discussion relative to the inability to monitor RCS level.

However, the threshold value for EAL CG1.1 is based on indicated reactor vessel level and is not based on a loss of indication.

Please justify the inclusion of a discussion related to a loss of indication for an EAL that is not based on a loss of level, or revise consistent with endorsed guidance to prevent an inaccurate or delayed assessment.

Page 9 of 28

Enclosure 1 PG&E Letter DCL-17-055 PG&E Response PG&E has deleted the cited paragraph related to inability to monitor RCS level. The revised discussion is consistent with endorsed guidance.

NRC RAl-DCPP-12 The proposed DCPP Basis for EALs CU2.1, SU1.1 and SA 1.1 state:

For emergency classification purposes, "capability" means that, whether or not the buses are actually powered from it, an AC [alternating current]

power source(s) can be aligned to the vital buses within 15 minutes:

By a clear procedure path, And

Breakers and equipment are readily available to power up the bus within the allotted time frame.

The endorsed guidance recognizes that vital alternating current (AC) buses are typically energized from a single power supply with the capability to align the vital AC bus to an alternate power supply. DCPP has included the above basis discussion to clarify the term "capability." However, this clarification could imply that the licensee .has 15 minutes to attempt to energize at least one vital bus at which time the licensee could have an additional 15 minutes to classify the event.* Considering that the de-

. energization of vital AC buses would require an Alert declaration pursuant to EAL CA2. 1 or a Site Area Emergency pursuant to SS1.1 within 15 minutes, the additional time potentially implied by the DCPP discussion relative to "capability" could delay an accurate and timely assessment of EAL CU2. 1 or SA 1. 1.

The clarification for the term "capability" is not consistent with endorsed guidance; nor is it identified as a "difference" in Attachment 1, "EAL Comparison Matrix."

Please remove or revise the clarification for the meaning of "capability" in the respective bases discussions, or explain how the addition of this condition could not potentially delay or prevent classification of a loss of vital AC power to emergency buses.

PG&E Response PG&E has updated the TBD as follows:

For emergency classification purposes, "capability" means that, whether or not the buses are actually powered from it, an AC power source(s) can be aligned to the vital buses within 15 minutes. This is determined by:

Use of a clear procedure path, and Page 10 of 28 (

Enclosure 1 PG&E Letter DCL-17-055

Breakers and equipment are readily available to power up the bus within the

. allotted time frame. ;

and

Power potential indication (power available white status light) from any Table S-1 (C-3) source is illumin~ted.

The 15 minute declaration time runs concurrently with determining AC power capability and aligning the source to the buses. Therefore, this EAL does NOT provide for 15 minutes to ascertain capability and another 15 minutes to declare. In other words, you must either meet the AC power capability for the source of power OR declar~ within 15 minutes.

This EAL describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. In other words, a loss of this AC power source will result in a loss of all AC.

Additionally, Table C-3 was updated for clarity.

NRC RAl-DCPP-13 DCPP EALs CA2.1, SS1.1, SG1.1 and SG2.1 state:

Loss of all offsite and all onsite AC power capability .... [Emphasis added]

Additionally, the DCPP Basis for EALs CA2.1, SS1.1: SG1.1 and SG2.1 state:

For emergency classification purposes, "capability" means that, whether or not the buses are actually powered from it, an AC power source(s) can be aligned to the vital buses within 15 minutes:

By a clear procedure path, And

Breakers and equipment are readily available to power up the bus within*the allotted time frame.

The intent of these EALs is to ensure that an EAL is declared upon a total loss of AC power that compromises the performance of all systems requiring electric power for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal, and the ultimate heat sink. This additional criteria could prevent the EAL from being declared in a condition where the AC power sources are available, but not connected to the emergency buses. The NRG staff considers the addition of this criteria to the EALs, and the definition in the basis, to be a deviation from endorsed guidance.

Page 11 of 28

Enclosure 1 PG&E Letter DCL-17-055 Please explain how the addition of this condition could not potentially delay or prevent classification of a Joss of AC power to emergency buses, or revise accordingly to remove the term "capability" in the EALs listed above and the clarification for the meaning of "capability" in the respective bases.

PG&E Response PG&E has removed the term " ... capability... " from EALs CA2.1, SS1 .1, SG1 .1 and SG2.1. ,

PG&E has removed the clarification for the meaning of "capability" in the respective basis discussions for EALs CA2.1, SS1 .1, SG1 .1 and SG2.1.

As revised, the discussion is consistent with endorsed guidance.

NRC RAl-DCPP-14 The threshold values for proposed DCPP EALs CA2.1, SS1.1, SG1.1 and SG2.1 include a reference to a table of power supplies. The intent of these EALs is to ensure that an EAL is declared upon a total loss of AC power that compromises the perform~nce of all systems requiring electric power for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal, and the ultimate heat sink. A list of readily available power sources f!lay lead to event declarations when mitigative strategies are effective in reestablishing emergency power to these buses. In other words, if a list of power sources is provided for these EALs, and those sources are unavailable, then 9n EAL decision-maker would be compelled to declare events even if mitigative strategies using other power sources are effective. It is not necessary to document these power sources for these EALs, as the EAL is not concerned with the power source as much as the power Joss to the emergency bus. (Ref: EPFAQ 2015-015.)

Please remove the tables from these EALs, or provide a justification for the difference from endorsed guidance.

PG&E Response PG&E has removed the AC Power Capability Tables (C-3/S-1) from EALs CA2.1, SS1 .1, SG1 .1 and SG2.1 to be consistent with endorsed guidance.

NRC RAl-DCPP-15

a. In proposed DCPP EALs CU5.1 and SU7.1, the Table C-5 or S-4 (Communication Methods) for onsite communications include an extensive list of communication methods. The intent of onsite communications is to support normal operations and all Table S-4 onsite communication methods have to be Jost to satisfy declaration criteria. The NRG staff could not determine how either the Unit 1, Unit 2 and Page 12 of 28

Enclosure 1 PG&E Letter DCL-17-055 Technical Support Center (TSC) radio consoles, or the Hot Shutdown Panel radio consoles, by themselves, could support onsite communications. For example, how would onsite communications occur if the only method of onsite communication available was the Hot Shutdown Panel radio console?

Additionally, onsite notification methods include portable radio equipment, the operations radio system, the security radio system, mobile radios, and satellite phones. The NRG staff could not determine if these were redundant systems or, if they were redundant systems, how these various systems could be used as necessary to support routine plant operations. For example, how would various members of the plant staff obtain radios and/or satellite phones as needed to conduct plant operations?

Please explain how the proposed communication methods for onsite communication can be completed with any single method provided by Table C-5 or S-4 for onsite communications. This explanation should include the accessibility to redundant equipment and how communications would be completed without requiring the relaying of information.

b. In proposed DCPP EAL CU5. 1 and SU7. 1, the Table G-5 or S-4 (Communication Methods) for offsite communications include the Central Alarm Station (GAS) and the Secondary Alarm Station (SAS) consoles, and the Hot Shutdown Panel radio consoles.

Please explain how the proposed communication methods for offsite communication can be completed with any single method provided by Table C-5 or S-4 for offsite communications. This explanation should include how communications would be completed without requiring the relaying of information.

PG&E Response PG&E has consolidated Tables C-5 and S-4 to make them more concise and to support the following conclusions that any onsite, offsite, or NRG communication method can support normal operation:

Note: Each of the methods below is direct, and does not require the relaying of information.

At DCPP, for onsite communications:

The radio system is robust, having multiple base station consoles in the Control Room, with additional consoles at each unit's hot shutdown panel. This allows for direct contact with field personnel that carry portable handheld radios. DCPP has a cache of portable ~adios available, and all field operators carry one during the course of their watch standing shift.

Page 13 of 28

Enclosure 1 PG&E Letter DCL-17-055

The telephone system is robust, with hundreds of phones located throughout the plant to facilitate direct communications for operational purposes.

The public address (PA) system is a plant site wide system that allows for broadcasts from the Control Room as well as other key locations. Additionally, if needed, the PA system can be accessed through the plant phone system.

Satellite phones are a backup system. Approximately 30 *satellite phones are available, located in the Operations offices, as well as in pre-staged emergency

equipment locations.

At DCPP, for offsite communications:

The telephone system is robust, with hundreds of phones located throughout the plant to facilitate direct offsite communications for operational purposes.

Satellite phones. are a backup system. Approximately 30 satellite phones are available, located in the Operations offices, as well as in pre-staged emergency equipment locations.

Direct lines (tie lines) to the County and to the State allow for direct communications with the offsite response organizations (OROs).

At DCPP, for NRC communications:

The telephone system is robust, with hundreds of phones located throughout the plant to facilitate direct NRC communications.

Satellite phones are a backup system, available in the Operations offices as well as in pre-staged emergency equipment locations.

Direct lines (tie lines via the NRC Federal Telecommunications System) to the NRC allow for direct communications with the NRC.

PG&E added the following to the ERO Decision Making Information to clarify what is meant by the DCPP Radio System:

"For the onsite DCPP Radio System to be considered lost, communications between Control Room (or HSDP if it in control) and field personnel (i.e. operators, maintenance personnel, etc.) is Jost.

NO TE: The plant radio system is not considered for Offsite Communication methods since it does not connect to the State OES, which is part of the OROs.

Loss of the Security radio system should be evaluated by the Watch Commander in

accordance with Security procedures. In this case refer to Security related EALs."

NRC RAl-DCPP-16 The ERO Decision Making Information section of the basis discussion for proposed DCPP EALs CA6.1 and SA9. 1 states:

Page 14 of 28

Enclosure 1 PG&E Letter DCL-17-055 With respect to event damage caused by an equipment failure resulting in

a FIRE or EXPLOSION, no emergency classification is required in response to a FIRE or EXPLOSION resulting from an equipmeht failure if the only safety system equipment affected by the event is that upon which the failure occurred. An emergency classification is required if a FIRE or EXPLOSION caused by an equipment failure damages safety system equipment that was otherwise functional or operable (i.e., equipment that ~'

was not the source/location of the failure). For example, if a FIRE or EXPLOSION resulting from the failure of a piece of safety system equipment causes damage to the other train of the affected safety system or another safety system, then an emergency declaration is required in accordance with this IC [initiating condition] and EAL.

The statement above would indicate that an EAL declaration pursuant to EAL CA6. 1 or SA9. 1 would not be required if a FIRE or EXPLOSION damages safety system equipment that was not the source of the fire and that equipment was in service at the time of the event. This statement is consistent with the proposed NRG response to EPFAQ 2016-002,--which is currently available for public comment. However, the example provided in the above statement could imply that an EAL declaration pursuant to EAL CA6. 1 or SA9. 1 would only be required if two safety trains are affected. The first being the on the system that is the source of the FIRE or EXPLOSION, and the second being the second train of equipment that is damaged by the FIRE or EXPLOSION. The provided example appears to be more in alignment with the EPFAQ 2016-002 response to a second, but related, question relative to the impact of FIRE or EXPLOSION damage to a safety system (or component) that was out of service at the time of the event.

a. Please remove or revise the example provided in the statement quoted above as necessary to avoid a potential misclassification under EALs CA6.1 or SA9.1.

b. The basis discussion for the statement quoted above provides information that could modify declarations based on a FIRE or EXPLOSION. Please add a note to the threshold values for EALs CA6.1 and SA9.1 that clearly indicates that an emergency classification is required if a FIRE or EXPLOSION caused by an equipment failure damages safety system equipment that was otherwise functional or operable, or explain how decision makers will be able to perform timely and accurate assessments of EALs CA6. 1 or SA9. 1.

PG&E Response PG&E has revised EALs CA6.1 and SA9.1, consistent with the currently proposed NRG EP FAQ 2016-002, as follows:

"The occurrence of any Table C-6 hazardous event AND Page 15 of 28

Enclosure 1 PG&E Letter DCL-17-055 Event damage has caused indications of degraded performance on one trf;lin of a SAFETY SYSTEM needed for thf} current operating mode AND EITHER:

Event damage has caused indications of degraded performance to a second train of a SAFETY SYSTEM needed for the current operating mode, or

Event damage has resulted in VISIBLE DAMAGE to a second train of a SAFETY SYSTEM needed for the current operating mode (Notes 13, 14)"

PG&E has added new notes 13 and 14 as follows:

"Note 13: If the affected SAFETY SYSTEM train was already inoperable or out of service before the hazardous event occurred, then emergency classification is not warranted.

Note 14: If the event results in VISIBLE DAMAGE, with no indications of degraded performance to any SAFETY SYSTEM train, then this emergency classification is not warranted."

PG&E has revised the EAL CA6.1 and SA9.1 basis and definition of VISIBLE DAMAGE to support the revised EAL wording consistent with the proposed NRG response to EP FAQ 2016-002.

PG&E revised the definition of Visible Damage in the Section 5 and any TBD location that used the definition (Categories C & S, CA6.1 & SA9.1 ).

NRC RAl-DCPP-17 The ERO Decision Making Information sections of the basis discussions for the proposed DCPP EALs HU1. 1, HA 1. 1 and HS1. 1 include security event categories.

However, it appears the specific categories are not required by the EAL threshold values. Additionally, this information could potentially delay or prevent a security classification if a decision maker were to assume that only events identified by these codes would require an EAL declaration.

Please consider removing the reference to security event categories, or explain how this information would not potentially delay or prevent the declaration of a security related event.

PG&E Response PG&E has deleted the.cited security event categories from EAL HU1 .1, HA1 .1, and HS1 .1 basis.

NRC RAl-DCPP-18 The proposed DCPP EAL HU2. 1 includes the following note:

Page 16 of 28

Enclosure 1 PG&E Letter DCL-17-055 Note 11: If the Earthquake Force Monitor (EFM) is out of service, refer to GP M-4 Earthquake for alternative methods to assess earthquakes.

Sufficient information relative to GP M-4 was not provided for NRG staff review. As such, the NRG staff could not determine if a decision maker could make a timely and accurate assessment of a seismic event using GP M-4.

Please provide addition information or explain how a decision maker can petform a timely and accurate assessment of a seismic condition using GP M-4.

PG&E Response PG&E has added the following to the EAL, which is the same wording from the current DCPP Revision4/5 EALs:

"EFM Alarm or GP M-4 determination indicates ... "

PG&E DCPP Casualty Procedure (CP) M-4, "Earthquake," allows for timely and accurate determination of an earthquake's impact to the plant and this emergency declaration, regardless if reading the Earthquake Force Monitor (EFM) or local indication. This is because the EFM is in the Control Room. If the EFM is out of service, in the event of a seismic event, operators are briefed each shift on obtaining an immediate reading of the local indication. Past practice has shown this occurs in less than five minutes.

Additionally, PG&E deleted Note 11.

NRC RAl-DCPP-19 The areas listed in Table H-1 (Fire Areas) in proposed DGPP EALs HU4.1 and HU4.2 seem to be vague or too all-encompassing. The endorsed guidance states: "the 'site-specific' list of plant room should specify these rooms or areas that contain SAFETY SYSTEM equipment."

Please explain if the listed areas are restricted to only the areas that contain equipment needed for safe operation, safe shutdown and safe cool-down, or revise accordingly consistent with endorsed guidance.

PG&E Response PG&E has revised Table H-1 to contain only the areas that contain equipment needed for safe operation, safe shutdown, and safe cool-down. PG&E added a plant drawing identifying plant areas by the alpha numeric designations used in Table H-1.

Page 17 of 28

Enclosure 1 PG&E Letter DCL-17-055 NRC RAI-DCPP-20 The ERO Decision Making Information section of the basis discussion for the proposed DGPP EAL HU4.2 states:

An "Incipient Alarm" meets the intent of a "single fire alarm." A pre-alarm" does not meet the intent of a "single fire alarm."

The key difference in the fire alarms associated with DGPP EALs HU4. 1 and HU4.2 is that a single fire alarm provides a verification time of 30 minutes. No distinction is made relative to the type of fire alarm. DGPP EAL HU4.2 includes two additional types of alarms that are not addressed in DGPP EAL HU4. 1. The NRG staff could not determine if the "incipient alarm" is an indication of a fire or if an "incipient alarm" represented a fire that may occur in hours or days following the alarm.

Please provide additional information for the NRG staff to determine whether or not an incipient alarm is equivalent to an actual fire alarm. If an incipient alarm is equivalent to a fire alarm, please include a note in HU4.1 and HU4.2 to provide the decision maker with sufficient information to make a timely and accurate assessment.

PG&E Response At DCPP, the incipient detection system is a "Very Early Warning" fire detection system that does not necessarily indicate a fire. It measures the products given off by insulation or components when they overheat. If any detector/zone alarms at its Low Level, System Trouble or Pre-Alarm Level in a fire zone, it actuates in the Control Room on Main Annunciator PK10-15 "Fire Alarm Trouble."

If any incipient detector/zone alarms at a higher level, which would mean it is sensing smoke or flames, it actuates in the Control Room on Main Annunciator PK10-10, "Fire Detected" and requires a determination within 15 minutes of whether or not a fire exists.

PG&E has replaced the cited basis statement with the following:

"Fire alarms or indications include, but are not limited to, smoke detectors, flame detectors, sprinkler and deluge alarms and flow switches that trigger main annunciator PK10-10 'Fire Detected.'

An 'incipient alarm' meets the intent of a 'single fire alarm' if it triggers at its high level and actuates the annunciator PK 10-10 'Fire Detected.'

However, for this EAL a 'pre-alarm' or an 'incipient alarm' that triggers main annunciator PK10-15 'Fire Alarm Trouble' does not meet the intent of a single fire alarm."

The above statement has also been a.dded to the HU4.1 basis.

Page 18 of 28

Enclosure 1 PG&E Letter DCL-17-055 NRC RAl-DCPP-21 The ERO Decision Making Information section of the basis discussion for the proposed DCPP EAL HS6. 1 states:

The determination of whether or not "control" is established at the remote safe shutdown location(s) is based on SM/SEC/ED judgment. The SM/SEC/ED is expected to make a reasonable, informed judgment within 15 minutes whether or not the operating staff has control of key safety functions from the remote safe shutdown Jocation(s). The 15 minute clock starts once plant control has been transferred to the Hot Shutdown Area (OP AP-BA Attachment 4 4BOV Bus Alignment and Appendix F Electrical System Actions).

The explanation provided above implies that completion of the identified step is the start time of the 15 minute declaration clock rather than transferring control from the control room to the hot shutdown area. This could delay the declaration of HS6. 1 in a timely manner. A licensee can typically transfer control to their site-specific remote control stations and implement their site-specific procedures within 15 minutes. If, in the judgement of the decision maker, control of the applicable HS6. 1 safety functions will not be able to establish, then a declaration of HS6. 1 is expected within 15 minutes.

Please remove the discussion that could add an extended or indeterminate amount of time to the EAL declaration start time, or explain how the requiring the completion of the identified steps will not delay a timely EAL declaration.

PG&E Response PG&E has added the following to the EAL for consistency with the Basis:

"SM/SEC/ED determination that control ..... " of any of the following key safety functions is not re-established within 15 minutes.

PG&E has replaced the EAL HS6.1 basis statements with the same wording as in EAL HA6.1, which states the following:

"For the purpose of this EAL the 15 minute classification clock starts when the last licensed operator leaves the Control Room:"

PG&E has added the following to the EAL HS6.1 basis statements:

"Jn making this determination, the SM/SEC/ED must be working through the procedures to establish control and have:

Page 19 of 28

Enclosure 1 PG&E Letter DCL-17-055

the required people to gain control of the key safety functions AND

an understanding that there are no known impediments that will prevent successfully taking control of the key safety functions."

NRC RAl-DCPP-22 The 3rd bullet in Table S-3 (Significant Transients) for the proposed DCPP EAL SA3. 1 states: "Electrical load rejection ;::: 25% electrical load." This is inconsistent with the endorsed guidance that states: "Electrical load rejection ;::: 25% full electrical load."

[Emphasis added]

Additionally, the DCPP basis for this EAL lists load rejections of greater than 25% full electrical load as a significant transient.

Please revise the EAL in alignment with the endorsed guidance, or provide a justification for this difference.

PG&E Response PG&E has revised the Table S-3, third bullet to include the word " ... full ... "

Note: The endorsed guidance (NEI 99-01 R6 ECL SA2, page 166) states this should be "greater than"(>), and not "greater than or equal to"(;:::). The Table S-3 statement now meets the endorsed guidance and reads "Electrical load rejection > 25% full electrical load."

NRC RAl-DCPP-23 The ERO Decision Making Information section of the basis discussion for the proposed DCPP EAL SU4. 1 states:

This EAL would be met if TS 3.4.16 Required Action C.1 (place plant in Mode 3 in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ) or C. 2 (place plant in Mode 5 in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months ) were not met.

This statement indicates that a declaration would not be required if the plant were shut down in the designated amount of time. This is not consistent with endorsed guidance which states:

This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. [Emphasis added]

Please revise the EAL in alignment with the endorsed guidance, or provide a justification for this difference.

Page 20 of 28

Enclosure 1 PG&E Letter DCL-17-055 PG&E Response When the Limiting Condition for Operation for TS 3.4.16 is not met and TS 3.4.16 Condition C is applicable, Required Actions C.1 (place plant in Mode 3 in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ) and C.2 (place plant in Mode 5 in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months ) must be met. PG&E believes that entry into the EAL should not be required while in compliance with the TS Required Actions. Not having an overlap between meeting the TS requirements and EAL entry criteria allows for more consistent training and timely and accurate classification.

NRC RAl-DCPP-24 For the proposed DCPP EALs SU6.1, SU6.2, SA6.1 and SS6.1, a power level (greater than or equal to 5%) was added to the EALs. The intent of the endorsed guidance is to align the EAL classifications with site-specific EOP criteria for a successful reactor shutdown, which would benefit the decision makers by providing consistent criteria.

The power level provided in the developer notes in the endorsed guidance is an example that represents one typical EOP indication for a generic power plant and was not intended to be a complete list of EOP indications for any specific power plant. The Reactor Trip or Safety Injection Action/Expected Response for Typical Westinghouse plants, such as DCPP, include reactor power decreasing and rod insertion indications to determine if the anticipated transient without a scram (A TWS) response procedure should be initiated. Additionally, the subcriticality critical safety function status trees (CSFSTs) for typical Westinghouse plants include both power and startup rate to determine whether or not an A TWS has occurred. The proposed A TWS EALs for DCPP appear to rely solely on a reactor power of 5% as an indication of a reactor trip.

Please revise to reflect the EOP reactor shutdown criteria in the EOPs, or use wording similar to endorsed guidance as necessary to support timely and accurate assessment of DCPP EALs SU6.1, SU6.2, SA6.1 and SS6.1.

PG&E Response PG&E has removed statements "as indicated by reactor power >5%" from the EALs SU6.1, SU6.2, SA6.1, and SS6.1.

The following was added to the Basis of EALs SU6.1, SU6.2, and SA6.1 for clarification: .

", which are outlined in EOP E-0 'Reactor Trip or Safety Injection,"'

For EAL SA6.1, the background information h.as been revised to state:

"If a reactor trip could NOT be accomplished from the Control Room panels, this EAL applies."

Page 21 of 28

Enclosure 1 PG&E Letter DCL-17-055 NRC RAl-DCPP-25 For the proposed DCPP EALs SA6. 1 and SS6. 1, the basis discussions include discussions that imply that if power were below a system design heat removal capacity, then an immediate response is not required for a reactor that has not been shutdown following a either the initiation of an automatic or manual trip. This is not consistent with endorsed guidance. Note: The basis discussions for SA6. 1 and SS6. 1 are similar enough to allow using only the below discussion for SA6.1 The Background discussion of the Basis for the proposed DCPP EAL SA6. 1 (Alert) states:

This IC addresses a failure of the RTS [reactor trip system] to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and subsequent operator manual actions taken at the reactor control consoles to shut down the reactor are also unsuccessfu[. This condition represents an actual or potential substantial degradation of the level of safety of the plant. An emergency declaration is required even if the reactor is subsequently shutdown by an action taken away from the reactor control consoles since this event entails a significant failure of the RTS.

This discussion is consistent with both the basis discussion for an automatic or manual.

trip that failed to shut down the reactor and the definition of an Alert that is included in endorsed guidance. However, Background discussion of the Basis for the proposed DCPP EAL SA6. 1 also states:

This EAL addresses any automatic or manual reactor trip signal that fails to shut down the reactor (reactor power< 5%) followed by a subsequent manual trip that fails to shut down the reactor to an extent the reactor is producing energy in excess of the heat load for which the SAFETY SYSTEMS were designed (ref. 1).

On the power range scale 5% rated power is a minimum reading on the power range scale that indicates continued power production. It also approximates the decay heat which the shutdown systems were designed to remove and is indicative of a condition requiring immediate response to prevent subsequent core damage. Below 5%, plant response will be -

similar to that observed during a normal shutdown. Nuclear instrumentation can be used to determine if reactor power is greater than 5% power (ref. 3, 4).

The above paragraphs could imply that as long as you are less than 5% power, than no actual or potential 'degradation of the level of safety of the plant exists. Considering that a failure of the RTS would most likely become apparent during transient conditions that either initiated an automatic reactor trip signal or were of sufficient magnitude for the Page 22 of 28

Enclosure 1 PG&E Letter DCL-17-055 operators to attempt a manual reactor trip, a failure of the RTS to shut down the reactor would represent an actual or potential substantial degradation of the level of safety of the plant. As such, an Alert should be declared if the reactor was not subcritic'al following an event involving a failure of the RTS to shut down the reactor whether or not reactor power was currently above 5% at the time of EAL assessment.

Additionally, the above paragraphs could imply that the actual or potential substantial degradation of the level of safety of the plant is based in system design rather than the reactor producing energy in excess of the existing heat load capability.

Please revise the basis discussion to clearly indicate that an Alert or Site Area Emergency, as appropriate, should be declared when an automatic or manual trifJ failed to shut down the reactor and manual trip actions at the control room panels were not successful in shutting down the reactor, or explain how the proposed wording will not cause delays or misclassifications for DCPP EAL SA6. 1 and SS6. 1 as appropriate.

PG&E Response PG&E has removed statements "as indicated by reactor power >5%" from EALs SA6.1 and SS6.1.

The background information has been revised to add clarifications to the Basis as noted in NRC RAl-DCPP-24.

NRC RAl-DCPP-26 For DCPP EAL SS6. 1, the licensee is proposing to add RCS bleed and feed criteria to the CSFST heat sink red path condition being met. In addition to being a deviation from endorsed guidance, the addition of RCS bleed and feed criteria does not appear to be consistent with the endorsed guidance. [Note: The RCS bleed and feed criteria was also added to the fission product barrier matrix. This is discussed in a separate RA/ that is specific to the fission product barriers.]

The proposed DCPP EAL SS6. 1 adds the condition AND bleed and feed criteria met" to the CSFST Heat Sink RED path conditions met threshold value. The licensee has provided Attachment 'A' of Attachment 1 to the DCPP LAR as justification. The proposed DCPP EAL SS6. 1 basis discussion states:

This IC addresses a failure of the RTS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, all subsequent operator actions to manually shut down the reactor are unsuccessful, and continued power generation is challenging the capability to adequately remove heat from the core and/or the RCS. This condition will lead to fuel damage if additional mitigation actions are unsuccessful and thus warrants the declaration of a Site Area Emergency.

Page 23 of 28

Enclosure 1 PG&E Letter DCL-17-055 The above discussion is consistent with both the basis discussion for an automatic or manual trip that failed to shut down the reactor and all manual actions to shut down the reactor are not successful and the definition of a Site Area Emergency that is included in endorsed guidance.

The endorsed guidance developer notes for EAL SSS, which corresponds to DCPP SS6. 1, states:

Insert site-specific parameters associated with inadequate RCS heat removal via the steam generators. These parameters should be identical to those used for the Inadequate Heat Removal threshold Fuel Clad Barrier Potential Loss 2.B and threshold RCS Barrier Potential Loss 2.A in the PWR EAL Fission Product Barrier Table.

Although. both DCPP SS6. 1 and the and the fission product barrier use the same criteria as described above, the basis discussion for DCPP SS6. 1 does not typically provide a discussion that contains the same level of detail that is found in the fission product barrier basis discussion. As such, the following fission product table discussions are included to provide details relative to the heat sink red path conditions that are used as assessment criteria for DCPP SS6. 1.

Enter the site-specific parameters and values that define an extreme challenge to the ability to remove heat from the RCS via the steam generators. These will typically be parameters and values that would require operators to take prompt action to address this condition.

For plants that have implemented Westinghouse Owners Group Emergency Response Guidelines, enter the parameters and values used in the Heat Sink Red path.

Additionally, the CSFST Rules of Usage for typical Westinghouse plants, such as DCPP, identify that under an extreme 9hallenge condition, typically identified as red path, that the operator shall immediately stop the procedure in effect and initiate functional restoration of the safety function under extreme challenge.

Based on the above, CSFST Heat Sink Red path conditions represent an extreme challenge to the ability to remove RCS heat via the steam generators (SGs). As such, the addition of the condition AND bleed and feed criteria met" to Heat Sink Red path conditions is not consistent with endorsed guidance.

)

Please remove the AND bleed and feed criteria met" from the proposed SS6. 1 or provide justification, in addition to that provided in Attachment A of Attachment 1 of the LAR, that supports this deviation from endorsed guidance.

Page 24 of 28

Enclosure 1 PG&E Letter DCL-17-055 PG&E Response PG&E has deleted the wording, "AND bleed and feed criteria mef' from EAL SS6.1 to be consistent with endorsed guidance. Therefore, Attachment A of Attachment 1 is no longer pertinent:

EAL SS6.1 has been revised, related to the heat sink threshold, to read:

CSFST Heat Sink-RED path conditions met AND Heat sink is required" The phrase "AND heat sink is required' was added to preclude the need for classification for conditions in which RCS pressure is less than SG pressure or Heat Sink-RED path entry was created through operator action directed by an EOP.

PG&E also added a new Note 11: *

"Note 11: In accordance with EOPs, there may be unusu.al accident conditions during

'which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using this EAL threshold is not warranted."

NRC RAl-DCPP-27 The proposed Potential Loss Threshold 1, for RCS or Steam Generator (SG) Tube Leakage, in the DCPP Fuel Clad Fission Barrier, states: "CSFST Integrity-Red PE!th conditions met," under the DCPP RCS Barrier. This is not consistent with the DCPP bases, which states: "CSFST RCS Integrity-Red Path." [Emphasis added]

Please revise accordingly to address inconsistency, or explain how a decision maker can make a timf?IY and accurate assessment without providing the same title that is used in, the CSFST title for RCS Integrity.

PG&E Response PG&E has revised RCS Potential Loss A.2 to read:

"CSFST RCS Integrity-RED path conditions met."

Table F-1 was also updated to reflect this change.

NRC RAl-DCPP-28 The.proposed DCPP fission product barriers: B.2 for Fuel Cladding, and B.1 for the RCS, add the condition AND bleed and,feed criteria met" to the CSFST Heat Sink RED Page 25 of 28

Enclosure 1 PG&E Letter DCL-17-055 path conditions met threshold value. The licensee has provided Attachment 'A' of of the DCPP LAR as justification for this "difference." Note: DCPP considers the proposed change to be a "difference." (However, the NRG staff considers the proposed change as a "deviation" from endorsed guidance.)

The endorsed guidance for fission product barriers: B. 2 for Fuel Cladding, and B. 1 for the RCS, state:

Enter the site-specific parameters and values that define an extreme challenge to the ability to remove heat from the RCS via the steam generators. These will typically be parameters and values that would require operators to take prompt action to address this condition.

For plants that have implemented Westinghouse Owners Group Emergency Response Guidelines, enter the parameters and values used 1

in the Heat Sink Red path.

Additionally, the CSFST Rules of Usage for typical Westinghouse plants, such as DCPP, identify that under an extreme challenge condition, typically identified as red path, that the operator shall immediately stop the procedure in effect and initiate functional restoration of the safety function under extreme challenge. As such, CSFST heat sink red path represents an extreme challenge to the ability to remove RCS heat via the SGs.

Please remove the AND bleed and feed criteria met" from the proposed fission product barriers or provide justification, in addition to that provided in Attachment A of of the LAR, that supports this deviation from endorsed guidance. Note:

The NRG staff does not consider the proposed wording to be consistent with a standard EAL scheme.

PG&E Response PG&E has deleted the wording "AND bleed and feed criteria mef' from Fuel Clad Potential Loss B.2 and RCS Potential Loss B.1.

Fuel Clad Potential Loss B.2 and RCS Potential Loss B.1 have been revised to read:

"CSFST Heat Sink-RED path conditions met AND Heat sink is required' Table F-1 was also updated to reflect this change.

The phrase "AND heat sink is required' was added to preclude the need for classification for conditions in which RCS pressure is less than SG pressure or Heat Sink-RED path entry was cr~ated through operator action directed by an EOP.

Page 26 of 28

Enclosure 1 PG&E Letter DCL-17-055 PG&E also added a new Note 11:

"Note 11: In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using this EAL threshold is not warranted."

NRC RAl-DCPP-29 For the proposed fuel clad and RCS fission product barriers, RED entry conditions for the heat sink CSFST are used as a threshold for a potential loss of either of these barriers. However, the endorsed guidance states: ,

In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted.

This guidance is included in the barrier threshold basis discussions; however, it is not included in the relevant barrier thresholds.

(

Please explain why the endorsed guidance concerning making classifications for heat sink conditions when operators intentionally reduce heat removal capability, in accordance with EOPs, is not included in the fission product barrier thresholds as this could result in an inaccurate EAL declaration, or revise accordingly.

PG&E Response PG&E has revised Fuel Clad Potential Loss B.2 and RCS Potential Loss B.1 to read:

"CSFST Heat Sink-RED path conditions met AND Heat sink is required

Table F-1 was also updated to reflect this change.

The phrase "AND heat sink is required was added to preclude the need for classification for conditions in which RCS pressure is less than SG pressure or Heat Sink-RED path entry was created through operator" action directed by an EOP.

PG&E also added a new Note 1.1:

"Note 11: In accordance withi EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted."

Page 27 of 28

Enclosure 1 PG&E Letter DCL-17-055 NRC RAl-DCPP-30 All of the proposed DCPP Fission Product Barriers Loss bases for Em,ergency Director Judgement include the following bulleted statement:

Barrier monitoring capability is decreased if there is a Joss or Jack of reliable indicators. This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

The Fission Product Barrier Potential Loss bases for Emergency Director Judgement in the endorsed guidance states:

The Emergency Director should also consider whether or not to declare the barrier potentially Jost in* the event that barrier status cannot be monitored.

The statement in the DCPP Fission Product Barriers Loss bases may cause a delay in classification due to confusion as to application of the Joss or potential Joss of the barrier in question. In addition, the three bulleted items appearing in the DCPP bases for the Joss or potential Joss are identical and may confuse the decision maker in differentiating between a Joss and a potential Joss.

Please revise the proposed Fission Product Barrier Emergency Director Judgement, Loss andlorPotential Loss bases to remove any wording that could either bound and/or modify the judgement of the Emergency Director concerning a loss, or potential Joss, of a fission product barrier, or explain how this wording will not potentially inhibit the judgement of the Emergency Director.

PG&E Response PG&E has deleted the cited basis related to barrier monitoring capability from Fuel Clad Loss E.1, RCS Loss E.1 and Containment Loss E.1.

Page 28 of 28

Enclosure 2 PG&E Letter DCL-17-055

\

PG&E Emergency Action Level Changes not Associated with Request for Additional Information Responses

- *--------~--------

TBD EAL# Description '

Change?

1. 3.1.1 Yes Added to Section for clarification:

Time based EALs should be evaluated upon first indication of the conditions. If someone is working to mitigate the condition in less than the time required, the declaration can*wait to see if they are successful within the time constraints. If there is indication that the threshold will be exceeded for the time period, the declaration should immediately be declared, regardless of the time remaining. In the case of leaks, the exceeded threshold will take some additional period of time to lower and must be taken into account.

When assessing an EAL that specifies a time duration for the off-normal condition, the "clock" for the EAL time duration runs concurrently with the emergency classification process "clock."

2. Definitions Yes Added defined term:

Offsite Response Organization (ORO)

Acronyms The State of California Office of Emergency Services and the County of San Luis Obispo Office of Emergency Services.

Added acronym:

SGBD ........ Steam Generator Slowdown

3. RA1.1 Yes Added to Basis Section for clarification:

RS1.1 Use Table R-1 only until dose assessment using currently approved software is available.

RG1.1 If a threshold value is met in Table R-1 for a classification, there is a 15 minute time limit to make the classification(##). If Dose Assessment software is available, it should be used instead (#1/.) since it is more accurate than the values in Table R-1. However, the Dose Assessment personnel must be able to calculate results within 15 minutes of the Table R-1 value being exceeded OR the classification should be made using Table R-1 (##).

Page 1of4

TBD EAL# Description Change?

4. RA1.3 Yes Added to EAL for consistency to align EAL wording with the approved IC:

"gaseous or' Added to Basis Section for consistency:

This EAL is determined by a gaseous or liquid sample.

analysis by the Count Room.

5. RA1.4 Yes Added to Basis Section for clarification:

RS1.3 This IC is based solely on field monitoring team results without performing calculations using the dose RG1.3 assessment software.

6. RA2.2 Yes Added to Basis Section for clarification:

EU1.1 Cask is sealed when welding is complete.

7. EU1.1 Yes Added missing definitions:

ISFSI and ISFSI PROTECTED AREA Added clarification concerning ISFSI location:

"and is inside the ISFSI PROTECTED AREA."

8. RA2.3 Yes Corrected typo and added clarification RS2.1 "- includes a 1 foot instrument indication uncertainty error margin" RG2.1

9. CU3.1 Yes Added to Basis Section for clarification:

CU3.2 The most limiting temperature indication (the highest valid reading temperature indication) should be used.

Page 2of4

TBD EAL# Description

. Change?

10. HU4.1 Yes Added to Basis Section for clarification:

HU4.2 *The Shift Manager needs to ask some specific que~tions to ensure they have the information needed to evaluate the situation.

Is there visible flame?

Are there copious quantities of smoke still being generated?

A smoked component (subject to overheating) should show blackened areas or signs that the component itself had been very hot (e.g., paint peeling). It can be expected to generate some lower level of smoke.

If there is so much smoke present that entry to inspect I the component is not possible without an SCBA, that would be an indication that a fire existed and determine if EAL HAS. 1 is applicable.

If a breaker truly suffered a fault local to the breaker, the damage and fire ball would be such that consideration of the Hazardous Event EAL SA9. 1 would be recommended, if a required Safety System was affected.

If indications of failing safety related equipment are attributable to the fire, consider Hazardous Event EAL SA9.1 In the case of a fire alarm in Containment, procedure OP K-2C should be followed to determine the existence of a fire in containme.nt.

Failure to declare an actual fire or an untimely _

declaration will be an NRG violation. The important thing is to make the initial declaration timely with respect to the time of the, initial indication. In all cases, document the indications considered for the decision made.

11. HU4.3 Yes Added in word omitted in Definitions:

PLANT PROTECTED AREA Corrected wording in ERO Decision Making Information to be consistent with Definitions

12. SU5.1 Yes Added to Basis Section for clarification:

If the leak is isolated, the RCS barrier was never lost.

Page 3of4

TBD EAL# Description Change?

13. SU8.1 Yes Edit Basis for clarification:

For the first condition, the containment isolation signal (i.e. Phase A, Phase B, CV/, SI, Main Steam Isolation) is required as the result on an off-normal/accident condition (e,g., a safety injection or high containment pressure), regardless if the signal actuated or not; a ,,

failure resulting from testing or maintenance does not warrant classification.

14. Table F-1 Yes Edit to match approved Basis statements to the EAL to state:

RCS PL With letdown isolated ...

A.1

15. RCS PL Yes Deleted site specific wording in Basis that was causing end A.1 user confusion with change #14 above.

16. Numerous Yes Made minor spelling, grammar, punctuation & reference changes/additions/deletions to various EALs

17. SU4.2 & Yes Updated background and reference based on most recent RCS FPB calculation to align source terms for SU4.2 & RCS FPB Loss Loss C.1 C.1

18. RA2.2 Yes Updated information to clarify which alarm setting applies to this EAL based on changes made to RU2.1 for RAI #7:

RM-58 and RM-59 each have two alarm settings.

The higher level alarm Hi Radiation setting initiates the Iodine Removal ventilation mode, and this alarm level meets the intent of this EAL.

The lower level Hi Radiation setting is identified as a "Trip 1" level indicated by an amber light on the Control Room module located behind the vertical boards on panel PAM 2. On the local area module, this setting is labeled as an Alert Alarm." A radiation dose level rise to this Trip 1 or Alert /eve/ radiation alarm does NOT meet the intent of this EAL. If RM-58 or 59 alarms at this setting, review RU2. 1 for applicability.

Page 4 of 4

Enclosure 3 PG&E Letter DCL-17-055 Diablo Canyon Power Plant Emergency Plan, Appendix D - Emergency Action level Technical Basis Document

Diablo Canyon Power Plant Emergency Plan Appendix D - Emergency Action Level Technical Basis Document I [Document No.] Rev. [X] Page 1 of 3081

Diablo Canyon Power Plant Emergency Plan TABLE OF CONTENTS SECTION *PAGE 1.0 PURPOSE ...........................................................................................................................................8 2.0 DISCUSSION ......................................................................................................................................8 2.1 Background ..............................................................................................................................9 2.2 Fission Product Barriers ...........................................................................................................9 2.3 Fission Product Barrier Classification Criteria ..........................................................................9 2.4 EAL Organization ...................................................................................................................1O 2.5 Technical Bases Information ..................................................................................................12 2.6 Operating Mode Applicability ................................................................................................ 13 3.0 GUIDANCE ON MAKING EMERGENCY CLASSIFICATIONS ......................................................... 14 3.1 General Considerations ........................................................................................................ 14 3.2 Classification Methodology ................................................................................................... 16 3.3 Notes on Development ......................................................................................................... 19

4.0 REFERENCES

....................................................................................................................:............ 20 4.1 Developmental...................................................................................................................... 20 4.2 Implementing .......................................................................................................................... 20 5.0 DEFINITIONS, ACRONYMS & ABBREVIATIONS ........................................................................... 21 6.0 DCPP TO NEI 99-01 Rev. 6 EAL CROSS-REFERENCE ................................................................. 32 7.0 ATTACHMENTS ...............................................................................................................................36

1. Emergency Action Level Technical Bases ........................................................................ 37 Category R Abnormal Rad Release I Rad Effluent ................................................... 37 Radiological Effluents RU1.1 ................................................................................................ 38 RU1 .2 ........................................ '. ...................................................... 40 RA1.1 ...............................................................................................42 RA1.2 ................................................................................................45 RA1.3 .................................................................*.............................. 47 RA1.4 ............................................................................................... 49 RS1 .1 ............................................................................................... 51 1

RS1.2 ............................... ***************************************************************** 54 RS1.3 ............................................................................................... 56 RG1.1 ............................................................................................... 58 RG1.2 ................................................................................................ 60 RG1 .3 .................................. :............................................................ 62 (continued)

I [Document No.] Rev. [X] Page 2 of 3081

Diablo Canyon Power Plant Emergency Plan Irradiated Fuel Events (continued)

RU2.1 ............................................................................................... 64 RA2.1 ............................................................................................... 67 RA2.2 ............................................................................................... 69 RA2.3 ............................................................................................... 71 RS2,1 ............................................................................................... 73

~

RG2.1 ............................................................................................... 75 Ar~a Radiation Levels RA3.1 .......................................................................~ ....................... 76 RA3.2 .~ ............................................................................................. 78 Category E ISFSl. ..................................................................................................... 81 ISFSI ................................................................................................ 82 Category C Cold Shutdown I Refueling System Malfunction .................................... 86 RCS Level CU1.1 ............................................................................................... 88 CU1.2 ................................................................................................ 90 CA1 .1 ........................................ ~ ...................................................... 94 CA1.2 ........................................................................................ :....... 96 CS1.1 ............................................................................................... 99 CS1.2 ............................................................................................. 101 CS1 .3 ............................................................................................. 103 CG1.1 ............................................................................................. 106 CG1.2 ............................................................................................. 110 Loss of Vital AC Power115 CU2.1 ............................................................................................. 115 CA2.1 ............................................................................................. 119 RCS Temperature CU3.1 ..................................... ~ ....................................................... 122 CU3.2 ................................................................................... :......... 124 CA3.1 ............................................................................................. 126 Loss of Vital DC Power CU4.1 ............................................................................................. 129 Loss of Communications CU5.1 ............................................................................................. 131 Hazardous Event Affecting Safety System CA6.1 ............................................................................................. 133 (continued)

I [Document No.] Rev. [X] Page 3 of 3081

Diablo Canyon Power Plant .Emergency Plan Category H Hazards ...........................................................*.................................... 136 Security HU1.1 ............................................................................................. 138 HA1.1 ............................................................................................. 141 HS1 .1 ............................................................................................. 144 Seismic Event HU2.1 ............................................................................................. 147 Natural or Technical Hazard HU3.1 ............................................................................................. 150 HU3.2 ............................................................................................. 151 HU3.3 ............................................................................................. 153 HU3.4 ............................................................................................. 154 Fire HU4.1 .... :........................................................................................ 155 HU4.2 ............................................................................................. 160 HU4.3 ............................................................................................. 166 HU4.4 ............................................................................................. 167 Hazardous Gases r-.

HA5.1 ............................................................................................. 169 Control Room Evacuation HA6.1 ............................................................................................. 174

HS6.1 ............................................................................................. 176 SM/SEC/ED Judgment HU7.1 ........................................ :.................................................... 177 HA7.1 ............................................................................................. 179 HS7.1 .............................................................................................. 181 HG7.1 ............................................................................................. 183 (continued)

I [Document No.] Rev. [X] Page 4 of 3081

Diab lo, Canyon Power Plant Emergency Plan

. Category S System Malfunction ............................................................................. 184 Loss of Vital AC Power SU1.1 ............................................................................................. 186 SA1 .1 ............................................................................................. 189 SS1 .1 ............................................................................................. 193 SG1 .1 ............................................................................................. 196 Loss of Vital DC Power SS2.1 ............................................................................................. 200

SG2.1 ............................................................................................. 202 Loss of Control Room Indication SU3.1 ............................................................................................. 205 SA3.1 ............................................................................................. 207 RCS Activity SU4.1 ............................................................................................. 210 SU4.2 ............................................................................................. 211 RCS Leakage SU5.1 .............................................................'................................ 212 RTS Failure SU6.1 ............................................................................................. 215 SU6.2 ............................................................................................. 218 SA6.1 .............................................................................................. 221 SS6.1 ..... :....................................................................................... 224 Loss of Communications SU7.1 ............................................................................................. 227 Containment Failure SU8.1 ............................................ ,.....-............................................. 229 Hazardous Event Affecting Safety Systems SA9.1 ............................................................................................. 231 Category F Fission Product Barrier Degradation .................................................... 234 FA1 .1 ............................................................................................... 236 FS1 .1 .............................................................................................. 237 FG1 .1 ............................................................................................. 238 (continued)

L~ocument No.] Rev. [X] Page 5 of 3081

Diablo Canyon Power Plant Emergency Plan

2. Fission Product Barrier Loss I Potential Loss Matrix and Bases ................................... 239 Table F-1 Fuel Cla.d (FC) Barrier ............................................................................... 241 A. RCS or SG Tube Leakage Loss 1 (none) ................................................................................ 242 Potential Loss 1 (none) ................................................................. 243 B. Inadequate Heat Removal

Loss 1 ........................*..................................................................... 244 Potential Loss 1 .............................................................................. 245 Potential Loss 2 .............................................................................. 246 C. GMT Radiation I RCS Activity Loss 1 ........................................ :.................................................... 249 Loss 2 ............................................................................................. 250.

Potential Loss 1 (none) ................................................................. 251 D. GMT Integrity or Bypass Loss 1 (none) ................................................................................ 252 Potential Loss 1 (none) ................................................................. 253 E. SM/SEC/ED Judgment Loss 1 ............................................................................................. 254 Potential Loss 1 .............................................................................. 256 Reactor Coolant System (RCS) Barrier A. RCS or SG Tube Leakage Loss 1............................................................................................. 258

Potential Loss 1 .............................................................................. 260 Potential Loss 2 .............................................................................. 262 B. Inadequate Heat Removal Loss 1 (none) .............. :.................................................................. 263 Potential Loss 1 .............................................................................. 264 C. GMT Radiation I RCS Activity Loss 1 ............................................................................................. 266 Potential Loss 1 (none) ................................................................. 267 D. GMT Integrity or Bypass Loss 1 (none) .... *............................................................................ 268 Potential Loss 1 (none) ................................................................. 269 E. SM/SEC/ED Judgment Loss 1 ............................................................................................. 270 Potential Loss 1 .............................................................................. 272 (continued)

I [Document No.] Rev. [X] Page 6 of 3081

Diablo Canyon Power Plant Emergency Plan Containment (GMT) Barrier A. RCS or SG Tube Leakage Loss 1.............................................................................................. 274 Potential Loss 1 (none) ................................................................. 276 B. Inadequate Heat Removal Loss 1 (none) ................................................................................ 277 Potential Loss 1 .............................................................................. 278 C. GMT Radiation I RCS Activity Loss 1 (none) ................................................................................ 280 Potential Loss 1 .............................................................................. 281 D. GMT Integrity or Bypass Loss 1 ............................ -~-............................................................... 282 Loss 2 ............................................................................................. 286 Potential Loss 1 .............................................................................. 290 Potential Loss 2 .............................................................................. 291 Potential Loss 3 .............................................................................. 292 E. SM/SEC/ED Judgment Loss 1............................................................................................. 294 Potential Loss 1 .............................................................................. 296

3. Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases ........................................ 298 I [Document No.] Rev. [X] Page 7 of 3081 J

1.0 PURPOSE This document provides an explanation and rationale for each Emergency Action Level (EAL) included in the EAL Upgrade Project for Diablo Canyon Power Plant (DCPP). It should be used to facilitate review of the DCPP EALs and provide historical documentation for future reference. Decision-makers (Shift Manager/Site Emergency Coordinator/Emergency Director (SM/SEC/ED)) responsible for implementation of EP G-1 Emergency Classification and Emergency Plan Activation, may use this document as a technical reference in support of EAL interpretation. This information may assist the SM/SEC/ED in making classifications, particylarly those involving judgment or multiple events. The basis information may also be usefuf in training and for explaining event classifications to off-site officials.

Because the information in a basis document can affect emergency classification decision-making (e.g., the SM/SEC/ED refers to it during an event), the NRG staff expects that changes to the basis document will be evaluated in accordance with the provisions of 10 CFR 50.54(q).

2.0 DISCUSSION 2.1 Background EALs are the plant-specific indications, conditions or instrument readings that are utilized to classify emergency conditions defined in the DCPP Emergency Plan.

In 1992, the NRG endorsed NUMARC/NESP-007 "Methodology for Development of Emergency Adion Levels" as an alternative to NUREG-0654 EAL guidance.

NEI 99-01 (NUMARC/NESP~007) Revisions 4 and 5 were subsequently issued for industry implementation. Enhancements over earlier revisions included:

Consolidating the system malfunction initiating conditions and example emergency action levels which address conditions that may be postulated to occur during plant shutdown conditions.

/

Initiating conditions and example emergency action levels that fully address conditions that may be postulated to occur at permanently Defueled Stations and 'Independent Spent Fuel Storage Installations (ISFSls).

Simplifying the fission product barrier EAL threshold for a Site Area Emergency.

Subsequently, Revision 6 of NEI 99-01 has been issued which incorporates resolutions to numerous implementation issues including the NRG EAL Frequently Asked Questions (FAQs).

Using NEI 99-01 Revision 6, "Methodology for the Development of Emergency Action Levels for Non-Passive Reactors," November 2012 (ref. 4.1.1), DCPP conducted an EAL implementation upgrade project that produced the EALs discussed herein.

I [Document No.] Rev. [X] Page 8 of 3081

2.2 Fission Product Barriers ,

Fission product barrier thresholds represent threats to the defense in depth design concept that l?recludes the release of radioactive fission products to the environment. This concept relies on multiple physical barriers, any one of which, if maintained intact, precludes the

release of significant amounts of radioactive fission products to the environment.

Many of the EALs derived from the NEI methodology are fission product barrier threshold based. That is, the conditions that define the EALs are b,ased upon thresholds that represent the loss or potential loss of one or more of the three fission product barriers. "Loss" and "Potential Loss" signify the relative damage and threat of damage to the barrieL A "Loss" threshold means the barrier no longer assures containment of radioactive materials. A "Potential Loss" threshold implies an increased probability of barrier loss and decreased certainty of maintaining the barrier.

The primary fission product barriers are:

A. Fuel Clad (FC): The Fuel Clad Barrier consists of the cladding material that contains the fuel pellets.

B. Reactor Coolant System (RCS): The RCS Barrier includes the RCS primary side and its connections up to and including the pressurizer safety and relief valves, and other connections up to and including the primary isolation valves.

