ML17263B249

From kanterella
Jump to navigation Jump to search
Emergency Plan, Rev. 59. Part 2 of 2
ML17263B249
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 09/15/2017
From:
Arizona Public Service Co
To:
Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation
Shared Package
ML17264A609 List:
References
102-07585-CS/DWC
Download: ML17263B249 (169)
v  d  e


Text

PVNGS EMERGENCY PLAN REVISION 59 PAGE 167 of 332 ATTACHMENT 1 EAL Technical Bases even if the source of the leakage cannot be immediately identified. Visual observation of significant leakage from systems connected to the RCS that cannot be isolated could also be indicative of a loss of RCS inventory (ref. 1,2).

This IC addresses the inability to restore and maintain water level to a required minimum level (or the lower limit of a level band), or a loss of the ability to monitor RCS level concurrent with indications of coolant leakage. Either of these conditions is considered to be a potential degradation of the level of safety of the plant.

Refueling evolutions that decrease RCS water inventory are carefully planned and controlled. An UNPLANNED event that results in water level decreasing below a procedurally required limit warrants the declaration of an Unusual Event due to the reduced water inventory that is available to keep the core covered.

This EAL addresses a condition where all means to determine level have been lost. In this condition, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels (Table C-1). Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS.

Continued loss of RCS inventory may result in escalation to the Alert emergency classification level via either IC CA1 or CA3.

PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ02, Excessive RCS Leakrate
2. Procedure 40OP-9ZZ16, RCS Drain Operations
3. NEI 99-01, CU1 Page 65 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 168 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory EAL:

CA1.1 Alert Loss of RCS inventory as indicated by RCS level < 101 ft. 6 in.

(RWLIS NR RCN-LI-752A/RCN-LR-752)

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

None Basis:

RCS water level, as indicated on RWLIS narrow range (RCN-LI-752A or RCN-LR-752), of 101 ft 6 in., corresponds to 2 inches above the RCS Hot Leg centerline and is the lowest level for continued operation of normal shutdown cooling (SDC) (ref. 1).

The inability to restore and maintain level after reaching this setpoint infers a failure of the RCS barrier.

This 1C addresses conditions that are precursors to a loss of the ability to adequately cool irradiated fuel (i.e., a precursor to a challenge to the fuel clad barrier). This condition represents a potential substantial reduction in the level of plant safety.

For this EAL, a lowering of RCS water level below 101 ft. 6 in. indicates that operator actions have not been successful in restoring and maintaining RCS water level. The heat-up rate of the coolant will increase as the available water inventory is reduced. A continuing decrease in water level will lead to core uncovery.

Although related, this EAL is concerned with the loss of RCS inventory and not the potential concurrent effects on systems needed for decay heat removal (e.g., loss of a Decay Heat Removal suction point). An increase in RCS temperature caused by a loss of decay heat removal capability is evaluated under 1C CAS.

If RCS water level continues to lower, then escalation to Site Area Emergency would be via 1C CS1.

PVNGS Basis Reference(s):

1. Procedure 40OP-9ZZ16, RCS Drain Operations
2. NEI 99-01, CA1 Page 66 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 169 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory EAL:

CA1.2 Alert RCS level cannot be monitored for > 15 minutes (Note 1)

AND EITHER

  • UNPLANNED increase in any Table C-1 Sump / Tank level due to a loss of RCS inventory
  • Visual observation of UNISOLABLE RCS leakage Note 1; The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table C-1 Sumps / Tanks Containment Sumps Reactor Cavity Sump Auxiliary Building Sumps eves Holdup Tank Reactor Drain Tank Refueling Water Tank Equipment Drain Tank Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

UNISOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

In Cold Shutdown mode, the RCS will normally be intact and standard RCS level monitoring means are available.

In the Refuel mode, the RCS is not intact and RCS level may be monitored by different means, including the ability to monitor level visually.

In this EAL, all RCS water level indication would be unavailable for greater than 15 minutes and the RCS inventory loss must be detected by indirect leakage indications (Table C-1). Level increases must be evaluated against other potential sources of leakage such as cooling water Page 67 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 170 of 332 ATTACHMENT 1 EAL Technical Bases sources inside the containment to ensure they are indicative of RCS leakage. If the make-up rate to the RCS unexplainably rises above the pre-established rate, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified. Visual observation of significant leakage from systems connected to the RCS that cannot be isolated could also be indicative of a loss of RCS inventory (ref 1,2).

This IC addresses conditions that are precursors to a loss of the ability to adequately cool irradiated fuel (i.e., a precursor to a challenge to the fuel clad barrier). This condition represents a potential substantial reduction in the level of plant safety.

For this EAL, the inability to monitor RCS level may be caused by instrumentation and/or power failures, or water level dropping below the range of available instrumentation. If water level cannot be monitored, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels. Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS.

The 15-minute duration for the loss of level indication was chosen because it is half of the EAL duration specified in IC CS1.

If the RCS inventory level continues to lower, then escalation to Site Area Emergency would be via IC CS1.

PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ02, Excessive RCS Leakrate
2. Procedure 40OP-9ZZ16, RCS Drain Operations
3. NEI 99-01, CA1 Page 68 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 171 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting core decay heat removal capability EAL:

CS1.1 Site Area Emergency RCS level cannot be monitored for ^ 30 minutes (Note 1)

AND Core uncovery is indicated by any of the following:

  • UNPLANNED increase in any Table C-1 sump/tank level of sufficient magnitude to indicate core uncovery
  • RU-33 s 9,000 mR/hr (when installed)
  • Erratic Excore Monitor indication Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table C-1 Sumps/Tanks Containment Sumps Reactor Cavity Sump Auxiliary Building Sumps eves Holdup Tank Reactor Drain Tank Refueling Water Tank Equipment Drain Tank Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

In Cold Shutdown mode, the RCS will normally be intact and standard RCS level monitoring means are available.

In the Refueling mode, the RCS is not intact and RPV level may be monitored by different means, including the ability to monitor level visually.

The bottom of the RWLIS indication is 99 7. If level lowers less than 99 7 then level would not be able to be monitored. If RWLIS is not in service then when RVLMS is < 21 % plenum level (Detector #8) level would not be able to be monitored.

Page 69 of 230

ft PVNGS EMERGENCY PLAN REVISION 59 PAGE 172 of 332 ATTACHMENT 1 EAL Technical Bases In this EAL, all RCS water level indication would be unavailable for greater than 30 minutes and the RCS inventory loss must be detected by indirect leakage indications (Table C-1). Level increases must be evaluated against other potential sources of leakage such as cooling water sources inside the containment to ensure they are indicative of RCS leakage. If the make-up rate to the RCS unexplainably rises above the pre-established rate, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified. Visual observation of significant leakage from systems connected to the RCS that cannot be isolated could also be indicative of a loss of RCS inventory (ref. 1,2).

Sump or tank level increases should be of a magnitude that correlates to a volume sufficient to indicate fuel has been uncovered or uncovery is imminent.

The Reactor Vessel inventory loss may be detected by the refueling machine area radiation monitor or erratic Excore Monitor indication.

As water level in the reactor vessel lowers, the dose rate above the core will rise. The dose rate due to this core shine should result in up-scaled (10,000 mR/hr) refueling machine area radiation monitor (RU-33) indication. A threshold value of 90% of scale has been selected as an on-scale indicator (ref. 3, 4).

Post-TMI accident studies indicated that the installed PWR nuclear instrumentation will operate erratically when the core is uncovered and that this should be used as a tool for making such determinations (ref. 5).

This IC addresses a significant and prolonged loss of reactor vessel/RCS inventory control and makeup capability leading to IMMINENT fuel damage. The lost inventory may be due to a RCS component failure, a loss of configuration control or prolonged boiling of reactor coolant. These conditions entail major failures of plant functions needed for protection of the public and thus warrant a Site Area Emergency declaration.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level cannot be restored, fuel damage is probable.

The 30-minute criterion is tied to a readily recognizable event start time (i.e., the total loss of ability to monitor level) and allows sufficient time to monitor, assess and correlate reactor and plant conditions to determine if core uncovery has actually occurred (i.e., to account for various accident progression and instrumentation uncertainties). It also allows sufficient time for performance of actions to terminate leakage, recover inventory control/makeup equipment and/or restore level monitoring.

The inability to monitor RCS level may be caused by instrumentation and/or power failures, or water level dropping below the range of available instrumentation. If water level cannot be monitored, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels. Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS .

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal, SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues, NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States, and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

Escalation of the emergency classification level would be via IC CGI or RG1 Page 70 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 173 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ02, Excessive RCS Leakrate
2. Procedure 40OP-9ZZ16, RCS Drain Operations
3. UFSAR Table 11.5-1, Continuous Process and Effluent Radiation Monitoring
4. UFSAR Section 11.5.2.1.5.4, Refueling Area Monitor
5. Nuclear Safety Analysis Center (NSAC), 1980, Analysis of Three Mile Island - Unit 2 Accident, NSAC-1
6. NEI 99-01, CS1 Page 71 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 174 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 1 - RCS Level Initiating Condition: Loss of RCS inventory affecting fuel clad integrity with containment challenged EAL:

CG1.1 General Emergency RCS level cannot be monitored for> 30 minutes (Note 1)

AND Core uncovery is indicated by any of the following;

  • UNPLANNED increase in any Table C-1 sump/tank level of sufficient magnitude to indicate core uncovery
  • RU-33 > 9,000 mR/hr (when installed)
  • Erratic Excore Monitor indication AND Any Containment Challenge indication, Table C-2 Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 6: If CONTAINMENT CLOSURE is re-established prior to exceeding the 30-minute time limit, declaration of a General Emergency is not required.

Table C-1 Sumps/Tanks

  • eves Holdup Tank
  • Reactor Drain Tank
  • Refueling Water Tank
  • Equipment Drain Tank Table C-2 Containment Challenge Indications
  • CONTAINMENT CLOSURE not established (Note 6)
  • Containment hydrogen concentration ^ 4.5%
  • Unplanned rise in containment pressure Page 72 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 175 of 332 ATTACHMENT 1 EAL Technical Bases Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems and components as a functional barrier to fission product release under shutdown conditions.

As applied to PVNGS, Containment Closure is established when the requirements of procedure 40EP-9E010, LM-Containment Evacuation and Closure, Appendix 249, for containment closure are met.

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

In Cold Shutdown mode, the RCS will normally be intact and standard RCS level monitoring means are available.

In the Refueling mode, the RCS is not intact and RPV level may be monitored by different means, including the ability to monitor level visually.

The bottom of the RWLIS indication is 99 7. If level lowers less than 99 7 then level would not be able to be monitored. If RWLIS is not in service then when RVLMS is < 21 % plenum level (Detector #8) level would not be able to be monitored.

In this EAL, all RCS water level indication would be unavailable for greater than 30 minutes and the RCS inventory loss must be detected by indirect leakage indications (Table C-1). Level increases must be evaluated against other potential sources of leakage such as cooling water sources inside the containment to ensure they are indicative of RCS leakage. If the make-up rate to the RCS unexplainably rises above the pre-established rate, a loss of RCS inventory may be occurring even if the source of the leakage cannot be immediately identified. Visual observation of significant leakage from systems connected to the RCS that cannot be isolated could also be indicative of a loss of RCS inventory (ref. 1, 2).

Sump or tank level increases should be of a magnitude that correlates to a volume sufficient to indicate fuel has been uncovered or uncovery is imminent.

The Reactor Vessel inventory loss may be detected by the refueling machine area radiation monitor or erratic Excore Monitor indication.

As water level in the reactor vessel lowers, the dose rate above the core will rise. The dose rate due to this core shine should result in up-scaled (10,000 mR/hr) refueling machine area radiation monitor (RU-33) indication. A threshold value of 90% of scale has been selected as an on-scale indicator (ref. 3, 4).

Post-TMI accident studies indicate that the installed PWR nuclear instrumentation will operate erratically when the core is uncovered and that this should be used as a tool for making such determinations (ref 5).

Page 73 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 176 of 332 ATTACHMENT 1 EAL Technical Bases Three conditions are associated with a challenge to Containment integrity:

1. CONTAINMENT CLOSURE not established - The status of Containment closure is tracked if plant conditions change that could raise the risk of a fission product release as a result of a loss of decay heat removal (ref. 6). If containment closure is re-established prior to exceeding the 30 minute core uncovery time limit then escalation to GE would not occur.
2. Containment hydrogen >4.5% - The 4.5% hydrogen concentration threshold represents the Hydrogen Recombiners Function Failure Indication (ref. 11) and is the acceptance criteria for the PVNGS Safety Function Status Check for LOCA, Containment Combustible Gas Control (ref.7, 8, 10,). PVNGS is equipped with a Hydrogen Control System (HCS) which serves to limit or reduce combustible gas concentrations in the containment. The HCS is an engineered safety feature with redundant hydrogen recombiners, hydrogen mixing system, hydrogen monitoring subsystem and a backup hydrogen purge subsystem.

The HCS is designed to maintain the containment hydrogen concentration below 4% by volume (ref. 8). Two containment hydrogen monitors have a range of 0% to 10% (ref. 8, 9). Since the hydrogen monitoring system may be out of service in Modes 5 and 6, alternative means of determining hydrogen concentration may be required if the Emergency Coordinator believes conditions exist that may cause hydrogen generation inside containment.

3. UNPLANNED rise in containment pressure - An unplanned pressure rise in containment while in cold shutdown or refueling modes can threaten Containment Closure capability and thus containment potentially cannot be relied upon as a barrier to fission product release.

This 1C addresses the inability to restore and maintain reactor vessel level above the top of active fuel with containment challenged. This condition represents actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity. Releases can be reasonably expected to exceed EPA PAG exposure levels offsite for more than the immediate site area.

Following an extended loss of core decay heat removal and inventory makeup, decay heat will cause reactor coolant boiling and a further reduction in reactor vessel level. If RCS level cannot be restored, fuel damage is probable.

With CONTAINMENT CLOSURE not established, there is a high potential for a direct and unmonitored release of radioactivity to the environment. If CONTAINMENT CLOSURE is re established prior to exceeding the 30-minute time limit, then declaration of a General Emergency is not required.

The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen burn (i.e., at the lower deflagration limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a challenge to Containment integrity.

In the early stages of a core uncovery event, it is unlikely that hydrogen buildup due to a core uncovery could result in an explosive gas mixture in containment. If all installed hydrogen gas monitors are out-of-service during an event leading to fuel cladding damage, it may not be possible to obtain a containment hydrogen gas concentration reading as ambient conditions Page 74 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 177 of 332 ATTACHMENT 1 EAL Technical Bases within the containment will preclude personnel access. During periods when installed containment hydrogen gas monitors are out-of-service, operators may use the other listed indications to assess whether or not containment is challenged.

The 30-minute criterion is tied to a readily recognizable event start time (i.e., the total loss of ability to monitor level) and allows sufficient time to monitor, assess and correlate reactor and plant conditions to determine if core uncovery has actually occurred (i.e., to account for various accident progression and instrumentation uncertainties). It also allows sufficient time for performance of actions to terminate leakage, recover inventory control/makeup equipment and/or restore level monitoring.

The inability to monitor RCS level may be caused by instrumentation and/or power failures, or water level dropping below the range of available instrumentation. If water level cannot be monitored, operators may determine that an inventory loss is occurring by observing changes in sump and/or tank levels. Sump and/or tank level changes must be evaluated against other potential sources of water flow to ensure they are indicative of leakage from the RCS.

This EAL addresses concerns raised by Generic Letter 88-17, Loss of Decay Heat Removal]

SECY 91-283, Evaluation of Shutdown and Low Power Risk Issues] NUREG-1449, Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States] and NUMARC 91-06, Guidelines for Industry Actions to Assess Shutdown Management.

PVNGS Basis Reference(s):

I. Procedure 40AO-9ZZ02, Excessive RCS Leakrate

2. Procedure 40OP-9ZZ16, RCS Drain Operations
3. UFSAR Table 11.5-1, Continuous Process and Effluent Radiation Monitoring
4. UFSAR Section 11.5.2.1.5.4, Refueling Area Monitor
5. Nuclear Safety Analysis Center (NSAC), 1980, Analysis of Three Mile Island - Unit 2 Accident, NSAC-1
6. Procedure 40EP-9E010, LM-Containment Evacuation and Closure, Appendix 249
7. Procedure 40DP-9AP08, Loss of Coolant Accident Technical Guideline
8. UFSAR Section 1.2.4.2, Additional PVNGS Engineered Safety Features
9. UFSAR Table 6.2.5-1, Combustible Gas Control System Design Parameters
10. Procedure 40EP-9E003, Loss of Coolant Accident II. Nuclear Fuel Management Analysis Calculation TA-13-C00-2000-001, EOP Setpoint Document 12.NEI 99-01, CGI Page 75 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 178 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 2 - Loss of Emergency AC Power Initiating Condition: Loss of all but one AC power source to emergency buses for 15 minutes or longer EAL:_______________________________________________________________________

CU2.1 Unusual Event AC power capability, Table C-3, to emergency 4.16KV buses PBA-S03 and PBB-S04 reduced to a single power source for > 15 minutes (Note 1)

AND Any additional single power source failure will result in loss of all AC power to SAFETY SYSTEMS Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or\will likely be exceeded.

Table C-3 AC Power Sources Offsite:

  • SUT (alternate)
  • SBOG #1 (if already aligned)
  • SBOG #2 (if already aligned)

Onsite:

  • DG B Mode Applicability:

5 - Cold Shutdown, 6 - Refueling, D - Defueled Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10 CFR 50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary:

(2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Page 76 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 179 of 332 ATTACHMENT 1 EAL Technical Bases Basis:

For emergency classification purposes, capability means that an AC power source is available to and capable of powering the emergency bus(es) within 15 min, whether or not the buses are currently powered from it.

The condition indicated by this EAL is the degradation of the offsite and onsite power sources such that any additional single failure would result in a loss of all AC power to the emergency buses.

4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESF Service Transformer NAN-X03 and the alternate supply to PBB-S04 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

In addition, PBA-S03 and PBB-S04 each have an emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1).

Additional alternate offsite AC power sources are the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). However, these sources can only be credited if already aligned, that is, capable of powering one or more emergency bus within 15 minutes. Each SBOG is rated at approximately 3.4 MW and can supply the shutdown SAFETY SYSTEM loads in Modes 5, 6 and Defueled.

This cold condition EAL is equivalent to the hot condition EAL SA1.1.

This 1C describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment.

When in the cold shutdown, refueling, or defueled mode, this condition is not classified as an Alert because of the increased time available to restore another power source to service.

Additional time is available due to the reduced core decay heat load and the lower temperatures and pressures in various plant systems. Thus, when in these modes, this condition is considered to be a potential degradation of the level of safety of the plant.

An AC power source is a source recognized in AOPs and EOF and capable of supplying required power to an essential bus. Some examples of this condition are presented below.

A loss of all offsite power with a concurrent failure of all but one emergency power source (e.g., an onsite diesel generator).

A loss of all offsite power and loss of all emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being fed from an SBOG.

A loss of emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being fed from an offsite power source.

Page 77 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 180 of 332 ATTACHMENT 1 EAL Technical Bases Fifteen minutes was selected as a threshold to exclude transient or momentary losses of power.

The subsequent loss of the remaining single power source would escalate the event to an Alert in accordance with IC CA2.

PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1, AC Power Systems
3. Procedure 40AO-9ZZ12, Degraded Electrical Power
4. UFSAR Section 1.2.10.3.9, Alternate AC Power System
5. NEI 99-01, CU2 Page 78 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 181 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 2 - Loss of Emergency AC Power Initiating Condition: Loss of all offsite and all onsite AC power to emergency buses for 15 minutes or longer EAL:

CA2.1 Alert Loss of all offsite and all onsite AC power capability to emergency 4.16KV buses PBA-S03 and PBB-S04 for s 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling, D - Defueled Basis:

For emergency classification purposes, capability means that an AC power source is available to and capable of powering the emergency bus(es) within 15 min, whether or not the buses are currently powered from it.

4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESF Service Transformer NAN-X03 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

In addition, PBA-S03 and PBB-S04 each have an emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1).

Additional alternate offsite AC power sources include, but not limited to, the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). However, these sources can only be credited if already aligned, that is, capable of powering one or more emergency bus within 15 minutes. Each SBOG is rated at approximately 3.4 MW and can supply the shutdown SAFETY SYSTEM loads in Modes 5, 6 and Defueled.

This cold condition EAL is equivalent to the hot condition loss of all offsite AC power EAL SSI .1.

This 1C addresses a total loss of AC power that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink.

When in the cold shutdown, refueling, or defueled mode, this condition is not classified as a Site Area Emergency because of the increased time available to restore an emergency bus to service. Additional time is available due to the reduced core decay heat load and the lower Page 79 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 182 of 332 ATTACHMENT 1 EAL Technical Bases temperatures and pressures in various plant systems. Thus, when in these modes, this condition represents an actual or potential substantial degradation of the level of safety of the plant.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Escalation of the emergency classification level would be via IC CS1 or RS1.

PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1, AC Power Systems
3. Procedure 40AO-9ZZ12, Degraded Electrical Power
4. UFSAR Section 1.2.10.3.9, Alternate AC Power System
5. NEI 99-01, CA2 Page 80 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 183 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 3 - RCS Temperature Initiating Condition: UNPLANNED increase in RCS temperature EAL:

CU3.1 Unusual Event UNPLANNED increase in RCS temperature to > 210°F Mode Applicability:

5 - Cold Shutdown, 6 - Refueling If'; Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

Several instruments are capable of providing indication of RCS temperature with respect to the Technical Specification cold shutdown temperature limit (210°F, ref. 1). These include cold leg (Tcoid) temperature indications, hot leg (Tuot) temperature indications with RCPs running, CETs and SDC Heat Exchanger inlet temperature indications (ref. 2, 3).

However, if Shutdown Cooling (SDC) flow is lost, then the normal temperature elements used to monitor RCS temperature are not accurate indicators of RCS temperature. The CETs are the design instruments for these conditions. For some periods of time the CETs may not be available. The current practices concerning determining time to boil can be used in the evaluation of these EALs. Without CET indication and with a loss of SDC flow the following guidance should be used (ref. 4);

  • Use the predetermined time to boil data for evaluating these EALs. This approach reflects the relatively small numerical difference between the typical Technical Specification cold shutdown temperature limit of 210°F and the boiling temperature of RCS water with the plant in Mode 5 or 6.
  • Alternately, the Control Room staff may use a procedure or user aid to determine when RCS temperature will likely exceed 210°F given the actual plant conditions (e.g., using a heat-up curve).

This IC addresses an UNPLANNED increase in RCS temperature above the Technical Specification cold shutdown temperature limit and represents a potential degradation of the level of safety of the plant. If the RCS is not intact and CONTAINMENT CLOSURE is not established during this event, the Emergency Coordinator should also refer to IC CA3.

A momentary UNPLANNED excursion above the Technical Specification cold shutdown temperature limit when the heat removal function is available does not warrant a classification.

This EAL involves a loss of decay heat removal capability, or an addition of heat to the RCS in excess of that which can currently be removed, such that reactor coolant temperature cannot be maintained below the cold shutdown temperature limit specified in Technical Specifications.

Page 81 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 184 of 332 ATTACHMENT 1 EAL Technical Bases During this condition, there is no immediate threat of fuel damage because the core decay heat load has been reduced since the cessation of power operation.

During an outage, the level in the reactor vessel will normally be maintained at or above the reactor vessel flange. Refueling evolutions that lower water level below the reactor vessel flange are carefully planned and controlled. A loss of forced decay heat removal at reduced inventory may result in a rapid increase in reactor coolant temperature depending on the time after shutdown.

Escalation to Alert would be via IC CA1 based on an inventory loss or IC CA3 based on exceeding plant configuration-specific time criteria.

