ML21294A085
| ML21294A085 | |
| Person / Time | |
|---|---|
| Site: | Susquehanna  |
| Issue date: | 10/12/2021 |
| From: | Talen Energy, Susquehanna |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML21294A245 | List:
|
| References | |
| PLA-7935 | |
| Download: ML21294A085 (130) | |
Text
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-1 START HISTORICAL APPENDIX 15A NUCLEAR SAFETY OPERATIONAL ANALYSIS (NSOA) -
(A System-Level/Qualitative Type Plant FMEA) 15A.1 OBJECTIVES 15A.1.1 General Objectives The general objectives of the Nuclear Safety Operational Analysis (NSOA) are cited below along with the mission of each objective.
(1)
Essential Protective Sequences - to identify and demonstrate that the essential protection sequences needed to accommodate the plant normal operations, anticipated and abnormal operational transients, and design basis accidents are available and adequate.
(2)
Design, Basis Adequacy - to identify and demonstrate that the safety design basis of the various structures, systems or components, needed to satisfy the plant essential protection sequences are appropriate, available and adequate.
(3)
System-Level/Qualitative Type FMEA - to provide a system level/qualitative-type Failure Modes and Effects Analysis (FMEA) of essential protective sequences to show compliance with the Single Active Component Failure (SACF) or Single Operator Error (SOE) criteria; (4)
NSOA Criteria Relative to Plant Safety Analysis - to identify the systems, equipment, or components' operational conditions or requirements essential to satisfy the nuclear safety operational criteria utilized in the Chapter 15 plant events; and (5)
Technical Specification Operational Basis - to establish limiting operating conditions, testing, and surveillance bases relative to plant technical specification operational requirements.
15A.1.2 Specific Objectives The specific objectives of the Nuclear Safety Operational Analysis (NSOA) are cited below:
(1)
Essential Protective Sequences - Each event considered in the plant safety analysis (Chapter 15) is further examined and analyzed. Essential protective sequences are identified. The appropriateness of each sequence is discussed for all operating modes. Each protective sequence path is evaluated for SACF.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-2 (2)
Design Basis Adequacy - Each essential protective sequence involves specific structures, systems or components performing safety or power generation functions. There are also interrelationships between primary systems and secondary or auxiliary equipment in providing these functions. The individual design bases (identified throughout the FSAR for each structure, system, or component) are brought together in this section. The entire plant safety analysis is evaluated here.
(3)
System-Level/Qualitative Type FMEA - A system-level, qualitative-type FMEA is presented here. Each protective sequence entry is evaluated relative to SACF or SOE criteria. Safety classification aspects and interrelationships between systems are also considered. The system-level SACF or SOE is a conservative "worst-case" envelope evaluation. Discounting any less severe evaluations than SACF or SOE such as by quantitative analysis is not claimed in this section although certainly it would assure less limiting results than shown.
(4)
NSOA Criteria Relative to Plant Safety Analysis - The safety analysis performed in Chapter 15 is further examined relative to the systematic classification of plant events by frequency of occurrence, radiological impact, unacceptable results, and allowable limits of the safety criteria for the various event classifications; normal (planned) operation, anticipated (expected) and abnormal (unexpected) operational transients, and design basis accidents are described.
(5)
Technical Specifications Operational Basis - Evaluations presented in this section provide the basis for justifications of more realistic, engineered technical specifications including system or equipment surveillance requirements, allowable down times, etc.
15A.2 APPROACH TO OPERATIONAL NUCLEAR SAFETY 15A.2.1 General Philosophy The objective of this appendix is to derive nuclear safety operational requirements and analyses for the plant that are based on specified measures of nuclear safety.
The specified measures of safety used in this analysis are referred to as "unacceptable results-oriented." They are analytically determinable limits on the consequences of different classifications of plant events. The nuclear safety operational analysis is thus an "event-consequence-oriented" evaluation.
15A.2.2 Specific Philosophy In this appendix the following guidelines are utilized to develop the NSOA.
- 1)
Scope and Classification of Plant Events The scope and classification of the situations analyzed will include:
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-3 a)
Normal (Planned) Operations b)
Anticipated (Expected) Operational Transients c)
Abnormal (Unexpected) Operational Transients d)
Design Basis (Postulated) Accidents e)
Special (Hypothetical) Events Refer to Tables 15A.2-1 through 15A.2-6 for specific event/classifications.
The events referenced and classified above represent the plant situations considered applicable to safety evaluation.
- 2)
Safety and Power Generation Aspects Safety considerations directly involve the health and safety of the off-site public.
Matters identified with "safety" classification are governed by regulatory requirements. Safety functions include:
a)
The accommodation of abnormal operational transients and postulated design basis accidents.
b)
The maintenance of containment integrity, when necessary.
c)
The assurance of ECCS, when necessary, and d)
The continuance of RCPB integrity, when necessary.
Safety is related to 10CFR100 dose limits, infrequent and low probability occurrences, SACF criteria, worst case operating conditions and initial assumptions, automatic (10 minute) corrective action, significant unacceptable dose and environmental effects, and the involvement of other coincident (mechanistic or non-mechanistic) plant and environmental situations.
Power generation considerations are directly related to continued plant power generation operation, equipment operational matters, component availability aspects and indirectly related to long term off-site public effects.
Matters identified with "power generation" classification are also covered by regulatory guidelines. Power generation functions include:
a) the accommodation of planned operations and anticipated operational transients, b) the minimization of radiological releases to appropriate levels, c) the assurance of safe and orderly reactor shutdown, when necessary, and/or return to power generation operation, and d) the continuance of plant equipment design conditions to ensure long term reliable operation.
Power generation is related to 10CFR20 and 10CFR50, Appendix I dose limits, moderate and high probability occurrences nominal operating conditions and initial assumptions, allowable immediate operator manual actions, and insignificant unacceptable dose and environmental effects.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-4
- 3)
Frequency of Events Consideration of the frequency of the initial (or initiating) event is reasonably straight-forward. Added considerations of further component failures or operator errors complicates the classification grouping and the related limits or acceptable consequences. The events in this appendix are initially grouped by initiating frequency occurrence. The imposition of further failures will necessitate further reclassification. This reclassification will result in the event being listed in a less restrictive category.
The introduction of SACF or SCF or SOE in planned operation/anticipated and abnormal operational transient evaluations has not been previously considered a design basis or evaluation prerequisite. It is entertained here for plant capability demonstration purposes.
- 4)
Conservative Analysis - Margins The unacceptable results established in this appendix relative to the public health and safety aspects are in themselves in conformance to regulatory requirements.
They are also in conformance with regulations by large margins even though the events, their assumptions, conditions of evaluation, coincident situations, the limits, etc., are equally conservative in themselves by large margins. Further introduction of large margin operational requirements is not reasonable or justifiable. The results of this NSOA should directly lead to envelope technical specifications.
The utilization of a margin allowance to introduce further limiting restrictions is not safety oriented.
- 5)
Safety Function Definition Consideration of the frequency of the need for a safety function should be very carefully weighed and examined in order to truly assess real design basis, operational and availability requirements.
First, the essential protective sequences shown for an event in this appendix are the minimum required to be available to satisfy the SACF or SOE evaluation aspects of the event and yet meet all safety functional objectives. Many more protective "success paths" exist with the event than are shown.
Second, not all the events involve the same natural, environmental or plant conditional assumptions. For example, LOCA and SSE are associated with Event 44. In Event 41, CRDA is not assumed to be associated with any SSE or OBE occurrence, therefore, seismic safety function requirements are inappropriate for Event 41, although most safety function equipment associated with the protective sequence are capable of more limiting events, such as Event
- 44. The probability of Event 41 is far less than Event 44 occurrence-wise and certainly evaluation-assumption-wise.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-5 Third, containment may be a safety function for some events (when uncontained radiological effects would be unacceptable) but for other events it may not be applicable (e.g. during refueling). The requirement to maintain the containment during post-accident recovery is only needed to limit doses to less than 10CFR100. After radiological sources are depleted with time, further containment is unnecessary. Thus the time domain and need for a function is taken into account and considered when evaluating the events in this appendix.
Fourth, the use of low frequency, high priority ESF equipment, limiting unacceptable result events for high probability, minor unacceptable result events should not be misunderstood to require similar pedigree equipment requirements on other supplement motor-safety components.
The interpretation of the use of ESF-SACF capable systems for anticipated operational transient protective sequences should not lead to the assumption that these equipment requirements (seismic, redundancy, diversity, testable, IEEE, etc.) are required for this event or associated with the event.
- 6)
Envelope and Actual Event Analyses The event analyses presented in Chapter 15, when examined from the frequency standpoint, would lead to the conclusion that each year a spectrum of the events occur as postulated. Study of the operating and plant occurrences verifies that the protective sequences cited in Chapter 15 are conservative, and in most cases never needed. Experience, of course, has been confined to planned operation, anticipated operational transients, and a very small number of abnormal operational transients situations. Operator action is valuable and repeatedly demonstrated yet ignored as a protective sequence. Consideration of and credit for this success path should be allowed for operational transients.
15A.2.2.1 Consistency of the Analysis An objective of this analysis is consistency. Therefore, it is worthwhile to investigate possible inconsistencies in the selection of nuclear safety operational requirements (and technical specifications); then it will be seen in the presented NSOA that such inconsistencies are avoided.
Figure 15A.2-1 illustrates three inconsistencies. Panel A shows the possible inconsistency resulting from operational requirements being placed on separated levels of protection for one event. If the second and sixth levels of protection are important enough to warrant operational requirements, then so are the third, fourth, and fifth levels. Panel B shows the possible inconsistency resulting from operational requirements being arbitrarily placed on some action thought to be important to safety. In the case shown, scram represents different protection levels for two similar events in one category; if the fourth level of protection for Event B is important enough to warrant an operational requirement, then so is the fourth level for Event A.
Thus, to simply place operational requirements on all equipment needed for some action (scram, isolation, etc.) could be inconsistent and unreasonable if different protection levels are represented. Panel C shows the possible inconsistency resulting from operational requirements being placed on some arbitrary level of protection for any and all postulated events. Here the
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-6 inconsistency is not recognizing and accounting for different event categories based on cause or expected frequency of occurrence.
Inconsistencies of the types illustrated in Figure 15A.2-1 are avoided in the NSOA by directing the analysis to "event-consequences-oriented" aspects. Analytical inconsistencies are avoided by treating all the events of categories under the same set of functional rules. Thus, it is valid to compare the results of the analyses of the events in any one category and invalid to compare events of different category to each other.
15A.2.3 Comprehensiveness of the Analysis The analysis must be sufficiently comprehensive in method that (1) all plant hardware is considered; and, (2) that the full range of plant operating conditions are considered. The tendency to be preoccupied with "worst cases" (those that appear to give the most severe consequences) is recognized; however, the protection sequences essential to lesser cases may be different (more or less restrictive) from the "worst-case" sequence. To assure that operational and design basis requirements are defined and appropriate for all equipment essential to attaining acceptable consequences, all essential protection sequences must be identified for each of the plant safety events examinations.
Only in this way is a comprehensive level of safety attained. Thus, the NSOA is also "protection sequence-oriented" to achieve comprehensiveness.
15A.2.4 Systematic Approach of the Analysis In summary, the systematic method utilized in this analysis contributes to both the consistency and comprehensiveness of the analysis mentioned above. The desired characteristics representative of a systematic approach to selecting BWR operational requirements are listed as follows:
(1)
Specified measures of safety-unacceptable results (2)
Consideration of all planned operations (3)
Systematic event selection (4)
Common treatment analysis (FMEA, SACF, SOE) of all events of any one type (5)
Systematic identification of plant actions and systems essential to avoiding unacceptable results (6)
Emergence of operational requirements and limits from system analysis Figure 15A.2-2 illustrates the systematic process by which the operational and design basis nuclear safety requirements and technical specifications are derived. The process involves the evaluation of carefully selected plant events relative to the unacceptable results (specified measures of safety). Those limits, actions, systems, and components found to be essential to achieving acceptable consequences are the subjects of operational requirements.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-7 15A.2.5 Relationship of Nuclear Safety Operational Analysis to Safety Analyses of Chapter 15 One of the main objectives of the operational analysis is to identify all essential protection sequences and to establish the detailed equipment conditions essential to satisfying the nuclear safety operational criteria. The spectrum of events examined in Chapter 15 represent a complete set of plant safety considerations. The main objective of the earlier analyses of Chapter 15, is, of course, to provide detailed "worst-case" (limiting or envelope) analysis of the plant events. The "worst cases" are correspondingly analyzed and treated likewise in this appendix, but in light of frequency at occurrence, unacceptable results, assumption categorization, etc.
The detailed discussion relative to each of the events covered in Chapter 15 will not be repeated in this appendix. Tables 15A.2-1 through 15A.2-5 provide cross-correlation between the NSOA event, its protection sequence diagram, and its safety evaluation in Chapter 15.
15A.2.6 Relationship Between NSOA and Operational Requirements, Technical Specifications, Design Basis, and SACF Aspects By definition, "an operational requirement" is a requirement or restriction (limit) on either the value of a plant variable or the operability condition associated with a plant system. Such requirements must be observed during all modes of plant operation (not just at full power) to assure that the plant is operated safely. There are two kinds of operational requirements for plant hardware; (1)
Limiting condition for operation: the required condition for a system while the reactor is operating in a specified state.
(2)
Surveillance requirements: the nature and frequency of tests required to assure that the system is capable of performing its essential functions.
Operational requirements are systematically selected for one of two basic reasons:
(1)
To assure that unacceptable results are avoided or mitigated following specified plant events by examining and challenging the system, component, and equipment design basis.
(2)
To assure the existence of a single failure proof success path to acceptable consequences should a transient or accident occur by confirming SACF or SOE criteria conformance.
The operational requirements that emerge from the NSOA are frequently complex hardware requirements applicable only under certain carefully specified plant conditions. Although these complex operational requirements are the true safety requirements, they frequently are too complicated for direct use as a technical specification. As shown in Figure 15A.2-2, the complex operational requirements are conservatively simplified as a final step in the process so that a practical set of technical specifications and operating procedures may be obtained.
The individual structures, systems, components which perform a safety function are required to do so under design basis conditions including environmental consideration and under single
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-8 active component failure assumptions. The NSOA confirms the previous examination of the individual equipment (See "Evaluations" subsection) requirement conformance analyses.
15A.2.7 Unacceptable Results Criteria Tables 15A.2-6 through 15A.2-10 identify the unacceptable results associated with different event categories. In order to prevent or mitigate them, they are recognized as the major bases for identifying system operational requirements as well as the bases for all other safety analyses vs. criteria throughout the FSAR.
15.A.2.8 General Nuclear Safety Operational Criteria The following general nuclear safety operational criteria are used to select operational requirements:
Applicability Nuclear Safety Operational Criteria Planned operation, anticipated abnormal operational transients, design basis accidents, and additional separate plant capability events The plant shall be operated so as to avoid unacceptable results.
Anticipated and abnormal operational transients and design basis accidents The plant shall be operated in such a way that no Single Active Component Failure (SACF) can prevent the safety actions essential to avoiding the unacceptable results associated with anticipated or abnormal operational transients or design basis accidents. However, this requirement is not applicable during structure, system, or component repair if the availability of the safety action is maintained either by restricting the allowable repair time or by more frequently testing a redundant structure, system, or component.
The unacceptable results associated with the different categories of plant operation and events are dictated by:
a) frequency of occurrence (probability),
b) allowable limits (per the probability) - related to radiological, structural, environmental, etc., aspects, c) coincidence of other related or unrelated disturbances, and d) time domain of event and consequences consideration.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-9 15A.3 METHOD OF ANALYSIS 15A.3.1 General Approach The NSOA is performed assuming that the plant design has been established. The end products of the analysis are the nuclear safety operational requirements and the restrictions on plant hardware and its operation that must be observed (1) to satisfy the nuclear safety operational criteria, and (2) to show compliance of the plant safety and power generation systems with plant wide requirements. Figure 15A.2-2 shows the process used in the analysis.
The following inputs are required for the analysis of specific plant events:
(1)
Applicable unacceptable results (Subsection 15A.2.7)
(2)
Applicable nuclear safety operational criteria (Subsection 15A.2.8)
(3)
Definition of BWR operating states (Subsection 15A.3.2)
(4)
Event selection criteria (Subsection 15A.3.3)
(5)
Rules for event analysis (Subsection 15A.3.5)
With this information, each selected event can be evaluated to determine systematically, the actions, the systems, and the limits essential to avoiding the defined unacceptable results. The essential plant components and limits so identified are then considered to be in agreement with and subject to nuclear operational, design basis requirements and technical specification restrictions.
15A.3.2 BWR Operating States Four BWR operating states in which the reactor can exist are defined in Table 15A.3-1. The main objective in selecting operating states is to divide the BWR operating spectrum into sets of initial conditions to facilitate consideration of various events in each state.
Each operating state includes a wide spectrum of values for important plant parameters. Within each state, these parameters are considered over their entire range to determine the limits on their values necessary to satisfy the nuclear safety operational criteria. Such limitations are presented in the subsections of the FSAR that describe the systems associated with the parameter limit. The plant parameters to be considered in this manner include the following:
Reactor coolant temperature Reactor vessel water level Reactor vessel pressure Reactor vessel water quality Reactor coolant forced circulation flow rate Reactor power level (thermal and neutron flux)
Core neutron flux distribution Feedwater temperature Containment temperature and pressure Suppression pool water temperature and level Spent fuel pool water temperature and level
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-10 15A.3.3 Selection of Events for Analysis 15A.3.3.1 Planned Operations "Planned operation" refers to normal plant operation under predetermined conditions in the absence of significant abnormalities. Operations subsequent to an incident (transient, accident, or additional plant capability event) are not considered planned operations until the actions taken or equipment used in the plant are identical to those that would be used had the incident not occurred. As defined, the planned operations can be considered as a chronological sequence: refueling outage, achieving criticality, heatup, power operation, achieving shutdown, cooldown, and refueling outage.