C. Containment (CMT): The Containment Barrier includes the containment building and connections up to and including the outermost containment isolation valves. This barrier also includes the main steam, feedwater, and blowdown line extensions outside the containment building up to and including the outermost secondary side isolation valve.

Containment Barrier thresholds are used as criteria for escalation of the ECL from Alert to a Site Area Emergency or a General Emergency 2.3 Fission Product Barrier Classification Criteria The following criteria are the bases for event classification related to fission product barrier loss or potential loss:

Alert:

Any loss or any potential loss of either Fuel Clad or RCS barrier Site Area Emergency:

Loss or potential loss of any two barriers General Emergency:

Loss of any two barriers and loss or potential loss of the third barrier I [Document No.] Rev. [X] Page 9 of 3081

2.4 EAL Organization The DCPP EAL scheme includes the follov:-iing features:

Division of the EAL set"into three broad groups:

o EALs applicable under any plant operating modes - This group would be reviewed by the EAL-user any time emergency classification is considered.

o EALs applicable only under hot operating modes - This group would only be reviewed by the EAL-user when the plant is in Hot Shutdown, Hot Standby, Startup, or Power Operation mode.

o EALs applicable only under cold operating modes - This group would only be reviewed by the EAL-user when the plant is in Cold Shutdown, Refueling or Defueled mode.

The purpose of the groups is to avoid review of hot condition EALs when the plant is in a cold condition and avoid review of cold condition EALs when the plant is in a hot condition. This approach significantly minimizes the total number of EALs that must be reviewed by the EAL-user for a given plant condition, reduces EAL-user reading burden and, thereby, speeds identification of the EAL that applies to the emergency.

Within each group, assignment of EALs to categories and subcategories:

Category and subcategory titles are selected to represent conditions that are operationally significant to the EAL-user. The DCPP EAL categories are aligned to and represent the NEI 99-01"Recognition Categories." Subcategories are used in the DCPP scheme as necessary to further divide the EALs of a category into logical sets of possible emergency classification thresholds. The DCPP EAL categories and subcategories are listed below.

I [Document No.] Rev. [X] Page 10 of 3081

EAL Groups, Categories and Subcategories EAL Group/Category EAL Subcategory I

Any Operating Mode:

R - Abnormal Rad Levels I Rad Effluent 1 - Radiological Effluent 2 - Irradiated Fuel Event 3 - Area Radiation Levels H - Hazards and Other Conditions 1 - Security Affecting Plant Safety 2 - Seismic Event 3 - Natural or Technological Hazard 4- Fire 5 - Hazardous Gas 6 - Control Room Evacuation 7 - SM/SEC/ED Judgment E-ISFSI' 1 - Confinement Boundary Hot Conditions:

S - System Malfunction 1- Loss of Emergency AC Power 2- Loss of Vital DC Power 3- Loss of Control Room Indications 4- RCS Activity 5- RCS Leakage 6- RTS Failure 7- Loss of Communications 8- Containment Failure 9- Hazardous Event Affecting Safety Systems F - Fission Product Barrier Degradation None Cold Conditions:

C - Cold Shutdown I Refueling System 1- RCS Level Malfunction 2- Loss of Emergency AC Power 3- RCS Temperature 4- Loss of Vital DC Power 5- Loss of Communications 6- Hazardous Event Affecting Safety Systems The primary tool for determining the emergency classification level is the EAL Classification Wall Chart. The user of the EAL Classification Wall Chart may (but is not required to) consult the EAL Technical Bases Document in order to obtain additional information concerning the EALs under classification consideration. The user should consult Section 3.0 and Attachments 1 & 2 of this document for such information.

I [Document No.] Rev. [X] Page 11 of 3081

2.5 Technical Bases Information EAL technical bases are provided in Attachment 1 for each EAL according to EAL group (Any, Hot, Cold), EAL category (R, C, H, S, E and F) and EAL subcategory. A summary explapation of each category and subcategory is given at the beginning of the technical bases discussions of the EALs included in the category. For each EAL, the following information is provided:

Category Letter & Title Subcategory Number & Title Initiating Condition (IC)

Site-specific description of the generic IC given in NEI 99-01 Rev. 6.

EAL Identifier (enclosed in rectangle)

Each EAL is assigned a unique identifier to support accurate communication of the emergency classification to onsite and offsite personnel. Four characters define each EAL identifier:

1. First character (letter): Corresponds to the EAL category as described above (R, C, H, S, E or F)

2. Second character (letter): The emergency classification (G, S, A or U)

G = General Emergency S = Site Area Emergency A= Alert U = Unusual Event

3. Third character (number): Subcategory number within the given category.

Subcategories are sequentially numbered beginning with the number one (1 ). If a category does not have a subcategory, this character is assigned the number one (1 ).

4. Fourth character (number): The numerical sequence of the EAL within the EAL subcategory. If the subcategory has only one EAL, it is given the number one (1 ).

Classification (enclosed in rectangle):

Unusual Event (U), Alert (A), Site Area Emergency (S) or General Emergency (G)

EAL (enclosed in rectangle)

Exact wording of the EAL as it appears in the EAL Classification Matrix Mode Applicability One or more of the following plant operating conditions comprise the mode to which each EAL is applicable: 1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown, 5 -

Cold Shutdown, 6 - Refueling, D - Defueled, or Any. (See Section 2.6 for operating mode definitions)

Definitions:

If the EAL wording contains a defined term, the definition of the term is included in this section. These definitions can also be found in Section 5.1.

I [Document No.] Rev. [X] Page 12 of 3081 l_ . . LC_

Basis:

An EAL basis section that provides both generic anc::I site-specific ERO decision making guidance as well as background information that supports the rationale for the EAL as provided in NEI 99-01 Rev. 6.

DCPP Basis Reference(s):

Site-specific source documentation from which the EAL is derived 2.6 Operating Mode Applicability (ref. 4.1.7) 1 Power Operation

Kett;::: 0.99 and reactor thermal power> 5%

2 Startup Kett;::: 0.99 and reactor thermal power :5 5%

1 3 Hot Standby Kett< 0.99 and average coolant temperature ;::: 350°F 4 Hot Shutdown Kett< 0.99 and average coolant temperature 350°F > T avg > 200 °F with all reactor vessel head closure bolts fully tensioned 5 Cold Shutdown Kett< 0.99 and average coolant temperature :5 200°F with all reactor vessel head

. closure bolts fully tensioned 6 Refueling One or more reactor vessel head closure bolts are less than fully tensioned D Defueled Reactor vessel contains no irradiated fuel (full core off-load during refueling or extended outage).

The plant operating mode that exists at the time that the event occurs (prior to ariy protective system or operator action being initiated in response to the condition) should be compared to the mode applicability of the EALs. If a lower or higher plant operating mod~ is reached before the emergency classification is made, the declaration shall be based on the mode that existed at the time the event occurred.

I [Document No.] ~1 Rev. [X] Page 13 of 3081

3.0 GUIDANCE ON MAKING EMERGENCY CLASSIFICATIONS 3.1 General Considerations When making an emergency classification, the SM/SEC/ED must consider all information having a bearing on the proper assessment of an Initiating Condition (IC). This includes the Emergency Action Level (EAL) plus the associated Operating Mode Applicability, Notes, and the informing basis information. In the Recognition Category F matrices, EALs are based on loss or potential loss of Fission Product Barrier Thresholds.

In this Technical Basis Document (TBD), the Basis Section is divided up into two subsections.

The first is the ERO Decision Making Information followed by a Background Section. The ERO Decision Making Information section highlights key data and pertinent information that is more likely to immediately assist key decision makers in classification as compared to more generic background information. However, decision makers (SM/SEC/ED) are still responsible for assessing all TBD information at is pertains to the Emergency Action Level (EAL).

3.1.1 Classification Timeliness NRG regulations require the licensee to establish and maintain the capability to assess, classify, and declare an emergency condition within 15 minutes after the availability of indications to plant operators that an emergency action level has been exceeded and to promptly declare the emergency condition as soon as possible following identification of the appropriate emergency classification level (ref. 4.1.9).

Time based EALs should be evaluated upon first indication of the conditions. If someone is working to mitigate the condition in less than the time required, the declaration can wait to see if they are successful within the time constraints. If there is indication that the threshold will be exceeded for the time period, the declaration should immediately be declared, regardless of the time remaining. In the case of leaks, the exceeded threshold will take some additional period of time to lower and must be taken into account.

When assessing an EAL that specifies a time duration for the off-normal condition, the "clock" for the EAL time duration runs concurrently with the emergency classification process "clock."

3.1.2 Valid Indications All emergency classification assessments shall be based upon valid indications, reports or conditions. A valid indication, report, or condition, is one that has been verified through .

appropriate means such that there is no doubt regarding the indicator's operability, the condition's existence, or the report's accuracy. For example, verification could be accomplished through an instrument channel check, response on related or redundant indicators, or direct observation by plant personnel. The validation of indications should be completed in a manner that supports timely emergency declaration.

An indication, report, or condition is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

I [Document No.] Rev. [X] Page 14 of 3081

3.1.3 Imminent Conditions For ICs and EALs that have a stipulated time duration (e.g., 15 minutes, 30 minutes, etc.), the SM/SEC/ED should not wait until the applicable time has elapsed. The SM/SEC/ED should declare the event as soon as it is determined that the condition has e~ceeded, or will likely exceed, the applicable time. If an ongoing radiological release is detected and the release start time is cannot be determined, it should be assumed that the release duration specified in the IC/EAL has been exceeded, absent data to the contrary.

3.1.4 Planned vs. Unplanned Events A planned work activity that results in an expected event or condition which meets or exceeds an EAL does not warrant an emergency declaration provided that: 1) the activity proceeds as planned, and 2) the plant remains within the limits imposed by the operating license. Such activities include planned work to test, manipulate, repair, maintain or modify a system or component. In these cases, the controls associated-with the planning, preparation and execution of the work will ensure that compliance is maintained with all aspects of the operating license provided that the activity proceeds and concludes as expected. Events or conditions of this type may be subject to the reporting requirements of 10 § CFR 50. 72 (ref.

4.1.4).

3.1.5 Classification Based on Analysis The assessment of some EALs is based on the results of analyses that are necessary to ,'

ascertain whether a speeific EAL threshold has been exceeded (e.g., dose assessments, chemistry sampling, RCS leak rate calculation, etc.). For these EALs, the EAL wording or the associated basi~ discussion will identify the necessary analysis. In these cases, the 15-minute declaration period starts with the availability of the analysis results that show the threshold to be exceeded (i.e., this is the time that the EAL information is first available). The NRG expects licensees to establish the capability to initiate and complete EAL-related analyses within a reasonable period of time (e.g., maintain the necessary expertise on-shift). For example, a coolant activity sample is taken. Chemistry reports results indicate activity greater than Technical Specification limits. The classification clock begins when Chemistry reports the sample results.

3.1.6 SM/SEC/ED Judgment While the EALs have been developed to address a full spectrum of possible events and conditions which may warrant emergency classification, a provision for classification based on operator/management experience and judgment is still necessary. The NEI 99-01 EAL scheme provides the SM/SEC/ED with the ability to classify events and conditions based upon judgment using EALs that are consistent with the Emergency Classification Level (EGL) definitions (refer to Category H). The SM/SEC/ED will need to determine if the effects or consequences of the event or condition reasonably meet or exceed a particular EGL definition.

A similar provision is incorporated in the Fission Product Barrier Tables; judgment may be used to determine the status of a fission product barrier.

I [Docum~nt No.] Rev. [X] Page 15 of 3081

3.2 Classification Methodology To make an emergency classification, the user will compare an event or condition (i.e., the relevant plant indications and reports) to an EAL(s) and determine if the EAL has been met or exceeded. The evaluation of an EAL must be consistent with the related Operating Mode Applicability and Notes. If an EAL has been met or exceeded, the associated IC is likewise met, the emergency classification process "clock" starts, and the ECL must be declared in accordance with plant procedures no later than fifteen minutes after the process "clock" started.

When assessing an EAL that spedfies a time duration for the off-normal condition, the "clock" for the EAL time duration runs concurrently with the emergency classification process "clock."

(ref. 4.1.9).

3.2.1 Classification of Multiple Events and Conditions When multiple emergency events or conditions are present, the user will recognize all met or exceeded EALs. The highest applicable ECL identified during this review is declared. For example: *

If an Alert EAL and a Site Area Emergency EAL are met, whether at one unit or at two different units, a Site Area Emergency should be declared.

There is no "additive" effect from multiple EALs meeting the same ECL. For example:

If two Alert EALs are met, whether at one unit or at two different units, an Alert should be declared.

Related guidalilce concerning classification of rapidly escalating events or conditions is provided in Regulafory Issue Summary (RIS) 2007-02, Clarification of NRG Guidance for Emergency Notifications During Quickly Changing Events (ref. 4.1.2).

3.2.2 Consideration of Mode Changes During *Classification The mode in effect at the time that an event or condition occurred, and prior to any plant or operator response, is the mode that determines whether or not an IC is applicable. If an event or condition occurs, and results in a mode change before the emergency is declared, the emergency classification level is still based on the mode that existed at the time that the event or condition was initiated (and not when it was declared). Once a different mode is reached, any new event or condition, not related to the original event or condition, requiring emergency classification should be evaluated against the ICs and EALs applicable to the operating mode at the time of the new event or condition.

For events that occur in Cold Shutdown or Refueling, escalation is via EALs that are applicable in the Cold Shutdown or Refueling modes, even if Hot Shutdown (or a higher mode) is entered during the subsequent plant response. In particular, the fission product barrier EALs are applicable only to events that initiate in the Hot Shutdown,mode or higher.

For example, a loss of decay heat removal when in Mode 5 results in RCS temperature exceeding 200?F. Escalation of the loss of decay heat removal event will be via the cold condition mode EALs even though the plant is now in Mode 4 as a result of the RCS temperature increase. However, any subsequent new evenUcondition must be assessed against the hot condition EALs (Mode 4 and above).*

I [Document No.] Rev. [X] Page 16 of 3081

3.2.3 Classification of Imminent Conditions Although EALs provide specific thresholds, the SM/SEC/ED must remain alert to events or conditions that could lead to meeting or exceeding an EAL within a relatively short period of time (i.e., a change in the EGL is imminent). If, in the judgment of the SM/SEC/ED, meeting an EAL is imminent, the emergency classification should be made as if the EAL has been met.

While applicable to all emergency classification levels, this approach is particularly important at the higher emergency classification levels since it provides additional time for implementation of protective measures.

3.2.4 Emergency Classification Level Upgrading and Downgrading An EGL may be downgraded when the event or condition that meets the highest IC and EAL no longer exists, and other site-specific downgrading requirements are met. If downgrading the EGL is deemed appropriate, the new EGL would then be based on a lower applicable IC(s)

and EAL(s). The EGL may also simply be terminated. Refer to EP G-1 Emergency Classification and Emergency Plan Activation for guidance on downgrading and terminating an EGL. Refer to EP OR-3 Emergency Recovery for guidance for entering long-term recovery.

As noted above, guidance concerning classification of rapidly escalating events or conditions is provided in RIS 2007-02 (ref. 4.1.2).

3.2.5 Classification of Short-Lived Events Event-based ICs and EALs define a variety of specific occurrences that have potential or actual safety significance. By their nature, some of these events may be short-lived and, thus, over before the emergency classification assessment can be completed. If an event occurs that meets or exceeds an EAL, the associated EGL must be declared regardless of its continued presence at the time of declaration. Examples of such events include an earthquake or a failure of the reactor protection system to automatically trip the reactor followed by a successful manual trip.

3.2.6 Classification of Transient Conditions Many of the ICs and/or EALs employ time-based criteria. These criteria will require that the IC/EAL conditions be present for a defined period of time before an emergency declaration is warranted. In cases where no time-based criterion is specified, it is recognized that some transient conditions may cause an EAL to be met for a brief period of time (e.g., a few seconds to a few minutes). The following guidance should be applied to the classification of these conditions.

EAL momentarily met during expected plant response - In instances where an EAL is briefly met during an expected (normal) plant response, an emergency declaration is not warranted provided that associated systems and components are operating as expected, and operator actions are performed in accordance with procedures.

(continued)

I [Document No.] Rev. [X] Page 17 of 3081

EAL momentarily met but the condition is corrected prior to an emergency declaration - If an operator takes prompt manual action to address a condition, and the action is successful in correcting the condition prior to the emergency declaration, then the applicable EAL is not considered met and the associated emergency declaration is not required. For illustrative purposes, consider the following example:

An ATWS occurs and the high pressure ECCS systems fail to automatically start. RPV level rapidly decreases and the plant enters an inadequate core cooling condition (a potential loss of both the fuel clad and RCS barriers). If an operator manually starts a high pressure ECCS system in accordance with an EOP step and clears the inadequate core cooling condition prior to an emergency de.claration, then the classification should be based on the ATWS only.

' It is important to stress that the 15-minute emergency classification assessment period (process clock) is not a "grace period" during which a classification may be delayed to allow the~performance of a corrective action that would preclude the need to classify the event.

Emergency classification assessments must be deliberate and timely, with no undue delays.

The provision discussed above addresses only those rapidly" evolving situations when an operator is able to take a successful corrective action prior to thEl SM/SEC/ED completing the review and steps necessary to make the emergency declaration. This provision is included to ensure that any public protective actions resulting from the emergency classification are truly warranted by the plant conditions.

3.2.7 After-the-Fact Discovery of an Emergency Event or Condition In some cases, an EAL may be met but the emergency classification was not made at the time

. of the event or condition. This situation can occur when personnel discover that an event or condition existed which met an EAL, but no emergency was declared, and the event or condition no longer exists at the time of discovery. This may be due to the event or condition not _being recognized at the time or an error that was made in the emergency classification process.

In these cases, no emergency declaration is warranted; however, the guidance contained in NUREG-1022 (ref. 4.1.3) is applicable. Specifically, the event should be reported to the NRC in accordance with 10 CFR § 50.72 (ref. 4.1.4) within one hour of the discovery of the undeclared event or condition (refer to Xl1.ID2 Regulatory Reporting Requirements and Reporting Process (ref. 4.1.11 )). The licensee should also notify appropriate State and local agencies in accordance with the agreed upon arrangements.

3.2.8 Retraction of an Emergency Declaration Guidance on the .retraction of kn emergency declaration reported to the NRC is discussed in NUREG-1022 (ref. 4.1.3).

3.3 Notes on Development 3.3.1 Seiection of Rad Monitors in Table R-1 For the Plant Vent, only RM-14/14R and RM-87 are used.

The deletion of RM-24/24R; RM-28/28R, RM-71-74 and RM-.3 from previous EAL schemes is explained below:

A. 1(2)-RM-24/24R are Plant Vent 1-131 isokinetic continuous inline sample low range monitors that constitute the 1-131 (halogen) channels for the plant vent. 1(2)-RM-24/24R

/ [Document No.] Rev. [X] Page 18 of 308 /

are in the same sample stream as the 1(2)-RM-14/14R noble gas monitor channels. 1(2)-

RM-24/24R are not commonly used for accident monitoring as halogens are collected on media and will not accurately represent a release rate for the postulated event used as the

)

basis for the NEI 99-01 Rev 6 EALs (cumulative deposition will progressively over estimate accident releases). While it is possible to mathematically develop an EAL threshold for the halogen channel, it has limited value and is redundant to the noble gas channel as applicable halogen components are factored into the 1(2)-RM-14/14R EAL threshold developed by the MIDAS dose assessment model.

B. 1(2)-RM-28/28R are Plant Vent particulate isokinetic continuous in line sample low range monitors that constitute the particulate channels for the plant vent. 1(2)-RM-28/28R are in the same sample stream. as the 1(2)-RM-14/14R noble gas monitor channels. 1(2)-RM-28/28R are not commonly used for accident monitoring as particulates are collected on media and will not accurately represent a release rate for the postulated event used as the basis for the NEI 99-01 Rev 6 EALs (cumulative deposition will progressively over estimate accident releases). While it is possible to mathematically develop an EAL threshold for the particulate channel, it has limited value and is redundant to the noble gas channel as applicable particulate components are factored into the 1(2)-RM-14/14R EAL threshold developed by the MIDAS dose assessment model.

C. 1(2)-RM-71/72/73/74 are RG 1.97 Rev 3 ML003740282 main steam line gross gamma radiation monitors which are not part of the radioactive effluents program. The use of these area radiation monitors as an indirect means of release rate estimation involve a significant number of fixed assumptions for input variables, such as steam isotopic concentration, SG pressure, RCS leak rate and valve position. While DCPP maintains the capability to input variables necessary to perform dose projections from MSL monitors in the MIDAS model, developing a fixed value for EAL thresholds was not included in the EAL scheme change submittal as a single derived value Js not likely to be representative and potentially could force an incorrect classification.

D. O-RM-3 is a leak detection monitor for the Oily Water Separator tank, which typically contains no radioactive material. Like numerous other leak detection monitors, the OWS does not meet the NEI 99-01 criteria of a normally occurring continuous radioactivity release effluent pathway or a planned batch release non-continuous pathway.

Contamination of this system, as with many other leak detection monitors, would only occur during a primary-to-secondary leakage and thus is not appropriate for use as an EAL threshold.

3.3.2 Rad level threshold values 3.3.2.1 The Rev 6 EAL threshold values for TablE? R-1 are based on:

MIDAS Dose Assessment program, which is more accurate than the previously used QuickDose Dose Assessment program.

NUREG 1940 and 1465 gap source term derived using WCAP-14696-A Core Damage Assessment Guidance (CDAG), and PRFs from NUREG 1940 and Response Technical Manual (RTM)-96.

Release duration of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months

Plant vent flow rate 207,750 cfm

XIQ calculated by MIDAS dose assessment program using wind speed and stability from FSAR Section 2.3.3.2.7; 10 mph, FSAR Tables 2.3-42 through 2.3 stability class with the highest frequency* is E.

I [Document No.] I Rev. [X] Page 19 of 3081

3.3.2.2 The Rev 6 EAL threshold values for Table F-1 Containment and Fuel Clad losses are based on:

NUREG 1940 and 1465 gap source term derived using WCAP-14696-A CDAG, and PRFs from NUREG 1940 and RTM-96 3.3.2.3 The Rev 6 EAL threshold values for SU4.2 and Table F-1 RCS loss are based on:

WECTEC technical report 14078104-RADR-001-6 Rev 6, "Implementation of Alternate Source Terms (AST)", Tables 4.2-1 "Primary and Secondary Coolant Technical Specification Activity Concentrations" and 4.2-2 "Primary Coolant Pre-Accident Iodine Spike Concentrations & Equilibrium Iodine Appearance Rates", adjusted for an activity equivalent to 10% of the TS 3.4.16 limit of 60 µCi/g of dose equivalent (DE) 1-131 and 270 µCi/g of DE Xe-133, was used along with WCAP-14696-A CDAG CRM1 release fraction assumptions to develop the site specific source term.

4.0 REFERENCES

4.1 Developmental 4.1.1 NEI 99-01 Revision 6, Methodology for the Develop.ment of Emergency Action Levels for Non-Passive Reactors, ADAMS Accession Number ML12326A805 4.1.2 RIS 2007-02 Clarification of NRC Guidance for Emergency Notifications During Quickly Changing Events, February 2, 2007.

4.1.3 NUREG-1022 Event Reporting Guidelines: 10CFR50.72 and 50.73 4.1.4 10CFR 50.72 Immediate Notification Requirements for Operating Nuclear Power Reactors 4.1.5 10CFR 50.73 License Event Report System 4.1.6 Final Safety Analysis Report Update (UFSAR), Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points 4.1.7 Technical Specifications Table 1.1-1 Modes 4.1.8 Administrative Procedure AD8.DC54 "Containment Closure" 4.1.9 NSIR/DPR-ISG-01 Interim Staff Guidance, Emergency Planning for Nuclear Power Plants 4.1.10 DCPP Emergency Plan 4.1.11 Xl1.ID2 Regulatory Reporting Requirements and Reporting Process 4.1.12 . DCPP Security and Safeguards Contingency Plan 4.2 Implementing 4.2.1 .EP G-1 Emergency Classification and Emergency Plan Activation 4.2.2 NEI 99-01 Rev. 6 to DCPP EAL Comparison Matrix 4.2.3 DCPP EAL Wall Chart I [Document No.] Rev. [X] Page 20 of 3081

5.0 DEFINITIONS, ACRONYMS & ABBREVIATIONS 5.1 Definitions Selected terms used in Initiating Condition and Emergency Action Level statements are set in all capital letters (e.g., ALL CAPS). These words are defined terms that ha'{e specific meanings as used in this document. The definitions of these terms are provided below.

Alert Events are in progress, or have occurred, which involve an actual or potential substantial degradation of the level of safety of the plant OR A SECURITY EVENT that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION.

Any releases are expected to be small fractions of the EPA PROTECTIVE ACTION GUIDELINE exposure levels.

Confinement Boundary The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. As applied to the DCPP ISFSI, the confinement boundary is defined to be the Multi-Purpose Canister (MPC).

Containment Closure The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 "Containment Closure" (ref. 4.1.8).

Degraded Performance As applied to hazardous event thresholds, damage significant enough to cause concern regarding the operability or reliability of the affected safety system train.

Emergency Action Level A pre-determined, site-specific, observable threshold for an Initiating Condition that, when met or exceeded, places the plant in a given emergency classification level.

Emergency Classification Level One of a set of names or titles established by the US Nuclear Regulatory Commission (NRC) for grouping off-normal events or conditions according to (1) potential or actual effects or consequences, and (2) resulting onsite and offsite response action.s. The emergency

. classification levels, in ascending order of severity, are: Unusual Event (UE), Alert; Site Area Emergency (SAE) and General Emergency (GE).

EPA Protective Action Guidelines (EPA PAG)

The EPA PAGs are expressed in terms of dose commitment: 1 Rem TEDE or 5 Rem COE Thyroid. Actual or projected offsite exposures in excess of the EPA PAGs requires DCPP to recommend protective actions for the general public to offsite response organizations.

I [Document No.] R~v. [X] Page 21 of 3081

Explosion A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical' reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to

determine if the attributes of an explosion are present.

Faulted The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized.

Fire Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but I is NOT required if large quantities of smoke and heat are observed.

Fission Product Barrier Threshold A pre-determined, site-specific, observable threshold indicating the loss or potential loss of a fission product barrier. (refer to Section 2.2)

Flooding A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

General Emergency Events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity OR HOSTILE ACTIONS that result in an actual loss of physical control of the facility.

Releases can be reasonably expected to exceed EPA PROTECTIVE ACTION GUIDELINE exposure levels offsite for more than the immediate site area.

Hostage A person(s) held as leverage against the station to ensure that demands will be met by the station.

Hostile Action An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included.

Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA).

I [Document No.] Rev. [X] Page 22 of 3081

Hostile Fprce One or more individuals who are engaged in a determined assault, overtly or by stealth and deception, equipped with suitable weapons capable of killing, maiming, or causing destruction.

Imminent The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective _)actions.

lmpede(d)

Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

Independent Spent Fuel Storage Installation (ISFSI)

A complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage.

ISFSI Protected Area Areas within the ISFSI to which access is strictly controlled in accordance with the station's Security Plan.

Initiating Condition An event or condition that aligns with the definition of one of the four emergency classification levels by virtue of the potential or actual effects or consequences.

Intact (RCS)

The RCS should be considered intact when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle dams) (ref.

4.1.8).

Offsite Response Organizations (ORO)

The State of California Office of Emergency Services and the County of San Luis Obispo Office of Emergency Services.

Owner Controlled Area (OCA)

For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and

. Safeguards Contingency Plan (ref. 4.1.12).

Projectile An object directed toward a Nuclear Power Plant that could cause concern for its continued operability, reliability, or personnel safety.

Plant Protected Area Areas to which access is strictly controlled in accordance with the station's Security Plan.

c Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the Plant Protected Area.

I [Document No.] Rev. [X]

I Page 23 of 3081

RCS Leakage RCS Leakage shall be:

a. Identified Leakage

1. Leakage, such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured and conducted to collection systems or a sump or collecting tank;

2. Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage;

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage Leakage (except primary to secondary leakage) through a non-isolable fault in an RCS component body, pipe wall, or vessel wall.

d.

RCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that directly see RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the sh~tdown cooling mode).

Reduced Inventory Condition (RIC)

The condition existing whenever RCS water level is lower than 3 feet below the reactor vessel flange (below 111-foot elevation) with fuel in the core.

Refueling Pathway The refueling cavity, spent fuel pool and fuel transfer canal comprise the refueling pathway.

Ruptured The condition of a steam generator in which primary-to-secondary leakage is of sufficient magnitude to require a safety injection.

Safety System A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

I [Document No.] Rev. [X] Page 24 of 3081

Security Condition Any SECURITY EVENT as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A security condition does not involve a HOSTILE ACTION.

Security Event Any incident representing an attempted, threatened, or actual breach of the security system or reduction of the operational effectiveness of that system. A security event can result in either a SECURITY CONDITION or HOSTILE ACTION (ref. 4.1.12).

,, Site Area Emergency Events are in progress or have occurred which involve actual or likely major failures of plant

functions needed for protection of the public OR HOSTILE ACTIONS that result in intentional damage or malicious acts; (1) toward site personnel or equipment that could lead to the likely failure of or; (2) that prevent effective access to equipment needed for the protection of the public.

Any releases are not expected to result in exposure levels which exceed EPA PROTECTIVE ACTION GUIDELINES exposure levels beyond the SITE BOUNDARY.

Site Boundary As depicted in the Final Safety Analysis Report Update (UFSAR), Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points (ref. 4.1.6).

Tornado A violently rotating column of air in contact with the ground and extending from the base of a thunderstorm.

Unisolable An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed due to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

Unplanned A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Unusual Event Events are in progress or have occurred which indicate a potential degradation in the level of safety of the plant OR Indicate a security threat to facility protection has been initiated.

No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of SAFETY SYSTEMS occurs.

I [Document No.] j, Rev. [X] Page 25 of 3081

Valid An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

Visible Damage Damage to a SAFETY SYSTEM train that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train.

I [Document No.] Rev. [X] Page 26 of 3081

\

~,

\

p;,~11:l1Jt.:'l i~"ri Qi!;JA-J1.t.El!'.fU.E'f '!!)_

- .. . .. :tlE Stw~t-i!}il.lt.Y .

E~tbuil:Ol< .. Hf4 ~O'JUr.... '1¥

\."°~n:a1*.10'tP.M(J. fl~utt0.4~

-FA~.t;

-~~t'!'fi\I. 1trv. rt .. ~.~.i,.n. t *th.If:*

.*e.*~.-: 'errri.i~C-1'1~i1( f.:mi::M.*._

.---.-~-

210-.'*. ,.,,,..

....... '>,HO** .. ,.

. ¢1:'\1 ?UT.C:OLL!:e:"l'°"'~TS1'i;iu* .

-=~-.

31~ ..

.. ; Q'1 e0rdAM'01*1:ttiY l'_lilfieoC. C>.JJAt.i::T ::t1¢o*" : >.<-;" 0 .C. r;_ A* :rt

. .:..fl)_ ~~~~~~:;t ;~~~~~AV'-: .* _,.1-*0' :*1,t..r;: ::rAiitt: _

F:SAR ~PDATE ..

**'ll'*C:OHOrnup;*4J!Pit:meum"

_-*_ it.llttAUl:T* .-*> . ".>1tt ,__

">*N:!~* .1.Arll

, **i.tJ. ~n.,,.1nu:nM( rXJ.. .-.wrtf"- *. . . UNITS*.1 ANO 2',

-*~*

. :..

bt.0"1'1~'11 Dl~Ct1,i1,:..*,;:1t:**. '- *. * ~ _:~n11.

~**tUIJ!Q.,ft.M~'t't-n:C)(!':tACff ..

G. ?11'i"Mll_'fl~lll5'ft.A10~ 9'1-¢i'!OOM**.

- rn. :z..-w *:u~*** *DIABLO -CANY.ON)~ITE' l.~* :.~*~i~'!~'fu:*~*c;; 1~~Li)~-.': -

. H>1- ::~"~~' _:.~.~

,-, :,l'<<J*' :i:~-'*

,. -*A1'it:t1'CVfH%C>iAAt;.U- *.<<li*

.C)'.l!'fll;l'i$~f.1Aft~-t \f'At,'JJ;* -~tl.$T.Ol1

'**.' .OC:t:tt-\~~c:.- , .. *- *J<:<<>:

-~~-

'Y\ill _,2!1

C( L~~1~:o~~c.k~*'.f9.0t'.iA..:,.- ~ *l.-t~-::i

[Document No.] Rev. [X] Page 27 of 308

5.2 Abbreviations/Acronyms

°F ................................................................................................................ Degrees Fahrenheit 0

- - - - - ********************************************************* Degrees AC ............................................................................................................... Alternating Current AFW ........................................................................................................... Auxiliary Feedwater AOP ......................................................................................... Abnormal Operating Procedure ATL ..............................................................................................................Automatic Tie Line ATWS .............................................................................. Anticipated Transient Without Scram BA ............................................................................................................................. Boric Acid BART ................................................................................................. Boric Acid Reserve Tank BAST ................................................................................................... Boric Acid Storage Tank CAS .......................................................................................................... Central Alarm Station CCW ............................................................................................... Component Cooling Water CC(#) ............................................................................................... Control Console (number)

CDAG .................................................................. Core Damage Assessment Guidance COE .............................................................................................. Committed Dose Equivalent CEDE ............................................................................. Committed Effective Dose Equivalent CET ..................................................................................................... Core Exit Thermocouple CFCU ........................................................................................ Containment Fan Cooling Unit CFR .............................................................................................. Code of Federal Regulations CMT ..................................... ,................................................................................. Containment CSFST .............................................................................. Critical Safety Function Status Tree CST .................................................................................................. Condensate Storage Tank OBA ........................................................................................................ Design Basis Accident DC ....................................................................................................................... Direct Current DCPP .............................................................................................. Diab lo Canyon Power Plant DOE ................................................................................................ Double Design Earthquake DE ............................................................................................................... Design Earthquake EAL ..................................................................................................... Emergency Action Level ECCS .................................................................................... Emergency Core Cooling System ECL .......................................................................................... Emergency Classification Level ED .............................................................................................................. Emergency Director EDE ................................................................................................... Effective Dose Equivalent EFM ................................................................................................. Earthquake Force Monitor ENF ............................................................................................. Emergency Notification Form EOF ........................................................................................... Emergency Operations Facility EOP ...................................................................................... Emergency Operating Procedure EPA .......................................................................................Environmental Protection Agency ERG ....................................................................................... Emergency Response Guideline EPIP ........................................................................ Emergency Plan Implementing Procedure I [Document No.] Rev. [X] ' *1 Page 28 of 3081 l

ESF ................................................................................................. Engineered Safety Feature ERFDS ............................................................. Emergency Response Facility Display System FAA ................................................'.......................................... Federal Aviation Administration FBI ........................................................................................... Federal Bureau of Investigation FEMA ...................................................................... Federal Emergency Management Agency FSAR ........................................................................................... Final Safety Analysis Report ft ............................................................ :............................................................................ Feet FTS ................................................................................................ Federal Telephone System GDC ....................................................................................................... General Design Criteria GE ..............................................................................................................General Emergency HASP ......................................................................................................... High Alarm Setpoint HOO .............................................................................. NRC Headquarters Operations Officer IC ................................................................................................................. Initiating Condition

in ..................................................................................................................................... Inches IPEEE ........................ Individual Plant Examination of External Events (Generic Letter 88-20)

Keff ................................................................................. Effective Neutron Multiplication Factor LCO ................. :........................................................................ Limiting Condition of Operation LER:-...................................................................................................... Licensee Event Report LOCA ................................................................................................. Loss of Coolant Accident LWR ........................................................................................................... Light Water Reactor MEDT .............................................................'. ............... Miscellaneous Equipment Drain Tank MPC .~ .................................................................................................... Multi-Purpose Canister mR, mRem, mrem, mREM ....................................................... mi Iii-Roentgen Equivalent Man MSL .................................................................................................................Main Steam Line MW ............................................................................................................................. Megawatt NEI .................................... ( ................................................................ Nuclear Energy Institute NEIC ......................................................................, ... National Earthquake Information Center NESP .................. ~ ....................................................... National Environmental Studies Project NPP ........................................................................................................... Nuclear Power Plant NRC ....................................................................................... Nuclear Regulatory Commission NSSS ........................................................................................ Nuclear Steam Supply System NORAD .. , ........................................................ North American Aerospace Defense Command (NO)UE ....................................................................................... Notification of Unusual Event NUREG ....................................................................................................... Nuclear Regulation OBE .............................................................................................. Operating Basis Earthq~ake OCA ....................................................................*..............................*.... Owner Controlled Area ODCM ................................................................................... Off-site Dose Calculation Manual OES ........................................................................................... Office of Emergency Services ORO .......................................................................................... Offsite Response Organization PA ......................................................................................................................Protected Area I [Document No.] Rev. [X] Page 29 of 3081

PAG ........................................................................................... :-... Protective Action Guideline PAM ................................................................................................... Post Accident Monitoring PAR. ...................................................................................Protective Action Recommendation PBX ................................................................................................... Private Branch Exchange PGA ................................................................................................. Peak Ground Acceleration PPG ..................................................................................................... Plant Process Computer PRA/PSA. ............................. Probabilistic Risk Assessment I Probabilistic Safety Assessment PRF ...................................................................................Process Reduction Factor PRT ...................................................................................................... Pressurizer Relief Tank PSIG ............... '. ....................................................................... Pounds per Square Inch Gauge PTS ............................................................................................... Pressurized Thermal Shock PWR. ............................................................. :................................ Pressurized Water Reactor R ................................. _. .............................................................................................. Roentgen RCC ................................................................................................... Reactor Control Console RCDT ............................................................................................ Reactor Coolant Drain Tank RCS .................................................................................................... Reactor Coolant System RHR ..................................................................................................... Residual Heat Removal Rem, rem, REM .............................................................................. Roentgen Equivalent Man RETS ................................................................ Radiological Effluent Technical Specifications RTM ..............................................................................1** Response Technical Manual

' )

RTS ........................................................................................................... Reactor Trip System R(P)V .............................................................................................. Reactor (Pressure) Vessel RVLIS ......................................................................... Reactor Vessel Level Indicating System RVRLIS ...................................................... Reactor Vessel Refueling Level Indicating System RWST. ....................................................................................... Refueling Water Storage Tank SAE ..........................................................................................................Site Area Emergency SAMG ......................................................................... Sever Accident Management Guideline SAR ....................................................................................................... Safety Analysis Report SAS ......................................................................................... [; ......... Secondary Alarm Station SBO .................................................................................................................Station Blackout SCBA ... :...................................................................*:...... Self-Contained Breathing Apparatus SCMM ............................................................................................ Sub Cooled Margin Monitor SEC .............................................................................................. Site Emergency Coordinator SG .................................................................................................................. Steam Generator SGBD ............................................................................................ Steam Generator Slowdown SI ....................................... :............................................................................... Safety Injection SM ........................................................................................................................ Shift Manager SPDS ................................................................................... Safety Parameter Display System SRO ................................................................................................... Senior Reador Operator SSF ....................................................................................................... Safe Shutdown Facility J [Document No.] Rev. [X] Page 30.of 308 J

TC ..........................*.............................................................................................Thermocouple TEDE ....................................................................................... Total Effective Dose Equivalent TOAF ............................................................................................................Top of Active Fuel TSC ................................................................................................... Technical Support Center UE ...................................................................................................................... Unusual Event UFSAR ........................................................................... Updated Final Safety Analysis Report USGS ..................................................................................... United States Geological Survey VB(#) ................................................................................................... Vertical Board (number)

VDC ........................................................................................................... Volts Direct Current WOG .......................................................................................... Westinghouse Owners Group WR .........................................................................................................................Wide Range XFM R ......................................................................................................... ~ ........... Transformer I

I [Document No.] Rev. [X] Page 31 of 308 j

6.0 DCPP-TO-NEI 99-01 Rev. 6 EAL CROSS-REFERENCE This cross-reference is provided to facilitate association and location of a DCPP EAL within the NEI 99-01 IC/EAL identification scheme. Further information regarding the development of the DCPP EALs based on the NEI guidance can be found in the EAL Comparison Matrix.

DCPP NEI 99-01 Rev. 6 Example EAL IC EAL RU1.1 AU1 1, 2 RU1.2 AU1 3 RU2.1 AU2 1 RA1.1 AA1 1 RA1.2 AA1 2 RA1.3 AA1 3 RA1.4 AA1 4 RA2.1 AA2 1 RA2.2 AA2 2 RA2.3 AA2 3 RA3.1 AA3 1 RA3.2 AA3 2 RS1.1 AS1 1 RS1.2 AS1 2 RS1.3 AS1 3 RS2.1 AS2 1 RG1.1 AG1 1 RG1.2 AG1 2 RG1.3 AG1 3

'RG2.1 AG2 1 CU1.1 CU1 1 I [Document No.] Rev. [X] Page 32 of 3081

DCPP NEI 99-01 Rev. 6 Example EAL IC EAL

, CU1.2 CU1 2

cu2.1 CU2 1 CU3.1 CU3 1 CU3.2 CU3 2 CU4.1 CU4 1 CU5.1 . CU5 1, 2, 3 CA1.1 CA1 1 CA1.2 CA1 2 CA2.1 CA2 1 CA3.1 CA3 1, 2 CA6.1 ' CA6 .1 CS1.1 CS1 1 CS1.2 CS1 2 CS1.3 CS1 3 CG1.1 CG1 1 CG1.2 CG 2 FA1.1 FA1 1 FS1.1 FS1 1 FG1.1 FG1 1 HU1.1 HU1 1, 2 3 HU2.1 HU2 1 HU3.1 HU3 1 HU3.2 HU3 2 HU3.3 HU3 3 HU3.4 HU3 4 I [Document No.] Rev. [X] Page 33 of 3081

DCPP NEI 99-01 Rev. 6 Example EAL IC EAL HU4.1 HU4 1 HU4.2 HU4 2 HU4.3 HU4 3 HU4.4 HU4 4 HU7.1 HU? 1 HA1.1 HA1 1, 2 HA5.1 HA5 1 HA6.1 HA6 1 HA7.1 HA? 1 HS1.1 HS1 1 HS6.1 HS6 1 HS7.1 HS? 1 HG7.1 HG? 1 SU1.1 SU1 1 SU3.1 SU2 1 SU4.1 SU3 1 SU4.2 SU3 2.

SU5.1 SU4 1, 2, 3 SU6.1 SU5 1 SU6.2 SU5 2 SU7.1 SU6 1, 2, 3 SUB.1 SU? 1, 2 SA1.1 SA1 1 SA3.1 SA2 1 SA6.1 SA5 1 I [Document No.] Rev. [X] Page 34 of 3081

DCPP NEI 99-01 Rev. 6 Example EAL IC EAL SA9.1 SA9 1 SS1.1 SS1 1 SS2.1 SSS 1 SS6.1 SS5 1 SG1.1 SG1 1 SG2.1 SGS 1 E!J1 .1 E-HU1 1 I [Document No.] I Rev. [X] Page 35 of 3os I

7.0 ATTACHMENTS 7.1 Attachment 1, Emergency Action Level Technical Bases 7.2 Attachment 2, Fission Product Barrier Matrix and Basis 7.3 Attachment 3, Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases I [Document No.] Rev. [X] Page 36 of 3081

ATTACHMENT 1 EAL Bases Category R - Abnormal Rad Release I Rad Effluent EAL Group: ANY (EALs in this category are applicable to any plant condition, hot or cold.)

Many EALs are based on actual or potential degradation of fission product barriers because (

of the elevated potential for offsite radioactivity release. Degradation of fission product barriers though is not always apparent via non-radiological symptoms. Therefore, direct indication of elevated radiological effluents or area radiation levels are appropriate symptoms for emergency classification.

At lower levels, abnormal radioactivity releases may be indicative of a failure of containment systems or precursors to more significant releases. At higher release rates, offsite radiological conditions may result which require offsite protective actions. Elevated area radiation levels in plant may also be indicative of the failure of containment systems or preclude access to plant vital equipment necessary to ensure plant safety.

Events of this category pertain to the following subcategories:

1. Radiological Effluent Direct indication of effluent radiation monitoring systems provides a rapid assessment mechanism to determine releases in excess of classifiable limits. Projected offsite doses, actual offsite field measurements or measured release rates via sampling indicate doses or dose rates above classifiable limits.

2. Irradiated Fuel Event Conditions indicative of a loss of adequate shielding or damage to irradiated fuel may preclude access to vital plant areas or result in radiological releases that warrant emergency classification.

3. Area Radiation Levels Sustained general area radiation levels which may preclude access to areas requiring continuous occupancy also warrant emergency classification.

I [Document No.] Rev. [X] Page 37 of 3081 J

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous or liquid radioactivity greater than 2 times the Offsite Dose Calculation Manual limits for 60 minutes or longer.

EAL:

RU1.1 Unusual Event Reading on any Table R-1 effluent radiation monitor> column "UE" for ;::: 60 minutes.

(Notes 1, 2, 3)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Note 3: If the effluent flow past an effluent monitor is known to have stopped, indicating that the release path is isolated, the effluent monitor reading is no longer VALID for classification purposes.

Table R-1 Effluent Monitor Classification Thresholds Release Point Monitor GE SAE Alert UE 2.5E+6 cpm 2.5E+5 cpm 8.0E+4 cpm f/J 1(2)-RM-14/14R -----

J 0 5.6E-2 µCi/cc 5.6E-3 µCi/cc 1.8E-3 µCi/cc Cll f/J Plant Vent ra 1.9E-10 amps C>

1(2)-RM-87 ---- ---- ----

3.2E-1 µCi/cc Liquid Radwaste Effluent "C

Line O-RM-18 ----- ----- ----- 1.6E+5 cpm er

J SGBD Tank 1(2)-RM-23 ----- ----- ----- 2.0E+4 cpm Mode Applicability:

All Definition(s):

VALID -An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

I [Document No.] Rev. [X] Page 38 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information Classification based on effluent monitor readings assumes that a release path to the environment is established. If the effluent flow past an effluent monitor is known to have stopped due to actions to isolate the release path, then the effluent monitor reading is no longer VALID for classification purposes.

Even if a rel~ase does not meet the levels of this EAL, a release may be reportable. In these cases, consun Admin Procedure Xl1.ID2. .

Releases should not be prorated or averaged. For example, a release exceeding 4 times release limits for 30 minutes does not meet the EAL.

This EAL addresses normally occurring continuous radioactivity releases from monitored gaseous or liquid effluent pathways.

Escalation of the emergency classification level would be via IC RA 1.

Background

The column "UE" gaseous and liquid release values in Table R-1 represent two times the appropriate Offsite Dose Calculation Manual release rate limits associated with the specified monitors (ref. 1, 2).

This IC addresses a potential decrease in the level of safety of the plant as indicated by a low-level radiological release that exceeds regulatory commitments for an extended period of time (e.g., an uncontrolled release). It includes any gaseous or liquid radiological ,release, monitored or un-monitored, including those for which a radioactivity discharge permit is

normally prepared.

Nuclear power plants incorporate design features intended .to control the release of radioactive effluents to the environment. Further, there are administrative controls established to prevent unintentional releases, and to control and monitor intentional releases. The occurrence of an extended, uncontrolled radioactive release to the environment is indicative of degradation in these features and/or controls.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that qmnot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

DCPP Basis Reference(s):

1. DCPP Radiological Effluent Technical Specifications

2. EP-CALC-DCPP-1601 Radiological Effluent EAL Values

3. NEI 99-01 AU1 I [Document No.] Rev. [X] I Page 39 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous or liquid radioactivity greater than 2 times the Offsite Dose Calculation Manual limits for 60 minutes or longer.

EAL:

RU1.2 Unusual Event Sample analysis for a gaseous or liquid release indicates a concentration or release rate

> 2 x Offsite Dose Calculation Manual limits for;:: 60 minutes. (Notes 1, 2)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Mode Applicability:

All Definition(s):

UNISOLABLE -An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed due to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

Basis:

ERO Decision Making Information This EAL addresses uncontrolled gaseous or liquid releases that are detected by sample analyses or environmental surveys (particularly on unmonitored and/or UNISOLABLE pathways, e.g., spills of radioactive liquids into storm drains, heat exchanger leaks into river water systems, etc.).

Sample analysis results relative to Offsite Dose Calculation Manual limits are provided by Chemistry.

Releases should not be prorated or averaged. For example, a release exceeding 4 times release limits for 30 minutes does not meet the EAL.

Escalation of the emergency classification level would be via IC RA 1.

Background

This IC addresses a potential decrease in the level of safety of the plant as indicated by a low-level radiological release that exceeds regulatory commitments for an extended period of time (e.g., an uncontrolled release). It includes any gaseous or liquid radiological release, monitored or un-monitored, including those for which a radioactivity discharge permit is normally prepared.

(continued)

I [Document No.] Rev. [X] Page 40 of 3081

ATTACHMENT 1 EAL Bases Nuclear power plants incorporate design features intended to control the release of radioactive effluents to the environment. Further, there are administrative controls established to prevent unintentional releases, and to control and monitor intentional releases. The occurrence of an extended, uncontrolled radioactive release to the environment is indicative of degradation in these features and/or controls.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

DCPP Basis Reference(s):

1. DCPP Radiological Effluent Technical Specifications

2. NEI 99-01 AU1 I [Document No.] Rev. [X] Page 41 of 3081

___J

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous or liquid radioactivity resulting in offsite dose greater than 10 mrem TEDE or 50 mrem thyroid COE.

EAL:

RA1.1 Alert Reading on any Table R-1 effluent radiation monitor> column "ALERT" for~ 15 minutes.

(Notes 1, 2, 3, 4)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Note 3: If the effluent flow past an effluent monitor is known to have stopped, indicating that the release path is isolated, the effluent monitor reading is no longer VALID for classification purposes.

Note 4 The pre-calculated effluent monitor values presented in EALs RA1 .1, RS1 .1 and RG1 .1 should only be used for emergency classification assessments until the results from a dose assessment using actual meteorology are available.

Table R-1 Effluent Monitor Classification Thresholds I Release Point I Monitor I GE I SAE I Alert I UE I

2.5E+6 cpm 2.5E+5 cpm 8.0E+4 cpm U)

J '

1(2)-RM-14/14R -----

0 5.6E-2 µCi/cc 5.6E-3 µCi/cc 1.8E-3 µCi/cc Q)

U) Plant Vent cu 1.9E-10 amps

(!)

1(2)-RM-87 ---- ---- ----

3.2E-1 µCi/cc Liquid Radwaste Effluent "C

s Line O-RM-18 ----- ----- ----- 1.6E+5 cpm C'"

J SGBD Tank 1(2)-RM-23 ----- ----- ----- 2.0E+4 cpm Mode Applicability:

I All Deflnition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

VALID -An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the_

condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

[Document No.] Rev. [X] Page 42 of 308 J

I _J L _ _ _ _____ -----

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This EAL address gaseous radioactivity releases, that for whatever reason, cause effluent radiation monitor readings corresponding to SITE BOUNDARY doses that exceed either:

10 mRem TEDE

50 mRem thyroid COE Use Table R-1 only until dose assessment using currently approved software is available.

The results from a dose assessment are preferred using actual meteorology, when available.

Until available, the pre-calculated effluent monitor values presented in Table R-1 should be

used for emergency classification. Once an accurate dose assessment is performed, classification should be based on dose assessment only and not using the effluent monitor

_ values in Table R-1. For example, a Table R-1 Alert effluent threshold is exceeded. However, real-time dose assessment results are available indicating offsite doses less than EAL RA 1.2 thresholds. Declaration of an Alert due to EA~ RA 1.1 is not required.

I If a threshold value is met in Table R-1 for a classification, there is a 15 minute time limit to make the classification (RA 1.1). If Dose Assessment software is available, it should be used instead (RA1:2) since it is more accurate than the values in Table R-1. However, the Dose Assessment personnel must be able to calculate results within 15 minutes of the Table R-1 value being exceeded OR the classification should be made using Table R-1 (RA 1.1).

Classification based on effluent monitor readings assumes that a release path to the environrnent is established. If the effluent flow past an effluent monitor is known to have stopped- due to actions to isolate the release path, then the effluent monitor reading is no longer VALID for classification purposes.

Escalation of the emergency classification level would be via IC RS1.

Background

The.column "ALERT" gaseous effluent release values in Table R-1 correspond to calculated doses of 1% (10% of the SAE thresholds) of the EPA PROTECTIVE ACTION GUIDELINES (TEDE or COE Thyroid) (ref. 1).

This IC addresses a release of gaseous or liquid radioactivity that results in projected or actual offsite doses greater than or equal to 1% of the EPA PROTECTIVE ACTION GUIDES (PAGs).

It includes both monitored'and un-monitored releases. Releases of this magnitude represent an actual or potential substantial degradation of the level of safety of the plant as indicated by a radiological release that significantly exceeds regulatory limits (e.g., a significant uncontrolled release).