PVNGS Basis Reference(s):

1. Technical Specifications Table 1.1-1, Modes
2. Procedure 400P-9ZZ03, Reactor Startup
3. Procedure 40ST-9RC01, RCS and Pressurizer Heatup and Cooldown Rates
4. Safety Analysis Operational Data Book
5. NEI 99-01, CU3 Page 82 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 185 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 3 - RCS Temperature Initiating Condition: UNPLANNED increase in RCS temperature EAL:

CU3.2 Unusual Event Loss of all RCS temperature and RCS level indication for > 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6- Refueling Definition(s):

}

None Basis:

Several instruments are capable of providing indication of RCS temperature with respect to the Technical Specification cold shutdown temperature limit (210°F, ref. 1). These include cold leg (Tcoid) temperature indications, hot leg (Thot) temperature indications with RCPs running, CETs and SDC Heat Exchanger inlet temperature indications (ref. 2, 3).

Several instruments are capable of providing indication of RCS level including pressurizer level, RWLIS, RVLMS and local monitor (gauge glass) (ref. 4).

This EAL addresses the inability to determine RCS temperature and level and represents a potential degradation of the level of safety of the plant. If the RCS is not intact and CONTAINMENT CLOSURE is not established during this event, the Emergency Coordinator should also refer to 1C CA3.

This EAL reflects a condition where there has been a significant loss of instrumentation capability necessary to monitor RCS conditions and operators would be unable to monitor key parameters necessary to assure core decay heat removal. During this condition, there is no immediate threat of fuel damage because the core decay heat load has been reduced since the cessation of power operation.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Escalation to Alert would be via 1C CA1 based on an inventory loss or 1C CA3 based on exceeding plant configuration-specific time criteria.

Page 83 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 186 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Technical Specification Table 1.1-1, Modes
2. Procedure 400P-9ZZ03, Reactor Startup
3. Procedure 40ST-9RC01, RCS and Pressurizer Heatup and Cooldown Rates
4. Procedure 40OP-9ZZ16, RCS Drain Operations
5. NEI 99-01, CU3 b_

\ -

Page 84 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 187 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 3 - RCS Temperature Initiating Condition: Inability to maintain plant in cold shutdown EAL:

CA3.1 Alert UNPLANNED increase in RCS temperature to > 210°F for > Table C-4 duration (Note 1)

UNPLANNED RCS pressure increase > 10 psia (This criterion does not apply during water-solid plant conditions)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that the applicable time has been exceeded, or will likely be exceeded.

Table C-4: RCS Heat-up Duration Thresholds CONTAINMENT RCS Status Heat-up Duration CLOSURE Status Intact (but not REDUCED N/A 60 minutes.*

INVENTORY)

Not intact Established 20 minutes.*

OR REDUCED INVENTORY Not Established 0 minutes.

  • If an RCS heat removal system is in operation within this time frame and RCS temperature is being reduced, the EAL is not applicable.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

CONTAINMENT CLOSURE - The procedurally defined actions taken to secure containment and its associated structures, systems and components as a functional barrier to fission product release under shutdown conditions.

As applied to PVNGS, Containment Closure is established when the requirements of procedure 40EP-9E010, LM-Containment Evacuation and Closure, Appendix 249, for containment closure are met.

UNPLANNED A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

REDUCED INVENTORY - Plant condition when fuel is in the reactor vessel and Reactor Coolant System level is less than or equal to the 111 foot elevation.

Page 85 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 188 of 332 ATTACHMENT 1 EAL Technical Bases Basis:

Several instruments are capable of providing indication of RCS temperature with respect to the Technical Specification cold shutdown temperature limit (210°F, ref. 1). These include cold leg (Tcoid) temperature indications, hot leg (Thot) temperature indications with RCPs running, CETs and SDC Heat Exchanger inlet temperature indications (ref. 2, 3).

However, if Shutdown Cooling (SDC) flow is lost, then the normal temperature elements used to monitor RCS temperature are not accurate indicators of RCS temperature. The CETs are the design instruments for these conditions. For some periods of time the CETs may not be available. The current practices concerning determining time to boil can be used in the evaluation of these EALs. Without CET indication and with a loss of SDC flow the following guidance should be used (ref. 4):

  • Use the predetermined time to boil data for evaluating these EALs. This approach reflects the relatively small numerical difference between the typical Technical Specification cold shutdown temperature limit of 210°F and the boiling temperature of RCS water with the plant in Mode 5 or 6.
  • Alternately, the Control Room staff may use a procedure or user aid to determine when RCS temperature will likely exceed 210°F given the actual plant conditions (e.g., using a heat-up curve).

RCS pressure instruments RCA PI-103, RCC-PI-105, RCD-PI-106 and RCB-PI-104 are capable of measuring pressure to less than 10 psia (ref. 3).

This 1C addresses conditions involving a loss of decay heat removal capability or an addition of heat to the RCS in excess of that which can currently be removed. Either condition represents an actual or potential substantial degradation of the level of safety of the plant.

A momentary UNPLANNED excursion above the Technical Specification cold shutdown temperature limit when the heat removal function is available does not warrant a classification.

The RCS Heat-up Duration Thresholds table addresses an increase in RCS temperature when CONTAINMENT CLOSURE is established but the RCS is not intact, or RCS inventory is reduced (e.g., mid-loop operation). The 20-minute criterion was included to allow time for operator action to address the temperature increase.

The RCS Heat-up Duration Thresholds table also addresses an increase in RCS temperature with the RCS intact. The status of CONTAINMENT CLOSURE is not crucial in this condition since the intact RCS is providing a high pressure barrier to a fission product release. The 60-minute time frame should allow sufficient time to address the temperature increase without a substantial degradation in plant safety.

Finally, in the case where there is an increase in RCS temperature, the RCS is not intact or is at reduced inventory and CONTAINMENT CLOSURE is not established, no heat-up duration is allowed (i.e., 0 minutes). This is because 1) the evaporated reactor coolant may be released directly into the containment atmosphere and subsequently to the environment, and 2) there is reduced reactor coolant inventory above the top of irradiated fuel.

The RCS pressure increase threshold provides a pressure-based indication of RCS heat-up in the absence of RCS temperature monitoring capability.

Escalation of the emergency classification level would be via 1C CS1 or RSI.

Page 86 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 189 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Technical Specification Table 1.1-1, Modes
2. Procedure 400P-9ZZ03, Reactor Startup
3. Procedure 40ST-9RC01, RCS and Pressurizer Heatup and Cooldown Rates A. Safety Analysis Operational Data Book
5. NEI 99-01, CA3 Page 87 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 190 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 4 - Loss of Vital DC Power Initiating Condition: Loss of Vital DC power for 15 minutes or longer EAL:

CU4.1 Unusual Event Indicated voltage is < 112VDC on vital DC buses required by Technical Specifications for ^

15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

b- None Basis:

The purpose of this EAL is to recognize a loss of DC power compromising the ability to monitor and control the removal of decay heat during cold shutdown or refueling operations. This EAL is intended to be anticipatory in as much as the operating crew may not have necessary indication and control of equipment needed to respond to the loss.

The vital DC buses are the following 125 VDC Class IE buses (ref. 1):

Train A: Train B:

  • PKA-M41
  • PKB-M42

. PKC-M43

  • PKD-M44 There are four, 60 cell, lead-calcium storage batteries (PKA-F11, PKC-F13, PKB-F12 and PKD-F14) that supplement the output of the battery chargers. They supply DC power to the distribution buses when AC power to the chargers is lost or when transient loads exceed the capacity of the battery chargers (ref. 1).

All four of the 125VDC buses supply inverters for 120VAC PN bus power as well as control power for various safety related systems. Each battery is designed to have sufficient stored energy to supply the required emergency loads for 120 minutes following a loss of AC power to the chargers (ref. 2).

Minimum DC bus voltage is 112 VDC (ref. 3).

This EAL is the cold condition equivalent of the hot condition loss of DC power EAL SS7.1.

This 1C addresses a loss of vital DC power which compromises the ability to monitor and control operable SAFETY SYSTEMS when the plant is in the cold shutdown or refueling mode. In these modes, the core decay heat load has been significantly reduced and coolant system temperatures and pressures are lower; these conditions increase the time available to restore Page 88 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 191 of 332 ATTACHMENT 1 EAL Technical Bases a vital DC bus to service. Thus, this condition is considered to be a potential degradation of the level of safety of the plant.

As used in this EAL, required" means the vital DC buses necessary to support operation of the in-service, or operable, train or trains of SAFETY SYSTEM equipment. For example, if Train A is out-of-service (inoperable) for scheduled outage maintenance work and Train B is in-service (operable), then a loss of Vital DC power affecting Train B would require the declaration of an Unusual Event. A loss of Vital DC power to Train A would not warrant an emergency classification.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Depending upon the event, escalation of the emergency classification level would be via IC CA1 or CAS, or an IC in Recognition Category R.

PVNGS Basis Reference(s):

1. Drawing 01-E-PKA-001, Main Single Line Diagram 125V DC Class IE and 120VAC Vital Inst Power System
2. UFSAR Section 8.3.2, DC Power Systems
3. Calculation 01-EC-PK-0207, DC Battery Sizing and Minimum Voltage
4. NEI 99-01, CU4 Page 89 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 192 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 5 - Loss of Communications Initiating Condition: Loss of ail onsite or offsite communications capabilities EAL:

CU5.1 Unusual Event Loss of all Table C-5 onsite communication methods OR Loss of all Table C-5 Offsite Response Organization (ORO) communication methods Loss of all Table C-5 NRC communication methods Table C-5 Communication Methods System Onsite ORO NRC PBX X X X Plant Page X Two-Way Radio X FTS (ENS) X Telephone Ringdown Circuits (NAN) X Cellular Phones X X Mode Applicability:

5 - Cold Shutdown, 6 - Refueling, D - Defueled Definition(s):

None Basis:

Onsite, offsite and NRC communications include one or more of the systems listed in Table C-5 (ref. 1,2).

1. PBX Onsite emergency telephone lines are divided among three onsite EPABX switches. Each EPABX switch is provided with a backup battery for reliability.

Page 90 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 193 of 332 ATTACHMENT 1 EAL Technical Bases This system will function during emergencies as it does during normal operations. Telephones have the capability of trunk access (via local provider) and the APS owned private communications system which provides direct dial capabilities to the entire APS voice system via the company owned private communications system. The PVNGS telephone EPABX Systems through which all PVNGS telephone calls pass, are equipped with uninterruptible power supplies (battery chargers and batteries) and dedicated priority switching to ensure the reliability of the telephone system. The PVNGS EPABXs are the primary links for PVNGS phones. There are also administratively dedicated lines for the CR, STSC, TSC, EOF and OSC.

S'. 2. Plant (Area) Paging The area paging system provides a reliable means of notifying and providing instructions to onsite personnel. Access to this system is through the EPABX system telephones by use of dedicated numbers.

3. Two-Way Radios PVNGS operates a trunked radio system, with separate talk groups available for departments such as Operations, Security, Fire Protection, Radiation Protection, Emergency Preparedness, the Water Reclamation Facility, etc. This system includes base station consoles at various locations and emergency facilities throughout the site. Some of the radios used during emergencies are portable radios at various site locations, mobile radios in the RFAT vehicles and base station consoles at the TSC, EOF, Unit OSCs, Unit STSCs and Unit Control Rooms. PVNGS Fire Protection also maintains radios that are used to contact the air ambulance service to provide landing instructions.
4. FTS(ENS)

The NRC Emergency Notification System (ENS) is an FTS telephone used for official communications with NRC Headquarters. The NRC Headquarters has the capability to patch into the NRC Regional offices. The primary purpose of this phone is to provide a reliable method for the initial notification of the NRC and to maintain continuous communications with the NRC after initial notification. ENS telephones are located in the Control Room, TSC and EOF.

5. Telephone Ringdown Circuits (NAN)

These voice circuits serve as a primary communications link for providing technical information to offsite agencies, public information communications and the communication of protective action recommendations to offsite authorities.

6. Cellular Phones Each STSC, the TSC and EOF have a cellular phone to provide additional independent lines of communication.

This EAL is the cold condition equivalent of the hot condition EAL SU7.1.

Page 91 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 194 of 332 ATTACHMENT 1 EAL Technical Bases This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OROs and the NRC.

This IC should be assessed only when extraordinary means are being utilized to make communications possible (e.g., use of non-plant, privately owned equipment, relaying of on-site information via individuals or multiple radio transmission points, individuals being sent to offsite locations, etc.).

The first EAL condition addresses a total loss of the communications methods used in support of routine plant operations.

The second EAL condition addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the State and Maricopa County EOCs.

The third condition addresses a total loss of the communications methods used to notify the NRC of an emergency declaration.

PVNGS Basis Reference(s):

1. PVNGS Emergency Plan, Section 7.2 Communications Systems
2. UFSAR Section 9.5.2, Communication Systems
3. NEI 99-01, CU5 Page 92 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 195 of 332 ATTACHMENT 1 EAL Technical Bases Category: C - Cold Shutdown / Refueling System Malfunction Subcategory: 6 - Hazardous Event Affecting Safety Systems Initiating Condition: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode EAL:

CA6.1 Alert The occurrence of any Table C-6 hazardous event AND EITHER:

  • Event damage has caused indications of degraded performance in at least one train of a SAFETY SYSTEM needed for the current operating mode
  • The event has caused VISIBLE DAMAGE to a SAFETY SYSTEM component or structure needed for the current operating mode Table C-6 Hazardous Events Seismic event (earthquake)

Internal or external FLOODING event High winds or tornado strike FIRE EXPLOSION Other events with similar hazard characteristics as determined by the Shift Manager Mode Applicability:

5 - Cold Shutdown, 6 - Refueling Definition(s):

EXPLOSION - A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to determine if the attributes of an explosion are present.

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

Page 93 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 196 of 332 ATTACHMENT 1 EAL Technical Bases SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10 CFR 50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

VISIBLE DAMAGE - Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure.

Basis:

Refer to Attachment 4 for a list of Palo Verde SAFETY SYTEMS (ref. 5).

This 1C addresses a hazardous event that causes damage to a SAFETY SYSTEM, or a structure containing SAFETY SYSTEM components, needed for the current operating mode. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier and therefore represents an actual or potential substantial degradation of the level of safety of the plant.

The first conditional addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

The second conditional addresses damage to a SAFETY SYSTEM component that is not in service/operation or readily apparent through indications alone, or to a structure containing SAFETY SYSTEM components. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage.

The significance of seismic events are discussed under EAL HU2.1. Annunciator 7C14A, SEISMIC OCCURRENCE will illuminate if the seismic instrument detects ground motion in excess of the seismic EVENT trigger threshold (ref. 1).

Internal FLOODING may be caused by events such as component failures, equipment misalignment, or outage activity mishaps.

High winds in excess of design (105 mph) or tornado strikes can cause significant structural damage (ref. 4).

Areas containing functions and systems required for safe shutdown of the plant are identified by fire area (ref. 2).

  • An explosion that degrades the performance of a SAFETY SYSTEM train or visibly damages a SAFETY SYSTEM component or structure would be classified under this EAL.

Escalation of the emergency classification level would be via 1C CS1 or RSI.

Page 94 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 197 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ21, Acfs of Nature
2. UFSAR Table 3-2.1, Quality Classification of Structures, Systems and Components
3. UFSAR Section 2.4.2.2.1, Offsite Flood Design Considerations
4. UFSAR Section 2.3.1.2.3, Extreme Winds
5. Attachment 4 - Palo Verde Safety Systems
6. NEI 99-01, CA6 Page 95 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 198 of 332 ATTACHMENT 1 EAL Technical Bases Category H - Hazards and Other Conditions Affecting Plant Safety EAL Group: ANY (EALs in this category are applicable to any plant condition, hot or cold.)

Hazards are non-plant, system-related events that can directly or indirectly affect plant operation, reactor plant safety or personnel safety.

1. Security Unauthorized entry attempts into the Plant Protected Area, bomb threats, sabotage attempts and actual security compromises threatening loss of physical control of the plant.
2. Seismic Event Natural events such as earthquakes have potential to cause plant structure or equipment damage of sufficient magnitude to threaten personnel or plant safety.
3. Natural or Technology Hazard Other natural and non-naturally occurring events that can cause damage to plant facilities include tornados, FLOODING, hazardous material releases and events restricting site access v/arranting classification.
4. Fire Fires can pose significant hazards to personnel and reactor safety. Appropriate for classification are fires within the Plant Protected Area or which may affect operability of equipment needed for safe shutdown
5. Hazardous Gas Toxic, corrosive, asphyxiant or flammable gas leaks can affect normal plant operations or preclude access to plant areas required to safely shutdown the plant.
6. Control Room Evacuation Events that are indicative of loss of Control Room habitability. If the Control Room must be evacuated, additional support for monitoring and controlling plant functions is necessary through the emergency response facilities.
7. Emergency Coordinator Judgment The EALs defined in other categories specify the predetermined symptoms or events that are indicative of emergency or potential emergency conditions and thus warrant classification. While these EALs have been developed to address the full spectrum of possible emergency conditions which may warrant classification and subsequent implementation of the Emergency Plan, a provision for classification of emergencies based on operator/management experience and judgment is still necessary. The EALs of this category provide the Emergency Coordinator the latitude to classify emergency conditions consistent with the established classification criteria based upon Emergency Coordinator judgment.

Page 96 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 199 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards Subcategory: 1 - Security Initiating Condition: Confirmed SECURITY CONDITION or threat EAL:

HU1.1 Unusual Event A SECURITY CONDITION that does not involve a HOSTILE ACTION as reported by the Security Shift Supervision OR Notification of a credible security threat directed at the site OR A validated notification from the NRC providing information of an aircraft threat Mode Applicability:

All Definition(s):

SECURITY CONDITION - Any security event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A security condition does not involve a hostile action.

HOSTILE ACTION - An act toward PVNGS or its personnel that includes the use of violent force to destroy equipment, take hostages and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on PVNGS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

Basis:

This EAL is based on the PVNGS Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program (ref. 1).

Page 97 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 200 of 332 ATTACHMENT 1 EAL Technical Bases This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment and thus represent a potential degradation in the level of plant safety. Security events which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR 73.71 or 10 CFR 50.72. Security events assessed as HOSTILE ACTIONS are classifiable under ICs HA1 and HS1.

Timely and accurate communications between the Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Classification of these events will initiate appropriate threat-related notifications to plant personnel and Offsite Response Organizations.

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

The first threshold references the Security Shift Supervision because these are the individuals trained to confirm that a security event is occurring or has occurred. Training on security event confirmation and classification is controlled due to the nature of Safeguards and 10 CFR 2.39 information.

The second threshold addresses the receipt of a credible security threat. The credibility of the threat is assessed in accordance with the PVNGS Security Plan.

The third threshold addresses the threat from the impact of an aircraft on the plant. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may also be provided by NORAD through the NRC.

Validation of the threat is performed in accordance with the PVNGS Security Plan (ref 1).

Emergency plans and implementing procedures are public documents: therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the PVNGS Security Plan (ref 1).

Escalation of the emergency classification level would be via IC HA1.

PVNGS Basis Reference(s):

1. PVNGS Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program (Safeguards)
2. NEI 99-01, HU1 Page 98 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 201 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards Subcategory: 1 - Security Initiating Condition: Hostile action within the SECURED OWNER CONTROLLED AREA or airborne attack threat within 30 minutes EAL:

HA1.1 Alert A HOSTILE ACTION is occurring or has occurred within the SECURED OWNER CONTROLLED AREA as reported by the Security Shift Supervision OR A validated notification from NRC of an aircraft attack threat within 30 minutes of the site Mode Applicability:

All Definition(s):

HOSTILE ACTION - An act toward PVNGS or its personnel that includes the use of violent force to destroy equipment, take hostages and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on PVNGS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

SECURED OWNER CONTROLLED AREA - An area encompassed by physical barriers to which access is controlled.

Basis:

This IC addresses the occurrence of a HOSTILE ACTION within the SECURED OWNER CONTROLLED AREA or notification of an aircraft attack threat. This event will require rapid response and assistance due to the possibility of the attack progressing to the PLANT PROTECTED AREA, or the need to prepare the plant and staff for a potential aircraft impact.

Timely and accurate communications between the Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 1).

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g., evacuation, dispersal or sheltering).

The Alert declaration will also heighten the awareness of Offsite Response Organizations (OROs), allowing them to be better prepared should it be necessary to consider further actions.

Page 99 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 202 of 332 ATTACHMENT 1 EAL Technical Bases This IC does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc.

Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR 73.71 or 10 CFR 50.72.

The first threshold is applicable for any HOSTILE ACTION occurring, or that has occurred, in the SECURED OWNER CONTROLLED AREA. This includes any action directed against an ISFSI that is located outside the PLANT PROTECTED AREA.

The second threshold addresses the threat from the impact of an aircraft on the plant and the anticipated arrival time is within 30 minutes. The intent of this EAL is to ensure that threat-related notifications are made in a timely manner so that plant personnel and OROs are in a heightened state of readiness. This EAL is met when the threat-related information has been validated in accordance with security procedures.

The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may be provided by NORAD through the NRC.

In some cases, it may not be readily apparent if an aircraft impact within the SECURED OWNER CONTROLLED AREA was intentional (i.e., a HOSTILE ACTION). It is expected, although not certain, that notification by an appropriate Federal agency to the site would clarify this point. In this case, the appropriate federal agency is intended to be NORAD, FBI, FAA or NRC. The emergency declaration, including one based on other ICs/EALs, should not be unduly delayed while awaiting notification by a Federal agency.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the PVNGS Security Plan (ref. 1).

Escalation of the emergency classification level would be via IC HS1.

PVNGS Basis Reference(s):

1. PVNGS Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program (Safeguards)
2. NEI 99-01, HA1 Page 100 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 203 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards Subcategory: 1 - Security Initiating Condition: Hostile Action within the PLANT PROTECTED AREA EAL:

HS1.1 Site Area Emergency A HOSTILE ACTION is occurring or has occurred within the PLANT PROTECTED AREA as reported by the Security Shift Supervision Mode Applicability:

All Definition(s):

HOSTILE ACTION - An act toward PVNGS or its personnel that includes the use of violent force to destroy equipment, take hostages and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on PVNGS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

PLANT PROTECTED AREA - An area, located within the PVNGS Exclusion Area Boundary, encompassed by physical barriers and to which access is controlled per 10 CFR 73.55. The PVNGS Plant Protected Area and the ISFSI Protected Area are two Protected Areas located within the PVNGS OWNER CONTROLLED AREA.

Basis:

This IC addresses the occurrence of a HOSTILE ACTION within the PROTECTED AREA. This event will require rapid response and assistance due to the possibility for damage to plant equipment.

Timely and accurate communications between the Security Shift Supervision and the Control Room is essential for proper classification of a security-related event (ref. 1).

Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program.

As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g., evacuation, dispersal or sheltering).

The Site Area Emergency declaration will mobilize Offsite Response Organization (ORO) resources and have them available to develop and implement public protective actions in the unlikely event that the attack is successful in impairing multiple safety functions.

This IC does not apply to a HOSTILE ACTION directed at an ISFSI PROTECTED AREA located outside the PLANT PROTECTED AREA; such an attack should be assessed using IC HA1. It also does not apply to incidents that are accidental events, acts of civil disobedience.

Page 101 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 204 of 332 ATTACHMENT 1 EAL Technical Bases or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR 73.71 or 10 CFR 50.72.

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the PVNGS Security Plan (ref. 1).

PVNGS Basis Reference(s):

1. PVNGS Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Independent Spent Fuel Storage Installation Security Program (Safeguards)
2. NEI 99-01, HS1 Page 102 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 205 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 2 - Seismic Event Initiating Condition: Seismic event greater than OBE levels EAL:

HU2.1 Unusual Event Seismic event > OBE as indicated on Control Panel A-J-SMN-C01 Mode Applicability:

All Definition(s):

None Basis:

Five Force Balance Accelerometer units are installed within Unit 1 structures and one is installed in the Free Field area south of Unit 1.

Peak ground motion acceleration of 0.1 Og horizontal or vertical is the Operating Basis Earthquake for PVNGS (ref. 1). OBE is detected and analyzed by Free Field Accelerometer Sensor #6 (AJSMNXT0006) only.

Annunciator 7C14A, SEISMIC OCCURRENCE, will illuminate if the seismic instrument detects ground motion in excess of the seismic EVENT trigger threshold (ref. 1,2).