The planned operations are defined below.
(1)
Refueling outage: includes all the planned operations associated with a normal refueling outage except those tests in which the reactor is taken critical and returned to the shutdown condition. The following planned operations are included in refueling outage:
- a.
Planned, physical movement of core components (fuel, control rods, etc.)
- b.
Refueling test operations (except criticality and shutdown margin tests)
- c.
Planned maintenance
- d.
Required inspection (2)
Achieving criticality: Includes all the plant actions normally accomplished in bringing the plant from a condition in which all control rods are fully inserted to a condition in which nuclear criticality is achieved and maintained.
(3)
Heatup: Begins when achieving criticality ends and includes all plant actions normally accomplished in approaching nuclear system rated temperature and pressure by using nuclear power (reactor critical). Heatup extends through warmup and synchronization of the main turbine-generator.
(4)
Power operation: Begins when heatup ends and includes continued plant operation at power levels in excess of heatup power.
(5)
Achieving Shutdown: Begins when the main generator is unloaded and includes all plant actions normally accomplished in achieving nuclear shutdown (more than one rod subcritical) following power operation.
(6)
Cooldown: Begins when achieving shutdown ends and includes all plant actions normal to the continued removal of decay heat and the reduction of nuclear system temperature and pressure.
The exact point at which some of the planned operations end and others begins cannot be precisely determined. It will be shown later that such precision is not required, for the protection requirements are adequately defined in passing from one state to the next. Dependence on several planned operations on the one rod subcritical condition provides an exact point on either side of which protection (especially scram) requirements differ. Thus, where a precise boundary between planned operations is needed, the definitions provide the needed precision.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-11 Together, the BWR operating states and the planned operations define the full spectrum of conditions from which transients, accidents, and special events are initiated. The BWR operating states define only the physical condition (pressure, temperature, etc.) of the reactor; the planned operations define what the plant is doing. The separation of physical conditions from the operation being performed is deliberate and facilitates careful consideration of all possible initial conditions from which incidents may occur.
15A.3.3.2 Anticipated (Expected) Operational Transients To select anticipated operational transients, eight nuclear system parameter variations are considered as potential initiating causes of threats to the fuel and the reactor coolant pressure boundary. The parameter variations are as follows:
(1)
Nuclear system pressure increase (2)
Reactor vessel water (moderator) temperature decrease (3)
Positive reactivity insertion (4)
Reactor vessel coolant inventory decrease (5)
Reactor core coolant flow decrease (6)
Reactor core coolant flow increase (7)
Core coolant temperature increase (8)
Excess of coolant inventory These parameter variations, if uncontrolled, could result in damage to the reactor fuel or reactor coolant pressure boundary, or both. A nuclear system pressure increase threatens to rupture the reactor coolant pressure boundary from internal pressure. A pressure increase also collapses voids in the moderator, causing an insertion of positive reactivity that threatens fuel damage as a result of overheating. A reactor vessel water (moderator) temperature decrease results in an insertion of positive reactivity as density increases. This could lead to fuel overheating. Positive reactivity insertions are possible from causes other than nuclear system pressure or moderator temperature changes. Such reactivity insertions threaten fuel damage caused by overheating. Both a reactor vessel coolant inventory decrease and a reduction in coolant flow through the core threaten to overheat the fuel as the coolant becomes unable to adequately remove the heat generated in the core. An increase in coolant flow through the core reduces the void content of the moderator, resulting in an increased fission rate. A core coolant temperature increase threatens the integrity of the fuel; such a variation could be the result of a heat exchanger malfunction during operation in the shutdown cooling mode. An excess of coolant inventory could be the result of malfunctioning water level control equipment; such a malfunction can result in a turbine trip, which causes an increase in nuclear system pressure and an increased fission rate.
The eight parameter variations listed above include all effects within the nuclear system caused by anticipated operational transients that threaten the integrity of the reactor fuel or reactor coolant pressure boundary. Variation of any one parameter may cause a change in another listed parameter; however, for analysis purposes, threats to barrier integrity are evaluated by groups according to the parameter variation originating the threat. For example, positive reactivity insertions resulting from sudden pressure increases are evaluated in the group of threats stemming from nuclear system pressure increases.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-12 Anticipated operational transients are defined as transients resulting from single equipment failures or single operator errors that can be reasonably expected (moderate probability of occurrence once per day to once in 20 years) during any mode of plant operation. Examples of single operational failures or operator errors in this range of probability are:
(1)
Opening or closing any single valve (a check valve is not assumed to close against normal flow)
(2)
Starting or stopping any single component (3)
Malfunction or maloperation of any single control device (4)
Any single electrical failure (5)
Any single operator error An operator error is defined as an active deviation from nuclear plant standard operating practices. A single operator error is the set of actions that is a direct consequence of a single reasonably expected erroneous decision. The set of actions is limited as follows:
(1)
Those actions that could be performed by only one person.
(2)
Those actions that would have constituted a correct procedure had the initial decision been correct.
(3)
Those actions that are subsequent to the initial operator error and that affect the designed operation of the plant, but are not necessarily directly related to the operator error.
Examples of single operator errors are as follows:
(1)
An increase in power above the established flow control power limits by control rod withdrawal in the specified sequences.
(2)
The selection and complete withdrawal of a single control rod out of sequence.
(3)
An incorrect calibration of an average power range monitor.
(4)
Manual isolation of the main steam lines caused by operator misinterpretation of an alarm or indication.
The five types of a single operator error or a single equipment malfunction are applied to various plant systems with a consideration for a variety of plant conditions to discover events directly resulting in an undesired parameter variation. Once discovered, each event is evaluated for the threat it poses to the integrity of the radioactive material barriers.
15A.3.3.3 Abnormal (Unexpected) Operational Transients To select abnormal operational transients, eight nuclear system parameter variations are considered as potential initiating causes of gross core-wide fuel failures and threats of the reactor coolant pressure boundary. The parameter variations are as follows:
(1)
Nuclear system pressure increase (2)
Reactor vessel water (moderator) temperature decrease (3)
Positive reactivity insertion (4)
Reactor vessel coolant inventory decrease (5)
Reactor core coolant flow decrease (6)
Reactor core coolant flow increase
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-13 (7)
Core coolant temperature increase (8)
Excess of coolant inventory These parameter variations, if uncontrolled, could result in gross core-wide reactor fuel failure or damage to the reactor coolant pressure boundary, or both.
The eight parameter variations listed above include all effects within the nuclear system caused by abnormal operational transients that threaten gross core-wide reactor fuel integrity or seriously affect reactor coolant pressure boundary. Variation of any one parameter may cause a change in another listed parameter; however, for analysis purposes, threats to barrier integrity are evaluated by groups according to the parameter variation originating the threat. For example, positive reactivity insertions resulting from sudden pressure increases are evaluated in the group of threats stemming from nuclear system pressure increases.
Abnormal operational transients are defined as incidents resulting from single or multiple equipment failures and/or single or multiple operator errors that are not reasonably expected (less than one event in 20 years to one in 100 years) during any mode of plant operation.
Examples of single or multiple operational failures and/or single or multiple operator errors are:
(1)
Catastrophic failure of major power generation equipment components (2)
Multiple electrical failures (3)
Multiple operator errors (4)
Combinations of equipment failure and an operator error Operator error is defined as an active deviation from nuclear plant standard operating practices.
A multiple operator error is the set of actions that is a direct consequence of several unexpected erroneous decisions.
Examples of multiple operator errors are as follows:
(1)
Inadvertent loading and operating a fuel assembly in an improper position.
(2)
The movement of a control rod during refueling operations.
The various types of single errors and/or single malfunctions are applied to various plant systems with a consideration for a variety of plant conditions to discover events directly resulting in an undesired parameter variation. Once discovered, each event is evaluated for the threat it poses to the integrity of the various radioactive material barriers.
15A.3.3.4 Accidents Accidents are defined as hypothesized events that affect one or more of the radioactive material barriers and that are not expected during plant operations. These are plant events, equipment failures, combinations of initial conditions which are of extremely low probability (once in 100 years to once in 10,000 years). The postulated accident types considered are as follows:
(1)
Mechanical failure of a single component leading to the release of radioactive material from one or more barriers. The components referred to here are not
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-14 those that act as radioactive material barriers. Example of mechanical failure is breakage of the coupling between a control rod drive and the control rod.
(2)
Arbitrary rupture of any single pipe up to and including complete severance of the largest pipe in the reactor coolant pressure boundary. This kind of accident is considered only under conditions in which the nuclear system is pressurized.
For purposes of analysis, accidents are categorized as those events that result in releasing radioactive material:
(1)
From the fuel with the reactor coolant pressure boundary and reactor building initially intact. (Event 40)
(2)
Directly to the containment. (Event 42)
(3)
Directly to the reactor or turbine buildings with the containment initially intact.
(Events 40, 43, 44, 45, 50)
(4)
Directly to the reactor building with the containment not intact.
(Events 41, 50)
(5)
Directly to the spent fuel containing facilities. (Events 41, 50)
(6)
Directly to the turbine building (Events 46, 47)
(7)
Directly to the environs (Events 48, 49)
The effects of various accident types are investigated, with consideration for the full spectrum of plant conditions, to examine events that result in the release of radioactive material. The accidents resulting in potential radiation exposures greater than day other accident considered under the same general accident assumptions are designated design basis accidents.
15A.3.3.5 Additional Special Plant Capability Events A number of additional events are evaluated to demonstrate plant capabilities relative to special arbitrary nuclear safety criteria. These special events involve extremely low-probability occurrence situations. As an example, the adequacy of the redundant reactivity control system is demonstrated by evaluating the special event: "reactor shutdown without control rods."
Another similar example, the capability to perform a safe shutdown from outside the main control room is demonstrated by evaluating the special event "reactor shutdown from outside the main control room."
15A.3.4 Applicability of Events to Operating States The first step in performing an operational analysis for a given "incident" (transient, accident, or special event) is to determine in which operating states the incident can occur. An incident is considered applicable within an operating state if the incident can be initiated from the physical conditions that characterize the operating state. Applicability of the "planned operations" to the operating states follows from the definitions of planned operations. A planned operation is considered applicable within an operating state if the planned operation can be conducted when the reactor exists under the physical conditions defining the operating state.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-15 15A.3.5 Rules for Event Analysis The following functional rules are followed in performing SACF, operational and design basis analyses for the various plant events:
(1)
An action, system, or limit shall be considered essential only if it is essential to avoiding an unacceptable result or satisfying the nuclear safety operational criteria.
(2)
The full range of initial conditions (as defined in paragraph 15A.3.5.(3) shall be considered for each event analyzed so that all essential protection sequences are identified. Consideration is not limited to "worst cases" because lesser cases sometimes may require more restrictive actions or systems different from the "worst cases."
(3)
The initial conditions of transients, accidents, and additional plant capability events shall be limited to conditions that would exist during planned operations in the applicable operating state.
(4)
For planned operations, consideration shall be made only for actions, limits, and systems essential to avoiding the unacceptable results during operation in that state (as opposed to transients, accidents, and additional plant capability events, which are followed through to completion). Planned operations are treated differently from other events because the transfer from one state to another during planned operations is deliberate. For events other than planned operations, the transfer from one state to another may be unavoidable.
(5)
Limits shall be derived only for those essential parameters that are continuously monitored by the operator. Parameter limits associated with the required performance of an essential system are considered to be included in the requirement for the operability of the system. Limits on frequently monitored process parameters are called "envelope limits," and limits on parameters associated with the operability of a safety system are called "operability limits."
Systems associated with the control of the envelope parameters are considered nonessential if it is possible to place the plant in a safe condition without using the system in question.
(6)
For transients, accidents and additional plant capability events, consideration shall be made for the entire duration of the event and aftermath until some planned operation is resumed. Planned operation is considered resumed when the procedures being followed or equipment being used are identical to those used during any one of the defined planned operations.
(7)
Credit for operator action shall be taken on a case-by-case basis depending on the conditions that would exist at the time operator action would be required.
Because transients, accidents, and additional plant capability events are considered through the entire duration of the event until planned operation is resumed, manual operation of certain systems is sometimes required following the more rapid or automatic portions of the event. Credit for operator action is taken only when the operator can reasonably be expected to accomplish the required action under the existing conditions.
(8)
For transients, accidents, and additional plant capability events, only those actions, limits, and systems shall be considered essential for which there arises a unique requirement as a result of the event. For instance, if a system that was operating prior to the event (during planned operation) is to be employed in the same manner following the event and if the event did not affect the operation of
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-16 the system, then the system would not appear on the protection sequence diagram.
(9)
The operational analyses shall identify all the support or auxiliary systems essential to the functioning of the front-line safety systems. Safety system auxiliaries whose failure results in safe failure of the front-line safety systems shall be considered nonessential.
(10)
A system or action that plays a unique role in the response to a transient, accident, or additional plant capability event shall be considered essential unless the effects of the system or action are not included in the detailed analysis of the event.
15A.3.6 Steps in an Operational Analysis All information needed to perform an operational analysis for each plant event has been presented (Figure 15A.2-2). The procedure followed in performing an operational analysis for a given event (selected according to the event selection criteria) is as follows:
(1)
Determine the BWR operating states in which the event is applicable.
(2)
Identify all the essential protection sequences (safety actions and front-line safety systems) for the event in each applicable operating state.
(3)
Identify all the safety system auxiliaries essential to the functioning of the front-line safety systems.
The above three steps are performed in later sections of this appendix.
To derive the operational requirements and technical specifications for the individual components of a system included in any essential protection sequence, the following steps are taken:
(1)
Identify all the essential actions within the system (intrasystem actions) necessary for the system to function to the degree necessary to avoid the unacceptable results.
(2)
Identify the minimum hardware conditions necessary for the system to accomplish the minimum intra-system actions.
(3)
If the single-failure criterion applies, identity the additional hardware conditions necessary to achieve the plant safety actions (scram, pressure relief, isolation, cooling, etc.) in spite of single failures. This step gives the nuclear safety operational requirements for the plant components so identified.
(4)
Identify surveillance requirements and allowable repair times for the essential plant hardware (Subsection 15A.5.2).
(5)
Simplify the operational requirements determined in steps (3) and (4) so that technical specifications may be obtained that encompass the true operational requirements and are easily used by plant operations and management personnel.
15A.4 DISPLAY OF OPERATIONAL ANALYSIS RESULTS
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-17 15A.4.1 General To fully identify and establish the requirements, restrictions, and limitations that must be observed during plant operation, plant systems and components must be related to the needs for their actions in satisfying the nuclear safety operational criteria. This appendix displays these relationships in a series of block diagrams.
First, a table like Table 15A.3-1 will be supplied indicating in which operating states each event is applicable. Then, for each event, a block diagram is presented showing the, conditions and systems required to achieve each essential safety action. The block diagrams show only those systems necessary to provide the safety actions such that the nuclear safety operational and design basis criteria are satisfied. The total plant capability to provide a safety action is generally not shown, only the minimum capability essential to satisfying the operational criteria.
It is very important to understand that only enough protective equipment is cited in the diagram to provide the necessary action. Many events can utilize many more paths to success then are shown. These operational analyses involve the minimum equipment needed to prevent or avert an unacceptable result. Thus, the diagrams depict essential protection sequences for each event with the least amount of protective equipment needed. Once all of these protection sequences are identified in block diagram form, system requirements are derived by considering all events in which the particular system is employed. The analysis considers the following conceptual aspects:
(1)
The BWR operating state.
(2)
Types of operations or events that are possible within the operating state.
(3)
Relationships of certain safety actions to the unacceptable results and to specific types of operations and events.
(4)
Relationships of certain systems to safety actions and to specific types of operations and events.
(5)
Supporting or auxiliary systems essential to the operation of the front-line safety systems.
(6)
Functional redundancy, the single-failure criterion applied at the safety action level. This is, in effect, a qualitative/ system level/FMEA-type analysis.
Each block in the sequence diagrams represents a finding of essentiality for the safety action, system, or limit under consideration. Essentiality in this context means that the safety action, system, or limit is needed to satisfy the nuclear safety operational criteria. Essentiality is determined through an analysis in which the safety action, system, or limit being considered is completely disregarded in the analyses of the applicable operations or events. If the nuclear safety operational criteria are satisfied without the safety action, system, or limit, then the safety action, system, or limit is not essential, and no operational nuclear safety requirement would be indicated. When disregarding a safety action, system, or limit results in violating one or more nuclear safety operational criteria, the safety action, system, or limit is considered essential, and the resulting operational nuclear safety requirements can be related to specific criteria and unacceptable results.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-18 15A.4.2 Protection Sequence and Safety System Auxiliary Diagrams Block diagrams illustrate essential protection sequences for each event requiring unique safety actions. These protection sequence diagrams show only the required front-line safety systems.
The format and conventions used for these diagrams are shown in Figure 15A.4-1.
The auxiliary systems essential to the correct functioning of front-line safety systems are shown on safety system auxiliary diagrams. The format used for these diagrams is shown in Figure 15A.4-2.
The diagram indicates that auxiliary systems A, B, and C are required for proper operation of front-line safety system X.
Total plant requirements for an auxiliary system or the relationships of a particular auxiliary system to all other safety systems (frontline and auxiliary) within an operating state are shown on the commonality of auxiliary diagrams. The format used for these diagrams is shown in Figure 15A.4-3.
The convention employed in Figure 15A.4-3 indicates that auxiliary system A is required:
(1) to be single-failure proof relative to system q in State A-events X, Y; State B-events X, Y; State C-events X, Y, Z; State D-events X, Y, Z.
(2) to be single-failure proof relative to the parallel combination of systems a and b in State A-events U, V, W; State B-events V, W; State C-events U, V, W, X; State D-events U, V, W, X.