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition' and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 1% of the EPA PAG of 1,000 mrem while the 50 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

I [Dobument No.] Rev. [X] Ppge 43 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. EP-CALC-DCPP-1601 Radiological Effluent EAL Values

2. NEI 99-01 AA 1

(

I I [Document No.] Rev. [X] Page 44 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous or liquid radioactivity resulting in offsite dose greater than 10 mrem TEDE or 50 mrem thyroid COE.

EAL:

RA1.2 Alert Dose assessment using actual meteorology indicates doses > 10 mrem TEDE or 50 mrem thyroid COE at or beyond the SITE BOUNDARY. (Note 4)

Note 4: The pre-calculated effluent monitor values presented in EALs RA 1.1, RS1 .1 and RG1 .1 should only be used for emergency classification assessments until the results from a dose assessment using actual meteorology are available.

Mode Applicability:

All Definition(s):

SITE BOUNDARY-As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

Basis:

ERO Decision Making Information Dose projections are performed by computer-based method (ref. 1, 2, 3). Dose assessments may utilize real-time dose projections and/or field monitoring results.

Classification based on effluent monitor readings assumes that a release path to the environment is established. If the effluent fi'ow past an effluent monitor is known to have stopped due to actions to isolate the release path, then the effluent monitor reading is no longer VALID for classification purposes.

Escalation of the emergency classification level would be via IC RS1.

Background

This IC addresses a release of gaseous or liquid radioactivity that results in project,ed or actual offsite doses greater than or equal to 1% of the EPA PROTECTIVE ACTION GUIDES (PAGs).

It includes both monitored and un-monitored releases. Releases of this magnitude represent ,

an actual or potential substantial degradation. of the level of safety of the plant as indicated by a radiological release that significantly exceeds regulatory limits (e.g., a significant uncontrolled release).

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 1% of the EPA PAG of 1,000 mrem while the 50 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

I [Document No.] Rev. [X] Page 45 of 3081

ATTACHMENT 1 EAL Bases*

DCPP Basis Reference(s):

1. EP RB-9, Calculation of Release Rate

2. EP RB-11, Emergency Offsite Dose Calculations

3. EP R-2, Release of Airborne Radioactive Materials Initial Assessment

4. EP RB-16, Operating lnstrµctions for the EARS Computer Program

5. NEI 99-01 AA 1 I [Document No.] Rev. [X] Page 46 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous or liquid radioactivity resulting in offsite dose greater than 10 mrem TEDE or 50 mrem thyroid COE.

EAL:

RA1.3 Alert Analysis of a gaseous or liquid effluent sample indicates a concentration or release rate that would result in doses > 10 mrem TEDE or 50 mrem thyroid COE at or beyond the SITE BOUNDARY for 60 minutes of exposure. (Notes 1, 2)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Mode Applicability:

All Definition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

Basis:

ERO Decision Making Information This EAL is determined by a gaseous or liquid sample analysis by the Count Room.

Escalation of the emergency classification level would be via IC RS1.

Background

This IC addresses a release of gaseous or liquid radioactivity that results in projected or actual offsite doses greater than or equal to 1% of the EPA PROTECTIVE ACTION GUIDES (PAGs).

It includes both monitored and un-monitored releases. Releases of this magnitude represent an actual or potential substantial degradation of the level of safety of the plant as indicated by a radiological release that significantly exceeds regulatory limits (e.g., a significant uncontrolled release).

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 1% of the EPA PAG of 1,000 mrem while the 50 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

I [Document No.] Rev. [X] Page 47 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. EP R-3 Release of Radioactive Liquids

2. EP EF-3, Activation and Operation of the Emergency Operations Facility

3. NEI 99-01 AA1 J [Document No.] Rev. [X] Page 48 of 308 J

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous or liquid radioactivity resulting in offsite dose greater than 10 mrem TEDE or 50 mrem thyroid COE.

EAL:

RA1.4 Alert Field survey results indicate EITHER of the following at or beyond the SITE BOUNDARY:

Closed window dose rates are > 10 mR/hr and are expected to continue for;::: 60 minutes.

Analyses of field survey samples indicate thyroid COE > 50 mrem for 60 minutes of inhalation.

(Notes 1, 2)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Mode Applicability:

All Definition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

Basis:

ERO Decision Making Information This IC is based solely on field monitoring team results without performing calculations using the dose assessment software.

EP RB-8, Instructions for Field .Monitoring Teams provides guidance for.emergency or post-accident radiological environmental monitoring (ref. 1).

Escalation of the emergency classification level would be via IC RS1.

(continued)

I [Document No.] Rev. [X] Page 49 of 3081

ATTACHMENT 1 EAL Bases

Background

This IC addresses a release of gaseous or liquid radioactivity that results in projected or actual offsite doses greater than or equal to 1% of the EPA PROTECTIVE ACTION GUIDES (PAGs).

It includes both monitored and un-monitored releases. Releases of this magnitude represent an actual or potential substantial degradation of the level of safety of the plant as indicated by a radiological release that significantly exceeds regulatory limits (e.g., a significant uncontrolled release).

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 1% of the EPA PAG of 1,000 mrem while the 50 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

DCPP Basis Reference(s):

1. EP RB-8, Instructions for Field Monitoring Teams

2. NEI 99-01 AA 1 I [Document No.] Rev. [X] Page 50 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous radioactivity resulting in offsite dose greater than 100 mrem TEDE or 500 mrem thyroid COE.

EAL:

RS1 .1 . Site Area Emergency Reading on any Table R-1 effluent radiation monitor> column "SAE" for ;::: 15 minutes.

(Notes 1,2, 3, 4)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Note 3: If the effluent flow past an effluent monitor is known to have stopped, indicating that the release path is isolated, the effluent monitor reading is no longer VALID for classification purposes.

Note 4: The pre-calculated effluent monitor values presented in EALs RA 1.1, RS1 .1 and RG1 .1 should only be used for emergency classification assessments until the results from a dose assessment using actual meteorology are available.

Table R-1 Effluent Monitor Classification Thresholds Release Point Monitor GE SAE Alert UE 2.5E+6 cpm 2.5E+5 cpm 8.0E+4 cpm rn

i 1(2)-RM-14/14R -----

0 5.6E-2 µCi/cc 5.6E-3 µCi/cc 1.8E-3 µCi/cc cu Plant Vent rn cu 1.9E-10 amps

(!)

1(2)-RM-87 ---- ---- ----

3.2E-1 µCi/cc -

Liquid Radwaste Effluent "C

5 Line O-RM-18 ----- ----- ----- 1.6E+5 cpm CT

J SGBD Tank 1(2)-RM-23 ----- ----- ----- 2.0E+4 cpm Mode Applicability:

All Definition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

VALID -An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

I [Document No.] Rev. [X] Page 51 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This EAL address gaseous radioactivity releases, that for whatever reason, cause effluent radiation monitor readings corresponding to SITE BOUNDARY doses that exceed either:

100 mRem TEDE

500 mRem thyroid COE Use Table R-1 only until dose assessment using currently approved software is available.

The results from a dose assessment are preferred using actual meteorology, when available.

Until available, the pre-calculated effluent monitor values presented in Table R-1 should be used for emergency classification. Once an accurate dose assessment is performed, classification should be based on dose assessment only and not using the effluent monitor values in Table R-1. For example, a Table R-1 SAE effluent threshold is exceeded. However, real-time dose assessment results are available indicating offsite doses less than EAL RS1 .2 thresholds. Declaration of a Site Area Emergency due to EAL RS1 .1 is not required.

If a threshold value is met in Table R-1 for a classification, there is a 15 minute time limit to make the classification (RS1.1). If Dose Assessment software is available, it should be used instead (RS1.2) since it is more ~ccurate than the values in Table R-1. However, the Dose Assessment personnel must be able to calculate results within 15 minutes of the Table R-1 value being exceeded OR the classification should be made using Table R-1 (RS1.1).Classification based on effluent monitor readings assumes that a release path to the environment is established. If the effluent flow past an effluent monitor is known to have stopped due to actions to isolate the release path, then the effluent monitor reading is no longer VALID for classification purposes.

Escalation of the emergency classification level would be via IC RG1.

Background

The column "SAE" gaseous effluent release value in Table R-1 corresponds to calculated doses of 10% of the EPA PROTECTIVE ACTION GUIDELINES (TEDE or thyroid COE) (ref.

1).

This IC addresses a release of gaseous radioactivity that results in projected or actual offsite doses greater than or equal to 10% of the EPA PROTECTIVE ACTION GUIDES (PAGs). It includes both monitored and un-monitored releases. Releases of this magnitude are

?ssociated with the failure of plant systems needed for the protection of the public.

Radiological effluent EALs are also includeq to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone.* The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 10% of the EPA PAG of 1,000 mrem while the 500 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

I [Document No.] Rev. [X] Page 52 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. EP-CALC-DCPP-1601 Radiological Effluent EAL Values

2. NEI 99-01 AS1 I [Document No.] Rev. [X] Page 53 of 3081*

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous radioactivity resulting in offsite dose greater than 100 mrem TEDE or 500 mrem thyroid COE.

EAL:

RS1.2 . Site Area Emergency Dose assessment using actual meteorology indicates doses > 100 mrem TEDE or 500 mrem thyroid COE at or beyond the SITE BOUNDARY. (Note 4)

Note 4: The pre-calculated effluent monitor values presented in EALs RA 1.1, RS1 .1 and RG1 .1 should only be used for emergency classification assessments until the results from a dose assessment using actual meteorology are available.

Mode Applicability:

All Definition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

\

Basis:

ERO Decision Making Information Dose projections are performed by computer-based method (ref. 1, 2, 3, 4). Dose assessments may utilize real-time dose projections and/or field monitoring results.

Escalation of the emergency classification level would be via IC RG1.

Background

. This IC addresses a release of gaseous radioactivity that results in projected or actual offsite doses greater than or equal to 10% of the EPA PROTECTIVE ACTION GUIDES (PAGs). It includes both monitored and un-monitored releases. Releases of this magnitude are associated with the failure of plant systems needed for the protection of the public.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 10% of the EPA PAG of 1,000 mrem while the 500 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

I [Document No.] Rev. [X] Page 54 of 308 j L_ -

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. EP RB-9, Calculation of Release Rate

2. EP RB-11, Emergency Offsite Dose Calculations

3. EP R-2, Release of Airborne Radioactive Materials Initial Assessment

4. EP RB-16, Operating Instructions for the EARS Computer Program

5. NEI 99-01 AS1 I [Document No.] Rev. [X] . Page 55 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous radioactivity resulting in offsite dose greater than 100 mrem TEDE or 500 mrem thyroid COE.

EAL:

RS1 .3 Site Area Emergency Field survey results indicate EITHER of the following at or beyond the SITE BOUNDARY:

Closed window dose rates are > 100 mR/hr and are expected to continue for~ 60 minutes.

Analyses of field survey samples indicate thyroid COE > 500 mrem for 60 minutes of inhalation.

(Notes 1, 2)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Mode Applicability:

All Definition(s):

SITE BOUNDARY -As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

Basis:

ERO Decision Making Information This IC is based solely on field monitoring team results without performing calculations using the dose assessment software.

EP RB-8, Instructions for Field Monitoring Teams provides guidance for emergency or post-accident radiological environmental monitoring (ref. 1).

Escalation of the emergency classification level would be via IC RG1.

(continued)

I [Document No.] Rev. [X] .Page 56 of 3081

ATIACHMENT 1 EAL Bases

Background

This IC addresses a release of gaseous radioactivity that results in projected or actual offsite doses greater than or equal to 10% of the EPA PROTECTIVE ACTION GUIDES (PAGs). It includes both monitored and un-monitored releases. Releases of this magnitude are associated with the failure of plant systems needed for the protection* of the public.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at 10% of thd EPA PAG of 1,000 mrem while the 500 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

DCPP Basis Reference(s):

1. EP RB-8, Instructions for Field Monitoring Teams

2. EP EF-3, Activation and Operation of the Emergency Operations Facility

3. NEI 99-01 AS1 I.

\

I [Document No.] Rev. [X] .Page 57 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous radioactivity resulting in offsite dose greater than

.1,000 mrem TEDE or 5,000 mrem thyroid COE.

EAL:

RG1.1 General Emergency Reading on any Table R-1 effluent radiation monitor> column "GE" for ~ 15 minutes.

(Notes 1, 2, 3, 4)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Note 3: If the effluent flow past an effluent monitor is known to have stopped, indicating that the release path is isolated, the effluent monitor reading is no longer VALID for classification purposes.

Note 4: The pre-calculated effluent monitor values presented in EALs RA 1.1, RS1 .1 and RG1 .1 should only be used for emergency classification assessments until the results from a dose assessment using actual meteorology are available.

Table R-1 Effluent Monitor Classification Thresholds Release Point Monitor GE SAE Alert UE 2.5E+6 cpm 2.5E+5 cpm 8.0E+4 cpm Ill 1(2)-RM-14/14R -----

l 0 5.6E-2 µCi/cc 5.6E-3 µCi/cc 1.8E-3 µCi/cc Q)

Ill Plant Vent IQ

(!)

1.9E-10 amps 1(2}-RM-87 ---- ---- ----

3.2E-1 µCi/cc Liquid Radwaste Effluent

'C

3 Line O-RM-18 ----- ----- ----- 1.6E+5 cpm C"

i SGBD Tank 1(2}-RM-23 ----- ----- ----- 2.0E+4 cpm Mode Applicability: .

All Definition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

VALID -An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

j [Document No.] Rev. [X] Page 58 of 308 j

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making lnfon:nation This EAL address gaseous radio.activity releases, that for whatever reason, cause effluent radiation monitor readings corresponding to SITE BOUNDARY doses that exceed either:

1000 mRem TEDE

5000 mRem thyroid COE Use Table R-1 only until dose assessment using currently approved software is available.

The results from a dose assessment are preferred using actual meteorology, when available.

Until available, the pre-calculated effluent monitor values presented in Table R-1 should be used for emergency classification. Once an accurate dose assessment is performed, classification should be based on dose assessment only a~d not using the effluent monitor values in Table R-1. For example, a Table R-1 GE effluent threshold is exceeded. However, real-time dose assessment results are available indicating offsite doses less than EAL RG1 .2 thresholds. Declaration of a General Emergency due to EAL RG1 .1 is not required.

If a threshold value is met in Table R-1 for a classification, there is a 15 minute time limit to make the classification (RG1.1). If Dose Assessment software is available, it should be used instead (RG1.2) since it is more accurate than the values in Table R-1. However, the Dose Assessment personnel must be able to calculate results within 15 minutes of the Table R-1 value being exceeded OR the classification should be made using Table R-1 (RG1.1).

Classification based on effluent monitor readings assumes that a release path to the environment is established. If the effluent flow past an effluent monitor is known to have stopped due to actions to isolate the release path, then the effluent monitor reading is no longer VALID for classification purposes.

Background

The column "GE" gaseous effluent release values in Table R-1 correspond to calculated doses of 100% of the EPA PROTECTIVE ACTION GUIDELINES (TEDE or thyroid COE) (ref. 1).

This IC addresses a release of gaseous radioactivity that results in projected or actual offsite doses greater than or equal to the EPA PROTECTIVE ACTION GUIDES (PAGs). It includes both monitored and un-monitored releases. Releases of this magnitude will require implementation of protective actions for the public.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at the EPA PAG of 1,000 mrem while the 5,000 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

DCPP Basis Reference(s):

1. EP-CALC-DCPP-1601 Radiological Effluent EAL Values

2. NEI 99-01 AG1 I [Document No.] Rev. [X] Page 59 of 3081

ATIACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous radioactivity resulting in offsite dose greater than 1,000 mrem TEDE or 5,000 mrem thyroid COE.

EAL:

RG1.2 General Emergency Dose assessment using actual meteorology indicates dos~s > 1,000 mrem TEDE or 5,000 mrem thyroid COE at or beyond the SITE BOUNDARY. (Note 4)

Note 4: The pre-calculated effluent monitor values presented in EALs RA 1.1, RS1 .1 and RG1 .1 should only be used for emergency classification assessments until the results from a dose assessment using actual meteorology are available.

Mode Applicability:

All Definition(s):

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1.,2, Site Plan and Gaseous/Liquid Effluent Release Points.

Basis:

ERO Decision Making Information Dose projections are performed by computer-based method (ref. 1, 2, 3). Dose assessments may utilized real-time dose projections and/or field monitoring results.

Background

This IC addresses a release of gaseous radioactivity that results in projected or actual offsite doses greater than or equal to the EPA PROTECTIVE ACTION GUIDES (PAGs). It includes both monitored and un-monitored releases. Releases of this magnitude will require implementation of protective actions for the public.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

The TEDE dose is set at the EPA PAG of 1,000 mrem while the 5,000 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

I [Document No.] Rev. [X] Page 60 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. EP RB-9, Calculation of Release Rate

2. EP RB-11, Emergency Offsite Dose Calculations

3. EP R-2, Release of Airborne Radioactive Materials Initial Assessment

4. EP RB-16, Operating Instructions for the EARS Computer Program

5. NEI 99-01 AG1 J [Document No.] Rev. [X] Page 61 of 3os j

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 1 - Radiological Effluent Initiating Condition: Release of gaseous radioactivity resulting in offsite dose greater than 1,000 mrem TEDE or 5,000 mrem thyroid COE.

EAL:

RG1 .3 General Emergency Field survey results indicate EITHER of the following at or beyond the SITE BOUNDARY:

Closed window dose rates are > 1,000 mR/hr and are expected to continue for~ 60 minutes.

,* Analyses of field survey samples indicate thyroid COE > 5,000 mrem for 60 minutes of inhalation.

(Notes 1, 2)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 2: If an ongoing release is detected and the release start time cannot be determined, assume that the release duration has exceeded the specified time limit.

Mode Applicability:

All Definition(s):

SITE BOUNDARY-As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

Basis:

ERO Decision Making Information This IC is based solely on field monitoring team results without performing calculations using the dose assessment software. '

EP RB-8, Instructions for Field Monitoring Teams provides guidance for emergency or post-accident radiological environmental monitoring (ref. 1).

Background

This IC addresses a release of gaseous radioactivity that results in projected or actual offsite doses greater than or equal to the EPA PROTECTIVE ACTION GUIDES (PAGs). It includes both monitored and un-monitored releases. Releases of this magnitude will require implementation of protective actions for the public.

Radiological effluent EALs are also included to provide a basis for classifying events and conditions that cannot be readily or appropriately classified on the basis of plant conditions alone. The inclusion of both plant condition and radiological effluent EALs more fully addresses the spectrum of possible accident events and conditions.

I [Document No.] Rev. [X] Page 62 of 3081

ATTACHMENT 1 EAL Bases The TEDE dose is set at the EPA PAG of 1,000 mrem while the 5,000 mrem thyroid COE was established in consideration of the 1:5 ratio of the EPA PAG for TEDE and thyroid COE.

DCPP Basis Reference(s):

1. EP RB-8, Instructions for Field Monitoring Teams

2. EP EF-3, Activation and Operation of the Emergency Operations Facility

3. NEI 99-01 AG1

/ [Document No.] Rev. [X] Page 63 of 308 /

ATIACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 2 - Irradiated Fuel Event Initiating Condition: UNPLANNED loss of water level above irradiated fuel.

EAL:

RU2.1 Unusual Event UNPLANNED water level drop in the REFUELING PATHWAY as indicated by low water level alarm or equivalent indication.

AND UNPLANNED rise to alarm setpoint in corresponding area radiation levels as indicated by any of the following radiation monitors:

RM-58 Spent Fuel Pool Area

RM-59 New Fuel Area

RM-2 Containment Area (Mode 6 only)

Any temporary installed monitor in vicinity of the REFUELING PATHWAY (when installed)

Mode Applicability:

All Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

REFUELING PATHWAY - The reactor refueling cavity, spent fuel pool and fuel transfer canal comprise the refueling pathway.

Basis:

ERO Decision Making Information Note that this EAL is applicable only in cases where the elevated reading is due to an UNPLANNED loss of water level.

The Spent Fuel Pool (SFP) low water level alarm setpoint is 23 ft. 9 in. above the top of irradiated fuel seated in the SFP storage racks or 137 feet 4 inches elevation.

The Refueling Cavity low water level alarm setpoint is at 138 feet elevation as measured on Reactor Vessel Refueling Level Indicating System (RVRLIS) (i.e., 24 feet above the top of reactor vessel flange).

I [Document No.] Rev. [X] Page 64 of 3081

ATTACHMENT 1 EAL Bases The reading on an area radiation monitor (permanently installed or temporary) located near the Reactor Cavity may increase due to planned evolutions such as head lift, or even a fuel assembly being raised in the manipulator mast. Elevated radiation monitor indications to the alarm setpoint will need to be combined with another indicator (or personnel report) of water loss (ref. 5, 6)

RM-58 and RM-59 each have two alarm settings.

The lower level Hi Radiation setting is identified as a "Trip 1" level indicated by an amber light on the Control Room module located behind the vertical boards on panel PAM 2. On the local area module, this setting is labeled as an "Alert Alarm." A radiation dose level rise to this Trip 1 or Alert level radiation alarm meets the intent of this EAL.

The higher level Hi Radiation alarm setting initiates the Iodine Removal ventilation mode. If RM-58 or 59 alarms at this setting, review RA2.2 for applicability.

Likewise, if a temporarily installed monitor were to have multiple alarm levels, the lower level high radiation alarm would meet the intent of this EAL. A water level decrease will be primarily determined by indications from available level instrumentation. Other sources of level indications may include reports from plant personnel (e.g., from a refueling crew) or video camera observations (if available). A significant drop in the water level may also cause an increase in the radiation levels of adjacent areas that can be detected by monitors in those locations.

A drop in water level above irradiated fuel within the reactor vessel may be classified in accordance Recognition Category C during the Cold Shutdown and Refueling modes.

Escalation of the emergency classification level would be via IC RA2.

Background

SFP water level at 136 feet 7 inches elevation is the Technical Specification LCO limit (SR 3.7.15) that requires 23 ft. of water above irradiated fuel seated in the Spent Fuel Pool storage racks. '

A minimum depth of 23 feet of water over the irradiated fuel assemblies in the SFP and 23 feet of water over the reactor vessel flange in the refueling cavity is maintained to ensure sufficient iodine activity would be retained to limit offsite doses from the accident to < 25% of 10 CFR 100 limits and to ensure that the offsite dose consequences due to a postulated fuel handling accident are acceptable (ref. 1, 2, 3, 4).

Loss of Spent Fuel Pool water inventory results from either a rupture of the pool or transfer canal liner, or failure of the spent fuel cooling system and the subsequent boil-off. Allowing SFP water level to decrease could result in spent fuel being uncovered, reducing spent fuel decay heat removal and creating an extremely hazardous radiation environment. The movement of irradiated fuel assemblies within containment requires a minimum water level of 23 feet above the top of the reactor vessel flange.

While a radiation monitor (RM-58, RM-59, RM-2 or temporarily installed monitors in the vicinity of the REFUELING PATHWAY) could detect an increase in dose rate due to a drop in the water level, it might not be a reliable indication, in and of itself, of whether or not there is adequate shielding from irradiated fuel (ref. 5, 6).

I [Docµment No.] Rev. [X] Page 65 of 308 j

ATTACHMENT 1 EAL Bases When the spent fuel pool and reactor cavity are connected, there could exist the possibility of uncovering irradiated fuel. Therefore, this EAL is applicable for conditions in which irradiated fuel is being transferred to and from the reactor vessel and spent fuel pool.

This IC addresses a decrease in water level above irradiated fuel sufficient to cause elevated radiation levels. This condition could be a precursor to a more serious event and is also indicative of a minor loss in the ability to control radiation levels within the plant. It is therefore a potential degradation in the level of safety of the plant.

1 DCPP Basis Reference(s):

1. Technical Specification 3. 7 .15, SFP Level

2. Technical Specification 3.9.7, Refueling Cavity Water Level

3. AR PK11-04input1064, Spent Fuel Pool Lvl/Temp

4. AR PK02-22 input 1185, Rx Vsl Refueling Lvl

5. OP AP-22, Spent Fuel Pool Abnormalities

6. AR PK11-10, FHB High Radiation

7. System Training Guide G4A

8. SAP notification 50917642

9. NEI 99-01 AU2 I [Document No.] Rev. [X] Page 66 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 2 - Irradiated Fuel Event Initiating Condition: Significant lowering of water level above, or damage to, irradiated fuel.

EAL:

RA2.1 Alert Uncovery of irradiated fuel in the REFUELING PATHWAY.

Mode Applicability:

All Definition(s):

CONFINEMENT BOUNDARY - The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. As applied to the DCPP ISFSI, the confinement boundary is defined to be the Multi-Purpose Canister (MPG).

REFUELING PATHWAY - The reactor refueling cavity, spent fuel pool and fuel transfer canal comprise the refueling pathway.

Basis:

ERO Decision Making Information This EAL addresses events that have caused a significant lowering of water level within the REFUELING PATHWAY.

This EAL escalates from RU2.1 in that the loss of level, in the affected portion of the REFUELING PATHWAY, is of sufficient magnitude to have resulted in uncovery of irradiated fuel. Indications of irradiated fuel uncovery may include direct or indirect visual observation (e.g., reports from personnel or camera images), as well as significant changes in water and radiation levels, or other plant parameters. Computational aids may also be used (e.g., a boil-off curve). Classification of an event using this EAL should be based on the totality of available indications, reports and observations.

This EAL applies to irradiated fuel that is licensed for dry storage up to the point that the loaded storage cask is sealed. Once sealed, damage to a loaded cask causing loss of the CONFINEMENT BOUNDARY is classified in accordance with EU1 .1.

While an area radiation monitor could detect an increase in a dose rate due to a lowering of water level in some portion of the REFUELING PATHWAY, the reading may not be a reliable indication of whether or not the fuel is actually uncovered. To the degree possible, readings should be considered in combination with other available indications of inventory loss.

A drop in water level above irradiated fuel within the reactor vessel may be classified in accordance Recognition Category C during the Cold Shutdown and Refueling modes ..

Escalation of the emergency classification level would be via IC RS1.

I [Document No.] Rev. [X] I Page 67 of 3081.

ATTACHMENT 1 EAL Bases

Background

These events present radiological safety challenges to plant personnel and are precursors to a release of radioactivity to the environment. As such, they represent an actual or potential substantial degradation of the level of safety of the plant.

DCPP Basis Reference(s):

1. OP AP-21, Irradiated Fuel Damage

2. OP AP-22, Spent Fuel Pool Abnormalities

3. NEI 99-01 AA2 I [Document No.] Rev. [X] Page 68 of 3081

ATTACHMENT 1 EAL Bases Category.: R - Abnormal Rad Levels I Rad Effluent Subcategory: 2 - Irradiated Fuel Event Initiating Condition: Significant lowering of water level above, or damage to, irradiated fuel.

EAL:

RA2.2 Alert Damage to irradiated fuel resulting in a release of radioactivity.

AND High alarm on any of the following radiation monitors:

RM-59 New Fuel Storage Area

RM-58 Spent Fuel Pool Area

Any temporary installed monitor in vicinity of the REFUELING PATHWAY (when installed)

RM-2 Containment Area (Mode 6 only)

RM-44A/B Containment Ventilation Exhaust (Mode 6 only)

Mode Applicability:

All Definition(s):

CONFINEMENT BOUNDARY - The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry sto'rage. As applied to the DCPP ISFSI, the confinement boundary is defined to be the Multi-Purpose Canister (MPG).

Basis:

ERO Decision Making Information This EAL addresses a release of radioactive material caused by mechanical damage to irradiated fuel. Damaging events may include the dropping, bumping or binding of an assembly, or dropping a heavy load onto an assembly. A rise in readings on radiation monitors should be considered in conjunction with in-plant reports or observations of a potential fuel damaging event (e.g., a fuel handling accident).

This EAL applies to irradiated fuel that is licensed for dry storage up to the point that the loaded storage cask is sealed. Once sealed, damage to a loaded cask causing loss of the CONFINEMENT BOUNDARY is classified in accordance with EAL EU 1.1. Cask is sealed when welding is complete.

RM-58 and RM-59 each have two alarm settings.

The higher level alarm Hi Radiation setting initiates the Iodine Removal ventilation mode, and this alarm level meets the intent of this EAL.

(continued)

I [Document No.] Rev. [X] Page 69 of 3081

ATTACHMENT 1 EAL Bases The lower level Hi Radiation setting is identified as a "Trip 1" level indicated by an amber light on the Control Room module located behind the vertical boards on panel PAM 2. On the local area module, this setting is labeled as an "Alert Alarm." A radiation dose *1evel rise to this Trip 1 or Alert level radiation alarm does NOT meet the intent of this EAL. If RM-58 or 59 alarms at this setting, review RU2.1 for applicability.

Escalation of the emergency would be based on either Recognition Category R or C ICs.

Background

The specified radiation monitors are those expected to see increase area radiation levels as a result of damage to irradiated fuel (ref. 1, 2).

The bases for the SFP area radiation high alarms and containment area and ventilation radiation high alarms are a spent fuel handling accident *and are, therefore, appropriate for this EAL. In the fuel handling building, a fuel assembly could be dropped in the fuel transfer canal or in the SFP. Should a fuel assembly be dropped in the fuel transfer canal or in the spent fuel pool and release radioactivity above a prescribed level, the area radiation monitors sound an alarm, alerting personnel to the problem. Area radiation monitors in the fuel handling building isolate the normal fuel handling building ventilation system and automatically initiate the recirculation and filtration systems. (ref. 1, 2, 3).

This EAL addresses events that have caused IMMINENT or actual damage to an irradiated fuel assembly.

These events present radiological safety challenges to plant personnel and are precursors to a release of radioactivity to the environment. As such, they represent an actual or potential substantial degradation of the level of safety of the plant.

DCPP Basis Reference(s):

1. OP AP-21, Irradiated Fuel Damage

2. OP AP-22, Spent Fuel Pool Abnormalities

3. l&C RMS Data Book

4. NEI 99-01 AA2 I [Document No.] Rev. [X] Page 70 of 3081

ATTACHMENT 1 EAL Bases Category:* R - Abnormal Rad Levels I Rad Effluent Subcategory: 2 - Irradiated Fuel Event Initiating Condition: Significant lowering of water level above, or damage to, irradiated fuel.

EAL:

RA2.3 Alert Lowering of spent fuel pool level to 10 ft. above top of the fuel racks (Level 2).

Mode Applicability:

All Definition(s):

None Basis:

ERO Decision Making Information This EAL addresses a significant lowering of water level within the spent fuel pool.

For DCPP Plant SFP Level 2 is 10 ft. (plant El. 123' 11 ") as indicated on Ll-801. Backup indication is also available on Ll-802. The PPG point for SFP level is L0690A for both units.

Main Annunciator window PK11-04 will alarm at SFP Level 2 (ref. 3).

Escalation of the emergency classification level would be via one or more EALs under IC RS1 or RS2.

Background

These events present radiological safety challenges to plant personnel and are precursors to a release of radioactivity to the environment. As such, they represent an actual or potential substantial degradation of the level of safety of the plant.

Spent fuel pool water level at this value is within the lower end of the level range necessary to prevent significant dose consequences from direct gamma radiation to personnel performing operations in the vicinity of the spent fuel pool. This condition reflects a significant loss of spent fuel pool water inventory and thus it is also a precursor to a loss of the ability to adequately cool the irradiated fuel assembles stored in the pool.

Post-Fukushima order EA-12-051 (ref. 1) required the installation of reliable SFP level indication capable of identifying normal minimum level (Level 1 - 134' 5"), SFP level 10 ft.

above the top of the fuel racks (Level 2 - 123' 11 ") and SFP level at the top of the fuel racks (Level 3 - 114' 11" - includes a 1 foot instrument indication uncertainty error margin).

I [Document No.] Rev. [X] Page 71 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. NRG EA-12-51 Issuance of Order to Modify Licenses with Regard to Reliable Spent Fuel Pool Instrumentation

2. PG&E Letter DCL-13-073 Response to Request for Additional Information Regarding Overall Integrated Plan in Response to March 12, 2012, Commission Order to Modify Licenses with Regard to Reliable Spent Fuel Pool Instrumentation (Order Number EA 051)

3. AR PK11-04, Spent Fuel Pool Lvl/Temp

4. SAP documents 50808058 & 68039896 (Unit 1)

5. SAP documents 50808059 & 68039897 (Unit 2)

6. NEI 99-01 AA2

\

I [Document No.] Rev. [X] Page 72 of 3081

ATTACHMENT 1 EAL Bases Catego..Y: R - Abnormal Rad Levels I Rad Effluent Subcategory: 2 - Irradiated Fuel Event Initiating Condition: Spent fuel pool level at the top of the fuel racks.

EAL:

RS2.1 Site Area Emergency Lowering of spent fuel pool level to 1 ft. above top of the fuel racks (Level 3).

Mode Applicability:

All Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

Basis:

ERO Decision Making Information This EAL addresses a significant loss of spent fuel pool inventory control leading to IMMINENT fuel damage.

For DCPP Plant SFP Level 3 is 1 ft. (plant El. 114' 11 ")as indicated on Ll-801 (includes a 1 foot instrument uncertainty error margin). Backup indication is also available on Ll-802. The PPG point for SFP level is L0690A for both units.

Escalation of the emergency classification level would be via one or more EALs under IC RG1 or RG2.

Background

This condition entails major failures of plant functions needed for protection *Of the public and thus warrant a Site Area Emergency declaration.

It is recognized that this EAL would likely not be met until well after another Site Area Emergency EAL was met; however, it is included to provide classification diversity.

Post-Fukushima order EA-12-051 (ref. 1) required the installation of reliable SFP level indication capable of identifying normal minimum level (Level 1 - 134' 5"), SFP level 10 ft.

above the top of the fuel racks (Level 2 - 123' 11 ") and SFP Jevel at the top of the fuel racks (Level 3 - 114' 11" - includes a 1 foot instrument indication uncertainty error margin).

I [Document No.] Rev. [X] Page 73 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. NRG EA-12-51 Issuance of Order to Modify Licenses with Regard to Reliable Spent Fuel Pool Instrumentation

2. PG&E Letter DCL-13-073 Response to Request for Additional Information Regarding Overall Integrated Plan in Response to March 12, 2012, Commission Order to Modify Licenses with Regard to Reliable Spent Fuel Pool Instrumentation (Order Number EA 051)

3. NEI 99-01 AS2 I [Document No.] Rev. [X] Page 74 of 3081

ATTACHMENT 1 EAL Bases Category: R -Abnormal Rad Levels I Rad Effluent Subcategory: 2 - Irradiated Fuel Event Initiating Condition: Spent fuel pool level cannot be restored to at least the top of the fuel racks for 60 minutes or longer.

EAL:

RG2.1 General Emergency Spent fuel pool level cannot be restored to at least 1 ft. above top of the fuel racks (Level 3) for ~ 60 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability: ,

All Definition(s):

None Basis:

ERO Decision Making Information This EAL addresses a significant loss of spent fuel pool inventory control and makeup capability leading to a prolonged uncovery of spent fuel. This condition will lead to fuel damage and a radiological release to the environment.

For DCPP Plant SFP Level 3 is 1 ft. (plant El. 114' 11 ")as indicated on Ll-801 (includes a 1 foot instrument uncertainty error margin). Backup indication is also available on Ll-802. The PPC point for SFP level is L0690Afor both units.

It is recognized that this EAL would likely not be met until well after another General Emergency EAL was met; however, it is included to provide classification diversity.

Background

Post-Fukushima order EA-12-051 (ref. 1) required the installation of reliable SFP level indication capable of identifying normal minimum level (Level 1 - 134' 5"), SFP level 10 ft.

above the top of the fuel racks (Level 2 - 123' 11 ") and SFP level at the top of the fuel racks (Level 3 - 114' 11" - includes a 1 foot instrument indication uncertainty error margin).

DCPP Basis Reference(s):

1. NRG EA-12-51 Issuance of Order to Modify Licenses with Regard to Reliable Spent Fuel

Pool Instrumentation

2. PG&E Letter DCL-13-073 Response to Request for Additional Information Regarding -

Overall Integrated Plan in Response to March 12, 2012, Commission Order to Modify Licenses with Regard to Reliable Spent Fuel Pool Instrumentation (Order Number EA 051)

3. NEI 99-01 AG2 I [Document No.] Rev. [X] Page 75 of_ 3081

ATTACHMENT 1 EAL Bases ategory: R - Abnormal Rad Levels I Rad Effluent Subcategory: 3 -Area Radiation Levels Initiating Condition:. Radiation levels that IMPEDE access to equipment necessary for normal plant operations, co9ldown or shutdown EAL:

RA3.1 Alert Dose rates > 15 mR/hr in EITHER of the following areas:

Control Room (O-RM-1 or portable gamma radiation instrument)

OR Central Alarm Station (by survey)

Mode Applicability:

All Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

Basis:

ERO Decision Making Information Areas that meet this threshold include the Control Room and the Central Alarm Station (GAS).

O-RM-1 monitors the Control Room for area radiation (ref. 1). A portable gamma radiation

instrument may be installed if O-RM-1 is out of service. The GAS is included in this EAL because of its' importance to permitting access to areas required to assure safe plant operations.

There is no permanently installed GAS area radiation monitor that may be used to assess this EAL threshold. Therefore this threshold must be assessed via local radiation survey for the GAS (ref. 1). For this EAL the Secondary Alarm Station (SAS) is not considered.

Escalation of the emergency classification level would be via Recognition Category R, C or F ICs.

Background

This IC addresses elevated radiation levels in certain plant rooms/areas sufficient fo preclude or IMPEDE personnel from performing actions necessary to maintain normal plant operation, or to perform a normal plant cooldown and shutdown. As such, it represents an actual or potential substantial degradation of the level of safety of the plant. The SM/SEC/ED should consider the cause of the increased radiation levels and determine if another IC may be

applicable.

I [Document No.] Rev. [X] Page 76 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. FSAR Table 11.4-1 Radiation Monitors and Readouts

2. NEI 99-01 AA3 I [Document No.] Rev. [X] Page 77 of 3081

ATTACHMENT 1 EAL Bases Category: R - Abnormal Rad Levels I Rad Effluent Subcategory: 3 - Area Radiation Levels Initiating Condition: Radiation levels that IMPEDE access to equipment necessary for normal plant operations, cooldown or shutdown.

EAL:

RA3.2 Alert An UNPLANNED event results in radiation levels ,that prohibit or IMPEDE access to any Table R-2 rooms or areas. (Note 5)

Note 5: If the equipment in the listed room or area was already inoperable or out-of-service before the event occurred, then no *emergency classification is warranted.

Table R-2 Safe Operation & Shutdown Rooms/Areas Room/Area Mode(s)

Auxiliary Building - 115' - BASTs 2, 3,4 Auxiliary Building - 100' - BA Pumps 2, 3,4 Auxiliary Building - 85' ~Aux Control Board 2,3,4 Auxiliary Building - 64' - BART Tank area 2, 3,4

Area H (below Control Room) - 100' 480V Bus area/rooms 3,4 Mode Applicability:

2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter ch'ange or event may be known or unknown.

Basis:

ERO Decision Making Information The identified rooms are those where an activity must be performed to borate to cold shutdown, isolate accumulators or cooldown using RHR.

If the equipment in the listed room or area was already inoperable, or out-of-service, before the event occurred, then no emergency should be declared since the event will have no adverse impact beyond that already allowed by Technical Specifications at the time of the event.

I [Document No.] Rev. [X] Page 78 of 3081

ATTACHMENT 1 EAL Bases Rooms or areas in which actions of a contingent or emergency nature would be performed

. (e.g., an action to address an off-normal or emergency condition such as emergency repairs, corrective measures or emergency operations) are not included. In addition, the list specifies the plant mode(s) during which entry would be required for each room or area (ref. 1).

For RA3.2, an Alert declaration is warranted if entry into the affected room/area is, or may be, procedurally required during the plant operating mode in effect at the time of the elevated radiation levels. The emergency classification is not contingent upon whether entry is actually necessary at the time of the increased radiation levels. Access should be considered as IMPEDED if extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., installing temporary shielding, requiring use of non-routine protective equipment, requesting an extension in dose limits beyond normal administrative limits).

An emergency declaration is not warranted if any of the following conditions apply:

The plant is in an operating mode different than the mode specified for the affected room/area (i.e., entry is not required during the operating mode in effect at the time of the elevated radiation levels). For example, the plant is in Mode 1 when the radiation increase occurs, and the procedures used for normal operation, cooldown and shutdown do not require entry into the affected room until Mode 4.

The increased radiation levels are a result of a planned activity that includes compensatory measures which address the temporary inaccessibility of a room or area (e.g., radiography, spent filter or resin transfer, etc.).

The action for which room/area entry is required is of an administrative or record keeping nature (e.g., normal rounds or routine inspections).

The access control measures are of a conservative or precautionary nature, and would not actually prevent or IMPEDE a required action.

Escalation of the emergency classification level would be via Rec.ognition Category R, C or F ICs.

Background

The list of plant rooms or areas with entry-related mode applicability identified specify th'ose rooms or areas that contain equipment which require a manual/local action as specified in operating procedures used for normal plant operation, cooldown and shutdown.

This IC addresses elevated radiation levels fn certain plant rooms/areas sufficient to preclude or IMPEDE personnel from performing actions necessary-to maintain normal plant operation, or to perform a normal plant cooldown and shutdown. As such, it represents an actual or potential substantial degradation of the level of safety of the plant. The SM/SEC/ED should consider the cause of the increased radiation levels and determine if another IC may be applicable.

NOTE: EAL RA3.2 mode applicability has been limited to the applicable modes identified in Table R-2 Safe Operation & Shutdown Rooms/Areas. If due to plant operating procedure or plant configuration changes, the applicable plant modes specified in Table R-2 are changed, a corresponding change to Attachment 3 'Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases' and to EAL RA3.2 mode applicability is required."

I [Document No.] Rev. [X] Page 79 of 3081

ATIACHMENT 1 EAL Bases DCCP Basis Reference(s):

1. Attachment 3 Safe Operation & Shutdown Rooms/Areas Table R-2 & H-2 Bases

2. NEI 99-01 AA3 I [Document No.] Rev. [X] Page 80 of 3081

ATTACHMENT 1 EAL Bases Category E - Independent Spent Fuel Storage Installation (ISFSI)

EAL Group: Any (EALs in this category are applicab.le to any plant condition, hot or cold.)

An independent spent fuel storage installation (ISFSI) is a complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage. A significant amount of the radioactive material contained within a canister must escape its packaging and enter the biosphere for there to be a significant environmental effect resulting from an accident involving the dry storage of spent nuclear fuel.

An Unusual Event is declared on the basis of the occurrence of an event of sufficient magnitude that a loaded cask confinement boundary is damaged or violated.

The DCPP ISFSI is located within the OWNER CONTROLLED AREA but outside the PLANT PROTECTED AREA. Therefore SECURITY EVENTS related to the ISFSI are classified under either HU1.1 or HA1.1.

/SFSI PROTECTED AREA - Areas within the ISFSI to which access is strictly controlled in accordance with the station's Security Plan.

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan.

PLANT.PROTECTED AREA -Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT PROTECTED AREA.

I [Document No.] Rev. [X] Page 81 of 3081

ATTACHMENT 1 EAL Bases Category: ISFSI Su bcategory: Confinement Boundary Initiating Condition: Damage to a loaded cask CONFINEMENT BOUNDARY.

EA L:

EU 1.1 Unusual Event Da mage to a loaded cask CONFINEMENT BOUNDARY as indicated by an on-contact radi ation reading >Table E-1.

Table E-1 ISFSI Radiation Readings Surface Dose Dose Point Location Rate (see figure)

(mRem/hour)

.~*~~ **.:~::***:

1 Base vent 132 .. .:. .:.:

~. *': .... :***

~

3~ *~*:~.~*::

~~

.. ~ *.

Mid plane 150 2

3 Top vent 140 4 Lid-center 34 4a Lid-over top vents 267 Mo de Applicability:

All Definition(s):

co NFINEMENT BOUNDARY - The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. As ap plied to the DCPP ISFSI, the confinement bou ndary is defined to be the Multi-Purpose Ca nister (MPG).

INDEPENDENT SPENT FUEL STORAGE IN STALLA TION (ISFSI)

. BASEPLATE Ac omplex that is designed and constructed for the interim storage of spent nuclear fuel and oth er radioactive materials associated with spe nt fuel storage.

I [Do cument No.] Rev. [X] Page 82 of 308 *I

ATTACHMENT 1 EAL Bases

/SFS/ PROTECTED AREA Areas within the ISFSI to which access is strictly controlled in accordance with the station's Security Plan.

PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT PROTECTED AREA.

Basis:

ERO Decision Making Information An Unusual Event is declared on the basis of the occurrence'of any event of sufficient magnitude that a loaded cask confinement boundary is damaged or violated as indicated by external on-contact dose rates exceeding two times the maximum calculated levels of an overpack with a loaded MPC-32 canister, in ISFSI FSAR Table 7.3-1A based on the locations in ISFSI FSAR Figure 7.3-1 (ref. 1 and 2).

This IC addresses an event that results in damage to the CONFINEMENT BOUNDARY of a storage cask containing spent fuel. It applies to irradiated fuel that is licensed for dry storage beginning at the point that the loaded storage cask is sealed. Cask is sealed when welding is complete.

It is recognized that in the case of extreme damage to a loaded cask, the fact that the "on-contact" dose rate limit is exceeded may be determined based on measurement of a dose rate at some distance from the cask.

The existence of "damage" is determined by radiological survey. Exceedance of two times the maximum ISFSI FSAR dose rates, as noted in reference 1, is used here to distinguish between non-emergency and emergency conditions. The emphasis for this classification is the degradation in the level of safety of the spent fuel cask and not the magnitude of the associated dose or dose rate.

The DCPP ISFSI is located wholly outside the PLANT PROTECTED AREA, and is inside the ISFSI PROTECTED AREA. .

Security-related events for ISFSls are covered under ICs HU1 and HA1.

Background

The DCPP ISFSI Technical Specifications do not have maximum contact dose rate specified for the exterior of an overpack. The values in Table E-1 are derived from ISFSI FSAR Table 7.3-1A (ref 1). Table E-1 establishes surface dose rates that are two times the UFSAR Table 7.3-1A maximum calculated dose rate values ..

The ISFSI includes the dry-cask storage system, the cask transfer facility, onsite transporter, and the storage pads. The dry-cask storage system is the HI-STORM 100 System. This is a canister-based storage system that stores spent nuclear fuel in a vertical orientatio1;1. It consists of three discrete components: the MPG, the HI-TRAC 125 Transfer Cask, and the HI-STORM 100 System Overpack (see pictures at end of section). The MPG provides the confinement boundary for the stored fuel. The Hl.:TRAC 125 Transfer Cask provides radiation shielding and st.ructural protection of the MPG during transfer operations, while the storage*

I [Document No.] Rev. [X] Page 83 of 3081

ATTACHMENT 1 EAL Bases overpack provides radiation shielding and structural protection of the MPC during storage . The HI-STORM 100 System is passive and does not rely on any active cooling systems to remove spent fuel decay heat. After the storage casks are placed on the storage pad , the ISFSI Technical Specifications require that the casks be inspected periodically to ensure that the air vents are not blocked . Security personnel control access to the storage area and identify and assess off-normal and emergency events . Health physics personnel perform dose rate and contamination surveys to ensure that the appropriate regulatory limits are maintained .

Maintenance personnel maintain the facilities including the storage casks , emergency equipment, and transport systems (ref. 4).

The issues of concern are the creation of a potential or actual release path to the environment, degradation of one or more fuel assemblies due to environmental factors , and configuration changes which could cause challenges in removing the cask or fuel from storage.

DCCP Basis Reference(s):

1. Diablo Canyon ISFSI FSAR Update, Chapter 7 Radiation Protection, Table 7.3-1A "Surface and 1 Meter Dose Rates for the Overpack with an MPC-32 69,000 MWD/MTU and 5-Year Cool ing "

2. Diablo Canyon ISFSI FSAR Update, Chapter 7, Figure 7.3-1 "Cross Section Elevation of the Generic Hi-Storm 100S Overpack with Dose Point Locations. "

3. NRC Materials License No. SNM-2511 , LICENSE FOR INDEPENDENT STORAGE OF SPENT NUCLEAR FUEL AND HIGH-LEVEL RADIOACTIVE WASTE , Safety Evaluation Report

4. NEI 99-01 E-HU1 DCPP ISFSI HI-STORM 100 System HI-STORM Storage Casks (Overpack)

I [Document No.] Rev. [X] Page 84 of 3081

ATTACHMENT 1 EAL Bases Category C - Cold Shutdown I Refueling System Malfunction*

EAL Group: Cold Conditions (RCS temperature : : :; 200°F); EALs in this category are applicable only in one or more cold operating modes.

Category C EALs are directly associated with cold shutdown or refueling system safety functions. Given the variability of plant configurations (e.g., systems out-of-service for maintenance, containment open, reduced AC power redundancy, time since shutdown) during these periods, the consequences of any given initiating event can vary greatly. For example, a loss of decay heat removal capability that occurs at the end of an extended outage has less significance than a similar loss occurring during the first week after shutdown. Compounding these events is the likelihood that instrumentation necessary for assessment may also be inoperable. The cold shutdown and refueling system malfunction EALs are based on performance capability to the extent possible with consideration given to RCS integrity, containment closure, and fuel clad integrity for the applicable operating modes (5 - Cold Shutdown, 6 - Refueling, D - Defueled).

The events of this category pertain to the following subcategories:

1. RCS Level RCS water level is directly related to the status of adequate core cooling and, therefore, fuel clad integrity.

2. Loss of Emergency AC Power Loss of emergency plant electrical power can compromise plant SAFETY SYSTEM operability including decay heat removal and emergency core cooling systems which may be nece~sary to ensure fission product barrier integrity. This category includes loss of.

onsite and offsite power sources for 4.16KV AC emergency buses.

3. RCS Temperature Uncontrolled or inadvertent temperature or pressure increases are indicative of a potential loss of safety functions.

4. Loss of Vital DC Power Loss of emergency plant electrical power can compromise plant SAFETY SYSTEM operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of power to or degraded voltage on the 125V DC vital buses.

5. Loss of Communications Certain events that degrade plant operator ability to effectively communicate with essential personnel within or external to the plant warrant emergency classification.

6. Hazardous Event Affecting Safety Systems Certain hazardous natural and technological events may result in VISIBLE DAMAGE to or DEGRADED PERFORMANCE of SAFETY SYSTEMS warranting classification.

I [Document No.] Rev. [X] Page 85 of 3081

ATTACHMENT 1 EAL Bases DEGRADED PERFORMANCE - As applied to hazardous event thresholds, damage significant enough to cause concern regarding the operability or reliability of the 'affected safety system train.

SAFETY SYSTEM -Asystem required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reaetor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents whic.h could result in potential offsite exposures.

VISIBLE DAMAGE - Damage to a SAFETY SYSTEM train that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train.

I [Document No.] Rev. [X] Page ,86 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: UNPLANNED loss of RCS inventory.

EAL:

CU1.1 Unusual Event UNPLANNED loss of RCS inventory results in RCS water level less than a procedurally designated lower limit for~ 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

REDUCED INVENTORY CONDITION (RIC) - The condition existing whenever RCS water level is lower than 3 feet below the reactor vessel flange (below 111-foot elevation) with fuel in the core.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

ERO Decision Making Information Refueling evolutions that decrease RCS water inventory are carefully planned and controlled.

An UNPLANNED event that results in water level decreasing below a procedurally required limit warrants the declaration of an Unusual Event due to the reduced water inventory that is available to keep the core covered.

The 15-minute threshold duration allows sufficient time for prompt operator actions to restore and maintain the expected water level. This criterion excludes transient conditions causing a brief lowering of water level.

Continued loss of RCS inventory may result in escalation to the Alert emergency classification level via either IC CA 1 or CA3.

Background

With the plant in Cold Shutdown, RCS water level is normally maintained above 25% Cold Calibration Pressurizer level (-129 ft. elevation). However, if RCS level is being controlled below 25%, or if level is being maintained in a procedurally*designated band in the reactor vessel it is the inability to maintain level above the low end of the designated control band due to a loss of inventory resulting from a leak in the RCS that is the concern (ref. 2).

With the plant in Refueling mode, RCS water level is normally maintained at or above the reactor vessel flange (Technical Specifications requires at least 23 ft. of water above the top of the reactor vessel flange in the refueling cavity during refueling operations) (ref. 1). However, J [Document No.] Rev. [X] Page 87 of 308 J

ATTACHMENT 1 EAL Bases RCS level may be maintained below the reactor vessel flange if in "lowered inventory" or "REDUCED INVENTORY" condition (ref. 2).

This EAL addresses the inability to restore and maintain water level to a required minimum level (or the lower limit of a procedurally specified level band). This condition is considered to be a potential degradation of the level of safety of the plant.