Unit 1 Control Panel A-J-SMN-C01 provides both red EVENT and yellow OBE LED indications (ref. 1,2). Peak acceleration levels can also be determined using the graphic user interface display screen (ref. 4).

Procedure 40AO-9ZZ21, Acts of Nature, provides the guidance should the OBE earthquake threshold be exceeded and any required response actions (ref. 3, 4).

To avoid inappropriate emergency classification resulting from spurious actuation of the seismic instrumentation or felt motion not attributable to seismic activity, an offsite agency (USGS, National Earthquake Information Center) can confirm that an earthquake has occurred in the area of the plant. Such confirmation should not, however, preclude a timely emergency declaration based on receipt of the OBE alarm. The NEIC can be contacted by calling the number listed in procedure 40AO-9ZZ21. Select option #1 and inform the analyst you wish to confirm recent seismic activity in the vicinity of PVNGS. If requested, provide the analyst with the following PVNGS Unit 1 coordinates: 33° 23' 23" north latitude, 112° 5T 43" west longitude (ref. 5).

Alternatively, near real-time seismic activity can be accessed via the NEIC vjebs\te:http://earthquake.usgs.gov/earthquakes/clyfi/archives.php Page 103 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 206 of 332 ATTACHMENT 1 EAL Technical Bases This IC addresses a seismic event that results in accelerations at the plant site greater than those specified for an Operating Basis Earthquake (OBE). An earthquake greater than an OBE but less than a Safe Shutdown Earthquake (SSE) should have no significant impact on safety-related systems, structures and components; however, some time may be required for the plant staff to ascertain the actual post-event condition of the plant (e.g., performs walk-downs and post-event inspections). Given the time necessary to perform walk-downs and inspections and fully understand any impacts, this event represents a potential degradation of the level of safety of the plant.

Event verification with external sources should not be necessary during or following an OBE.

Earthquakes of this magnitude should be readily felt by on-site personnel and recognized as a seismic event (e.g., lateral accelerations in excess of O.IOg). The Shift Manager or Emergency Coordinator may seek external verification if deemed appropriate (e.g., a call to the USGS, check internet news sources, etc.); however, the verification action must not preclude a timely emergency declaration.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

PVNGS Basis Reference(s):

1. UFSAR Section 2.5.2.7, Operating Basis Earthquakes
2. Procedure 40AL-9RK7C, Panel C07C Alarm Response 7C14A Seismic Occurrence
3. Procedure 40AO-9ZZ21, Acts of Nature
4. Procedure 79IS-9SM01, Analysis of Seismic Event 5 UFSAR Table 2.1-1, Containment Building Centerlines
6. NEI 99-01, HU2 Page 104 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 207 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event EAL:

HU3.1 Unusual Event A tornado strike within the PLANT PROTECTED AREA Mode Applicability:

All Definition(s):

PLANT PROTECTED AREA - An area, located within the PVNGS Exclusion Area Boundary, encompassed by physical barriers and to which access is controlled per 10 CFR 73.55. The PVNGS Plant Protected Area and the ISFSI Protected Area are two Protected Areas located within the PVNGS OWNER CONTROLLED AREA.

Basis:

Response actions associated with a tornado onsite is provided in procedure 40AO-9ZZ21, Acfs of Nature (ref. 1).

If damage is confirmed visually or by other in-plant indications, the event may be escalated to an Alert under EAL CA6.1 or SA9.1.

A tornado striking (touching down) within the PLANT PROTECTED AREA warrants declaration of an Unusual Event regardless of the measured wind speed at the meteorological tower. A tornado is defined as a violently rotating column of air in contact with the ground and extending from the base of a thunderstorm.

This 1C addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

EAL HU3.1 addresses a tornado striking (touching down) within the PLANT PROTECTED AREA.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, SorC.

PVNGS Basis Reference(s):

1. Procedure 40AO-97721, Acts of Nature
2. UFSAR Section 2.3.1.2.3, Extreme Winds
2. NEI 99-01, HU3 Page 105 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 208 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event EAL:

HU3.2 Unusual Event Internal room or area FLOODING of a magnitude sufficient to require manual or automatic electrical isolation of a SAFETY SYSTEM component needed for the current operating mode Mode Applicability:

All Definition(s):

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10 CFR 50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure; (1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Basis:

This 1C addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

This EAL addresses FLOODING of a building room or area that results in operators isolating power to a SAFETY SYSTEM component due to water level or other wetting concerns.

Classification is also required if the water level or related wetting causes an automatic isolation of a SAFETY SYSTEM component from its power source (e.g., a breaker or relay trip). To warrant classification, operability of the affected component must be required by Technical Specifications for the current operating mode.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, SorC.

PVNGS Basis Reference(s):

1. NEI 99-01, HU3 Page 106 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 209 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event EAL:

HU3.3 Unusual Event Movement of personnel within the PLANT PROTECTED AREA is IMPEDED due to an offsite event involving hazardous materials (e.g., an offsite chemical spill or toxic gas release)

Mode Applicability:

All Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

PLANT PROTECTED AREA - An area, located within the PVNGS Exclusion Area Boundary, encompassed by physical barriers and to which access is controlled per 10 CFR 73.55. The PVNGS Plant Protected Area and the ISFSI Protected Area are two Protected Areas located within the PVNGS OWNER CONTROLLED AREA.

Basis:

As used here, the term "offsite" is meant to be areas external to the PVNGS PLANT PROTECTED AREA.

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

This EAL addresses a hazardous materials event originating at an offsite location and of sufficient magnitude to impede the movement of personnel within the PLANT PROTECTED AREA.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, SorC.

PVNGS Basis Reference(s):

1. NEI 99-01, HU3 Page 107 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 210 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 3 - Natural or Technology Hazard Initiating Condition: Hazardous event EAL:

HU3.4 Unusual Event A hazardous event that results in on-site conditions sufficient to prohibit the plant staff from accessing the site via personal vehicles (Note 7)

Note 7; This EAL does not apply to routine traffic impediments such as fog, snow, ice, or vehicle breakdowns or accidents.

Mode Applicability:

All Definition(s):

None Basis:

This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant.

This EAL addresses a hazardous event that causes an on-site impediment to vehicle movement and significant enough to prohibit the plant staff from accessing the site using personal vehicles.

Examples of such an event include site FLOODING caused by a hurricane, heavy rains, up-river water releases, dam failure, etc., or an on-site train derailment blocking the access road.

This EAL is not intended apply to routine impediments such as fog, snow, ice, or vehicle breakdowns or accidents, but rather to more significant conditions such as the Hurricane Andrew strike on Turkey Point in 1992, the flooding around the Cooper Station during the Midwest floods of 1993, or the flooding around Ft. Calhoun Station in 2011.

Escalation of the emergency classification level would be based on ICs in Recognition Categories R, F, SorC.

PVNGS Basis Reference(s):

1. NEI 99-01, HU3 Page 108 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 211 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 - Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant EAL; HU4.1 Unusual Event A FIRE is not extinguished within 15 minutes of any of the following FIRE detection indications (Note 1):

  • Report from the field (i.e., visual observation)
  • Receipt of multiple (more than 1) fire alarms or indications
  • Field verification of a single fire alarm AND The FIRE is located within any Table H-1 area Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table H-1 Fire Areas

  • Containment
  • Auxiliary Building
  • Control Building
  • Diesel Generator Building
  • Diesel Generator Fuel Oil Storage Tanks
  • Fuel Building
  • Refueling Water Tank
  • Condensate Storage Tank Mode Applicability:

All Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

Basis:

The 15 minute requirement begins with a credible notification that a fire is occurring, or receipt of multiple valid fire detection system alarms or field validation of a single fire alarm. The alarm is to be validated using available Control Room indications or alarms to prove that it is not Page 109 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 212 of 332 ATTACHMENT 1 EAL Technical Bases spurious, or by reports from the field. Actual field reports must be made within the 15 minute time limit or a classification must be made.

Table H-1 Fire Areas are based on UFSAR Table 3.2-1 Quality Classification of Structures, Systems and Components. Table H-1 Fire Areas include those structures containing functions and systems required for safe shutdown of the plant (SAFETY SYSTEMS) (ref. 1).

This 1C addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

For EAL HU4.1 the intent of the 15-minute duration is to size the FIRE and to discriminate against small FIRES that are readily extinguished (e.g., smoldering waste paper basket). In addition to alarms, other indications of a FIRE could be a drop in fire main pressure, automatic activation of a suppression system, etc.

Upon receipt, operators will take prompt actions to confirm the validity of an initial fire alarm, indication, or report. For EAL assessment purposes, the emergency declaration clock starts at the time that the initial multiple alarms, indication, or report was received and not the time that a subsequent verification action was performed. If only a single indication is available to the Control Room staff, the emergency declaration clock starts at the time a field report is given that validates the existence. Similarly, the fire duration clock also starts at the time of receipt of the initial multiple alarms, indication or report.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via 1C CA6 or SA9.

PVNGS Basis Reference(s):

1. UFSAR Table 3.2-1, Quality Classification of Structures, Systems and Components
2. NEI 99-01, HU4 Page 110 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 213 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 - Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant EAL:

HU4.2 Unusual Event Receipt of a single fire alarnn (i.e., no other indications of a FIRE)

AND The fire alarm is indicating a FIRE within any Table H-1 area AND The existence of a FIRE is not verified within 30 minutes of alarm receipt (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table H-1 Fire Areas

  • Containment
  • Auxiliary Building
  • Control Building
  • Diesel Generator Building
  • Diesel Generator Fuel Oil Storage Tanks
  • Fuel Building
  • Refueling Water Tank
  • Condensate Storage Tank Mode Applicability:

All Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

Basis:

The 30 minute requirement begins upon receipt of a single valid fire detection system alarm. The alarm is to be validated using available Control Room indications or alarms to prove that it is not spurious, or by reports from the field. Actual field reports must be made within the 30 minute time limit or a classification must be made. If a fire is verified to be occurring by field report, classification shall be made based on EAL HU4.1.

Page 111 of230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 214 of 332 ATTACHMENT 1 EAL Technical Bases Table H-1 Fire Areas are based on UFSAR Table 3.2-1 Quality Classification of Structures, Systems and Components. Table H-1 Fire Areas include those structures containing functions and systems required for safe shutdown of the plant (SAFETY SYSTEMS) (ref. 1).

This 1C addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

This EAL addresses receipt of a single fire alarm and the existence of a FIRE is not verified (i.e.,

proved or disproved) within 30-minutes of the alarm. Upon receipt, operators will take prompt actions to confirm the validity of a single fire alarm. For EAL assessment purposes, the 30-minute clock starts at the time that the initial alarm was received and not the time that a subsequent verification action was performed.

A single fire alarm, absent other indication(s) of a FIRE, may be indicative of equipment failure or a spurious activation and not an actual FIRE. For this reason, additional time is allowed to verify the validity of the alarm. The 30-minute period is a reasonable amount of time to determine if an actual FIRE exists; however, after that time and absent information to the contrary, it is assumed that an actual FIRE is in progress.

If an actual FIRE is verified by a report from the field, then HU4.1 is immediately applicable and the emergency must be declared if the FIRE is not extinguished within 15-minutes of the report.

If the alarm is verified to be due to an equipment failure or a spurious activation and this verification occurs within 30-minutes of the receipt of the alarm, then this EAL is not applicable and no emergency declaration is warranted.

Basis-Related Requirements from Appendix R Appendix R to 10 CFR 50, states in part:

Criterion 3 of Appendix A to this part specifies that Structures, systems and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions.

When considering the effects of fire, those systems associated with achieving and maintaining safe shutdown conditions assume major importance to safety because damage to them can lead to core damage resulting from loss of coolant through boil-off.

Because fire may affect safe shutdown systems and because the loss of function of systems used to mitigate the consequences of design basis accidents under post-fire conditions does not per se impact public safety, the need to limit fire damage to systems required to achieve and maintain safe shutdown conditions is greater than the need to limit fire damage to those systems required to mitigate the consequences of design basis accidents.

In addition, Appendix R to 10 CFR 50, requires, among other considerations, the use of 1-hour fire barriers for the enclosure of cable and equipment and associated non-safety circuits of one redundant train (G.2.c). As used in HU4.2, the 30-minutes to verify a single alarm is well within this worst-case 1-hour time period.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via 1C CA6 or SA9.

Page 112 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 215 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. UFSAR Table 3.2-1, Quality Classification of Structures, Systems and Components
2. NEI 99-01, HU4 Page 113 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 216 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 - Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant EAL:

HU4.3 Unusual Event A FIRE \within the PLANT PROTECTED AREA or ISFSI PROTECTED AREA not extinguished within 60 minutes of the initial report, alarm or indication (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

All Definition(s):

F/RE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

INDEPENDENT SPENT FUEL STORAGE INSTALLATION (ISFSI) - A complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage.

PLANT or ISFSI PROTECTED AREA - An area, located within the PVNGS Exclusion Area Boundary, encompassed by physical barriers and to which access is controlled per 10 CFR 73.55. The PVNGS Plant Protected Area and the ISFSI Protected Area are two Protected Areas located within the PVNGS OWNER CONTROLLED AREA.

Basis:

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

In addition to a FIRE addressed by EAL HU4.1 or HU4.2, a FIRE within the PLANT PROTECTED AREA not extinguished within 60-minutes may also potentially degrade the level of plant safety.

This basis extends to a FIRE occurring within the ISFSI PROTECTED AREA .

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

PVNGS Basis Reference(s):

1. NEI 99-01, HU4 Page 114 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 217 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 4 - Fire Initiating Condition: FIRE potentially degrading the level of safety of the plant EAL:

HU4.4 Unusual Event A FIRE within the PLANT PROTECTED AREA or ISFSI PROTECTED AREA that requires firefighting support by an offsite fire response agency to extinguish Mode Applicability:

All Definition(s):

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

INDEPENDENT SPENT FUEL STORAGE INSTALLATION (ISFSI): A complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage.

PLANT or ISFSI PROTECTED AREA - An area, located within the PVNGS Exclusion Area Boundary, encompassed by physical barriers and to which access is controlled per 10 CFR 73.55. The PVNGS Plant Protected Area and the ISFSI Protected Area are two Protected Areas located within the PVNGS OWNER CONTROLLED AREA.

Basis:

This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant.

If a FIRE within the PLANT or ISFSI PROTECTED AREA is of sufficient size to require a response by an offsite firefighting agency (e.g., a local town Fire Department), then the level of plant safety is potentially degraded. The dispatch of an offsite firefighting agency to the site requires an emergency declaration only if it is needed to actively support firefighting efforts because the fire is beyond the capability of the Onsite Fire Department to extinguish. Declaration is not necessary if the agency resources are placed on stand-by, or supporting post extinguishment recovery or investigation actions.

Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or SA9.

PVNGS Basis Reference(s):

1. NEI 99-01, HU4 Page 115 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 218 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 5 - Hazardous Gases Initiating Condition: Gaseous release IMPEDING access to equipment necessary for normal plant operations, cooldown or shutdown EAL:

HA5.1 Alert Release of a toxic, corrosive, asphyxiant or flammable gas into any Table H-2 rooms AND Entry into the room is prohibited or IMPEDED (Note 5)

Note 5: If the equipment in the listed room was already inoperable or out-of-service before the event occurred, then no emergency classification is warranted.

Table H-2 Safe Operation & Shutdown Rooms Room Mode Applicability Control Building 100 ft. Class DC Equipment Room C 4,5 Control Building 100 ft. Class DC Equipment Room D 4,5 Mode Applicability:

4 - Hot Shutdown, 5 - Cold Shutdown Definition(s):

IMPEDE(D) - Personnel access to a room or area is hindered to an extent that extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

Basis:

If the equipment in the listed room was already inoperable, or out-of-service, before the event occurred, then no emergency should be declared since the event will have no adverse impact beyond that already allowed by Technical Specifications at the time of the event.

The list of plant rooms with entry-related mode applicability identified specify those rooms that contain equipment which require a manual/local action as specified in operating procedures used for normal plant operation, cooldown and shutdown. Rooms or areas in which actions of a contingent or emergency nature would be performed (e.g., an action to address an off-normal or emergency condition such as emergency repairs, corrective measures or emergency operations) are not included. In addition, the list specifies the plant mode(s) during which entry would be required for each room or area (ref. 1).

This IC addresses an event involving a release of a hazardous gas that precludes or impedes access to equipment necessary to maintain normal plant operation, or required for a normal plant cooldown and shutdown. This condition represents an actual or potential substantial degradation of the level of safety of the plant.

Page 116 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 219 of 332 ATTACHMENT 1 EAL Technical Bases An Alert declaration is warranted if entry into the affected room/area is, or may be, procedurally required during the plant operating mode in effect at the time of the gaseous release. The emergency classification is not contingent upon whether entry is actually necessary at the time of the release.

Evaluation of the IC and EAL do not require atmospheric sampling; it only requires the Emergency Coordinators judgment that the gas concentration in the affected room/area is sufficient to preclude or significantly impede procedurally required access. This judgment may be based on a variety of factors including an existing job hazard analysis, report of ill effects on personnel, advice from a subject matter expert or operating experience with the same or similar hazards. Access should be considered as impeded if extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring use of protective equipment, such as SCBAs, that is not routinely employed).

An emergency declaration is not warranted if any of the following conditions apply:

  • The plant is in an operating mode different than the mode specified for the affected room/area (i.e., entry is not required during the operating mode in effect at the time of the gaseous release). For example, the plant is in Mode 1 when the gaseous release occurs and the procedures used for normal operation, cooldown and shutdown do not require entry into the affected room until Mode 4.
  • The gas release is a planned activity that includes compensatory measures which address the temporary inaccessibility of a room or area (e.g., fire suppression system testing).
  • The action for which room/area entry is required is of an administrative or record keeping nature (e.g., normal rounds or routine inspections).
  • The access control measures are of a conservative or precautionary nature and would not actually prevent or impede a required action.

An asphyxiant is a gas capable of reducing the level of oxygen in the body to dangerous levels.

Most commonly, asphyxiants work by merely displacing air in an enclosed environment. This reduces the concentration of oxygen below the normal level of around 19%, which can lead to breathing difficulties, unconsciousness or even death.

This EAL does not apply to firefighting activities that automatically or manually activate a fire suppression system in an area.

Escalation of the emergency classification level would be via Recognition Category R, C or F ICs.

NOTE: EAL HA5.1 mode applicability has been limited to the applicable modes identified in Table H-2 Safe Operation & Shutdown Rooms/Areas. If due to plant operating procedure or plant configuration changes, the applicable plant modes specified in Table H-2 are changed, a corresponding change to Attachment 3 Safe Operation & Shutdown Areas Tables R-2 & H-2 Bases and to EAL HAS mode applicability is required.

PVNGS Basis Reference(s):

1. Attachment 3 - Safe Operation & Shutdown Areas Tables R-3 & H-2 Bases
2. NEI 99-01, HAS Page 117 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 220 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 6 - Control Room Evacuation Initiating Condition: Control Room evacuation resulting in transfer of plant control to alternate locations EAL:

HA6.1 Alert An event has resulted in plant control being transferred from the Control Room to the Remote Shutdown Panel (RSP)

Mode Applicability:

All Definition(s):

None Basis:

The Control Room Supervisor (CRS) determines if the Control Room is uninhabitable and requires evacuation. Control Room inhabitability may be caused by fire, dense smoke, noxious fumes, bomb threat in or adjacent to the Control Room, or other life threatening conditions.

Procedure 40AO-9ZZ18, Shutdown Outside the Control Room, provides the instructions for bringing the unit to Mode 5, Cold Shutdown, if the Control Room has been determined to be uninhabitable for any reason other than fire (Ref. 1).

Procedure 40AO-9ZZ19, Control Room Fire, provides the instructions for bringing the unit to Mode 5, Cold Shutdown, if the Control Room has been determined to be uninhabitable due to a fire (Ref. 2).

Inability to establish plant control from outside the Control Room escalates this event to a Site Area Emergency per EAL HS6.1.

This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations outside the Control Room. The loss of the ability to control the plant from the Control Room is considered to be a potential substantial degradation in the level of plant safety.

Following a Control Room evacuation, control of the plant will be transferred to alternate shutdown locations. The necessity to control a plant shutdown from outside the Control Room, in addition to responding to the event that required the evacuation of the Control Room, will present challenges to plant operators and other on-shift personnel. Activation of the ERO and emergency response facilities will assist in responding to these challenges.

Escalation of the emergency classification level would be via IC HS6.

Page 118 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 221 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ18, Shutdown Outside the Control Room
2. Procedure 40AO-9ZZ19, Control Room Fire
3. NEI 99-01, HA6 Page 119 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 222 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 6 - Control Room Evacuation Initiating Condition: Inability to control a key safety function from outside the Control Room EAL:

HS6.1 Site Area Emergency An event has resulted in plant control being transferred from the Control Room to the Remote Shutdown Panel (RSP)

AND Control of any of the following key safety functions is not re-established within 15 minutes (Note 1):

  • Reactivity Control (Modes 1,2 and 3 only)
  • Core Heat Removal
  • RCS Heat Removal Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown, 5 - Cold Shutdown, 6 - Refueling Definition(s):

None Basis:

The Control Room Supervisor (CRS) determines if the Control Room is uninhabitable and requires evacuation. Control Room inhabitability may be caused by fire, dense smoke, noxious fumes, bomb threat in or adjacent to the Control Room, or other life threatening conditions.

Procedure 40AO-9ZZ18, Shutdown Outside the Control Room, provides the instructions for tripping the unit and maintaining RCS inventory and Hot Shutdown conditions from outside the Control Room due to reasons other than fire (Ref. 1).

Procedure 40AO-9ZZ19, Control Room Fire, provides the instructions for tripping the unit and maintaining RCS inventory and Hot Shutdown conditions from outside the Control Room due to a fire (Ref. 2).

The intent of this EAL is to capture events in which control of the plant cannot be reestablished in a timely manner. The 15 minute time for transfer starts when the Control Room is evacuated (when CRS leaves the Control Room, not when procedures 40AO-9ZZ18 or 40AO-9ZZ19 are entered). The time interval is based on how quickly control must be reestablished without core uncovery and/or core damage. The determination of whether or not control is established from outside the Control Room is based on Emergency Coordinator judgment. The Emergency Coordinator is expected to make a reasonable, informed judgment that control of the plant from outside the Control Room cannot be established within the 15 minute interval.

Page 120 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 223 of 332 ATTACHMENT 1 EAL Technical Bases Once the Control Room is evacuated, the objective is to establish control of important plant equipment and maintain knowledge of important plant parameters in a timely manner. Primary emphasis should be placed on components and instruments that supply protection for and information about safety functions. Typically, these safety functions are reactivity control (ability to shutdown the reactor and maintain it shutdown), RCS inventory (ability to cool the core) and secondary heat removal (ability to maintain a heat sink).

This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations and the control of a key safety function cannot be reestablished in a timely manner. The failure to gain control of a key safety function following a transfer of plant control to alternate locations is a precursor to a challenge to one or more fission product barriers within a relatively short period of time.

The determination of whether or not control is established at the remote safe shutdown location(s) is based on Emergency Coordinator judgment. The Emergency Coordinator is expected to make a reasonable, informed judgment within 15 minutes whether or not the operating staff has control of key safety functions from the remote safe shutdown location(s).

Escalation of the emergency classification level would be via IC FG1 or CGI PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ18, Shutdown Outside the Control Room
2. Procedure 40AO-9ZZ19, Control Room Fire
3. NEI 99-01, HS6 Page 121 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 224 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - Emergency Coordinator Judgment Initiating Condition: Other conditions existing that in the judgment of the Emergency Coordinator warrant declaration of a UE EAL:

HU7.1 Unusual Event Other conditions exist which in the Judgment of the Emergency Coordinator indicate that events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated.

No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs.

Mode Applicability:

All Definition(s):

None Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the PVNGS Emergency Plan (ref. 1). The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures (ref. 2). If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for an Unusual Event.