(3) to be single-failure proof relative to the parallel combination of system ! and +/-
system e in series with the parallel combination of systems u and C1 in State C-events Y, W; State D-events Y, W, Z. As noted, system e is part of the combination but does not require auxiliary system A for its proper operation.
(4) for system W in State B-events Q, R; State D-events Q, R, S.
With these three types of diagrams, it is possible to determine for each system the detailed functional requirements and conditions to be observed regarding system hardware in each operating state. The detailed conditions to be observed regarding system hardware include such nuclear safety operational requirements as test frequencies and the number of components that must be operable.
15A.5 BASES FOR SELECTING SURVEILLANCE TEST FREQUENCIES 15A.5.1 Normal Surveillance Test Frequencies After the essential nuclear safety systems and engineered safeguards have been identified by applying the nuclear safety operational criteria, surveillance requirements are selected for these systems. In this selection process, the various systems are considered in terms of relative availability, test capability, plant conditions necessary for testing, and engineering experience with the system type. The surveillance test frequency selected represents the application of engineering judgment integrating all of these considerations.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-19 15A.5.2 Allowable Repair Times Allowable repair times are selected by computation using availability analysis methods (Reference 15A-1) for redundant standby systems. The resulting maximum average allowable repair times assure that a system's long-term availability, including allowance for repair, is not reduced below the theoretical availability that would be achieved if repairs could be made in zero time.
15A.5.3 Repair Time Rule A safety system can be repaired while the reactor is in operation if the repair time is equal to or less than the maximum allowable average repair time. If repair is not complete when the allowable repair time expires, the plant must be placed in its safest mode (with respect to the protection lost).
To maintain the validity of the assumptions used to establish the above repair time rule, the following restrictions must be observed:
(1)
The allowable repair time should only be used as needed to restore failed equipment to operation, not for routine maintenance.
Using this time should be an event as rare as failure of the equipment itself.
Routine maintenance should be scheduled when the equipment is not needed.
(2)
When a failure is discovered by test, all the redundant components should be tested to establish that they are good at the beginning of the repair time for the failed component and do not suffer from the same failure mode discovered in the failed component. If there are multiple failures of the same mode, the repair time allowance does not apply and the plant must be placed in a condition in which the actions of the safety system are not essential to avoiding the unacceptable safety results.
(3)
At the conclusion of the repair, the repaired component must be retested and placed in service. The redundant components must also be retested, not only to validate the assumptions, but to assure that the repair did not inadvertently invalidate a good component.
(4)
Once the need for repair of a failed component is discovered, repairs should proceed as quickly as possible consistent with good craftsmanship.
Alternatively, if a system is expected to be out of repair for an extended time, the availability of the remaining systems can be maintained at the prefailure level by testing them more often.
This technique is fully developed in Reference 15A-1.
15A.6 OPERATIONAL ANALYSES Results of the operational analyses are discussed in the following subsections and displayed on Figures 15A.6-1, 15A.6-2, 15A.6-3, 15A.6-4 and 15A.6-5. Tables 15A.6-1 through 15A.6-5 indicate the BWR operating states in which each of the approximately 50 events is applicable.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-20 15A.6.1 Safety System Auxiliaries Figures 15A.6-1 and 15A.6-2 show the safety system auxiliaries essential to the functioning of each front-line safety system. Commonality of auxiliary diagrams are shown in Figures 15A.6-54, 15A.6-55, 15A.6-56, 15A.6-57, 15A.6-58 and 15A.6-59.
15A.6.2 Planned (Normal) Operations 15A.6.2.1 General Requirements for the planned operations normally involve limits (L) on certain key process variables and restrictions (R) on certain plant equipment. The control block diagrams for each operating state (Figures 15A.6-3, 15A.6-4, 15A.6-5 and 15A.6-6) show only those controls necessary to avoid unacceptable safety results 1-1 through 1-4. Refer to Table 15A.2-6 for unacceptable results criteria.
Following is a description of the planned operations (Events 1 through 6), as they pertain to each of the four operating states. The description of each operating state contains a definition of that state, a list of the planned operations that apply to that state, and a list of the safety actions that are required to avoid the unacceptable safety results.
15A.6.2.2 Event Definitions Event 1 - Refueling Outage Refueling outage includes all the planned operations associated with a normal refueling outage except those tests in which the reactor is made critical and returned to the shutdown condition.
The following planned operations are included in refueling outage:
(1)
Planned, physical movement of core components (fuel, control rods, etc.)
(2)
Refueling test operations (except criticality and shutdown margin tests)
(3)
Planned maintenance (4)
Required inspection Event 2 - Achieving Criticality Achieving criticality includes all the plant actions normally accomplished in bringing the plant from a condition in which all control rods are fully inserted to a condition in which nuclear criticality is achieved and maintained.
Event 3 - Reactor Heatup Heatup begins where achieving criticality ends and includes all plant actions normally accomplished in approaching nuclear system rated temperature and pressure by using nuclear power (reactor critical). Heatup extends through warmup and synchronization of the main turbine generator.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-21 Event 4 - Power Operation - Electric generation Power operation begins where heatup ends and continued plant operation at power levels in excess of heatup power or steady state operation. It also includes plant maneuvers such as:
(1)
Daily electrical load reduction and recoveries (2)
Electrical grid frequency control adjustment (3)
Control rod/reactor fuel/core management movements (4)
Power generation surveillance testing involving:
- a.
Turbine stop valve closing
- b.
Turbine control valve adjustments
- c.
MSLIV exercising Event 5 - Achieving Reactor Shutdown Achieving shutdown begins where the main generator is unloaded and includes all plant actions normally accomplished in achieving nuclear shutdown (more than one rod subcritical) after power operation.
Event 6 - Reactor Cooldown Cooldown begins where achieving shutdown ends and includes all plant actions normal to the continued removal of decay heat and the reduction of nuclear system temperature and pressure.
15A.6.2.3 Required Safety Actions/Related Unacceptable Results The following paragraphs describe the safety actions for planned operations. Each description includes a selection of the operating states that apply to the safety action, the plant system affected by limits or restrictions, and the unacceptable result that is avoided. The four operating states are defined in Table 15A.3-1. The unacceptable results criteria are tabulated in Table 15A.2-6.
15A.6.2.3.1 Radioactive Material Release Control Radioactive materials may be released to the environs in any operating state; therefore, radioactive material release control is required in all operating states. Because of the significance of preventing excessive release of radioactive materials to the environs, this is the only safety action for which monitoring systems are explicitly shown. The offgas vent radiation monitoring system provides indication for gaseous release through the main vent. Gaseous releases through other vents are monitored by the ventilation monitoring system. The process liquid radiation monitors are not required, because all liquid wastes are monitored by batch sampling before a controlled release. Limits are expressed on the offgas vent system, liquid radwaste system, and solid radwaste system so that the planned releases of radioactive materials comply with the limits given in 10CFR20, 10CFR50, and 10C.FR71 (related unacceptable safety result 1-1).
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-22 15A.6.2.3.2 Core Coolant Flow Rate Control In State D, when above approximately 10% NB rated power, the core coolant flow rate must be maintained above certain minimums (i.e., limited) to maintain the integrity of the fuel cladding (1-2) and assure the validity of the plant safety analysis (1-4).
15A.6.2.3.3 Core Power Level Control The plant safety analyses of accidental positive reactivity additions have assumed as an initial condition that the neutron source level is above a specified minimum. Because a significant positive reactivity addition can only occur when the reactor is less than one rod subcritical, the assumed minimum source level need be observed only in States B and D. The minimum source level assumed in the analyses has been related to the counts/sec readings on the source range monitors (SRM); thus, this minimum power level limit on the fuel is expressed as a required SRM count level. Observing the limit assures validity of the plant safety analysis (1-4).
Maximum core power limits are also expressed for operating States B and D to maintain fuel integrity (1-2) and remain below the maximum power levels assumed in the plant safety analysis (1-4).
15A.6.2.3.4 Core Neutron Flux Distribution Control Core neutron flux distribution must be limited in State D, otherwise core power peaking could result in fuel failure (1-2). Additional limits are expressed in this state, because the core neutron flux distribution must be maintained within the envelope of conditions considered by plant safety analysis (1-4).
15A.6.2.3.5 Reactor Vessel Water Level Control In any operating state, the reactor vessel water level could, unless controlled, drop to a level that will not provide adequate core cooling; therefore, reactor vessel water level control applies to all operating states. Observation of the reactor vessel water level limits protects against fuel failure (1-2) and assures the validity of the plant safety analysis (1-4).
15A.6.2.3.6 Reactor Vessel Pressure Control Reactor vessel pressure control is not needed in States A and B because vessel pressure cannot be increased above atmospheric pressure. In State C, a limit is expressed on the reactor vessel to assure that it is not hydrostatically tested until the temperature is above the NDT temperature plus 60oF; this prevents excessive stress (1-3). Also, in States C and D a limit is expressed on the residual heat removal system to assure that it is not operated in the shutdown cooling mode when the reactor vessel pressure is greater than approximately 150 psig; this prevents excessive stress (1-3). In States C and D, a limit on the reactor vessel pressure is necessitated by the plant safety analysis (1-4).
15A.6.2.3.7 Nuclear System Temperature Control In operating States A, C, and D, a limit is expressed on the reactor vessel to prevent the reactor vessel head bolting studs from being in tension when the temperature is less than 70oF to avoid excessive stress (1-3) on the reactor vessel flange. This limit does not apply in States A and B because the head will not be bolted in place during criticality tests or during refueling. In all
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-23 operating states, a limit is expressed on the reactor vessel to prevent an excessive rate of change of the reactor vessel temperature to avoid excessive stress (1-3). In States C and D, where it is planned operation to use the feedwater system, a limit is placed on the reactor fuel so that the feedwater temperature is maintained within the envelope of conditions considered by the plant safety analysis (1-4). For State D, a limit is observed on the temperature difference between the recirculation system and the reactor vessel to prevent the starting of the recirculation pumps. This operating restriction and limit prevents excessive stress in the reactor vessel (1-3).
15A.6.2.3.8 Nuclear System Water Quality Control In all operating states, water of improper chemical quality could produce excessive stress as a result of chemical corrosion (1-3). Therefore, a limit is placed on reactor coolant chemical quality in all operating states. For all operating states where the nuclear system can be pressurized (States C and D), and additional limit on reactor coolant activity assures the validity of the analysis of the main steamline break accident (1-4).
15A.6.2.3.9 Nuclear System Leakage Control Because excessive nuclear system leakage could occur only while the reactor vessel is pressurized, limits are applied only to the reactor vessel in States C and D. Observing these limits prevents vessel damage due to excessive stress (1-3) and assures the validity of the plant safety analysis (1-4).
15A.6.2.3.10 Core Reactivity Control In State A during refueling outage, a limit on core loading (fuel) to assure that core reactivity is maintained within the envelope of conditions considered by the plant safety analysis (1-4). In all states, limits are imposed on the control rod drive system to assure adequate control of core reactivity so that core reactivity remains within the envelope of conditions considered by the plant safety analysis (1-4).
15A.6.2.3.11 Control Rod Worth Control Any time the reactor is not shut down and is generating less than 30% power (State D), a limit is imposed on the control rod pattern to assure that control rod worth is maintained within the envelope of conditions considered by the analysis of the control rod drop accident (1-4).
15A.6.2.3.12 Refueling Restriction By definition, planned operation event 1 (refueling outage) applies only to State A. Observing the restrictions on the reactor fuel and on the operation of the control rod drive system within the specified limit maintains plant conditions within the envelope considered by the plant safety analysis (1-4).
15A.6.2.3.13 Containment & Reactor Building Pressure and Temperature Control In States C and D, limits are imposed on the containment and the suppression pool storage to maintain temperature and pressure within the envelope considered by plant safety analysis (1-4). These limits assure an environment in which instruments and equipment can operate
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-24 correctly within the containment. Limits on the pressure suppression pool apply to the water temperature and water level to assure that it has the capability of absorbing the energy discharged during a safety/relief valve blowdown.
15A.6.2.3.14 Stored Fuel Shielding, Cooling, and Reactivity Control Because both new and spent fuel will be stored during all operating states, stored fuel shielding, cooling, and reactivity control apply to all operating states. Limits are imposed on the spent fuel pool storage positions, water level, fuel handling procedures, and water temperature.
Observing the limits on fuel storage positions assures that spent fuel reactivity remains within the envelope of conditions considered by the plant safety analysis (1-4). Observing the limits on water level assures shielding in order to maintain conditions within the envelope of conditions considered by the plant safety analysis (1-4) and provides the fuel cooling necessary to avoid fuel damage (1-2). Observing the limit on water temperature avoids excessive fuel pool stress (1-3). A limit is imposed on the new fuel storage arrangement to assure that the fuel storage geometry is maintained within the envelope of reactivity conditions considered by the plant safety analysis (1-4).
15A.6.2.4 Operational Safety Evaluations State A In State A the reactor is in a shutdown condition, the vessel head is off, and the vessel is at atmospheric pressure. The applicable events for planned operations are refueling outage, achieving criticality, and cooldown (Events 1, 2, and 6, respectively).
Figure 15A.6-3 shows the necessary safety actions for planned operations, the corresponding plant systems, and the event for which these actions are necessary. As indicated in the diagram the required safety actions are as follows:
Safety Action Radioactive material release control Reactor vessel water level control Nuclear system temperature control Nuclear system water quality control Core reactivity control Refueling restrictions Stored fuel shielding, cooling, and reactivity control State B In State B the reactor vessel head is off, the reactor is not shutdown, and the vessel is at atmospheric pressure. Applicable planned operations are achieving criticality and achieving shutdown (Events 2 and 5, respectively).
Figure 15A.6-4 relates the necessary safety actions for planned operations, the plant systems, and the event for which the safety actions are necessary. The required safety actions for planned operation in State B are as follows:
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-25 Safety Action Radioactive material release control Core power level control Reactor vessel water level control Nuclear system temperature control Nuclear system water quality control Core reactivity control Rod worth control Stored fuel shielding, cooling, and reactivity control State C In State C the reactor vessel head is on and the reactor is shutdown. Applicable planned operations are achieving criticality and cooldown (Events 2 and 6, respectively).
Sequence diagrams relating safety actions for planned operations, plant systems, and applicable events are shown in Figure 15A.6-5. The required safety actions for planned operation in State C are as follows:
Safety Action Radioactive material release control Reactor vessel water level control Reactor vessel pressure control Nuclear system temperature control Nuclear system water quality control Nuclear system leakage control Core reactivity control Reactor building pressure and temperature control Stored fuel shielding, cooling, and reactivity control State D In State D the reactor vessel head is on and the reactor is not shutdown. Applicable planned operations are achieving criticality, heatup, power operation and achieving shutdown (Events 2, 3, 4, and 5, respectively).
Figure 15A.6-6 relates safety actions for planned operations, corresponding plant systems, and events for which the safety actions are necessary. The required safety actions for planned operation in State D are as follows:
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-26 Safety Action Radioactive material release control Core coolant flow rate control Core power level control Core neutron flux distribution control Reactor vessel water level control Reactor vessel pressure control Nuclear system temperature control Nuclear system water quality control Nuclear system leakage control Core reactivity control Rod worth control Containment and reactor/auxiliary building pressure and temperature control Stored fuel shielding, cooling, and reactivity control 15A.6.3 Anticipated (Expected) Operational Transients 15A.6.3.1 General The safety requirements and protection sequences for anticipated operational transients are described in the following paragraphs for Events 7 through 29. The protection sequence block diagrams show the sequence of front-line safety systems. (Refer to Figure 15A.6-7 through 15A.6-29.) The auxiliaries for the front-line safety systems are indicated in the auxiliary diagrams (Figures 15A.6-1 and 15A.6-2) and the commonality of auxiliary diagrams (Figures 15A.6-54, 15A.6-55, 15A.6-56, 15A.6-57, 15A.6-58 and 15A.6-59).
15A.6.3.2 Required Safety Actions/Related Unacceptable Result The following list relates the safety actions for anticipated operational transients that mitigate or prevent the unacceptable safety results. Refer to Table 15A.2-7 for the unacceptable results criteria.
Safety Action Related Unacceptable Result Criteria Reason Action Required Scram and/or RPT Pressure relief 2-2 2-3 2-3 To prevent fuel damage and to limit nuclear system pressure rise.
To prevent excessive nuclear system pressure rise.
Core and Containment cooling 2-2 To prevent fuel and containment damage in the event that normal cooling is interrupted.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-27 Reactor vessel isolation 2-2 To prevent fuel damage by reducing the outflow of steam and water from the reactor vessel, thereby limiting the decrease in reactor vessel water level.
Restore ac power 2-2 To prevent fuel damage by restoring ac power to systems essential to other safety actions.
Prohibit rod motion 2-2 To prevent exceeding fuel limits during transients.
Containment isolation 2-4 To minimize radiological effects.
15A.6.3.3 Event Definitions & Operational Safety Evaluations Event 7 - Manual & Inadvertent SCRAM The deliberate manual or inadvertent automatic SCRAM due to single operator error is an event which can occur under any operating conditions. Although assumed to occur here for examination purpose, multi-operator error or action is necessary to initiate such an event.
While all the safety criteria apply, no unique safety actions are required to control the planned operation-like event after effects of the subject initiation actions. In all operating states, the safety criteria are therefore met through the basis design of the plant systems. Figure 15A.6-7 identifies the protection sequences for this event.
Event 8 - Loss-of-Plant Instrument Air Loss of all plant instrument air system requires a manual reactor shutdown and causes the closure of isolation valves. Although these actions occur, they are not a requirement to prevent unacceptable results in themselves. Multi-equipment failures would be necessary in order to cause the deterioration of the subject system to the point that the components supplied with instrument air would cease to operate "normally" and/or "fail-safe." The resulting actions are identical to the Event 14 described later.