This EAL recognizes that the minimum required RCS level can change several times during the course of a refueling outage as different plant configurations and system lineups are implemented. This EAL is met if the minimum level, specified for the current plant conditions, cannot be maintained for 15 minutes or longer. The minimum level is typically specified in the applicable operating procedure but may be specified in another controlling document.

DCPP Basis Reference(s):

1. Technical Specification 3.9.7, Refueling Cavity Water Level

2. OP A-2: II, U1 Reactor Vessel - Draining the RCS to the Vessel Flange - With Fuel in Vessel

3. NEI 99-01 CU1

/

I [Document No.] Rev. [X] Page 88 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: UNPLANNED loss of RCS inventory.

EAL:

CU1.2 Unusual Event RCS water level cannot be monitored.

AND EITHER

UNPLANN~D increase, in any Table C-1 sump/tank level due to loss of RCS inventory.

Visual observation of UNISOLABLE RCS LEAKAGE.

Table C-1 Sumps I Tanks

Containment Structure Sumps

Reactor Cavity Sump

PRT

RCDT

CCW Surge Tank(s)

Auxiliary Building Sump

RWST

RHR Room Sumps (alarm only)

MEDT Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

INTACT (RCS) - The RCS should be considered intact when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle dams).

RCS LEAKAGE - RCS leakage shall be:

a. Identified Leakage

1. Leakage, such as thatfrom pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured and conducted to collection systems or a sump or collecting tank;

2. Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage; I [Document No.] Rev. [X] Page 89 of 3081

ATTACHMENT 1 EAL Bases

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage Leakage (except primary to secondary leakage) through a non-isolable fault in an RCS component body, pipe wall,_ or vessel wall.

d. RCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that directly see RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the shutdown cooling mode).

UNISOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed due to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event.may be known or unknown.

Basis:

ERO Decision Making Information Refueling evolutions that decrease RCS water inventory are carefully planned and controlled.

An UNPLANNED event that results in water level decreasing below a procedurally required limit warrants the declaration of an Unusual Event due to the reduced water inventory that is available to keep the core covered. The ability to monitor RCS level includes level instrumentation as well as direct and indirect (e. g. camera) visual observation.

This EAL addresses a condition where all means to determine RCS level have been lost. In this condition, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels (Table C-1). Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS.

(continued)

I [Document No.] Rev. [X] Page 90 of 3081

ATTACHMENT 1 EAL Bases All of the Table C-1 Tanks are trended by either chart recorders, control room level indication and/or computer inputs, except for the RHR Sumps. The RHR Sumps, with a capacity of about 500 gallons each, can be evaluated by the frequency of the Hi Alarm/Pump Run alarms. Such trending methods should be used to evaluate RCS loss rate versus sump level increases. For reference purposes, the capacity of each tank system is listed below. These are based on Plant Manual Volume 9 Storage Tank Volume Data sheets.

Tank I Sump Gallons Data sheets Containment Structure Sumps

718 CMD IE-19.8 a & b Reactor Cavity Sump 284 CMD IE-19.9 a & b PRT 13466 CMD IE-7.1 a & b RCDT 377 (U-1) CMD IE-19.4 a, b & c 390 (U-2)

I CCW Surge Tank(s) 5352 per CMD IE-14.1 a & b each half Auxiliary Building Sump 4840 CMD IE-19.7 a & b RWST 484703 CMD IE-9.2 a & b MEDT 4541 CMD IE-19.6a & b Continued loss of RCS inventory may result in escalation to the Alert emergency classification level via either IC CA1 or CA3.

Background .

In Cold Shutdown mode, the RCS will normally be INTACT and standard RCS level monitoring means are available.

In this EAL, the ability to monitor RCS level is lost such that RCS inventory loss must be detected by indirect leakage indications. The ability to monitor RCS level includes level instrumentation as well as direct and indirect (e. g. camera) visual observation. Level increases must be evaluated against other potential sources of leakage such as cooling water sources inside the containment to ensure they are indicative of RCS LEAKAGE. If the make-up rate to the RCS unexplainably rises above the pre-established rate to maintain RCS inventory, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified. Visual observation of leakage from systems connected to the RCS that cannot be isolated could also be indicative of a loss of RCS inventory (ref. 1).

This IC addresses the loss of the ability to monitor RCS level concurrent with indications of RCS LEAKAGE. Either of these conditions is considered to be a potential degradation of the level of safety of the plant.

DCPP Ba~is Reference(s):

1. OP AP SD-2, "Loss of RCS Inventory

2. NEI 99-01 CU1 I [Document No.] Rev. [X] Page 91 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory.

EAL:

CA1.1 Alert Loss of RCS inventory as indicated by reactor vessel level < 107 ft. 6 in. (107.5 ft.) on RVRLIS, Ll-400 standpipe or ultrasonic sensor. "

OR

< 67.5% RVLIS full range (RVLIS equivalent to 107 ft. 6 in.).

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

None Basis:

ERO Decision Making Information When reactor vessel water level decreases to 107 ft. 6 in. el., RCS level is -21 in. above the bottom of the RCS hot leg penetration. This is the minimum procedurally allowed RCS level to preclude vortexing of the RHR pumps while in Shutdown Cooling. This level can be monitored by:

RVRLIS

Ll-400 standpipe

Ultrasonic sensor Although related, this EAL is concerned with the loss of RCS inventory and not the potential concurrent effects on systems needed for decay heat removal (e.g., loss of a Decay Heat Removal suction point). An increase in RCS temperature caused by a loss of decay heat removal capability is evaluated under IC CA3.

For this EAL, a lowering of RCS water level below the specified level indicates that operator actions have not been successful in restoring and maintaining RCS water level. The heat-up rate of the coolant will increase as the available water inventory is reduced. A continuing decrease in water level will lead to core uncovery.

If RCS water level continues to lower, then escalation to Site Area Emergency would be via IC CS1.

(continued) j [Document No.] Rev. [X] Page 92 of 308 j L

ATTACHMENT 1 EAL Bases

Background

The purpose of the Reactor Vessel Refueling Level Instrumentation System (RVRLIS) is to provide reactor vessel and refueling cavity level indication during refueling, when the vessel head will be removed, and during drainage to half loop. The system is designed to be used only when the RCS is at near atmospheric pressure or when a vacuum is being established for refill operations. The wide range and narrow range RVRLIS (if required) and the Ll-400 standpipe systems remain in service from the time RCS level is lowered below 25% Cold Calibrated Pressurizer level until just prior to pressurizing the RCS. Narrow Range RVRLIS is required if reduced inventory conditions (below 111 ft. elevation) are planned.

The Ll-400 standpipe is a magnetic level indicator (Ll-400A, B, C standpipe) and provides local indication of reactor vessel refueling level. The indicator is mounted on the outside of the secondary shield wall (crane wall) and can be viewed from the 91 ft. elevation of Containment.

The indicator is composed of three mechanical flag indicator units.

RVRLIS, Ll-400 standpipe and ultrasonic detectors ,are off-scale low (105 ft. 9 in.) wheri reactor vessel water level drops below the elevation of the bottom of the RCS hot leg penetration. The ultrasonic sensor is installed during an outage and measures level on one of the hot legs.

The purpose of the Reactor Vessel Level Instrumentation- System (RVLIS) is to measure the level of the water or the relative void content of the coolant in the reactor vessel. The RVLIS setpoint corresponding to the minimum RHR pump operation limit was obtained as follows (ref.

2, 3, 4):

Full range:

o = =

Per SC-l-87B, span 494.9 in. and 0% 79.6536 feet o % span/in. = 100 I 494.9 = 0.20206%/in. and minimum RCS level for RHR

=

operation (from above) 107 .5 feet

0 . (107.5 - 79.6536) x 12 x 0.20206 =;= 67.5%

This IC addresses conditions that are precursors to a loss of the ability to adequately cool irradiated fuel (i.e., a precursor to a challenge to the fuel clad barrier). This condition represents a potential substantial reouction in the level of plarit safety.

DCPP Basis Reference(s):

1. Plant Drawing No. 57729

2. OP A-2:111, Reactor Vessel - Draining to Half Loop/Half Loop Operations with Fuel in Vessel

3. Instrument Scaling Calculation SC-l-87B, Reactor Vessel Level Instrumentation Syst.em and Subcooled Margin Monitor

4. OP AP SD-0 Loss of, or Inadequate Decay Heat Removal

5. NEI 99-01 CA1 I [Document No.] Rev. [X] Page 93 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory.

EAL:

CA1.2 Alert RCS water level cannot be monitored for ~ 15 minu.tes. (Note 1)

AND EITHER

UNPLANNED increase in any Table C-1 Sump I Tank level due to loss of RCS inventory.

Visual observation of UNISOLABLE RCS LEAKAGE.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table C-1 Sumps I Tanks

Containment Structure Sumps

Reactor Cavity Sump

PRT

RCDT

CCW Surge Tank(s)

Auxiliary Building Sump

RWST

RHR Room Sumps (alarm only)

MEDT Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

INTACT (RCS) - The RCS should be considered intact when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle dams).

RCS LEAKAGE - RCS leakage shall be:

a. Identified Leakage

1. Leakage, such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured and conducted to collection systems or a sump or collecting tank; j [Document No.] Rev. [X] Page 94 of 308 J

ATTACHMENT 1 EAL Bases

2. Leakage into the containment atmosphere from sources that are both *specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage;

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage Leakage (except primary to secondary leakage) through a non-isolable fault in an RCS component body, pipe wall, or vessel wall.

e. RCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that directly se.e RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the shutdown* cooling mode).

UNISOLABLE -An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed due to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

ERO Decision Making Information In this EAL, the ability to monitor RCS level would be unavailable for greater than 15 minutes, and the RCS inventory loss must be detected by indirect leakage indications (Table C-1). The ability to monitor RCS level includes level instrumentation as well as direct and indirect (e. g.

camera) visual observation.

Level increases must be evaluated against other potential sources of leakage such as cooling water sources inside the containment to ensure they are indicative of RCS LEAKAGE. If the make-up rate to the RCS unexplainably rises above the pre-established rate, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified.

Visual observation of leakage from systems connected to the RCS that cannot be isolated could also be indicative of a loss of RCS inventory (ref. 1, 2).

(continued)

I [Document No.] Rev. [X] Page 95 of 3081

ATTACHMENT 1 EAL Bases All of the Table C-1 Tanks are trended by either chart recorders, control room level indication and/or computer inputs, except for the RHR Sumps. The RHR Sumps, with a capacity of about 500 gallons each, can be evaluated by the frequency of the Hi Alarm/Pump Run alarms. Such

) trending methods should be used to evaluate RCS loss rate versus sump level increases. For reference purposes, the capacity of each tank system is listed below. These are based on Plant Manual Volume 9 Storage Tank Volume Data sheets.

Tank/ Sump Gallons Data sheets Containment Structure Sumps 718 CMD IE-19.8 a & b Reactor Cavity Sump 284 CMD IE-19.9 a & b PRT '13466 CMD IE-7.1 a & b RCDT 377 (U-1) CMD IE-19.4 a, b & c 390 (U-2)

CCW Surge Tank(s) 5352 per CMD IE-14.1 a & b each half Auxiliary Building Sump 4840 CMD IE-19.7 a & b RWST 484703 CMD IE-9.2 a & b MEDT 4541 CMD IE-19.6a & b If the RCS inventory level continues to lower, then escalation to Site Area Emergency would be via IC CS1.

Background

For this EAL, the inability to monitor RCS level may be caused by instrumentation and/or power failures, or water level dropping below the range of available instrumentation. If water level cannot be monitored by direct or indirect methods, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels. Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS.

In Cold Shutdown mode, the RCS will normally be INTACT and standard RCS level monitoring

.means are available.

In the Refuel mode, the RCS is not INTACT and RPV level may be monitored by different means, including the ability to monitor level visually.

This IC addresses conditions that are precursors to a loss of the ability to adequately cool irradiated fuel (i.e., a precursor to a challenge to the fuel clad barrier). This condition represents a potential substantial reduction in the level of plant safety.

The 15-minute duration for the loss of level indication was chosen because it is half of the EAL duration specified in IC CS1.

j [Document No.] Rev. [X] Page 96 of 308 j

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. OP AP SD-2, Loss of RCS Inventory

2. OP AP-1, Excessive Reactor Coolant System Leakage

3. NEI 99-01 CA 1

/ [Document No.] Rev. [X] Page 97 of 308 /

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting core decay heat removal capability.

EAL:

CS1 .1 Site Area Emergency With CONTAINMENT CLOSURE not established, RVLIS full range< 62.1 %. (Note 12)

Note 12: With RVLIS out-of-service, classification shall be based on CS1 .3 or CG1 .2 if RCS inventory cannot be monitored.

Mode Applicability:

5 - C.old Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 Containment Closure.

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

Basis:

ERO Decision Making Information This EAL is only applicable when RVLIS is in service (see Note 12).

Wheri reactor vessel water level lowers to 62.1 %, water level is six inches below the elevation of the bottom of the RCS hot leg penetration.

Six inches below the elevation of the bottom of the RCS hot leg penetration can be 'monitored only by RVLIS.

Other reactor vessel water level monitoring systems (e.g., RVRLIS, Ll-400 standpipe, ultrasonic sensor, RVLIS upper range) are downscale-low when water level drops below the elevation of the bottom of the RCS hot leg penetration.

Escalation of the emergency classification level would be via IC CG1 or RG1.

(continued)

I [Document No.] I Rev. [X] Page 98 of 3081

ATTACHMENT 1 EAL Bases

Background

When reactor vessel water level drops significantly below the elevation of the bottom of the RCS hot leg penetration, all sources of RCS injection have failed or are incapable of making up for the inventory loss.

The RVLIS setpoint corresponding to six inches below the elevation of the bottom of the RCS hot leg penetration was obtained as follows (ref. 1, 2, 3, 4):

Per SC-l-87B, span= 494.9 in. and 0% = 79.6536 feet

% span/in. = 100 I 494.9 = 0.20206%/in. and bottom of the hot leg (from above) =

105.75 feet

(105.75 79.6536) x 12 x 0.20206 = 62.1%

Under the conditions specified by this EAL, continued lowering of reacto.r vessel water level is indicative of a loss of inventory control. Inventory loss may be due to a vessel breach, RCS pressure boundary leakage or continued boiling in the reactor vessel. The magnitude of this loss of water indicates that makeup systems have not been effective and may not be capable of preventing further RCS or reactor vessel water level drop and potential core uncovery. The inability to restore and maintain level after reaching this setpoint infers a failure of the RCS barrier and potential loss of the Fuel Clad barrier.

The status of Containment closure is tracked if plant conditions change that could raise the risk of a fission product release as a result of a loss of decay heat removal (ref. 5).

This IC addresses a significant and prolonged loss of RCS inventory control and makeup capability leading to IMMINENT fuel damage. The lost inventory may be due to a RCS component failure, a loss of configuratiori control or prolonged boiling of reactor coolant.

These conditioris entail major failures of plant functions needed for protection of the public and thus warrant a Site Area Emergency declaration.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level cannot be restored, fuel damage is probable.

Outage/shutdown contingency plans typically provide for re-establishing or verifying CONTAINMENT CLOSURE following a loss of heat removal or RCS inventory control functions. The difference. in the specified RCS/reactor vessel levels of EALs CS1 .1 and CS2.2 reflect the fact that with CONTAINMENT CLOSURE established, there is a lower probability of a fission product release to the environment.

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal; SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues; NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants .in the United States; and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

I [Document No.] Rev. [X] Page 99 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. Plant Drawing No. 57729

2. OP A-2:111, Reactor Vessel - Draining to Half Loop/Half Loop Operations with Fuel in Vessel

3. AP E-55, Equipment Elevations for RCS Flood-Up and Drain-Down

4. Instrument scaling calculation SC-1-878, "Reactor Vessel Level Instrumentation System and Subcooled Margin Monitor

5. AD8.DC54, Containment Closure

6. NEI 99-01 CS1 I [Document No.] Rev. [X] Page 100 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting core decay heat removal capability.

EAL:

CS1 .2 Site Area Emergency With CONTAINMENT CLOSURE established, RVLIS full range< 56.6% (Top of Fuel).

(Note 12)

Note 12: With RVLIS out-of-service, classification shall be based on CS1 .3 or CG1 .2 if RCS inventory cannot be monitored.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s}:

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions. I As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 Containment Closure.

IMMINENT - The trajectory of events or conditions is such that an EAL Will be met within a relatively short period of time regardless of mitigation or corrective actions.

Bases:

ERO Decision Making Information This EAL is only applicable when RVLIS is in service (see Note 12).

When reactor vessel water level drops below RVLIS full range indication of 56.6% core uncovery is about to occur. This level drop can only be remotely monitored by reactor vessel Level Instrumentation System (RVLIS).

Other reactor vessel water level monitoring systems (e.g., RVRLIS, Ll-400 standpipe, ultrasonic sensor, RVLIS upper range) are downscale-low when water level drops below the elevation of the bottom of the RCS hot leg penetration.

Escalation of the emergency classification level would be via IC CG1 or RG1.

(continued)

I [Document No.] Rev. [X] Page 101 of 3081

ATTACHMENT 1 EAL Bases

Background

The RVLIS setpoint corresponding to the top of fuel was obtained as follows (ref. 1, 2, 3, 4):

Per SC-l-87B, span= 494.9 in. and 0% = 79.6536 feet

% span/in. = 100 I 494.9-= 0.20206%/in. and top of core = 103 feet

(103 - 79.6536) x 12 x 0.20206 = 56.6%

Under the conditions specified by this EAL, continued lowering of reactor vessel water level is indicative of a loss of inventory control. Inventory loss may be due to a vessel breach, RCS pressure boundary leakage or continued boiling in the reactor vessel. The magnitude of this loss of water indicates that makeup systems have not been effective and may not be capable of preventing further RCS or reactorvessel water level drop and potential core uncovery. The inability to restore and maintain level after reaching this setpoint infers a failure of the RCS barrier and Potential Loss of the Fuel Clad barrier.

The status of Containment closure is tracked if plant conditions change that could raise the risk of a fission product release as a result of a loss of decay heat removal (ref. 5).

This IC addresses a significant and prolonged loss of RCS inventory control and makeup

, capability leading to IMMINENT fuel damage. The lost inventory may be due to a RCS component failure, a loss of configuration control or prolonged boiling of reactor coolant.

1 These conditions entail major failures of plant functions needed for protection of the public and thus warrant a Site Area Emergency declaration.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level cannot be restored, fuel damage is probable.

Outage/shutdown contingency plans typically provide for re-establishing or verifying CONTAINMENT CLOSURE following a loss of heat removal or RCS inventory control functions. The difference in the specified RCS/reactor vessel levels of EALs CS1 .1 and CS1 .2 reflect the fact that with CONTAINMENT CLOSURE established, there is a lower probability of a fission product release to the environment.

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal; SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues; NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States; and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

DCPP Basis Reference{s):

1. Plant Drawing No. 57729

2. OP A-2:111, Reactor Vessel - Draining to Half Loop/Half Loop Operations with Fuel in Vessel

3. AP E-55, Equipment Elevations for RCS Flood-Up and Drain-Down

4. Instrument scaling calculation SC-l-87B, "Reactor Vessel Level lnst,rumentation System and Subcooled Margin Monitor

5. AD8.DC54, Containment Closure

6. NEI 99-01 CS1 I [Document No.] Rev. [X] Page 102 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting core decay heat removal capability.

EAL:

CS1.3 Site Area Emergency RCS water level cannot be monitored for ;:: 30 minutes. (Note 1)

AND Core uncovery is ind!cated by any of the following:

UNPLANNED increase in any Table C-1 sump/tank level of sufficient magnitude to indicate core uncover.

Any Bridge (Manipulator) Crane Radiation Monitor> 9 R/hr.

Erratic Source Range Monitor indication.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table C-1 Sumps I Tanks

Containment Structure Sumps

Reactor Cavity Sump

PRT I

RCDT

CCW Surge Tank(s)

Auxiliary Building Sump

RWST

RHR Room Sumps (alarm only)

MEDT Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

INTACT (RCS) - The RCS should be considered intact when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle dams).

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

J [Document No.] Rev. [X] Page 103 of 308 J

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information In this EAL, the ability to monitor RCS level would be unavailable for greater than 30 minutes, and the RCS inventory loss must be detected by indirect leakage indications (Table C-1). The ability to monitor RCS level includes level instrumentation as well as direct and indirect (e. g.

camera) visual observation.

All of the Table C-1 Tanks are trended by either chart recorders, control room level indication and/or computer inputs, except for the RHR Sumps. The RHR Sumps, with a capacity of about 500 gallons each, can be evaluated by the frequency of the Hi Alarm/Pump Run alarms. Such trending methods should be used to evaluate RCS loss rate versus sump level increases. For reference purposes, the capacity of each tank system is listed below. These are based on Plant Manual Volume 9 Storage Tank Volume Data sheets.

Tank I Sump Gallons Data sheets Containment Structure Sumps 718 CMD IE-19.8 a &'b Reactor Cavity Sump 284 CMD IE-19.9 a & b PRT 13466 CMD IE-7.1 a & b RCDT 377 (U-1) CMD IE-19.4 a, b & c 390 (U-2)

CCW Surge Tank(s) 5352 per CMD IE-14.1 a & b each half Auxiliary Building Sump 4840 CMD IE-19.7 a & b ',

RWST 484703 CMD IE-9.2 a & b MEDT 4541 CMD IE-19.6a & b The reactor vessel inventory loss may be detected by the radiation monitors or erratic source range monitor indication. As water level in the reactor vessel lowers, the dose rate above the core will rise. The Bridge Crane Radiation Monitors can be monitored either locally, or remotely on the Viewpoint software.

Post-TMI accident studies indicated that the installed PWR nuclear instrumentation will operate erratically when the core is uncovered and that this should be used as a tool for making such determinations (ref.1 ).

The inability to monitor RCS level may be caused by instrumentation and/or power failures, or water level dropping below the range of available instrumentation. If water level cannot be monitored, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels. Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS .

Escalation of the emergency classification level would be via IC CG1 or RG1.

I [Document No.] Rev. [X] Page 104 of 3081

ATTACHMENT 1 EAL Bases

Background

In Cold Shutdown mode, the RCS will normally be INTACT and standard RCS level monitoring means are available.

In the Refueling mode, the RCS is not INTACT and RPV level may be monitored by different means, including thE( ability to monitor level visually.

Level increases must be evaluated against other potential sources of leakage such as cooling water sources inside the containment to ensure they are indicative of RCS LEAKAGE. If the make-up rate to the. RCS unexplainably rises above the pre-established rate, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified.

The dose rate due to this core shine should result in increased Bridge (Manipulator) Crane Radiation Monitor indication. A reading of 9 R/hr (90% of instrument scale) is indicative of core uncovery. There are a number of variables governing the projected dose rate from an actual core uncover (ref. 2).

This IC addresses a significant and prolonged loss of RCS inventory control and makeup capability leading to IMMINENT fuel damage. The lost inventory may be due to a RCS component failure, a loss of configuration control or prolonged boiling of reactor coolant.

1hese conditions entail major failures of plant functions needed for protection of the public and thus warrant a Site Area Emergency declaration.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level cannot be restored, fuel damage is probable.

The 30-minute criterion is tied to a readily recognizable event start time (i.e., the total loss of ability to monitor level), and allows sufficient time to monitor, assess and correlate reactor and plant conditions to determine if core uncovery has actually occurred (i.e., to account for various accident progression and instrumentation uncertainties). It also allows sufficient time for performance of actions to terminate leakage, recover inventory control/makeup equipment and/or restore level monitoring.

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal; SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues; NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States; and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

DCPP Basis Reference(s):

1. Nuclear Safety Analysis Center (NSAC), 1980, "Analysis of Three Mile Island - Unit 2 Accident," NSAC-1

2. EP-.EALCALC-DCPP-1603 Radiation Monitor Readings for Core Uncovery During Refueling *

3. NEI 99-01 CS1 I [Document No.] Rev. [X] Page 105 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting fuel clad integrity with containment challenged.

EAL:

CG1 .1 General Emergency RVLIS full range< 56.6% (Top of Fuel) for;:: 30 minutes. (Notes 1, 12)

AND Any Containment Challenge indication, Table C-2.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 6: If CONTAINMENT CLOSURE is re-established prior to exceeding the 30-minute time limit, declaration of a General Emergency is not required.

Note 12: With RVLIS out-of-service, classification.shall be based on CS1 .3 or CG1 .2 if RCS inventory cannot be monitored.

Table C-2 Containment Challenge Indications

CONTAINMENT CLOSURE not established (Note 6)

Containment hydrogen concentration ;:: 4%

UNPLANNED rise in Containment pressure Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 Containment Closure.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

I [Document No.] Rev. [X] Page 106 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This EAL is only applicable when RVLIS is in service (see Note 12).

When reactor. vessel water level drops below RVLIS full range indication of 56.6% core uncovery is about to occur. This level drop can only be remotely monitored by Reactor Vessel Level Instrumentation System (RVLIS).

Other reactor vessel water level monitoring systems (e.g., RVRLIS, Ll-400 standpipe, ultrasonic sensor, RVLIS upper range) are downscale-low when water level drops below the elevation of the bottom of the RCS hot leg penetration.

Three conditions are associated with a challenge to Containment:

1. CONTAINMENT CLOSURE not established

2. Containment hydrogen;:::: 4%

3. UNPLANNED rise in Containment pressure (Containment pressure changes due to ventilation system changes do not constitute a containment challenge)

With CONTAINMENT CLOSURE not established, there is a high potential for a direct and unmonitored release of radioactivity to the environment. If CONTAINMENT CLOSURE is re-established prior to exceeding the 30-minute time limit, then declaration of a General Emergency is not required.

During periods when installed containment hydrogen gas monitors are out-of-service, use the other listed indications to assess whether or not containment is challenged.

The 30-minute criterion is tied to a readily recognizable event start time (i.e., the total loss of ability to monitor level), and allows sufficient time to monitor, assess and correlate reactor and plant conditions to determine if core uncovery has actually occurred (i.e., to account for various accident progression and instrumentation uncertainties). It also allows sufficient time for performance of actions to terminate leakage, recover inventory control/makeup equipment and/or restore level monitoring.

Background

The RVLIS setpoint corresponding to the top of fuel was obtained as follows (ref. 1, 2, 3, 4):

Per SC-l-87B, span= 494.9 in. and 0% = 79.6536 feet

% span/in. = 100 I 494.9 = 0.,20206%/in. and top of core = 103 feet

(103 - 79.6536) x 12 x 0.20206 = 56.6%

(continued)

I [Document No.] Rev. [X] Page 107 of 3081

ATTACHMENT 1 EAL Bases Three conditions are associated with a challenge to Containment:

1. CONTAINMENT COSURE not established - The status of Containment closure is tracked if plant conditions change that could raise the risk of a fission product release as a result of a loss of decay heat removal (ref.5). If containment closure is re-established prior to exceeding the 30 minute core uncovery time limit then escalation to GE would not be required. _ .

2. Containment hydrogen~ 4% - The 4% hydrogen concentration threshold is generally considered the lower limit for hydrogen deflagrations. To generate such levels of combustible gas, loss of the Fuel Clad and RCS barriers are likely to have occurred.

Operation of the Containment Hydrogen Recombiner with Containment hydrogen concentrations above 4.0% could result in ignition of the hydrogen. If in operation, containment hydrogen can be monitored in the Control Room on ANR-82/ANR-83 and PAM1 following local equipment initialization (ref. 6, 7)

3. UNPLANNED rise in Containment pressure - In the operating modes associated with this EAL, Containment pressure is expected to remain very low; thus, an elevated Containment pressure resulting from an UNPLANNED rise above near-atmospheric_.

pressure conditions may be indicative of a challenge to the Containment barrier.

Containment pressure changes due to ventilation system changes do not constitute a containment challenge.

Under the conditions specified by: this EAL, continued lowering of reactor vessel water level is indicative of a loss of inventory control with a challenge to the Containment. Inventory loss may be due to a vessel breach, RCS pressure boundary leakage or continued boiling in the reactor vessel. The magnitude of this loss of water indicates that makeup systems have not been effective and may not be capable of preventing further RCS or reactor vessel water level drop and potential core uncovery. The inability to restore and maintain level inventory within 30 minutes after reaching this condition in combination with a Containment challenge infers a failure of the RCS barrier, Loss of the Fuel Clad barrier and a Potential Loss of Containment.

I This IC addresses the inability to restore and maintain reactor vessel level above the top of active fuel with containment challenged. This condition represents actual or IMMINENT substantial core degradation or melting with potential for loss of containment. Releases can be reasonably expected to exceed EPA PAG exposure levels offsite for more than the immediate site area.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level.

cannot be restored, fuel damage is probable.

The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen burn (i.e., at the lower deflagration limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a challenge to Containment integrity.

(continued)

I [Document No.] Rev. [X] Page 108 of 3081

ATTACHMENT 1 EAL Bases In the early stages of a core L1ncovery event, it is unlikely that hydrogen buildup due to a core uncovery could result in an explosive gas mixture in containment. If all installed hydrogen gas monitors are out-of-service during an event leading to fuel cladding damage, it may not be possible to obtain a containment hydrogen gas concentration reading as ambient conditions within the containment will preclude personnel access.

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal; SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues; NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States; and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

DCPP Basis Reference(s}:

1. Plant Drawing No. 57729

2. OP A-2:111, Reactor Vessel - Draining to Half Loop/Half Loop Operations with Fuel in Vessel

3. AP E-55, Equipment Elevations for RCS Flood-Up and Drain-Down

4. Instrument scaling calculation SC-1-878, "Reactor Vessel Level Instrumentation System and Subcooled Margin Monitor

5. AD8.DC54, Containment Closure

6. CA-3, Hydrogen Flammability in Containment

7. OP H-9, Inside Containment H2 Recombination System

8. NEI 99-01 CG1

/

I [Document No.] Rev. [X] Page 109 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction

. Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting fuel clad integrity with containment challenged.

EAL:

CG1 .2 General Emergency RCS level cannot be monitored for~ 30 minutes. (Note 1)

AND Core uncovery is indicated by any of the following:

UNPLANNED increase in any Table C-1 sump/tank level of sufficient magnitude to indicate core uncover.

Any Bridge (Manipulator) Crane Radiation Monitor > 9 R/hr.

Erratic Source Range Monitor indication.

AND Any Containment Challenge indication, Table C-2.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 6: If CONTAINMENT CLOSURE is re-established prior to exceeding the 30-minute time limit, declaration of a General Emergency is not required.

I [Document No.] Rev. [X] Page 110 of 3081

ATTACHMENT 1 EAL Bases Table C-1 Sumps I Tanks

Containment Structure Sumps

Reactor Cavity Sump

PRT

RCDT

CCW Surge Tank(s)

Auxiliary Building Sump

RWST

RHR Room Sumps (alarm only)

MEDT Table C-2 Containment Challenge Indications

CONTAINMENT CLOSURE not established (Note 6)

Containment hydrogen concentration ~ 4%

UNPLANNED rise in containment pressure Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 Containment Closure.

INTACT (RCS) - The RCS should be considered intact when the RCS pressure boundary is in I its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle 1

dams).

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

I [Document No.] Rev. [X] Page 111 of 3081

ATTACHMENT 1 /

EAL Bases Basis:

ERO Decision Making Information In this EAL, the ability to monitor RCS level would be unavailable for greater than 30 minutes, and the RCS inventory loss must be detected by indirect leakage indications (Table C-1). The ability to monitor RCS level includes level instrumentation as well as direct and indirect (e. g.

camera) visual observation.

All of the Table C-1 Tanks are trended by either chart recorders, control room level indication and/or computer inputs, except for the RHR Sumps. The RHR Sumps, with a capacity of about 500 gallons each, can be evaluated by the frequency of the Hi Alarm/Pump Run alarms. Such trending methods should be used to evaluate RCS' loss rate versus sump level increases. For reference purposes, the capacity of each tank system is listed below. These are based on Plant Manual Volume 9 Storage Tank Volume Data sheets.

Tank I Sump Gallons Data sheets Containment Structure Sumps 718 CMD IE-19.8 a & b Reactor Cavity Sump 284 CMD IE-19.9 a & b PRT 13466 CMD IE-7.1 a & b RCDT 377 (U-1) CMD IE-19:4 a, b & c 390 (U-2)

CCW Surge Tank(s) 5352 per CMD IE-14.1 a & b each half Auxiliary Building Sump 4840 CMD IE-19.7 a & b RWST 484703 CMD IE-9.2 a & b MEDT 4541 CMD IE-19.6a & b The reactor vessel inventory loss may be detected by the radiation monitors or erratic source range monitor indication. As water level in the reactor vessel lowers, the dose rate above the core will rise. The Bridge Crane Radiation Monitors can be monitored either locally, or remotely on the Viewpoint software.

Post-TMI accident studies indicated that the installed PWR nuclear instrumentation will operate erratically when the core is uncovered and that this should be used as a tool for making such determinations (ref. 1).

Source Range indication can be seen on Source Range Detectors Nl-31 & 32 as well as the Gammametrics detectors.

Three conditions are associated with a challenge to Containment:

1. CONTAINMENT COSURE not established

2. Containment hydrogen ;::: 4%

3. UNPLANNED rise in Containment pressure (Containment pressure changes due to ventilation system changes do not constitute a containment challenge)

I [Document No.] I Rev. [X] I Page 112 of 308 J

ATTACHMENT 1 EAL Bases During periods when installed containment hydrogen gas monitors are out-of-service, use the other listed indications to assess whether or not containment is challenged.

The 30-minute criterion is tied to a readily recognizable event start time (i.e., the total loss of ability to monitor level), and allows sufficient time to monitor, assess and correlate reactor and plant conditions to determine if core uncovery has actually occurred (i.e., to account for various accident progression and instrumentation uncertainties). It also allows sufficient time for performance of actions to terminate leakage, recover inventory control/makeup equipment and/or restore level monitoring.

The inability to monitor RCS level may be caused by instrumentation and/or power failures, or water level dropping below the range of available instrumentation. If water level cannot be monitored, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels. Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS.

Background

In Cold Shutdown mode, the RCS will normally be INTACT and standard RCS level monitoring means are available.

In the Refueling mode, the RCS is not INTACT and RPV level may be monitored by different means, including the ability to monitor level visually.

Level increases must be evaluated against other potential sources of leakage such as cooling water sources inside the containment to ensure they are indicative of RCS LEAKAGE. If the make-up rate to the RCS unexplainably rises above the pre-established rate, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified.

The dose rate due to this core shine should result in increased Bridge (Manipulator) Crane Radiation Monitor indication. A reading of 9 R/hr (90% of instrument scale) is indicative of core uncovery. There are a number of variables governing the projected dose rate from an actual core uncover (ref. 5).

Three conditions are associated with a challenge to Containment: .

1. CONTAINMENT COSURE not established - The status of Containment closure is tracked if plant conditions change that could raise the risk of a fission product release as a result of a loss of decay heat removal (ref.2). -If containment closure is re-established prior to exceeding the 30 minute core uncovery time limit then escalation to GE would not be required.

2. Containment hydrogen ;:: 4% - The 4% hydrogen concentration threshold is generally considered the lower limit for hydrogen deflagrations. To generate such levels of combustible gas, loss of the Fuel Clad and RCS barriers are likely to have occurred.

Operation of the Containment Hydrogen Recombiner with Containment hydrogen concentrations above 4.0% could result in ignition of the hydrogen. Containment hydrogen can be monitored in the Control Room on ANR-82/ANR-83 and PAM1 following local equipment initialization (ref. 3, 4)

(continued)

I [Document No.] Rev. [X] Page 113 of 3081

ATTACHMENT 1 EAL Bases

3. UNPLANNED rise in Containment pressure - In the operating modes associated with this EAL, Containment pressure is expected to remain very low; thus, an elevated Containment pressure resulting from an UNPLANNED rise above near-atmospheric pressure conditions may be indicative of a challenge to the Containment barrier.

Containment pressure changes due to ventilation system changes do not constitute a containment challenge.

This IC addresses the inability to restore and maintain reactor vessel level above the top of active fuel with containment challenged. This condition represents actual.or IMMINENT substantial core degradation or melting with potential for loss of containment integrity.

Releases can be reasonably expected to exceed EPA PAG exposure levels offsite for more than the immediate site area.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level cannot be restored, fuel damage is probable.

With CONTAINMENT CLOSURE not established, there is a high potential for a direct and unmonitored release of radioactivity to the environment. If CONTAINMENT CLOSURE is re-established prior to exceeding the 30-minute time limit, then declaration of a General Emergency is not required.

The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen burn (i.e., at the lower deflagration limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a challenge to'*

Containment integrity.

In the early stages of a core uncovery event, it is unlikely that hydrogen buildup due to a core uncovery could result in an explosive gas mixture in containment. If all installed hydrogen gas monitors are out-of-service during an event leading to fuel cladding damage, it may not be possible to obtain a containment hydrogen gas concentration reading as ambient conditions within the containment will preclude personnel access.

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal; SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues; NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States; and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

DCPP Basis Reference(s):

1. Nuclear Safety Analysis Center (NSAC), 1980, "Analysis of Three Mile Island - Unit 2 Accident," NSAC-1

2. AD8.DC54, Containment Closure

3. OP H-9, Inside Containment H2 Recombination System

4. CA-3, Hydrogen Flammability in Containment

5. EP-EALCALC-DCPP-1603 Radiation Monitor Readings for Core Uncovery During Refueling

6. NEI 99-01 CG1 I [Document No.] Rev. [X] Page 114 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 2 - Loss of Vital AC Power Initiating Condition: Loss of all but one AC power source to vital buses for 15 minutes or longer.

EAL:

CU2.1 Unusual Event AC power capability, Table C-3, to Unit 1 or Unit 2 vital 4.16KV buses F, G and H reduced to a single power source for;::: 15 minutes. (Note 1)

AND A failure of that single power source will result in loss of all AC power to 'SAFETY SYSTEMS.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been excee ded , or w1*11 l"k I be exceed ed .

1 e1v Table C-3 AC Power Capability Unit 1 , Unit2

230 kV via either of the following:

230 kV via either of the following:

C1> *

!:::: Startup XFMR 1-2 via Startup XFMR 1-1

Startup XFMR 2-2 via,Startup XFMR 1-1 J!?

.....

Startup XFMR 1-2 via Startup XFMR 2-1

Startup XFMR 2-2 via Startup XFMR 2-1 0

500 kV backfed through Main XFMR to Aux

500 kV backfed through Main XFMR to Aux XFMR 1-2 XFMR 2-2

Aux XFMR 1-2 fed from the Main Generator

Aux XFMR 2-2 fed from the Main Generator C1>

!::::

DG 1 Bus H

DG 2 Bus H I

U) c:

DG 1 Bus G

DG 2 Bus G 0

DG 1 Bus F

DG 2 Bus F

Other Unit via Startup Bus X-Tie

Other Unit via Startup Bus X-Tie Mode Applicability:

5 - Cold Shutdown, 6 - Refueling, D - Defueled

~\

I [Document No.] Rev. [X] Page 115 of 3081 L

ATIACHMENT 1 EAL Bases Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition;

(3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information For emergency classification purposes, "capability" means that, whether or not the buses are actually powered from it, an AC power source(s) can be aligned to the vital buses within 15

minutes. This is determined by:

Use of a clear procedure path, and

Breakers and equipment are readily available to power up the bus within the allotted time frame.

and

Power potential indication (power available white status light) from any Table C-3 source is illuminated.

The 15 minute declaration time runs concurrently with determining AC power capability and aligning the source to the buses. Therefore, this EAL does NOT provide for 15 minutes to ascertain capaoility and another 15 minutes to declare. In other words, you must either meet the AC power capability for the source of power OR declare within 15 minutes.

This EAL describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. In other words, a loss of this AC power source will result in a loss of all AC.

This IC describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment.

(continued) j [Document No.] Rev. [X] Page 116 of 308 j

ATTACHMENT 1 EAL Bases An "AC power source" is a source recognized in AOPs and EOPs, and capable of supplying required power to a vital bus. Some examples of this condition are presented below.

A loss of all offsite power with a concurrent failure of all but one emergency power source (e.g., an onsite diesel generator).

A loss of all offsite power and loss of all emergency power sources (e.g., onsite diesel generators) with a single train of vital buses being back-fed from the unit main generator.

A loss of emergency power sources (e.g., onsite diesel generators) with a single train of vital buses being back-fed from an offsite power source.

If the 1 or 2.:.1 transformer is unavailable, the other unit's #1 transformer (2-1 or 1-1) can be used to supply the startup bus through the startup bus cross tie breaker.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of power.

When filling out the ENF form, this event can be Unit 1, Unit 2 or Unit 1 and 2.

The subsequent loss of the remaining single power source would escalate the event to an Alert in accordance with IC CA2. *

Background

The condition indicated by this EAL is the degradation of the offsite and onsite power sources s*uch that any additional single failure would result in a loss of all AC power to the vital buses.

4.16KV buses F, G and Hare the emergency (vital) buses. Each bus has three sources of power (see figure below).

One offsite source is from the 230KV switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the main transformer to the 4.16KV unit auxiliary transformer 1-2 (2-2).

This is normally only done post-trip when 500KV power is available.

In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply electrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 1-6).

Refer to the OP AP-34 series of procedures on fire response for a list of SAFETY SYSTEMS, usually noted their Attachment 1.

When in the cold shutdown, refueling, or defueled mode, this condition is not classified-as an Alert because of the increased time available to restore another power source to service.

Additional time is available due to the reduced core decay heat load, and the lower temperatures and pressures in various plant systems. Thus, when in these modes, this condition is considered to be a potential degradation of the level of safety of the plant.

This cold condition EAL is equivalent to the hot condition EAL SA 1.1.

I [Document No.] Rev. [X] Page 117 of 3081

ATTACHMENT 1 EAL Bases DCPP Electrical Distribution System 500kV Switchyard 230kV Switchyard MidwayB~~1~T'-2"T'iYa Bus1E ; :~9Mesa Midway 3 +- ~T'£°"T~ Tr0-i+ Morro Gates 1 c ~ 722 J ~_____/.

622 u1Main Bus 1 BankXfmr ~SUXfmrs ~

,.-/---, I--/~

---1..'-0-".J.......!.___J 212 L-\ig_j Bay Bus 2 SOOkV1 ~ 21320kkVV ~ rF U2 Main Bank Xfmr 500kV/25kV AuxX~~{ ........L_,l* 12k~5kV4kV =:= ~-~};f~r liiJ)ll Dl~l AuxX~~Tor UJA:Ti 4k~5~~kVl ;::::;:::L__, ~-~x Xfmr 11 I) ,..., (II I U1 Main - i i - U2 Main (X)

) 12kV SU Bus ( ( (

(Y)

Jo; Generator Generator* __

l- - - -~)---------~SUXfmrs ~ ( ( ( (1

.:j .:.J :_; ~7:., "2L~ ~ =- =

y lFFf= ?~ 1~~4 ~l=r=F~ J tT=TI ~

~

Bus D i) i)

BusH i) i) i)

BusG i) i) i)

BusF Ci Ci Ci Bus F Ci Ci Ci Bus G Ci Ci Ci BusH

~

BusD DCPP Basis Reference(s):

1. UFSAR, Section 8.2.2

2. UFSAR, Section 8.3.1.6

3. OP AP SD-1, Loss of AC Power

4. OP AP-26, Loss of Offsite Power

5. OP J-2:V, Backfeeding the Unit From the 500kV System

6. ECA-0.0, Loss of All Vital AC Power

7. NEI 99-01 CU2 I [Document No.] Rev. [X] Page 118 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 2 - Loss of Vital AC Power Initiating Condition: Loss of all offsite and all onsite AC power to vital QUses for 15 minutes or longer.

EAL:

CA2.1 Alert.

Loss of all offsite and all onsite AC power to Unit 1 or Unit 2 vital 4.16KV buses F, G and H for ;:: 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling, D - Defueled Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2): .

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could ,result in potential offsite exposures.

Basis:

ERO Decision Making Information This EAL addresses a total loss of AC power for greater than 15 minutes that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

When filling out the ENF form, this event can be Unit 1, Unit 2 or Unit 1 and 2.

Escalation of the emergency classification level would be via IC CS1 or RS1.

I [Document No.] Rev. [X] Page 119 of 3081

ATTACHMENT 1 EAL Bases

Background

The vital 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant (see figure below).

Unit 1(2) 4.16KV buses F, G and Hare the emergency (vital) buses. Each bus has three sources of power.

One offsite source is from the 230KV switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the main transformer to the 4.16KV unit auxiliary transformer 1-2 (2-2).

This is normally only done post-trip when 500KV power is available.

In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply electrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 1-6).

When in the cold shutdown, refueling, or defueled mode, this condition is not classified as a Site Area Emergency because of the increased time available to restore a vital bus to service.

Additional time is available due to the reduced core decay heat load, and the lower temperatures and pressures in various plant systems. Thus, when in these modes, this condition represents an actual or potential substantial degradation of the level of safety of the plant.

This cold condition EAL is equivalent to the hot condition loss of all offsite AC power EAL SS1.1.