PVNGS Basis Reference(s):

1. PVNGS Emergency Plan, Section 4.2.1.1, Emergency Coordinator
2. PVNGS Emergency Plan, Section 4.2.1.12, Shift Manager
3. NEI 99-01, HU7 Page 122 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 225 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - Emergency Coordinator Judgment Initiating Condition: Other conditions exist that in the judgment of the Emergency Coordinator warrant declaration of an Alert EAL:

HA7.1 Alert Other conditions exist which, in the judgment of the Emergency Coordinator, indicate that events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any releases are expected to be limited to small fractions of the EPA Protective Action Guideline exposure levels.

Mode Applicability:

All Definition(s):

HOSTILE ACTION - An act toward PVNGS or its personnel that includes the use of violent force to destroy equipment, take hostages and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on PVNGS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the PVNGS Emergency Plan (ref. 1). The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures (ref. 2). If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for an Alert.

Page 123 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 226 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. PVNGS Emergency Plan, Section 4.2.1.1, Emergency Coordinator
2. PVNGS Emergency Plan, Section 4.2.1.12, Shift Manager
3. NEI 99-01, HA7 Page 124 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 227 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - Emergency Coordinator Judgment Initiating Condition: Other conditions existing that in the judgment of the Emergency Coordinator warrant declaration of a Site Area Emergency EAL:

HS7.1 Site Area Emergency Other conditions exist which in the judgment of the Emergency Coordinator indicate that events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or malicious acts, (1) toward site personnel or equipment that could lead to the likely failure of or, (2) that prevent effective access to equipment needed for the protection of the public. Any releases are not expected to result in exposure levels which exceed EPA Protective Action Guideline exposure levels beyond the site boundary Mode Applicability:

Ali Definition(s):

HOSTILE ACTION - An act toward PVNGS or its personnel that includes the use of violent force to destroy equipment, take hostages and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on PVNGS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area)

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the PVNGS Emergency Plan (ref. 1). The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures (ref. 2). If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations. In this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for a Site Area Emergency.

Page 125 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 228 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. PVNGS Emergency Plan, Section 4.2.1.1 Emergency Coordinator
2. PVNGS Emergency Plan, Section 4.2.1.12 Shift Manager
3. NEI 99-01, HA7 Page 126 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 229 of 332 ATTACHMENT 1 EAL Technical Bases Category: H - Hazards and Other Conditions Affecting Plant Safety Subcategory: 7 - Emergency Coordinator Judgment Initiating Condition: Other conditions exist which in the judgment of the Emergency Coordinator warrant declaration of a General Emergency EAL:

HG7.1 General Emergency Other conditions exist which in the judgment of the Emergency Coordinator indicate that events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels offsite for more than the immediate site area Mode Applicability:

All Definition(s):

HOSTILE ACTION - An act toward PVNGS or its personnel that includes the use of violent force to destroy equipment, take hostages and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. Hostile action should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on PVNGS. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area).

IMMINENT - The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions.

Basis:

The Emergency Coordinator is the designated onsite individual having the responsibility and authority for implementing the PVNGS Emergency Plan (ref. 1). The Operations Shift Manager (SM) initially acts in the capacity of the Emergency Coordinator and takes actions as outlined in the Emergency Plan implementing procedures (ref. 2). If required by the emergency classification or if deemed appropriate by the Emergency Coordinator, emergency response personnel are notified and instructed to report to their emergency response locations, in this manner, the individual usually in charge of activities in the Control Room is responsible for initiating the necessary emergency response, but Plant Management is expected to manage the emergency response as soon as available to do so in anticipation of the possible wide-ranging responsibilities associated with managing a major emergency.

Releases can reasonably be expected to exceed EPA PAG plume exposure levels outside the Site Boundary.

Page 127 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 230 of 332 ATTACHMENT 1 EAL Technical Bases This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emergency Coordinator to fall under the emergency classification level description for a General Emergency.

PVNGS Basis Reference(s):

1. PVNGS Emergency Plan, Section 4.2.1.1 Emergency Coordinator
2. PVNGS Emergency Plan, Section 4.2.1.12 Shift Manager
3. NEI 99-01, HA7 Page 128 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 231 of 332 ATTACHMENT 1 EAL Technical Bases Category S - System Malfunction EAL Group: Hot Conditions (RCS temperature > 210°F); EALs in this category are applicable only in one or more hot operating modes.

Numerous system-related equipment failure events that warrant emergency classification have been identified in this category. They may pose actual or potential threats to plant safety.

The events of this category pertain to the following subcategories:

1. Loss of Emergency AC Power Loss of emergency electrical power can compromise plant safety system operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of onsite and offsite sources for 4.16KV AC emergency buses.
2. Loss of Vital DC Power Loss of emergency electrical power can compromise plant safety system operability including decay heat removal and emergency core cooling systems which may be necessary to ensure fission product barrier integrity. This category includes loss of vital plant 125 VDC power sources.
3. Loss of Control Room Indications Certain events that degrade plant operator ability to effectively assess plant conditions within the plant warrant emergency classification. Losses of indicators are in this subcategory.
4. RCS Activity During normal operation, reactor coolant fission product activity is very low. Small concentrations of fission products in the coolant are primarily from the fission of tramp uranium in the fuel clad or minor perforations in the clad itself. Any significant increase from these base-line levels (2% - 5%

clad failures) is indicative of fuel failures and is covered under the Fission Product Barrier Degradation category. However, lesser amounts of clad damage may result in coolant activity exceeding Technical Specification limits. These fission products will be circulated with the reactor coolant and can be detected by coolant sampling.

5. RCS Leakage The reactor vessel provides a volume for the coolant that covers the reactor core. The reactor pressure vessel and associated pressure piping (reactor coolant system) together provide a barrier to limit the release of radioactive material should the reactor fuel clad integrity fail.

Excessive RCS leakage greater than Technical Specification limits indicates potential pipe cracks that may propagate to an extent threatening fuel clad, RCS and containment integrity.

6. RPS Failure This subcategory includes events related to failure of the Reactor Protection System (RPS) to initiate and complete reactor trips. In the plant licensing basis, postulated failures of the RPS to complete a reactor trip comprise a specific set of analyzed events referred to as Anticipated Transient Without Scram (ATWS) events. For EAL classification, however, ATWS is intended to mean any trip failure event that does not achieve reactor shutdown. If RPS actuation fails to Page 129 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 232 of 332 ATTACHMENT 1 EAL Technical Bases assure reactor shutdown, positive control of reactivity is at risk and could cause a threat to fuel clad, RCS and containment integrity.

7. Loss of Communications Certain events that degrade plant operator ability to effectively communicate with essential personnel within or external to the plant warrant emergency classification.
8. Containment Failure Failure of containment isolation capability (under conditions in which the containment is not currently challenged) warrants emergency classification. Failure of containment pressure control capability also warrants emergency classification.
9. Hazardous Event Affecting Safety Systems Various natural and technological events that result in degraded plant safety system performance or significant visible damage warrant emergency classification under this subcategory.

Page 130 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 233 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 1 - Loss of Emergency AC Power Initiating Condition: Loss of all offsite AC power capability to emergency buses for 15 minutes or longer EAL:

SU1.1 Unusual Event Loss of all offsite AC power capability, Table S-1, to emergency 4,16KV buses PBA-S03 and PBB-S04 for > 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-1 AC Power Sources Offsite:

  • SUT (alternate)
  • SBOG #1 AND SBOG #2 (if already aligned)

Onsite:

  • DG B Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

The 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses PBA-S03 and PBB-S04 (ref. 1).

The condition indicated by this EAL is the degradation of all offsite AC power sources such that any only onsite AC power capability exists for 15 minutes or longer.

4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESP Service Transformer NAN-X03 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

Additional alternate offsite AC power sources are the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). However, these sources can only be credited if already Page 131 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 234 of 332 ATTACHMENT 1 EAL Technical Bases aligned, that is, capable of powering one or more emergency bus within 15 minutes. The SBOGs can only be credited if they are running in parallel since they are not rated to supply all the SAFETY SYSTEM loads.

PBA-S03 and PBB-S04 each have an onsite emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1).

This 1C addresses a prolonged loss of offsite power. The loss of offsite power sources renders the plant more vulnerable to a complete loss of power to AC emergency buses. This condition represents a potential reduction in the level of safety of the plant.

For emergency classification purposes, capability means that an offsite AC power source(s) is available to the emergency buses, whether or not the buses are powered from it.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of offsite power.

Escalation of the emergency classification level would be via 1C SA1.

PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1, AC Power Systems
3. Procedure 40AO-9ZZ12, Degraded Electrical Power
4. UFSAR Section 1.2.10.3.9, Alternate AC Power System
5. NEI 99-01, SU1 Page 132 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 235 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 1 - Loss of Emergency AC Power Initiating Condition: Loss of all but one AC power source to emergency buses for 15 minutes or longer EAL:

SA1.1 Alert AC power capability, Table S-1, to emergency 4.16KV buses PBA-S03 and PBB-S04 reduced to a single power source for > 15 minutes (Note 1)

AND Any additional single power source failure will result in loss of all AC power to SAFETY SYSTEMS Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Table S-1 AC Power Sources Offsite:

  • SLIT (normal)
  • SUT (alternate)
  • SBOG #1 AND SBOG #2 (if already aligned)

Onsite:

  • DG B Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 3 - Hot Shutdown Definition(s):

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10 CFR 50.2):

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary:

(2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

Page 133 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 236 of 332 ATTACHMENT 1 EAL Technical Bases Basis:

For emergency classification purposes, capability means that an AC power source is available to and capable of powering the emergency bus(es) within 15 min, whether or not the buses are currently powered from it.

The 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses PBA-S03 and PBB-S04 (ref. 1).

The condition indicated by this EAL is the degradation of the offsite and onsite power sources such that any additional single failure would result in a loss of all AC power to the emergency buses.

4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESF Service Transformer NAN-X03 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

In addition, PBA-S03 and PBB-S04 each have an emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1).

Additional alternate offsite AC power sources are the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). However, these sources can only be credited if already aligned, that is, capable of powering one or more emergency bus within 15 minutes. The SBOGs can only be credited if they are running in parallel since they are not rated to supply all the SAFETY SYSTEM loads If the capability of a second source of emergency bus power is not restored within 15 minutes, an Alert is declared under this EAL.

This 1C describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. This 1C provides an escalation path from 1C SU1.

An AC power source is a source recognized in AOPs and EOPs and capable of supplying required power to an emergency bus. Some examples of this condition are presented below.

  • A loss of all offsite power with a concurrent failure of all but one emergency power source (e.g., an onsite diesel generator).
  • A loss of all offsite power and loss of all emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being back-fed from the unit main generator.
  • A loss of emergency power sources (e.g., onsite diesel generators) with a single train of emergency buses being fed from an offsite power source.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of power.

Page 134 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 237 of 332 ATTACHMENT 1 EAL Technical Bases Escalation of the emergency classification level would be via IC SS1.

PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1, AC Power Systems
3. Procedure 40AO-9ZZ12, Degraded Electrical Power
4. UFSAR Section 1.2.10.3.9, Alternate AC Power System
5. NEI 99-01, SA1 Page 135 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 238 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 1 - Loss of Emergency AC Power Initiating Condition: Loss of all offsite power and all onsite AC power to emergency buses for 15 minutes or longer EAL:

SS1.1 Site Area Emergency Loss of all offsite and all onsite AC power capability to emergency 4.16KV buses PBA-S03 and PBB-S04 for > 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

For emergency classification purposes, capability means that an AC power source is available to and capable of powering the emergency bus(es) within 15 min, whether or not the buses are currently powered from it.

The 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses PBA-S03 and PBB-S04 (ref. 1).

4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESF Service Transformer NAN-X03 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

In addition, PBA-S03 and PBB-S04 each have an emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1).

Additional alternate offsite AC power sources include, but not limited to, the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). However, these sources can only be credited if already aligned, that is, capable of powering one or more emergency bus within 15 minutes. The SBOGs can only be credited if they are running in parallel since they are not rated to supply all the SAFETY SYSTEM loads The interval begins when both offsite and onsite AC power capability are lost.

This 1C addresses a total loss of AC power that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling.

Page 136 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 239 of 332 ATTACHMENT 1 EAL Technical Bases containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink.

In addition, fission product barrier monitoring capabilities may be degraded under these conditions. This IC represents a condition that involves actual or likely major failures of plant functions needed for the protection of the public.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Escalation of the emergency classification level would be via ICs RG1, FG1 or SG1.

PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1, AC Power Systems
3. Procedure 40AO-9ZZ12, Degraded Electrical Power
4. UFSAR Section 1.2.10.3.9, Alternate AC Power System
5. Procedure 40EP-9E008, Blackout
6. NEI 99-01, SSI Page 137 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 240 of 332 ATTACHMENT 1 EAL Technical Bases Category: S -System Malfunction Subcategory: 1 - Loss of Emergency AC Power Initiating Condition: Prolonged loss of all offsite and all onsite AC power to emergency buses EAL:

SG1.1 General Emergency Loss of all offsite and all onsite AC power capability to emergency 4.16KV buses PBA-S03 and PBB-S04 AND EITHER:

  • Restoration of at least one emergency bus in < 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is not likely (Note 1)
  • Rep CET reading > 1200°F Note 1; The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

This EAL is indicated by the extended loss of all offsite and onsite AC power capability to 4.16KV emergency buses PBA-S03 and PBB-S04 either for greater then the PVNGS Station Blackout (SBO) coping analysis time (4 hrs.) (ref. 8) or that has resulted in indications of an actual loss of adequate core cooling (Rep CET > 1200 °F) (ref. 6, 7).

For emergency classification purposes, capability means that an AC power source is available to and capable of powering the emergency bus(es), whether or not the buses are currently powered from it.

The 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses PBA-S03 and PBB-S04 (ref. 1).

4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESF Service Transformer NAN-X03 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

Page 138 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 241 of 332 ATTACHMENT 1 EAL Technical Bases In addition, PBA-S03 and PBB-S04 each have an emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1).

Additional alternate offsite AC power sources include, but no limited to, the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). The SBOGs can only be credited if they are running in parallel since they are not rated to supply all the SAFETY SYSTEM loads.

Rep CET (Representative Core Exit Temperature) is a calculated temperature value generated by the Qualified Safety Parameter Display System (QSPDS). The QSPDS CET processing function generates a representative temperature based on a statistical analysis of thermocouples monitoring the reactor coolant temperature at the top of selected fuel assemblies.

This IC addresses a prolonged loss of all power sources to AC emergency buses. A loss of all AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A prolonged loss of these buses will lead to a loss of one or more fission product barriers. In addition, fission product barrier monitoring capabilities may be degraded under these conditions.

The EAL should require declaration of a General Emergency prior to meeting the thresholds for IC FG1. This will allow additional time for implementation of offsite protective actions.

Escalation of the emergency classification from Site Area Emergency will occur if it is projected that power cannot be restored to at least one AC emergency bus by the end of the analyzed station blackout coping period. Beyond this time, plant responses and event trajectory are subject to greater uncertainty and there is an increased likelihood of challenges to multiple fission product barriers.

The estimate for restoring at least one emergency bus should be based on a realistic appraisal of the situation. Mitigation actions with a low probability of success should not be used as a basis for delaying a classification upgrade. The goal is to maximize the time available to prepare for and implement, protective actions for the public.

The EAL will also require a General Emergency declaration if the loss of AC power results in parameters that indicate an inability to adequately remove decay heat from the core.

PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1, AC Power Systems
3. EOP Setpoint Document TA-13-C00-2000-001
4. 40AO-9ZZ12, Degraded Electrical Power
5. UFSAR Section 1.2.10.3.9 Alternate AC Power System
6. Procedure 40DP-9AP13, Blackout Technical Guideline
7. Procedure 40EP-9E009, Functional Recovery
8. Core Damage Assessment User Manual
9. Evaluation 4578373, Station Blackout Coping Analysis for Margin to Core Covery
9. NEI 99-01, SGI Page 139 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 242 of 332 ATTACHMENT 1 EAL Technical Bases Category: S -System Malfunction Subcategory: 1 - Loss of Emergency AC Power Initiating Condition: Loss of all emergency AC and vital DC power sources for 15 minutes or longer EAL:

SG1.2 General Emergency k'

Loss of all offsite and all onsite AC power capability to emergency 4.16KV buses PBA-S03 and PBB-S04 for > 15 minutes AND Loss of 125 VDC power based on battery bus voltage indications <112 VDC on both vital DC buses PKA-M41and PKB-M42 for > 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

This EAL is indicated by the loss of all offsite and onsite emergency AC power capability to 4.16KV emergency buses PBA-S03 and PBB-S04 for greater than 15 minutes in combination with degraded vital DC power voltage. This EAL addresses operating experience from the March 2011 accident at Fukushima Daiichi.

For emergency classification purposes, capability means that an AC power source is available to and capable of powering the emergency bus(es) within 15 min, whether or not the buses are currently powered from it.

The 4.16KV AC System provides the power requirements for operation and safe shutdown of the plant. The essential switchgear are buses PBA-S03 and PBB-S04 (ref. 1).

The 4.16KV buses PBA-S03 and PBB-S04 are the emergency (essential) buses. PBA-S03 supplies power to Train A safety related loads and PBB-S04 supplies power to Train B safety related loads. Each bus has two normal sources of offsite power. Each source is from one of three 13.8 KV Startup Transformers (SUT) via its normal and alternative ESF Service Transformer NAN-X03 or NAN-X04. Transformer NAN-X03 is the normal supply to bus PBA-S03 and the alternate supply to PBB-S04; Transformer NAN-X04 is the normal supply to bus PBB-S04 and the alternate supply to PBA-S03 (ref. 1).

In addition, PBA-S03 and PBB-S04 each have an emergency diesel generator (DG A & DG B) which supply electrical power to the bus automatically in the event that the preferred source becomes unavailable (ref. 1). However, these sources can only be credited if already aligned, that is, power one or more emergency bus within 15 minutes.

Page 140 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 243 of 332 ATTACHMENT 1 EAL Technical Bases Additional alternate offsite AC power sources include, but not limited to, the two redundant 13.8KV SBO gas turbine generators (SBOG #1 & SBOG #2). However, these sources can only be credited if already aligned, that is, capable of powering one or more emergency bus within 15 minutes. The SBOGs can only be credited if they are running in parallel since they are not rated to supply all the SAFETY SYSTEM loads The vital DC buses are the following 125 VDC Class IE buses (ref. 6):

Train A: Train B:

  • PKA-M41
  • PKB-M42
  • PKC-M43
  • PKD-M44 For this EAL credit is only taken for buses PKA-M41 and PKB-M42 as these are the Train A and Train B buses that provide safety system control power.

There are four, 60 cell, lead-calcium storage batteries (PKA-F11, PKC-F13, PKB-F12 and PKD-F14) that supplement the output of the battery chargers. They supply DC power to the distribution buses when AC power to the chargers is lost or when transient loads exceed the capacity of the battery chargers (ref. 6).

All four of the 125VDC buses supply inverters for 120VAC PN bus power as well as control power for various safety related systems. Each battery is designed to have sufficient stored energy to supply the required emergency loads for 120 minutes following a loss of AC power to the chargers (ref. 7).

Minimum DC bus voltage is 112 VDC (ref. 8).

This 1C addresses a concurrent and prolonged loss of both emergency AC and Vital DC power.

A loss of all emergency AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A loss of vital DC power compromises the ability to monitor and control SAFETY SYSTEMS. A sustained loss of both emergency AC and vital DC power will lead to multiple challenges to fission product barriers.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

The 15-minute emergency declaration clock begins at the point when both EAL thresholds are met.

Page 141 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 244 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Drawing 13-E-MAA-001, Main Single Line Diagram
2. UFSAR Section 8.3.1 AC Power Systems
3. Procedure 40AO-9ZZ12, Degraded Electrical Power
4. UFSAR Section 1.2.10.3.9, Alternate AC Power System
5. Procedure 40DP-9AP13, Blackout Technical Guideline
6. Drawing 01-E-PKA-001, Main Single Line Diagram 125V DC Class IE and 120VAC Vital Inst Power System
7. UFSAR Section 8.3.2, DC Power Systems
8. Calculation 01-EC-PK-0207 DC, Battery Sizing and Minimum Voltage
9. NEI 99-01, SG8 Page 142 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 245 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 2 - Loss of Vital DC Power Initiating Condition: Loss of all vital DC power for 15 minutes or longer EAL:

SS2.1 Site Area Emergency Loss of 125 VDC power based on battery bus voltage indications <112 VDC on both vital DC buses PKA-M41and PKB-M42 for > 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

The vital DC buses are the following 125 VDC Class IE buses (ref. 1):

Train A: Train B:

  • PKA-M41
  • PKB-M42
  • PKC-M43
  • PKD-M44 For this EAL credit is only taken for buses PKA-M41 and PKB-M42 as these are the Train A and Train B buses that provide safety system control power.

There are four, 60 cell, lead-calcium storage batteries (PKA-F11, PKC-F13, PKB-F12 and PKD-F14) that supplement the output of the battery chargers. They supply DC power to the distribution buses when AC power to the chargers is lost or when transient loads exceed the capacity of the battery chargers (ref. 1).

All four of the 125VDC buses supply inverters for 120VAC PN bus power as well as control power for various safety related systems. Each battery is designed to have sufficient stored energy to supply the required emergency loads for 120 minutes following a loss of AC power to the chargers (ref. 2).

Minimum DC bus voltage is 112 VDC (ref. 3).

This 1C addresses a loss of vital DC power which compromises the ability to monitor and control SAFETY SYSTEMS. In modes above Cold Shutdown, this condition involves a major failure of plant functions needed for the protection of the public.

Fifteen minutes was selected as a threshold to exclude transient or momentary power losses.

Escalation of the emergency classification level would be via ICs RG1, FG1 or SGI.

Page 143 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 246 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Drawing Ol-E-PKA-001, Main Single Line Diagram 125V DC Class IE and 120VAC Vital Inst Power System
2. UFSAR Section 8.3.2, DC Power Systems
3. Calculation 01-EC-PK-0207, DC Battery Sizing and Minimum Voltage
4. NEI 99-01, SS8 Page 144 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 247 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 3 - Loss of Control Room Indications Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer EAL:

SU3.1 Unusual Event An UNPLANNED event results in the inability to monitor one or more Table S-2 parameters from within the Control Room for > 15 minutes (Note 1)___________________

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 11: Downcomer flow instruments are also credited for auxiliary feed flow indication.

Table S-2 Safety System Parameters

  • Reactor power
  • CET temperature
  • Level in at least one S/G
  • Auxiliary feed flow to at least one S/G (Note 11)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

SAFETY SYSTEM parameters listed in Table S-2 are monitored in the Control Room through a combination of hard control panel indicators as well as computer based information systems.

The Plant Computer serves as a redundant compensatory indicator which may be utilized in lieu of normal Control Room indicators (ref. 1,2).

Downcomer flow instruments are also credited for auxiliary feed flow indication.

This 1C addresses the difficulty associated with monitoring normal plant conditions without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. This condition is a precursor to a more significant event and represents a potential degradation in the level of safety of the plant As used in this EAL, an inability to monitor means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require Page 145 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 248 of 332 ATTACHMENT 1 EAL Technical Bases a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room.

An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRC event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making.

This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication.

Escalation of the emergency classification level would be via 1C SA3.

PVNGS Basis Reference(s):

1. UFSAR Section 7.5, Safety-Related Display Instrumentation
2. UFSAR Section 18.I.D.2, Plant Safety Parameter Display System
3. NEI 99-01, SU2 Page 146 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 249 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 3 - Loss of Control Room Indications Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer with a significant transient in progress EAL:

SA3.1 Alert An UNPLANNED event results in the inability to monitor one or more Table S-2 parameters from within the Control Room for > 15 minutes (Note 1)

AND Any significant transient is in progress, Table S-3 Note 1; The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Note 11; Downcomer flow instruments are also credited for auxiliary feed flow indication.

Table S-2 Safety System Parameters Reactor power RCS level RCS pressure CET temperature Level in at least one S/G Auxiliary feed flow to at least one S/G (Note 11)

Table S-3 Significant Transients

  • Runback > 25% thermal power
  • Electrical load rejection > 25%

electrical load

  • Reactor power cutback
  • ECCS actuation Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Page 147 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 250 of 332 ATTACHMENT 1 EAL Technical Bases Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

SAFETY SYSTEM parameters listed in Table S-2 are monitored in the Control Room through a combination of hard control panel indicators as well as computer based information systems.