Isolation of the main steam lines can result in a transient for which some degree of protection is required only in operating States C and D. In operating States A and B, the main steam lines are continuously isolated.
Isolation of all main steam lines is most severe and rapid in operating State D during power operation.
Figure 15A.6-8 shows how scram is accomplished by annual actuation or by main steam line isolation through the actions of the reactor protection system and the control rod drive system.
The nuclear system pressure relief system provides pressure relief. Pressure relief, combined with loss of feedwater flow, causes reactor vessel water level to fall. Either high-pressure core cooling system supplies water to maintain water level and to protect the core until normal steam flow (or other planned operation) is established.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-28 Adequate reserve air supplies are maintained exclusively for the continual operation of the safety/relief valves until reactor shutdown is accomplished.
Event 9 - Inadvertent HPCI Pump (or any NSSS Pump) Start (Moderator Temperature Decrease)
An inadvertent pump start (temperature decrease) is defined as an unintentional start of any nuclear system pump that adds sufficient cold water to the reactor coolant inventory to cause a measurable decrease in moderator temperature. This event is considered in all operating states because it can potentially occur under any operating condition. Since the HPCI pump operates over nearly the entire range of the operating states and delivers the greatest amount of cold water to the vessel, the following analysis will describe its inadvertent operation rather than other NSSS pumps (e.g., RCICS, RHRS, CSCS).
While all the safety criteria apply, no unique safety actions are required to control the adverse effects of such a pump start (i.e., pressure increase and temperature decrease in States A and C). In these operating states, the safety criteria are met through the basic design of the plant systems, and no safety action is specified. In States B and D, where the reactor is not shutdown, the operator or the plant normal control system can control any power changes in the normal manner of power control.
Figure 15A-6-9 illustrates the protection sequence for the subject event. Single failures to the normal plant control system pressure regulator or the feedwater controller systems will result in further protection sequences. These are shown in Events 22 and 23. The single failure (SF) aspects of their protection sequences will, of course, not be required.
Event 10 - Startup of Idle Recirculation Pump The cold-loop startup of an idle recirculation pump can occur in any state and is most severe and rapid for those operating states in which the reactor may be critical (States B and D). When the transient occurs in the range of 10 to 60% power operation, no safety action response is required. Reactor power is normally limited to approximately 60% design power because of core flow limitations while operability with one recirculation loop working. Above about 60%
power, a high neutron flux scram is initiated. Should the event occur when the reactor is in operating State D but not at power operation, but critical (5% < power < 10%), the resulting transient may produce a high level neutron flux scram of the intermediate range monitors (IRM).
No safety actions are required in State B since the power would be less than 5%.
As shown in Figure 15A.6-10, the scram action is accomplished through the combined actions of the neutron monitoring, reactor protection, and control rod drive systems. At power operation (10 to 60%) the high level IRM scram is not initiated, because the core flux monitoring has been shifted to the average power range monitors (APRM).
Event 11 - Recirculation Flow Control Failure (Increasing Flow)
A recirculation flow control failure causing increased flow is applicable in States C and D. In State D, the accompanying increase in power level is accommodated through a reactor scram.
As shown in Figure 15A.6-11, the scram safety action is accomplished through the combined actions of the neutron monitoring, reactor protection, and control rod drive systems.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-29 Event 12 - Recirculation Flow Control Failure (Decreasing Flow)
This recirculation flow control malfunction causes a decrease in core coolant flow. This event is not applicable to States A and B because the reactor vessel head is off and the recirculation pumps normally would not be in use.
The number and type of flow controller failure modes determine the protection sequence for the event. For M/G set flow control systems, failures of one or the master flow controller will result in a transient equivalent to one or two recirculation pump trips, respectively it is shown on Figure 15A.6.-12.
Event 13 - Trip of One or Both Recirculation Pumps The trip of one recirculation pump produces a milder transient than does the simultaneous trip of two recirculation pumps.
The transient resulting from this two-loop trip is not severe enough to require any unique safety action. The transient is compensated for by the inherent nuclear stability of the reactor. This event is not applicable in States A and B because the reactor vessel head is off and the recirculation pumps normally would not be in use. The trip could occur in States C and D; however, the reactor can accommodate the transient with no unique safety action requirement.
Figure 15A.6-13 provides the protection sequence for the event for one or both pump trip actuations.
In fact, this event constitutes all acceptable operational technique to reduce or minimize the effects of other event conditions. To this end, an engineered recirculation pump trip capability is included in the plant operational design to reduce pressure and thermohydraulic transient effects. Operating States C and D are involved in this event.
Tripping a single recirculation pump requires no protection system operation.
A two pump trip results in a high water level trip of the main turbine which further causes a stop valve closure and its subsequent SCRAM actuation. Main steam line isolation soon occurs and is followed by RCIC/HPCI systems initiation on low water level. Relief valve actuation will follow.
Event 14 - Isolation of One or All Main Steam Lines Isolation of the main steam lines can result in a transient for which some degree of protection is required only in operating States C and D. In operating States A and B, the main steam lines are continuously isolated.
Isolation of all main steam lines is most severe and rapid in operating State D during power operation.
Figure 15A.6-14a shows how scram is accomplished by main steam line isolation through the actions of the reactor protection system and the control rod drive system. The nuclear system pressure relief system provides relief. Pressure relief, combined with loss of feedwater flow, causes reactor vessel water level to fall. Either high-pressure core cooling system supplies
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-30 water to maintain water level and to protect the core until normal steam flow (or other planned operation) is established.
Isolation of one main steam line causes a significant transient only in State D during high power operation. Scram is the only unique action required to avoid fuel damage and nuclear system overpressure. Because the feedwater system and main condenser remain in operation following the event, no unique requirement arises for core cooling.
As shown in Figure 15A.6-14b, the scram safety action is accomplished through the combined actions of the neutron monitoring, reactor protection, and control rod drive systems.
Event 15 - Inadvertent Opening of the Safety/Relief Valve The inadvertent opening of a safety/relief valve is possible in any operating state. The protection sequences are shown in Figure 16A.6-15. In States A, B, and C, the water level cannot be lowered far enough to threaten fuel damage; therefore, no safety actions are required.
In State D, there is a slight decrease in reactor pressure following the event. The pressure regulator closes the main turbine control valves enough to stabilize pressure at a level slightly below the initial value. There are no unique safety system requirements for this event.
If the event occurs when the feedwater system is not active in State D, a loss in the coolant inventory results in a reactor vessel isolation. The low water level signal initiates reactor vessel isolation. The nuclear system pressure relief system provides pressure relief.
Core cooling is accomplished by the RCIC/HPCI system which is automatically initiated by the incident detection circuitry (IDC). The automatic depressurization system (ADS) or the manual relief valve system remain as the backup depressurization system if needed. After the vessel has depressurized, long term core cooling is accomplished by the LPCI, or CSCS, which are initiated on low water level by the IDC system or are manually operated. Containment/
suppression pool cooling is manually initiated.
Event 16 - Control Rod Withdrawal Error (During Refueling & Startup Operation)
Because a control rod withdrawal error resulting in an increase of positive reactivity can occur under any operating condition, it must be considered in all operating states. For this specific event situation, only State A and B apply.
Refueling No unique safety action is required in operating State A for the withdrawal of one control rod because the core is more than one control rod subcritical. Withdrawal of more than one control rod is precluded by the protection sequence shown in Figure 15A.6-16.
During core alterations, the mode switch is normally in the REFUEL position, which allows the refueling equipment to be positioned over the core and also inhibits control rod withdrawal. This transient, therefore, applies only to operating State A. No safety action is required because the total worth (positive reactivity) of one fuel assembly or control rod is not adequate to cause criticality. Moreover, mechanical design of the control rod assembly prevents physical removal without removing the adjacent fuel assemblies.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-31 Startup During low power operation (State B), the neutron monitoring system via the RPS will initiate SCRAM if necessary. Refer to Figure 15A.6-16.
Event 17 - Control Rod Withdrawal Error (During Power Operation)
Because a control rod withdrawal occur resulting in an increase of positive reactivity can occur under any operating condition, it must be considered in all operating states. For this specific event situation, only States C and D apply.
During power operation (Power Range) (State D), a number of plant protective devices of various designs prohibit the control rod motion before critical levels are reached. Refer to Figure 15A.6-17. While in State C no protective action is needed.
Systems in the power range (0 to 100% NBR) prevent the selection of an out-of-sequenced rod movement by use of the RWM (Banked Position or Notch Group). In addition, the movement of the rod is monitored and limited within acceptable intervals either by neutronic effects or actual rod motion, (notch counting). The RBM provides movement surveillance. Of course, beyond these rod motion control limits are the fuel/core SCRAM protection systems. While in State C no protective action is needed.
Event 18 - Loss of Shutdown Cooling The loss of RHRS-shutdown cooling can occur only during the low pressure portion of a normal reactor shutdown and cooldown.
As shown in Figure 15A.6-18, for most single failures that could result in primary loss of shutdown cooling capabilities, no unique safety actions are required; in these cases, shutdown cooling is simply reestablished using redundant shutdown cooling equipment. In the cases where the RHRS-shutdown cooling suction line becomes inoperative, a unique arrangement for cooling arises. In States A and B, in which the reactor vessel head is off, the LPCI can be used to maintain reactor vessel water level. In States C and D, in which the reactor vessel head is on and the system can be pressurized, the automatic depressurization system (ADS) or manual operation of relief valves in conjunction with any of the ECCS and the RHRS suppression pool cooling mode (both manually operated) can be used to maintain water level and remove decay heat. Containment/Suppression pool cooling is actuated. Core and containment decay heat are removed by the RHRS containment cooling system.
Event 19 - RHF Shutdown Cooling Malfunction (Moderator Temperature Decrease)
An RHR shutdown cooling malfunction causing a moderator temperature decrease must be considered in all operating states. However, this event is not considered in States C and D if nuclear system pressure is too high to permit operation of the shutdown cooling (RHRS). Refer to Figure 15A.6-19. No unique safety actions are required to avoid the unacceptable safety results for transients as a result of a reactor coolant temperature decrease induced by misoperation of the shutdown cooling heat exchangers.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-32 In States B and D, where the reactor is at or near critical, the slow power increase resulting from the cooler moderator temperature would be controlled by the operator in the same manner normally used to control power in the source or intermediate power ranges.
Event 20 - Loss of All Feedwater Flow A loss of feedwater results in a net decrease in the coolant inventory available for core cooling.
A loss of feedwater flow can occur in States C and D. Appropriate responses to this transient include a reactor scram on low water level and maintenance of reactor vessel water level.
As shown in Figure 15A.6-20, the reactor protection and control rod drive systems effect a scram on low water level. The containment and reactor vessel isolation control system and the main steam line isolation valves act to isolate the reactor vessel. After the main steam line isolation valves close, decay heat slowly raises system pressure to the lowest relief valve setting. Pressure is relieved by the nuclear system pressure relief system. Initial core cooling is necessary to restore and maintain water level. Either the RCIC or HPCI system can maintain adequate water level. For long term shutdown and extended core coolings, containment/suppression pool cooling systems are manually initiated.
The requirements for operating State C is the same as for State D except that the scram action is not required in State C.
Event 21 - Loss of a Feedwater Heater Loss of a feedwater heater must he considered with regard to the nuclear safety operational criteria only in operating State D because significant feedwater heating does not occur in any other operating state.
A loss of feedwater heating causes a transient that requires no protective actions when the reactor is initially on automatic recirculation flow control. It the reactor is on manual flow control, however, the neutron flux increase associated with this event will reach the scram setting. As shown in Figure 15A.6-21, the scram safety action is accomplished through actions of the neutron monitoring, reactor protection, and control rod drive systems. Water level will initiate a turbine trip and isolation will soon follow.
Event 22 - Feedwater Controller Failure - Maximum Demand A feedwater controller failure, causing an excess of coolant inventory in the reactor vessel is possible in all operating states. Feedwater controller failures considered are those that would give failures of automatic flow control, manual flow control, or feedwater bypass valve control.
In operating States A and B, no safety actions are required since the vessel head is removed and the moderator temperature is low. In operating State D, any adverse responses by the reactor caused by cooling of the moderator can be mitigated by a scram. As shown in Figure 15A.6-22, the accomplishment of the scram safety action is satisfied through the combined actions of the neutron monitoring, reactor protection, and control rod drive systems. Pressure relief is required in States C and D and is achieved through the operation of the nuclear system pressure relief system. Initial restoration of the core water level is by the RCIC/HPCI systems.
Prolonged isolation may require extended core cooling and containment/suppression pool cooling.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-33 Event 23 - Pressure Regulator Failure (Open Direction)
A pressure regulator failure in the open direction, causing the opening of a turbine control or bypass valve, applies only in operating States C and D, because in other states the pressure regulator is not in operation. A pressure regulator failure is most severe and rapid in operating State D at low power.
The various protection sequences giving the safety actions are shown in Figure 15A.6-23.
Depending on plant conditions existing prior to the event, scram will be initiated either on main steamline isolation, main turbine trip, reactor vessel high pressure, or reactor vessel low water level. The sequence resulting in reactor vessel isolation also depends on initial conditions.
With the mode switch in "Run," isolation is initiated when main steamline pressure decreases to approximately 800 psig. Under other conditions, isolation is initiated by reactor vessel low water level. After isolation is completed, decay heat will cause reactor vessel pressure to increase until limited by the operation of the relief valves. Core cooling following isolation can be provided by either the RCICS or HPCI. Shortly after reactor vessel isolation, normal core cooling can be re-established via the main condenser and feedwater systems or if prolonged isolation is necessary, extended core and containment cooling will be manually actuated.
Event 24 - Pressure Regulator Failure - Closed A pressure regulator failure in the closed direction (or downscale), causing the closing of turbine control valves, applies only in operating States C and D, because in other states the pressure regulator is not in operation.
A single pressure regulator failure downscale would result in little or no effect on the plant operation. The second pressure regulator would provide turbine-reactor control. If the second unit failed this would result in the worst situation, yet it is much less severe than Events 25, 27, 30 and 31. The dual pressure regulator failures are most severe and rapid in operating State D at high power.
The various protection sequences giving the safety actions are shown in Figure 15A.6-24. Upon failure of one pressure regulator downscale, normally a backup regulator will maintain the plant in the present status upon the initial regulator downscale failure. An additional single failure (SF) of the backup regulator will result in a high flux or pressure SCRAM, system isolation, and subsequent extended isolation core cooling system actuations.
Event 25 - Main Turbine Trips (With By-Pass System Operation)
A main turbine trip can occur only in operating State D (during heatup or power operation). A turbine trip during heatup is not as severe as a trip at full power because the initial power level is low (<30%), thus minimizing the effects of the. transient and enabling return to planned operations via the by-pass system operation. For a turbine trip above 30% power, a scram will occur via turbine stop valve closure as will a recirculation pump trip (RPT). Subsequent relief valve actuation will occur. Eventual main steam line isolation and RCIC/HPCI system initiation will result from low water level. Figure 15A.6-25 depicts the protection sequences required for main turbine trips. Main turbine trip and main generator trip are similar anticipated operational transients and, although main turbine trip is a more severe transient than main generator trip due to the rapid closure of the turbine stop valves, the required safety actions are the same.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-34 Event 26 - Loss of Main Condenser Vacuum (Turbine Trip)
A loss of vacuum in the main turbine condenser can occur any time steam pressure is available and the condenser is in use; it is applicable to operating States C and D. This nuclear system pressure increase transient is the most severe of the pressure increase transients. However, scram protection in State C is not needed since the reactor is not coupled to the turbine system.
For State D above 30% power, loss of condenser vacuum will initiate a turbine trip with its attendant stop valve closures (which leads to SCRAM) and a recirculation pump trip (RPT).
Loss of condenser vacuum will also initiate isolation, pressure relief valve actuation, and RCIC/HPCI initial core cooling. A scram is initiated by MSIV closure to prevent fuel damage and is accomplished with the actions of the reactor protection system and control rod drive system. Below 30% power (State D) scram is initiated by a high neutron flux signal. Figure 15A.6-26 shows the protection sequences. Decay heat will necessitate extended core and containment cooling. When the nuclear system depressurizes sufficiently, the low pressure core cooling systems provide core cooling until a planned operation via RHRS shutdown cooling is achieved.
Event 27 - Main Generator Trip (With By-Pass System Operation)
A main generator trip with by-pass system operation can occur only in operating State D (during heatup or power operation). Fast closure of the main turbine fast control valves (TGV) is initiated whenever an electrical grid disturbance occurs which results in significant loss of electrical load on the generator. The turbine control valves are required to close as rapidly as possible to prevent excessive overspeed of the main turbine-generator rotor. Closure of the turbine control valves will cause a sudden reduction in steam flow which results in an increase in system pressure. Above 30% power, scram will occur as a result of fast control valve closure. Turbine tripping will actuate the Recirculation Pump Trip (RPT). Subsequently main steam line isolation will result, pressure relief and initial core cooling by RCIC/HPCI will take place. Prolonged shutdown of the turbine-generator unit will necessitate extended core and containment cooling. A generator trip during heatup (<30%) is not severe because the turbine by-pass system can accommodate the decoupling of the reactor and the turbine-generator unit, thus minimizing the effects of the transient and enabling return to planned operations. Figure 15A.6-27 depicts the protection sequences required for a main generator trip. Main generator trip and main turbine trip are similar anticipated operational transients. Although the main generator trip is a less severe transient than a turbine trip due to the rapid closure of the turbine stop valves, the required safety actions for both are the same sequence.
Event 28 - Loss of Normal Onsite Power - Auxiliary Transformer Failure There is a variety of possible plant electrical component failures which could affect the reactor system. The total loss of onsite ac power is the most severe. The loss of auxiliary power transformer results in a sequence of events similar to that resulting from a loss of feedwater flow. The most severe situation occurs in State D during power operation. Figure 15A.6-28 shows the safety actions required to accommodate a loss of normal onsite power in the States A, B, C, and D.