DCPP Electrical Distribution System 500kV Switchyard 230kV Switchyard MidwayB2~1~T'£"T'i(~

Midway 3 +- i?'T'£"T~

Bu.s 1E : :~9 T~.,+ Morro Mesa

~ ~__/. .----"---, I---/---.--/. ~llLJ Bay Gates 1 ~ 722 T 622 u1Main Bus 1 BankXfmr Bus 2 ff

__J_'Q-/..L_!___J

~SU Xfmrs ~ 212 5

~~~~ ~ ~ 21~0ki:;' ~ U2 Main BankXfmr 500kV/25kV

~ 12 k~skv4 kv< =:=, ~-~x xrmr ~II _l_

1 Aux x~~{l _ I) ,.... Ci ~II Aux ::::r:::Jr 4k~s~~kvu::::L_,l ~-~x x1mr x~~Tor

= \';

U1 Main - i i U2 Main (X) (Y)

_ Generator ) 12kV SU Bus C C C Generator _

r;--) )) ~SUXfmrs~ 7

~

Ut~

(~ (X,11:~ (X) JY)

~~ LJ";

[

~

==

C C C y [Ff,)I=~~~~~

ti i) i) i) i) i) i) i) i)

~i=rf~ J Ci Ci Ci Ci Ci c, tr=n ~

Ci Ci Ci SW Bus D Bus H Bus G Bus F Bus F Bus G Bus H Bus D I [Document No.] Rev. [X] Page 120 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s}:

1. UFSAR, Section 8.2.2

2. UFSAR, Section 8.3.1.6

3. OP AP SD-1, Loss of AC Power

4. OP AP-26, Loss of Offsite Power

5. OP J-2:V, Backfeeding the Unit From the 500kV System

6. ECA-0.0, Loss of All Vital AC Power

7. NEI 99-01 CA2 I [Document No.] Rev. [X] Page 121 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 3 - RCS Temperature Initiating Condition: UNPLANNED increase in RCS temperature.

EAL:

CU3.1 Unusual Event UNPLANNED increase in RCS temperature to> 200°F. (Note 10)

Note 10: Begin monitoring hot condition EALs concurrently.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 "Containment Closure."

INTACT (RCS) - The RCS should be considered intact when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle dams).

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

ERO Decision Making Information In the absence of reliable RCS temperature indication caused by a loss of decay heat removal capability, classification should be based on EAL CU3.2 should RCS level indication be subsequently lost.

A momentary UNPLANNED excursion above the Technical Specification cold shutdown temperature limit of 200°F when the heat removal function is available does not warrant a classification.

This IC addresses an UNPLANNED increase in RCS temperature above the Technical Specification cold shutdown temperature limit and represents a potential degradation of the level of safety of the plant. If the RCS is not INTACT and CONTAINMENT CLOSURE is not established during this event, the SM/SEC/ED should also refer to IC .CA3.

(continued)

I [Document No.] Rev. [X] Page 122 of 3081

ATTACHMENT 1 EAL Bases Numerous instruments are capable of providing indication of RCS temperature with respect to the Technical Specification cold shutdown temperature limit (200°F, ref. 1). These may include but are not limited to (ref. 2):

TR413 Loop 1 Wide Range Temperature

TR423 Loop 2 Wide Range Temperature

TR433 Loop 3 Wide Range Temperature

TR443 Loop 4 Wide Range Temperature

WR That recorders 0-700°F

WR Tcold recorders 0-700°F

CETs

RHR System temperatures (when RHR is in service)

The most limiting temperature indication (the highest valid reading temperature indication) should be used.

Escalation to,Alert would be via IC CA1 based on an inventory loss or IC CA3 based on exceeding plant configuration-specific time criteria.

Background

This EAL involves a loss of decay heat removal capability, or an addition of heat to the RCS in excess of that which can currently be removed, such that reactor coolant temperature cannot be maintained below the cold shutdown temperature limit specified in Technical Specifications.

During this condition, there is no immediate threat of fuel damage because the core decay heat load has been reduced since the cessation of power operation.

During an outage, the level in the reactor vessel will normally be maintained at or above the reactor vessel flange. Refueling evolutions that lower water level below the reactor vessel flange are carefully planned and controlled. A loss of forced decay heat removal at reduced inventory may result in a rapid increase in reactor coolant temperature depending on the time after shutdpwn.

DCPP Basis Reference(s):

1. DCPP Technical Specifications Table 1.1-1 Modes

2. OP L-1, Plant Heatup From Cold Shutdown to Hot Standby

3. NEI 99-01 CU3 I [Document No.] Rev. ,[X] Page 123 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 3 - RCS Temperature Initiating Condition: UNPLANNED increase in RCS temperature.

EAL:

CU3.2 Unusual Event Loss of all RCS temperature and all RCS level indication for ~ 15 minutes. (Note 1)

\

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6- Refueling Definition(s}:

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures; systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 "Containment Closure."

INTACT (RCS) - The RCS should be considered intact when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle darns).

Basis:

ERO Decision Making Information This EAL addresses the inability to determine RCS temperature and level, and represents a potential degradation of the level of safety of the plant. If the RCS is not INTACT and CONTAINMENT CLOSURE is not established during this event, the SM/SEC/EQ should also refer to IC CA3.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Reactor vessel water level is normally monitored using _the following instruments (ref. 1):

RVRLIS

Ll-400 Standpipe

RVLIS

Ultrasonic level detectors (continued)

I [Document No.] Rev. [X] Page 124 of 3081

ATTACHMENT 1 EAL Bases AP E-55, "Equipment Elevations for RCS Flood-Up and Drain-Down", provides a cross-reference of indicated water levels and key plant elevations Numerous instruments are capable of providing indication of RCS temperature with respect to the Technical Specification cold shutdown temperature limit (200°F, ref. 2). These may include but are not limited to (ref. 3):

TR413 Loop 1 Wide Range Temperature

TR423 Loop 2 Wide Range Temperature

. TR433 Loop 3 Wide Range Temperature

TR443 Loop 4 Wide Range Temperature

WR Thot recorders 0-700°F

WR Tcold recorders 0-700°F

CETs

RHR System temperatures (when RHR is in service)

The most limiting temperature indication (the highest valid reading temperature indication) should be used.

Escalation to Alert would be via IC CA 1 based on an inventory loss or IC CA3 based on exceeding plant configuration-specific time criteria.

Background

This EAL reflects a condition where there has been a significant loss of instrumentation capability necessary to monitor RCS conditions and operators would be unable to monitor key parameters necessary to assure core decay heat removal. During this condition, there is no immediate threat of fuel damage because the core decay heat load has been reduced since the cessation of power operation.

DCPP Basis Reference(s):

1. AP E-55, "Equipment Elevations for RCS Flood-Up and Drain-Down

2. DCPP Technical Specifications Table 1.1-1

3. OP L-1, Plant Heatup From Cold Shutdown to Hot Standby

4. NEI 99-01 CU3 I [Document No.] Rev. [X] Page 125 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: . 3 - RCS Temperature Initiating Condition: Inability to maintain plant in cold shutdown.

EAL:

CA3.1 Alert UNPLANNED increase in RCS temperature to > 200°F for > Table C-4 duration.

(Notes 1, 10)

OR UNPLANNED RCS pressure increase> 10 psig (this does not apply during water-solid plant conditions).

Note 1: The SM/SEC/ED should declare the event promptly upon determining that the applicable time has been exceeded, or will likely be exceeded.

Note 10: Begin monitoring hot condition EALs concurrently.

Table C-4: RCS Heat-up Duration Thresholds

- CONTAINMENT RCS Status Heat-up Duration CLOSURE Status INTACT (but not REDUCED N/A 60 minutes*

INVENTORY)

Not INTACT 20 minutes*

established OR REDUCED INVENTORY not established 0 minutes

If an RCS heat removal system is in operation within this time frame and RCS temperature is trending down, the EAL is not applicable.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems, and components as a functional barrier to fission product release under shutdown conditions.

As applied to DCPP, Containment Closure is defined by Administrative Procedure AD8.DC54 Containment Closure.

INTACT (RCS) - The RCS should be considered INTACT when the RCS pressure boundary is in its normal condition for the cold shutdown mode of operation (e.g., no freeze seals or nozzle dams).

I [Document No.] Rev. [X] Page 126 of 3081 L _ _ __ _ _ - - - -

ATTACHMENT 1 EAL Bases UNPLANNED -. A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

REDUCED INVENTORY - The condition existing whenever RCS water level is loyver than 3 feet below the reactor vessel flange (below 111-foot elevation) with fuel in.the core.

Basis:

ERO Decision Making Information In the absence of reliable RCS temperature indication caused by the loss of decay heat removal capability, classification should be based on the RCS pressure increase criteria when the RCS is INTACT in Mode 5 or based on time to boil data when in Mode 6 or the RCS is not INTACT in Mode 5.

A momentary UNPLANNED excursion above the Technical Specification cold shutdown temperature limit when the heat removal function is available does not warrant a classification.

The RCS Heat-up Duration Thresholds table addresses an increase in RCS temperature when CONTAINMENT CLOSURE is established but the RCS is not INTACT, or RCS inventory is reduced (e.g., mid-loop operation). The 20-minute criterion was included to allow time for operator action to address the temperature increase.

The RCS Heat-up Duration Thresholds table also addresses an increase in RCS temperature with the RCS INTACT. The status of CONTAINMENT CLOSURE is not crucial in this condition since the INTACT RCS is providing a high pressure barrier to a fissio_n product release. The 60-minute time frame should allow sufficient time to address the temperature increase without a substantial degradation in plant safety.

Escalation of the emergency classification level would be via IC CS1 or RS1.

Background

Numerous instruments are capable of providing indication of RCS temperature with respect to the Technical Specification cold shutdown temperature limit (200°F, ref. 1). These may include but are not limited to (ref. 2):

TR413 Loop 1 Wide Range Temperature

TR423 Loop 2 Wide Range Temperature

TR433 Loop 3 Wide Range Temperature .1

TR443 Loop 4 Wide Range Temperature

WR That recorders 0-700°F

WR Tcold recorders 0-700°F

CETs

RHR System temperatures (when RHR is in service)

Pl-403A, Pl-405 and Pl-405A display on VB2, with digital values available on PPG, SPDS and SCMM. Digital readouts can display changes of less than 10 psig.

j [Document No.] Rev. [X] Page 127 of 308 j

ATTACHMENT 1 EAL Bases This IC addresses conditions involving a loss of decay heat removal capability or an adoition of heat to the RCS in excess of that which can currently be removed. Either condition represents an actual or potential substantial degradation of the level of safety of the plant.

Finally, in the case where there is an increase in RCS temperature, the RCS is not INTACT or is at reduced inventory< and CONTAINMENT CLOSURE is not established, no heat-up duration is allowed (i.e., 0 minutes). This is because 1) the evaporated reactor coolant may be released directly into the containment atmosphere and subsequently to the environment, and

2) there is reduced reactor coolant inventory above the top of irradiated fuel.*

The RCS pressure increase threshold provides a pressure-based indication of RCS heat-up in the absence of RCS temperature monitoring capability.

DCPP Basis Reference(s):

1. DCPP Technical Specifications Table 1.1-1

2. OP L-1, Plant Heatup From Cold Shutdown to Hot Standby

3. NEI 99-01 CA3 I [Document No.] Rev. [X] Page 128 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 4 - Loss of Vital DC Power Initiating Condition: Loss of Vital DC power for 15 minutes or longer.

EAL:

CU4.1 Unusual Event I

< 105 VDC bus voltage indications on Technical Specification required 125 VDC vital buses for;::: 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling I

Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as* safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information Minimum battery voltage of 105 VDC is the voltage below which supplied loads may not function (ref. 2, 3, 4).

As used in this EAL, "required" means the vital DC buses necessary to support operation of the in-service, or operable, train or trains of SAFETY SYSTEM equipment. For example, if Train A is out-of-service (inoperable) for scheduled outage maintenance work and Train B is in-service (operable), then a loss of Vital DC power affecting Train B would require the declaration of an Unusual Event. A loss of Vital DC power to Train A would not warrant an emergency classification.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Depending upon the event, escalation of the emergency classification level would be via IC CA 1 or CA3, or an IC in Recognition Category R.

I [Document No.] Rev. [X] Page 129 of 3081

ATTACHMENT 1 EAL Bases

Background

The vital 125 VDC system consists of three independent networks per unit. Each network contains the following components:

Battery

Battery charger

Standby battery charger to allow maintenance and/or testing

Distribution panels

Ground detector The vital 125 VDC batteries and distribution panels are located in Area "H" of the 115 feet elevation of the Auxiliary Building. There are a total of three batteries per unit, 11 (21 ), 12(22),

and 13(23). The batteries are sized to provide sufficient power to operate the associated DC loads for the time necessary to safely shut down the unit, should a 480-VAC source to one or more battery chargers be unavailable (ref. 1, 2, 3).

This IC addresses a loss of vital DC power which compromises the ability to monitor and control operable SAFETY SYSTEMS when the plant is in the cold shutdown or refueling mode.

In these modes, the core decay heat load has been significantly reduced, and coolant system temperatures and pressures are lower; these conditions increase the time available to restore a vital DC bus to service. Thus, this condition is considered to be a potential degradation of the level of safety of the plant.

This EAL is the cold co_ndition equivalent of the hot condition loss of DC power EAL SS7.1.

DCPP Basis Reference(s):

1. UFSAR, Section 8.3.2.2.2

2. OP AP-23, Loss of Vital DC Bus

3. ECA-0.0, Loss of All Vital AC Power

4. Notification 50804190 DC Bus Voltage Trigger for EALs

5. NEI 99-01 CU4 I [Docum~nt No.] Rev. [XJ Page 130 of 3081

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 5 ,- Loss of Communications Initiating Condition: Loss of all onsite or offsite communications capabilities.

EAL:

CUS.1 Unusual Event Loss of all Table C-5 onsite communication methods.

OR Loss of all Table C-5 offsite communication methods.

OR Loss of all Table C-5 NRG communication methods.

Table C-5 Communication Methods System Onsite Offsite NRC DCPP Radio System x DCPP Telephone System (PBX) x x x Public Address System x NRG FTS x Satellite phones x x x Direct line (ATL) to the County and State OES x Mode Applicability:

5 - Cold Shutdown, 6 - Refueling, D - Defueled Definit~on(s):

None I [Document No.] Rev. [X] Page 131 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information Onsite, offsite and NRC communications include one or more of the systems listed in Table C-5 (ref. 1, 2, 3).

This IC addresses a significant loss of onsite or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OFFSITE RESPONSE ORGANIZATIONS (OROs) and the NRC.

For the onsite DCPP Radio System to be considered lost, communications between Control Room (or HSDP if it in control) and field personnel (i.e. operators, maintenance personnel, etc.) is lost.

NOTE: The plant radio system is not considered for Offsite Communication methods since it does not connect to the State OES, which is part of the OROs.

Loss of the Security radio system should be evaluated by the Watch Commander in accordance with Security procedures. In this case refer to Security related EALs.

Background

This IC should be assessed only when extraordinary me'ans are being utilized to make communications possible (e.g., use of non-plant, privately owned equipment, relaying of on-site information via individuals or multiple radio transmission points, individuals being sent to offsite locations, etc.).

The first EAL condition addresses a total loss of the communications methods used in support of routine plant operations.

The second EAL condition addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the State and county EOCs The third EAL condition addresses a total loss of the communications methods used to notify the NRC of an emergency declaration.

This EAL is the cold condition equivalent of the hot condition EAL SU7.1.

DCPP Basis Reference(s):

1. UFSAR, Section 9.5.2

2. Emergency Plan Section 7.2 Communications Equipment 3., AR PK15-23, Communications

4. NEI 99-01 CU5 I [Document No.] Rev. [X] Page 132 of 308 /

ATTACHMENT 1 EAL Bases Category: C - Cold Shutdown I Refueling System Malfunction Subcategory: 6 - Hazardous Event Affecting Safety Systems Initiating Condition: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode.

EAL:

CA6.1 Alert The occurrence of any Table C-6 hazardous event.

AND:

Event damage has caused indications of degraded performance on one train of a SAFETY SYSTEM needed for the current operating mode.

AND EITHER:

Event damage has caused indications of degraded performance to a second train of the SAFETY SYSTEM needed for the current operating mode, or

Event damage has resulted in VISIBLE DAMAGE to the second train of a SAFETY SYSTEM needed for the current operating mode.

(Notes 13, 14)

Note 13: If the affected SAFETY SYSTEM train was-already inoperable or out of service before the hazardous

event occurred, then this emergency classification is not warranted.

Note 14: If the event results in VISIBLE DAMAGE, with no indications of degraded performance to any SAFETY

SYSTEM train, then this emergency classification is not warranted.

Table C-6 Hazardous Events

Seismic event (earthquake)

Internal or external FLOODING event

High winds or TORNADO strike

FIRE 1

EXPLOSION

Tsunami

Other events with similar hazard characteristics as determined by the SM/SEC/ED Mode Applicability:

5 - Cold Shutdown, 6 - Refueling j [Document No.] Rev. [X] Page 133 of 308 j

ATTACHMENT 1 EAL Bases Definition(s):

DEGRADED PERFORMANCE - As applied to hazardous event thresholds, event damage significant enough to cause concern regarding the operability or reliability of the affected safety system train.

EXPLOSION - A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to determine if the attributes of an explosion are present.

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

FLOODING - A condition where water is e.ntering a room or area faster than installed equipment is capaple of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

TORNADO - A violently rotating column of air in contact with the ground and extending from the base of a thunderstorm.

VISIBLE DAMAGE - Damage to a SAFETY SYSTEM train that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train.

(continued)

I [Document No.] Rev. [X] Page 134 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This. IC addresses a hazardous event that causes damage to SAFETY SYSTEMS needed for the current operating mode.

In order to provide the appropriate context for consideration of an ALERT classification, the hazardous event must have caused indications of degraded SAFETY SYSTEM performance in one train, and there must be either indications of performance issues with the second SAFETY SYSTEM train or VISIBLE DAMAGE to the second train such that the potential exists for this second SAFETY SYSTEM train to have performance issues. In other words, in order for this EAL to be classified, the hazardous event must occur, at least one SAFETY SYSTEM train must have indications of degraded performance, and the second SAFETY SYSTEM train must have indications of degraded performance or VISIBLE DAMAGE such that the potential exists for performance issues. Note that this second SAFETY SYSTEM train is from the same SAFETY SYSTEM that has indications of degraded performance for criteria 1.b.1 of this EAL; commercial nuclear power plants are designed to be able to support single system issues without compromising public health and safety from radiological events.

Indications of degraded performance addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

VISIBLE DAMAGE addresses damage to a SAFETY SYSTEM train that is not in service/operation and that potentially could cause performance issues. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage. This VISIBLE DAMAGE should be significant enough to .cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

Escalation of the emergency classification level would be via IC CS1 or RS1.

Background

None DCPP Basis Reference(s):

1. AD8.DC55 Outage Safety Scheduling

2. NEI 99-01 CA6 I [Document No.] Rev. [X] Page 135 of 3081

ATTACHMENT 1 EAL Bases Category H - Hazards and Oth~r Conditions Affecting Plant Safety EAL Group: ANY (EALs in this category are applicable to any plant condition, hot or cold.)

Hazards are non-plant, system-related events that can directly or indirectly affect plant operation, reactor plant safety or personnel safety.

1. Security Unauthorized entry attempts into the PLANT PROTECTED AREA, bomb threats, sabotage attempts, and actual security compromises threatening loss of physical control of the plant.

2. Seismic Event Natural events such as earthquakes have potential to cause plant structure or equipment damage of sufficient magnitude to threaten personnel or plant safety.

3. Natural or Technology Hazard Other natural and non-naturally occurring events that can cause damage to plant facilities include TORNADOS, FLOODING, hazardous material releases and events restricting site

access warranting classification.

4. Fire Fires can pose significant hazards to personnel and reactor safety. Appropriate for classification are fires within the ISFSI or PLANT PROTECTED AREA or which may affect operability of equipment needed for safe shutdown

5. Control Room Evacuation Events t~at are indicative of loss of Control Room habitability. If the Control Room must be evacuated, additional support for monitoring and controlling plant functions is necessary through the emergency response facilities.

(continued)

I [Document No.] Rev. [X] Page 136 of 3081

ATTACHMENT 1 EAL Bases

6. SM/SEC/ED Judgment The EALs defined in other categories specify the predetermined symptoms or events that

are indicative of emergency or potential emergency conditions and thus warrant classification. While these EALs have been developed to address the full spectrum of possible emergency conditions.which may warrant classification and subsequent implementation of the Emergency Plan, a provision for classification of emergencies based on operator/management experience and judgment is still necessary. The EALs of this category provide the SM/SEC/ED the latitude to classify emergency conditions consistent with the established classification criteria based upon SM/SEC/ED judgment.

I [Document No.] Rev. [X] Page 137 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards Subcategory: 1 - Security Initiating Condition: Confirmed SECURITY CONDITION or threat.

EAL:

HU1.1 Unusual Event A SECURITY CONDITION that does not involve a HOSTILE ACTION as reported by the Security Watch Commander.

OR Notification of a credible security threat directed.at the site.

OR A validated notification from the NRG providing information of an aircraft threat.

Mode Applicability:

All Definition(s):

HOSTILE ACTION - An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA).

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan.

SAFETY SYSTEM- A system required for safe plant operation, cooling down the plantand/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

(continued)

I [Document No.] Rev. [X] Page 138 of 3081

ATTACHMENT 1

.J EAL Bases SECURITY CONDITION - Any SECURITY EVENT as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A security condition does not involve a HOSTILE ACTION. .

SECURITY EVENT - Any incident representing an attempted, threatened, or actual breach of the security system or reduction of the operational effectiveness of that system. A security event can result in either a SECURITY CONDITION or HOSTILE ACTION.

Basis:

ERO Decision Making Information The intent of the EAL is to ensure that appropriate notifications for the security threat are made in a timely manner. The DCPP Security and Safeguards Contingency Plan provides a description of SECURITY EVENTS indicative of a potential loss of the level of safety of the plant. Events at the Unusual Event level include credible threats to attack or use a bomb against the plant, or involve extortion, coercion or HOSTAGE threats.

Security Watch Commanders are the designated on-site personnel qualified and trained to confirm that a SECURITY EVENT is occurring or has occurred. Training on SECURITY

EVENT classification confirmation is closely controlled due to the strict secrecy controls placed on the DCPP Security and Safeguards Contingency Plan (Safeguards) information. (ref. 1).

The first threshold:

The Security Watch Commanders, as the trained individuals confirm that a SECURITY EVENT is occurring or has occurred, and whether or not the event is or is not a HOSTILE ACTION.

Training on SECURITY EVENT confirmation and classification is controlled due to the nature of Safeguards and 10 CFR § 2.390 information.

The second threshold:

The receipt of a credible security threat is assessed in accordance with the Security and Safeguards Contingency Plan (ref. 1). This EAL is met when the plant receives information from the NRC or other reliable source, such as the FBI.

The third threshold:

This EAL is met when the plant receives information regarding an aircraft threat from the NRC or other reliable source, such as the FBI, FAA, or NORAD, and the aircraft is more than 30 minutes away from the plant. In this EAL the threat from the impact of an aircraft on the plant is assessed. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may also be provided by NORAD through the NRC. Validation of the threat is performed in accordance with the Security and Safeguards Contingency Plan.

Escalation of the emergency classification level would be via IC HA 1.

I [Document No.] Rev. [X] Page 139 of 3081

ATTACHMENT 1

EAL Bases

Background

The security shift supervision is defined as the Security Watch Commander.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Classification of these events will initiate appropriate threat-related notifications to plant personnel and OFFSITE RESPONSE ORGANIZATIONS.

Threat information may come from various sources, including the NRG or FBI. Only the plant to which the specific threat is made need declare the Unusual Event.

This EAL is based on the DCPP Security and Safeguards Contingency Plan (ref. 1).

This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment, and thus represent a potential degradation in the level of plant safety. SECURITY EVENTS which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR § 73.71or10 CFR § 50.72, as outlined in DCPP Administrative Procedure Xl1.ID2 (ref. 3).

SECURITY EVENTS assessed as HOSTILE ACTIONS are classifiable under ICs HA1 and HS1.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security and Safeguards Contingency Plan.

DCPP Basis Reference(s):

1. DCPP Security and Safeguards Contingency Plan

2. DCPP Procedures (Procedure names and designations are controlled due to the nature of Safeguards and 10 CFR § 2.390 information.)

3. DCPP Administrative Procedure Xl1.ID2 "Regulatory Reporting Requirements and Reporting Process"

4. NEI 99-01 HU1 I [Document No.] Rev. [X] Page 140 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards Subcategory: 1 - Security Initiating Condition: HOSTILE ACTION within the OWNER CONTROLLED AREA or airborne attack threat within 30 minutes.

EAL:

HA1.1 Alert A HOSTILE ACTION is occurring or has occurred within the OWNER CONTROLLED AREA as reported by the Security Watch Commander.

OR A validated notification from NRG of an aircraft attack threat within 30 minutes of the site.

Mode Applicability:

All Definition(s):

HOST/LEA CT/ON - An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes .attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA).

HOSTILE FORCE - One or more individuals who are engaged in a determined assault, overtly

. or by stealth and deception, equipped with suitable weapons capable of killing, maiming, or causing destruction.

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan.

PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT P.ROTECTED AREA.

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

I [Document No.] 1 Rev. [X] Page 141 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information The intent of the EAL is to ensure that appropriate notifications are made in a timely manner.

The DCPP Safeguards Contingency Plan provides a description of SECURITY EVENTS indicative of a potential loss of the level of safety of the plant.

Security Watch Commanders are the designated on-site personnel qualified and trained to confirm that a SECURITY EVENT is occurring or has occurred. Training on SECURITY EVENT classification confirmation is closely controlled due. to the strict secrecy controls placed on the DCPP Security and Safeguards Contingency Plan (Safeguards) information. (ref. 1).

The first threshold:

Is applicable for any HOSTILE ACTION occurring, or that has occurred, in the OWNER CONTROLLED AREA (OCA). This includes any action directed against an ISFSI that is located outside the PLANT PROTECTED AREA.

This event will require rapid response and a*ssistance due to the possibility of the attack progressing to the PLANT PROTECTED AREA.

The OCA is the area and boundary contained in the DCPP Security and Safeguards Contingency Plan (ref. 1). Generally described, it is the area between Security Gate A (aka North Gate, and is located on the road located at the north edge of the exclusion area/SITE BOUNDARY) to Security Gate E (located on the main access road just north of Secondary (Backup) Met Tower and the SITE BOUNDARY), and extending eastward to encompass the 500 and 230kV switchyards, and bounded on the west by the Pacific Ocean. On UFSAR Figure 2.1-2 this is approximated as the "Exclusion Area Boundary". A copy of UFSAR Figure 2.1-2 is at the end of definitions section of this document.

This IC does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc.

Reporting of these types of events is adequately addressed by other EALs, or the .

requirements of 10 CFR § 73.71 or 10 CFR § 50.72 as outlined in DCPP Administrative Procedure Xl1.ID2 (ref. 3).

The second threshold:

An assessment of the threat from the impact of an aircraft on. the plant, and the anticipated arrival time is within 30 minutes. The intent of this EAL is to ensure that threat-related notifications are made in a timely manner so that plant personnel and OROs are in a heightened state of readiness. This EAL is met when the threat-related information has been validated in accordance with site-specific security procedures.

This event will require rapid response and assistance due to the possibility of the need to prepare the plant and staff for a potential aircraft impact.

The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may be provided by NORAD through the NRC. * '*

I [Document No.] . Rev. [X] Page 142 of 3081

ATTACHMENT 1 EAL Bases In some cases, it may not be readily apparent if an aircraft impact within the OWNER CONTROLLED AREA was intentional (i.e., a HOSTILE ACTION). It is expected, although not certain, that notification by an appropriate Federal agency to the site would clarify this point. In this case, the appropriate federal agency is intended to be NORAD, FBI, FAA or NRG. The emergency declaration, including one based on other ICs/EALs, should not be unduly delayed while awaiting notification by a Federal agency.

Background

The security shift supervision is defined as the Security Watch Commander (ref. 1).

Timely and accurate communications between the Security Watch Commander and the Control Room is essential for proper classification of a security-related event.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g., evacuation, dispersal or sheltering). The Alert declaration will also heighten the awareness of OFFSITE RESPONSE ORGANIZATIONS (OROs), allowing them to be better prepared should it be necessary to consider further actions.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the DCPP Security and Safeguards Contingency Plan.

DCPP Basis Reference(s):

1.. DCPP Security and Safeguards Contingency Plan

2. DCPP Procedures (Procedure names and designations are controlled due to the nature of Safeguards and 10 CFR § 2.390 information.)

3. DCPP Administrative Procedure Xl1.ID2 "Regulatory Reporting Requirements and Reporting Process"

4. NEI 99-01 HA1 I [Document No.] Rev. [X] Page 143 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards Subcategory: 1 - Security Initiating Condition: HOSTILE ACTION within the PLANT PROT'i=CTED AREA.

EAL:

HS1 .1 Site Area Emergency

' A HOSTILE ACTION is occurring or has occurred within the PLANT PROTECTED AREA as reported by the Security Watch Commander.

Mode Applicability:

All Definition(s}:

HOSTILE ACTION - An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA).

HOSTILE FORCE - One or more individuals who are engaged in a determined assault, overtly or by stealth and deception, equipped with suitable weapons capable of killing, maiming, or causing destruction.

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan.

PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT PROTECTED AREA.

I [Document No.] Rev. [X] Page 144 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information The intent of this EAL is to address the potential for a very rapid progression of events due to a dedicated attack. It is not intended to address incidents that are accidental or acts of civil disobedience, such as physical disputes between employees within the OCA or PLANT PROTECTED AREA. Those events are adequately addressed by c;>ther EALs. HOSTILE ACTION identified above encompasses various acts including SECURITY EVENTS:

This class of SECURITY EVENTS represents an escalated threat to plant safety above that contained in the Alert IC in that a hostile force has progressed from the OWNER CONTROLLED AREA (OCA) to the PLANT PROTECTED AREA (PA). Although DCPP security officers are well trained and prepared to protect against hostile action, it is appropriate for OFFSITE RESPONSE ORGANIZATIONS (OROs) to be notified and encouraged to begin preparations for public protective actions (if they do not normally) to be better prepared should it be necessary to consider further actions.

This IC addresses the occurrence of a HOSTILE ACTION within the PLANT PROTECTED AREA. This event will require rapid response and assistance due to the possibility for damage to plant equipment.

This IC does not apply to a HOSTILE ACTION directed at an ISFSI PROTECTED AREA located outside the PLANT PROTECTED AREA; such an attack should be assessed using IC HA 1. It also does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72 as outlined in DCPP Administrative Procedure Xl1.ID2 (ref. 3).

Security Watch Commanders are the designated on-site personnel qualified and trained to confirm that a SECURITY EVENT is occurring or has occurred. Training on SECURITY EVENT classification confirmation is closely controlled due to the strict secrecy controls placed on the DCPP Security and Safeguards Contingency Plan (Safeguards) information. (ref. 1). _

(continued)

J [Document No.] Rev. [X] Page 145 of 308 J

l ATTACHMENT 1 EAL Bases.

Background

The security shift supervision is defined as the Security Watch Commander.

Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g., evacuation, dispersal or sheltering). The Site Area Emergency declaration will mobilize OFFSITE RESPONSE ORGANIZATION (ORO) resources and have them available to develop and implement public protective actions in the unlikely event that the attack is successful in impairing multiple safety functions.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the DCPP Security and Safeguards Contingency Plan.

DCPP Basis Reference(s):

1. ocp'p Security and Safeguards Contingency Plan

2. DCPP Procedures (Procedure names and designations are controlled due to the nature of Safeguards and 10 CFR § 2.390 information.)

3. DCPP Administrative Procedure Xl1.ID2 "Regulatory Reporting Requirements and Reporting Process"

4. NEI 99-01 HS1 I [Document No.] Rev. [X] Page 146 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 2 - Seismic Event Initiating Condition: Seismic event greater than Design Earthquake (DE) level.

EAL:

HU2.1 Unusual Event EFM Alarm or CP M-4 determination indicates Seismic event > DE PGA as indicated by ground acceleration > 0.2 g on the "X" or "Y" axis or > 0.133 g on the "Z" axis.

Mode Applicability:

All Definition(s):

None Basis:

ERO Decision Making Information Ground motion acceleration > 0.2 g on the "X" or "Y" axis or > 0.133g on the "Z" axis is the peak ground acceleration (PGA) criterion for a Design Earthquake (DE) (ref. 3).

If the EFM indicator alarms (> 0.2 g on the "X" or "Y" axis or > 0.133g on the "Z" axis) indicating the DE PGA has been exceeded, an Unusual Event should be declared. The "X" and "Y" axes correspond to horizontal peak acceleration values while the "Z" axis corresponds to vertical peak acceleration values.

If the EFM is not operable, the earthquake magnitude is determined by alternative methods in accordance with CP M-4, "Earthquake." If it is determined that any peak acceleration has exceeded 0.2 g on the "X" or "Y" axis or 0.133g on the "Z" axis, an Unusual Event should be declared (ref. 3).

Event verification with external sources should not be necessary during or following a DE.

Earthquakes of this magnitude should be readily felt by on-site personnel and recognized as a seismic event (e.g., lateral accelerations in excess of 0.08g). The SM/SEC/ED may seek external verification if deemed appropriate (e.g., a call to the USGS, check internet news sources, etc.); however, the verification action must not preclude a timely emergency declaration.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

(continued)

I [Document No.] Rev. [X] Page 147 of 3081 L

ATTACHMENT 1 EAL Bases

Background

In the event of an earthquake measuring greater than or equal to 0.01 g, the Seismic Instrumentation System annunciator PK15-24 will alert the control room and peak acceleration indications will be displayed on the EFM. The primary means for timely determination of the magnitude of an earthquake, and subsequently assessing emergency action levels, is using the EFM located in the control room (ref. 2).

When the seismic monitoring system alarms, SM directs actions as defined in CP M-4, "Earthquake," and the seismic instrumentation system engineer is notified to coordinate post-earthquake activities including retrieval and analysis of the seismic event data. The purpose of the analysis is to determine within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months whether the computed response spectra associated with any of the three directional components of the seismic ~vent exceed the DE response spectra exceedance criterion (ref.4).

It should be noted that the DE PGA values are the zero period accelerations associated the DE response spectra. Since the DE PGA indications are available and displayed on the EFM within minutes, these are the indications used for timely emergency classification. The seismic monitoring system also stores the seismic event data and generates reports later used during the post-earthquake evaluation (ref.4)

To avoid inappropriate emergency classification resulting from spurious actuation of the seismic instrumentation or felt motion not attributable to seismic activity, an offsite agency (USGS, National Earthquake Information Center) can confirm that an earthquake has occurred in the area of the plant. Such confirmation should not, however, preclude a timely emergency declaration based on receipt of the EFM alert alarm. The NEIC can be contacted by calling (303) 273-8500. Select option #1 and inform the analyst you wish to confirm recent seismic activity in the vicinity of DCPP. Alternatively, near real-time seismic activity can be accessed via the NEIC website:

http://earthquake.usgs.gov/eqcenterl This IC addresses a seismic event that results in accelerations at the plant site greater than those specified for a Design Earthquake (DE). An earthquake greater than a DE but less than a Double Design Earthquake (DOE) should have no significant impact on safety-related systems, structures and components; however, some time may be required for the plant staff to ascertain the actual post-event condition of the plant (e.g., performs walk-downs and post-event inspections). Given the time necessary to perform walk-downs and inspections, and fully understand any impacts, this event represents a potential degradation of the level of safety of the plant.

NOTE: An Operating Basis Earthquake (OBE) is referred to as Design Earthquake (DE) at DCPP, and a Safe Shutdown Earthquake (SSE) is referred to as Double Design Earthquake (DOE) at DCPP (ref. 3).

J [Document No.] *Rev. [X] Page 148 of 308 J

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. DCM T-6, Seismic Analysis of Structures

2. AR PK15-24, Seismic Instr System

3. CP M-4, Earthquake

4. AWP E-017 Guidelines for Post-Earthquake Engineering Response

5. NEI 99-01 HU2 j [Document No.] Rev. [X] Page 149 of 308 j

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event.

EAL:

HU3.1 Unusual Event A TORNADO strike within the PLANT PROTECTED AREA.

Mode Applicability:

All Definition(s):.

PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the, PLANT PROTECTED AREA. ~

TORNADO - A violently rotating column of air in contact with the ground and extending from the base of a thunderstorm.

Basis:

ERO Decision Making Information A TORNADO striking (touching down) within the PLANT PROTECTED AREA warrants declaration of an Unusual Event regardless of the measured wind speed at the meteorological tower.

If damage is confirmed visually or by other in-plant indications, the event may be escalated to an Alert under EAL CA6.1 or SA9.1.

Background

This -IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant. ~:

EAL HU3.1 addresses a TORNADO striking (touching down) within the PLANT PROTECTED AREA.

DCPP Basis Reference(s):

1. CP M-16 Severe Weather

2. NEI 99-01 HU3 I [Document No.] Rev. [X] Page 150 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event.

EAL:

HU3.2 Unusual Event Internal room or area FLOODING of a magnitude sufficient to require manual or automatic electrical isolation of a SAFETY SYSTEM component required for the current operating mode. (Note 5)

Note 5: If the equipment in the listed room or area was already inoperable or out-of-service before the event occurred, then no emergency classification is warranted.

Mode Applicability:

All Definition(s):

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM-A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information This EAL addresses FLOODING of a building room or area that results in operators isolating power to a SAFETY SYSTEM component due to water level or other wetting concerns.

Classification is also required if the water level or related wetting causes an automatic isolation of a SAFETY SYSTEM component from its power source (e.g., a breaker or relay trip). To warrant classification, operability of the affected component must be required by Technical Specifications for the current operating mode, In modes 5, 6 and defueled, the appropriate plant configuration based Outage Safety Checklist in AD8.DC55 "Outage Safety Scheduling" should be consulted to identify required equipment supporting each of the specified safety functions (ref. 1).

Refer to EAL CA6.1 or SA9.1 for internal flooding affecting one or more SAFETY SYSTEM trains.

I [Document No.] Rev. [X] Page 151 of 3os j

ATTACHMENT 1 EAL Bases Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, Sor C.

Background

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant. r DCf'.'P Basis Reference(s):

1. AD8.DC55 Outage Safety Scheduling

2. NEI 99-01 HU3 I [Document No.] Rev. [X] Page 152 of 3081

- l ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event.

EAL:

HU3.3 Unusual Event Movement of personnel within the PLANT PROTECTED AREA is IMPEDED due to an event involving hazardous materials (e.g., a chemical spill or toxic gas release from an area outside the PLANT PROTECTED AREA).

Mode Applicability:

All Definition(s):plant IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

'PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT PROTECTED AREA.

Basis:

ERO Decision Making Information This EAL is applicable to events in areas external to the DCPP PLANT PROTECTED AREA.

This EAL addresses a hazardous materials event originating outside the PLANT PROTECTED AREA and of sufficient magnitude to IMPEDE the movement of personnel within the PLANT PROTECTED AREA.

Escalation of the emergen'cy classification level would be based on ICs in Recognition Categories R, F, Sor C.

Background

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

DCPP Basis Reference(s):

1. CP M-9A Hazardous Material Incident - Initial Emergency Response/Mitigation Procedure

2. NEI 99-01 HU3 I [Document No.] Rev. [X] Page 153 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event.

EAL:

HU3.4 Unusual Event A hazardous event that results in conditions sufficient to prohibit the plant staff from accessing the site via personal vehicles. (Note 7)

Note 7: This EAL does not apply to routine traffic impediments such as fog, snow, ice, or vehicle breakdowns or accidents.

Mode Applicability:

All Definition(s):

\

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

Basis:

ERO Decision Making Information This EAL addresses a hazardous event that causes an impediment to vehicle movement and significant enough to prohibit the plant staff from accessing the site using personal vehicles.

Examples of such an event include when both north and south access routes are unavailable due to site FLOODING caused by a hurricane, heavy rains, dam failure, tsunami, mudslide, etc., blocking the access and egress roads Refer to CP M-12 Stranded Plant for conditions in which viable plant access routes are lost (ref. 1).

This EAL is not intended apply to routine impediments such as fog, snow, ice, or vehicle breakdowns or accidents, but rather to more significant conditions such as the Hurricane Andrew strike on Turkey Point in 1992, the flooding around the Cooper Station during the Midwest floods of 1993, or the flooding around Ft. Calhoun Station in 2011.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, Sor C.

Background

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

DCPP Basis Reference(s):

1. CP M-12 Stranded Plant

2. NEI 99-01 HU3 j [Document No.] Rev. [X] . Page 154 of 308 j

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 - Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant.

EAL:

HU4.1 Unusual Event L .

A FIRE is not extinguished within 15 minutes of any of the following FIRE detection indications (Note 1):

Report from the field (i.e., visual observation).

Receipt of multiple (more than 1) fire alarms or indications.

Field verification of a single fire alarm.

AND The FIRE is located within any Table H-1 area.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

(

I [Document No.] *Rev. [X] Page 155 of 3081

ATTACHMENT 1 EAL Bases Table H-1 Fire Areas (See 101942 Sheet 3 for Area Designations)

Containment

Auxiliary Building areas:

o All levels of Area H (Control Room and all areas above and below) o ESF (CCP, SI, RHR, CS, CCW) Pump Rooms o 115' & 100' East end affecting BA Pumps and/or Tanks o 85',

100' & 115' levels of Penetration Areas (Areas GE & GW) o 73' BIT Room o 64' RHR valve gallery & BIT room

Fuel Handling Building areas:

o All levels of Area J o Area L, excluding areas above 165' level, the U1 85' Packaged Boiler Room & its equivalent area on U2.

East Yard area, excluding the Laundry Decon Facility (PWST, RWST, CST, FWST/TT, H2 & N2 Banks)

Turbine Building areas:

o All levels of Area A (U 1 TB north & U2 TB south) o CCW HX Rooms o DFO pump vaults & tanks

Intake Structure Lower Levels

All areas and levels of the Pipe Racks, including inside the 85' caged area.

Transformer Yard areas that contain:

o Main Transformers o Auxiliary Transformers o Startup Transformers Mode Applicability:

All

\ [Document No.] Rev. [X] Page 156 of 308 \

ATTACHMENT 1 EAL Bases Definition(s}:

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) Th~ integrity of the reactor coolant pressure boundar)i; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Plant drawing 101942 sheet 3:

.o 2 3 4 6 7 8 9

<00 D

')li((l l or .. *~HUI$.

[Document No.] Rev. [X] Page 157 of 3081 I

/

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information Fire alarms or indications include, but are not limited to, smoke detectors, flame detectors, sprinkler and deluge alarms and flow switches that trigger main annunciator PK10-10 "Fire Detected".

An "incipient alarm" does meet the intent of a "single fire alarm" if it triggers at its high level and actuates the annunciator PK10-10 "Fire Detected."

However, for this EAL a "pre-alarm" or an "incipient alarm" that triggers main annunciator PK10-15 "Fire Alarm Trouble" does not meet the intent of a "single fire alarm."

Multiple flow switches for the same general vicinity constitute a single alarm. This is because water flow in the sprinkler system can be seen on multiple switches for the same location.

However, smoke and flame detectors are all individual alarms spaced far enough apart that

each should be considered independent of each other.

For EAL HU4.1 the intent of the 15-minute duration is to size the FIRE and to discriminate against small FIRES that are readily extinguished (e.g., smoldering waste paper basket). In addition to alarms, other indications of a FIRE could be a drop in fire main pressure, automatic activation of a suppression system, etc.

Upon receipt, operators will take prompt actions to confirm the validity of an initial fire alarm, indication, or report.

The Shift Manager needs to ask some specific questions to ensure they have the information needed to evaluate the situation.

Is there visible flame?

Are there copious quantities of smoke still being generated?

A smoked component (subject to overheating) should show blackened areas or signs that the component itself had been very hot (e.g., paint peeling). It can be expected to generate some lower level of smoke.

If there is so much smoke present that entry to inspect the component is not possible without an SCBA, that would be an indication that a fire existed and determine if EAL HA5.1 is applicable.

If a breaker truly suffered a fault local to the breaker, the damage and fire ball would be such that consideration of the Hazardous Event EAL SA9.1 would be recommended, if a required Safety System was affected.

If indications of failing safety related equipment are attributable to the fire, consider Hazardous Event EAL SA9.1 In the case of a fire alarm in Containment, procedure OP K-2C should be followed to determine the existence of a fire in containment.

Failure to declare an actual fire or an untimely declaration will be an NRG violation. The important thing is to make the initial declaration timely with respect to the time of the initial indication. In all cases, document the indications considered for the decision made.

For EAL HU4.1 assessment purposes, the emergency declaration clock starts at the time that multiple alarms or indications are received, the report was received, or the time that a single J [Document No.] Rev. [X] Page 158 of 308 J l

ATTACHMENT 1 EAL Bases alarm is confirmed by subsequent verification action. Similarly, the fire duration clock also starts at the time of receipt of the initial alarm, indication or report.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

Background

Table H-1 Fire Areas are based on the OP AP-34 series of procedures on fire response. Table H-1 Fire Areas include those structures containing functions and systems required for safe shutdown of the plant (SAFETY SYSTEMS) (ref. 1).

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

DCPP Basis Reference(s):

1. OP AP-34 series of procedures on fire response

2. AR PK10-10, Fire Detected

3. AR PK10-15, Fire Alarm Trouble

, 4. Plant drawing 101942 sheet 3 (Rev 35)

5. NEI 99-01 HU4

/

I [Document No.] Rev. [X] Page 159 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 - Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant.

EAL:

HU4.2 Unusual Event Receipt of a single fire alarm (i.e., no other indications of a FIRE).

AND The fire alarm is associated with any Table H-1 area.

AND The existence of a FIRE is not verified within 30 minutes of alarm receipt. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

I [Document No.] Rev. [X] Page 160 of 3081

ATTACHMENT 1 EAL Bases Table H-1 Fire Areas (See 101942 Sheet 3 for Area Designations)

Containment

Auxiliary Building areas:

o All levels of Area H (Control Room and all areas above and below) o ESF (CCP, SI, RHR, CS, CCW) Pump Rooms o 115' & 100' East end affecting BA Pumps and/or Tanks o 85', 100' & 115' levels of Penetration Areas (Areas GE & GW) o 73' BIT Room o 64' RHR valve gallery & BIT room

Fuel Handling Building areas:

o All levels of Area J o Area L, excluding areas above 165' level, the U1 85' Packaged Boiler Room & its equivalent area on U2.

East Yard area, excluding the Laundry Decon Facility (PWST, RWST, CST, FWSTfTT, H2 & N2 Banks)

Turbine Building areas:

o All levels of Area A (U1 TB north & U2 TB south) o CCW HX Rooms o DFO pump vaults & tanks

Intake Structure Lower Levels ,

All areas and levels of the Pipe Racks, including inside the 85' caged area.

Transformer Yard areas that contain:

o Main Transformers o Auxiliary Transformers o Startup Transformers

. Mode Applicability:

All I [Document No.] Rev. [X] Page 161 of 3081

ATTACHMENT 1 EAL Bases Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolarit pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Plant drawing 101942 sheet 3:

0 2 3. 4 5, 6, 7 8 9,

I [Document No.] Rev. [X] Page 162 of 308

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information Fire alarms or indications include, but are not limited to, smoke detectors, flame detectors, sprinkler and deluge alarms and flow switches that trigger main annunciator PK10-10 "Fire Detected".

An "incipient alarm" does meet the intent of a "single fire alarm" if it triggers at its high level and actuates the annunciator PK10-10 "Fire Detected."

However, for this EAL a "pre-alarm" or an "incipient alarm" that triggers main annunciator' PK10-15 "Fire Alarm Trouble" does not meet the intent of a "single fire alarm."

Multiple flow switches for the same general vicinity constitute a single alarm. This is because water flow in the sprinkler system can be seen on multiple switches for the same location.

However, smoke and flame detectors are all individual alarms spaced far enough apart that each should be considered independent of each other.

This EAL addresses receipt of a single fire alarm, and the existence of a FIRE is not verified (i.e., proved or disproved) within 30-minutes of the alarm. Upon receipt, operators will take prompt actions to confirm the validity of a single fire alarm. For EAL HU4.2 assessment purposes, the 30-minute clock starts at the time that the initial alarm was received, and not the time that a s.ubsequent verification action was performed.

If an actual FIRE is verified by a report from the field, then HU4.1 is immediately applicable,*

and the emergency must be declared if the FIRE is not extinguished within 15-minutes of the report. If the alarm is verified to be due to an equipment failure or a spurious activation, and this verification occurs within 30-minutes of the receipt of the alarm, then this EAL is not applicable and no emergency declaration is warranted.

The Shift Manager needs to ask some specific questions to ensure they have the information needed to evaluate the situation.

Is there visible flame?

Are there copious quantities of smoke still being generated?

A smoked component (subject to overheating) should show blackened areas or signs that the component itself had been very hot (e.g., paint peeling). It can be expected to generate some lower level of smoke.

If there is so much smoke present that entry to inspect the component is not possible without an SCBA, that would be an indication that a fire existed and determine if EAL HA5.1 is applicable.

If a breaker truly suffered a fault local to the breaker, the damage and fire ball would be such that consideration of the Hazardous Event EAL SA9.1 would be recommended, if a required Safety System was affected.

'If indications of failing safety related equipment are attributable to the fire, consider Hazardous Event EAL SA9. 1 In the case of a fire alarm in Containment, procedure OP K-2C should be followed to, determine the existence of a fire in containment.

I [Document No.] Rev. [X] Page 163 of 3081 L

r--

ATTACHMENT 1 EAL Bases.

Failure to declare an actual.fire o(an untimely declaration will be an NRG violation. The important thing is to make the initial declaration timely with respect to the time of the initial indication. In all cases, document the indications considered for the decision made.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

Background

Table H-1 Fire Areas are based on the OP AP-34 series of procedures on fire response. Table H-1 Fire Areas include those structures containing functions and systems required for safe shutdown of the plant (SAFETY SYSTl;:MS) (ref. 1).

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

A single fire alarm, absent other indication(s) of a FIRE, may be indicative of equipment failure or a spurious activation, and not an actual FIRE. For this reason, additional time is allowed to verify the validity of the alarm. The 30-minute period is a reasonable amount of time to determine if an actual FIRE exists; however, after that time, and absent information to the contr~ry, it is assumed that an actual FIRE is in progress.

Basis-Related Requirements from Appendix R Appendix R to 10 CFR ~O, states in part:

Criterion 3 of Appendix A to this part specifies that "Structures, systems, and components important to safety shall be designed and located to minimize; consistent with other safety requirements, the probability and effect of fires and explosions."

When considering the effects of fire, those systems associated with achieving and maintaining safe shutdown conditions assume major importance to safety because damage to them can lead to core damage resulting from loss of coolant through boil-off.

Because fire may affect safe shutdown systems and because the loss of function of systems used to mitigate the consequences of design basis accidents under post-fire conditions does not per se impact public safety, the need to limit fire damage to systems required to achieve and maintain safe shutdown conditions is greater than the need to limit fire damage to those systems required to mitigate the consequences of design basis accidents.

In addition, Appendix R to 10 CFR 50, requires, among other considerations, the use of 1-hour fire barriers for the enclosure of cable and equipment and associated non-safety circuits of one redundant train (G.2.c). As used in HU4.2, the 30-minutes to verify a single alarm is well within this worst-case 1-hour time period.

I [Document No.] Rev. [X] Page 164 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. OP AP-34 series of procedures on fire response

2. AR PK10-10, Fire Detected

3. AR PK10-15, Fire Alarm Trouble

4. Plant drawing 101942 sheet 3 (Rev 35)

5. NEI 99-01 HU4 I [Document No.] Rev. [X] Page 165 of 3081 L

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 -- Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant.

EAL:

HU4.3 Unusual Event A FIRE within the ISFSI PROTECTED AREAor PLANT PROTECTED AREA not extinguished within 60 minutes of the initial report, alarm or indication. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

All Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is

preferred but is NOT required if large quantities of smoke and heat are observed.

ISFSI PROTECTED AREA - Areas within the ISFSI to which access is strictly controlled in accordance with the station's Security Plan.

PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT PROTECTED AREA.

Basis:

ERO Decision Making Information This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

In addition to a FIRE addressed by EAL HU4.1 or HU4.2, a FIRE within the PLANT PROTECTED AREA not extinguished within 60-minutes may also potentially degrade the level of plant safety. This basis extends to a FIRE occurring within the ISFSI PROTECTED AREA located outside the PLANT PROTECTED AREA.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

Background

None DCPP Basis Reference(s):

1. NEI 99-01 HU4 I [Document No.] Rev. [X] Page 166 of 3081 L

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4- Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant.

EAL: /

HU4.4 Unusual Event A FIRE within the ISFSI PROTECTED AREA or PLANT PROTECTED AREA that requires firefighting support by an offsite fire response agency to extinguish.

Mode Applicability:

All Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constituteJires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

JSFSI PROTECTED AREA - Areas within the ISFSI to which access is strictly controlled in accordance with the station's Security Plan.