The Plant Computer serves as a redundant compensatory indicator which may be utilized in lieu of normal Control Room indicators (ref. 1,2).

Downcomer flow instruments are also credited for auxiliary feed flow indication.

Significant transients are listed in Table S-3 and include response to automatic or manually initiated functions such as reactor trips, runbacks involving greater than 25% thermal power change, electrical load rejections of greater than 25% full electrical load, reactor power cutbacks or ECCS (SI) injection actuations.

This IC addresses the difficulty associated with monitoring rapidly changing plant conditions during a transient without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. During this condition, the margin to a potential fission product barrier challenge is reduced. It thus represents a potential substantial degradation in the level of safety of the plant.

As used in this EAL, an inability to monitor means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room.

An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRC event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making.

This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core heat removal and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication. Escalation of the emergency classification level would be via ICs FS1 or IC RSI.

Page 148 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 251 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. UFSAR Section 7.5, Safety-Related Display Instrumentation
2. UFSAR Section 18.I.D.2, Plant Safety Parameter Display System
3. NEI 99-01, SA2 Page 149 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 252 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 4 - RCS Activity Initiating Condition: Reactor coolant activity greater than Technical Specification allowable limits EAL:

SU4.1 Unusual Event Letdown Monitor RU-155D reading > high alarm Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

A reading on the Letdown Monitor RU-155D > high alarm is indicative of coolant activity in excess of the Technical Specification RCS activity limits (ref 1,2).

This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. This condition is a precursor to a more significant event and represents a potential degradation of the level of safety of the plant.

Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs.

PVNGS Basis Reference(s):

1. Technical Specification 3.4.17, RCS Specific Activity
2. Calculation 13-NC-CH-311, Letdown Line PRM Dose Rates
3. NEI 99-01, SU3 Page 150 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 253 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 4 - RCS Activity Initiating Condition: Reactor coolant activity greater than Technical Specification allowable limits EAL:_________________________________________________________________

SU4.2 Unusual Event Sample analysis indicates RCS activity > Technical Specification LCO 3.4.17 limits Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

The specific iodine activity is limited to either < 60 pCi/gm Dose Equivalent 1-131 or < 1.0 pCi/gm Dose Equivalent 1-131 for > 48 hr continuous period. The specific Xe-133 activity is limited to <

550 pCi/gm Dose Equivalent XE-133 for > 48 hr continuous period. Entry into Condition C of LCO 3.4.17 meets the intent of this EAL (ref 1,2).

This 1C addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. This condition is a precursor to a more significant event and represents a potential degradation of the level of safety of the plant.

Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs.

PVNGS Basis Reference(s):

1. Technical Specification 3.4.17, RCS Specific Activity
2. Procedure 40AO-9ZZ22, Fuel Damage
3. NEI 99-01, SU3 Page 151 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 254 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 5 - RCS Leakage Initiating Condition: RCS leakage for 15 minutes or longer EAL:

SU5.1 Unusual Event RCS unidentified or pressure boundary leakage >10 gpm for > 15 minutes OR RCS identified leakage > 25 gpm for > 15 minutes OR Reactor coolant leakage to a location outside containment > 25 gpm for s 15 minutes (Note 1)

Note 1; The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Manual or computer-based methods of performing an RCS inventory balance are normally used to determine RCS leakage. ERFDADS is the preferred method of calculating RCS leak rate.

When ERFDADS software is not available, procedural guidance is available to perform the backup and manual RCS inventory balance (ref. 1,4, 5, 6).

Identified leakage includes

  • Leakage such as that from pump seals or valve packing (except reactor coolant pump (RCP) seal water injection or leakoff), that is captured and conducted to collection systems or a sump or collecting tank (leakage into an intact Reactor Drain Tank is also considered identified leakage), or
  • Leakage into the containment atmosphere from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary leakage, or

Unidentified leakage is all leakage (except RCP seal water injection or leakoff) that is not identified leakage (ref. 2).

Pressure Boundary leakage is leakage (except SG leakage) through a nonisolable fault in an RCS component body, pipe wall, or vessel wall (ref. 2)

Reactor coolant leakage outside of the containment that is not considered identified or unidentified leakage per Technical Specifications. For example: leakage via interfacing systems such as RCS to the Nuclear Cooling Water System, Essential Cooling Water System, Safety Injection System, or systems that directly see RCS pressure outside containment such Page 152 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 255 of 332 ATTACHMENT 1 EAL Technical Bases as Chemical & Volume Control System, Nuclear Sampling system and Residual Heat Removal system (when in the shutdown cooling mode) (ref. 3, 4).

Palo Verde specific operating experience is that a High Pressure Seal Cooler (HPSC) leak to the Nuclear Cooling Water (NC) System must be isolated to containment within 15 minutes of discovery due to the location of the NC system expansion tank and potential dose concerns on the Auxiliary Building roof.

This IC addresses RCS leakage which may be a precursor to a more significant event. In this case, RCS leakage has been detected and operators, following applicable procedures, have been unable to promptly isolate the leak. This condition is considered to be a potential degradation of the level of safety of the plant.

The first and second EAL conditions are focused on a loss of mass from the RCS due to unidentified leakage," "pressure boundary leakage" or "identified leakage (as these leakage types are defined in the plant Technical Specifications). The third condition addresses an RCS mass loss caused by an UNISOLABLE leak through an interfacing system. These conditions thus apply to leakage into the containment, a secondary-side system (e.g., steam generator tube leakage) or a location outside of containment.

The leak rate values for each condition were selected because they are usually observable with normal Control Room indications. Lesser values typically require time-consuming calculations to determine (e.g., a mass balance calculation). The first condition uses a lower value that reflects the greater significance of unidentified or pressure boundary leakage.

The release of mass from the RCS due to the as-designed/expected operation of a relief valve does not warrant an emergency classification. An emergency classification would be required if a mass loss is caused by a relief valve that is not functioning as designed/expected (e.g., a relief valve sticks open and the line flow cannot be isolated).

The 15-minute threshold duration allows sufficient time for prompt operator actions to isolate the leakage, if possible.

Escalation of the emergency classification level would be via ICs of Recognition Category R or F.

PVNGS Basis Reference(s):

1. Procedure 40ST-9RC02, ERFDADS (Preferred) Calculation of RCS Water Inventory
2. Technical Specification, 1.1, Definitions
3. UFSAR Section 5.2.5.4, Intersystem Leakage
4. Procedure 40AO-9ZZ02, Excessive RCS Leakrate
5. Procedure 40ST-9RC05, Manual Calculation of RCS Water Inventory
6. Procedure 40ST-9RC08, CAP (Backup) Calculation of RCS Water Inventory
7. NEI 99-01, SU4 Page 153 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 256 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 6 - RPS Failure Initiating Condition: Automatic or manual trip fails to shut down the reactor EAL:

SU6.1 Unusual Event An automatic trip did not shut down the reactor as indicated by reactor power > 5% after any RPS setpoint is exceeded AND A subsequent automatic trip or manual trip action taken at the reactor control consoles (BOS or B01) is successful in shutting down the reactor as indicated by reactor power < 5%

(Note 8)

Note 8; A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation Definition(s):

None Basis:

The first condition of this EAL identifies the need to cease critical reactor operations by actuation of the automatic Reactor Protection System (RPS) trip function. A reactor trip is automatically initiated by the RPS when certain continuously monitored parameters exceed predetermined setpoints (ref. 1,4).

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable. A predictable post-trip response from an automatic reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. For the purpose of emergency classification a successful trip has occurred when there is sufficient rod insertion from the trip of RPS to bring the reactor power to or below the Power Operation Mode threshold of 5% (ref. 2).

5% rated power is the Power Operation mode threshold. Below 5%, plant response will be similar to that observed during a normal shutdown. Nuclear instrumentation can be used to determine if reactor power is greater than 5 % power (ref. 1,2).

For the purposes of emergency classification, successful manual trip actions are those which can be quickly performed from the reactor control consoles (BOS or B01). Reactor shutdown achieved by use of other trip actions do not constitute a successful manual trip (ref. 3).

Page 154 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 257 of 332 ATTACHMENT 1 EAL Technical Bases Following any automatic RPS trip signal, procedure 40EP-9E001, Standard Post Trip Actions (ref. 3) prescribes insertion of redundant manual trip signals to back up the automatic RPS trip function and ensure reactor shutdown is achieved if Reactivity Control acceptance criteria are not met. Even if the first subsequent manual trip signal inserts all control rods to the full-in position immediately after the initial failure of the automatic trip, the lowest level of classification that must be declared is an Unusual Event.

In the event that the operator identifies a reactor trip is imminent and initiates a successful manual reactor trip before the automatic RPS trip setpoint is reached, no declaration is required.

The successful manual trip of the reactor before it reaches its automatic trip setpoint or reactor trip signals caused by instrumentation channel failures (without exceeding an RPS trip setpoint) do not lead to a potential fission product barrier loss and are thus not classifiable under this EAL.

However, if subsequent manual reactor trip actions fail to reduce reactor power to or below 5%,

the event escalates to the Alert under EAL SA6.1.

If by procedure, operator actions include the initiation of an immediate manual trip following receipt of an automatic trip signal and there are no clear indications that the automatic trip failed (such as a time delay following indications that a trip setpoint was exceeded), it may be difficult to determine if the reactor was shut down because of automatic trip or manual actions. If a subsequent review of the trip actuation indications reveals that the automatic trip did not cause the reactor to be shut down, then consideration should be given to evaluating the fuel for potential damage and the reporting requirements of 50.72 should be considered for the transient event.

This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown and either a subsequent operator manual action taken at the reactor control consoles or an automatic trip is successful in shutting down the reactor. This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant.

Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the reactor control consoles to shutdown the reactor (e.g., initiate a manual reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plants decay heat removal systems.

If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the reactor control consoles to shutdown the reactor (e.g., initiate a manual reactor trip) using a different switch). Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plants decay heat removal systems.

A manual action at the reactor control consoles is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip).

This action does not include manually driving in control rods or implementation of boron injection strategies. Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be at the reactor control consoles.

Page 155 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 258 of 332 ATTACHMENT 1 EAL Technical Bases The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the reactor control consoles are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC SA6. Depending upon the plant response, escalation is also possible via IC FA1. Absent the plant conditions needed to meet either IC SA6 or FA1, an Unusual Event declaration is appropriate for this event.

Should a reactor trip signal be generated as a result of plant work (e.g., RPS setpoint testing), or instrument failure the following classification guidance should be applied.

  • If the signal causes a plant transient that should have included an automatic reactor trip and the RPS fails to automatically shutdown the reactor, then this IC and the EALs are applicable and should be evaluated.
  • If the signal does not cause a plant transient and the trip failure is determined through other means (e.g., assessment of test results), then this IC and the EALs are not applicable and no classification is warranted.

PVNGS Basis Reference(s):

1. Technical Specification 3.3.1, Reactor Protection System (RPS) Instrumentation -

Operating

2. Technical Specification Table 1.1-1, Modes
3. Procedure 40EP-9E001, Standard Post Trip Actions
4. UFSAR Section, 7.2.2.2 Trip Bases 5 NEI 99-01, SU5 Page 156 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 259 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 6 - RPS Failure Initiating Condition: Automatic or manual trip fails to shut down the reactor EAL:

SU6.2 Unusual Event A manual trip did not shut down the reactor as indicated by reactor power > 5% after any manual trip action was initiated AND A subsequent automatic trip or manual trip action taken at the reactor control consoles (BOS or B01) is successful in shutting down the reactor as indicated by reactor power s 5%

(Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation Definition(s):

None Basis:

This EAL addresses a failure of a manually initiated trip in the absence of having exceeded an automatic RPS trip setpoint and a subsequent automatic or manual trip is successful in shutting down the reactor (ref. 1).

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable. A predictable post-trip response from an automatic reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. For the purpose of emergency classification a successful trip has occurred when there is sufficient rod insertion from the manual trip to bring the reactor power to or below the Power Operation Mode threshold level of 5% (ref. 2).

5% rated power is the Power Operation mode threshold. Below 5%, plant response will be similar to that observed during a normal shutdown. Nuclear instrumentation can be used to determine if reactor power is greater than 5 % power (ref. 1,2).

For the purposes of emergency classification, successful manual trip actions are those which can be quickly performed from the reactor control consoles (BOS or B01). Reactor shutdown achieved by use of other trip actions do not constitute a successful manual trip (ref. 3).

Following the failure of any manual trip signal, procedure 40EP-9E001, Standard Post Trip Actions (ref. 3), prescribes insertion of redundant manual trip signals to back up the RPS trip Page 157 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 260 of 332 ATTACHMENT 1 EAL Technical Bases function and ensure reactor shutdown is achieved if Reactivity Control acceptance criteria are not met. Even if a subsequent automatic trip signal or the first subsequent manual trip signal inserts all control rods to the full-in position immediately after the initial failure of the manual trip, the lowest level of classification that must be declared is an Unusual Event (ref. 3).

If both subsequent automatic and subsequent manual reactor trip actions in the Control Room fail to reduce reactor power below < 5% following a failure of an initial manual trip, the event escalates to an Alert under EAL SA6.1.

This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown and either a subsequent operator manual action taken at the reactor control consoles or an automatic trip is successful in shutting down the reactor. This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant.

Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the reactor control consoles to shutdown the reactor (e.g., initiate a manual reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plants decay heat removal systems.

If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the reactor control consoles to shutdown the reactor (e.g., initiate a manual reactor trip) using a different switch). Depending upon several factors, the initial or subsequent effort to manually the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plants decay heat removal systems.

A manual action at the reactor control consoles is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip).

This action does not include manually driving in control rods or implementation of boron injection strategies. Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be at the reactor control consoles.

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the reactor control consoles are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC SA6. Depending upon the plant response, escalation is also possible via IC FA1. Absent the plant conditions needed to meet either IC SA6 or FA1, an Unusual Event declaration is appropriate for this event.

Page 158 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 261 of 332 ATTACHMENT 1 EAL Technical Bases Should a reactor trip signal be generated as a result of plant work (e.g., RPS setpoint testing) or instrument failure, the following classification guidance should be applied.

  • If the signal causes a plant transient that should have included an automatic reactor trip and the RPS fails to automatically shutdown the reactor, then this IC and the EALs are applicable and should be evaluated.
  • If the signal does not cause a plant transient and the trip failure is determined through other means (e.g., assessment of test results), then this IC and the EALs are not applicable and no classification is warranted.

PVNGS Basis Reference(s);

1. Technical Specification 3.3.1, Reactor Protection System (RPS) Instrumentation - Operating
2. Technical Specification Table 1.1-1, Modes
3. Procedure 40EP-9E001, Standard Post Trip Actions
4. UFSAR Section T.2.2.2, Trip Bases
5. NEI 99-01, SU5 Page 159 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 262 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 2 - RPS Failure Initiating Condition: Automatic or manual trip fails to shut down the reactor and subsequent manual actions taken at the reactor control consoles are not successful in shutting down the reactor EAL:

SA6.1 Alert An automatic or manual trip fails to shut down the reactor as indicated by reactor power

>5%

AND Manual trip actions taken at the reactor control consoles (BOS or B01) are not successful in shutting down the reactor as indicated by reactor power > 5% (Note 8)

Note 8: A manual trip action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core and does not include manually driving in control rods or implementation of boron injection strategies.

Mode Applicability:

1 - Power Operation Definition(s):

None Basis:

This EAL addresses any automatic or manual reactor trip signal that fails to shut down the reactor followed by a subsequent manual trip that fails to shut down the reactor to an extent the reactor is producing significant power (ref. 1,4).

Following a successful reactor trip, rapid insertion of the control rods occurs. Nuclear power promptly drops to a fraction of the original power level and then decays to a level several decades less with a negative startup rate. The reactor power drop continues until reactor power reaches the point at which the influence of source neutrons on reactor power starts to be observable. A predictable post-trip response from an automatic reactor trip signal should therefore consist of a prompt drop in reactor power as sensed by the nuclear instrumentation and a lowering of power into the source range. For the purpose of emergency classification a successful trip has occurred when there is sufficient rod insertion from the manual trip to bring the reactor power to or below 5% (ref. 2).

5% rated power is the Power Operation mode threshold. Below 5%, plant response will be similar to that observed during a normal shutdown. Nuclear instrumentation can be used to determine if reactor power is greater than 5 % power (1, 2).

For the purposes of emergency classification, successful manual trip actions are those which can be quickly performed from the reactor control consoles (BOS or B01). Reactor shutdown achieved by use of other trip actions do not constitute a successful manual trip (ref. 3).

Page 160 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 263 of 332 ATTACHMENT 1 EAL Technical Bases Escalation of this event to a Site Area Emergency would be under EAL SS6.1 or Emergency Coordinator judgment.

This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown and subsequent operator manual actions taken at the reactor control consoles to shutdown the reactor are also unsuccessful. This condition represents an actual or potential substantial degradation of the level of safety of the plant. An emergency declaration is required even if the reactor is subsequently shutdown by an action taken away from the reactor control consoles since this event entails a significant failure of the RPS.

A manual action at the reactor control console is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core (e.g., initiating a manual reactor trip).

This action does not include manually driving in control rods or implementation of boron injection strategies. If this action(s) is unsuccessful, operators would immediately pursue additional manual actions at locations away from the reactor control console (e.g., locally opening breakers). Actions taken at back panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be at the reactor control console.

The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If the failure to shut down the reactor is prolonged enough to cause a challenge to the core cooling or RCS heat removal safety functions, the emergency classification level will escalate to a Site Area Emergency via IC SS6. Depending upon plant responses and symptoms, escalation is also possible via IC FS1. Absent the plant conditions needed to meet either IC SS6 or FS1, an Alert declaration is appropriate for this event.

It is recognized that plant responses or symptoms may also require an Alert declaration in accordance with the Recognition Category F ICs; however, this IC and EAL are included to ensure a timely emergency declaration.

PVNGS Basis Reference(s):

1. Technical Specification 3.3.1, Reactor Trip System (RTS) Instrumentation 2 Technical Specification Table 1.1-1, Modes
3. Procedure 40EP-9E001, Standard Post Trip Actions
4. UFSAR Section 72.2.2, Trip Bases
5. NEI 99-01, SA5 Page 161 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 264 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 2 - RPS Failure Initiating Condition: Inability to shut down the reactor causing a challenge to core cooling or RCS heat removal EAL:

SS6.1 Site Area Emergency An automatic or manual trip fails to shut down the reactor as indicated by reactor power

>5%

AND All actions to shut down the reactor are not successful as indicated by reactor power

>5%

AND EITHER;

  • RepCET> 1200°F
  • RCS subcooling < 24 °F______________________________________________

Mode Applicability:

1 - Power Operation Definition(s):

None Basis:

This EAL addresses the following:

  • Any automatic reactor trip signal (ref. 1) followed by a manual trip that fails to shut down the reactor to an extent the reactor is producing energy in excess of the heat load for which the safety systems were designed (EAL SA6.1) and
  • Indications that either core cooling is extremely challenged or heat removal is extremely challenged.

The combination of failures of both front line and backup protection systems to function in response to a plant transient, along with the continued production of heat, poses a direct threat to the Fuel Clad and RCS barriers.

Reactor shutdown achieved by use of other trip actions specified in procedure 40EP-9E001, Standard Post Trip Actions, (such as opening NGN-L03B2 and NGN-L10B2 supply breakers, emergency boration or manually driving control rods) are also credited as a successful manual trip provided reactor power can be reduced to or below 5% before indications of an extreme challenge to either core cooling or heat removal exist (ref. 2, 3).

5% rated power is the Power Operation mode threshold. Below 5%, plant response will be similar to that observed during a normal shutdown. Nuclear instrumentation can be used to determine if reactor power is greater than 5 % power.

Page 162 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 265 of 332 ATTACHMENT 1 EAL Technical Bases Indication of continuing core cooling degradation is manifested by CETs are reading greater than 1200°F.

Rep GET (Representative Core Exit Temperature) is a calculated temperature value generated by the Qualified Safety Parameter Display System (QSPDS). The QSPDS GET processing function generates a representative temperature based on a statistical analysis of thermocouples monitoring the reactor coolant temperature at the top of selected fuel assemblies.

Indication of inability to adequately remove heat from the RCS is manifested by RCS subcooling

< 24 °F. (ref. 4).

This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, all subsequent operator actions to manually shutdown the reactor are unsuccessful and continued power generation is challenging the capability to adequately remove heat from the core and/or the RCS. This condition will lead to fuel damage if additional mitigation actions are unsuccessful and thus warrants the declaration of a Site Area Emergency.

In some instances, the emergency classification resulting from this IC/EAL may be higher than that resulting from an assessment of the plant responses and symptoms against the Recognition Category F ICs/EALs. This is appropriate in that the Recognition Category F ICs/EALs do not address the additional threat posed by a failure to shut down the reactor. The inclusion of this IC and EAL ensures the timely declaration of a Site Area Emergency in response to prolonged failure to shutdown the reactor.

Escalation of the emergency classification level would be via IC RG1 or FG1.

PVNGS Basis Reference(s):

1. Technical Specification 3.3.1, Reactor Trip System (RTS) Instrumentation 2 Technical Specification Table 1.1-1, Modes
3. Procedure 40EP-9E001, Standard Post Trip Actions
4. Procedure 40EP-9E009, Functional Recovery
5. NEI 99-01, SS5 Page 163 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 266 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 7 - Loss of Communications Initiating Condition: Loss of all onsite or offsite communications capabilities EAL:

SU7.1 Unusual Event Loss of all Table S-4 onsite communication methods OR Loss of all Table S-4 Offsite Response Organization (ORO) communication methods OR Loss of all Table S-4 NRC communication methods Table S-4 Communication Methods System Onsite ORO NRC PBX X X X Plant Page X Two-Way Radio X FTS (ENS) X Telephone Ringdown Circuits (NAN) X Cellular Phones X X Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Onsite, offsite and NRC communications include one or more of the systems listed in Table S-4 (ref. 1,2).

1. PBX Onsite emergency telephone lines are divided among three onsite EPABX switches. Each EPABX switch is provided with a backup battery for reliability.

Page 164 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 267 of 332 ATTACHMENT 1 EAL Technical Bases This system will function during emergencies as it does during normal operations. Telephones have the capability of trunk access (via local provider) and the APS owned private communications system which provides direct dial capabilities to the entire APS voice system via the company owned private communications system. The PVNGS telephone EPABX Systems through which all PVNGS telephone calls pass, are equipped with uninterruptible power supplies (battery chargers and batteries) and dedicated priority switching to ensure the reliability of the telephone system. The PVNGS EPABXs are the primary links for PVNGS phones. There are also administratively dedicated lines for the CR, STSC, TSC, EOF and OSC.

2. Plant (Area) Paging The area paging system provides a reliable means of notifying and providing instructions to onsite personnel. Access to this system is through the EPABX system telephones by use of dedicated numbers.
3. Two-Way Radios PVNGS operates a trunked radio system, with separate talk groups available for departments such as Operations, Security, Fire Protection, Radiation Protection, Emergency Preparedness, the Water Reclamation Facility, etc. This system includes base station consoles at various locations and emergency facilities throughout the site. Some of the radios used during emergencies are portable radios at various site locations, mobile radios in the RFAT vehicles and base station consoles at the TSC, EOF, Unit OSCs, Unit STSCs and Unit Control Rooms. PVNGS Fire Protection also maintains radios that are used to contact the air ambulance service to provide landing instructions.
4. FTS(ENS)

The NRC Emergency Notification System (ENS) is an FTS telephone used for official communications with NRC Headquarters. The NRC Headquarters has the capability to patch into the NRC Regional offices. The primary purpose of this phone is to provide a reliable method for the initial notification of the NRC and to maintain continuous communications with the NRC after initial notification. ENS telephones are located in the Control Room, TSC and EOF.

5. Telephone Ringdown Circuits (NAN)

These voice circuits serve as a primary communications link for providing technical information to offsite agencies, public information communications and the communication of protective action recommendations to offsite authorities.