The reactor protection and control rod drive systems effect a scram on main turbine trip or loss of reactor protection system power sources. The turbine trip will actuate a recirculation pump trip (RPT). The containment and reactor vessel isolation control system (PCRVICS/CRVICS)
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-35 and the main steamline isolation valves act to isolate the reactor vessel. After the main steamline isolation valves (MSIV) close, decay heat slowly raises system pressure to the lowest relief valve setting. Pressure is relieved by the nuclear system pressure relief system. With continued isolation decay heat may cause increase in nuclear system pressure, eventually lifting relief valves and allowing reactor vessel water level to decrease. The core/containment cooling sequences shown in Figure 15A.6-28 denote the short-and long-term actions for achieving adequate cooling.
Event 29 - Loss of Offsite Power - Grid Loss There is a variety of plant/grid electrical component failures which can affect reactor operation.
The total loss of offsite ac power is the most severe. The loss of both onsite and offsite auxiliary power sources results in a sequence of events similar to that resulting from a loss of feedwater flow (see Event 20). The most severe case occurs in State D during power operation.
Figure 15A.6-29 shows the safety actions required for a total loss of offsite power in all States A, B, C, and D.
The reactor protection and control rod drive systems affect a scram from main turbine trip or loss of reactor protection system power sources. The turbine trip will initiate recirculation pump trip (RPT). The containment and reactor vessel isolation control system (PCRVICS/CRVICS) and the main steam line isolation valves (MSLIV) act to isolate the reactor vessel. After the main steamline isolation valves close, decay heat slowly raises system pressure to the lowest relief valve setting. Pressure is relieved by the nuclear system pressure relief system. After the reactor is isolated and feedwater flow has been lost, decay heat will cause an increase in nuclear system pressure, eventually lifting relief valves and allowing reactor vessel water level to decrease. The core and containment cooling sequence shown in Figure 15A.6-29 shows the short-and long-term sequences for achieving adequate cooling.
15A.6.4 Abnormal (Unexpected) Operational Transients 15A.6.4.1 General The safety requirements and protection sequences for abnormal operational transients are described in the following paragraphs for Events 30 through 39. The protection sequence block diagrams show the sequence of front-line safety systems (refer to Figure 15A.6-30 through 15A.6-39). The auxiliaries for the front-line safety systems are indicated in the auxiliary diagrams (Figures 15A.6-1 and 15A.6-2) and the commonality of auxiliary diagrams (Figures 15A.6-54, 15A.6-55, 15A.6-56, 15A.6-57, 15A.6-58 and 15A.6-59).
15.A.6.4.2 Required Safety Actions/Related Unacceptable Results The following list relates the safety actions for abnormal operational transients to mitigate or prevent the unacceptable safety results cited in Table 15A.2-8.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-36 Safety Action Related Unacceptable Result Reason Action Required Scram and/or RPT Pressure relief 3-2 3-3 3-3 To limit gross core-wide fuel damage and to limit nuclear system pressure rise.
To prevent excessive nuclear system pressure rise.
Core and Containment cooling 3-2 3-4 To limit further fuel and containment damage in the event that normal cooling is interrupted.
Reactor vessel isolation 3-2 To limit further fuel damage by reducing the outflow of steam and water from the reactor vessel, thereby limiting the decrease in reactor vessel water level.
Restore ac power 3-2 To limit initial fuel damage by restoring a-c power to system essential to other safety actions.
Containment isolation 3-4 To limit radiological effects.
15A.6.4.3 Event Definition & Operational Safety Evaluation Event 30 - Main Generator Trip (Without By-Pass System Operation)
A main generator trip without by-pass system operation can occur only in operating State D (during heatup or power operation). A generator trip during heatup without by-pass operation results in the same situation as the power operation case. Figure 15A.6-30 depicts the protection sequences required for a main generator trip. The event is basically the same as that described in Event 27 at power levels above 30%. A scram, RPT, isolation, relief valve, and RCIC/HPCI operation will immediately result in prolonged shutdown, which will follow the same pattern as Event 27.
The thermohydraulic and thermodynamic effects on the core, of course, are more severe. Since the event is of lower probability than Event 27, the unacceptable results are less limiting.
The load rejection and turbine trip are similar abnormal operational transients and, although main generator trip is a less severe transient than a turbine trip due to the rapid closure of the turbine stop valves, the required safety actions are the same.
Event 31 - Main Turbine Trip (Without By-Pass System Operation)
A main turbine trip without by-pass can occur only in operating State D (during heatup or power operation). Figure 15A.6-31 depicts the protection sequences required for main turbine trips.
Plant operation with by-pass system operation above or below 30% power, due to by-pass system failure, will result in the same transient effects: a scram, a RPT, an isolation, subsequent
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-37 relief valve actuation, and immediate RCIC/HPCI actuation. After prolonged shutdown, similar extended core and containment cooling will be required as noted previously in Event 25.
Turbine trips without by-pass system operations results in very severe thermohydraulic impacts on the reactor core. The allowable limit or acceptable calculational techniques for this event are less demanding or strict due to the low probability of the stated event relative to turbine trip with a by-pass operation event.
Main turbine trip and load rejections are similar abnormal operational transients and, although main turbine trip is a more severe transient than main generator trip due to the rapid closure of the turbine stop valves, the required safety actions are the same.
Event 32 - Inadvertent Loading and Operation with Fuel Assembly in Improper Position Operation with a fuel assembly in the improper position can occur in all operating states. No protection sequences are necessary relative to this event. Results of worst fuel handle loading error will not cause fuel cladding integrity damage. It requires three independent equipment/operator errors to allow this situation to develop. See Figure 15A.6-32 for the event sequence.
Events 33 through 37 - Not Used Event 38 - Recirculation Loop Pump Seizure A recirculation loop pump seizure event considers the instantaneous stoppage of the pump motor shaft of one recirculation loop pump. The case involves operation at design power in State D.
A main turbine trip will occur as vessel level swell exceeds the turbine trip setpoint. This results in a trip scram and a RPT when the turbine stop valves close. Relief valve opening will occur to control pressure level and temperatures. RCIC or HPCI systems will maintain vessel water level. Prolonged isolation will require core and containment cooling and possibly some radiological effluent control.
The protection sequence for this event is given in Figure 15A.6-38.
Event 39 - Recirculation Loop Pump Shaft Break A recirculation loop pump shaft break event considers the degraded, delayed stoppage of the pump motor shaft of one recirculation loop pump. The case involves operation at design power in State D. A main turbine trip will occur as vessel level swell exceeds the turbine trip setpoint.
This results in a trip scram and a RPT when the turbine stop valves close. Relief valve opening will occur to control pressure level and temperatures. RCIC or HPCI systems will maintain vessel water level. Prolonged isolation will require core and containment cooling and possibly some radiological effluent control.
The protection sequence for this event is given in Figure 15A.6-39.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-38 15A.6.5 Design Basis (Postulated) Accidents 15A.6.5.1 General The safety requirements and protection sequences for accidents are described in the following paragraphs for Events 40 through 49. The protection sequence block diagrams show the safety actions and the sequence of front-line safety systems used for the accidents (refer to Figures 15A.6-54, 15A.6-55, 15A.6-56, 15A.6-57, 15A.6-58 and 15A.6-59).
The auxiliaries for the front-line safety systems are indicated in the auxiliary diagrams (Figures 15A.6-1 and 15A.6-2) and the commonality of auxiliary diagrams (Figures 15A.6-60 through 15A.6-65).
15A.6.5.2 Required Safety Actions/Unacceptable Results The following list relates the safety actions for design basis accidents to mitigate or prevent the unacceptable results cited in Table 15A.2-9.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-39 Safety Action Related Unacceptable Result Reason Action Required Scram 4-2 4-3 To prevent fuel cladding failure and to prevent excessive nuclear system pressures.
Failure of the fuel barrier includes fuel cladding fragmentation (loss-of-coolant accident) and excessive fuel enthalphy (control rod drop accident).
Pressure relief 4-3 To prevent excessive nuclear system pressure.
Core Cooling 4-2 To prevent fuel cladding failure.
Reactor vessel isolation 4-1 To limit radiological effect to not exceed the guideline values of 10 CFR 100.
Establish reactor containment 4-1 To limit radiological effects to not exceed the guideline values of 10 CFR 100.
Containment cooling 4-4 To prevent excessive pressure in the containment when containment is required.
Stop rod ejection 4-2 To prevent fuel cladding failure.
Restrict loss of reactor coolant (passive) 4-2 To prevent fuel cladding failure.
Main Control Room environmental control 4-5 To prevent overexposure to radiation of plant personnel in the control room.
Limit reactivity insertion rate (passive) 4-2 4-3 To prevent fuel cladding failure and to prevent excessive nuclear system pressure.
15A.6.5.3 Event Definition and Operational Safety Evaluations Event 40 - Control Rod Drop Accident (CRDA)
The control rod drop accident (CRDA) results from an assumed failure of the control rod-to-drive mechanism coupling after the control rod (very reactive rod) becomes stuck in its fully inserted position. It is assumed that the control rod drive is then fully withdrawn before the stuck rod falls out of the core. The control rod velocity limiter, an engineered safeguard, limits the control rod drop velocity. The resultant radioactive material release is maintained far below the guideline values of 10CFR1OO.
The control rod drop accident is applicable only in operating State D.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-40 The control rod drop accident cannot occur in State B because rod coupling integrity is checked on each rod to be withdrawn if more than one rod is to be withdrawn. No safety actions are required in States A or C where the plant is shutdown by more than one rod prior to the accident.
Figure 15A.6-40 presents the different protection sequences for the control rod drop accident.
As shown in Figure 15A.6-40, the reactor is automatically scrammed and isolated. For all design basis cases, the neutron monitoring, reactor protection, and control rod drive systems will provide a scram from high neutron flux. The main steam line radiation monitoring system will initiate the isolation of certain containment lines. Any high radiation in the containment areas will initiate closure of other possible pathways to atmosphere, as necessary.
After the reactor has been scrammed and isolated, the pressure relief system allows the steam (produced by decay heat) to be directed to the suppression pool. Initial core cooling is accomplished by either the RCICS or the HPCIS or the normal feedwater system.
With prolonged isolation, as indicated in Figure 15A.6-40, the reactor operator initiates the RHBS/suppression pool cooling mode and depressurizes the vessel with the automatic depressurization system (ADS) or via normal manual relief valve operation. The LPCI, CSCS or HPCI maintain the vessel water level and accomplish extended core cooling. Isolation of turbine-condenser fission product releases will also be maintained.
Event 41 - Fuel Handling Accident (FHA)
Because a fuel-handling accident can potentially occur any time fuel assemblies are being manipulated, either over the reactor core or in a spent fuel pool, this accident is considered in all operating states. Considerations include mechanical fuel damage caused by drop impact and a subsequent release of fission products. The protection sequences pertinent to this accident are shown in Figure 15A.6-41. Containment and/or reactor building isolation and standby gas treatment operation are automatically initiated by the respective building or ventilation radiation monitoring systems.
Figure 15A.6-41 describes the protection sequences for the event.
Event 42 - Loss-of-Coolant Accidents Resulting from Spectrum of Postulated Piping Breaks Within RPCB Inside Containment (DBA-LOCA)
Pipe breaks inside the containment are considered only when the nuclear system is significantly pressurized (States C and D). The result is a release of steam and water into the containment.
Consistent with NSOA criteria, the protection requirements consider all size line breaks including larger liquid recirculation loop piping down to small steam instrument line breaks. The most severe cases are the circumferential break of the largest (liquid) recirculation system pipe and the circumferential break of the largest (steam) main steam line.
As shown in Figure 15A.6-42, in operating State C (reactor shut down, but pressurized), a pipe break accident up to the DBA can be accommodated within the nuclear safety operational criteria through the various operations of the main steamline isolation valves, emergency core cooling systems (HPCI, ADS, LPCI, CSCS), containment and reactor vessel isolation control system, containment, reactor building, standby gas treatment system, main control room I I
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-41 heating, cooling and ventilation system, MSIV Leakage Isolated Condenser Treatment Method, emergency service water systems, hydrogen control system, equipment cooling systems, and the incident detection circuitry. For small pipe breaks inside the containment, pressure relief is effected by the nuclear system pressure relief system, which transfers decay heat to the suppression pool. For large breaks, depressurization takes place though the break itself. In State D (reactor not shut down, but pressurized), the same equipment is required as in State C but, in addition, the reactor protection system and the control rod drive system must operate to scram the reactor. The limiting items, on which the operation of the above equipment is based, are the allowable fuel cladding temperature and the containment pressure capability. The control rod drive housing supports are considered necessary whenever the system is pressurized to prevent excessive control rod movement through the bottom of the reactor pressure vessel following the postulated rupture of one control rod drive housing (a lesser case of the design basis loss-of-coolant accident and a related preventive of a postulated rod ejection accident).
After completion of the automatic action of the above equipment, manual operation of the RHRS (suppression pool cooling mode) and ADS (controlled depressurization) is required to maintain containment pressure and fuel cladding temperature within limits during extended core cooling.
Event - 43, 44, 45 - Large, Small, Steam and Liquid Pipe Breaks Outside Containment (SLBA)
Pipe break accidents outside the containment are assumed to occur any time the nuclear system is pressurized (States C and D). This accident is most severe during operation at high power (State D). In State C, this accident becomes a lesser case of the State D sequence.
The protection sequences for the various possible pipe breaks outside the containment are shown in Figure 15A.6-43. The sequences also show that for small breaks (breaks not requiring immediate action) the reactor operator can use a large number of process indications to identify the break and isolate it.
In operating State D (reactor not shut down, but pressurized), scram is accomplished through operation of the reactor protection system and the control rod drive system. Reactor vessel isolation is accomplished through operation of the main steamline isolation valves and the containment and reactor vessel isolation control system.
For a main steamline break, initial core cooling is accomplished by either the HPCI or the automatic depressurization system (ADS) or manual relief valve operation in conjunction with either the CSCS or LPCI. These systems provide three parallel paths to effect initial core cooling, thereby satisfying the single-failure criterion. Extended core cooling is accomplished by the single-failure proof, parallel combination of CSCS, HPCI and LPCI. The automatic depressurization system (ADS) or relief valve system operation and the RHRS suppression pool cooling mode (both manually operated) are required to maintain containment pressure and fuel cladding temperature within limits during extended core cooling.
Event 46 - Gaseous Radwaste System Leak or Failure It is assumed that the line leading to the steam jet air ejector fails near the main condenser.
This results in activity normally processed by the offgas treatment system being discharged directly to the turbine building and subsequently through the ventilation system to the
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-42 environment. This failure results in a loss-of-flow signal to the offgas system. This event can be considered only under States C and D.
The reactor operator initiates a normal shutdown of the reactor to reduce the gaseous activity being discharged. A loss of main condenser vacuum will result (timing depending on leak rate) in a main turbine trip and ultimately a reactor shutdown. Refer to Event 26 for reactor protection sequence (see Figure 15A.6-26).
The protective sequences for this event are provided in Figure 15A.6-46.
Event 47 - Ambient Charcoal Offgas Treatment System Failure An evaluation of those events which could cause a gross failure in the offgas system has resulted in the identification of a postulated seismic event, more severe than the one for which the system is designed, as the only conceivable event which could cause significant damage.
The detected gross failure of this system will result in manual isolation of this system from the main condenser. The isolation results in high main condenser pressure and ultimately a reactor scram.
The undetected postulated failure soon results in a system isolation necessitating reactor shutdown because of loss of vacuum in the main condenser. This transient has been analyzed in Event 26 (see Figure 15A.6-26).
The protective sequences for this event are provided in Figure 15A.6-47.
Event 48 - Liquid Radwaste System Leak or Failure Releases which could occur inside and outside of the containment, not covered by Events 40, 41, 42, 43, 44, 45, 47, and 48 will probably include small spills and equipment leaks of radioactive materials inside structures housing the subject process equipment. Conservative values for leakage have been assumed and evaluated in the plant under routine releases. The offsite dose that results from any small spill which could occur outside containment will be negligible in comparison to the dose resulting from the accountable (expected) plan leakages.
The protective sequences for this event are provided in Figure 15A.6-48.
Event 49 - Liquid Radwaste System - Storage Tank Failure An unspecified event causes the complete release of the average radioactivity inventory in the subject tank containing the largest quantities of significant radionuclides from the liquid radwaste system. This is assumed to be the concentrates waste tank in the radwaste building.
The airborne radioactivity released during the accident passes directly to the environment via the radwaste building vent.
The postulated events that could cause release of the radioactive inventory of the concentrates waste tank include cracks in the vessels and an operator error. The possibility of small cracks and consequent low-level release rates receives primary consideration in system and component design. The concentrates waste tank is designed to operate at atmospheric pressure and 200°F maximum temperature so the possibility of failure is considered small. A
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-43 liquid radwaste release caused by operator error is also considered a remote possibility.
Operating techniques and administrative procedures emphasize detailed system and equipment operating instruction. A positive action interlock system is provided to prevent inadvertent opening of a drain valve. Should a release of liquid radioactive wastes occur, floor drain sump pumps in the floor of the radwaste building will receive a high water level alarm, activate automatically, and remove the spilled liquid to a contained storage tank.
The protective sequences for this event are provided in Figure 15A.6-49.
15A.6.6 Special Plant-Capability Events 15A.6.6.1 General Additional special events are postulated to demonstrate that the plant is capable of accommodating off-design occurrences. (Refer to Events 50 through 53). As such, these events are beyond the safety requirements of the other event categories. The safety actions shown on the sequence diagrams (refer to Figure 15A.6-50 through 15A.6-53) for the additional special events follow directly from the requirements cited in the demonstration of the plant capability.