PLANT PROTECTED AREA - Areas to which access is strictly controlled in accordance with

the station's Security Plan.

Note: The DCPP Independent Spent Fuel Storage Installation (ISFSI) has its own ISFSI PROTECTED AREA separate from the PLANT PROTECTED AREA.

Basis:

ERO Decision Making Information This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

If a FIRE within the ISFSI or PLANT PROTECTED AREA is of sufficient size to require a response by an offsite firefighting agency (e.g., a local town Fire Department, for DCPP this is normally CalFire), then the level of plant safety is potentially degraded. The dispatch of an offsite firefighting agency to the site requires an emergency declaration only if it is needed to actively support firefighting efforts (engages in firefighting efforts or is needed to engage in firefighting efforts) because the fire is beyond the capability of the Fire Brigade (for DCPP, this is the DCPP Fire Department) to extinguish. Declaration is not necessary if the agency resources are placed on stand-by, or supporting post-extinguishment recovery or investigation actions.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

Background

None I [Document No.] Rev. [X] Page 167 of 3os I

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s}:

1. NEI 99-01 HU4 I [Document No.] Rev. [X] Page 168 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 5 - Hazardous Gases Initiating Condition: Gaseous release IMPEDING access to equipment necessary for normal plant operations, cooldown or shutdown.

EAL:

HA5.1 Alert Release of a toxic, corrosive, asphyxiant o~ flammable gas into any Table H-2 rooms or areas.

AND Entry into the room or area is prohibited or IMPEDED. (Note 5)

Note 5: If the equipment in the listed room or area was already inoperable or out-of-service before the event occurred, then no emergency classification i.s warranted.

Table H-2 Safe Operation & Shutdown Rooms/Areas Room/Area Mode(s)

Auxiliary Building - 115' - BASTs 2, 3,4

\

Auxiliary Building - 100' -'BA Pumps 2, 3,4 Auxiliary Building - 85' - Aux Control Board 2, 3,4 Auxiliary Building - 64' - BART Tank area 2, 3,4 Area H (below Control Room) - 100' 480V Bus area/rooms 3,4 Mode Applicability:

2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

Basis:

ERO Decision Making Information This EAL does not apply to firefighting activities that automatically or manually activate a fire suppression system in an area. Such events are classified per IC HU4 - Fire.

The list of plant rooms or areas with entry-related mode applicability identified specify those rooms or areas that contain equipment which require a manual/local action as specified in operating procedures used for normal plant operation, cooldown and shutdown. Specifically, the identified rooms are those where an activity must be performed to borate to cold shutdown, isolate accumulators or cooldown using RHR.

j [Document No.] Rev. [X] Page 169 of 308 j

ATTACHMENT 1 EAL Bases If the equipment in the listed room or area was already inoperable, or out-of-service, before the

/ event occurred, then no emergency should be declared since the event will have no adverse impact beyond that already allowed by Technical Specifications at the time of the event.

I An Alert declaration is warranted if entry into the affected room/a~ea is, or may be, procedurally requir~d during the plant operating mode in effect at the time of the gaseous release. The emergency classification is not contingent upon whether entry is actually necessary at the time of the release.

Evaluation of the IC and EAL do not require atmospheric sampling; it only requires the SM/SAC/ED judgment that the gas concentration in the affected room/area is sufficient to preclude or significantly IMPEDE procedurally required access. This judgment may be based on a variety of factors including an existing job hazard analysis, report of ill effects on personnel, advice from a subject matter expert or operating experience with the same or similar hazards. Access should be considered as IMPEDED if extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is riot routinely employed).

An emergency declaration is not warranted if any of the following conditions apply:

The plant is in an operating mode different than the mode specified for the affected room/area (i.e., entry is not required during the operating mode in effect at the time of the gaseous release). For example, the plant is in Mode 1 when the gaseous release occurs, and the procedures used for normal operation, cooldown and shutdown do not require entry into the affected room until Mode 4.

The gas release is a planned activity that includes compensatory measures which address the temporary inaccessibility of a room or area (e.g., fire suppression system testing).

The action for which room/area entry is required is of an administrative or record keeping nature (e.g., normal rounds or routine inspections).

The access control measures are of a conservative or precautionary nature, and would not actually prevent or IMPEDE a required action.

Escalation of the emergency classification level would be via Recognition Category R, C or F ICs.

(continued)

I [Document No.] Rev. [X] Page 170 of 3081

ATTACHMENT 1 EAL Bases.

Background

Rooms or areas in which actions of a contingent or emergency nature would be performed (e.g., an action to address an off-normal or emergency condition such as emergency repairs, corrective measures or emergency operations) are not included. In addition, the list specifies the plant mode(s) during which entry would be required for each room or area (ref. 1).

This EAL addresses an event involving a release of a hazardous gas that precludes or IMPEDES access to equipment necessary to maintain normal plant operation, or required for a normal plant cooldown and shutdown. This condition represents an actual or potential

substantial degradation of the level of safety of the plant.

An asphyxiant is a gas capable of reducing the level of oxygen in the body to dangerous levels. Most commonly, asphyxiants work by merely displacing air in an enclosed environment.

This reduces the concentration of oxygen below the normal level of around 19%, which can lead to,__ breathing difficulties, unconsciousness or even death.

NOTE: IC HA5 mode applicability has been limited to the applicable modes identified in Table H-2 Safe Operation & Shutdown Rooms/Areas. If due to plant operating procedure or plant configuration changes, the applicable plant modes specified in Table H-2 are changed, a corresponding change to Attachment 3 'Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases' and to IC HA5 mode applicability is required.

DCCP Basis Reference(s): -'

1. Attachment 3 Safe Operation & Shutdown Rooms/Areas Table R-2 & H-2 Bases

2. NEI 99-01 HA5 I [Document No.] Rev. [X] Page 171 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 6 - Control Room Evacuation Initiating Condition: Control Room evacuation resulting in transfer of plant control to alternate locations.

EAL:

HA6.1 Alert An event requiring plant control to be transferred from the Control Room to the Hot Shutdown Panel area.

Mode Applicability:

All Definition(s):

None Basis:

ERO Decision Making Information For the purpose of this EAL the 15 minute classification clock starts when the last licensed operator leaves the Control Room.

The Shift Manager (SM) determines if the Control Room requires evacuation and entry into OP AP-SA. Control Room inhabitability may be caused by fire, dense smoke, noxious fumes, bomb threat in or adjacent to the Control Room, or other life threatening conditions. OP AP-SA Control Room Inaccessibility - Establishing Hot Standby and OP AP-SB Control Room Inaccessibility - Hot Standby to Cold Shutdown provides the instructions establishing plant control from outside the Control Room (Ref. 1, 2).

Inability to establish plant control from outside the Control Room escalates this event to a Site Area Emergency per EAL HS6.1.

Escalation of the emergency classification level would be via IC HS6.

Background

This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations outside the Control Room. The loss of the ability to control the plant from the Control Room is considered to be a potential substantial degradation in the level of plant safety.

Following a Control Room evacuation, control of the plant will be transferred to alternate shutdown locations. The necessity to pontrol a plant shutdown from outside the Control Room, in addition to responding to the event that required the evacuation of the Control Room, will present challenges to plant operators and other on-shift personnel. Activation of the ERO and emergency response facilities will assist in responding to these challenges.

I [Document No.] Rev. [X] * ~Page 172 of 3os I

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. OP AP-BA Control Room Inaccessibility - Establishing Hot Standby

2. OP AP-88 Control Room Inaccessibility - Hot Standby to Cold Shutdown

3. OP AP-34.5.1 Fire Response - Cable Spreading Room

4. OP AP-34.5.3 Fire Response - Control Room

5. NEI 99-01 HA6 j [Document No.] Rev. [X] Page 173 of 308 j

ATTACHMENT 1 EAL Bases I

Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 6 - Control Room Evacuation Initiating Condition: Inability to control a key safety function from outside the Control Room.

EAL:

HS6.1 Site Area Emergency An event has resulted in plant control being transferred from the Control Room to the Hot Shutdown Panel area.

AND SM/SEC/ED determination that control of any of the following key safety functions is not re-established within 15 minutes (Note 1):

Reactivity (Modes 1, 2 and 3 only)

Core Cooling

RCS heat removal Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.*

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown, 5 - Cold Shutdown, 6 - Refueling Definition(s):

None I [Document No.] Rev. [X] Page 174 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information For the purpose of this EAL the 15 minute classification clock starts when the last licensed operator leaves the Control Room.

The determination of whether or not "control" is established at the remote safe shutdown location(s) is based on SM/SEC/ED judgment. The SM/SEC/ED is expected to make a reasonable, informed judgment within 15 minutes whether or not the operating staff has control of key safety functions from the remote safe shutdown location(s). In making this determination, the SM/SEC/ED must be working through the procedures to establish control and have: *

the required people to gain control of the key safety functions AND

an understanding that there are no known impediments that will prevent successfully taking control of the key safety functions.

Physical control of key safety functions by manipulation of controls is not required to verify control, rather, it is sufficient that control transfer is successful (i.e. light indication of applicable equipment).

Escalation of the emergency classification level would be via IC FG1 or CG1

Background

The Shift Manager (SM) determines if the Control Room requires evacuation per OP AP-SA.

Control Room inhabitability may be caused by fire, dense smoke, noxious fumes, bomb threat in or adjacent to the Control Room, or other life threatening conditions. OP AP-SA Control Room Inaccessibility - Establishing Hot Standby and OP AP-SB Control Room Inaccessibility -

Hot Standby to Cold Shutdown, provides the instructions establishing plant control from outside the Control Room (Ref. 1, 2).

Once the Control Room is evacuated, the objective is to establish control of important plant equipment and maintain knowledge of important plant parameters in a timely manner. Primary emphasis should be placed on components and instruments that supply protection for and information about safety functions. Typically, these safety functions are reactivity control (ability to shut down the reactor and maintain it shutdown), RCS inventory (ability to cool the core), and secondary heat removal (ability to maintain a heat sink).

(continued)

I [Document No.] Rev. [X] Page 175 of 3os I

ATTACHMENT 1 EAL Bases Hot Shutdown Panel (HSDP) indications for Reactivity, Core Cooling and RCS Heat Removal:

Reactivity o Gamma Metrics indicators (Nl-53 & Nl-54)

Core Cooling o Pressurizer Liquid Temperature (Tl-4538) o Pressurizer Pressure (Pl-4558) o RCS WR Pressure (Pl-406 at Dedicated Shutdown Panel) o RCS Temperatures (Loop 1 at Dedicated Shutdown Panel)

RCS heat removal o AFW Flow Indicators (Fl-165 through 1_68) o AFW Pump discharge pressures (Pl-51 B through 538) o SG WR Levels (ll-501 through 504) o SG Pressures (Pl-514, 524, 534, 544)

This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations, and the control of a key safety function cannot be reestablished in a timely manner; The failure to gain control of a key safety function following a transfer of plant control to alternate locations is a precursor to a challenge to one or more fission product barriers within a relatively short period of time.

DCPP Basis Reference(s):

1. OP AP-BA Control Room Inaccessibility - Establishing Hot Standby \

2. OP AP-88 Control Room Inaccessibility - Hot Standby to Cold Shutdown

3. OP AP-34.5.1 Fire Response - Cable Spreading Room

4. OP AP-34.5.3 Fire Response - Control Room

5. NEI 99-01 HS6 I [Document No.] Rev. [X] Page 176 of 308 J

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - SM/SEC/ED J°udgment Initiating Condition: Other conditions existing that in the judgment of the SM/SEC/ED warrant declaration of a UE.

EAL:

HU7.1 Unusual Event Other conditions exist which in the judgment of the SM/SEC/ED indicate that events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of SAFETY SYSTEMS occurs.

Mode Applicability:

All Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the SM/SEC/ED to fall under the emergency classification level description for an Unusual Event.

(continued)

I [Document No.] Rev. [X] .I Page 177 of 3081

ATIACHMENT 1 EAL Bases

Background

The SM/SEC/ED is the designated onsite individual having the responsibility and authority for implementing the DCPP Radiological Emergency Response Plan. The operations Shift Manager (SM) initially acts in the capacity of the SEC/ED and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the SM/SEC/ED, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

Refer to the OP AP-34 series of procedures on fire response for a list of SAFETY SYSTEMS, usually noted their Attachment 1.

DCPP Basis Reference(s):

1. NEI 99-01 HU7 I [Document No.] Rev. [X] Page 178 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - SM/SEC/ED Judgment lni_tiating Condition: Other conditions exist that in the judgment of the SM/SEC/ED warrant declaration of an Alert.

EAL:

HA7.1 Alert Other conditions exist which, in the judgment of the SM/SEC/ED, indicate that events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a SECURITY EVENT that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any relea~es are expected to be limited to small fractions of the EPA PROTECTIVE ACTION GUIDELINE exposure levels ..

Mode Applicability:

All Definition(s):

EPA PROTECTIVE ACTION GUIDELINES (EPA PAG) - The EPA PAGs are expressed in terms of dose commitment: 1 Rem TEDE or 5 Rem COE Thyroid. Actual or projected offsite exposures in excess of the EPA PAGs requires DCPP to recommend protective actions for the general public to offsite planning agencies.

HOSTILE ACTION - An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA).

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan. '

SECURITY EVENT -Any incident representing an attempted, threatened, or actual breach of the security system or reduction of the operational effectiveness of that system. A security event can result in either a SECURITY CONDITION or HOSTILE ACTION.

1 [Document No.] Rev. [X] Page 179 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration *of an emergency because conditions exist which are believed by the SM/SEC/ED to fall under the emergency classification level description for an Alert.

Background

The SM/SEC/ED is the designated onsite individual having the responsibility and authority for implementing the DCPP Radiological Emergency Response Plan. The operations Shift Manager (SM) initially acts in the capacity of the SEC/ED and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the SM/SEC/ED, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

DCPP Basis Reference(s):

1. NEI 99-01 HA7 I [Document No.] Rev. [X] Page 180 of 3081'

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - SM/SEC/ED Judgment Initiating Condition: Other conditions existing that in the judgment of the SM/SEC/ED warrant declaration of a Site Area Emergency.

EAL:

HS7 .1 Site Area Emergency Other conditions exist which in the judgrnent of the SM/SEC/ED indicate that events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or mali.cious acts, (1) toward site personnel or equipment that could lead to the likely failure of or, (2) that prevent effective access to equipment needed for the protection of the public.

Any releases are not expected to result in exposure levels which exceed EPA PROTECTIVE ACTION GUIDELINE exposure levels beyond the SITE BOUNDARY.

Mode Applicability:

All Definition(s):

EPA PROTECTIVE ACTION GUIDELINES (EPA PAG) - The EPA PAGs are expressed in terms of dose commitment: 1 Rem TEDE or 5 Rem COE Thyroid. Actual or projected offsite exposures in excess of the EPA PAGs requires DCPP to recommend protective actions for the general public to offsite planning agencies.

HOSTILE ACTION - An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA)

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan.

SITE BOUNDARY - As depicted in the Final Safety Analysis Report Update (UFSAR),

Figure 2.1-2, Site Plan and Gaseous/Liquid Effluent Release Points.

I [Document No.] Rev. [X] Page 181 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the SM/SEC/ED to fall under the emergency classification level description for a Site Area Emergency.

Background

The SM/SEC/ED is the designated onsite individual having the responsibility and authority for implementing the DCPP Radiological Emergency Response Plan. The operations Shift Manager (SM) initially acts in the capacity of the SEC/ED and takes actions as outlined in the Emergency Plan implementing pro9edures. If required by'the emergency classification or if deemed appropriate by the SM/SEC/ED, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a.major emergency.

DCPP Basis Reference(s):

1. NEI 99-01 HS7

\,

I [Document No.] Rev. [X] Page 182 of 3081

ATTACHMENT 1 EAL Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - SM/SEC/ED Judgment Initiating Condition: Other conditions exist which in the judgment of the SM/SEC/ED warrant declaration of a General Emergency.

EAL:

HG7.1 General Emergency Other conditions exist which in the judgment of the SM/SEC/ED indicate that events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with,potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA PROTECTIVE ACTION GUIDELINE exposure levels offsite for more than the immediate site area.

Mode Applicability:

All Definition(s):

EPA PROTECTIVE ACTION GUIDELINES (EPA PAG) - The EPA PAGs are expressed in terms of dose commitment: 1 Rem TEDE or 5 Rem COE Thyroid. Actual or projected offsite exposures in excess of the EPA PAGs requires DCPP to recommend protective actions for the general public to offsite planning agencies.

HOSTILE ACTION - An act toward DCPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILES, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on DCPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the OWNER CONTROLLED AREA).

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

OWNER CONTROLLED AREA (OCA) - For purpose of HOSTILE ACTION classifications, in accordance with this EAL scheme, the OCA is defined as the same area and boundary contained in the DCPP Security and Safeguards Contingency Plan.

I [Document No.] Rev. [X] Page 183 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the SM/SEC/ED to fall under the emergency classification level description for a General Emergency.

Releases can reasonably be expected to exceed EPA PAG plume exposure levels outside the SITE BOUNDARY.

Background

The SM/SEC/ED is the designated onsite individual having the responsibility and authority for implementing the DCPP Radiological Emergency Response Plan. The operations Shift Manager (SM) initially acts in the capacity of the SEC/ED and takes actions as outlined in the Emergency Plan implementing procedures. If required by the emergency classification or if deemed appropriate by the SM/SEC/ED, emergency response personnel are notified and instructed to report to their emergency response locations. l'n this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

DCPP Basis Reference(s):

1. NEI 99-01 HG?

I [Document No.] -~ I Rev. [X] Page 184 of 3081

ATTACHMENT 1 EAL Bases Category S - System Malfunction EAL Group: Hot Conditions (RCS temperature > 200°F); EALs in this category are applicable only in one or more hot operating modes.

Numerous system-related equipment failure events that warrant emergency classification have been identified in this category. They may pose actual or potential threats to plant safety.

The events of this category pertain to the following subcategories:

1. Loss of Vital AC Power I

Loss of vital electrical power can compromise plant SAFETY SYSTEM operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of onsite and offsite sources for 4.16KV AC vital buses.

2. Loss of Vital DC Power Loss of vital electrical power can compromise plant SAFETY SYSTEM operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of vital plant 125 VDC power sources.

3. Loss of Control Room Indications Certain events that degrade plant operator ability to effectively assess plant conditions within the plant warrant emergency classification. Losses of indicators are in this subcategory.

4. RCS Activity During normal operation, reactor coolant fission product activity is very low. Small concentrations of fission products in the coolant are primarily from the fission of tramp uranium in the fuel clad or minor perforations in the clad itself. Any significant increase from these base-line levels (2% - 5% clad failures) is indicative of fuel failures and is covered under the Fission Product Barrier Degradation category. However, lesser amounts of clad damage may result in coolant activity exceeding Technical Specification limits. These fission products will be circulated with the reactor coolant and can be detected by coolant sampling.

5. RCS LEAKAGE The reactor vessel provides a volume for the coolant that covers the reactor core. The reactor pressure vessel and associated pressure piping (reactor coolant system) together provide a barrier to limit the release of radioactive material should the reactor fuel clad integrity fail. Excessive RCS LEAKAGE greater than Technical Specification limits indicates potential pipe cracks that may propagate to an extent threatening fuel clad, RCS and containment integrity.

I [Document No.] Rev. [X] Page 185 of 3081

ATTACHMENT 1 EAL Bases

6. RTS Failure This subcategory includes events related to failure of the Reactor Trip System (RTS) to initiate and complete reactor trips. In the plant licensing basis, postulated failures of the RTS to complete a reactor trip comprise a specific set of analyzed events referred to as Anticipated Transient Without Scram (ATWS) events. For EAL classification, however, A TWS is intended to mean any trip failure event that does not achieve reactor shutdown. If RTS actuation fails to assure reactor shutdown, positive control of reactivity is at risk and could cause a threat to fuel clad, RCS and containment integrity.

7. Loss of Communications Certain events that degrade plant operator ability to effectively communicate with essential personnel within or external to the plant warrant emergency classification.

8. Containment Failure Failure of containment isolation capability (under conditions in which the containment is not currently challenged) warrants emergency classification. Failure of containment pressure control capability also warrants emergency classification.

9. Hazardous Event Affecting Safety Systems Various natural and technological events that result in degraded plant SAFETY SYSTEM performance or significant VISIBLE DAMAGE warrant emergency classification under this subcategory.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

VISIBLE DAMAGE - Damage to a SAFETY SYSTEM train that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train:

I [Document No.] Rev. [X] Page 186 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 1 - Loss of Vital AC Power Initiating Condition: Loss of all offsite AC power capability to vital buses for 15 minutes or longer.

EAL:

SU1.1 Unusual Event Loss of all offsite AC power capability, Table S-1, to Unit 1 or Unit 2 vital 4.16KV buses F, G and H for ?.: 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table 5-1 AC Power Capability Unit 1 Unit2

230 kV via either of the following:

230 kV via either of the following:

~

Startup XFMR 1-2 via Startup XFMR 1-1

Startup XFMR 2-2 via Startup XFMR 1-1

~

Startup XFMR 1-2 via Startup XFMR 2-1

Startup XFMR 2-2 via Startup XFMR 2-1 0

500 kV backfed through Main XFMR to Aux

500 kV backfed through Main XFMR to Aux XFMR 1-2 XFMR 2-2

Aux XFMR 1-2 fed from the Main Generator

Aux XFMR 2-2 fed from the Main Generator Q)

!:::::

DG1-1-BusH

DG 2 Bus H UJ c:

DG 1 Bus G

DG 2 Bus 6 0

DG 1 Bus F

DG 2 Bus F

Other Unit via Startup Bus X-Tie

Other Unit via Startup Bus X-Tie Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None

. I [Document No.] Rev. [X] Page 187 of 3081

ATTACHMENT 1 EAL Bases -

Basis:

ERO Decision Making Information For emergency classification purposes, "capability" means that, whether or not the buses are actually powered from it, an AC power source(s) can be aligned to the vital buses within 15 minutes. This is determined by:

Use of a clear procedure path, and

Breakers and equipment are readily available to power up the bus within the allotted time frame.

and

' ~

Power potential indication (power available white status light) from any Table S-1 source is illuminated.

The 15 minute declaration time runs concurrently with determining AC power capability and aligning the source to the buses. Therefore, this EAL does NOT provide for 15 minutes to ascertain capability and another 15 minutes to dedare. In other words, you must either meet the AC power capability for the source of power OR declare within 15 minutes.

This EAL describes a significant degradation of offsite and onsite AC power sources such that I any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In I

I' this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. In other words, a loss of this AC power source will result in a loss of all AC.

The vital 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant (see figure below).

This EAL addresses a prolonged (greater than 15 minutes) loss of offsite power. The loss of offsite power sources renders the plant more vulnerable to a complete loss of power to AC

, emergency buses. This condition represents a potential reduction in the level of safety of the plant.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of offsite power.

When filling out the ENF form, this event can be Unit 1, Unit 2 or Unit 1 and 2.

Escalation of the emergency classification level would be via IC SA 1.

(continued)

I [Document No.] Rev. [X] Page 188 of 3081

ATTACHMENT 1 EAL Bases

Background

Unit 1(2) 4.16KV buses F, G and Hare the emergency (vital) buses. Each bus has three sources of power.

One offsite source is from the 230KV switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

If the 1 or 2-1 transformer is unavailable, the other unit's #1 transformer (2-1 or 1-1) can be used to supply the startup bus through the startup bus cross tie breaker.

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the main transformer to the 4.16KV unit auxiliary transformer / 1-2 (2-2).

This is normally only done post-trip when 500KV power is. available.

During normal operations, vital bus power* is supplied from onsite by the main generator via the 4.16KV unit auxiliary transformer 1-2 (2-2). In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply electrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 1-6).

DCPP Electrical Distribution System Midway 3 +-

500kV Switchyard MidwayB2~1~J'£°"T'°£Y-~

~T'-£"'T~

~ ~_____/.

Bus 1 E: 230kV

,.-/---, I---/----.--/.

Switchyard

~$Mesa T~-i+ Morro

~ig_J Bay Gates 1 122 T s22 Bus 1 u1 Main BankXfmr I USUXfmrs i i i If __l'-()-/..L....!.....__

212 Bus 2 l

500kV ~ 230kV ~ U2 Main Bank Xfmr 500kV/25kV Aux Xfmr .....J=: 25kV ::::::r::::; Aux Xfmr U 25kll ~ l'""Y"'(Y""' 12kV l'""Y"'(Y""'

I- - I 11 Aux Xfmr ::::::r::::; 25kV ~ Aux Xfmr 1-1 12kV 4kV(~ (~ 1-2U1 Main ]' *-=- ) r. (I I I -*I U2 Main 2-2l";X) lcv~kV 1 2 k V l 2-1 I I I" I'

.:;:;., ~L~

Generator@ ) 12kV SU Bus ( ( ( @ Generator f) ) - ) ) ~ su xtmrs ~-========c::::;-C -C 7 f.:f f.:f \"! :J~ ~~ = f.:i!;

y [FfI= l ll Bus D

1) 1) 1)

Bus H 1~1~ ~l=rf~ J

1) 1) 1)

Bus G

1) 1) 1)

Bus F c1 c1 c1 Bus F c1 c1 c1 Bus G tTIJ ~

c1 c1 c1 Bus H

U Bus D DCPP Basis Reference(s):

1. UFSAR, Section 8.2.2

2. UFSAR, Section 8.3.1.6

3. OP AP SD-1, Loss of AC Power

4. OP AP-26, Loss of Offsite Power

5. OP J-2:V, Backfeeding the Unit From the 500kV System

6. ECA-0.0, Loss of All Vital AC Power

7. NEI 99-01 SU1 j [Document No.] Rev. [X] Page 189 of 308 j

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 1 - Loss of Vital AC Power Initiating Condition: Loss of all but one AC power source to vital buses for 15 minutes or longer.

EAL:

SA1.1 Alert AC power capability, Table S-1, to Unit 1 or Unit 2 vital 4.16KV buses F, G and H reduced to a single power source for;::: 15 minutes. (Note 1)

AND A failure of that single power source will result in loss of all AC power to SAFETY SYSTEMS.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table 5-1 AC Power Capability Unit 1 Unit 2

230 kV via either of the following:

230 kV via either of the following:

Q)

!:::

Startup XFMR 1-2 via Startup XFMR 1-1

Startup XFMR 2-2 via Startup XFMR 1-1

~

'+-

Startup XFMR 1-2 via Startup XFMR 2-1

Startup XFMR 2-2 via Startup XFMR 2-1 0

500 kV backfed through Main XFMR to Aux

500 kV backfed through Main XFMR to Aux XFMR 1-2 XFMR 2-2

Aux XFMR 1-2 fed from the Main Generator

Aux XFMR 2-2 fed from the Main Generator Q)

!:::

DG 1 Bus H

DG 2 Bus H ti) c

DG 1 Bus G

DG 2 Bus G 0

DG1-3-BusF

DG 2 Bus F

Other Unit via Startup Bus X-Tie

Other Unit via Startup Bus X-Tie Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown

/ [Document No.] Rev. [X] Page 190 of 3os /

ATTACHMENT 1 EAL Bases Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information For emergency classification purposes, "capability" means that, whether or not the buses are actually powered from it, an AC power source(s) can be aligned to the vital buses within 15 minutes. This is determined by:

Use of a clear procedure path, and *

Breakers and equipment are readily available to power up the bus within the allotted time frame.

and

Power potential indication (power available white status light) from any Table S-1 source is illuminated.

The 15 minute declaration time runs concurrently with determining AC power capability and aligning the source to the buses. Therefore, this EAL does NOT provide for 15 minutes to ascertain capability and another 15 minutes to declare. In other words, you must either meet the AC power capability for the source of power OR declare within 15 minutes.

This EAL describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. In other words, a loss of this AC power source will result in a loss of all AC.

This IC provides an escalation path from IC SU1.

An "AC power source" is a source recognized in AOPs and EOPs, and capable of supplying required power to an emergency bus. Some examples of this condition are presented below.

A loss of all offsite power with a concurrent failure of all but one emergency power source (e.g., an onsite diesel generator).

A loss of all offsite power and loss of all emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being back-fed from the unit main generator.

I [Document No.] , Rev. [X] Page 191 of 3081

ATTACHMENT 1 EAL Bases

A loss of emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being fed from an offsite power source.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of power.

When filling out the ENF form, this event can be Unit 1, Unit 2 or Unit 1 and 2.

Escalation of the emergency classification level would be via IC SS1.

Background

The vital 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant (see figure below). Unit 1(2) 4.16KV buses F, G and Hare the emergency (vital) buses. Each bus has three sources of power.

One offsite source is from the 230~ switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

If the 1 or 2-1 transformer is unavailable, the other unit's #1 transformer (2-1 or 1-1) can be used to supply the startup bus through the startup bus cross tie breaker.

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the main transformer to the 4.16KV unit auxiliary transformer 1-2 (2-2).

This is normally only done post-trip when 500'KV power is available.

During normal operations, vital bus power is supplied from onsite by the main generator via the 4.16KV unit auxiliary transformer 1-2 (2-2). In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply electrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 1-6).

If the capability of a second source of emergency bus power is not restored within 15 minutes, an Alert is declared under this EAL.

Refer to the OP AP-34 series of procedures on fire response for a list of SAFETY SYSTEMS, usually noted their Attachment 1.

I [Document No.] Rev. [X] Page 192 of 3081 L_ -

ATTACHMENT 1 EAL Bases DCPP Electrical Distribution System 500kV Switchyard 230kV Switchyard Midway2+-Bus21~

XJ~ e42 ~ ~~ ------------~ Bus1E~~~Mesa

..........-.-'- 282 Midway 3+- ~T'g"T~ --~ t___ T~-r+ Morro L-\!g__j Bay 1 ~T~______/. ..-"---, 1----/----.---/.

If Gates Bus 1 U1 Main r--------,--- __l_'-QJ'..l.......!.--1 Bus 2 c - BankXfmr ~SUXfmrs~ 212 500kV 12 f"Y"')'"V"\ 2 3 °k~ f"Y"')'"V"\ U2 Main Bank Xfmr 500kV/25kV Auxx~~{l~ 12k~5kV4kV :::AL ~~};~'rlid)ll I) CI 11 AuxXfmr :::AL 25kV ~ Aux Xfmr

i i -~

11 u

(Y) (X) - ,...., 2 - r r4kV 1 2 k V l 2-1 U1 Main - - U2 Main (X) (Y)

Generator ) 12kV SU Bus C1 C C Generator : --

r=--

ll ll ~s~;:~rs il: ~ Ci~

U 4

Bus E BusD (X) kV (X) Bus D Bus E2 DG DG DG DG DG DG 1-1 1-2 1-3 2-3 2-1 2-2 rn=I= ~ 1~~~ ~f=rf~

ll Bus D i) i) i)

Bus H i) i) i)

Bus G i) i) i)

Bus F Ci Ci Ci Bus F Ci Ci Ci Bus G tT=TI ~

J Ci Ci Ci Bus H

~

Bus D DCPP Basis Reference(s):

1. UFSAR, Section 8.2.2

2. UFSAR, Section 8.3.1.6

3. OP AP SD-1, Loss of AC Power

4. OP AP-26, Loss of Offsite Power

5. OP J-2:V, Backfeeding the Unit From the 500kV System

6. ECA-0.0, Loss of All Vital AC Power

7. NEI 99-01 SA 1 j [Document No.] Rev. [X] Page 193 of 308 j

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 1 - Loss of Vital AC Power Initiating Condition: Loss of all offsite power and all onsite AC power to vital buses for 15 minutes or longer.

EAL:

SS1 .1 Site Area Emergency Loss of all offsite and all onsite AC power to Unit 1 or Unit 2 vital 4.16KV buses F, G and H for;::: 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

SAFETY SYSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information The 15-minute interval begins when both offsite and onsite AC power are lost.

This EAL addresses a total loss of AC power that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. In addition, fission product barrier monitoring capabilities may be degraded under these conditions. This IC represents a condition that involves actual or likely major failures of plant functions needed for the protection of the public.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

When filling out the ENF form, this event can be Unit 1, Unit 2 or Unit 1 and 2.

Escalation of the emergency classification level would be via ICs RG1, FG1 or SG1.

I [Document No.] Rev. [X] Page 194 of 3081

ATTACHMENT 1 EAL Bases

Background

The vital 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant (see figure below).

Unit 1(2) 4.16KV buses F, G and H are the emergency (vital) buses. Each bus has three sources of power.

One offsite source is from the 230KV switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

If the 1 or 2-1 transformer is unavailable, the other unit's #1 transformer (2-1 or 1-1) can be used to supply the startup bus through the startup bus cross tie hreaker.

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the main transformer to the 4.16KV unit auxiliary transformer 1-2 (2-2).

This is normally only done post-trip when 500KV power is available.

During normal operations, vital bus power is supplied from onsite by the main generator via the 4.16KV unit auxiliary transformer 1-2 (2-2). In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply e.lectrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 1-6).

DCPP Electrical Distribution System 500kV Switchyard 230kV Switchyard Midway2~Bus2~~

~~ ~~ -----------~

e421.J1L Bus1E~~~ Mesa

........,....__ 282 Midway 3~ ~J'-g"T~ --~ L - T~,+ Morro

..-"----, I-/--.--/. ~ig_j Bay Gates 1 ~J'g"-------'- Bus 1 u1 Main ~----.---- ----1..'0-'...J........!.. Bus 2

- BankXfmr ~SUXfmrs~

ff 212 r

SOOkV

~ 2,32°k~ ~ U2 Main BankXfmrSOOkV/25kV u:::L I) CI

-Gk11 Aux Xfmr 25kV """"'""1...._ Aux Xfmr u

(""\ 2-r 4kV 1 2 k V l 2-1

' i i - U2 Main (X) M 12kV SU Bus C1 C C Generator i:--

ll ll

~s~;:~rs~ ~Is U

4 BusE Bus D Bus D BusE2 (X) kV (X)

DG DG DG DG DG DG 1-1 1-2 1-3 2-3 2-1 2-2 lf=fi= ~ ~~1~ ~l=r=IT tYTI ~

ll BusD

1) 1)

Bus H i) 1) 1)

BusG

1) i) 1)

BusF

1) C1 Ci Ci Bus F C1 C1 C1 BusG J C C c, U 1 1 Bus H Bus D DCPP Basis Reference(s):

1. UFSAR, Section 8.2.2

2. UFSAR, Section 8.3.1.6

3. OP AP SD-1, Loss of AC Power

4. OP AP-26, Loss of Offsite Power

5. OP J-2:V, Backfeeding the Unit From the 500kV System

6. ECA-0.0, Loss of All Vital AC Power

7. NEI 99-01 SS1 I [Document No.] Rev. [X] Page 195 of 3081

ATIACHMENT 1 EAL Bases Category: S -System Malfunction Subcategory: 1 - Loss of Vital AC Power Initiating Condition: Prolonged loss of all offsite and all onsite AC power to vital buses.

EAL:

SG1 .1 General Emergency Loss of all offsite and all onsite AC power to Unit 1 or Unit 2 vital 4.16KV buses F, G and H.

AND EITHER:

Restoration of at least one 4.16KV vital bus in < 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is not likely. (Note 1)

CSFST Core Cooling RED path conditions met.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

SAFETY SYSTEM-A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure: *

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

I [Document No.] Rev. [X]

Page 196 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This EAL is indicated by the extended loss of all offsite and onsite AC power capability to 4.16KV vital buses F, G and Heither for greater then the DCPP Station Blackout (SBO) coping analysis time (4 hrs.) (ref. 1) or that has resulted in indications of an actual loss of adequate core cooling.

Indication of continuing core cooling degradation is manifested by CSFST Core Cooling' RED path conditions being met. (ref. 2).

The EAL should require declaration of a General Emergency prior to meeting the thresholds for IC FG1. This will allow additional time for implementation of offsite protective actions.

The estimate for restoring at least one emergency bus should be based on a realistic appraisal of the situation. Mitigation actions with a low probability of success should not be used as a basis for delaying a classification upgrade. The goal is to maximize the time available to prepare for, and implement, protective actions for the public.

The EAL will also require a General Emergency declaration if the loss of AC power results in parameters that indicate an inability to adequately remove decay heat from the core.

When filling out the ENF form, this event can be Unit 1, Unit 2 or Unit 1 and 2.

Background

The vital 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant (see figure below).

Unit 1(2) 4.16KV buses F, G and Hare the emergency (vital) buses. Each bus has three sources of power.

One offsite source is from the 230KV switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

If the 1-1 or 2-1 transformer is unavailable, the other unit's #1 transformer (2-1 or 1-1) can be used to supply the startup bus through the startup bus cross tie breaker.

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the main transformer to the 4.16KV unit auxiliary transformer 1-2 (2-2).

This is normally only done post-trip when 500KV power is available.

During normal operations, vital bus power is supplied from onsite by the main generator via the 4.16KV unifauxiliary transformer 1-2 (2-2). In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply electrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 3-8).

Four hours is the station blackout coping time (ref 1).

(continued)

I [Document No.] Rev. [X] Page 197 of 3081

ATTACHMENT 1 EAL Bases Indication of continuing core cooling degradation must be based on fission product barrier monitoring with particular emphasis on SM/SEC/ED judgment as it relates to IMMIN~NT Loss of fission product barriers and degraded ability to monitor fission product barriers. Indication of continuing core cooling degradation is manifested by CSFST Core Cooling RED Path conditions being met (ref.2). Specifically, Core Cooling RED Path conditions exist if either:

Core exit TCs are reading greater than or equal to 1200°F, or

Core exit TCs are reading greater than or equal to 700°F with RCS subcooling less than or equal to 20°F, and RVLIS full range indication is less than or equal 32%.

This EAL addresses a prolonged loss of all power sources to AC emergency buses. A loss of all AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A prolonged loss of these buses will lead to a loss of one or more fission product barriers. In addition, fission product barrier monitoring capabilities may be degraded under these conditions.

Escalation of the emergency classification from Site Area Emergency will occur if it is projected that power cannot be restored to at least one AC emergency bus by the end of the analyzed station blackout coping period. Beyond this time, plant responses and event trajectory are subject to greater uncertainty, and there is an increased likelihood of challenges to multiple fission product barriers.

DCPP Electrical Distribution System 500kV Switchyard 230kV Switchyard MidwayB2~~~J'£"J~~ Bus1E : :~$Mesa Midway 3 .._ ~T'£°"T~ Tr:9°'-r+ Morro

~ ~_____/. . ,.-/--, 1-/----.--/. L....\~ Bay Gates 1 722 J 622 Bus 1 u1 Main ____.l_~J.......!___J Bus 2

~ Bank Xfmr sg~~~ C!:f!=l

~SU Xfmrs ~

~ 213~k~ ~ ff 212 U2 Main Bank Xfmr 500kV/25kV Auxx~~{ ~l 12k~skv4kvf~f ~'.f x1mr ~ 11 _l_

_ 1) ,..., ci ~Gk" Auxx~~rr =:r::=r 4kJs~~kv;: : :L. ,l ~-'f x1mr U1 Main - i i U2 Main (X) (Y)

_ Generator , ) 12kV SU Bus CC( Generator _

==

r;--) )) ~SUXfmrs ~ ( *C ( 7 f.:f = i; \"'J~ ..,'f::.., ~L~~ ~

~ lFFI= ~ ~~i~ ~f=rf~ J ll Bus D i) i) i)

Bus H i) i) i)

Bus G i) i) i)

Bus F Ci Ci Ci Bus F Ci Ci Ci Bus G tTIJ ~

Ci Ci Ci Bus H SW Bus D I [Document No.] Rev. [X] Page 198 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. DCM T-42, Station Blackout

2. EOP F-0, Critical Safety Function Status Trees Attachment 2, "F-0.2 Core Cooling"

3. UFSAR, Section 8.2.2

4. UFSAR, Section 8.3.1.6

5. OP AP SD-1, Loss of AC Power

6. OP AP-26, Loss of Offsite Power

7. OP J-2:V, Backfeeding the Unit From the 500kV System

8. EOP ECA-0.0, Loss of All Vital AC Power

9. NEI 99-01 SG1 I [Document No.] Rev. [X] Page 199 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 2 - Loss of Vital DC Power Initiating Condition: Loss of all vital DC power for 15 minutes or longer.

EAL:

552.1 Site Area Emergency Loss of all 125 VDC power based on battery bus voltage indications< 105 VDC on all Unit 1 or Unit 2 vital DC buses for;::: 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

I 1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information Minimum battery voltage of 105 VDC is the voltage below which supplied loads may not function (ref. 1, 3, 4).

This IC addresses a loss of vital DC power which compromises the ability to monitor and control SAFETY SYSTEMS. In modes above Cold Shutdown, this condition involves a major failure of plant functions needed for the protection of the public.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Escalation of the emergency classification level would be v_ia ICs RG1, FG1 or SG1.

I [Document No.] Rev. [X] Page 200 of 3081

ATTACHMENT 1 EAL Bases

Background

The vital 125 VDC system consists of three independent networks per unit. Each network contains the following components:

Battery

Battery charger

Standby battery charger to allow maintenance and/or testing.

Distribution panels

Ground detector The vital 125 VDC batteries and distribution panels are located in Area "H" of the 115 feet elevation of the Auxiliary Building. There are a total of three batteries per unit, 11 (21 ), 12(22),

and 13(23). The batteries are sized to provide sufficient power to operate the associated DC loads for the time necessary to safely shut down the unit, should a 480-VAC source to one or more battery chargers be unavailable (ref. 1, 2, 3).

DCPP Basis Reference(s}:

1. EOP ECA-0.0, Loss of All Vital AC Power

2. UFSAR, Section 8.3.2.2.2

3. OP AP-23, Loss of Vital DC Bus

4. Notification 50804190 DC Bus Voltage Trigger for EALs

5. NEI 99-01 SS8 I [Document No.] Rev. [X] Page 201 of 3081

ATTACHMENT 1 EAL Bases Category: S -System Malfunction Subcategory: 2 - Loss of Vital DC Power Initiating Condition: Loss of all AC and vital DC power sources for 15 minutes or longer.

EAL:

SG2.1 General Emergency Loss of all offsite and all onsite AC power to Unit 1 or Unit 2 vital 4.16KV buses F, G and H for~ 15 minutes.

AND Loss of all 125 VDC power based on battery bus voltage indications < 105 VDC on all Unit 1 or Unit 2 vital DC buses for"~ 15 minutes.

(Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

SAFETY SYSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

J [Document No.] Rev, [X] Page 202--of 308 J

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information Minimum battery voltage of 105 VDC is the voltage below which supplied loads may not function (ref.6, 8, 9).

This IC addresses a concurrent and prolonged loss of both vital AC and Vital DC power. A loss of all vital AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A loss of vital DC power compromises the ability to monitor and control SAFETY SYSTEMS. A sustained loss of both vital AC and vital DC power will lead to multiple challenges to fission product barriers.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

The 15-minute*emergency declaration clock begins at the point when both EAL thresholds are met.

Background

This EAL is indicated by the loss of all offsite and onsite vital AC pow~r capability to 4.16KV vital buses F, G and H for greater than 15 minutes in combination with degraded vital DC power voltage. This EAL addresses operating experience from the March 2011 accident at Fukushima Daiichi.

The vital 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant (see figure below).

Unit 1(2) 4.16KV buses F, G and Hare the emergency (vital) buses. Each bus has three sources of power.

One offsite source is from the 230KV switchyard via 12KV startup transformer 1-1 (2-1) to the 4.16KV startup transformer 1-2 (2-2).

Another method to obtain offsite power is by back feeding the vital buses from the 500KV switchyard through the rnain transformer to the 4.16KV unit auxiliary transformer 1-2 (2-2).

This is normally only done post-trip when 500KV power is available.

During normal operations, vital bus power is supplied from onsite by the main generator via the 4.16KV unit auxiliary transformer 1-2 (2-2). In addition, each units vital buses F, G and H have an onsite emergency diesel generator which can supply electrical power to its associated bus automatically in the event that the preferred source becomes unavailable (ref. 1-6).

The vital 125 VDC system consists of three independent networks per unit. Each network contains the following components:

Battery

Battery charger

Standby battery charger to allow maintenance and/or testing

Distribution panels

Ground detector I [Document No.] Rev. [X] Page 203 of 3081

ATTACHMENT 1 EAL Bases The vital 125 VDC batteries and distribution panels are located in Area "H" of the 115 feet elevation of the Auxiliary Building. A total of three batteries per unit, 11 (21), 12(22), and 13(23) are supplied for Units 1 and 2. The batteries are sized to provide sufficient power to operate the associated DC loads for the time necessary to safely shut down the unit, should a 480-VAC source to one or more battery chargers be unavailable (ref. 7, 8).

DCPP Electrical Distribution System 500kV Switchyard 230kV Switchyard MidwayB2~1~T'£""T~~ Bus 1E : :~9 Mesa Midway 3 .._ ~T'£"T* T~-,+ Morro Gates 1 * ~ 722 T~____/.

622 u1Main Bus 1 BankXfmr ~SUX!mrs ~

,.-/--, I---/---.--/.

---1.'-Q-/..L..!..---'

212 Bus 2~tlLJ Bay 500kV rYJY"' 21320kkVV rYJY"' rF U2 Main Bank Xfmr 500kV/25kV

.......L ; 2 k~skv4 kv l=:c::;l ~-~};:'r !}_cb11 Auxx~~Il (Y) (X) U1 Main -=-

1) ~ c' j j D'~ i 1 Auxx~~Tor U2 Main

=r=r (X) 4k~s~~kv ~l ~~x x1mr (Y)

; ;- =

1 Generator ) 12kV SU Bus ( ( ( Generator r;- -)- ) ~SUXfmrs~ ( ( -( 7

f -~* oG ~JG m~::f,~ 'L~ ~

~ rn=i: ~~{~ ~i=FF.~ ~ }TIJ ~

ll Bus D I) I) I)

BusH l I) I) I)

Bus G I) I) I)

Bus F cl cl cl Bus F cl cl cl BusG cl cl cl Bus H U

BusD DCPP Basis Reference(s}:

1. UFSAR, Section 8.2.2

2. UFSAR, Section 8.3.1.6

3. OP AP SD-1, Loss of AC Power

4. OP AP-26, Loss of Offsite Power

5. OP J-2:V, Backfeeding the Unit From the 500kV System

6. EOP ECA-0.0, Loss of All Vital AC Power

7. UFSAR, Section 8.3.2.2.2

8. OP AP-23, Loss of Vital DC Bus

9. Notification 50804190 DC Bus Voltage Trigger for EALs

10. NEI 99-01 SG8 I [Document No.] Rev. [X] Page 204 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 3 - Loss of Control Room Indications Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer.

EAL:

SU3.1 Unusual Event An UNPLANNED event results in the inability to monitor one or more Table S-2 parameters from within the Control Room for~ 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-2 Safety Sy

Reactor power

RCS level

RCS pressure

Core Exit TC temperature

Level in at least one SG

Auxiliary or emergency feed flow in at least one SG Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

SAFETY SYSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are reliea upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

I [Document No.] Rev. [X] Page 205 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information SAFETY SYSTEM parameters listed in Table S-2 are monitored in the Control Room through a combination of hard control panel indicators as well as computer based information systems.

The Plant Computer (PPG), ERFDS and SPDS serve as a redundant compensatory indicators which may be utilized in lieu of normal Control Room indicators (ref. 1).

As u~ed in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. Ttiis situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Escalation of the emergency classification level would be via IC SA3.

Background

This IC addresses the difficulty associated with monitoring normal plant conditions without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. This condition is a precursor to a more significant event and represents a potential degradation in the level of safety of the plant.

An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRG event report is required. The event would be reported if it significantliimpaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making.

This EAL is focused on a s~lected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well.

DCPP Basis Reference(s):

1. UFSAR Section 7.5 Safety-Related Display Instrumentation

2. NEI 99-01 SU2 I [Document No.] Rev. [X] Page 206 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 3 - Loss of Control Room Indications Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer with a significant transient in progress.

EAL:

SA3.1 Alert An UNPLANNED event results in the inability to monitor one or more Table S-2 parameters from within the Control Room for;::: 15 minutes. (Note 1)

AND Any significant transient is in progress, Table S-3.

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-2 , Safety System Parameters

Reactor power

RCS level

RCS pressure

Core Exit TC temperature

Level in at least one SG

Auxiliary or emergency feed flow in at least one SG Table S-3 Significant Transients

Reactor trip

Runback ;::: 25% thermal power

Electrical load rejection > 25% full electrical load

ECCS actuation Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown I [Document No.] Rev. [X] Page 207 of 3081

ATTACHMENT 1 EAL Bases Definition(s):

SAFETY SYSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

ERO Decision Making Information SAFETY SYSTEM parameters listed in Table S-2 are monitored in the Control Room through a combination of hard control panel indicators as well. as computer based information systems.

The Plant Computer (PPG), ERFDS and SPDS serve as a redundant compensatory indicator which may be utilized in lieu of normal Control Room indicators (ref. 1).

Significant transients are listed in Table S-3 and include response to automatic or manually initiated functions such as reactor trips, runbacks involving greater than or equal to 25%

thermal power change, electrical load rejections of greater than 25% full electrical load or .

ECCS (SI) injection actuations.

As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Escalation of the emergency classification level would be via ICs FS1 or IC RS1 (continued)

I [Document No.] Rev. [X] Page 208 of 3081

ATTACHMENT 1 EAL Bases

Background

This IC addresses the difficulty associated with monitoring rapidly changing plant conditions during a transient without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. During this condition, the margin to a potential fission product barrier challenge is reduced. It thus represents a potential substantial degradation in the level of safety of the plant.

An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRG event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making.

This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for on~

or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters may be impacted as well. For exam.pie, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well.

DCPP Basis Reference(s):

1. UFSAR Section 7.5 Safety-Related Display Instrumentation

2. NEI 99-01 SA2 J [Document No.] Rev. [X] Page 209 of 308 J

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 4 - RCS Activity Initiating Condition: Reactor coolant activity greater than Technical Specification permissible limits.

EAL:

SU4.1 Unusual Event RCS activity> Technical Specification Section 3.4.16 permissible limits.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

ERO Decision Making Information This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications.

This EAL would be met if TS 3.4.16 Required Action C.1 (place plant in Mode 3 in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ) or C.2 (place plant in Mode 5 in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months ) were not met.

Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs.

Background

The specific iodine activity is limited to 1.0 µCi/gm Dose Equivalent 1-131. However, operation with iodine specific activity levels greater than the limit is permissible, if the activity levels do not exceed 60.0 µCi/gm Dose Equivalent 1-131, for more than 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

The specific X:e-133 activity is limited to~ 600 µCi/gm Dose Equivalent XE-133(ref1).

With the Dose Equivalent 1-131 greater than the LCO limit of 1 µCi/gm, samples at intervals of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months must be taken to demonstrate that the specific activity is< 60.0 µCi/gm. Dose Equivalent 1-131 must be restored to within limits within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . This is acceptable since it is expected that, if there were an iodine spike, the normal RCS iodine concentration (~ 1 µCi/gm) would be restored within this time period (ref 2).

This condition is a precursor to a more significant event and represents a potential degradation ofthe level of safety of the plant.

DCPP Basis Reference(s):

1. DCPP Technical Specifications section 3.4.16 RCS Specific Activity

2. DCPP Technical Specifications Basis-section 3.4.16 RCS Specific Activity

3. NEI 99-01 SU3 I [Document No.] Rev. [X] Page 210 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 4 - RCS Activity Initiating Condition: Reactor coolant activity greater than Technical Specification allowable limits.

EAL:

SU4.2 Unusual Event

. With letdown in service, procedurally directed letdown dose point radiation > 3 R/hour.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 -'Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

ERO Decision Making Information This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. This condition is a precursor to a more significant event and represents a potential degradation of the level of safety of the plant.

Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs.

Background

Initial indication of Fuel Clad degradation can be determined by measuring the external radiation dose rate at a distance of one foot from the center of the letdown line in the letdown heat exchanger room using the technique described in Attachment 7.1 of EP RB-14A, Initial Detection of Core Damage. An external radiation dose rate exceeding 3 R/hour indicates Fuel Clad degradation greater than Technical Specification allowable limits. This value was determined by calculating the radiation level at the Letdown Heat Exchanger inlet pipe location stated above with RCS Technical Specification limit of 60 µCi/gm DEl-131 pre-accident iodine spike activity (ref 1, 2, 3).

DCPP Basis Reference(s):

1. EP RB-14A, Initial Detection of Fuel Cladding Damage

2. DCPP Technical Specifications section 3.4.16 RCS Specific Activity

3. PG&E Calculation EP-CALC-DCPP-1606, Letdown Radiation Monitor Technical Specification Limit 4 .. NEI 99-01 SU3 I [Document No:] Rev. [X] Page 211 of 3081

-- l ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 5 - RCS Leakage Initiating Condition: RCS LEAKAGE for 15 minutes or longer.

EAL:

SU5.1 Unusual Event RCS unidentified or pressure boundary leakage > 10 gpm for;::: 15 minutes.

OR RCS identified leakage > 25 gpm for ;::: 15 minutes.

OR Leakage from the RCS to a location outside containment > 25 gpm for ;::: 15 minutes.

(Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

RCS LEAKAGE - RCS leakage shall be:

a. Identified Leakage

1. Leakage, such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured and conducted to collection systems or a sump or collecting tank;

2. Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage;

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage Leakage (except primary to secondary leakage) through a non-isolable fault in an RCS 1

component body, pipe wall, or vessel wall. *

f. RCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that directly see RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the shutdown cooling mode).

I [Document No.] Rev. [X] Page 212 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information These conditions apply to leakage into the containment, a secondary-side system (e.g., steam generator tube leakage) or a location outside of containment.

The first and second EAL conditions are focused on a loss of mass from the RCS due to "unidentified leakage", "pressure boundary leakage" or "identified leakage" (as these leakage types are defined in the plant Technical Specifications) (ref. 2).

The third condition addresses an RCS mass loss caused by an UNISOLABLE leak through an interfacing system (ref. 3, 4, 5).

If the leak is isolated, the RCS barrier was never lost.

The release of mass from the RCS due to the as-designed/expected operation of a relief valve does not warrant an emergency classification. An emergency classification would be required if a mass loss is caused by a relief valve that is not functioning as designed/expected (e.g., a relief valve sticks open and the line flow cannot be isolated).

The 15-minute threshold duration allows sufficient time for prompt operator actions to isolate the leakage, if possible.

Escalation of the emergency classification level would be via ICs of Recognition Category R or F.

Below is a summary of classification guidance for steam generator tube leaks:

Affected SG is FAUL TED Outside of Containment?

Primary-to-Secondary Yes No Leak Rate Less than or equal to 25 gpm No classification No classification Greater than 25 gpm Unusual Event per SU5.1 Unusual Event per SU5.1 Requires operation of a standby Site Area Emergency per charging (makeup) pump (RCS Alert per FA 1.1 FS1.1 Barrier Potential Loss)

Requires an automatic or manual Site Area Emergency per ECCS (SI) actuation (RCS Barrier Alert per FA1.1 FS1.1 Loss)

I [Document No.] Rev. [X] Page 213 of 3081

ATTACHMENT 1 EAL Bases Background.

Manual or computer-based methods of performing an RCS inventory balance are normally used to determine RCS LEAKAGE.

STP R-10C, Reactor Coolant System Water Inventory Balance, is performed to determine the source and flow rate of the leakage. (ref. 1).

Escalation of this EAL to the Alert level is via Category F, Fission Product Barrier Degradation, EAL FA1.1.