6. Cellular Phones Each STSC, the TSC and EOF have a cellular phone to provide additional independent lines of communication.

This EAL is the hot condition equivalent of the cold condition EAL CU5.1.

Page 165 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 268 of 332 ATTACHMENT 1 EAL Technical Bases This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OROs and the NRC.

This IC should be assessed only when extraordinary means are being utilized to make communications possible (e.g., use of non-plant, privately owned equipment, relaying of on-site information via individuals or multiple radio transmission points, individuals being sent to offsite locations, etc.).

The first EAL condition addresses a total loss of the communications methods used in support of routine plant operations.

The second EAL condition addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the State and Maricopa County EOCs.

The third condition addresses a total loss of the communications methods used to notify the NRC of an emergency declaration.

PVNGS Basis Reference(s):

1. PVNGS Plant Radiological Emergency Response Plan (RERP), Section 7.2
2. UFSAR Section 9.5.2, Communication Systems
3. NEI 99-01, sue Page 166 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 269 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 8 - Containment Failure Initiating Condition: Failure to isolate containment or loss of containment pressure control.

EAL:

SU8.1 Unusual Event EITHER:

  • Any penetration is not closed when required within 15 minutes of a VALID isolation signal

>15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or \<<ill likely be exceeded.

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

VALID-An indication, report, or condition, is considered to be valid when it is verified by (1) an instrument channel check, or (2) indications on related or redundant indicators, or (3) by direct observation by plant personnel, such that doubt related to the indicators operability, the conditions existence, or the reports accuracy is removed. Implicit in this definition is the need for timely assessment.

Basis:

Containment isolations are initiated by the Containment Isolation Actuation System (CIAS),

Safety Injection Actuation Signal (SIAS), Main Steam Isolation Signal (MSIS) and Containment Spray Actuation Signal (CSAS) (ref. 1,2).

The Containment Spray System consists of two separate trains of equal capacity, each capable of meeting the design bases requirement. Each train includes a containment spray pump, spray headers, nozzles, valves and piping. The refueling water storage tank (RWT) supplies borated water to the Containment Spray System during the injection phase of operation. In the recirculation mode of operation. Containment Spray pump suction is transferred from the RWT to the Containment sumps (ref. 3).

The Containment pressure high-high setpoint (8.5 psig) is the pressure at which the Containment Spray equipment should actuate and begin performing its function (ref. 4). Consistent with the design requirement, one full train of depressurization equipment is therefore defined to be the availability of one train of Containment Spray providing a minimum of 4350 gpm spray flow (ref.

5). LPSI cross-tie can be credited provided the alignment can be Page 167 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 270 of 332 ATTACHMENT 1 EAL Technical Bases made within the 15 minute threshold. If less than this equipment is operating and Containment pressure is above the actuation setpoint, the threshold is met.

This EAL addresses a failure of one or more containment penetrations to automatically isolate (close) when required by an actuation signal. It also addresses an event that results in high containment pressure with a concurrent failure of containment pressure control systems. Absent challenges to another fission product barrier, either condition represents potential degradation of the level of safety of the plant.

For the first condition, the containment isolation signal must be generated as the result on an off-normal/accident condition (e.g., a safety injection or high containment pressure); a failure resulting from testing or maintenance does not warrant classification. The determination of containment and penetration status - isolated or not isolated - should be made in accordance with the appropriate criteria contained in the plant AOPs and EOPs. The 15-minute criterion is included to allow operators time to manually isolate the required penetrations, if possible.

The second condition addresses a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible. The inability to start the required equipment indicates that containment heat removal/depressurization systems (e.g., containment sprays) are either lost or performing in a degraded manner.

This event would escalate to a Site Area Emergency in accordance with 1C FS1 if there were a concurrent loss or potential loss of either the Fuel Clad or RCS fission product barriers.

PVNGS Basis Reference(s):

1. UFSAR Section 6.2.1.5.3.8, Containment Purge System
2. UFSAR Section 6.2.4, Containment Isolation System
3. UFSAR Section 6.2.2, Containment Heat Removal System
4. UFSAR Table 7.3-11 A, ESFAS Setpoints and Margins to Actuation
5. Procedure 40EP-9E001, Standard Post Trip Actions
6. NEI 99-01, SU7 Page 168 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 271 of 332 ATTACHMENT 1 EAL Technical Bases Category: S - System Malfunction Subcategory: 9 - Hazardous Event Affecting Safety Systems Initiating Condition: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode EAL:

SA9.1 Alert The occurrence of any Table S-5 hazardous event AND EITHER:

  • Event damage has caused indications of degraded performance in at least one train of a SAFETY SYSTEM needed for the current operating mode
  • The event has caused VISIBLE DAMAGE to a SAFETY SYSTEM component or structure needed for the current operating mode Table S-5 Hazardous Events
  • Internal or external FLOODING event
  • FIRE
  • EXPLOSION
  • Other events with similar hazard characteristics as determined by the Shift Manager Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

EXPLOSION - A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events require a post-event inspection to determine if the attributes of an explosion are present.

FIRE - Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute fires. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed.

FLOODING - A condition where water is entering a room or area faster than installed equipment is capable of removal, resulting in a rise of water level within the room or area.

SAFETY SYSTEM - A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10 CFR 50.2):

Page 169 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 272 of 332 ATTACHMENT 1 EAL Technical Bases Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure; (1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

VISIBLE DAMAGE - Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure.

Basis:

Refer to Attachment 4 for a list of Palo Verde SAFETY SYSTEMS (ref. 5)

This IC addresses a hazardous event that causes damage to a SAFETY SYSTEM, or a structure containing SAFETY SYSTEM components, needed for the current operating mode. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier and therefore represents an actual or potential substantial degradation of the level of safety of the plant.

The first condition addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train.

The second condition addresses damage to a SAFETY SYSTEM component that is not in service/operation or readily apparent through indications alone, or to a structure containing SAFETY SYSTEM components. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage.

  • The significance of seismic events are discussed under EAL HU2.1. Annunciator 7C14A, SEISMIC OCCURRENCE will illuminate if the seismic instrument detects ground motion in excess of the seismic EVENT trigger threshold (ref. 1).
  • Internal FLOODING may be caused by events such as component failures, equipment misalignment, or outage activity mishaps.
  • High winds in excess of design (105 mph) or tornado strikes can cause significant structural damage (ref. 4).
  • Areas containing functions and systems required for safe shutdown of the plant are identified by fire area (ref. 2).
  • An explosion that degrades the performance of a SAFETY SYSTEM train or visibly damages a SAFETY SYSTEM component or structure would be classified under this EAL.

Escalation of the emergency classification level would be via IC FS1 or RSI.

Page 170 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 273 of 332 ATTACHMENT 1 EAL Technical Bases PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ21, Acts of Nature
2. UFSAR Table 3-2.1, Quality Classification of Structures, Systems and Components
3. UFSAR Section 2.4.2.2.1, Offsite Flood Design Considerations
4. UFSAR Section 2.3.1.2.3, Extreme Winds
5. Attachment 4 - Palo Verde Safety Systems
6. NEI 99-01, SA9 Page 171 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 274 of 332 ATTACHMENT 1 EAL Technical Bases Category F - Fission Product Barrier Degradation EAL Group: Hot Conditions (RCS temperature > 210°F); EALs in this category are applicable only in one or more hot operating modes.

EALs in this category represent threats to the defense in depth design concept that precludes the release of highly radioactive fission products to the environment. This concept relies on multiple physical barriers any one of which, if maintained intact, precludes the release of significant amounts of radioactive fission products to the environment. The primary fission product barriers are; A. Fuel Clad (FC): The Fuel Clad Barrier consists of the cladding material that contains the fuel pellets.

B. Reactor Coolant System (RCS): The RCS Barrier includes the RCS primary side and its connections up to and including the pressurizer safety and relief valves and other connections up to and including the primary isolation valves.

C. Containment (CTMT): The Containment Barrier includes the containment building and connections up to and including the outermost containment isolation valves. This barrier also includes the main steam, feedwater and blowdown line extensions outside the containment building up to and including the outermost secondary side isolation valve.

Containment Barrier thresholds are used as criteria for escalation of the ECL from Alert to a Site Area Emergency or a General Emergency.

The EALs in this category require evaluation of the loss and potential loss thresholds listed in the fission product barrier matrix of Table F-1 (Attachment 2). Loss and Potential Loss signify the relative damage and threat of damage to the barrier. Loss means the barrier no longer assures containment of radioactive materials. Potential Loss means integrity of the barrier is threatened and could be lost if conditions continue to degrade. The number of barriers that are lost or potentially lost and the following criteria determine the appropriate emergency classification level:

Alert:

Any loss or any potential loss of either Fuel Clad or RCS Site Area Emergency:

Loss or potential loss of any two barriers General Emergency:

Loss of any two barriers and loss or potential loss of third barrier The logic used for emergency classification based on fission product barrier monitoring should reflect the following considerations:

  • The Fuel Clad Barrier and the RCS Barrier are weighted more heavily than the Containment Barrier.
  • Unusual Event ICs associated with RCS and Fuel Clad Barriers are addressed under System Malfunction ICs.

For accident conditions involving a radiological release, evaluation of the fission product barrier thresholds will need to be performed in conjunction with dose assessments to Page 172 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 275 of 332 ATTACHMENT 1 EAL Technical Bases ensure correct and timely escalation of the emergency classification. For example, an evaluation of the fission product barrier thresholds may result in a Site Area Emergency classification while a dose assessment may indicate that an EAL for General Emergency IC RG1 has been exceeded.

The fission product barrier thresholds specified within a scheme reflect plant-specific PVNGS design and operating characteristics.

  • As used in this category, the term RCS leakage encompasses not just those types defined in Technical Specifications but also includes the loss of RCS mass to any location- inside the containment, an interfacing system, or outside of the containment. The release of liquid or steam mass from the RCS due to the as-designed/expected operation of a relief valve is not considered to be RCS leakage.
  • At the Site Area Emergency level, EAL users should maintain cognizance of how far present conditions are from meeting a threshold that would require a General Emergency declaration. For example, if the Fuel Clad and RCS fission product barriers were both lost, then there should be frequent assessments of containment radioactive inventory and integrity. Alternatively, if both the Fuel Clad and RCS fission product barriers were potentially lost, the Emergency Coordinator would have more assurance that there was no immediate need to escalate to a General Emergency.

Page 173 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 276 of 332 ATTACHMENT 1 EAL Technical Bases Category: Fission Product Barrier Degradation Subcategory: N/A Initiating Condition: Any loss or any potential loss of either Fuel Clad or RCS EAL:

FA1.1 Any loss or any potential loss of either Fuel Clad or RCS (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Fuel Clad, RCS and Containment comprise the fission product barriers. Table F-1 (Attachment 2) lists the fission product barrier thresholds, bases and references.

At the Alert classification level. Fuel Clad and RCS barriers are weighted more heavily than the Containment barrier. Unlike the Containment barrier, loss or potential loss of either the Fuel Clad or RCS barrier may result in the relocation of radioactive materials or degradation of core cooling capability. Note that the loss or potential loss of Containment barrier in combination with loss or potential loss of either Fuel Clad or RCS barrier results in declaration of a Site Area Emergency under EAL FS1.1 PVNGS Basis Reference(s):

1. NEI 99-01, FA1 Page 174 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 277 of 332 ATTACHMENT 1 EAL Technical Bases Category: Fission Product Barrier Degradation Subcategory: N/A Initiating Condition: Loss or potential loss of any two barriers EAL:

FS1.1 Site Area Emergency Loss or potential loss of any two barriers (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Fuel Clad, RCS and Containment comprise the fission product barriers. Table F-1 (Attachment 2) lists the fission product barrier thresholds, bases and references.

At the Site Area Emergency classification level, each barrier is weighted equally. A Site Area Emergency is therefore appropriate for any combination of the following conditions:

  • One barrier loss and a second barrier loss (i.e., loss - loss)
  • One barrier loss and a second barrier potential loss (i.e., loss - potential loss)
  • One barrier potential loss and a second barrier potential loss (i.e., potential loss - potential loss)

At the Site Area Emergency classification level, the ability to dynamically assess the proximity of present conditions with respect to the threshold for a General Emergency is important. For example, the existence of Fuel Clad and RCS Barrier loss thresholds in addition to offsite dose assessments would require continual assessments of radioactive inventory and Containment integrity in anticipation of reaching a General Emergency classification. Alternatively, if both Fuel Clad and RCS potential loss thresholds existed, the Emergency Coordinator would have greater assurance that escalation to a General Emergency is less imminent.

PVNGS Basis Reference(s):

1. NEI 99-01, FS1 Page 175 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 278 of 332 ATTACHMENT 1 EAL Technical Bases Category: Fission Product Barrier Degradation Subcategory: N/A Initiating Condition: Loss of any two barriers and loss or potential loss of third barrier EAL:

FG1.1 General Emergency Loss of any two barriers AND Loss or potential loss of third barrier (Table F-1)

Mode Applicability:

1 - Power Operation, 2 - Startup, 3 - Hot Standby, 4 - Hot Shutdown Definition(s):

None Basis:

Fuei Clad, RCS and Containment comprise the fission product barriers. Table F-1 (Attachment 2) lists the fission product barrier thresholds, bases and references.

At the General Emergency classification level each barrier is weighted equally. A General Emergency is therefore appropriate for any combination of the foliowing conditions:

  • Loss of Fuel Clad, RCS and Containment barriers
  • Loss of Fuel Clad and RCS barriers with potential loss of Containment barrier
  • Loss of RCS and Containment barriers with potential loss of Fuel Clad barrier
  • Loss of Fuel Clad and Containment barriers with potential loss of RCS barrier PVNGS Basis Reference(s):
1. NEI 99-01, FG1 Page 176 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 279 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Introduction Table F-1 lists the threshold conditions that define the Loss and Potential Loss of the three fission product barriers (Fuel Clad, Reactor Coolant System and Containment). The table is structured so that each of the three barriers occupies adjacent columns. Each fission product barrier column is further divided into two columns; one for Loss thresholds and one for Potential Loss thresholds.

The first column of the table (to the left of the Fuel Clad Loss column) lists the categories (types) of fission product barrier thresholds. The fission product barrier categories are:

A. RCS or SG Tube Leakage B. Inadequate Heat Removal C. CTMT Radiation / RCS Activity D. CTMT Integrity or Bypass E. Emergency Coordinator Judgment Each category occupies a row in Table F-1 thus forming a matrix defined by the categories.

The intersection of each row with each Loss/Potential Loss column forms a cell in which one or more fission product barrier thresholds appear. If NEI 99-01 does not define a threshold for a barrier Loss/Potential Loss, the word None is entered in the cell.

Thresholds are assigned sequential numbers within each Loss and Potential Loss column beginning with number one. In this manner, a threshold can be identified by its category title and number. For example, the first Fuel Clad barrier Loss in Category C would be assigned FC Loss C.1, the third Containment barrier Potential Loss in Category D would be assigned CTMT P-Loss D.3, etc.

If a cell in Table F-1 contains more than one numbered threshold, each of the numbered thresholds, if exceeded, signifies a Loss or Potential Loss of the barrier. It is not necessary to exceed all of the thresholds in a category before declaring a barrier Loss/Potential Loss.

Subdivision of Table F-1 by category facilitates association of plant conditions to the applicable fission product barrier Loss and Potential Loss thresholds. This structure promotes a systematic approach to assessing the classification status of the fission product barriers.

When equipped with knowledge of plant conditions related to the fission product barriers, the EAL-user first scans down the category column of Table F-1, locates the likely category and then reads across the fission product barrier Loss and Potential Loss thresholds in that category to determine if a threshold has been exceeded. If a threshold has not been exceeded, the EAL-user proceeds to the next likely category and continues review of the thresholds in the new category If the EAL-user determines that any threshold has been exceeded, by definition, the barrier is lost or potentially lost - even if multiple thresholds in the same barrier column are exceeded, only that one barrier is lost or potentially lost. The EAL-user must examine each of the three fission product barriers to determine if other barrier thresholds in the category are lost or potentially lost. For example, if containment radiation is sufficiently high, a Loss of the Fuel Clad and RCS barriers and a Potential Loss of the Containment barrier can occur. Barrier Page 177 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 280 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Losses and Potential Losses are then applied to the criterion given in EALs FG1.1, FS1.1 and FA1.1 to determine the appropriate emergency classification.

In the remainder of this Attachment, the Fuel Clad barrier threshold bases appear first, followed by the RCS barrier and finally the Containment barrier threshold bases. In each barrier, the bases are given according category Loss followed by category Potential Loss beginning with Category A, then B,..., E.

Page 178 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 281 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Table F-1 Fission Product Barrier Threshold Matrix Fuel Clad (FC) Barrier Reactor Coolant System (RCS) Barrier Containment (CTMT) Barrier Category Loss Potential Loss Loss Potential Loss Loss Potential Loss

1. SMth letoown isolated, operatiort of the standby charging pump ia required by EITHER:

A r An automatic or manual ECCS (SIAS)

EITHER:actuation required by

  • UNtSOLABLE RCS leakage RCSor None 1. RVLMS< 21% plenum
  • S6 tube leakage None
1. A lesMng or RUPTURED SGis SGTuba (Detector #8)
  • leakage UNtSOLABLE RCS 2. Pressurized thermal shock FAULTED outside of contNnment Leakage transisnt in sxcess of the upper
  • S6 tuba RUPTURE (20(W) subcooling P7T Hmit (Note AND9}

RCS oressure w risina B 1. RepCETs>700<<F

1. eataUishad RCS heat removal cannot be 1. Rep CETs> 1200^

AND IrMdequate 2. RCS heat remwal evtnot be established None None

1. RepCET8>1200*F AND Heat AND Functional recoveiy procedures Removal not effective wthin 15 min.

RCS subcooling <24^

RCS subcocing < 24*F (Note 1) c CTMT RU.148>2,1E*05 mRrtirOR None None None Radiation RU-149>2 4E+{)5 mRAtr RU-14S > 5 OE+04 mRAtr OR RU-148 > 6.8E<<06 mR/hr OR

/RC8 RU-149 > S.6E*04 mR/hr RU-149 > 7 BE^Oe mR/hr Z Dose equivalent k131 coolant Activity activity > 300 mC(^

retired AND EITHER:

D

  • Containment integrity has been lost based on Z
1. Containment pressure > 60 peig Containment hydrogen concentrsUor CTMT ttone None Nom Nona judgment >4 5%

Integrity

3. Containment pressure > 8.5 psig
  • UNtSOLABLE pathway from or Bypass Containment to the Spray (low for a IS mla (Note 1) environment exists Z Indications of RCS leakags outside of Containment E 1. Any cofxlition in the t^nion of 1- Any coneWon in the opinion of
1. Any condition in the opMon Of
1. Any condition in the opinion of the 1. Any condBon in the opinion of 1. Any condBon in the opinion of the EC the Emergency Coordinator that the Emergency Coordinator that Emergency Coordinator that the Emergency Coordnator that Emergency Coordnator that the Emergency Coordinator that Indcates potential loss of the Judgment indicates barrier loss of the fuel dad indicates potential loss of the fuel indicates barrier potential Ices of the RCS Indcates barrier loss of the Containment indicates loss of the RCS barrier Containment barrier dad barrier Page 179 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 282 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: A. RCS or SG Tube Leakage Degradation Threat: Loss Threshold:

None Page 180 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 283 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

1. RVLMS < 21 % plenum (Detector #8)

Definition(s):

None Basis:

21% plenum on RVLMS (Detector #8) is the minimum RVLMS indication above Top of Active Fuel (TOAF) which corresponds to 4 in. above the fuel alignment plate and is the last indication of inventory control (ref. 1,2).

This reading indicates a reduction in reactor vessel water level sufficient to allow the onset of heat-induced cladding damage.

PVNGS Basis Reference(s):

1. Procedure 40OP-9ZZ16, RCS Drain Operations, Appendix M
2. Nuclear Fuel Management Analysis Calculation TA-13-C00-2000-001, EOF Setpoint Document
3. NEI 99-01, RCS or SG Tube Leakage Fuel Clad Potential Loss 1 .A Page 181 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 284 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: B. Inadequate Heat Removal Degradation Threat: Loss Threshold:

1. RepCETs> 1200F Definition(s):

None Basis:

Core Exit Thermocouples (CETs) are a component of Inadequate Core Cooling Instrumentation and provide an indirect indication of fuel clad temperature by measuring the temperature of the reactor coolant that leaves the core region. Although clad rupture due to high temperature is not expected for CET readings less than the threshold, temperatures of this magnitude signal significant superheating of the reactor coolant and core uncovery (ref. 1).

This reading indicates temperatures within the core are sufficient to cause significant superheating of reactor coolant.

Rep CET (Representative Core Exit Temperature) is a calculated temperature value generated by the Qualified Safety Parameter Display System (QSPDS). The QSPDS CET processing function generates a representative temperature based on a statistical analysis of thermocouples monitoring the reactor coolant temperature at the top of selected fuel assemblies.

PVNGS Basis Reference(s):

1. UFSAR Appendix 18B, System 80 Generic Inadequate Core Cooling Instrumentation
2. NEI 99-01, Inadequate Heat Removal Fuel Clad Loss 2.A Page 182 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 285 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

1. Rep CETs > 700°F Definition(s):

None Basis:

Core Exit Thermocouples (CETs) are a component of Inadequate Core Cooling Instrumentation and provide an indirect indication of fuel clad temperature by measuring the temperature of the reactor coolant that leaves the core region. If Rep CETs indicate > 700°F, subcooling has been lost for at least some regions of the core (ref. 1). 700°F qualifies as a condition representing a potential loss of the fuel clad barrier.

This reading indicates a reduction in reactor vessel water level sufficient to allow the onset of heat-induced cladding damage.

Rep CET (Representative Core Exit Temperature) is a calculated temperature value generated by the Qualified Safety Parameter Display System (QSPDS). The QSPDS CET processing function generates a representative temperature based on a statistical analysis of thermocouples monitoring the reactor coolant temperature at the top of selected fuel assemblies.

PVNGS Basis Reference(s):

1. UFSAR Appendix 18B, System 80 Generic Inadequate Core Cooling Instrumentation
2. NEI 99-01, Inadequate Heat Removal Fuel Clad Potential Loss 2.A Page 183 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 286 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

2. RCS heat removal cannot be established AND RCS subcooling < 24°F Definition(s):

None Basis:

In combination with RCS Potential Loss B.1, meeting this threshold results in a Site Area Emergency.

The steam generators (SGs) provide the normal means of heat transfer from the RCS to the main condenser and ultimate heat sink. Procedure 40EP-9E003, Loss of Coolant Accident, requires maintenance of RCS heat removal at all times during a LOCA. Once RCS pressure and temperature are reduced, RCS heat removal can be provided by Shutdown Cooling (SDC) system. Once the SDC system is placed in service, the SG heat sink capability is no longer necessary (ref. 1).

If RCS subcooling approaches 24°F, the margin to superheated conditions is being reduced.

Following an uncomplicated reactor trip, subcooling margin should be in excess of 50°F.

Subcooling margin greater than 24°F ensures the fluid surrounding the core is sufficiently cooled and provides margin for reestablishing SI flow should subcooling deteriorate when SI flow is secured. Voids may exist in some parts of the RCS (e.g.. Reactor Vessel head) but are permissible as long as core heat removal is maintained (ref. 2). RCS subcooling is determined using appropriate CET (natural circulation) or Thot (forced circulation) temperature indications.

Upper head subcooling indication should not be used.

The combination of the threshold conditions indicates that RCS heat removal is under extreme challenge. This threshold addresses loss of functions required for hot shutdown with the reactor at pressure and temperature and thus a potential loss of the Fuel Clad barrier. This is also a potential loss of the RCS barrier and therefore results in at least a Site Area Emergency.

This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the Fuel Clad Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted.