Auxiliary system support analyses are shown in Figures 15A.6-1, 15A.6-2 and 15A.6-54, 15A.6-55, 15A.6-56, 15A.6-57, 15A.6-58 and 15A.6-59.
15A.6.6.2 Required Safety Action/Unacceptable Results The following list relates the safety actions for special events to prevent the unacceptable results cited in Table 15A.2-10.
Safety Action Related Unacceptable Result Reason Action Required Manually initiate all shutdown controls from local panels 5-1 5-2 Local panel control has been provided and is available outside main control room.
Manually initiate SLCS 5-3 Standby Liquid Control System to control reactivity to cold shutdown is available.
15A.6.6.3 Event Definitions and Operational Safety Evaluation Event 50 - Shipping Cask Drop Due to the redundant nature of the plant crane, the cask drop accident is not believed to be a credible accident. However, the accident is hypothetically assumed to occur as a consequence of an unspecified failure of the cask lifting mechanism, thereby allowing the cask to fall.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-44 It is assumed that a spent fuel shipping cask containing irradiated fuel assemblies is in the process of being moved with the cask suspended from the crane above the rail car. The fuel assemblies have been out of the reactor for at least 90 days.
Through some unspecified failure, the cask is released from the crane and falls between 30 to 100 feet onto the rail car. Some of the coolant in the outer cask structure may leak from the cask.
The reactor operator will ascertain the degree of cask damage and, if possible, make the necessary repairs and refill the cask coolant to its normal level if coolant has been lost.
It is assumed that if the coolant is lost from the external cask shield, the operator will establish forced cooling of the cask by introducing water exterior surface. Maintaining the cask in a cool condition will, therefore, ensure no fuel damage as a result of a temperature increase due to decay heat.
Since the cask is still within the reactor building volume, any activity postulated to be released can be accommodated by the SGTS.
The protective sequences for this event are provided in Figure 15A.6-50.
Event 51 - Reactor Shutdown - ATWS Reactor shutdown from a plant transient occurrence (e.g., turbine trip) without the use of mechanical control rods is an event currently being evaluated to determine the capability of the plant to be safely shutdown. The event is applicable in any operating state. Figure 15A.6-51 shows the protection sequence for this extremely improbable and demanding event in each operating state. In State A, no sequence is shown because the reactor is already in the condition finally required by definition.
State D is the most limiting case. Upon initiation of the plant transient situation (turbine trip), a scram will be initiated but no control rods are assumed to move. The recirculation pumps will be tripped by the initial turbine trip signal. If the nuclear system becomes isolated from the main condenser, low power neutron heat can be transferred from the reactor to the suppression pool via the relief valves. The incident detection circuitry initiated operation of the HPCIS on low water level which maintains reactor vessel water level. The standby liquid control system will be manually initiated and the transition from low power neutron heat to decay heat will occur. The RHRS suppression pool spray cooling mode is used to remove the low power neutron and decay heat from the suppression pool as required. When reactor pressure falls to 100 to 200 psig level, the RHRS shutdown cooling mode is started and continued to cold shutdown.
Various single failure analytical exercises can be examined to further show additional capabilities to accommodate further plant system degradations.
Event 52 - Reactor Shutdown From Outside Main Control Room Reactor shutdown from outside main control room is an event investigated to evaluate the capability of the plant to be safely shutdown and cooled to the cold shutdown state from outside the main control room. The event is applicable in any operating States A, B, C and D.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-45 Figure 15A.6-52 shows the protection sequences for this event in each operating state. In State A, no sequence is shown because the reactor is already in the condition finally required for the event. In State C, only cooldown is required since the reactor is already shutdown.
A scram from outside the main control room can be achieved by opening the ac supply breakers for the reactor protection system. If the nuclear system becomes isolated from the main condenser, decay heat is transferred from the reactor to the suppression pool via the relief valves. The incident detection circuitry initiates operation of the RCIC/HPCI systems on low water level which maintains reactor vessel water level, and the RHRS suppression pool cooling mode is used to remove the decay heat from the suppression pool if required. When reactor pressure falls to 100 to 200 psig level, the RHRS shutdown cooling mode is started.
Event 53 - Reactor Shutdown Without Control Rods Reactor shutdown without control rods is an event requiring an alternate method of reactivity control (the standby liquid control system). By definition, this event can occur only when the reactor is not already shutdown. Therefore, this event is considered only in operating States B and D.
The standby liquid control system must operate to avoid unacceptable result criteria 5-3. The design bases for the standby liquid control system result from these operating criteria when applied under the most severe conditions (State D at rated power). As indicated in Figure 15A.6-53, the standby liquid control system is manually initiated and controlled in States B and D.
15A.7 REMAINDER OF NSQA With the information presented in the protection sequence block diagrams, the auxiliary diagrams, and the commonality of auxiliary diagrams, it is possible to determine the exact functional and hardware requirements for each system. This is done by considering each event in which the system is employed and deriving a limiting set of operational requirements. This limiting set of operational requirements established the lowest acceptable level of performance for a system or component, or the minimum number of components or portions of a system that must be operable in order that plant operation may continue.
The operational requirements derived using the above process may be complicated functions of operating states, parameter ranges, and hardware conditions. The final step is to simplify these complex requirements into technical specifications that encompass the operational requirements but are easily used by plant operations and management personnel.
15A.8 CONCLUSIONS It is concluded that the nuclear safety operational and plant design basis criteria are satisfied when the plant is operated in accordance with the nuclear safety operational requirements determined by the method presented in this appendix.
SSES-FSAR Text Rev. 56 FSAR Rev. 65 15A-46 15A.9 REFERENCES 15A-1 Hirsch, M.M. "Methods for Calculating Safe Test Intervals and Allowable Repair Times for Engineered Safeguard Systems," January 1973 (NEDO-10739).
END HISTORICAL
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.2-1 PLANNED (NORMAL) OPERATION Cross-Correlation References NSOA NSOA Event Safety Analysis Event No.
Event DescriQlion Figure No.
Section No.
1 Refueling 15A.6-3,4, 5,6 Initial Reload 2
Achieving Criticality 15A.6-3,4,5,6 3
Heat-Up 15A.6-3,4,5,6 4
Power Operation - Generation 1 SA.6-3,4,5,6 Steady State Daily Load Reduction & Recovery Grid Frequency Control Response Control Rod Sequence Exchanges Power Generation Surveillance Testing 0
Turbine Stop Valve Surveillance Tests 0
Turbine Control Valve Surveillance Tests 0
MSLIV Surveillance Tests 5
Achieving Shutdown 15A.6-3,4, 5,6 6
Cooldown 15A.6-3,4, 5,6 HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL INFOR~fA TION TABLE 15A.2-2 ANTICIPATED (EXPECTED) OPERATIONAL TRANSIENTS Cross-Correlation References NSQA NSQA Event Safety Analysis Event No.
Event Descri12Uon Figure No.
Section No.
7 Manual or lnadvertant SCRAM 15A.6-7 7.2 8
Loss of Plant Instrument Service Air 15A.6-8 9.3.1 Systems 9
lnadvertant Start-Up of HPCI Pump 15A.6-9 15.5.1 10 lnadvertant Start-Up of Idle Recirculation 15A.6-10 15.4.4 Loop Pump 11 Recirculation Loop Flow Control Failure 15A.6~11 15.4.5 with Increasing Flow 12 Recirculation Loop Flow Control Failure 15A.6-12 15.3.2 with Decreasing Flow 13 Recirculation Loop Pump Trip 15A.6-13 15.3.1 With One Pump With Two Pumps 14 f nadvertant MSLIV Closure 15A.6-14a 15.2.4 15A.6-14b With One Valve With Four Valves HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 3
SSES-FSAR
-HISTORICAL INFORMATION TABLE 15A.2-2 ANTICIPATED (EXPECTED) OPERATIONAL TRANSIENTS Cross-Correlation References NSQA NSQA Event Safety Analysis Event No.
Event Descri~tion Figure No.
Section No.
15 lnadvertant Operation of One Safety/Relief 15A.6-15 15.1.4 Valve Opening/Closing Struck Open 16 Continuous Control Rod Withdrawal Error 15A.6-16 15.4.1 During Start-Up During Refueling 17 Continuous Control Rod Withdrawal Rod 15A.6-17 15.4.2 Error at Power 18 RHRS-Shutdown Cooling Failure Loss of 15A.6-18 15.2.9 Cooling 19 RHRS - Shutdown Cooling Failure 15A.6-19 15.1.6 Increased Cooling 20 loss of All Feedwater Flow 15A.6-20 15.2.7 21 Loss of Feedwater Heater 15A.6-21 15.1.1 22 F eedwater Controller Failure Maximum 15A.6-22 15.1.2 Demand 23 Pressure Regulator Failure 15A.6-23 15.1.3 Open I- -
HISTORICAL INFORMATION Rev. 54, 10/99 Page 2 of 3
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.2-2 ANTICIPATED (EXPECTED) OPERATIONAL TRANSIENTS Cross-Correlation References NSQA NSQA Event Safety Analysis Event No.
Event Descri12tion Figure No.
Section No.
24 Pressure Regulator Failure 15A.6-24 15.2.1 Closed 25 Main Turbine Tr.ip Wrth Bypass System 15A.6-25 15.2.3 Operational 26 Loss of Main Condenser Vacuum 15A.6-26 15.2.5 27 Main Generator Trip (Load Rejection) With 15A.6-27 15.2.2 Bypass System Operational 28 Loss of Plant Normal On-Site AC Power -
15A.6~28 15.2.6 Auxiliary Transformer Failure 29 Loss of Plant Normal Off-Site AC Power -
15A.6-29 15.2.6 Grid Connection Failure HISTORICAL INFORMATION Rev. 54, 10/99 Page 3 of 3
SSES-FSAR 1-Hl~TORICAL INF:ORMA TION TABLE 15A.2-3 ABNORMAL (UNEXPECTED} OPERATIONAL TRANSIENTS Cross-Correlation References NSQA NSQA Event Safety Analysis Event No.
Event Descri9tion Figure No.
Section No.
30 Main Generator Trip (Load Rejection) with 15A.6-30 15.2.2 Bypass System Failure 31 Main Turbine Trip With Bypass System 15A.6*31 15.2.3 Failure 32 Inadvertent Loading and Operation of a 15A.6-32 15.4.7 Fuel Assembly In An Improper Position 33 NOT USED
- 34.
NOT USED 35 NOT USED 36 NOT USED 37 NOT USED 38 Recirculation Loop Pump Seizure 15A.6-38 15.3.3 39 Recirculation Loop Pump Shaft Break 15A.6*39 15.3.4 1-HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR
[.
HIS'f PR/CAL INFORMATION TABLE 15A.2--4 DESIGN BASIS_ (POSTULATED) ACCIDENTS Cross-Correlation References NSQA NSQA Event Safety Analysis Event No.
Event Descri~tion Figure No.
Section No.
40 Control Rod Drop Accident 15A.6-40 15.4.9 41 Fuel Handling Accident 15A.6-41
- 15. 7.4 42 Loss-of-Coolant Accident Resulting from 15A6-42 15.6.5 Spectrum of Postulated Piping Breaks Within the RPCB Inside Containment 43 Small, Large, Steam and Liquid Piping 15A.6-43 15.6.4 Breaks Outside Containment 44 Instrument Line Break Outside Drywell 15A.6-44 15.6.2 45 Feedwater Line Break Outside 15A.6-45 15.6.6 Containment 46 Gaseous Radwaste System Leak or Failure 15A6-46 15.7.1 47 Ambient Charcoal Off-Gas Treatment 15A.6-47 15,7.1 System Failure 48 Liquid Radwaste System Leak or Failure 15A.6-48 15.7.2 49 Liquid Radwaste System Storage Tank 15A.6-49 15.7.3 Failure HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL INFORMATION TABLE) SA.2-5 SPECIAL (PLANT CAPABl~ITY} EVENTS Cross-Correlation References NSQA NSQA Event Safety Analysis Event No.
Event Descri12tion Figure No.
Section No.
50 Spent Fuel Cask Drop 15A.6-50 15.7.5 51 Reactor Shutdown From Anticipated 15A.6-51 15.8 Transient Without SCRAM (A TWS) 52 Reactor Shutdown From Outside Main 15A6-52 7.5 Control Room 53 Reactor Shutdown Without Control Rods 15A.6-53 9.3.5 HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.2-6 PLANT EVENT CATEGORY: PLANNED (NORMAL) OPERATION UNACCEPTABLE RESULTS CRITERIA UNACCEPTABLE RESULTS 1-1.
Release of radioactive material to the environs that exceeds the limits of either 1 0CFR20 or 10CFR50.
1-2.
Fuel failure to such an extent that were the treed fission products released to the environs via the normar discharge paths for radioactive material, the limits of 1 0CFR20 would be exceeded.
1-3.
Nuclear system stress in excess of that allowed for planned operation by applicable industry codes.
1-4.
Existence of a plant condition not considered by plant safety analyses.
HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.2-7 PLANT EVENT CATEGORY: ANTICIPATED (EXPECTED).OPERATIONAL TRANSIENTS UNACCEPTABLE RESULTS CRITERIA UNACCEPTABLE RESULTS 2-1.
Release of radioactive material to the environs that exceeds the limits of 1 0CFR20.
2-2.
Any fuel failure calculated as a direct result of the transient analyses.
2*3.
Nuclear system stress exceeding that allowed for transients by applicable industry codes.
2-4.
Containment stresses exceeding that allowed for transients by applicable industr; codes when containment is required.
HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR I.
HISTORICAL INFORMATION
- I TABLE 15A.2-8 PLANT EVENT CATEGORY: *ABNORMAL (UNEXPECTED) OPERATIONAL TRANSIENTS UNACCEPTABLE RESULTS CRITERIA UNACCEPTABLE RESULTS 3-1.
Radioactive material release exceeding a small fraction of 10CFR100.
- 3-2.
Failure of the fuel barrier as a result of exceeding mechanical or thermal limits.
3-3.
Nuclear system stresses exceeding that allowed for transients by applicable industry codes.
3-4.
Containment stresses exceeding that allowed for accidents by applicable industry codes when containment is required.
- Failure of the fuel barrier means gross core-wide fuel cladding perforations.
HISTORICAi-INFORMATION Rev. 54, 10/99 Page 1 of 1
r SSES-FSAR HISTORICAL INFORMATION TABLE 15A.2-9 PLANT EVENT CATEGORY: DESIGN BASIS (POSTULATED) ACCIDENTS UNACCEPTABLE RESULTS CRITERIA UNACCEPTABLE RESULTS 4-1.
Radioactive material release exceeding the guideline values of 10CFR100.
- 4-2.
Failure of the fuel barrier as a result of exceeding mechanical or thermal limits.
4-3.
Nuclear system stresses exceeding that allowed for accidents by applicable industry codes.
4-4.
Containment stresses exceeding that allowed for accidents by applicable industry codes when containment is required.
4-5.
Overexposure to radiation of plant main control room personnel.
- Failure of the fuel barrier includes fuel cladding fragmentation (loss-of-coolant accident} and excessive fuel enthalpy (control rod drop accident).
HISTORICAL INFORMATION Rev. 541 10/99 Page 1 of 1
SSES-FSAR I*-.. -
HISTORICAL INFORMA TJON TABLE 15A.2-10 PLANT EVENT CATEGORY: SPECIAL (PLANT CAPABILITY) EVENTS UNACCEPTABLE RESULTS CONSIDERATIONS SQecial Events Considered A.
Reactor shutdown from outside control room B.
Reactor shutdown without control rods C.
Reactor shutdown with anticipated transient without scram {ATWS)
Ca~abili~ Demonstration 5-1.
Ability to shut down reactor by manipulating controls and equipment outside the main controt room.
5-2.
Ability to bring the reactor to the cold shutdown condition from outside the main control room.
- 5-3.
Ability to shut down the reactor independent of control rods.
HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.3-1 BWR OPERATING STATES Conditions States 8
~
.Q Q
Reactor vesset head off x*
x*
Reactor vessel head on X
X Shutdown X
X Not shutdown X
X Definition Shutdown: I<<<, sufficiently less than 1.0 that the full withdrawal of any one control rod could not produce criticality under the most restrictive potential conditions of temperature, pressure, core age, and fission product concentrations.
- secause the reactor vessel head is off in States A and B, pressure is atmospheric.
HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.6-1 PLANT EVENTS APPLICABLE IN EACH BWR OPERATING STATE PLANNED (NORMAL} OPERATION BWR 012erating States T~12es of 01;1eration and Events 8
I!
Q Q
- 1.
Refueling outage X
- 2.
Achieving Criticality X
X X
X
- 3.
Heatup X
- 4.
Power operation
- X
- 5.
Achieving Shutdown x*
X
- 6.
Cooldown X
X HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HISTORICAL JNFORMA TION TABLE 15A.6-2 PLANT EVENTS APPLICABLE IN EACH BWR OPERATING STATE ANTICIPATED (EXPECTED} OPERATIONAL TRANSIENTS BWR O~erating States T:tJ1es of 02eration and Events A
B C
D
- 7.
Manual or lnadvertant SCRAM X
X X
X 8
Loss of Plant Instrument/Service Air System X
X 9.*
lnadvertant Start-Up of HPC_I Pumps X
X X
X
- 10.
lnadvertant Start-Up of Idle Recirculation Loop X
X X
X Pump
- 11.
Recirculation Loop Flow Control Failure-X X
Increasing
- 12.
Recirculation Loop Flow Control Failure-X X
Decreasing
- 13.
Recirculation Loop Pump Trips - One or Both X
X
- 14.
Inadvertent MSIV Closure - One or Four Valves X
X
- 15.
Inadvertent Operation of One Safety/Relief Valve X
X
- 16.
Continuous Control Rod Withdrawal Error During Start-Up.
X During Refueling X
- 17.
Continuous Control Rod Withdrawal Error X
X
-At Power
- 18.