This IC addresses RCS LEAKAGE which may be a precursor to a more significant event. In this case, RCS LEAKAGE has been detected and operators, following applicable procedures, have been unable to promptly isolate the leak. This condition is considered to be a potential degradation of the level of safety of the plant.

The leak rate values for each condition were selected because they are usually observable with normal Control Room indications. Lesser values typically require time-consuming calculations to determine (e.g., a mass balance calculation). The first condition uses a lower value that reflects the greater significance of unidentified or pressure boundary leakage.

DCPP Basis Reference(s):

1. STP R-1 OC, Reactor Coolant System Water Inventory Bal.ance

2. DCPP Technical Specifications Definitions section 1.1

3. UFSAR Section 5.2.7 Reactor Coolant Pressure Boundary Leakage Detection System

4. UFSAR Section 5.2.9 Leakage Prediction From Primary Coolant Sources Outside Containment

5. OP AP-1, Excessive Reactor Coolant System Leakage

6. NEI 99-01 SU4 I

I [Document No.] Rev. [X] Page 214 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 6 - RTS Failure Initiating Condition: Automatic or manual trip fails to shut down the reactor.

EAL:

SU6.1 Unusual Event An automatic trip did not shut down the reactor after any RTS setpoint is exceeded.

AND A subsequent automatic trip or manual trip action taken at the control room panels (CC1, VB2 or VB5) is successful in shutting down the reactor. (Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability: ,

1 - Power Operation Definition(s):

None Basis:

ERO Decision Making Information For the purposes of emergency classification, successful manual trip actions, which are outlined in EOP E-0 "Reactor Trip or Safety Injection", are those which can be quickly performed from the control room panels (CC1, VB2 or VB5):

Reactor trip switches (CC 1 and VB2)

Deenergization of 480V Buses 13D and .13E (23D and 23E) at the Control Room vertical board (VB5)

Reactor shutdown achieved by use of other trip actions specified in FR-S.1 Response to Nuclear Power Generation/ATWS (such as locally opening the reactor trip beakers, local deenergization of 480V Buses 13D and 13E, emergency boration or manually driving control rods) do not constitute a successful manual trip (ref. 4).

Following any automatic RTS trip signal, E-0 (ref. 2) and FR-S.1 (ref. 4) prescribe insertion of redundant manual trip signals to back up the automatic RTS trip function and ensure reactor shutdown is achieved. Even if the first subsequent manual trip signal inserts all control rods to the full-in position immediately after the initial failure of the automatic trip, the lowest level of classification that must be declared is an Unusual Event (ref. 4).

A reactor trip resulting from actuation of the A TWS Mitigation System Actuation Circuitry (AMSAC) logic that results in full insertion of control rods and diminishing neutron flux is considered a successful reactor trip. AMSAC automatically initiates auxiliary feedwater and a turbine trip under conditions indicative of ~m Anticipated Transient Without Scram (ATWS) event (ref. 5).

I [Document No.] Rev. [X] Page 215 of 3081

ATTACHMENT 1 EAL Bases In the event that the operator identifies a reactor trip is IMMINENT and initiates a successful manual reactor trip before the automatic RTS trip setpoint is reached, no declaration is

required. The successful manual trip of the reactor before it reaches its automatic trip setpoint or reactor trip signals caused by instrumentation channel failures do not lead to a potential fission product barrier loss. However, if subsequent manual reactor trip actions fail to reduce reactor power below 5%, the event escalates to the Alert under EAL SA6.1.

Actions,taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the reactor control consoles".

Should a reactor trip signal be generated as a result of plant work (e.g., RTS setpoint testing),

the following classification guidance should be applied.

If the signal causes a plant transient that should have included an automatic reactor trip and the RTS fails to automatically shut down the reactor, then this IC and the EALs are applicable, and should be evaluated.

If the signal does not cause a plant transient and the trip failure is determined through other means (e.g., assessment of test results), then this IC and the EALs are not applicable and no.classification is warranted.

Background

The first condition of this EAL identifies the need to cease critical reactor operations by actuation of the automatic Reactor Trip System (RTS) trip function. A reactor trip is automatically initiated by the RTS when certain continuously monitored parameters exceed predetermined setpoints (ref. 1).

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable. A predictable post-trip response from an automatic reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. A successful trip has therefore occurred when there is sufficient rod insertion from the trip of RTS to bring the reactor power below the immediate shutdown decay heat level of 5% (ref. 2, 3, 4).

If by procedure, operator actions include the initiation of an immediate manual trip following receipt of an automatic trip signal and there are no clear inqications that the automatic trip failed (such as a time delay following indications that a trip setpoi'nt was exceeded), it may be difficult to determine if the reac.tor was shut down because of automatic trip or manual actions.

If a subsequent review of the trip actuation indications reveals that the automatic trip did not cause the reactor to be shut down, then consideration should be given to evaluating the fuel for potential damage, and the reporting requirements of 50.72 should be considered for the transient event.

This IC addresses a failure of the RTS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and either a subsequent operator manual action taken at the reactor control consoles or an automatic trip is successful in shutting down the reactor.

This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant.

I [Document No.] Rev. [X] Page 216 of 3081

ATTACHMENT 1 EAL Bases Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the reactor control consoles to shut down the reactor (e.g., initiate a manual react9r trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip) using a different switch). Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

A manual action at the reactor control consoles is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip). This action does not include manually driving in control rods or implementation of boron injection strategies.

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the reactor control consoles are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an AlertI via IC SA6. Depending upon the plant response, escalation is also possible via IC FA 1. Absent the plant conditions needed to meet either IC SA6 or FA 1, an unusual event declaration is appropriate for this event.

A reactor shutdown is determined in accordance with applicable emergency operating procedure criteria.

DCPP Basis Reference(s):

1. DCPP Technical Specifications Section 3.3.1 Reactor Trip System (RTS) Instrumentation

2. EOP E-0 Reactor Trip or Safety Injection

3. EOP F-0 Critical Safety Function Status Trees Attachment 1, "F-0.1 Subcriticality

4. EOP FR-S.1 Response to Nuclear Power Generation/ATWS

5. UFSAR Section 7.6.2.3 ATWS Mitigation Actuation Circuitry (AMSAC) 6 NEI 99-01 SU5 I [Document No.] Rev. [X] Page 217 of 3081 l

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 6 - RTS Failure Initiating Condition: Automatic or manual trip fails to shut down the reactor.

EAL:

SU6.2 Unusual Event A manual trip did not shut down the reactor after any manual trip action was initiated.

AND A subsequent automatic trip or manual trip action taken at the control room panels (CC1, VB2 or VB5) is successful in shutting down the reactor. (Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies. I Mode Applicability:

1 - Power Operation Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result

in potential offsite exposures.

Basis:

ERO Decision Making Information For the purposes of emergency classification, successful manual trip actions, which are outlined in EOP E-0 "Reactor Trip or Safety Injection", are those which can be quickly performed from the control room panels (CC1, VB2 or VB5):

Reactor trip switches (CC 1 and VB2)

Deenergization of 480V Buses 13D and 13E (23D and 23E) at the Control Room vertical board (VB5)

Reactor shutdown achieved by use of other trip actions specified in FR-S.1 Response to Nuclear Power Generation/A1WS (such as locally opening the reactor trip beakers, local deenergization of 480V Buses 13D and 13E (23D and 23E), emergency boration or manually driving control rods) do not constitute a successful manual trip (ref. 4).

I [Document No.] Rev. [X] Page 218 of 3081*

ATTACHMENT 1 EAL Bases A reactor trip resulting from actuation of the A TWS Mitigation System Actuation Circuitry (AMSAC) logic that results in full insertion of control rods and diminishing neutron flux is considered a successful reactor trip. AMSAC automatically initiates auxiliary feedwater and a turbine trip under conditions indicative of an Anticipated Transient Without Scram (ATWS) event (ref. 5).

If both subsequent automatic and subsequent manual reactor trip actions in the Control Room fail to reduce reactor power below the power associated with the SAFETY SYSTEM design (<

5%) following a failure of an initial manual trip, the event escalates to an Alert under EAL SA6.1. \

Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the reactor control consoles".

Should a reactor trip signal be generated as a result of plant work (e.g., RTS setpoint testing),

the following classification guidance should be applied.

If the signal causes a plant transient that should have included an automatic reactor trip and the RTS fails to automatically shut down the reactor, then this IC and the EALs are applicable, and should be evaluated.

If the signal does not cause a plant transient and the trip failure is determined through other means (e.g., assessment of test results), then this IC and the EALs are not applicable and no classification is warranted. *

Background

This EAL addresses a failure of a manually initiated trip in the absence of having exceeded an automatic RTS trip setpoint and a subsequent automatic or manual trip is successful in shutting down the reactor (reactor power< 5%). (ref. 1). ,

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable. A predictable post-trip response from a manual reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. A successful trip has therefore occurred when there is sufficient rod insertion from the trip of RTS to,bring the reactor power below the immediate shutdown decay heat level of 5% (ref. 2, 3, 4).

This IC addresses a failure of the RTS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and either a subsequent operator manual action taken at the reactor control eonsoles or an automatic trip is successful in shutting down the reactor.

This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant.

Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

I [Document No.] Rev. [X] Page 219 of 3081

ATTACHMENT 1 EAL Bases If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the reactor control consoles to shut down the reactor (e.g., initiate a manual reactor trip) using a different switch. Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems.

A manual action at the reactor control consoles is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip). This action does not include manually driving in control rods or implementation of boron injection strategies.

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the reactor control consoles are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC SA6. Depending upon the plant response, escalation is also possible via IC FA 1. Absent the plant conditions needed to meet either IC SA6 or FA 1, an unusual event declaration is appropriate for this event.

A reactor shutdown is determined in accordance with applicable emergency operating procedure criteria.

DCPP Basis Reference(s):

1. DCPP Technical Specifications section 3.3.1 Reactor Trip System (RTS) Instrumentation

2. EOP E-0 Reactor Trip or Safety Injection

3. EOP F-0 Critical Safety Function Status Trees Attachment 1, "F-0.1 Subcriticality

4. EOP FR-S.1 Response to Nuclear Power Generation/ATWS

5. UFSAR Section 7.6.2.3 ATWS Mitigation Actuation Circuitry (AMSAC)

6. NEI 99-01 SU5 I [Document No.] Rev. [X] Page 220 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 2 - RTS Failure Initiating Condition: Automatic or manual trip fails to shut down the reactor and subsequent manual actions taken .at the reactor control consoles are not successful in shutting down the reactor.

EAL:

SA6.1 Alert An automatic or manual trip fails to shut down the reactor AND Manual trip actions taken at the control room panels (CC 1, VB2 or VB5) are not successful in shutting down the reactor. (Note 8) *

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation Definition(s):

SAFETY SYSTEM-A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information For the purposes of emergency classification, successful manual trip actions, which are outlined in EOP E-0 "Reactor Trip or Safety Injection", are those which can be quickly performed from the control room panels (CC1, VB2 or VB5):

Reactor trip switches (CC 1 and VB2)

Deenergization of 480V Buses 13D and 13E (23D and 23E) at the Control Room vertical board (VB5)

If a reactor trip could NOT be accomplished from the Control Room panels, this EAL applies.

Reactor shutdown achieved by use of other trip actions specified in FR-S.1 Response to Nuclear Power Generation/ATWS (such as locally opening the reactor trip beakers, local I [Document No.] Rev. [X] Page 221 of 3081

ATTACHMENT 1 EAL Bases deenergization of 480V Buses 13D and 13E (23D and 23E), emergency boration or manually driving control rods) do not constitute a successful manual trip (ref. 4).

A reactor trip resulting from actuation of the ATWS Mitigation System Actuation Circuitry (AMSAC) logic that results in full insertion of control rods and diminishing neutron flux is considered a successful reactor trip. AMSAC automatically initiates auxiliary feedwater and a turbine trip under conditions indicative of an Anticipated Transient Without Scram (ATWS) event (ref. 5).

Escalation of this event to a Site Area Emergency would be under EAL SS6.1 or SM/SEC/ED judgment.

If the failure to shut down the reactor is prolonged enough to cause a challenge to the core cooling or RCS heat removal safety functions, the emergency classification level will escalate to a Site Area Emergency via IC SS6. Depending upon plant responses and symptoms, escalation is also possible via IC FS1.

Background

This IC addresses a failure of the RTS to initiate or compl~te an automatic or manual reactor trip that results in a reactor shutdown, and subsequent operator manual actions taken at the reactor control consoles to shut down the reactor are also unsuccessful. This condition represents an actual or potential substantial degradation of the level of safety of the plant. An emergency declaration is required even if the reactor is subsequently shutdown by an action

. taken away from the reactor control consoles since this event entails a significant failure of the RTS.

A manual action at the reactor control console is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip).\_ This action does not include manually driving in control rods or implementation of boron injection strategies. If this action(s) is unsuccessful, operators would immediately pursue additional manual actions at locations away from the reactor control console (e.g., locally opening breakers). Actions taken at back panels or other locations within the control room, or any location outside the control room, are not considered to be "at the reactor control console".

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. Absent the plant conditions needed to meet either IC SS6 or FS1, an Alert declaration is appropriate for this event.

It is recognized that plant responses or symptoms may also require an Alert declaration in accordance with the Recognition Category F ICs; however, this IC and EAL are included to ensure a timely emergency declaration.

A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria.

I [Document No.] Rev. [X] Page 222 of 3081

ATTACHMENT 1 EAL Bases DCPP Basis Reference(s):

1. DCPP Technical Specifications section 3.3.1 Reactor Trip System (RTS) Instrumentation 1

2. EOP E-0 Reactor Trip or Safety Injection

3. EOP F-0 Critical Safety Function Status Trees Attachment 1, "F-0.1 Subcriticality

4. EOP FR-S.1 Response to Nuclear Power Generation/AlWS

5. UFSAR Section 7.6.2.3 AlWS Mitigation Actuation Circuitry (AMSAC)

6. NEI 99-01 SA5 I [Document No.] Rev. [X] . Page 223 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 2 - RTS Failure Initiating Condition: Inability to shut down the reactor causing a challenge to core cooling or RCS heat removal.

EAL:

SS6.1 Site Area Emergency An automatic or manual trip fails to shut down the reactor.

AND All actions to shut down the reactor are not successful AND EITHER:

CSFST Core Cooling RED path conditions met.

CSFST Heat Sink RED path conditions met.

AND Heat sink is required Note 11: In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using this EAL threshold is not warranted.

Mode Applicability:

1 - Power Operation Definition(s):

SAFETY SYSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

I [Document No.] Rev. [X] Page 224 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This EAL addresses the following:

Any automatic reactor trip signal followed by a manual trip that fails to shut down the reactor to an extent the reactor is producing energy in excess of the heat load for which the SAFETY SYSTEMS were designed (EAL SA6.1 ), and

Indications that either core cooling is extremely challenged or heat removal is extremely challenged.

Reactor shutdown achieved by use of other trip actions specified in FR-S.1 "Response to Nuclear Power Generation/ATWS" (such as local deenergization of 480V Buses 13D and 13E (23D and 23E), emergency boration or manually driving control rods) are also credited as a successful manual trip provided reactor power can be reduced below 5% before indications of an extreme challenge to either core cooling or heat removal exist (ref. 1, 4).

Indication of continuing core cooling degradation is manifested by CSFST Core Cooling RED path conditions being met (ref. 2).

Indication of inability to adequately remove heat from the RCS is manifested by CSFST Heat Sink RED path conditions being met in combination when heat sink is required (ref. 3).

Heat Sink RED path conditions exist if:

f.11 SG narrow range levels less are than 15%, AND

Less than 435 total AFW available to feed the SGs Escalation of the emergency classification level would be via IC RG1 or FG1.

(continued)

I [Document No.] Rev. [X] Page 225 of 3081

ATTACHMENT1 EAL Bases

Background

The combination of failure of both front line and backup protection systems to function in response to a plant transient, along with the continued production of heat, poses a direct threat to the Fuel Clad and RCS barriers.

On the power range scale 5% rated power is a minimum reading on the power range scale that indicates continued power production. It also approximates the decay heat which the shutdown systems were designed to remove and is indicative of a condition requiring immediate response to prevent subsequent core damage. Below 5%, plant response will be similar to that observed during a normal shutdown. Nuclear instrumentation can be used to-determine if reactor power is greater than 5 % power (ref. 1, 4).

This IC addresses a failure of the RTS to initiate or complete an automatic or manual reactor trip that res.ults in a reactor shutdown, all subsequent operator actions to manually shut down the reactor are unsuccessful, and continued power generation is challenging the capability to adequately.remove heat from the core and/or the RCS. This condition will lead to fuel damage if additional mitigation actions are unsuccessful and thus warrants the declaration of a Site Area Emergency.

In some instances, the emergency classification resulting from this IC/EAL may be higher than that resulting from an assessment of the plant responses and symptoms against the Recognition Category F ICs/EALs. This is appropriate in that the Recognition Category F ICs/EALs do not address the additional threat posed by a failure to shut down the reactor. The inclusion of this IC and EAL ensures the timely declaration of a Site Area Emergency in response to prolonged failure to shut down the reactor.

A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria.

DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees._ Attachment 1, "F-0.1 Subcriticality"

2. EOP F-0 Critical Safety Function Status Tress -Attachment 2, "F-0.2 Core Cooling"

3. EOP F-0 Critical Safety Function Status Tress - Attachment 3, "F-0.3 Heat Sink"

4. EOP FR-S.1 Response to Nuclear Power Generation/ATWS

5. NEI 99-01 SS5 I [Document No.] Rev. [X] Page 226 of 3081

ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 7 - Loss of Communications Initiating Condition: Loss of all onsite or offsite communications capabilities.

EAL:

SU7.1 Unusual Event Loss of all Table S-4 onsite communication methods.

OR Loss of all Table S-4 offsite communication methods.

OR \

Loss of all Table S-4 NRG communication methods.

Table S-4 Communication Methods I

System Onsite Offsite NRC DCPP Radio System x DCPP Telephone System (PBX) x x x Public Address System x NRG FTS x Satellite phones x x x Direct line (ATL) to the County and State OES x Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None J [Document No.] Rev. [X] Page 227 of 308 J

ATTACHMENT 1 l_ EAL Bases Basis:

ERO Decision Making Information Onsite, offsite and NRC communications include one or more of the systems listed in Table S-4 (ref. 1, 2, 3). '

This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this even~ warrants prompt notifications to OFFSITE RESPONSE ORGANIZATIONs (OROs) and the NRC.

This IC should be assessed only when extraordinary means are being utilized to make communications possible (e.g., use of non-plant, privately owned equipment, relaying of on-site information via individuals or multiple radio transmission points, individuals being sent to offsite locations, etc.).

For. the onsite DCPP Radio System to be considered lost, communications from C,antrol Room.

(or HSDP if it in control) to field personnel (i.e. operators, maintenance personnel, etc.) is lost.

NOTE: The plant radio system is not considered for Offsite Communication methods since it does not connect to the State OES, which is part of the OR Os.

Loss of the Security radio system should be evaluated by the Watch Commander in accordance with Security procedures. In this case refer to Security related EALs.Background The first EAL condition addresses a total loss of the communications methods used in support of routine plant operations.

The second EAL condition addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the State and county EOCs.

The third EAL condition addresses a total loss of the communications methods used to notify the NRC of an emergency declaration.

This EAL is the hot condition equivalent of the cold condition EAL CU5.1.

DCPP Basis Reference(s):

1. UFSAR, Section 9.5.2

2. Emergency Plan Section 7.2 Communications Equipment

3. AR PK15-23, Communications

4. NEI 99-01 SU6 I [Document No.] Rev. [X] Page 228 of 3081

l ATTACHMENT 1 EAL Bases Category: S - System Malfunction Subcategory: 8 - Containment Failure Initiating Condition: Failure to isolate containment or loss of containment pressure control.

EAL:

SU8.1 Unusual Event Any penetration is not isolated within 15 minutes of a VALID containment isolation signal.

(Note 1)

OR Containment pressure ;:::: 22 psig with < one full train of containment depressurization equipment operating per design for ;:::: 15 minutes. (Notes 1, 9)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 9: One Containment Spray pump and two CFCUs comprise one full train of depressurization equipment.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

VALID -An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the. indicator's operability, the condition's existence, or the report's accuracy is removed. Implicit in this definition is the need for timely assessment.

Basis:

ERO Decision Making Information This EAL addresses a failure of one or more containment penetrations to automatically isolate (close) when required by an actuation signal. It also addresses an event that results in high containment pressure with a concurrent failure of containment pressure control systems.

Absent challenges to another fission product barrier, either condition represents potential degradation of the level of safety of the plant.

For the first condition, the containment isolation signal (i.e. Phase A, Phase B, CVI, SI, Main Steam Isolation) is required as the result on an off-normal/accident condition (e.g., a safety injection or high containment pressure), regardless if the signal actuated or not; a failure resulting from testing or maintenance does not warrant classification. In order for a penetration to be considered isolated, a minimum of one valve in the flow path must be closed. The determination of containment and penetration status - isolated or not isolated - should be made in accordance with the appropriate criteria contained in the plant AOPs and EOPs. The 1

15-minute criterion is included to allow operators time to manually isolate the required penetrations, if possible.

The second condition addresses a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically I [Document No.] I Rev. [X] .

I Page 229 of 3081

ATTACHMENT 1 EAL Bases actuate, and less than one full train of equipment is capable of operating per design. The 15 minute criterion is included to allow operators time to manually start or restore equipment that may not have automatically started or actuated as required, if possible. The inability to start the required equipment indicates that containment heat removal/depressurization systems (e.g., containment sprays) are either lost or performing in a degraded manner.

This event would escalate to a Site Area Emergency in accordance with IC FS1 if there were a concurrent loss or potential loss of either the Fuel Clad or RCS fission product barriers.

Background

The Containment Spray System consists of two separate trains of equal capacity, each capable of meeting the design bases requirement. Each train includes a containment spray pump, spray headers, nozzles, valves, and piping. The Refueling Water Storage Tank (RWST) supplies borated water to the Containment Spray System during the injection phase of operation. In the recirculation 'mode of operation, Containment Spray, if needed, is transferred to the RHR Pumps and the Containment Spray Pumps are shut down(ref. 5).

The Containment Cooling System consists of two trains of Containment cooling, each of sufficient capacity to supply 100% of the design cooling requirement. Each train-, consisting of two Containment Fan Cooling Units (CFCU), is supplied with cooling water from a separate loop of Component Cooling Water (CCW). In post accident operation following an actuation signal, the Containment Cooling System fans are designed to start automatically if not already running (ref.5).

The Containment pressure setpoint (22 psig, ref. 1, 2, 3, 4) is the pressure at which the equipment should actuate and begin performing its function. The design basis accident analyses and evaluations assume the loss of one Containment Spray System train and one Containment Cooling System train (ref. 5). Consistent with the design requirement, "one full train of depressurization equipment" is therefore defined to be the availability of one train of each system. If less than this equipment is operating and Containment pressure is above the actuation setpoint, the threshold is met if the required equipment cannot be started within 15 minutes.

DCPP Basis Reference(s):

1. AR PK01-18, Contmt Spray Actuation

2. EOP F-0 Critical Safety Function Status Trees - Attachment 6, "F-0.5 Containment"

3. EOP FR-Z.1 Response to High Containment Pressure

4. Technical Specifications Table 3.3.2-1

5. Technical Specifications B3.6.6 Containment Spray and Cooling Systems

6. NEI 99-01 SU7 I [Document No.] Rev. [X] Page 230 of 3081

l ATTACHMENT 1 EAL Bases Category: S - System Malfqnction Subcategory: 9 -. Hazardous Event Affecting Safety Systems Initiating Condition: Hazardous event affecting SAFETY SYSTEMS needed for the current operating mode.

EAL:

SA9.1 Alert The occurrence of any Table S-5 hazardous event.

AND:

Event damage has caused indications of degraded performance on one train of a SAFETY SYSTEM needed for the current operating mode.

AND EITHER:

Event damage has caused indications of degraded performance to a second train of the SAFETY SYSTEM needed for the current operating mode, or

Event damage has resulted in VISIBLE DAMAGE to the second train of a SAFETY SYSTEM needed for the. current operating mode.

(Notes 13, 14)

Note 13: If the affected SAFETY SYSTEM train was already inoperable or out of service before the hazardous event occurred, then this emergency classification is not warranted.

Note 14: If the event results in VISIBLE DAMAGE, with no indications of degraded performance to any SAFETY SYSTEM train, then this emergency classification is not warranted.

Table S-5 Hazardous Events

Seismic event (earthquake)

Internal or external FLOODING event

High winds or TORNADO strike

FIRE

EXPLOSION

Tsunami

Other events with similar hazard characteristics as determined by the SM/SEC/ED Mode Applicability:

I 1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown I [Document No.] Rev. [X] Page 231 of 3081

ATTACHMENT 1 EAL Bases Definition(s):

DEGRADED PERFORMANCE - As applied to hazardous event thresholds, event damage significant enough to cause concern regarding the operability or reliability of the affected-safety system train.

EXPLOSION -A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to determine if the attributes of an explosion are present.

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY $YSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite expo$ures.

TORNADO - A violently rotating column of air in contact with the ground and extending from the base of a thunderstorm.

VISIBLE DAMAGE - Damage to a SAFETY SYSTEM train that is readily observable without

measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected SAFETY SYSTEM train ..

I [Document No.] Rev. [X] Page 232 of 3081

ATTACHMENT 1 EAL Bases Basis:

ERO Decision Making Information This IC addresses a hazardous event that causes damage to SAFETY SYSTEMS needed for the current operating mode.

In order to provide the appropriate context for consideration of an ALERT classification, the hazardous event must have caused indications of degraded SAFETY SYSTEM performance in one train, and there must be either indications of performance issues with the second SAFETY ,_

SYSTEM train or VISIBLE DAMAGE to the second train such that the potential exists for this second SAFETY SYSTEM train to have performance issues. In other words, in order for this EAL to be classified, the hazardous event must occur, at least one SAFETY SYSTEM train must have indications of degraded performance, and the second SAFETY SYSTEM train must have indications of degraded performance or VISIBLE DAMAGE such that the potential exists for performance issues. Note that this second SAFETY SYSTEM train is from the same SAFETY SYSTEM that has indications of degraded performance for criteria 1.b.1 of this EAL; commercial nuclear power plants are designed to be able to support single system issues without compromising public health and safety from radiological events.

Indications of degraded performance addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

VISIBLE DAMAGE addresses damage to a SAFETY SYSTEM train that is not in service/operation and that potentially could *cause performance issues. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage. This VISIBLE DAMAGE should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

Escalation of the emergency classification level would be Via IC FS1 or RS1.

Background

None DCPP Basis Reference(s):

1. NEI 99-01 SA9 I [Document No.] Rev. [X] Page 23.3 of 3081

ATTACHMENT 1 EAL Bases Category F - Fission Product Barrier Degradation EAL Group: Hot Conditions (RCS temperature > 200°F); EALs in this category are applicable only in one or more hot operating modes.

EALs in this category represent threats to the defense in depth design concept that precludes the release of highly radioactive fission products to the environment. This concept relies on multiple physical barriers any one of which, if maintained intact, precludes the release of significant amounts of radioactive fission products to the environment. The primary fission product barriers are:

A. Fuel Clad (FC): The Fuel Clad Barrier consists of the cladding material that contains the fuel pellets.

B. Reactor Coolant System (RCS): The RCS Barrier includes the RCS primary side and its connections up to and including the pressurizer safety and relief valves, and other connections up to and including the primary isolation valves.

C. Containment (CMT): The Containment Barrier includes the containment building and connections up to and including the outermost containment isolation valves. This barrier also includes the main steam, feedwater, and blowdown line extensions outside the containment building up to and including the outermost secondary side containment isolation valve. Containment Barrier thresholds are used as criteria for escalation of the ECL from Alert to a Site Area Emergency or a General Emergency.

The EALs in this category require evaluation of the loss and potential loss thresholds listed in the fission product barrier matrix of Table F-1 (Attachment 2). "Loss" and "Potential Loss" signify the relative damage and threat of damage to the barrier. "Loss" means the barrier no longer assures containment of radioactive materials. "Potential Loss" means integrity of the barrier is threatened and could be lost if conditions continue to degrade. The number of ba~riers that are lost or potentially lost and the following criteria determine the appropriate emergency classification level:

Alert:

Any Joss or any potential loss of either Fuel Clad or RCS Site Area Emergency:

Loss or potential Joss of any two barriers General Emergency: ,

Loss of any two barriers and loss or potential Joss of third barrier (continued)

I [Document No.] Rev. [X]

I Page 234 of 3081

ATTACHMENT 1 EAL Bases The logic used for emergency classification based on fission product barrier monitoring should reflect the following considerations:

The Fuel Clad Barrier and the RCS Barrier are weighted more heavily than the Containment Barrier.

Unusual Event ICs associated with RCS and Fuel Clad Barriers are addressed under System Malfunction ICs.

For accident conditions involving a radiological release, evaluation of the fission product barrier thresholds will need to be performed in conjunction with dose assessments to ensure correct and timely escalation of the emergency classification. For example, an evaluation of the fission product barrier thresholds may result in a Site Area Emergency classification while a dose assessment may indicate that an EAL for General Emergency IC RG1 has been exceeded.

The fission product barrier thresholds specified within a scheme reflect plant-specific DCPP design and operating characteristics.

As used in this category, the term RCS LEAKAGE encompasses not just those types defined in Technical Specifications but also includes the loss of RCS mass to any location- inside the primary containment, an interfacing system, or outside of the primary containment. The release of liquid or steam mass from the RCS due to the as-designed/expected operation of a relief valve is not considered to be RCS LEAKAGE.

At the Site Area Emergency level, EAL users should maintain cognizance of how far present conditions are from meeting a threshold that would require a General Emergency declaration. For example, if the Fuel Clad and RCS fission product barriers were both lost, then there should be frequent assessments of containment radioactive inventory and integrity. Alternatively, if both the Fuel Clad and RCS fission product barriers were potentially lost, the SM/SEC/ED would have more assurance that there was no immediate need to escalate to a General Emergency.

I [Document No.] Rev. [X] Page 235 of 3081

ATTACHMENT 1 EAL Bases Category: Fission Product Barrier Degradation Subcategory: NIA Initiating Condition: Any loss or any potential loss of either Fuel Clad or RCS.

EAL:

FA1.1 Alert Any loss or any potential loss of either Fuel Clad or RCS. (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Fuel Clad, RCS and Containment comprise the fission product barriers. Table F-1 (Attachment

2) lists the fission product barrier thresholds, bases and references.

, At the Alert classification level, Fuel Clad and RCS barriers are weighted more heavily than the Containment barrier. Unlike the Containment barrier, loss or potential loss of either the Fuel Clad or RCS barrier may result in the relocation of radioactive materials or degradation of core cooling capability. Note that the loss or potential loss of Containment barrier in combination with loss or potential loss of either Fuel Clad or RCS barrier results in declaration of a Site Area Emergency under EAL FS1 .1 DCPP Basis Reference(s):

1. NEI 99-01 FA1 I [Document No.] Rev. [X] Page 236 of 3081

ATTACHMENT 1 EAL Bases Category: Fission Product Barrier Degradation Subcategory: N/A Initiating Condition: Loss or potential loss of any two barriers.

EAL:

FS1.1 Site Area Emergency Loss or potential loss of any two barriers. (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Fuel Clad, RCS and Containment comprise the fission product barriers. Table F-1 (Attachment

2) lists the fission product barrier thresholds, bases and references.

At the Site Area Emergency classification level, each barrier is weighted equally. A Site Area Emergency is therefore appropriate for any combination of the following conditions:

One barrier loss and a second barrier loss (i.e., loss - loss)

One barrier loss and a second barrier potential loss (i.e., loss - potential loss)

One barrier potential loss and a second barrier potential loss (i.e., potential loss -

potential loss)

At the Site Area Emergency classification level, the ability to dynamically assess the proximity of present conditions with respect to the threshold for a General Emergency is important. For example, the exist~nce of Fuel Clad and RCS Barrier loss thresholds in addition to offsite dose assessments would require continual assessments of radioactive inventory arid Containment integrity in anticipation of reaching a General Emergency classification. Alternatively, if both Fuel Clad and RCS potential loss thresholds existed, the SM/SEC/ED would have greater assurance that escalation to a General Emergency is less IMMINENT.

DCPP Basis Reference(s):

1. NEI 99-01 FS1 I [Document No.] Rev. [X] Page 237 of 3081

ATTACHMENT 1 EAL Bases Category: Fission .Product Barrier Degradation Subcategory: N/A Initiating Condition: Loss of any two barriers and loss or potential loss of third barrier.

EAL:

FG1.1 General Emergency Loss of any two barriers AND Loss or potential loss of third barrier. (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Fuel Clad, RCS and Containment comprise the fission product barriers. Table F-1 (Attachment

2) lists the fission product barrier thresholds, bases and references.

At the General Emergency classification level each barrier is weighted equally. A General Emergency is therefore appropriate for any combination of the following conditions:

Loss of Fuel Clad, RCS and Containment barriers

Loss of Fuel Clad and RCS barriers with potential loss of Containment barrier

Loss of RCS and Containment barriers with potential loss of Fuel Clad barrier

.Loss of Fuel Clad and Containment barriers with potential loss of RCS barrier DCPP Basis Reference(s):

1. NEI 99-01 FG1 J [Document No.] Rev. [X] Page 238 of 308 J

/

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Introduction Table F-1 lists the threshold conditions that define the Loss and Potential Loss of the three fission product barriers (Fuel Clad, Reactor Coolant System, and Containment). The table is structured so that each of the three barriers* occupies adjacent columns. Each fission product barrier column is further divided into two columns; one for Loss thresholds and one for Potential Loss thresholds.

The first column of the table (to the left of the Fuel Clad Loss column) lists the categories (types) of fission product barrier thresholds. The fission product barrier categories are:

A. RCS or SG Tube Leakage B. Inadequate Heat removal C. CMT Radiation I RCS Activity D. CMT Integrity or Bypass E. SM/SEC/ED Judgment Each category occupies a row in Table F-1 thus forming a matrix defined by the categories.

The intersection of each row with each Loss/Potential Loss column forms a cell in which one or more fission product barrier thresholds appear. If NEI 99-01 does not define a threshold for a barrier Loss/Potential Loss, the word "None" is entered in the cell.

Thresholds are assigned sequential numbers within each Loss and Potential Loss column beginning with number one. In this manner, a threshold can be identified by its category title and number. For example, the first Fuel Clad barrier Loss in Category A would be assigned "FC Loss A.1," the third Containment barrier Potential Loss in Category C would be assigned "CMT P-Loss C.3," etc.

If a cell in Table F-1 contains more than one numbered threshold, each of the numbered thresholds, if exceeded, signifies a Loss or Potential Loss of the barrier. It is not necessary to exceed all of the thresholds in a category before declaring a barrier Loss/Potential Loss.

Subdivision of Table F-1 by category facilitates association of plant conditions to the applicable fission product barrier Loss and Potential Loss thresholds. This structure promotes a systematic approach to assessing the classification status of the fission product barriers.

When equipped with knowledge of plant conditions related to the fission product barriers, the EAL-user first scans down the category column of Table F-1, locates the likely category and then reads across the fission product barrier Loss and Potential Loss thresholds in that category to determine if a threshold. has been exceeded. If a threshold has not been exceeded, the EAL-user proceeds to the next likely category and continues review of the thresholds in the new category If the EAL-user determines that any threshold has been exceeded, by definition, the barrier is lost or potentially lost - even if multiple thresholds in the same barrier column are exceeded, only that one barrier is lost or potentially lost. The EAL-user must examine each of the three fission product barriers to determine if other barrier thresholds in the category are lost or potentially lost. For example, if containment radiation is sufficiently high, a Loss of the Fuel Clad and RCS barriers and a Potential Loss of the Containment barrier can occur. Barrier I [Document No.] Rev. [X] Page 239 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Losses and Potential Losses are then applied to the algorithms given in EALs FG1 .1, FS1 .1, and FA 1.1 to determine the appropriate emergency classification.

In the remainder of this Attachment, the Fuel Clad barrier threshold bases appear first, followed by the RCS barrier and finally the Containment barrier threshold bases. In each barrier, the bases are given according category Loss followed by category Potential Loss beginning with Category A, then B, ... , E.

I [Document No.] Rev. [X] Page 240 of 308' I

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Table F-1 Fission Product Barrier Threshold Matrix Fuel Clad (FC) Barrier Reactor Coolant System (RCS) Barrier Containment (CMT) Barrier Category Loss Potential Loss Loss Potential Loss Loss Potential Loss

1. With letdown isolated, operation of a standby

1. An automatic or manual charging pump is required A ECCS (SI) actuation required by EITHER:

by EITHER:

1. A leaking or RUPTURED SG RCS or None None

UNISOLABLE RCS is FAULTED outside of None

UNISOLABLE RCS LEAKAGE SG Tube containment LEAKAGE \

Leakage

SG tube leakage

SG tube RUPTURE

2. CSFST RCS Integrity-RED path conditions met

1. CSFST Core Cooling-MAGENTA path conditions 1. CSFST Core Cooling-RED met 1. CSFST Heat Sink-RED path B conditions met path conditions met

1. CSFST Core Cooling- 2. CSFST Heat Sink-RED path AND Inadequate conditions met None AND None RED path conditions met Restoration procedures not Heat Heat sink is required Removal AND effective within 15 minutes (Note 11)

Heat sink is required (Note 1)

(Note 11) c 1. Containment radiation (RM-30 or RM-31) > 300 R/hr CMT 1. Containment radiation 1. Containment radiation None None None Radiation 2. Dose equivalent 1-131 (RM-30 or RM-31) > 5 R/hr (RM-30 or RM-31) > 5,000 R/hr

/RCS coolant activity> 300 Activity µCi/gm """

1. Containment isolation is required AND EITHER: 1. CSFST Containment-RED path

Containment integrity conditions met(" 47 psig) has been lost based on 2. Containment hydrogen D SM/SEC/ED concentration "4%

CMT None None None None determination 3. Containment pressure" 22 Integrity

UNISOLABLE pathway from psig with < one full train of or Bypass Containment to the depressurization equipment environment exists operating per design for

-- 2. Indications of RCS ;;, 15 minutes (Note 1, 9)

LEAKAGE outside of Containment E 1. Any condition in the opinion 1. Any condition in the opinion 1. Any condition in the opinion 1. Any condition in the opinion 1. Any condition in the opinion 1. Any condition in the opinion of the SM/SEC/ED that of the SM/SEC/ED that of the SM/SEC/ED that of the SM/SEC/ED that of the SM/SEC/ED that of the SM/SEC/ED that SM/SEC indicates loss of the fuel indicates potential loss of indicates loss of the RCS indicates potential loss of the indicates loss of the indicates potential loss of the

/ED clad barrier the fuel clad barrier barrier RCS barrier containment barrier containment barrier '

Judgment

[Document No.] Rev. [X] Page 241 of 308

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: A. RCS or SG Tube Leakage Degradation Threat: Loss Threshold:

None I [Document ,No.] Rev. [X] Page 242 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

None I [Document No.] Rev. [X] Page 243 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: B. Inadequate Heat Removal Degradation Threat: Loss Threshold:

1. CSFS! Core Cooling-RED path conditions met.

Definition(s):

None Basis:

ERO Decision Making Information Core Cooling RED path conditions exist if either (ref. 1, 2):

Core exit TCs are reading greater than or equal to 1200°F, or

Core exit TCs are reading greater than or equal to 700°F with RCS subcooling less than or equal to 20°F and RVLIS full range indication is less than or equal 32% with no RCPs running

Background

Critical Safety Function Status Tree (CSFST) Core Cooling-RED path indicates significant core exit superheating and core uncovery. The CSFSTs are normally monitored using the dedicated SPDS display system. Some of the data is also available on the PPG, but the PPG is for information only (ref. 1, 2).

This reading indicates temperatures within the core are sufficient to cause significant superheating of reactor coolant.

DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees Attachment 2, "F-0.2 Core Cooling"

2. EOP FR-C.1 Response to Inadequate Core Cooling

3. NEI 99-01 Inadequate Heat Removal Fuel Clad Loss 2.A I [Document No.] Rev. [X] Page 244 of 3081

ATTACHMENT 2 Fission P'roduct Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

1. CSFST Core Cooling-MAGENTA path conditions met.

Definition(s):

None Basis:

ERO Decision Making Information Core Cooling MAGENTA path conditions exist if core exit subcooling margin is less than 20°F and any of the following (ref. 2, 3):

RVLIS full range less than or equal to 32% with no RCPs running and less than 700°F, or

Core exit TCs reading greater than or equal to 700°F with no RCPs running with greater than 32% RVLIS full range, or

, RVLIS dynamic' range level less than or equal to the specified dynamic head value with one or more RCPs running, Table F-2 Table F-2 RVLIS Values I I RVLIS No. RCPs Level Full Range None 32%

4' 44%

3 30%

Dynamic Head 2 20%

1 14%

Background

Critical Safety Function Status Tree (CSFST) Core Cooling-MAGENTA path indicates subcooling has been lost and that some fuel clad damage may potentially occur. The CSFSTs are normally monitored using the dedicated SPDS display system. Some of the data is also available on the PPG, but the PPG is for information only (ref. 1).

This reading indicates a reduction in reactor vessel water level sufficient to allow the onset of heat-induced cladding damage.

I [Document No.] Rev. [X] Page 245 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases I

DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees Attachment 2, "F-0.2 Core Cooling"

' 2. EOP FR-C.1 Response to Inadequate Core Cooling

3. EOP FR-C.2 Response to Degraded Core Cooling

4. NEI 99-01 Inadequate Heat Removal Fuel Clad, Loss 2.A I [Document No.] Rev. [X] Page 246 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

2. CSFST Heat Sink-RED path conditions met.

AND Heat sink is required Note 11: In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capapility of the steam generators; during these conditions, classification using this EAL threshold is not warranted.

Definition(s):

None Basis:

ERO Decision Making Information Heat Sink RED path conditions exist if:

All SG narrow range levels less are than 15%, AND

Less than 435 gpm total AFW available to feed the SGs In combination with RCS Potential Loss B.1, meeting this threshold results in a Site Area Emergency.

Background

This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the Fuel Clad Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted.

The CSFSTs are normally monitored using the dedicated SPDS display system. Some of the data is also available on the PPG, but the PPG is for information only (ref. 1).

DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees Attachment 3, "F-0.3 Heat Sink"

2. EOP FR-H.1 Response to Loss of Secondary Heat Sink

3. NEI 99-01 Inadequate Heat Removal Fuel Clad Loss 2.B I [Document No.] Rev. [X] Page 247 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: C. GMT Radiation I RCS Activity Degradation Threat: Loss Threshold:

1. Containment radiation (RM-30 or RM-31) > 300 R/hr.

Definition(s):

None Basis:

ERO Decision Making Information Containment radiation monitor readings greater than 300 R/hr (ref. 1) indicate the release of reactor coolant, with elevated activity indicative of fuel damage, into the Containment. This value is higher than that specified for RCS barrier Los9 C.1.

The radiation monitor reading in this threshold is higher than that specified for RCS Barrier Loss threshold C.1 since it indicates a loss of both the Fuel Clad Barrier and the RCS Barrier.

Note that a combination of the two monitor readings appropriately escalates the EGL to a Site Area Emergency.

Background

Monitors used for this fission product barrier loss threshold are the Contftinment High Range Radiation Monitors RM-30 and RM-31. These monitors provide indication in the Control Room on PAM 2 with a range of 1R/hr to 1E7 R/hr (ref. 1).

The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals 300 µCi/gm dose equivalent 1-131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximately 1.8% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier.

DCPP Basis Reference(s):'

1. EP-CALC-DCPP-1602 Containment Radiation EAL Threshold Values

2. NEI 99-01 GMT Radiation I RCS Activity Fuel Clad Loss 3.A I [Document No.] Rev. [X] Page 248 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: C. CMT Radiation I RCS Activity Degradation Threat: Loss Threshold:

2. Dose equivalent 1-131 coolant activity> 300 µCi/cc.

Definition(s):

None Basis:

ERO Decision Making Information This threshold indicates that RCS radioactivity concentration is greater than 300 µCi/gm dose

. equivalent 1-131. Reactor coolant activity above this level is greater than that expected for iodin*e spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier.

This cor:1dition can be identified by either:

RCS sample analysis.

EP RB-14A indications> 15 R/hr (ref. 1, 2)

There is no Potential Loss threshold associated with RCS Activity I Containment Radiation.

Background

None DCPP Basis Reference(s):

1. EP RB-14A Initial Detection of Fuel Cladding Damage

2. SPG-11 Obtain.ing the EP RB-14A Dose Rate

3. NEI 99-01 CMT Radiation I RCS Activity Fuel Clad Loss 3.B I [Document No.] Rev. [X] Page 249 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: C. GMT Radiation I RCS Activity Degradation Threat: Potential Loss Threshold:

None I [Document No.] Rev. [X] Page 250 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: D. CMT Integrity or Bypass Degradation Threat: Loss Threshold:

I None j [Document No.] Rev. [X] Page 251 of 308 j

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: D. GMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

I None I [Document No.] Rev. [Xl Page 252 of 3081

ATIACHMENT2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: E. SM/SEC/ED Judgment Degradation Threat: Loss Threshold:

1. Any condition in the opinion of the SM/SEC/ED that indicates loss of the Fuel Clad barrier.

Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures., systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result .

in potential offsite exposures.

Basis:

ERO Decision Making Information The SM/SEC/ED judgment threshold addresses any other factors relevant to determining if the Fuel Clad barrier is lost. Such a determination should include IMMINENT barrier degradation and dominant accident sequences.

IMMINENT barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current SAFETY SYSTEM performance.

The term "IMMINENT" refers to recognition of the inability to reach safety acceptance criteria before completion of all checks.

Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The SM/SEC/ED should be mindful of the Loss of AC power (Station Blackout) and A TWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that are to be used by the SM/SEC/ED in determining whether the Fuel Clad barrier is lost I [Document No.] .I Rev. [X] Page 253 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases

Background

None DCPP Basis Reference{s):

1. NEI 99-01 Emergency Director Judgment Fuel Clad Loss 6.A I [Document No.] Rev. [X] Page 254 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: E. SM/SEC/ED Judgment Degradation Threat: Potential Loss Threshold:

(

1. Any condition in the opinion of the SM/SEC/ED that indicates potential loss of the Fuel Clad barrier.

Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in, 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

( 1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information The SM/SEC/ED judgment threshold addresses any other factors relevant to determining if the Fuel Clad barrier is potentially lost. Such a determination should include IMMINENT barrier degradation, barrier monitoring capability and dominant accident sequences.

IMMINENT barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current SAFETY SYSTEM performance.

The term "IMMINENT" refers to recognition of the inability to reach safety acceptance criteria before compl~tion of all checks.

Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The SM/SEC/ED should be mindful of the Loss of AC power (Station Blackout) and A TWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that are to be used by the SM/SEC/ED in determining whether the Fuel Clad barrier is potentially lost. The SM/SEC/ED should also I [Document No.] , Rev. [X] Page 255 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential -Loss Matrix and Bases consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored. *

Background

None DCPP Basis Reference(s):

1. NEI 99-01 Emergency Director Judgment Potential Fuel Clad Loss 6.A I [Document No.] Rev. [X] Page 256 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: A. RCS or SG Tube Leakage Degradation Threat: Loss Threshold:

1. An automatic or manual ECCS (SI) actuation required by EITHER:

UNISOLABLE RCS LEAKAGE.

SG tube RUPTURE.

Definition(s):

FAUL TED - The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized.

RCS LEAKAGE - RCS leakage shall be:

a. Identified Leakage 1

1. Leakage, such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured and conducted to collection systems or a sump or collecting tank;

2. Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage;

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage '

All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage Leakage (except primary to secondary leakage) through a non-isolable fault in an RCS component body, pipe wall, or vessel wall.

g. RCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that directly see RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the shutdown cooling mode).

I [Document No.] Rev. [X] Page 257 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potentiaj Loss Matrix and Bases RUPTURED - The condition of a steam generator in which primary-to-secondary leakage is of sufficient magnitude to require a safety injection.

UN/SOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed dt1e to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

Basis:

ERO Decision Making Information A steam generator with primary-to-secondary leakage of sufficient magnitude to require a safety injection is considered to be RUPTURED.

This threshold is based on an UNISOLABLE RCS leak of sufficient size to require an automatic or manual actuation of the Emergency Core Cooling System (ECCS). This condition clearly represents a loss of the RCS Barrier.

This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leak9ge. It is also applicable to UNISOLABLE RCS LEAKAGE through an interfacing syster:n. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment.

If a RUPTURED steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold 1.A will also be met.

Background

None DCPP Basis Reference(s):

1. NEI 99-01 RCS or SG Tube Leakage Reactor Coolant System Loss 1.A I [Document No.] Rev. [X] Page 258 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: A RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

1. With letdown isolated, operation of a standby charging pump is required by EITHER:

UNISOLABLE RCS LEAKAGE.

SG tube leakage.

Definition(s):

FAUL TED - The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized.

RCS LEAKAGE - RCS leakage shall be:

a. Identified Leakage j

1. Leakage, such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured, and conducted to collection systems or a sump or collecting tank; ~

2. Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage;

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage I

Leakage (except'primary to secondary leakage) through a non-isolable fault in an RCS component body, pipe wall, or vessel wall.*

h. RCS leakC;lge outside of the containment that is not considered identified or unidentified leakage 'per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that direC,tly see, RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the shutdown cooling mode).

UN/SOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed due to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

J [Document No.] Rev. [X] Page 259 of 308 J

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Basis:

ERO Decision Making Information The need to start an additional charging pump due to RCS LEAKAGE is an indication that the leak is in excess of charging pump capacity. This threshold is met when an additional charging pump is started per conditions outlined in procedures OP AP-1 or OP AP-3, wherein RCS LEAKAGE exceeds capacity of a single charging pump with letdown isolated (ref. 1, 2).

This threshold is based on an UNISOLABLE RCS leak that results in the inability to maintain pressurizer level within specified limits by operation of a normally used charging (makeup) pump, but an ECCS (SI) actuation has not occurred.

This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS LEAKAGE through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment.

If a leaking steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold 1.A will also be met.

Background

None DCPP Basis Reference(s):

1. OP AP-1 Excessive Reactor Coolant System Leakage

2. OP AP-3 Steam Generator Tube Failure

3. NEI 99-01 RCS or SG Tube Leakage Reactor Coolant System Potential Loss 1.A

(

I [Document No.] Rev. [X] Page 260 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

2. CSFST RCS Integrity-RED path conditions met.

Definition(s):

None Basis:

ERO Decision Making Information The "Potential Loss" threshold is defined by the CSFST Reactor Coolant Integrity (RCS) - RED path. CSFST RCS Integrity - RED Path plant conditions and associated PTS Limit Curve A indicates an extreme challenge to the safety function when plant parameters are to the left of the limit curve following excessive RCS cooldown under pressure (ref. 1, 2).

This condition indicates an extreme challenge to the integrity of the RCS pressure boundary due to pressurized thermal shock (PTS). PTS results from a transient that causes rapid RCS cooldown while the RCS is in Mode 3 or higher (i.e., hot and pressurized).