Page 184 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 287 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases PVNGS Basis Reference(s):

1. Procedure 40EP-9E003, Loss of Coolant Accident
2. Procedure 40EP-9E009, Functional Recovery
3. NEI 99-01, Inadequate Heat Removal Fuel Clad Loss 2.B Page 185 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 288 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: C. CTMT Radiation / RCS Activity Degradation Threat: Loss Threshoid:

1. Containment radiation RU-148 > 2.1 E+05 mR/hr OR RU-149 > 2.4E+05 mR/hr Definition(s):

None Basis:

The specified containment radiation monitor readings (ref. 1) indicate the release of reactor coolant, with elevated activity indicative of fuel damage, into the Containment. The reading is derived assuming the instantaneous release and dispersal of the reactor coolant noble gas and iodine inventory associated with a concentration of 300 pCi/cc dose equivalent 1-131 into the Containment atmosphere with containment sprays operating. The values are based on calculated readings fifteen minutes after shutdown. Reactor coolant concentrations of this magnitude are several times larger than the maximum concentrations (including iodine spiking) allowed within Technical Specifications and are therefore indicative of fuel damage (approximately 2-5% clad failure depending on core inventory and RCS volume).

Monitors used for this fission product barrier loss threshold are the Containment High Range Radiation Monitors RU-148 and RU-149 (ref. 1).

The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals 300 pCi/gm dose equivalent 1-131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier.

The radiation monitor reading in this threshold is higher than that specified for RCS Barrier Loss threshold C.1 since it indicates a loss of both the Fuel Clad Barrier and the RCS Barrier.

Note that a combination of the two monitor readings appropriately escalates the ECL to a Site Area Emergency.

PVNGS Basis Reference(s):

1. Calculation 13-NC-ZY-216, Determination of Containment Activities from High Radiation Monitors
2. NEI 99-01, CTMT Radiation / RCS Activity Fuel Clad Loss 3.A Page 186 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 289 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: C. CTMT Radiation / RCS Activity Degradation Threat: Loss Threshold:

2. Dose equivalent 1-131 coolant activity > 300 uCi/gm Definition(s):

None Basis:

Dose Equivalent Iodine (DEI) is determined by procedure 74ST-9RC02, Reactor Coolant System Specific Activity Surveiilance Test {ret. 1).

Elevated reactor coolant activity represents a potential degradation in the level of safety of the plant and a potential precursor of more serious problems. The threshold dose equivalent 1-131 concentration is well above that expected for iodine spikes and corresponds to about 2% to 5%

fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier (ref. 2).

This threshold indicates that RCS radioactivity concentration is greater than 300 pCi/gm dose equivalent 1-131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier.

It is recognized that sample collection and analysis of reactor coolant with highly elevated activity levels could require several hours to complete. Nonetheless, a sample-related threshold is included as a backup to other indications.

There is no Potential Loss threshold associated with RCS Activity / Containment Radiation.

PVNGS Basis Reference(s):

1. Procedure 74ST-9RC02, Reactor Coolant System Specific Activity Surveillance Test
2. NEI 99-01, CTMT Radiation / RCS Activity Fuel Clad Loss 3.B Page 187 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 290 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: C. CTMT Radiation / RCS Activity Degradation Threat: Potential Loss Threshold:

None Page 188 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 291 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: D. CTMT Integrity or Bypass Degradation Threat: Loss Threshold:

None Page 189 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 292 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: D. CTMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

None Page 190 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 293 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: E. Emergency Coordinator Judgment Degradation Threat: Loss Threshold:

1. Any condition in the opinion of the Emergency Coordinator that indicates loss of the Fuel Clad barrier Definition(s):

None Basis:

The Emergency Coordinator judgment threshold addresses any other factors relevant to determining if the Fuel Clad barrier is lost. Such a determination should include imminent barrier degradation, barrier monitoring capability and dominant accident sequences.

  • Imminent barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current safety system performance. The term imminent refers to recognition of the inability to reach safety function acceptance criteria before completion of all checks.
  • Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

  • Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The Emergency Coordinator should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that are to be used by the Emergency Coordinator in determining whether the Fuel Clad barrier is lost PVNGS Basis Reference(s):

1. NEI 99-01, Emergency Director Judgment Fuel Clad Loss 6.A Page 191 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 294 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Fuel Clad Category: E. Emergency Coordinator Judgment Degradation Threat: Potential Loss Threshold:

1. Any condition in the opinion of the Emergency Coordinator that indicates potential loss of the Fuel Clad barrier Basis:

The Emergency Coordinator judgment threshold addresses any other factors relevant to determining if the Fuel Clad barrier is potentially lost. Such a determination should include imminent barrier degradation, barrier monitoring capability and dominant accident sequences.

  • Imminent barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current safety system performance. The term imminent refers to recognition of the inability to reach safety function acceptance

- criteria before completion of all checks.

  • Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

  • Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The Emergency Coordinator should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that are to be used by the Emergency Coordinator in determining whether the Fuel Clad barrier is potentially lost. The Emergency Coordinator should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored.

PVNGS Basis Reference(s):

1. NEI 99-01, Emergency Director Judgment Potential Fuel Clad Loss 6.A Page 192 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 295 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: A. RCS or SG Tube Leakage Degradation Threat: Loss Threshoid:

1. An automatic or manual ECCS (SIAS) actuation required by EITHER:
  • UNISOLABLE RCS leakage
  • SG tube RUPTURE Definition(s):

UNISOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

RUPTURE - The condition of a steam generator in which primary-to-secondary leakage is of sufficient magnitude to require a safety injection.

Basis:

This threshold is based on an UNISOLABLE RCS leak of sufficient size to require an automatic or manual actuation of the Emergency Core Cooling System (ECCS). This condition clearly represents a loss of the RCS Barrier.

This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS leakage through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment.

A steam generator with primary-to-secondary leakage of sufficient magnitude to require a safety injection is considered to be RUPTURED. If a RUPTURED steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold 1.A will also be met.

PVNGS Basis Reference(s):

1. Procedure 40EP-9E001, Reactor Trip
2. Procedure 40EP-9E003, Loss of Coolant Accident
3. Procedure 40EP-9E004, Steam Generator Tube Rupture
4. NEI 99-01, RCS or SG Tube Leakage Reactor Coolant System Loss 1 .A Page 193 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 296 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

1. With letdown isolated, operation of the standby charging pump is required by EITHER:
  • UNISOLABLE RCS leakage
  • SG tube leakage Definition(s):

UNISOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

Basis:

This threshold is based on the inability to maintain liquid inventory within the RCS by normal operation of the Chemical and Volume Control System (CVCS). The CVCS includes three charging pumps: two charging pumps are normally operating with a flow capacity of ~44 gpm each or a total of 88 gpm (ref. 1). Approximately 10 gpm of charging flow bypasses the RCS due to leakage through the RCP seals; thus, the normal charging lineup delivers 88 gpm - 10 gpm = 78 gpm (ref. 1). A third charging pump being required with letdown isolated is indicative of a substantial RCS leak.

If the standby charging pump is started in response to decreasing pressurizer level and following isolation of letdown and/or the leak pressurizer level can be subsequently maintained with just two charging pumps, this threshold is not exceeded.

This threshold is based on an UNISOLABLE RCS leak that results in the inability to maintain pressurizer level within specified limits by operation of a normally used charging (makeup) pump, but an ECCS (SI) actuation has not occurred. The threshold is met when an operating procedure, or operating crew supervision, directs that a standby charging (makeup) pump be placed in service to restore and maintain pressurizer level following appropriate system isolation.

This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS leakage through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment.

If a leaking steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold 1 .A will also be met.

Page 194 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 297 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases PVNGS Basis Reference(s):

1. UFSAR Section 9.3.4, Chemical and Volume Control System
2. Procedure 40EP-9E001, Reactor Trip
3. Procedure 40EP-9E001, Standard Post Trip Actions
4. Procedure 40EP-9E003, Loss of Coolant Accident
5. Procedure 40EP-9E004, Steam Generator Tube Rupture
6. NEI 99-01, RCS or SG Tube Leakage Reactor Coolant System Potential Loss 1 .A Page 195 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 298 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

2. Pressurized thermal shock transient in excess of the upper (200°F) subcooling P/T limit (Note 9)

AND RCS pressure is rising Note 9: A pressurized thermal shock transient is defined as an UNPLANNED overcooling transient which causes RCS temperature to go below 500°F Definition(s):

UNPLANNED - A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown.

Basis:

The "Potential Loss" threshold is defined by the upper subcooling P/T limit in combination with increasing RCS pressure which indicates an extreme challenge to the RCS barrier due to pressurized thermal shock transient, (ref. 1,2, 3).

A pressurized thermal shock transient is defined as an unplanned overcooling transient which causes RCS temperature to go below 500°F (ref. 4).

This condition indicates an extreme challenge to the integrity of the RCS pressure boundary due to pressurized thermal shock - a transient that causes rapid RCS cooldown while the RCS is in Mode 3 or higher (i.e., hot and pressurized).

PVNGS Basis Reference(s):

1. Procedure 40EP-9E005, Excess Steam Demand
2. Procedure 40EP-9E009, Functional Recovery
3. Procedure 40EP-9E010, Standard Appendices Attachment 2 Figures
4. Procedure 40DP-9AP17, Standard Appendices Technical Guideline
5. NEI 99-01, RCS or SG Tube Leakage Reactor Coolant System Potential Loss 1 .B Page 196 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 299 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: B. Inadequate Heat Removal Degradation Threat: Loss Threshold:

None Page 197 of 230 J-

PVNGS EMERGENCY PLAN REVISION 59 PAGE 300 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

1. RCS heat removal cannot be established AND

______ RCS subcooling < 24°F_________________________________________________

Definition(s):

None Basis:

In combination with FC Potential Loss B.1, meeting this threshold results in a Site Area Emergency.

The steam generators (SGs) provide the normal means of heat transfer from the RCS to the main condenser and ultimate heat sink. Procedure 40EP-9E003, Loss of Coolant Accident, requires maintenance of RCS heat removal at all times during a LOCA. Once RCS pressure and temperature are reduced, RCS heat removal can be provided by Shutdown Cooling (SDC). Once the SDC is placed in service, the SG heat sink capability is no longer necessary (ref. 1).

If RCS subcooling approaches 24°F, the margin to superheated conditions is being reduced.

Following an uncomplicated reactor trip, subcooling margin should be in excess of 50°F.

Subcooling margin greater than 24°F ensures the fluid surrounding the core is sufficiently cooled and provides margin for reestablishing SI flow should subcooling deteriorate when SI flow is secured. Voids may exist in some parts of the RCS (e.g.. Reactor Vessel head) but are permissible as long as core heat removal is maintained (ref. 2). RCS subcooling is determined using appropriate CET or Tuot temperature indications. Upper head subcooling indication should not be used.

The combination of these conditions indicates the ultimate heat sink function is under extreme challenge. This threshold addresses loss of functions required for hot shutdown with the reactor at pressure and temperature and thus a potential loss of the Fuel Clad barrier. This is also a potential loss of the RCS barrier and therefore results in at least a Site Area Emergency.

This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the RCS Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted.

Page 198 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 301 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Meeting this threshold results in a Site Area Emergency because this threshold is identical to Fuel Clad Barrier Potential Loss threshold B.2; both will be met. This condition warrants a Site Area Emergency declaration because inadequate RCS heat removal may result in fuel heat-up sufficient to damage the cladding and increase RCS pressure to the point where mass will be lost from the system.

PVNGS Basis Reference(s):

1. Procedure 40EP-9E003, Loss of Coolant Accident
2. Procedure 40EP-9E009, Functional Recovery
3. NEI 99-01, Inadequate Heat Removal RCS Loss 2.B Page 199 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 302 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: C. CTMT Radiation/ RCS Activity Degradation Threat: Loss Threshold:

1. Containment radiation RU-148 > 5.0E+04 mR/hr OR RU-149 > 5.6E+04 mR/hr Definition(s):

N/A Basis:

Containment radiation monitor readings greater than the specified values (ref. 1) indicate the release of reactor coolant to the Containment. The readings assume the instantaneous release and dispersal of the reactor coolant noble gas and iodine inventory associated with normal operating concentrations (i.e., within Technical Specifications) into the Containment atmosphere. Because of the very high fuel clad integrity, only small amounts of noble gases would be dissolved in the primary coolant.

The readings are derived assuming the instantaneous release and dispersal of the reactor coolant noble gas and iodine inventory associated with a concentration of 60 pCi/gm dose equivalent 1-131 into the Containment atmosphere with containment sprays operating. The values are based on calculated readings fifteen minutes after shutdown.

Monitors used for this fission product barrier loss threshold are the Containment High Range Radiation Monitors RU-148 and RU-149 (ref. 1).

The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals Technical Specification allowable limits. This value is lower than that specified for Fuel Clad Barrier Loss threshold C.1 since it indicates a loss of the RCS Barrier only.

There is no Potential Loss threshold associated with RCS Activity / Containment Radiation.

PVNGS Basis Reference(s):

1. Calculation 13-NC-ZY-216, Determination of Containment Activities from High Radiation Monitors
2. NEI 99-01, CTMT Radiation / RCS Activity RCS Loss 3.A Page 200 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 303 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: C. CTMT Radiation/ RCS Activity Degradation Threat: Potential Loss Threshold:

None Page 201 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 304 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: D. CTMT Integrity or Bypass Degradation Threat: Loss Threshoid:

None Page 202 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 305 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: D. CTMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

None Page 203 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 306 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: E. Emergency Coordinator Judgment Degradation Threat: Loss Threshold:

1. Any condition in the opinion of the Emergency Coordinator that indicates loss of the RCS barrier Definition(s):

None Basis:

The Emergency Coordinator judgment threshold addresses any other factors relevant to determining if the RCS barrier is lost. Such a determination should include imminent barrier degradation, barrier monitoring capability and dominant accident sequences.

  • Imminent barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current safety system performance. The term imminent refers to recognition of the inability to reach safety function acceptance criteria before completion of all checks.
  • Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

  • Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The Emergency Coordinator should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the Emergency Coordinator in determining whether the RCS Barrier is lost.

PVNGS Basis Reference(s):

1. NEI 99-01, Emergency Director Judgment RCS Loss 6.A Page 204 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 307 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Reactor Coolant System Category: E. Emergency Coordinator Judgment Degradation Threat: Potential Loss Threshold:

1. Any condition in the opinion of the Emergency Coordinator that indicates potential loss of the RCS barrier Definition(s):

None Basis:

The Emergency Coordinator judgment threshold addresses any other factors relevant to determining if the RCS barrier is potentially lost. Such a determination should include imminent barrier degradation, barrier monitoring capability and dominant accident sequences.

  • Imminent barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current safety system performance. The term imminent refers to recognition of the inability to reach safety function acceptance criteria before completion of all checks.
  • Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

  • Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The Emergency Coordinator should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the Emergency Coordinator in determining whether the RCS Barrier is potentially lost. The Emergency Coordinator should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored.

PVNGS Basis Reference(s):

1. NEI 99-01, Emergency Director Judgment RCS Potential Loss 6.A Page 205 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 308 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: A. RCS or SG Tube Leakage Degradation Threat: Loss Threshold:

1. A leaking or RUPTURED SG is FAULTED outside of containment Definition(s):

FAULTED - The term applied to a steam generator that has a steam or feedwater leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized.

RUPTURED - The condition of a steam generator in which primary-to-secondary leakage is of sufficient magnitude to require a safety injection.

Basis:

This threshold addresses a leaking or RUPTURED Steam Generator (SG) that is also FAULTED outside of containment. The condition of the SG, whether leaking or RUPTURED, is determined in accordance with the thresholds for RCS Barrier Potential Loss A.1 and Loss A.1, respectively. This condition represents a bypass of the containment barrier.

FAULTED is a defined term within the NEI 99-01 methodology: this determination is not necessarily dependent upon entry into, or diagnostic steps within, an EOP. For example, if the pressure in a steam generator is decreasing uncontrollably (part of the FAULTED definition) and the FAULTED steam generator isolation procedure is not entered because EOP user rules are dictating implementation of another procedure to address a higher priority condition, the steam generator is still considered FAULTED for emergency classification purposes.

The FAULTED criterion establishes an appropriate lower bound on the size of a steam release that may require an emergency classification. Steam releases of this size are readily observable with normal Control Room indications. The lower bound for this aspect of the containment barrier is analogous to the lower bound criteria specified in IC SU4 for the fuel clad barrier (i.e., RCS activity values) and IC SU5 for the RCS barrier (i.e., RCS leak rate values).

This threshold also applies to prolonged steam releases necessitated by operational considerations such as the forced steaming of a leaking or RUPTURED steam generator directly to atmosphere to cooldown the plant. These type of condition will result in a significant and sustained release of radioactive steam to the environment (and are thus similar to a FAULTED condition). The inability to isolate the steam flow without an adverse effect on plant cooldown meets the intent of a loss of containment.

Page 206 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 309 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Steam releases associated with the expected operation of a SG Atmospheric Dump Valve(s) do not meet the intent of this threshold. Such releases may occur intermittently for a short period of time following a reactor trip as operators process through emergency operating procedures to bring the plant to a stable condition and prepare to initiate a plant cooldown.

This includes the initial cooldown to 540°F to isolate the ruptured SG using Atmospheric Dump Valves directed in the SGTR EOP. Steam releases associated with the unexpected operation of a valve (e.g., a stuck-open safety valve) do meet this threshold.

Following an SG tube leak or rupture, there may be minor radiological releases through a secondary-side system component (e.g., air ejectors, glad seal exhausters, valve packing, steam traps, terry turbine exhaust, etc.). These types of releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs.

The ECLs resulting from primary-to-secondary (P-to-S) leakage, with or without a steam release from the FAULTED SG, are summarized below.

Affected SG is FAULTED Outside of Containment?

P-to-S Leak Rate Yes No Less than or equal to 25 gpm No classification No classification Greater than 25 gpm Unusual Event per SU5.1 Unusual Event per SU5.1 Requires operation of the standby charging (makeup) Site Area Emergency per Alert perFAI.1 pump (RCS Barrier Potential Loss) FS1.1 Requires an automatic or manual ECCS (SIAS) Site Area Emergency per Alert per FA1.1 actuation (RCS Barrier Loss) FS1.1 There is no Potential Loss threshold associated with RCS or SG Tube Leakage.

PVNGS Basis Reference(s):

1. Procedure 40EP-9E001, Reactor Trip
2. Procedure 40EP-9E001, Standard Post Trip Actions
3. Procedure 40EP-9E003, Loss of Coolant Accident
4. Procedure 40EP-9E010, Excess Steam Demand
5. Procedure 40EP-9E004, Steam Generator Tube Rupture
6. NEI 99-01, RCS or SG Tube Leakage Containment Loss 1 .A Page 207 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 310 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: A. RCS or SG Tube Leakage Degradation Threat: Potential Loss Threshold:

None Page 208 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 311 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: B. Inadequate Heat Removal Degradation Threat: Loss None Page 209 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 312 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: B. Inadequate Heat Removal Degradation Threat: Potential Loss Threshold:

1. RepCETs> 1200°F AND Functional recovery procedure not effective within 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Definition(s):

None Basis:

Core Exit Thermocouples (CETs) are a component of Inadequate Core Cooling Instrumentation and provide an indirect indication of fuel clad temperature by measuring the temperature of the reactor coolant that leaves the core region. Although clad rupture due to high temperature is not expected for CET readings less than the threshold, temperatures of this magnitude signal significant superheating of the reactor coolant and core uncovery (ref. 1).

The 15 minute threshold starts when operators begin taking procedurally directed functional recovery actions.

If CET readings are greater than 1,200°F (ref. 1), the Fuel Clad barrier is also lost.

Rep CET (Representative Core Exit Temperature) is a calculated temperature value generated by the Qualified Safety Parameter Display System (QSPDS). The QSPDS CET processing function generates a representative temperature based on a statistical analysis of thermocouples monitoring the reactor coolant temperature at the top of selected fuel assemblies.

This condition represents an IMMINENT core melt sequence which, if not corrected, could lead to vessel failure and an increased potential for containment failure. For this condition to occur, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. If implementation of a procedure(s) to restore adequate core cooling is not effective (successful) within 15 minutes, it is assumed that the event trajectory will likely lead to core melting and a subsequent challenge of the Containment Barrier.

The restoration procedure is considered effective if core exit thermocouple readings are decreasing and/or if reactor vessel level is increasing. Whether or not the procedure(s) will be effective should be apparent within 15 minutes. The Emergency Coordinator should escalate Page 210 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 313 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases the emergency classification level as soon as it is determined that the procedure(s) will not be effective.

Severe accident analyses (e.g., NUREG-1150) have concluded that function restoration procedures can arrest core degradation in a significant fraction of core damage scenarios, and that the likelihood of containment failure is very small in these events. Given this, it is appropriate to provide 15 minutes beyond the required entry point to determine if procedural actions can reverse the core melt sequence.

PVNGS Basis Reference(s):

1. UFSAR Appendix 18B, System 80 Generic Inadequate Core Cooling Instrumentation
2. Procedure 40EP-9E009, Functional Recovery
4. NEI 99-01, Inadequate Heat Removal Containment Potential Loss 2.A Page 211 of 230 Lt - ,

PVNGS EMERGENCY PLAN REVISION 59 PAGE 314 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: C. CTMT Radiation/RCS Activity Degradation Threat: Loss Threshold:

None Page 212 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 315 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: C. CTMT Radiation/RCS Activity Degradation Threat: Potential Loss Threshold:

1. Containment radiation RU-148 > 6.8E+06 mR/hr OR RU-149 > 7.8E+06 mR/hr Definition(s):

None Basis:

Containment radiation monitor readings greater than the values shown (ref. 1) indicate significant fuel damage well in excess of that required for loss of the RCS barrier and the Fuel Clad barrier.

The reading is derived assuming the instantaneous release and dispersal of the reactor coolant noble gas and iodine inventory associated with 20% clad failure into the Containment atmosphere with containment sprays operating. The values are based on calculated readings fifteen minutes after shutdown.

The readings are higher than that specified for Fuel Clad barrier Loss C.1 and RCS barrier Loss C.1. Containment radiation readings at or above the Containment barrier Potential Loss threshold, therefore, signify a loss of two fission product barriers and Potential Loss of a third, indicating the need to upgrade the emergency classification to a General Emergency.

Monitors used for this fission product barrier loss threshold are the Containment High Range Radiation Monitors RU-148 and RU-149 (ref. 1).

The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that 20% of the fuel cladding has failed. This level of fuel clad failure is well above that used to determine the related Fuel Clad Barrier Loss and RCS Barrier Loss thresholds.

NUREG-1228, Source Estimations During Incident Response to Severe Nuclear Power Plant Accidents, indicates the fuel clad failure must be greater than approximately 20% in order for there to be a major release of radioactivity requiring offsite protective actions. For this condition to exist, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. It is therefore prudent to treat this condition as a potential loss of containment which would then escalate the ECL to a General Emergency.

PVNGS Basis Reference(s):

1. Calculation 13-NC-ZY-216, Determination of Containment Activities from High Radiation Monitors
2. NEl 99-01, CTMT Radiation / RCS Activity Containment Potential Loss 3.A Page 213 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 316 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CTMT Integrity or Bypass Degradation Threat: Loss Threshold:

1. Containment isolation is required AND EITHER:
  • Containment integrity has been lost based on Emergency Coordinator judgment
  • UNISOLABLE pathway from Containment to the environment exists Definition(s):

UNISOLABLE - An open or breached system line that cannot be isolated, remotely or locally.

Basis:

Containment isolations are initiated by the Containment Isolation Actuation System (CIAS) in response to a high containment pressure signal or low pressurizer pressure below the SIAS setpoint (ref. 1,2).

A penetration is considered isolated with at least one containment isolation valve closed. This may include a check valve if there is no indication that it has failed to close.

Palo Verde specific operating experience is that a High Pressure Seal Cooler (HPSC) leak to the Nuclear Cooling Water (NC) System must be isolated to containment within 15 minutes of discovery due to the location of the NC system expansion tank and potential dose concerns on the Auxiliary Building roof.

These thresholds address a situation where containment isolation is required and one of two conditions exists as discussed below. Users are reminded that there may be accident and release conditions that simultaneously meet both bulleted thresholds.