RHRS - Shutdown Cooling Failure - Loss of X
X X
X Cooling
- 19.
RHRS - Shutdown Cooling Failure - Increased X
X X
X Cooling
- 20.
Loss of All Feedwater Flow X
X
- 21.
Loss.of One Feedwater Heater X
HISTORICAL INFORMATION Rev. 541 10/99 Page 1 of 2
SSES-FSAR HISTORICAL' INFORMATION TABLE 15A.6-2 PLANT EVENTS APPLICABLE IN EACH BWR OPERATING STATE ANTICIPATED (EXPECTED} OPERATIONAL TRANSIENTS BWR 0Qerating States T112es of 012eration and Events A
B C
D
- 22.
Feedwater Controller Failure - Maximum Demand X
X X
X
- 23.
Pressure Regulator Failure - Open X
X
- 24.
Pressure Regulator Failure - Closed X
X
- 25.
Main T!Jrbine Trips - With Bypass X
- 26.
Loss of Main Condenser Vacuum X
X
- 27.
Main Generator Trip (Load Rejection) With X
Bypass
- 28.
Loss of Plant Normal On-site AC Power -
X X
X X
Auxiliary Transformer Loss
- 29.
Loss of Plant Normal Off-site AC Power-Grid X
X X
X Connection Loss HISTORICAL INFORMATION Rev. 54, 10/99 Page 2 of 2
SSES-FSAR HISTORICAL INFORMATION TABLE 15A.6-3 PLANT EVENTS APPLICABLE.IN EACH BWR OPERATING STATE ABNORMAL (UNEXPECTED} OPERATIONAL TRANSIENTS T:tQes of Oge ration and Events BWR 0Qerating States A
B C-D
- 30.
Main Generator Trip (Load Rejection} -Without X
Bypass
- 31.
Main Turbine Trip - Without Bypass X
- 32.
lnadvertant Loading and Operation of a Fuel X
X X
X Assembly in an tmproper Position
- 33.
NOT USED
- 34.
NOT USED
- 35.
NOT USED
- 36.
NOT USED
- 37.
NOT USED
- 38.
Recirculation Loop Pump Seizure X
X
- 39.
Recirculation Loop Pump Shaft Break X
X
- HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
SSES-FSAR HIS°TORICAL INFORMATION TABLE 15A. 6-4 PLANT EVENTS APPLICABLE IN EACH BWR OPERATING STATE DESIGN BASIS (POSTULATED} ACCIDENTS BWR OQerating States T1~es of O~eration and Events A
B C
D
- 40.
Control Rod Drop Accident X
- 41.
Fuel Handling Accident X
X X
X
- 42.
Loss of Coolant Accident Resulting from Spectrum X
X of Postulated Piping Breaks 'Nithin RPCB Inside*
Containment
- 43.
Steam System Piping Break Outside Secondary X
X Containment
- 44.
Instrument Line Break Inside Secondary X
X Containment
- 45.
Feedwater Line Break Outside Containment X
X
- 46.
Gaseous Radwaste System Leak or Failure X
X
- 47.
. Ambient Charcoal Off-Gas Treatment System X
X Failure
- 48.
Liquid Radwaste System Leak or Failure X
X X
X
- 49.
Liquid Radwaste System Storage Tank Failure X
X X
X HISTORICAL INFORMATION Rev. 54, 10/99 Page 1 of 1
.- --HISTORICAL INFORMATION TABLE 15A.6-5 PLANT EVENTS APPLICABLE IN EACH BWR OPERATING STATE SPECIAL (PLANT CAPABILITY} EVENTS BWR O~erating States T~12es of O~eration and Events A
B C
D
- 50.
Spent Fuel C?sk Drop X
X X
X
- 51.
Reactor Shutdown from Anticipated Transient -
X X
X X
- 52.
Reactor Shutdown - From Outside Main Control X
X X
X Room
- 53.
Reactor Shutdown - Without Control Rods X
X X
X
- HISTORICAL JNFORMA TION Rev. 54, 10/99 Page 1 of 1
AutoCAD: Figure Fsar 15A_2_1.dwg FSAR REV.65 FIGURE 15A.2-1, Rev 55 POSSIBLE INCONSISTENCIES IN THE SELECTION OF NUCLEAR SAFETY OPERATIONAL REQUIREMENTS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
EVENTA I Ol'EftATK>NAl.
REQUIREMENT 1ST PROTECTION LEVEL 2ND PROTECTION LEVEL EVENT A EVENT CATEGORY1 PROTECTION LEVEL I 1TECTION LEVELi 3RD PROTECTION OPERATIONAL LEVEL REQUIREMENT MO'JICTION uva~
4TH PROTECTION I
~TECTIGN LEVEL LIVEL S
.Ltva. 3 ION 6TH PROTECTION LEVEL OPERATIONAL 11TH PROTECTION REQUIREMENT LEVEL IT IS INCONSISTENT TO Pl.ACE OPERATIONAL RIOUIREIIENTI ON SEPARATED LEVELS OF PROTECTION FOR ANY ONE EVENT I
U)
1 0
- 0 n
)>
r PANELA l'ROTECTION LEVEL4 IT IS INCONIISTINTTO PLACEOf'lftATIONAL REOUIREMENTS ARBITRAAILYOft_. actlON ISCIIAMt (NALL CASES OF ONE EYPIT ~TEGORY, BECAUSE THAT ACTION l8CAAMl MAV REPRUENT DIFFERENT LEVELS OF PROTECTION FOR THE VARIOUSCASE&,
PANELS SINGLE EQUIPMENT MALFUNCtlON SINGLE OPERATOR ERROR
~OPERATOR AODrrlONAL EOUtl'MENT MALFUNCTION EVENT A 1ST PflOTECTION LIYEL OPERATIONAL 12ND REQUIREMENT :.WlfCTION 3RD PROTECTION LEVEL SINGLE OPERATOR ERROR EVENTS 1ST PROTECTION LEVl!t.
2ND OPERATIONAL IPROTECTION REOUIREMENTI: ",VEL 3RD PflOTECTION LIVEL IT IS INCONSISTENT TO PLACE OPERATIONAL RE-QUIREMENTS ON EVEN THE SAME LEVELS OF PROTECTION, IF THE EVENTS AflE NOT Pf' THE SAME CATEGORY.
AutoCAD: Figure Fsar 15A_2_2.dwg FSAR REV.65 FIGURE 15A.2-2, Rev 55 METHODS USED TO DERIVE NSO REQUIREMENTS SYSTEM &
SUBSYSTEM LEVEL QUALITATIVE FMEA & DESIGN BASIS CONFIRMATION AUDITS & TECH SPECS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT UNACCl!l'TMl.l RtlULTS NUCLEAJISAFETV t----------------.....
DESIGN CRtTEJIIA PLANTSYST811 AIDESIGNIO ANO INSTALLED PLANNED OKRATtONI Ol'IRAT1NG 1---.....:,..=-:_=-:_=_=_=_=_=_=-:_=_=-:.=_=_=_=_=_=_=_.:s:~:i STAns O'EIIATIONAL AIIIAI.VIIS RUUIFOR EV£NT ANAL VIII IOINnFICATtC)N Of' IM'ITV IC-TIOIISllllll11A TI) AVQIOING UN-ACql'TAIU:..-,._Tt IEMN STATEI IDIIITIFICATIOII Of' IYSTEIIII AIIIO UllfTl__,.M.l'DIIACHtaYING unTY llli\\fflDNI IJACNSTA1'11 tDINTIFl(:ATION OF IN1RA-IWTEM AC'flllfllS'WMICH MUST II RIQUIIIED QIII RIITIIICTID IUCII IVll'IM)
IOIIITIFICATION OF MINlllUM IVITBll4MDaMECCINDl'TIONITO
~IIN M:nO!a CUCHl'l'ffllll 1DelfflNC4TION a,. HMIDWAIII CONDITIOM lOMT*Y~WIIMINTI IACH....
_~
__ _,Pa
~EAR SAl'tTYIIIOIMl...,.,UMITING CGNG11IGNI POii Ol'f!IIATIOIII tDllfflFY IUl'IVIILLANCE TUT FRECJUINCla AOOITIONAL Pl.ANT CAPA91UTY EVENTS REDUNDANCV REQUIREMENT ISACFI REDUNDANCV REQUIREMENT IIACFI EAIISAFETY
~ATIONAL UTERIA AVAILAllllTV CONSIDERATIONS lfJBftVV Al LOWAM TIMIS
~;;;;~II!-;;~,;,
..,., IYSTUI, IUM*
I OIPEIIA'f ONAL Rl!OUIRE-1 IVITl!M-ll!VIL QUALITATIVE HAN'f SAFE'rV FMEA l\\"ITllk.lVIL QUALITATIVE 1'1.AHTOIGNIIMIS
~TION fflfllGCONOl110NPOflONRAl"*TI_ON_I ____________
L_M_ENTS_-_JIIDTIA~~D_J
..-UFICATION
,----="'°',-D:n:_..__IV&_I!_--,
TECHNICAL fYl'fllf,'otltGN MIii SNCll"ICATIONS OCINI' nclN HISTORICAL
AutoCAD: Figure Fsar 15A_4_1.dwg FSAR REV.65 FIGURE 15A.4-1, Rev 55 FORMAT FOR PROTECTION SEQUENCE DIAGRAMS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SAFETY SYSTEM Q
DIFFERENT PLANT CONDITION SAFETY SYSTEM A
r, EVENT
\\ xv)
(wz \\
NUMBER C)F EVENT STATES IN WHICH THIS PROTECTION SEQUENCE: IS APPLICAll.E DIFFERENT PLAN CONDITtON SAFlcTY SYS'rEM u
S F
INDICATES THAT tvsTEMS Q AND R
~
....-:::;::::. SHARE AS A PAIR' ~AIOUtREMENT "r~;::.:;:::::;_..;_,
--~ TO MIET*THI SINGLE FAILURE CRITERION
---SA-P~---
~"=~L~
~E~
SYSTEM ACTa.,
~
SYSTEM S
AEOU-.oFOA
' I p )W
~w SAFETY SYSTEM T
S F SAFETY ACTION A
SYST&Mf MUST ITSEL.,
M&T TMI SINGLE FAILURE CI\\ITIFOON INl)ICATU THAT ONE OJI MORI OF 1}fE KEV PFl0CUI PAPI.TEAS MUST ----
8E LIMITED 19,,-ATUFY NUCLEAR SAFETY ~TtONAL CfUTlfllA EACN CONN~ED PROTECTION SEQUENCE IS FOR JUST ONG SAFETY ACTION HISTORICAL S F SAFI;\\
~:_;
AutoCAD: Figure Fsar 15A_4_2.dwg FSAR REV.65 FIGURE 15A.4-2, Rev 55 FORMAT FOR SAFETY SYSTEM AUXILIARY DIAGRAMS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
U)
~
0 A]
n
)>
i AUXILIARY SYSTEM A STATE EVENTS STATE EVENTS STATES AND EVENTS A
X,Y A
B X,Y B
C X,Y,Z C
D X,Y,Z D
S F SAFETY I
~YSTEM I SAFETY
~YSTEM V
INDICATES THAT SYSTEM IS INCLUDED IN COMBINATION BUT DOES NOT REQUIRE THE AUXILIARY.
o,v,w FOR WHICH THE AUX-V,W ILIARY /SAFETY SYSTEM u,v,w,x RELATIONSHIP APPLIES u,v,w,x S F SAFETY SYSTEM J3 I
SAFETY SYSTEM E
STATE EVENTS A
B C
D Y,W Y,W,Z S F SAFETY I
~YSTEM I
SAFETY SYSTEM lp STATE EVENTS A
B O,R C
D O,R,S I SAFETY
~YSTEM
AutoCAD: Figure Fsar 15A_4_3.dwg FSAR REV.65 FIGURE 15A.4-3, Rev 55 FORMAT FOR COMMONALITY OF AUXILIARY DIAGRAMS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT DIAGRAM INDICATES THAT AUXILIARIES A.B. ANO C ARE ESSENTIAL TO THE OPERATION OF THE FRONT LINE SAFETY SYSTEM X.
NO CHRONOLOGY OR ORDER OF I
ACTION IS IMPLIED HISTORICAL FftONTLtNE SAll:ETY SYSTEM X
SAFETY SYSTEM AUXILIARY A SAFETY SYSTEM AUXILIARY B SAFETY SYSTEM AUXILIARY C
SecurityRelatedInformation FigureWithheldUnder10CFR2.390 FIGURE15A.61 SAFETYSYSTEMAUXILIARIES SUSQUEHANNASTEAMELECTRICSTATION UNITS1&2 FINALSAFETYANALYSISREPORT
SecurityRelatedInformation FigureWithheldUnder10CFR2.390 FIGURE15A.62 SAFETYSYSTEMAUXILIARIES SUSQUEHANNASTEAMELECTRICSTATION UNITS1&2 FINALSAFETYANALYSISREPORT
SecurityRelatedInformation FigureWithheldUnder10CFR2.390 FIGURE15A.63 SAFETYACTIONSEQUENCE FORPLANNEDOPERATIONS INSTATEA SUSQUEHANNASTEAMELECTRICSTATION UNITS1&2 FINALSAFETYANALYSISREPORT
SecurityRelatedInformation FigureWithheldUnder10CFR2.390 FIGURE15A.64 SAFETYACTIONSEQUENCES FORPLANNEDOPERATIONS INSTATEB SUSQUEHANNASTEAMELECTRICSTATION UNITS1&2 FINALSAFETYANALYSISREPORT
SecurityRelatedInformation FigureWithheldUnder10CFR2.390 FIGURE15A.65 SAFETYACTIONSEQUENCES FORPLANNEDOPERATIONS INSTATEC SUSQUEHANNASTEAMELECTRICSTATION UNITS1&2 FINALSAFETYANALYSISREPORT
SecurityRelatedInformation FigureWithheldUnder10CFR2.390 FIGURE18.11 RADIATIONLEVELSFOR THESITEPLAN SUSQUEHANNASTEAMELECTRICSTATION UNITS1&2 FINALSAFETYANALYSISREPORT
AutoCAD: Figure Fsar 15A_6_7.dwg FSAR REV. 65 FIGURE 15A.6-7, Rev 55 PROTECTION SEQUENCE FOR MANUAL OR INADVERTENT SCRAM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT HISTORICAL EVENT 7 MANUAL OR INADVERTENT SCRAM STATES A, B, C, D REACTOR PROTECTION SYSTEM S
F CONTROL ROD DRIVE SYSTEM S
F SCRAM
AutoCAD: Figure Fsar 15A_6_8.dwg FSAR REV. 65 FIGURE 15A.6-8, Rev 55 PROTECTION SEQUENCE FOR LOSS OF PLANT INSTRUMENT AIR SYSTEM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT PLANNED OPERATION MANUAL/SCRAM OR SCRAM SIGNAL WHEN 3MAIN STEAM LINES CLOSED> 10%
INSERT CONTROL RODS STATE C, D REACTOR PROTECTION SYSTEM S F CONTORLROD DRIVE SYSTEM S F SCRAM HISTORICAL EVENTS SS OF PLAN STRUMENT SYSTEM STATESA,B, INCfDENT DETECTION CIRCUITRY S F RCICS HIGH PRESSURE LIFTS VAi.YE TRANSFERfUNG HEAT TO-SUP*
PRESSIOk-fOOL START HPCI RCIC, ON LOW WATER LEVEL MAINTAINW~Tlff LEVEL s
CORE COOLING PRESSURE RELIEF SYSTEM S
F PRESSURE RELIEF HPCIS
AutoCAD: Figure Fsar 15A_6_9.dwg FSAR REV. 65 FIGURE 15A.6-9, Rev 55 PROTECTION SEQUENCE FOR INADVERTENT START-UP OF HPCI'S PUMP SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
STATESB,O PRESSURE REGULATOR OPERATE I,
PLANNED OPERATION FAIUJRE 100PEN 1
- SEE EVENT N0.23 EVENT9 INADVERTENT START-UP HPCISPUMP STATES A, B, C AND D STATES A,C, PLANNED OPERATION HISTORICAL STATES8,D FEEDWATER CONTROLLER OPERATE FAILURE Pt.ANNEO OPERATION I,
MA:KIMUH DEMAND SEE EVENT N0.22
AutoCAD: Figure Fsar 15A_6_10.dwg FSAR REV.65 FIGURE 15A.6-10, Rev 55 PROTECTION SEQUENCES FOR INADVERTENT START-UP OF IDLE RECIRCULATION LOOP PUMP SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATED EVENT10 STARTUP OF IDLE RECIRCULATION PUMPS STATES A,B,C,D
.---------.--------_..,.._...,.,_. ________ STATESA.B.C.D I
V er w
~
V
~
IRM HIGH FLUX SIGNAL I
I\\
IC w
~
AfRM HIGH PLUX SIGNAL POWER 10-60%
POWER<s,r, NEUTRON MONITORING SYSTEM N.UTRON r,0NITt'JRING SYSTEM PLANNED OPERATION S
F REACTOR PROTECTIOH SYSTEM S
F CONTROLROO DRIVE SYSTEM S.
F SCRAM S
F SCRAM SIGNAL ON NEUTRON MONITORING SYSTEM TRIP INSERT CONTROL RODS HISTORICAL PLANNED OPERATION
AutoCAD: Figure Fsar 15A_6_11.dwg FSAR REV.65 FIGURE 15A.6-11, Rev 55 PROTECTION SEQUENCES FOR RECIRCULATION LOOP FLOW CONTROL FAILURE-MAXIMUM DEMAND SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATE D,MODE SWITCH IN RUN, POWER OPERATION NEUTRON MONITORING SYSTEM S
F CONTROL ROOORIVE SYSTEM S
F SCRAM HIGH NEl.ftRON FLUX (APRM) SIGNAL TO RPS SCRAM SIGNAL ONNfUTRON MONITORING SYSTEM TRIP OR FROM TURBINE TRIP INSERT CONTROL ROOS EVENT 11
&CIRCULATION t.