Background

None DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees' Attachment 4, "F-0.4 RCS Integrity"

2. EOP F-0 Critical Safety Function Status Trees Attachment 5,"Limit A Curve"

3. EOP FR-P.1 Response to Imminent Pressurized Thermal Shock Condition

4. NEI 99-01 RCS or SG Tube Leakage Reactor Coolant System Potential Loss 1.8 I [Document No.] . Rev. [X]

Page 261 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases I

Barrier: Reactor Coolant System Category: B. Inadequate Heat Removal Degradation Threat: Loss Threshold:

I None j [Document No.] Rev. [X], ; Page 262 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

1. CSFST Heat Sink-RED path conditions met.

AND Heat sink is required Note 11: In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these sonditions, classification using this EAL threshold is not warranted.

Definition(s):

None Basis:

ERO Decision Making Information Heat Sink RED path conditions exist if:

All SG narrow range levels less are than 15%, AND

Less than 435 gpm total AFW available to feed the SGs In combination with RCS Potential Loss B.1, meeting this threshold results in a Site Area Emergency.

Background

This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). !This condition represents ~ potential ~~ss of th~ RC~. Barrier. In a~cord~nce with EO~Ps, there may be unusual accident cond1t1ons during which operators intentionally reduc e the heat removal 1

capability of the steam generators; during these conditions, classificatipn using threshold is not warranted.

Meeting this threshold results in a Site Area Emergency because this threshold is identical to Fuel Clad Barrier Potential Loss threshold B.2; both will be met. This eondition warrants a Site Area Emergency declaration because inadequate RCS heat removal may result in fuel heat-up sufficient to damage the cladding and increase RCS pressure to the p~int where mass will be lost from the system.

The CSFSTs are normally monitored using the dedicated SPDS display system. Some of the data is also available on the PPG; but the PPG is for information only (ref. 1).

I [Document No.] I Rev. [X]

I : Page 263 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees Attachment 3, "F-0.3 Heat Sink"

2. EOP FR-H.1 Response to Loss of Secondary Heat Sink

3. NEI 99-01 Inadequate Heat Removal RCS Loss 2.B I [Document No.] Rev. [X] : Page 264 of 3081

ATTACHMENT 2

Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: C. GMT Radiation/ RCS Activity Degradation Threat: Loss Threshold:

1. Containment radiation (RM-30 or RM-31) > 5 R/hr.

Definition(s):

N/A Basis:

ERO Decision Making Information Containment radiation monitor readings greater than 40 R/hr (ref. 1) indicate the release of reactor coolant to the Containment.

This value is lower than that specified for Fuel Clad Barrier Loss threshold C.1 since it indicates a loss of the RCS Barrier only.

There is no Potential Loss threshold associated with RCS Activity I Containment Radiation.

Background

The readings assume the instantaneous release and dispersal of the reactor coolant noble gas and iodine inventory associated with normal coolant activity, with iodin:e spiking, discharged into containment (ref. 1).

Monitors used for this fission product barrier loss threshold are the Containment High Range Radiation Monitors RM-30 and RM-31. These monitors provide indication in the Control Room on PAM 2 with a range of 1R/hr to 1E7 R/hr (ref. 1). '

DCPP Basis Reference(s):

1. EP-CALC-DCPP-1602 Containment Radiation EAL Threshold Vall.1es

2. NEI 99-01 GMT Radiation I RCS Activity RCS Loss 3.A I [Document No.] Rev. [X] '. Page 265 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: B. CMT Radiation/ RCS Activity Degradation Threat: Potential Loss Threshold:

None I [Document No.] Rev. [X] Page 266 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: D. GMT Integrity or Bypass Degradation Threat: Loss Threshold:

' I j [Document No.] Rev. [X] : Page 267 of 308 j

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: D. GMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

I None I [Document No.] Rev. [X] : Page 268 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix a!'ld Bases*

Barrier: Reactor Coolant System Category: E. SM/SEC/ED Judgment Degradation Threat: Loss Threshold:

1. Any condition in the opinion of the SM/SEC/ED that indicates loss of the RCS barrier.

Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective adions.

SAFETY SYSTEM -A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These ~re typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to rerhain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a saf~ shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures. *

Basis:

ERO Decision Making Information The SM/SEC/ED judgment threshold addresses any other factors relevant to determining if the RCS barrier is lost. Such a determination should include IMMINENT barrier degradation and dominant accident sequences.

IMMINENT barrier degradation exists if the degradation will like,ly occur within relatively short period of time based on a projection of current SAFETY SYSTE;M performance.

The term "IMMINENT" refers to recognition of the inability to reach safety acceptance criteria before completion of all checks.

Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The SM/SEC/ED should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the SM/SEC/ED in determining whether the RCS Barrier is lost.

J [Document No.] ~ev. [X] '. Page 269 of 3os J

ATIACHMENT2 Fission Product Barrier Loss/Potential Loss Matrix and Bases

Background

None DCPP Basis Reference(s):

1. NEI 99-01 Emergency Director Judgment RCS Loss 6.A

.J I [Document No.] Rev. [X] ' Page 270 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: E. SM/SEC/ED Judgment Degradation Threat: Potential Loss Threshold:

1. Any condition in the opinion of the SM/SEC/ED that indicates potential loss of the RCS barrier.

Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EA'- will be met within a relatively short period of time regardless of mitigation or corrective actions.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition;

' I (3) The capability to prevent or mitigate the consequences of accid.ents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information The SM/SEC/ED judgment threshold addresses any other factors relevant to determining if the RCS barrier is potentially lost. Such a determination should include IM,MINENT barrier degradation, barrier monitoring capability and dominant accident sequ~nces.

IMMINENT barrier degradation exists if the degradation will like)y occur within relatively short period of time based on a projection of current SAFETY SYSTEM performance.

The term "IMMINENT" refers to recognition of the inability to reach safety acceptance criteria before completion of all checks. *

Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration _of offsite monitoring 1results.

Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The SM/SEC/ED should be mindful of the Loss of AC power (Station Blackout) and A TWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the SM/SEC/ED in determining whether the RCS Barrier is potentially lost. The SM/SEC/l;:D should also consider I [Document No.] I Rev. [X] : Page 271 of 3081

ATTACHMENT 2 Fission Prdduct Barrier Loss/Potential Loss Matrix and Bases whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored.

Background

\_1 None DCPP Basis Reference(s):

1. NEI 99-01 Emergency Director Judgment RCS Potential Loss 6.A J

I [Document No.] Rev. [X] : Page 272 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases I

Barrier: Containment Category: A. RCS or SG Tube Leakage Degradation Threat: Loss Threshold:

1. A leaking or RUPTURED SG is FAULTED outside of containment.

Definition(s):

FAUL TED - The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized.

1 RUPTURED - The condition of a steam generator in which primary-to-secondary leakage is of sufficient magnitude to require a safety injection.

Basis:

ERO Decision Making Information ,

I This threshold addresses a leaking or RUPTURED Steam Generator (SG) that is also FAULTED outside of containment. The condition of the SG, whether l~aking or RUPTURED, is determined in accordance with the thresholds for RCS Barrier Potential Loss A.1 and Loss A.1, respectively. This condition represents a bypass of the containment barrier.

This threshold also applies to prolonged steam releases necessitated by operational considerations such as the forced steaming of a leaking or RUPTURED steam generator directly to atmosphere to cooldown the plant, or to drive an auxiliary (~mergency) feed water pump. These types of conditions will result in a significant and sustairied release of radioactive steam to the environment (and are thus similar to a FAULTED condition). The inability to isolate the steam flow meets the intent of a loss of containment.

Steam releases associated with the expected operation of a SG power operated relief valve or safety relief valve do not meet the intent of this threshold. Such relea~es may occur intermittently for a short period of time following a reactor trip as opera~ors process through emergency operating procedures to bring the plant to a stable condition and prepare to initiate a plant cooldown. Steam releases associated with the unexpected op~ration of a valve (e.g., a stuck-open safety valve) do meet this threshold. '

Following an SG tube leak or rupture, there may be minor radiological releases through a secondary-side system component (e.g., air ejectors, gland seal exhausters, valve packing, etc.). These types of releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs.

The EC Ls resulting from primary-to-secondary leakage, with or without a steam release from the FAULTED SG, are summarized below.

I [Document No.] Rev. [X] , Page 273 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix a!ild Bases Affected SG is FAiliLTED I

Outside of Contain,ment?

Primary-to-Secondary Yes No Leak Rate Less than or equal to 25 gpm No classification No classification I

Greater than 25 gpm Unusual Event per SU5.1 Unusu~I Event per SU5.1 Requires operation of a standby ' '

Site Area Emergency per charging (makeup) pump (RCS A,lert per FA1 .1 FS1.1 Barrier Potential Loss)

Requires an automatic or manual Site Area Emergency per ECCS (SI) actuation (RCS Barrier Alert per FA1 .1 FS1.1 Loss)

I

Background

The FAULTED criterion establishes an appropriate lower bound on the size of a steam release that may require an emergency classification. Steam releases of this size are readily observable with normal Control Room indications. The lower bound for this aspect of the containment barrier is analogous to the lower bound criteria specified In IC SU4 for the fuel clad barrier (i.e., RCS activity values) and IC SUS for the RCS barrier b.e., RCS leak rate values).

FAULTED is a defined term withi.n the NEI 99-01 methodology; this determination is not necessarily dependent upon entry into, or diagnostic steps within, an EOP. For example, if the pressure in a steam generator is decreasing uncontrollably (part of the FAULTED definition) and the FAULTED steam generator isolation procedure is not entered because EOP user rules are dictating implementation of another procedure to address a higher: priority condition, the steam generator is still considered FAULTED for emergency classification purposes.

There is no Potential Loss threshold associated with RCS or $G Tube' Leakage.

DCPP Basis Reference(s):

1. NEI 99-01 RCS or SG Tube Leakage Containment Loss 1.A I [Document No.] Rev. [X] : Page 274 of 3081

', ,. *, ... , ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

. -*. ::*, ., [Document No.] Rev. [X] Page 275 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix *and Bases-. * * * * ** ..

Barrier: Containment Category: B. Inadequate Heat'Removal Degradation Threat: Loss Threshold:

(

I [Document No.] Rev. [X] Page 276 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

1. CSFST Core Cooling-RED path conditions met.

AND Restoration procedures not effective within 15 minutes. (Note 1)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

Basis:

ERO Decision Making Information The 15 minute clock starts upon entry into FR-C.1 Response to Inadequate Core Cooling (ref.2).

The restoration procedure is considered "effective" if core exit thermocouple readings are decreasing and/or if reactor vessel level is increasing. Whether or not the procedure(s) will be effective should be apparent within 15 minutes. The SM/SEC/ED should escalate the emergency classification level as soon as it is determined that the procedure(s) will not be effective.

Background

Critical Safety Function Status Tree (CSFST) Core Cooling-RED path indicates significant core exit superheating and core uncovery. The CSFSTs are normally monitored using the dedicated SPDS display system (ref. 1). Some of the data is also available on the PPG, but the PPG is for information only The function restoration procedures are those emergency operating procedures that address the recovery of the core cooling critical safety functions. The procedure is considered effective if the temperature is decreasing or if the vessel water level is increasing (ref. 1, 2).

1 A direct correlation to status trees can be made if the effectiveness of the restoration procedures is also evaluated. If core exit thermocouple (GET) readings are greater than 1,200°F, the Fuel Clad barrier is also lost (see Fuel Clad Loss B.1 ).

This condition represents an IMMINENT core melt sequence which, if not corrected, could lead to vessel failure and an increased potential for containment failure. For this condition to occur, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. If implementation of a procedure(s) to restore adequate core cooling is not effective (successful)

I [Document No.] Rev. [X] Page 277 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases within 15 minutes, it is assumed that the event trajectory will likely lead to core melting and a subsequent challenge of the Containment Barrier.

Severe accident analyses (e.g., NUREG-1150) have concluded that function restoration procedures can arrest core degradation in a significant fraction of core damage scenarios, and that the likelihood of containment failure is very small in these events. Given this, it is appropriate to provide 15 minutes beyond the required entry point to determine if procedural actions can reverse the core melt sequence.

DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees Attachment 2, "F-0.2 Core Cooling"

2. EOP FR-C.1 Response to Inadequate Core Cooling

3. NEI 99-01 Inadequate Heat Removal Containment Potential Loss 2.A I [Document No.] Rev. [X] Page 278 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: C. GMT Radiation/RCS Activity Degradation Threat: Loss Thresh<;>ld:

None I [Document No.] Rev~ [X] Page 279 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: C. GMT Radiation/RCS Activity Degradation Threat: Potential Loss Threshold:

1. Containment radiation (RM-30 or RM-31) > 5,000 R/hr.

Definition(s):

None Basis:

ERO Decision Making Information The readings are higher than that specified for Fuel Clad barrier Loss C.1 and RCS barrier Loss C.1. Containment radiation readings at or above the containment barrier Potential Loss threshold, therefore, signify a loss of two fission product barriers and Potential Loss of a third, indicating the need to upgrade the emergency classification to a General Emergency.

Background

Containment radiation monitor readings greater than 5,000 R/hr (ref. 1) indicate significant fuel damage well in excess of that required for loss of the RCS barrier and the Fuel Clad barrier (ref. 1).

Monitors used for this fission product barrier loss threshold are the Containment High Range Radiation Monitors RM-30 and RM-31. These monitors provide indication in the Control Room on PAM 2 with a range of 1R/hr. to 1E7 R/hr (ref. 1).

The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that 20% of the fuel cladding has failed. This level of fuel clad failure is well above that used to determine the associated Fuel Clad Barrier Loss and RCS Barrier Loss thresholds.

NUREG-1228, Source Estimations During Incident Response to Severe Nuclear Power Plant Accidents, indicates the fuel clad failure must be greater than approximately 20% in order for there to be a major release of radioactivity requiring offsite protective actions. For this condition to exist, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. It is therefore prudent to treat this condition as a potential loss of containment which would then escalate the EGL to a General Emergency.

DCPP Basis Reference(s):

1. EP-CALC-DCPP-1602 Containment Radiation EAL Threshold Values

2. NEI 99-01 GMT Radiation I RCS Activity Containment Potential Loss 3.A j [Document No.] Rev. [X] Page 280 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. GMT Integrity or Bypass Degradation Threat: Loss Threshold:

1. Containment isolation is required.

AND EITHER:

Containment integrity has been lost based on SM/SEC/ED determination.

UNISOLABLE pathway from containment fo the environment exists.

Definition(s):

FAUL TED - The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized.

UNISOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

NOTE: If an isolation valve could not be accessed due to local conditions (i.e. high radiation, temperature, etc.) then that would also make a leak unisolable, even though the inaccessible valve could isolate the leak.

Basis:

ERO Decision Making Information The status of the containment barrier during an event involving steam generator tube leakage is assessed using Loss Threshold A.1.

First Bullet- Containment integrity has been lost, i.e., the actual containment atmospheric leak rate likely exceeds that associated with allowable leakage (or sometimes referred to as design leakage).

Recognizing the inherent difficulties in determining a containment leak rate during accident conditions, it is expected that the SM/SEC/ED will assess this threshold using judgment, and with due consideration given to current plant conditions, and available operational and radiological data (e.g., containment pressure, readings on radiation monitors outside containment, operating status of containment pressure control equipment, etc.).

-Second Bullet- Conditions are such that there is an UNISOLABLE pathway for the migration of radioactive material from the containment atmosphere to the environment. As used here, the term "environment" includes the atmosphere of a room or area, outside the containment, that may, in turn, communicate with the outside-the-plant atmosphere (e.g., through discharge of a ventilation system or atmospheric leakage). Depending upon a variety of factors, this condition may or may not be accompanied by a noticeable drop in containment pressure.

The existence of a filter is not considered in the threshold assessment. Filters do not remove \__

fission product noble gases. In addition, a filter could become ineffective due to iodine and/or

/

I [Document No.] Rev. [X] Page 281 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases particulate loading beyond design limits (i.e., retention ability has been exceeded) or water saturation from steam/high humidity in the release stream.

Leakage between two interfacing liquid systems, by itself, does not meet this threshold.

Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable (design) containment leakage through various penetrations or system components. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs.

Background

These thresholds address a situation where containment isolation is required and one of two conditions exists as discussed below. Users are reminded that there may be accident and release conditions that simultaneously meet both bulleted thresholds.

Following the release of RCS mass into containment, containment pressure will fluctuate based on a variety of factors; a loss of containment integrity condition may (or may not) be accompanied by a noticeable drop in containment pressure.

Refer to the middle piping run of Figure 1 on the following page. Two simplified examples are provided. One is leakage from a penetration and the other is leakage from an in-service system valve. Depending upon radiation monitor locations and sensitivities, the leakage could be detected by any of the four monitors depicted in the figure.

Another example wbuld be a loss or potential loss of the RCS barrier, and the simultaneous occurrence of two FAULTED locations on a steam generator where one fault is located inside containment (e.g., on a steam or feedwater line) and the other outside of containment. In this case, the associated steam line provides a pathway for the containment atmosphere to escape to an area outside the containment.

Refer to the top piping run of Figure 1 on the following page. In this simplified example, the inboard and outboard isolation valves remained open after a containment isolation was required (i.e., containment isolation was not successful). There is now an UNISOLABLE pathway from the containment to the environment.

Refer to the bottom piping run of Figure 1 on the following page. In this simplified example, leakage in an RCP seal cooler is allowing radioactive material to enter the Auxiliary Building.

The radioactivity would be detected by the Process Monitor. If there is no leakage from the closed water cooling system to the Auxiliary Building, then no threshold has been met. If the pump developed a leak that allowed steam/water to enter the Auxiliary Building, then the second threshold would be met. Depending upon radiation monitor locations and sensitivities, this leakage could be detected by any of the four monitors depicted in the figure and cause the first threshold to be met as well.

Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable containment leakage through various penetrations or system components. Minor releases may also occur if a containment isolation valve(s) fails to close but the containment atmosphere escapes to an enclosed system. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs.

I [Document No.] Rev. [X] Page 282 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases DCPP Basis Reference(s):

1. NEI 99-01 GMT Integrity or Bypass Containment Loss 4.A I

I [Document No.] Rev. [X]

I Page 283 of 3081

ATTACHMENT 2 Fission Produqt Barrier Loss/Potential Loss Matrix and Bases Figure 1: Containment Integrity or Bypass Examples Auxiliary Building Inside CMT Damper Open valve Damper)f t ~

r- - - - - - - - - -1 I I

Process :

Monitor :4-~~~~~~~@:@~~-+

RCP Seal Cooling

[Document No.] Rev. [X] Page 284 of 308

ATIACHMENT2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CMT Integrity or Bypass Degradation Threat: Loss Threshold:

2. Indications of RCS LEAKAGE outside of containment.

Definition(s):

RCS LEAKAGE - RCS leakage shall be:

a. Identified Leakage

1. Leakage, such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leak off), that is captured and conducted to collection systems or a sump or collecting tank;

2. Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage;

3. Reactor Coolant System (RCS) leakage through a steam generator to the secondary system (primary to secondary leakage).

b. Unidentified Leakage All leakage (except RCP seal water injection or leak off) that is not identified leakage.

c. Pressure Boundary Leakage Leakage (except primary to secondary leakage) through a non-isolable fault in an RCS component body, pipe wall, or vessel wall.

d. RCS leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications includes leakage via interfacing systems such as RCS to the Component Cooling Water, or systems that directly see RCS pressure outside containment such as Chemical & Volume Control System, Nuclear Sampling System and Residual Heat Removal system (when in the shutdown cooling mode).

J [Document No.] Rev. [X] Page 285 of 308 J

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Basis:

ERO Decision Making Information The status of the containment barrier during an event involving steam generator tube leakage is assessed using Loss Threshold A.1.

To ensure proper escalation of the emergency classification, the RCS LEAKAGE outside of containment must be related to the mass loss that is causing the RCS Loss and/or Potential Loss threshold A.1 to be met.

ECA-1.2 LOCA Outside Containment (ref. 1) provides instructions to identify and isolate a LOCA outside of the containment. Potential RCS leak pathways outside containment include (ref. 1, 2):

Residual Heat Removal

Safety Injection

Chemical & Volume Control

RCP seals

PZR/RCS Loop sample lines Containment sump, temperature, pressure and/or radiation levels will increase if reactor coolant mass is leaking into the containment. If these parameters have not increased, then the reactor coolant mass may be leaking outside of containment (i.e., a containment bypass

sequence). Increases in sump, temperature, pressure, flow and/or radiation level readings outside of the containment may indicate that the RCS mass is being lost outside of containment. * -

Unexpected elevated readings and alarms on radiation monitors with detectors outside containment should be corroborated with other available indications to confirm that the source is a loss of RCS mass outside of containment. If the fuel clad barrier has not been lost, radiation monitor readings outside of containment may not increase significantly; however, other unexpected changes in sump levels, area temperatures or pressures, flow rates, etc.

should be sufficient to determine if RCS mass is being lost outside of the containment.

The ECLs resulting from primary leakage outside containment (without a Fuel Clad challenge) are summarized below.

RCS LEAKAGE Outside Containment ECL

< 25 gpm No ECL

25 gpm - Charging Pump capacity . SU5.1

Charging pump capacity Site Area Emergency based on

RCS Potential Loss A.1

+

Containment Loss D.2 I [Document No.] Rev. [X] Page 286 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases

Background

Refer to the middle piping run of Figure 1 on the following page. In this simplified example, a leak has occurred at a reducer on a pipe carrying reactor coolant in the Auxiliary Building.

Depending upon radiation monitor locations and sensitivities, the leakage could be detected by any of the four monitors depicted in the figure and cause threshold D.1 to be met as well.

DCPP Basis Reference(s):

1. EOP ECA-1.2 LOCA Outside Containment

2. EOP E-1 Loss of Reactor or Secondary Coolant

3. NEI 99-01 CMT Integrity or Bypass Containment Loss I [Document No.] Rev. [X] Page 287 of 3081

- - - - - - _ _ _J

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Figure 1: Containment Integrity or Bypass Examples

.... znd ..... .

. * '.- : Threshold- : -'. -'. *

I- - - - - - - - - - - -

- >:- Airborne -: <<<

'.- : release from :- * '. * *

<<* pathway -: .;

"° < ~ * *0 * ~ I L " I Auxiliary Building .

Inside GMT Damper RCP Seal Cooling I [Document No.] Rev. [X]

I Page 288 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. GMT Integrity or' Bypass Degradation Threat: Potential Loss Threshold:

1. CSFST Containment - RED path conditions met(~ 47 psig).

Definition.(s):

None Basis:

ERO Decision Making Information If containment pressure exceeds the design pressure, there exists a potential to lose the Containment Barrier. As noted in the WOG SAMG and related DCPP implementation documents, to reach this level, there must be an inadequate core cooling condition for an extended period of time; therefore, the RCS and Fuel Clad barriers would already be lost.

Thus, this threshold is a discriminator between a Site Area Emergency and General Emergency since there is now a potential to lose the third b~rrier. -

Background

Critical Safety Function Status Tree (CSFST) Containment-RED path is entered if containment pressure is greater than or equal to 47 psig and represents an extreme challenge to safety function. The CSFSTs are normally monitored using the dedicated SPDS display system.

Some of the data is also available on the PPG, but the PPG is for information only (ref. 1).

Forty-seven psig is the containment design pressure (ref. 1, 2) and is the pressure used to define CSFST Containment RED path conditions.

DCPP Basis Reference(s):

1. EOP F-0 Critical Safety Function Status Trees Attachment 6, "F-0.5 Containment"

2. FSAR Appendix 6.2D

3. NEI 99-01 GMT Integrity or Bypass Containment Potential Loss 4.A I [Document No.] Rev. [X] Page 289 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. GMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

2. Containment hydrogen concentration;::::: 4%.

Definition(s):

None Basis:

ERO Decision Making Information The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen burn (i.e., at the lower flammability limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a potential loss of the Containment Barrier.

Background

After a LOCA, the containment atmosphere is a homogeneous mixture of steam, air, solid and gaseous fission products, hydrogen, and water droplets. During and following a LOCA, the hydrogen concentration in the containment results from radiolytic decomposition of water and metal-water reaction. If hydrogen concentration exceeds the lower flammability limit (4%) in an oxygen rich environment, a potentially explosive mixture exists. Operation of the Containment Hydrogen Recombiner with containment hydrogen concentrations greater than 4% could result in ignition of the hydrogen. If the combustible mixture ignites inside containment, loss of the containment barrier could occur. To generate such levels of combustible gas, loss of the Fuel Clad and RCS barriers must also have occurred. Since this threshold is also indicative of loss of both Fuel Clad and RCS barriers with the Potential Loss of the containment barrier, it therefore will likely warrant declaration of a General Emergency (ref. 1, 2, 3).

Containment hydrogen concentration is indicated in the Control Room on ANR-82/ANR-83 PAM1, (range: 1 - 10%).

DCPP Basis Reference(s):

1. UFSAR Section 6.2.5 Combustible Gas Control In Containment

2. OP-H-9 INSIDE CONT H2 RECOMB SYSTEM

3. CA-3 Hydrogen Flammability in Gontainment

4. NEI 99-01 GMT Integrity or Bypass Containment Potential Loss 4.B I [Document No.] Rev. [X] Page 290 of 3081

ATIACHMENT2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

3. Containment pressure ~ 22 psig.

AND Less than one full train of containment depressurization equipment operating per design for~ 15 minutes. (Note 1, 9)

Note 1: The SM/SEC/ED should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 9: One Containment Spray pump and two CFCUs comprise one full train of depressurization equipment.

Definition(s):

None Basis:

ERO Decision Making Information This threshold describes a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate, and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start or restore equipment that may not have automatically started or actuated as required, if possible. This threshold represents a potential loss of containment in that containment heat removal/depressurization systems (e.g.,

containment sprays, etc., but not including containment venting strategies) are either lost or performing in a degraded manner.

Background

The Containment Spray System consists of two separate trains of equal capacity, each capable of meeting the design bases requirement. Each train *includes a containment spray pump, spray headers, nozzles, valves, and piping. The Refueling Wat~r Storage Tank (RWST) supplies borated water to the Containment Spray System during the injection phase of operation. In the recirculation mode of operation, Containment Spray, if needed, is transferred to the RHR Pumps and the Containment Spray Pumps are shut down (ref. 5).

The Containment Cooling System consists of two trains of Containment cooling, each of sufficient capacity to supply 100% of the design cooling requirement. Each train, consisting of two Containment Fan Cooling Units (CFCU), is supplied with cooling water from a separate loop of Component Cooling Water (CCW). In post accident operation following an actuation signal, the Containment Cooling System fans are designed to start automatically if not already running (ref.5).

I [Document No.] Rev. [X] Page 291 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases The Containment pressure setpoint (22 psig, ref. 1, 2, 3, 4) is the pressure at which the equipment should actuate and begin performing its function. The design basis accident analyses and evaluations assume the loss of one Containment Spray System train and one Containment Cooling System train (ref. 5). Consistent with the design requirement, "one full train of depressurization equipment" is therefore defined to be the availability of one train of each system: If less than this equipment is operating and Containment pressure is above the actuation setpoint, the threshold is met if the required equipment cannot be started within 15 minutes.

DCPP Basis Reference(s):

1. AR PK01-18, CONTMT SPRAY ACTUATION red

2. EOP F-0 Critical Safety Function Status Trees Attachment 6, "F-0.5 Containment"

3. EOP FR-Z.1 Response to High Containment Pressure

4. Technical Specifications Table 3.3.2-1

5. Technical Specifications B3.6.6 Containment Spray and Cooling Systems

6. NEI 99-01 GMT Integrity or Bypass Containment Potential Loss 4.C I [Document No.] Rev. [X] Page 292 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: E. SM/SEC/ED Judgment Degradation Threat: Loss Threshold:

1. Any condition in the opinion of the SM/SEC/ED that indicates loss of the containment barrier.

Definition(s):

IMMINENT - The trajecfory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite' exposures.

Basis:

ERO Decision Making Information The SM/SEC/ED judgment threshold addresses any other factors relevant to determining if the Primary Containment barrier is lost. Such a determination should include IMMINENT barrier degradation and dominant accident sequences.

IMMINENT barrier degradation E;!Xists if the degradation will likely occur within relatively short period of time based on a projection of current SAFETY SYSTEM performance.

The term "IMMINENT" refers to recognition of the inability to reach safety acceptance criteria before completion of all checks.

Dominant accident 'sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The SM/SEC/ED should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the SM/SEC/ED in determining whether the Containment Barrier is lost.

I [Document No.] Rev. [X] Page 293 of 3081

ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases

Background

None DCPP Basis Reference(s):

1. NEI 99-01 Emergency Director Judgment PC Loss 6.A J [Document No.] Rev. [X] Page 294 of 308 J

l ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment E. SM/SEC/ED Judgment Degradation Threat: Potential Loss Threshold:

1. Any condition in the opinion of the SM/SEC/ED that indicates potential loss of the containment barrier.

Definition(s):

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions ..

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or I .

placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10CFR50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

ERO Decision Making Information The SM/SEC/ED judgment threshold addresses any other factors relevant to determining if the Primary Containment barrier is potentially lost. Such a determination should include IMMINENT barrier degradation, barrier monitoring capability and dominant accident sequences.

IMMINENT barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current SAFETY SYSTEM performance.

The term "IMMINENT" refers to recognition of the inability to reach safety acceptance criteria before completion of all checks.

Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The SM/SEC/ED should be mindful of the Loss of AC power (Station Blackout) and A TWS EALs to assure timely emergency classification declarations.

I [Document No.] Rev. [X] Page 295 of 3081

ATIACHMENT2 Fission Product Barrier Loss/Potential Loss Matrix and Bases This threshold addresses any other factors that may be used by the SM/SEC/ED in determining whether the Containment Barrier is lost.

Background

None DCPP Basis Reference(s):

1. NEI 99-01 Emergency Director Judgment PC Potential Loss 6.A j [Document No.] Rev. [X] Page 296 of 308 j

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

Background

NEI 99-01 Revision 6 ICs AA3 and HAS prescribe declaration of an Alert based on IMPEDED access to rooms or areas (due to either area radiation levels or hazardous gas concentrations) where equipment necessary for normal plant operations, cooldown or shutdown is located.

These areas are intended to be plant operating mode dependent. Specifically the Developers Notes For AA3 and HAS states:

The "site-specific list of plant rooms or areas with entry-related mode applicability identified" should specify those rooms or areas that contain equipment which require a manual/local action as specified in operating procedures used for normal plant operation, coo/down and shutdown. Do not include rooms or areas in which actions of a contingent or emergency nature would be performed (e.g., an action to address an off-normal or emergency condition such as emergency repairs, corrective measures or emergency operations). In addition, the list should specify the plant mode(s) during which entry would be required for each room or area.

The list should not include rooms or areas for which entry is required solely to perform actions of an administrative or record keeping nature (e.g., normal rounds or routine inspections).

Further, as specified in IC HAS:

The list need not include the Control Room if adequate engineered safety/design features are in place to preclude a Control Room evacuation due to the release of a hazardous gas.

Such features may include, but are not limited to, capability to draw air from multiple air intakes at different and separate locations, inner and outer atmospheric boundaries, or the capability to acquire and maintain positive pressure within the Control Room envelope.

Analysis OP L-4, Normal Operation at Power (rev 89/73) was reviewed to determine if any actions are "necessary" to maintain power operations. Over reasonable periods of time (days vice months or years) there are no actions outside the Control Room that are required to be performed to maintain normal operations. Eventually, you would have to shut down if Technical Specification surveillance testing was not completed and you complied with the associated LCOs or based on consumable supplies being depleted. For the purpose of this

table, no actions were determined to be required.

The following table lists the locations into which an operator may be dispatched in order perform a normal plant cool down and shutdown. The review was completed using the following procedures as the controlling documents: ~

OP L-4, Normal Operation at Power (rev 89/73) -

Sections 6.3 (Instructions for Power Decreases from 100% to SO%)

.Section 6.4 (Instructions for Power Reduction From SO% to 20%)

OP L-S, Plant Cooldown From Minimum Load to Cold Shutdown (rev 100/83)

OP L-7, Plant Stabilization Following Reactor Trip (rev 24/22)

OP AP-2S, Rapid Load Reduction or Shutdown (rev 2S/12)

I [Document No.] Rev. [X] Page 297 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases In addition, the Residual Heat Removal System is aligned per OP B-2:V "RHR - Place, In Service" (rev 37/36) which was also used to conduct this review.

At DCPP, RCS Cooldown starts at OP L-5 step 6.2.3.m.

Each step in the controlling procedures wqs evaluated to determine if the action was performed in the Control Room or in the plant. Each in-plant action listed below was evaluated and a determination made whether or not the actions, if not performed, would prevent achieving cold shutdown. The following generic assumptions were applied:

Steps involving option~I degassing of the RCS were not selected since degassing the RCS is not required to reach cold shutdown.

Steps involving supplying Auxiliary Steam were not selected since AFW can be used to reach cold shutdown if Condenser vacuum is lost.

Steps involving Main Feed Water Pumps were not selected since AFW can be used to reach cold shutdown if Main Feed Water is not available.

Steps that are stated as needed when entering an outage are disregarded, as they are optional and not mandatory for placing plant in Cold Shutdown.

Travel paths to the locations where the equipment is operated are not part of the determination of affected room/area, only the rooms/areas where the equipment is actually operated. Most locations can be reached via alternate travel paths if required due to a localized issue.

No assumption is made about which RHR Train is aligned for operation.

The minimum set of in-plant actions, associated locations, and operating modes to shut down and cool down the reactor are highlighted. The locations where those actions are performed comprise the rooms/areas to be included in EAL Tables R-2 and H-2. Specifically, the identified rooms are those where an activity must be performed to borate to cold shutdown, isolate accumulators or cooldown using RHR.

UFSAR Page 6.4-1 states "The DCPP control room, located at elevation 140 feet of the auxiliary building, is common to Unit 1 and Unit 2. The associated habitability systems provide for access and occupancy of the control room during normal operating conditions, radiological emergencies, hazardous chemical emergencies, and fire emergencies."

UFSAR Page 6.4-9 states "There are no offsite or onsite hazardous chemicals that would pose a credible threat to DCPP control room habitability. Therefore, engineered controls for the control room are not required to ensure habitability against a hazardous chemical threat and no amount of assumed unfiltered in-leakage is incorporated into PG&E's hazardous chemical assessment."

Control room habitability relative to area radiation levels is adequately bounded by EAL RA2.3.

. , [Document No.] Rev. [X] Page 298 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

lfactio~~ nii>t , ,: *.

e*roce~lite and Builclingl * *pei:formeclidees this M.ede

step; ;Elevatiqn/Room prevent"cbel:dawnf ..

shut down?*

_- ' ~, ~- *.*

.*bPiL*71Ji:s~ctioii's~3:jri~truttforis;.ttjdg6\v~r,o'etre~*s'~strbrrt ~oo%:fo*5o'o;d ,** > :. "

\l *.. \(.'.: ..,, '

.:op\~a;?~eciion* s;t:i~~*~tuttio~s tdrh?w~r :~ed~cti~*~::Fro~*:so.%*:t~)~.6~o ' . .: ; , * . . . ' ;,. . **

OP L-4 Initiate RCS degassing as directed Aux/100/various 1 No 6.3.3.b.2 by chemistry PER OP B-1A:Vlll, "Reactor Coolant System Degassing During a Plant Shutdown" OR OP B 1A:X, "CVCS -

VCT Degassing."

OP L-4 IF either cylinder heating steam TB/104 1 No 6.3.3.1 I 6.3.4.e pressure controller is in "MANUAL,"

THEN direct Turbine Building Watch to maintain cylinder heating pressure during the ramp PER OP C-3A:I, "Sealing Steam System -

Place In Service."

OP L-4 As power decreases, direct Nuclear TB/119 1 No 6.3.3.n Operators to adjust SGBD flows PER OP D-2:V, "Steam Generator Slowdown System - Place in Service."

OP L-4 Direct operator in the field to open TB/85 1 No 6.3.3.r.6 I discharge vent to condenser valve 6.3.4.n.4 on condensate pump that was just shut down:

CND PP 1-1: CND-1-31

CND PP 1-2: CND-1-32

CND PP 1-3: CND-1-33 OP L-4 WHEN less than 60% power, AND Intake 1 No 6.3.3.s I 6.3.4.i IF desired, THEN shut down one of the two running Circulating Water Pumps PER OP E-4:111, "Circulating Water System Shutdown and Clearing."

OP L-4 IF shutdown of MFW pump i~ TB/85 1 No 6.3.3.t.4 I required, 6.3.4.h.4 THEN complete shutdown PER OP C-8:111, "Shutdown and Clearing of a Main Feed Water Pump."

OP L-4 IF condenser is to be cleared upon TB/104 1 No 6.3.4.j reaching MODE 3, THEN consider AB/100/Pen realigning TDAFWP steam traps PER appropriate steps in OP L-5, "Plant Cooldown from Minimum Load to Cold Shutdown," section for "Secondary Plant Shutdown."

I [Document No.] Rev. [X] Page 299 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

.* . . ' / ... ,' ... *I * .*

y '<

?,: ' ' 'oc, '

.*: "'* lf*,!lctioh.*~ot *

i?rqc~Cltir:e an*~* ."Buildiflg"/ . . Mode p~rfor:m~d; does this Step $tepAction Eievation/Roem :Pr~vent cool downl

. '. '. ':. 1 /.' st\ ...t*dowr11

OP L-4 Direct Aux Watch to transfer aux AB/140 1 No

(?.3.4.k steam supply to U2 PER OP K-5:1V "Auxiliary Steam System - Change Over to Alternate Supply of Steam."

OP L-4 IF NOT already performed, THEN TB/85 1 No 6.3.4.1 swap the Hydrazine injection points

~to the alternate alignment (downstream of FCV-232) per OP D-2:11, "Main Feed Water Chemical Injection System - Place in Service."

OP L-4 IF unit is NOT being taken off line TB/104, 85 & 70 1 No 6.3.4.m.2.a for OP L-8, "Separating From the Grid While Maintaining Reactor Power Between 17% and 30%"),

THEN shut down No. 2 Heater Drip Pump PER OP C-7B:ll, "No. 2 Heater Drip Pump Shutdown and Clearing."

OP L-4 On the MFW pump in service, TB/85 1 No 6.3.4.t locally place the HP and LP Stop Valves Drain control switch to the "OPEN" position to open the before-seat drains.

c}p vs*sectio.ri 6.1.3: 'PbW~r't)~cteas~ frbrrt'20% tb l\n'e>DE 3 With Normar"ShutdoWn* . ,.

_Q_RL~5,~~ctie1J,A:1:4: p~werj)~~t~a~~,f~oni.9.q'.Yo**tp:_M(}D~:~with Pi~rn_edJ~.eactotTrip~: . ' .....'

OP L-5 IF Containment is to be entered, Pen/100 1 No 6.1.3.d.2 THEN Notify Chemistry to perform Containment air sampling.

OP L-5 Place AFW chemical injection in AB/100 1 No 6.1.3.m.13/ service PER OP D-2:1, "Auxiliary 6.1.4.t Feed Water Chemical Injection System - Place In Service."

OP L-5 IMPLEMENT Section 10 to open TB 1/2/3 See step by step 6.1.3.q FW-1-FCV-420 to prevent the FWH analysis of Section 10 outlet relief from lifting.

OP L-5 IMPLEMENT step 11.5 for TB 1/2/3 See step by step 6.1.3.s secondary shutdown. analysis of Section 11 OP L-5 Shut down both MFW pumps PER TB 2/3 No 6.1.3.w.8 I 6.1.4.u OP C-8:111, "Shutdown and Clearing of a Main Feed Water Pump."

OP L-5 IF desired, THEN shut down the Area H/100 No 6.1.3.y.5 I 6.1.4.w MG sets PER OP A-3:111, "Control Rod System - Shutdown &

Clearing."

I [Document No.] Rev. [X] Page 300 of 308 J

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

' 4 ' '."

i

If aG,tion not'

. . auildi~g/ . , ;**:Meoe

J>erformed, does thi$

* .i!ilev~tien~~apm * .*:: :*. . ." * ::*pre~~nt'coel*:~pwni * . *

--~ . - * *' . '~hut

.. ' down?. *

~.:

OP L-5 Initiate boration to the final AB 100/115/East 213 Yes - basis of location 6.1.3.aa I concentration for the mode to which End (BAST & BA is the ability to refill the 6.1.4.e.1 the plant is to be shut down PER Pumps), 85' (Aux BAST in order to have one of the following Control Board), 64' sufficient boric 'acid to

(Preferred) OP B-1A:XIX, "CVCS (BART Tank area) reach CSD

- Borate the RCS to Refueling concentreition. Cool Concentration" down below 500°F

(Alternate) OP B-1A:Vll, Section requires 11000 gallons 6.12', "Emergency Boration using of boric acid be added CVCS-1-8104" . (see step 6.2.3.d)

(Alternate) OP B-1A:Vll, Section 6.3, "Routine Boration" OP L-5 IF anticipated that the RCS will be AB/100 213 No 6.1.3.bb / 6.1.4.x opened and degassing of the RCS has not been started, THEN initiate degassing of the RCS to reduce H2

.concentration to 5 cc/kg or less

) '

PER OP B-1A:Vlll, "CVCS -

Reactor Coolant System Degassing During a Plant Shutdown."

OP L-5 Maintenance to perform STP M- Various 1/2/3 No 6.1.3.ee / 6.1.4.z 17B2, "Functional Test of Emergency DC Lighting System in Containment."

OP L-5 Ensure SGBD is maximized PER TB/119 1/2/3 No 6.1.3. gg I Chemistry direction and within the 6.1.4.bb ability to control RCS temperature.

~ettici~ s,2:: MQDE itb :r{~ady*:{or RHrlOperltioh : /* ..

QF{l*S

- * ~ * ,_ "- o. < - , ~ * ""*,;, - - *

A - "-* * <* * '* :

OP L-5 Place the personnel airlock AB/140 3 No 6.2.3. automatic leak rate monitor (ALRM) in manual PER STP M-8F1, "ALRM Leak Rate Testing of Personnel Air Lock Seals," to avoid nuisance alarms in the Control Room.

OP L-5 Borate the RCS to meet STP R-.19 AB 100/115/East 3/4 Yes - basis of location 6.2.3.e.2 COLD SHUTDOWN requirements. End (BAST & BA is the ability to refill the Pumps), 85' (Aux BAST in order to have Control Board), 64' sufficient boric acid to (BART Tank area) reach CSD concentration. (See Caution prior to step).

TS 3.1.1 OP L-5 Close the accumulator isolation Area H/100/480V 3/4 Yes - basis is that 6.2.3.s valve breakers Buses without closing

Sl-1-8808A: breaker 52-1 F-46 Accumulator outlet

Sl-1-8808B: breaker 52-1G-07 valves, RCS pressure

Sl-1-8808C: breaker52-1H-14 cannot go below -650 I [Document No.] Rev: [X]

, ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

. ;.;it actiori..hqt .'

pt()<.ecju'r~ anc;I * . . J3Uilding/ , .pen~rrnea, d()e~ thJs.

Ste,p.:A~tion ** .

-St¢P * * .< . ;'~

- :Elev:ation1Room prevr:;nt-cool downl *

.. .. . ': . ,:. .. .. .... .. . _*. sh~!rdow~? _ .. . ,

Sl-1-88080: breaker 52-1 G-05 psig (procedure does not address alternate actions)

TS 3.5.1 OP L-5 WHEN desired, THEN secure the Area H/100/480V 3/4 No 6.2.3.y CROM fans PER OP H-6:11, "CROM Buses Fans - Shutdown and Clearing."

OP L-5 Disable BOTH SI Pumps PER OP TB/119/4kV Vital 3/4 No - ECG 8.6 violation, 6.2.3.cc.1.b 0-32,"Control of Refueling Tags." Bus Rooms but does not prevent getting to CSD OP L-5 Disable ONE ECCS centrifugal TB/119/4kV Vital 3/4 No - ECG 8.6 violation,

6.2.3.cc.2.b charging

Bus Rooms but does not prevent pump PER OP 0-32, "Control of getting to CSD Refueling Tags."

of>t.-5 section s.3~. Pla"ing :R.HRiin Service t~ QSD~ ~ubble in,:PZR:

' .*: ~ ""' .*. ,_ * .~* ** '~*,, ';'.ii*.*~* '* . ~> .. ' , - '" ' -* .. --.' *~*-- . ,.*~... ' ,

OP L-5 Place RHR system in service PER 3/4 See step by step 6.3.3.b.4 OP B-2:V, "RHR-Place in Service analysis of OP B-2:V During Plant Cooldown."

OP L-5 Place tags on RHR suction valves Area H/100/480V 3/4 No ...:. This is only a tag 6.3.3.b.6 (RHR-1-8701 and RHR-1-8702) Buses hanging step. Actual breakers PER OP 0-32, "Control of breaker manipulation is Refueling Tags." in OP B-2:V steps 6.2.12 I 6.3.12 OP L-5 Perform the following actions for AB/73/CCP3 room 4 No - ECG 8.1 violation, 6.3.3.d.1 CCP 1-3: Establish fire watch but does not prevent compensatory actions per ECG 8.1. getting to CSD OP L-5 Perform the following actions for TB/119/4kV Vital 4 No - ECG 8.1 violation, 6.3.3.d.2 CCP 1-3: No more than one hour Bus Rooms but does not prevent prior to reducing ciny WR RCS getting to CSD TCOLD to 283°F, make CCP 1-3 incapable of injecting.

OP L-5 Hang the RCS Dilution Flow Path AB/100 4 No 6.3.3.h Boundary valve tags PER OP 0-32, "Control of Refueling Tags."

,~ *. - \ -:,,;"&}'.,<" <;;,;-,. -,x'. "." .*t'* . __ ,,_" ;_ ...t*.. ,:_ , -~-' . .'.~;:*~; ' . . *.

OP":L*'S Section 1o: co 0 densate>-*- System tong* R'ecirq ."

"'" -*:!" ** -- '" , * "'- ** " * *-*""- ,. *-*~-- - '-'*-*-* :c-.

10.2 Ensure CLOSED FW-1-383, FCV- TB/85 3/4 No 420 Downstream Isolation.

10.3 Ensure CLOSED FW-1-384, FCV- TB/85 3/4 No 420 Downstream Isolation Bypass 10.4.1 Open FW-1-210, FW-1-211 TB/85 3/4 No Bypass.

10.4.2 Open FW-1-211 TB/85 3/4 No 10.4.3 Close FW-1-210 TB/85 3/4 No I [Document No.] Rev. [X] Page 302 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

m~ action*nat .

Procedure and *,_peifdr~~d, do~~ this

.,.. step .. *. *)prevent :cpol *down": *

~ .

shufdowr:i?

10.6 Ensure a minimum of four polisher TB/85 3/4 No vessels in service until long recirc is established.

10.8.2 IF the temperature interlock is NOT TB/85 . 3/4 No made up, THEN contact Maintenance to open FW-1-FCV-420 by installing an air jumper with

a 50 psig air supply connected to the vent side of SV1420.

10.9 Coordinate with the Control Room TB/85 3/4 No and very slowly open FW-1-384 until the onset of FWH flashing, then throttle closed until it stops 10.12 Slowly begin to open FW-1-383. If TB/85 3/4 No FWH flashing occurs, then throttle closed until it stops.

10.14 Close FW-1-384. TB/85 3/4 No

'l 11.2.2.a Perform the following to prepare TJ3/104 3/4 No - If steam traps steam line drains for closing the cannot be re-aligned MSIVs: Align valves for steam traps declare AFW Pump 1 1, 2, 3 and 5 steam line drains. INOPERABLE.

11.2.2.b Align AFW Pump 1-1 and Main TB/104 & Pen/100 3/4 No - If steam traps Steam Traps 1, 2, 3 and 5 to the cannot be re-aligned Outfall declare AFW Pump 1 INOPERABLE.

11.2.3 Connect hoses for AFW chemical AB/100/AFW room 3/4 No injection PER OP D-2:1V, "Adding Chemicals to Chemical Day Tanks-AFW System."

11.2.5 IF desired, THEN secure and clear Intake 3/4 No a CWP PER OP E-4:111, "Circulating Water System Shutdown and Clearing."

11.2.7 IF the Main .Generator is to be TB/104 3/4 No depressurized and purged, THEN warm up the C02 vaporizer PER OP J-4C:lll, "Generator Hydrogen System-Remove Froni Service."

11.3 Just prior to separating from grid, TB/119 3/4 No drain MSR drain tanks and FW heaters PER OP C-7:111, "Condensate System - Shutdown and Layup."

11.5.2 IF relatching the Main Turbine is TB/140 3/4 No - If Cooldown I [Document No.] Rev. [X] Page 303 of 3081

l ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2. & H-2 Bases I

.,I* .. '.: ,, ' ;

.If action not Pr9ced~re at1d~ '

. auilding/ ~perter.med, da:es t{lis

' . " Step :A~tiap. , Mode Step ... .

. ..El~'lation1Raoni . ~'pteyenl*c<l>oLctown/::

'-,. fl

., ' ;J; '

< '. ~

" ' . ,.~ ~

Fe'<.

shutdown?

needed to control plant cool down, control is an issue then THEN perform the following:T35016 MSIVs can be closed

a. Close AIR-1-1-2489, Air Supply to the Air/Oil Relay.

b. Isolate EH to the governor valves:

. EH-1-518, for FCV-139

. EH-1-519, for FCV-140

. EH-1-520, EH-1-521, for for FCV-141 FCV-142 11.5.3.b Align the MSRs as necessary PER TB/119 & 104 3/4 No OP C-5:111, "Moisture Separator I

Reheaters - Shutdown."

I 11.5.5 IF desired, THEN back feed the unit Various 3/4 No from 500kV PER OP J-2:V, "Back feeding the Unit from the 500kV System."

11.5.7 Secure and drain SCCW PER OP TB/85 3/4 No J-4A:lll, "Generator Stator Cooling Water-Shutdown and Draining."

11.6.1 Depressurize and purge the Main TB/140 & 119 3/4 No Generator PER OP J-4C:lll, "Generator Hydrogen System-Remove from Service."

11.6.2 Secure SCW to exciter air coolers TB/104 3/4 No 11.7.6 Remove polishers from service TB/85 & 3/4 No PER OP C-7C:ll, "Condensate 104/Polishers Polishing System-Remove Demineralizers from Service," as directed by the Secondary Foreman.

11.7.8 Open CND-1-506 to break vacuum. TB/119 3/4 No 11.7.9 Maintenance to remove RM-15 and TB/104 3/4 No RM-15R from service.

11.7.10 Secure gland steam and cylinder TB/104 & 140 3/4 No heating steam PER OP C-3A:lll, "Sealing Steam System-Shutdown and Clearing.

11.7.11 Secure condenser air removal PER TB/104 3/4 No OP C-6:111, "Condenser and Air i I

Removal System-Shutdown and Clearing."

11.7.12 Secure the following PER OP C- TB/119 & 140 3/4 No 6C:ll, "Condensate Air and Nitrogen Injection - Remove from Service:"

1 [Document No.] Rev. [X] Page 304 of 3081

r ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

. ;; .. , ~If!aCtiOrirnet < . , ,~

Pr6ceClute anCI : Bi.dlClitjg/ 1* *performe:tt, .aoes th:ls

.... *. Step ..

~1ev"'1ionl~oom . *' r~~e .. .preV:~nt ~odl down/;;*

'shut.* Clown?

N2 injection

Air injection 11.7.14.b Secure chemical injection PER OP TB/85 3/4 No D-2:11, "Main Feed Water Chemical Injection-Place in Service."

11.7.15 Isolate condensate reject PER OP TB/85 3/4 No C-7:111, "Condensate System-Shutdown and Layup" (LCV-12).

11.11.1, Secure turning gear PER OP C- TB/140 3/4 No 3:1V, "Main Unit Turbine-Turbine Shutdown."

11.11.2 Shut down lube oil PER OP C- TB/85, 104 & 119 3/4 No 3B:lll, "Lube Oil Distribution System-Shutdown and Clearing."

11.11.4 Shut down H2 Seal Oil System TB/85 3/4 No PER OP J-4B:ll, "Hydrogen Seal Oil System-Shutdown and Drain."

11.12 WHEN the RCS is at or below TB/119 & AB/140 3/4 No 350°F, THEN remove locking devices on the following SGBD throttle valves and open them to achieve maximum blowdown

'.OPiB*2:V:

. / '

RHR

. -- ~ Place'lii

. Seniice

'* . ' . ~.

6.1.5 Shift chemistry/radiation protection AB/100/PSSS *4 No - Basis is the system technician to sample RHR Loop 1-1 is aligned for ECCS to determine RHR Loop 1-1 boron Mode from the RWST.

concentration. In the event of an SI, we do not verify boron concentration prior to injecting.

6.1.10 Shift chemistry/radiation protection AB/100/PSSS 4 No - Basis is the system technician to sample RHR Loop 1-2 is aligned for ECCS to determine RHR Loop 1-2 boron Mode from the RWST.

concentration. In the event of an SI, we do not verify boron concentration prior to injecting.

6.1.13.b I 6.2.27 I Open RHR-1-8734A, RHR System Pen/85 4 No - Basis is the system 6.2.43 1-1 Bypass to Letdown Heat is aligned for ECCS Exchanger Inlet (85' Containment Mode from the RWST.

Penetration Area). In the event of an SI, we do not verify boron concentration prior to injecting.

6.1.13.i Chemistry to sample RHR Loop 1-1 AB /100/PSSS 4 No - Basis is the system at approximately 10 minute is aliqned for ECCS I [Document No.] Rev. [X] Page 305 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases

,If action not* *

f>rocedure*and J3ulfdingi. 1*. p~r.fe~nie~l, d~es th is

. St~p .. ;~l~Y-ation/Room * , .'pri!vefit c6oi~Clo\ilnl.

..s'htit dowri?*

' ( - '

intervals until the boron Mode from the RWST.

concentration is equal to or.greater In the event of an SI, we than that in the RCS. do not verify boron concentration prior to injecting.

6.1.13.1I6.2.36.b Close RHR-1-8734A, RHR System Pen/85 4 No 1-1 Bypass to Letdown Heat Exchanger Inlet.

6.1.13.q I Open RHR-1-8734B, RHR System Pen/85 4 No - Basis is the system 6.2.36.a I 6.3.8 1-2 Bypass to Letdown Heat is aligned for ECCS Exchanger Inlet (85'Containment Mode from the RWST..

Penetration Area). In the event of an SI, we do not verify boron concentration prior to injecting.

6.1.13.u Chemistry to sample the RHR loop AB /100/PSSS 4 No - Basis is the system at approximately 10 minute is aligned for ECCS intervals until the boron Mode from the RWST.

concentration of RHR loop 1-2 is In the event of an SI, we equal to or greater than that in the do not verify boron RCS. concentration prior to injecting.

6.1.13.w I 6.2.18 Close RHR-1-8734B, RHR System Pen/85 4 No 1-2 Bypass to Letdown Heat Exchanger Inlet.

6.2.9 I 6.3.9 Open RHR-1-8726A, RHR Heat AB/64/RHR 4 No - This keeps the Exchanger 1-1 Bypass (64' pumps hallway RHR trains split but elevation Auxiliary Building). does not prevent cool down.

6.2.10 I 6.3.10 Open RHR-1-8726B, RHR Heat AB/64/RHR 4 No - This keeps the Exchanger 1-2 Bypass (64' pumps hallway RHR trains split but elevation Auxiliary Building) .. does not prevent cool down.

6.2.12 I 6.3.12 Ensure CLOSED the breakers for Area H/100/480V 4 Yes - required to align the following valves: Buses RHR system

52-1F-31, MOV 8980

52-1G-25, MOV 8701

52-1H-19, MOV 8702 ., ,, .,.

" '. . .c*

6.5.2 IF a Circulating Water pump was Intake 3 No tripped, THEN REFER TO OP E-4:111, Circulating Water System -

Shutdown and Clearing, for cleanup actions.

6.5.3 !E no Circulating Water pump can TB/various 3 No be placed in service, THEN cool I [Document No.] Rev. [X] Page 306 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H'-2 Bases

Jf action *not

~ ~

1* *

Mo(Je: . P..erfdr:me.CI~ ti~~s tnis

.P.tecedure* and ,. . . 8ol1dingl

. st~T> '\ ;.

E1ev~tioniR.00m

-;'. . ' " - ... ,,, . " '.:.ip~V~nt*~-~~:t~~'.awn( * **

'. *. '.:shutd9wn?*

down a hot condenser in accordance with AP-7, Attachment 1 6.10.7 Align SG Slowdown via the TB/119 & Pen/100 3 No Slowdown Tank per OP D-2:V for SG chemistry and RCS temperature control.

6.11.4 Condensate Polisher Beds aligned TB/104/Polisher 3 No per Secondary Foreman direction.

6.12.2.i Open FW-1-FCV-420 TB/104 3 No 6.12.2.j Coordinate with the Control Room TB/85 3 No and very slowly OPEN FW-1-384 6.12.2.k Very, slowly OPEN FW-1-383. TB/85 3 No 6.12.2.1 Close FW-1-384 TB/85 3 No 6.13.2.b Realign steam traps 1, 2, 3, and 5 I TB/104 3/4 No - If steam traps steam line drains cannot be re-aligned declare AFW Pump 1 INOPERABLE.

6.13.2.c & d Align AFW Pump 1-1 and Main TB/104 & Pen/100 3/4 No - If steam traps Steam Traps 1, 2, 3 and 5 to the cannot be re-aligned Outfall declare AFW Pump 1 INOPERABLE.

6.13.3 Align Auxiliary and Gland Seal TB/104 & AB/100 3/4 No steam as desired per OP C-3A:I.

6.14.2 If desired to control plant cool TB/140 3/4 No - If cooldown down, relatch the Main Turbine as control is an issue then follows: MSIVs can be closed

a. Close AIR-1-1-2489, Air Supply to the Air/Oil Relay.

b. Isolate EH to the governor valves:

EH-1-518, for FCV-139

EH-1-519, for FCV-140

EH-1-520, for FCV-141

EH-1-521, for FCV-142 6.15 IF desired, THEN back feed the unit Various 3/4 No from 500kV PER OP J-2:V, "Back feeding the Unit from the 500kV System."

6.31 On the 4kV vital buses, reset TB/119/4kV Vital 3/4 No dropped flags on undervoltage Bus Rooms relays 27HFB1, 27HGB1 and 27HHB1 .

. OP ~P:~i*s, RaplQ* koad R~ciilc~ion. or $h~t~*ow:ti'.

'*""" *~,. .Y, , *~'<< , c,~ ,* ~ '.>'* ,;,; *~ ~,*:, , f, * ,M,.A, <<~"J:<<'* " ; ;",;' ' .. ' ' ' " . " ..

I [Document No.] Rev. [X] Page 307 of 3081

ATTACHMENT 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases 7.a RNO e/ WHEN plant conditions permit, TB/85 1/2/3 No 14.f.4 I 20.c.4 THEN swap Condensate Pump vents PER OP C-7A:I.

Table R-2 & H-2 Safe Operation & Shutdown Rooms/Areas Room/Area Mode(s)

Auxiliary Building - 115' - BASTs 2, 3,4 Auxiliary Building - 100' - BA Pumps 2, 3, 4 Auxiliary Building - 85' - Aux Control Board 2,3,4 Auxiliary Building - 64' - BART Tank area 2,3,4 Area H (below Control Room) - 100' 480V Bus area/rooms 3,4 j [Document No.] Rev. [X] Page 308 of 308 j l

ML17179A019

Text

4.0 REFERENCES

4.0 REFERENCES

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background

Background