First Threshold - Containment integrity has been lost, i.e., the actual containment atmospheric leak rate likely exceeds that associated with allowable leakage (or sometimes referred to as design leakage). Following the release of RCS mass into containment, containment pressure will fluctuate based on a variety of factors; a loss of containment integrity condition may (or may not) be accompanied by a noticeable drop in containment pressure. Recognizing the inherent difficulties in determining a containment leak rate during accident conditions, it is expected that the Emergency Coordinator will assess this threshold using judgment and with due consideration given to current plant conditions and available operational and radiological data (e.g., containment pressure, readings on radiation monitors outside containment, operating status of containment pressure control equipment, etc.).

Refer to the middle piping run of Figure 1. Two simplified examples are provided. One is leakage from a penetration and the other is leakage from an in-service system valve.

Page 214 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 317 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Depending upon radiation monitor locations and sensitivities, the leakage could be detected by any of the four monitors depicted in the figure.

Another example would be a loss or potential loss of the RCS barrier and the simultaneous occurrence of two FAULTED locations on a steam generator where one fault is located inside containment (e.g., on a steam or feedwater line) and the other outside of containment. In this case, the associated steam line provides a pathway for the containment atmosphere to escape to an area outside the containment.

Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable (design) containment leakage through various penetrations or system components. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs.

Second Threshold - Conditions are such that there is an UNISOLABLE pathway for the migration of radioactive material from the containment atmosphere to the environment. As used here, the term environment includes the atmosphere of a room or area, outside the containment, that may, in turn, communicate with the outside-the-plant atmosphere (e.g.,

through discharge of a ventilation system or atmospheric leakage). Depending upon a variety of factors, this condition may or may not be accompanied by a noticeable drop in containment pressure.

Refer to the top piping run of Figure 1. In this simplified example, the inboard and outboard isolation valves remained open after a containment isolation was required (i.e., containment isolation was not successful). There is now an UNISOLABLE pathway from the containment to the environment.

The existence of a filter is not considered in the threshold assessment. Filters do not remove fission product noble gases. In addition, a filter could become ineffective due to iodine and/or particulate loading beyond design limits (i.e., retention ability has been exceeded) or water saturation from steam/high humidity in the release stream.

Leakage between two interfacing liquid systems, by itself, does not meet this threshold. There must be a release involved to atmosphere or into another plant structure outside of Containment.

Refer to the bottom piping run of Figure 1. In this simplified example, leakage in an RCP seal cooler is allowing radioactive material to enter the Auxiliary Building. The radioactivity would be detected by the Process Monitor. If there is no leakage from the closed water cooling system to the Auxiliary Building or atmosphere, then no threshold has been met.

Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable containment leakage through various penetrations or system components. Minor releases may also occur if a containment isolation valve(s) fails to close but the containment atmosphere escapes to an enclosed system. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs.

Page 215 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 318 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases The status of the containment barrier during an event involving steam generator tube leakage is assessed using Loss Threshold A.1.

PVNGS Basis Reference(s):

1. UFSAR Section 6.2.1.5.3.8, Containment Purge System
2. UFSAR Section 6.2.4, Containment Isolation System
3. NEI 99-01, CTMT Integrity or Bypass Containment Loss 4.A Page 216 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 319 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CTMT Integrity or Bypass Degradation Threat: Loss Threshold:

2. Indications of RCS leakage outside of Containment Definition(s):

None Basis:

Procedure 40AO-9Z202, Excessive RCS Leakrate, (ref. 1) provides instructions to identify and isolate a LOCA outside of the containment. Potential RCS leak pathways outside containment include (ref. 1,2):

  • Nuclear Cooling System (such as RCP high pressure seal cooler to NC system)
  • Safety Injection
  • Chemical & Volume Control
  • RCS sample lines Palo Verde specific operating experience is that a High Pressure Seal Cooler (HPSC) leak to the Nuclear Cooling Water (NC) System must be isolated to containment within 15 minutes of discovery due to the location of the NC system expansion tank and potential dose concerns on the Auxiliary Building roof.

RCS Leakage Outside of Containment?

RCS Leak Rate Yes No Less than or equal to 25 gpm No classification No classification Greater than 25 gpm Unusual Event per SU5.1 Unusual Event per SU5.1 Requires operation of the standby charging (makeup) Site Area Emergency per Alert per FA1.1 pump {RCS Barrier Potential Loss) FS1.1 Requires an automatic or manual ECCS (SIAS) Site Area Emergency per Alert perFAH actuation {RCS Barrier Loss) FS1.1 Containment sump, temperature, pressure and/or radiation levels will increase if reactor coolant mass is leaking into the containment. If these parameters have not increased, then the reactor coolant mass may be leaking outside of containment (i.e., a containment bypass sequence). Increases in sump, temperature, pressure, flow and/or radiation level readings Page 217 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 320 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases outside of the containment may indicate that the RCS mass is being lost outside of containment.

Unexpected elevated readings and alarms on radiation monitors with detectors outside containment should be corroborated with other available indications to confirm that the source is a loss of RCS mass outside of containment. If the fuel clad barrier has not been lost, radiation monitor readings outside of containment may not increase significantly; however, other unexpected changes in sump levels, area temperatures or pressures, flow rates, etc.

should be sufficient to determine if RCS mass is being lost outside of the containment.

Refer to the middle piping run of Figure 1. In this simplified example, a leak has occurred at a reducer on a pipe carrying reactor coolant in the Auxiliary Building. Depending upon radiation monitor locations and sensitivities, the leakage could be detected by any of the four monitors depicted in the figure and cause threshold D.1 to be met as well.

Refer to the bottom piping run of Figure 1. In this simplified example, leakage in an RCP seal cooler is allowing radioactive material to enter the Auxiliary Building and then atmosphere.

The radioactivity would be detected by the Process Monitor. If the Nuclear Cooling System (NC) pump developed a leak that allowed steam/water to leak to atmosphere, then this threshold is met.

To ensure proper escalation of the emergency classification, the RCS leakage outside of containment must be related to the mass loss that is causing the RCS Loss and/or Potential Loss threshold A.1 to be met.

PVNGS Basis Reference(s):

1. Procedure 40AO-9ZZ02, Excessive RCS Leakrate
2. Procedure 40EP-9E003, Loss of Coolant Accident
3. NEI 99-01, CTMT Integrity or Bypass Containment Loss Page 218 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 321 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Figure 1: Containment Integrity or Bypass Examples 2nd Threshold-Airborne Effluent release Auxiliary Building from Monitor pathway Inside Containment Damper ___

Area Mf ^ewwswesewii Monitor Open valve Open valve Damper Penetration ^ t X Threshold-Airtwme Airborne I Monitor 0.2 Threshold-pen valve RCS Open valve leakage 1

Threshold- outside AB Interface leakage Airborne release from penetration Monitor Closed Cooling Open valve Open valve NC Pump RCP Seal Cooling Page 219 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 322 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CTMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

1. Containment pressure > 60 psig Definition(s):

None Basis:

60 psig is the containment design pressure (ref. 1).

If containment pressure exceeds the design pressure, there exists a potential to lose the Containment Barrier. To reach this level, there must be an inadequate core cooling condition for an extended period of time; therefore, the RCS and Fuel Clad barriers would already be lost. Thus, this threshold is a discriminator between a Site Area Emergency and General Emergency since there is now a potential to lose the third barrier.

PVNGS Basis Reference(s):

1. UFSAR Section 1.2.12.1, Containment Building
2. NEI 99-01, CTMT Integrity or Bypass Containment Potential Loss 4.A Page 220 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 323 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CTMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

2. Containment hydrogen concentration > 4.5%

Definition(s):

None Basis:

Following a design basis accident, hydrogen gas may be generated inside the containment by reactions such as zirconium metal with water, corrosion of materials of construction and radiolysis of aqueous solution in the core and sump. (ref. 1, 3).

PVNGS is equipped with a Containment Hydrogen Control (HP) system which serves to limit or reduce combustible gas concentrations in the Containment. The HP system is an engineered safety feature with redundant hydrogen recombiners, hydrogen mixing system, hydrogen monitoring subsystem and a backup hydrogen purge subsystem. The HP system is designed to maintain the Containment hydrogen concentration below 4% by volume (ref. 1,2).

HP system operation is prescribed by EOPs if Containment hydrogen concentration should reach 0.7% by volume (minimum detectable) (ref. 3).

The PVNGS Safety Function Status Check for LOCA, Containment Combustible Gas Control (procedure 40EP-9E003, Loss of Coolant Accident), uses 4.5% as an acceptance criterion, which represents the Hydrogen Recombiner Function Failure Indication. This value should not be exceeded if the hydrogen recombiners are operating as desired.

If the Potential Loss threshold is reached or exceeded, the primary means of controlling Containment hydrogen concentration must have failed to perform its design function or has otherwise been inadequate in mitigating the hydrogen generation rate. For either case, continued hydrogen production may yield a flammable hydrogen concentration and a consequent threat to Containment integrity.

To generate such levels of combustible gas, loss of the Fuel Clad and RCS barriers must have occurred. With the Potential Loss of the containment barrier, the threshold hydrogen concentration, therefore, will likely warrant declaration of a General Emergency.

Two Containment hydrogen monitor indicators (HPA-AI-9 and HPB-AI-10) with a range of 0%

to 10% provide indication on Control Room Panel B02 (ref. 2).

The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen burn (e.g., at the lower deflagration limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a potential loss of the Containment Barrier.

Page 221 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 324 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases PVNGS Basis Reference(s):

1. UFSAR Section 6.2.5, Combustible Gas Control in Containment
2. Design Basis Manual - HP Containment Hydrogen Control System
3. Procedure 40DP-9AP14, Functional Recovery Technical Guidline, Section 15.0 Containment Combustible Gas Control
4. NEI 99-01, CTMT Integrity or Bypass Containment Potential Loss 4.B Page 222 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 325 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: D. CTMT Integrity or Bypass Degradation Threat: Potential Loss Threshold:

3. Containment pressure > 8.5 psig with < 4350 gpm Containment Spray flow for > 15 minutes (Note 1)

Note 1: The Emergency Coordinator should declare the event promptly upon determining that time limit has been exceeded, or will likely be exceeded.

Definition(s):

None Basis:

The Containment Spray System consists of two separate trains of equal capacity, each capable of meeting the design bases requirement. Each train includes a containment spray pump, spray headers, nozzles, valves and piping. The refueling water storage tank (RWT) supplies borated water to the Containment Spray System during the injection phase of operation. In the recirculation mode of operation. Containment Spray pump suction is transferred from the RWT to the Containment sumps (ref. 1).

The Containment pressure high-high setpoint (8.5 psig) is the pressure at which the Containment Spray equipment should actuate and begin performing its function (ref. 2).

Consistent with the design requirement, one full train of depressurization equipment is therefore defined to be the availability of one train of Containment Spray providing a minimum of 4350 gpm spray flow (ref. 3). If less than this equipment is operating and Containment pressure is above the actuation setpoint, the threshold is met.

This threshold describes a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible. This threshold represents a potential loss of containment in that containment heat removal/depressurization systems (e.g., containment sprays but not including containment venting strategies) are either lost or performing in a degraded manner.

PVNGS Basis Reference(s):

1. UFSAR Section 6.2.2, Containment Heat Removal System
2. UFSAR Table 7.3-11 A, ESFAS Setpoints and Margins to Actuation
3. Procedure 40EP-9E001, Standard Post Trip Actions
4. NEI 99-01, CTMT Integrity or Bypass Containment Potential Loss 4.C Page 223 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 326 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: E. Emergency Coordinator Judgment Degradation Threat: Loss Threshold:

1. Any condition in the opinion of the Emergency Coordinator that indicates loss of the Containment barrier Definition(s):

None Basis:

The Emergency Coordinator judgment threshold addresses any other factors relevant to determining if the Primary Containment barrier is lost. Such a determination should include imminent barrier degradation, barrier monitoring capability and dominant accident sequences.

  • Imminent barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current safety system performance. The term imminent refers to recognition of the inability to reach safety function acceptance criteria before completion of all checks.
  • Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

  • Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The Emergency Coordinator should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the Emergency Coordinator in determining whether the Containment Barrier is lost.

PVNGS Basis Reference(s):

1. NEI 99-01, Emergency Director Judgment PC Loss 6.A Page 224 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 327 of 332 ATTACHMENT 2 Fission Product Barrier Loss/Potential Loss Matrix and Bases Barrier: Containment Category: E. Emergency Coordinator Judgment Degradation Threat: Potential Loss Threshold:

1. Any condition in the opinion of the Emergency Coordinator that indicates potential loss of the Containment barrier Definition(s):

None Basis:

The Emergency Coordinator judgment threshold addresses any other factors relevant to determining if the Primary Containment barrier is potentially lost. Such a determination should include imminent barrier degradation, barrier monitoring capability and dominant accident sequences.

  • Imminent barrier degradation exists if the degradation will likely occur within relatively short period of time based on a projection of current safety system performance. The term imminent refers to recognition of the inability to reach safety function acceptance criteria before completion of all checks.
  • Barrier monitoring capability is decreased if there is a loss or lack of reliable indicators.

This assessment should include instrumentation operability concerns, readings from portable instrumentation and consideration of offsite monitoring results.

  • Dominant accident sequences lead to degradation of all fission product barriers and likely entry to the EOPs. The Emergency Coordinator should be mindful of the Loss of AC power (Station Blackout) and ATWS EALs to assure timely emergency classification declarations.

This threshold addresses any other factors that may be used by the Emergency Coordinator in determining whether the Containment Barrier is potentially lost. The Emergency Coordinator should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored.

PVNGS Basis Reference(s):

1. NEI 99-01, Emergency Director Judgment PC Potential Loss 6.A Page 225 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 328 of 332 ATTACHMENTS Safe Operation & Shutdown Rooms Tables R-2 & H-2 Bases

Background

NEI 99-01, Revision 6 ICs AA3 and HAS prescribe declaration of an Alert based on impeded access to rooms or areas (due to either area radiation levels or hazardous gas concentrations) where equipment necessary for normal plant operations, cooldown or shutdown is located.

These areas are intended to be plant operating mode dependent. Specifically the Developers Notes For AA3 and HAS states:

The site-specific list of plant rooms or areas with entry-related mode applicability identified should specify those rooms or areas that contain equipment which require a manual/local action as specified in operating procedures used for normal plant operation, cooldown and shutdown. Do not include rooms or areas in which actions of a contingent or emergency nature would be performed (e.g., an action to address an off-normal or emergency condition such as emergency repairs, corrective measures or emergency operations). In addition, the list should specify the plant mode(s) during which entry would be required for each room or area.

The list should not include rooms or areas for which entry is required solely to perform actions of an administrative or record keeping nature (e.g., normal rounds or routine inspections).

Further, as specified in IC HAS:

The list need not include the Control Room if adequate engineered safety/design features are in place to preclude a Control Room evacuation due to the release of a hazardous gas.

Such features may include, but are not limited to, capability to draw air from multiple air intakes at different and separate locations, inner and outer atmospheric boundaries, or the capability to acquire and maintain positive pressure within the Control Room envelope.

Page 226 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 329 of 332 ATTACHMENT 3 Safe Operation & Shutdown Rooms Tables R-2 & H-2 Bases PVNGS Table R-2 and H-2 Bases A review of station operating procedures identified the following mode dependent in-plant actions and associated areas that are required for normal plant operation, cooldown or shutdown:

Location- Modes- Modes-Safe Shutdown Area/Room 1.2 3,4 or 5 LPSI Pumps A and B SDC Equipment. Shut Down Cooling (SDC)

- No entry required - No entry required Inventory Control Equipment Inventory Control Equipment

- No entry required Reactivity Control.

- No entry required Containment Spray Pumps A Containment Pressure Control Shut Down Cooling (SDC) and B - No entry required - No entry required Inventory Control Equipment

- No entry required Reactivity Control.

- No entry required HPSI Pumps A and B Inventory Control Equipment. Inventory Control Equipment.

- No entry required - No entry required Reactivity Control. Reactivity Control.

- No entry required - No entry required Aux. Bldg 120 West Electrical Electrical Power. Electrical Power.

Penetration Room - No entry required - No entry required Aux. Bldg 100 East Electrical Electrical Power. Electrical Power.

Penetration Room - No entry required - No entry required Essential Cooling Water Pumps Support Equipment for Support Equipment for Habitability Habitability Control, Control, Containment Containment Temperature, Temperature, Control and Control and Shutdown Cooling Shutdown Cooling

- No entry required No entry required Control Building 100 foot 4160 Electrical Power. Electrical Power.

Class Switchgear Room A & B - No entry required - Entry required to access the DC equipment Rooms C and D-Modes 4 and 5 Control Building 100 foot Class Electrical Power. Electrical Power.

DC Equipment Rooms A & B - No entry required - No entry required Control Building 100 foot Class Electrical Power. Electrical Power.

DC Equipment Rooms C & D - No entry required - Energize LTOP Isolation Valves for SDC. Procedure 40OP-9ZZ23, Modes 4 and 5 Emergency Diesel Generators A Electrical Power. Electrical Power.

&B - No entry required - No entry required Emergency Diesel Generators Electrical Power. Electrical Power.

Day Tank Rooms - No entry required - No entry required EDG Building HVAC Room - No entry required - No entry required Control Building 160 ft Electrical - No entry required - No entry required Cable Spreading Control Building 120 ft Electrical - No entry required - No entry required Cable Spreading Control Building 80 ft Essential - No entry required - No entry required Chiller Rooms Page 227 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 330 of 332 ATTACHMENT 3 Safe Operal ion & Shutdown Rooms Tables R-2 & H-2 Bases Location- Modes- Modes-Safe Shutdown Area/Room 1,2 3,4 or 5 Control Building Battery Rooms - No entry required - No entry required A, B, C and D Turbine Building Elevations - No entry required - No entry required Main Steam Support Structure - No entry required - No entry required 140, 120 and 100 foot elevations Aux. Feedwater Pump Room A Steam Generator Heat Removal Steam Generator Heat Removal and B - No entry required - No entry required Spray Pond Pump Rooms A Support Equipment for Support Equipment for Habitability and B Habitability Control, Control, Containment Containment Temperature, Temperature, Control and Control and Shutdown Cooling Shutdown Cooling No entry required No entry required Table R-2 & H-2 Results Table R-2 & H-2 Safe Operation & Shutdown Rooms Room Mode Applicability l Control Building 100 ft. Class DC Equipment Room C 4.5 Control Building 100 ft. Class DC Equipment Room D 4,5 Plant Operating Procedures Reviewed

1. Procedure 400P-9ZZ05, Power Operations
2. Procedure 40OP-9ZZ23, Outage GOP
3. Procedure 40OP-9ZZ10, Mode 3 to Mode 5 Operations
4. Procedure 400P-9SI01, Shutdown Cooling Initiation Page 228 of 230

PVNGS EMERGENCY PLAN REVISION 59 PAGE 331 of 332 ATTACHMENT 4 Palo Verde Safety System List Safety System A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related (as defined in 10 CFR 50.2);

Those structures, systems and components that are relied upon to remain functional during and following design basis events to assure:

(1) The integrity of the reactor coolant pressure boundary; (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures.

The SAFETY SYSTEMS included in this definition are those included to satisfy Criteria 1,2 or 3 of 10 CFR 50.36(c)(2)(ii). Systems included by this definition are:

Structures - All Modes (except as noted)

  • Containment Building
  • Auxiliary Building
  • Diesel Building
  • Fuel Building
  • Control Building
  • Safety Injection (SI)
  • Refueling Water Tank
  • Containment Air Locks
  • Containment Isolation Valves- except when the penetration is isolated and out of service.
  • Main Feedwater Isolation Valves (SG) Mode 1-4 except when closed and deactivated or isolated by another valve
  • Atmospheric Dump Valves (SG) Modes 1-3, Mode 4 when Steam Generators are relied on for heat removal

PVNGS EMERGENCY PLAN REVISION 59 PAGE 332 of 332 ATTACHMENT 4 Palo Verde Safety System List

  • Condensate Storage Tank (CT) Modes 1-3, Mode 4 when Steam Generators are relied on for heat removal Essential Cooling Water System (EW)

Essential Chill Water System (EC)

Essential Spray Pond System (SP)

Ultimate Heat Sink (SP)

Control Room Essential Filtration and Ventilation (HJ)

Engineered Safety Features Pump Room Exhaust Cleanup (HF)

Diesel Generators (DG)

Diesel Fuel Oil System (DF)

DC Sources (PK)

Class Battery Chargers (PK)

Class Instrument Invertors (PN)

Distribution Systems (PB, PG, PH, PK and PN)

Shutdown Cooling System (SI) Mode 4 Reactor Protection System (RPS)

Engineered Safety Features Actuation System (ESFAS)

Balance of Plant Engineered Safety Features Actuation System (BOP-ESFAS)

Modes 5 and 6 Reactor Coolant System (RC)

Shutdown Cooling System (SI)

Diesel Generators (DG) Normally only one train required by TS Diesel Fuel Oil System (DF) Normally only one train required by TS DC Sources (PK) Normally only one train required by TS Class Battery Chargers (PK) Normally only one train required by TS Class Instrument Invertors (PN) Normally only one train required by TS Distribution Systems (PB, PG, PH, PK and PN) Normally only one train required by TS Control Room Essential Filtration and Ventilation (HJ)

Essential Cooling Water System (EW) Train(s) supporting Shutdown Cooling Essential Spray Pond System (SP) Train(s) supporting Shutdown Cooling and/or DG Ultimate Heat Sink (SP) Train(s) supporting Shutdown Cooling and/or DG Page 230 of 230

Enclosure 2 Summary of License Amendment 198 for PVNGS Emergency Plan Revision 59

Summary of License Amendment 198 for PVNGS Emergency Plan Revision 59

Background

By letter number 102-07135, dated October 9, 2015, Arizona Public Service Company (APS) submitted a license amendment request (LAR) to revise the Palo Verde Nuclear Generating Station (PVNGS) Emergency Action Levels (EALs) in accordance with the provisions of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix E,Section IV.B.2 and 10 CFR 50.90. APS proposed to change the EALs from a scheme based on Nuclear Energy Institute (NEI) 99-01, Revision 5, Methodology for Development of Emergency Action Levels, to a scheme provided in the subsequent Revision 6, which was endorsed by the U.S.

Nuclear Regulatory Commission (NRC) staff by letter dated March 28, 2013 (ADAMS Accession No. ML12346A463).

On September 8, 2016, the NRC staff issued a letter, Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments to Revise Emergency Action Levels to a Scheme Based on Nuclear Energy Institute NEI 99-01, Revision 6. This letter transmitted License Amendment No. 198 to Renewed Facility Operating License Nos. NPF-41, NPF-51 and NPF-74 for PVNGS Units 1, 2, and 3, respectively. The amendments consist of changes to the EAL scheme in response to the APS LAR dated October 9, 2015, as supplemented by letter dated May 12, 2016. The NRC also included a copy of the approved safety evaluation which was included in a Notice of Issuance in the NRC biweekly Federal Register notice.

Based on its review, the NRC concluded that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

PVNGS Emergency Plan Changes Revised Section 5.2, Eliminated Table 2, and added Appendix A Revised Section 5.2 to remove the EAL guidance and the EAL Technical Bases associated with Nuclear Energy Institute (NEI) 99-01, Revision 5, Methodology for Development of Emergency Action Levels. New EAL guidance, EALs and EAL Technical Bases previously provided in Section 5.2 and Table 2, Initiating Conditions and EAL Thresholds, are now provided in an Appendix A to the Emergency Plan.

The new Appendix A provides the new classification guidance and EAL Technical Basis. The content of Appendix A is identical to the submittal approved by the NRC.

Summary of License Amendment 198 for PVNGS Emergency Plan Revision 59 Conclusion Revision 59 of the PVNGS Emergency Plan is considered a conforming change; revising the emergency plan to incorporate License Amendment 198 and its associated safety evaluation. No modifications were made to the approved EAL Technical Bases and the change was incorporated into the PVNGS Emergency Plan, Revision 59, as submitted and approved by the NRC. An evaluation pursuant to 10 CFR 50.54(q) was not needed due to this change having received prior NRC approval and an NRC safety evaluation.

Retrieved from "https://kanterella.com/w/index.php?title=ML17263B249&oldid=1997406"