OW CONTROL FAIL MAXIMUM OEMA STATES C AND D PRESSURE RELIEF SYSTEM S F PRESSURE RELIEF STATEC STATED lMOPE SWITCH NOT IN AUN)
PLANNED OPERATION HISTORICAL
AutoCAD: Figure Fsar 15A_6_12.dwg FSAR REV.65 FIGURE 15A.6-12, Rev 55 PROTECTION SEQUENCES FOR RECIRCULATION LOOP FLOW CONTROL FAILURE-DECREASING SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT PRESSURE Mt.lEF SYSTEM SI F l'IIESS~E IIIELIIF ff.tlTE DONLY RIACTOR PROTECTION SYSTEM SI F COIITROLROD DRIVI SYSTEM S6F SCRAM ONEi-..t1STER CONTROLLER F.tllLUIIE SCR.tlM SIGN.tlL FIIOM I
TUii SiNE STOP V.tlLVE CLOSUIIE 2 HIGHW.tlTEIII LEVEL INSERT CONTROL RODS I -(/)
l¥l!IIJ1 RECIACULATION LOC.
fLOW~TROL f.tll LUl'lf-DECRE.Sl'IG Sl'AHSC.tlNDD INCIOENT OETE£TION CIRCUITRY HP(:I
-I 0
- a MAINTAIN WATER LEVEL IN RE.-CTOR VESSEL I
()
I
)>
r ONIJMASTIR CONTAOLLIR FAILURE MTEII ISOLATION STARTHPCI SYSTEM ON LDWW.tlTER LEVU s I F IIHA$ SUl'f'RESIION POOLCOOl.1111(;
MODE s*F flCICS llltllS ltlAT EIICHANGl!II IIHRSPUW' CONTAINMENT ANDRUCl'Cll'I VI-L IIOLATION Ct>>lfl!OL SYSTEM I I I' MA.. ITEAM L.. E IIOLATIOH VALVQ ll R!MSIEIIVM:E-TIIIPUMPI
.-X-VALVES lllOUIIIEO FOR CONTROLLIO OIPRESIUIUZATION p
INITIATE IIOLATION ON I LCIWWATIII LEVEL
AutoCAD: Figure Fsar 15A_6_13.dwg FSAR REV.65 FIGURE 15A.6-13, Rev 55 RECIRCULATION LOOP PUMP TRIP-ONE OR BOTH SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT PUNlltlD ClNRATION CONTAINMENT MDIIEACTOII VESSEL HIGHWATER LIVEL ISOLATION CONTROL SVSTIM S
F MAINITIAM UNI ISOLA1'1DM VALVO Af!ACTOII VISIEL ISOLATION UU1ll MCtllCULAl'ION Loe.
PIIIIPTft*
~ORIOTH ONEP\\IMPTRIII SACF TWO flUMPTflllP STATEC RPCTOfl MOHCTIOII S¥STIM s,
CQNTR~IICID DIIIVI IVSTIM S
F SCRAM 11:AAMIIGNAL TUIIIINI TIIII' INSERT CONTNIL IIODS INCIDIN'f DITICTIDN ClftCUITflY s "
IIMINT-'IN WATER LEVEL ltt!Tl-'L CORI COOL.ING HISTORICAL s
IIILIIF STAAT MPCI RCIC ON LOW WATER LIEVEL MIAT'l'O SUl'fl'IIIUSION l'OOL TURIINE
.VP,111.
RILIEf VALVES
AutoCAD: Figure Fsar 15A_6_14A.dwg FSAR REV.65 FIGURE 15A.6-14A, Rev 55 PROTECTION SEQUENCES FOR ISOLATION OF ALL MAIN STEAMLINES SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT
~NNED OPERATION FIIAC'l'OR PIIIOTICTION SYSTEM S
F CONTAOLROD DRIVE ffSTEM S
F SCRAM
- tyENT14 IIOLATION Of ALL MAtN STEAM LINES Sl'ATUC.D SCRAM SIGNAL WHEN MAINITEAM LINO CLOSED > 1°"
INIEl'IT CONTROL RODS PRESSURE RELIEP SYSTIN S F PREIIURE RELIEF INCIDENT HTICTION CIRCUfflltY ACtcS MAINTAIN WA TEFI LEVEi.
INITIAL CORE COOLING HISTORICAL HIGH PRESSURE UFTSYALVE TRANSFERRING HEAT TO SUP*
PRESSION POOL Sl'ART HPCI RC1C
-0N LOW WATER LEVEL HPCIS
AutoCAD: Figure Fsar 15A_6_14B.dwg FSAR REV.65 FIGURE 15A.6-14B, Rev 55 PROTECTION SEQUENCES FOR ISOLATION OF THE ONE MAIN STEAMLINE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT CONTINUE PLANNED OPERATION EVENT14 ISOLATION OF ONE MAIN STEAM LINE SfATU C, AND D STATESCANDD LESS THAN 9°"POWEA STATE OVER 9°"POWER HIGH NEUTRON FLUX SIGNAL IICIIAM SIGNAL ONNEUTIION MONtTORING SYSTEM TRIP INSERT CONTROL RODS HISTORICAL NEUTRON WJNITORING SYSTEM S
F Fl&ACTOR PAoTECTION SYSTEM F
CX>NTROL ROD DRIVE SYSTEM S
F SCRAM
AutoCAD: Figure Fsar 15A_6_15.dwg FSAR REV.65 FIGURE 15A.6-15, Rev 55 PROTECTION SEQUENCES FOR INADVERTENT OPENING OF A SAFETY/RELIEF VALVE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
... -........ -..... :::,:~:,.-;:-.-::,.
IIIACTCIII ---
IYITIII CONT---
OIIIVl IVSTIII I
F
-I IAllfOMATIC fllDWATIII Fl.OIi
_,TIIOl,.STATIOI 2
""TtA Tl IC_ ON LCM WATIII LEI/IL INIIIIT CDHTIIOL
-LIAfl SYSTPII 1111-EIIILIIF lij()FHOWATlR TII..... FIII DECAY HEAT TO --
'------' OOOL lllllUIII IIIUIP ADI LPCI MANUAL FIE Liff VALVE QflEAATtON HISTORICAL Hl'CIS llllfTUl~COlll COOi.iNG MLIIF VALVI 0Pt"ATIOt4
- 1.
START HPCI UICI, ANR CICIOIII 111!-CTIW TRIP RTT-$TAIIT-4AUTOIIATIC NED WA.TIii FLOWCONTIIOL STATI! 01 IICICI W.IIITA91 WATIII' LEWL
-IIIIITEolllll I.NI IIIIADIA TIION
--"'° Mmil SF CONTAINMINT
-111,IICTOl'I YlmL IIQLAT1 COOITIIOL SVITIII UAINITEAM LINI IIO\\.ATION VALVIS CONT,1,....NT ANOIIEACTOII V-C1811LA TIOIIIC DNTAOL S\\'ITE
- 911T1ATt CLOSt IRE a, "-Lt.
CDf,ITAI... NT IIOf..AllON VALVES IXCI,- 'NIIAIN ITIAlilll UNI ON MtGN( ONTAINMINT
-UIIE
..... ESIIO'tPOOL TIEWEAATUfll LIMIT
,~ STMT 01:,...-ssu,uZATION
> HM.F" 0, VAL YU HEOUIIIIED TO IIAltWTAIP, OEMESIUIIIIIZATION cscs
> HALF OF VALVCS AIOU9"IO TO MAINTAIN DEfflESSUfHZATIOt.il
AutoCAD: Figure Fsar 15A_6_16.dwg FSAR REV.65 FIGURE 15A.6-16, Rev 55 PROTECTION SEQUENCE FOR CONTROL ROD WITHDRAWAL ERROR-STARTUP AND REFUELING OPERAITON SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT ffATIA WITHDRAWAL ERROR ITNIT4"11 AM>> Rlft.lELINCI ONIIATION STA1'U A AND 9 ffATl!B STATI! I INTDMEDIATE RANGI PLANNED OPERATION REACT.OR PROTECTION SYSTEM I,
CONTROL ROD DRIVE SYSTEM S
F flODILOCK HISTORICAL "REFUEL",
RSCS NIUTIIION MOIHffMIIIJIG IYl1'IM I
F REAC1Ut PROTECTION SYSTEM I
F CONTROL ft00 DRIVE SVITEM S
F ICRAM HIGH
~
RUIC P.GNAI.--
ICRAM IIGNAL CIN NEUTRON MINITORING SVITEM flit*
!NMRT
~
RODS
AutoCAD: Figure Fsar 15A_6_17.dwg FSAR REV.65 FIGURE 15A.6-17, Rev 55 PROTECTION SEQUENCES FOR CONTROL ROD WITHDRAWAL ERROR-POWER OPERATION SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
1111 II.Hit 111 I -
lh 11 I
HI
- II
- sl -
Ii t5 HISTORICAL
AutoCAD: Figure Fsar 15A_6_18.dwg FSAR REV.65 FIGURE 15A.6-18, Rev 55 PROTECTION SEQUENCES FOR RHR'S - LOSS OF SHUTDOWN COOLING FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATESA,8 LPCI cscs S
F E'nftT 18 RHflS-LOSS OF SHUTDOWN COOLING STATES A,
- C, ANO D STATESC, Dp>l3111111 MA.INT AIN CORE COOLING IV FLOODING AND/OR SPRAVING MANUAL RELIEF VALVE OPERATION EXTENDED CORE COOLING Ll'CI I'
ALL OTHER SINGLE l'AILUfleS S F ADS S F RHRS SUPPRESSION l'OOLCOOUNG MOOE CIICS PUNNED OPERATION REEST AIUSH AHAS SHUTDOWN COOLING MODE WITH ALTERNATE EQUIPMENT
>HALF OF VALVES flEQUIREO RHR& HEAT 11:XCHAHGER l'lftllJ PUMP RHflll SERVICE WATER 1'UMP MAIN STEAMLINE ISOLATION VALVE FtEACTOR VUSEL ISOLATION HISTORICAL
AutoCAD: Figure Fsar 15A_6_19.dwg FSAR REV.65 FIGURE 15A.6-19, Rev 55 RHR'S - SHUTDOWN COOLING FAILURE-INCREASED COOLING SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT PLANNED OPERATION AANDB eyern 19 RHRS......-rD0WN COOLING INCFIEASIO COOLING STATES A.8.C. AND 0 CANDO HISTORICAL PLANNED OPEltATION
AutoCAD: Figure Fsar 15A_6_20.dwg FSAR REV.65 FIGURE 15A.6-20, Rev 55 PROTECTION SEQUENCES FOR LOSS OF FEEDWATER FLOW SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STAlED D ONLY INITlAlE REICl"OR SCRAM I
I PROTECllON ON LOW RECIRCULA110N Sl'SIBI WATER RUNIIACK LE.VEL s F CON1ROL ROD INSERr CONTROL DRNE Sl'SIBI RODS R~:_J CONTROL SCRAM I -en
-I 0
- a
-0
)>
r E.VENT 20 LOSS OF AU. FEEDWATER FLOW STATES C AND D INITlAlE CONTAINMENT MAIN STEAM AND REICl"OR LINE ISOLATION VESSEL ISOLA110N ON LOW CONIROL Sl'SIBI WATER I..E.VEL S F MAIN STEAM LINE ISOLATION VALVES IX'£r.Tf"m ~
I PRESSURE TRANSFER DEx:AY HEAT TO REUEF SUPPRESSION Sl'SIBI POOL
~,"'l:;.i.0/'-. STATESC Dp> 135-PLANNm OPERA110N I
INCIDENT I-START HPCI SHUTDOWN DEIECT10N ON LOW WATER I..E.VEL COOLING CIRCI.KIRY L:j-MAINTAIN WATER I..E.VEL J RICIS RHRS r
1 RHR HEAT EXCHANGE SUPPRESSION 1
POOL COOLING 2 RHRS PUMP MODE 3 RHRS SERVICE WATER PUMPS
(
L )- SUPPRESSION POOL lEMPERAl\\JRE LIMIT 130' F START DEPRESSURIZA110N MANUAL h
RELIEF VALVE ADS I- >HALF OF VALVES REQUIRm OPERA110N FOR CONTROLLm DEPRESSURIZATION I
MAINTAIN WATER LE.VEL IN REACTOR VESSEL Ip Ll'S;t I
Ip arcs
~
EXTENDED CORE COOLING
\\
I
AutoCAD: Figure Fsar 15A_6_21.dwg FSAR REV.65 FIGURE 15A.6-21, Rev 55 PROTECTION SEQUENCE FOR LOSS OF A FEEDWATER HEATER SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT RECIRCULATION FLOW IN MANUAL NEUTRON MONITORING SYSTEM S
F CONTROL ROD DRIVE SYSTEM S
F SCRAM HIGH FLUX SCRAM SIGNAL APRM (AVERAGE POWER RANGE MONITOR)
SCRAM SIGNAL ON NEUTRON MONITORING SYSTEM TRIP INSERT CONTROL RODS RECIRCULATION Ft.OW IN AUTO PLANNED OPERATION HISTORICAL
AutoCAD: Figure Fsar 15A_6_22.dwg FSAR REV.65 FIGURE 15A.6-22, Rev 55 PROTECTION SEQUENCES FOR FEEDWATER CONTROLLER FAILURE MAXIMUM DEMAND SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I -en
-I 0
- a -0
)>
r PLANNED OPERATION STATEIAANOI STATED EYINT22 FEIDWATER CONTROLLER FAILURE
-MAXIMUM DEMAND STATES A, I. C, AND D OTHER OPERATING MOD~S C
STATED "RUN.. MODE NEUTRON MONITORING SYSTEM MAIN TUAIINE TRIP S I F RECIRCULATION PUMP TRIPIRPTI S I F HIGH FLUX SCRAM SIGNAL IIRMI REACTOR PROTECTION SYSTEM CONTROLROO DRIVE SYSTEM Sl'F REACTIVITY COlllTROL RCICS ICRAM.8'0lilAL FROM TUAatNE TRIP IRUN MODEi OR NIUTRON MONITORING SYSTEM INSERT CONTROL ROD$
STATISCANDD INCIDENT DETECTION CIRCUITRY MAINTAIN COIIE COOUNG..,
START HPCl8 RCIC ON LOW WATER LEYIL
.-C:11 PRESSURE RILIE~
SYSTEM I I F PRESSURE RELIEF PRIMARY CON*
TAINMENT AND REACTOR VIIIEL ISOLATION CON-TROL SYSTEM S,L F MAllllSTM!AM LINE ISOLATION VALVE I I F
AutoCAD: Figure Fsar 15A_6_23.dwg FSAR REV.65 FIGURE 15A.6-23, Rev 55 PROTECTION SEQUENCES FOR PRESSURE REGULATOR FAILURE - OPEN SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I -(/)
-I 0
- a
-()
)>
r RELIEF VALVO f'RE&sURI RELIEF fflTlM l'IF RELIEF STATE OsONLY EVENT23 PRESSURE REGULATOR FAILURE - OPEN STATESC,ANDO sdl*~L*FROM
- MAN~UNE
___,__ __ 1'81,Aj(ON REACTOR l'f\\C)TECTION S"iSTEM
- TURlftNI TR*
IRUNlilODEPOWER
- HIGH PRESSURE 1Rut4MOOE.
_______ _.. POWER t6-301U SI ft eLOWWATEft LEVEL INCIDENT DETECTION CIRCUITRY ST ART NPCIS, RCtCONLOW WATER LEVEL (OTHER THAN ____ __....,_ _____..
CONTROL AOl>ORIVE SVA'EM SI F SCRAM RUN MOOE: POWER 0-1°'" ---------,
NERT CONTROL~
flCICS MAINTAIN CORE COOLING s IF INITIAL CORE' COOLING PLANNED OPERATION:
RE-ESTABLISH COOLING VIA MAtN CONDENSER HPCIS CONTAIHMENT ANO REACTOR VESSEL ISOLATION CONTROL SYSfEM SIF MA IN STEAIII LINE ISOLATION VALVES SIF REACTOR VESSEL ISOLATION INITIATE ISOLATION ON:
- 1. OEPRESSURI*
ZA TION TO 8IO Plil IRUNMODE IOWEA0-1~
- 2. LOW WATER LEVEL IOTHE8THAN AUNM00£;
POWER 0-111%)
AutoCAD: Figure Fsar 15A_6_24.dwg FSAR REV.65 FIGURE 15A.6-24, Rev 55 PROTECTION SEQUENCE FOR PRESSURE REGULATOR FAILURE - CLOSED SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT l'I.ANNED OPERATION p
INCIDENT DETECTION CIIICUITIIY 11S -
SUl'PflESSION
.POOL
,COOLING MODE EVENT2t Pllll'f....,_ MGULATOR FAIWIII - CL.ONO STA.,_.C AND D SECONO l'RIIIURE
..aULATDA OPERATE FAILURE ITAtn' t4l'CIII RCIC ONU>WWATEII LEWL 1 RHRSHEAT EXCHANGER 1 RHRSPUMP 2 RHRS SERVICE LAYER SCRAM SUPMEIIION POOL
TEMPElllliTUIII! LIMIT STAR S
F EXTENDED CORE COOLING DEPREIIURIZ'ATION MAXIMUM OF 'l VALVES FOR CONTROLLED oe, MAINTAIN WATER IN REIICTOR VESSEL HISTORICAL HIGH FLUX PRIMMIY CONTAINMENT ANO REACTOR VESSEL ISOLATION CONTROL SYSTEM S
F PRESSURE RELIEF SYSTEM S
F
AutoCAD: Figure Fsar 15A_6_25.dwg FSAR REV.65 FIGURE 15A.6-25, Rev 55 PROTECTION SEQUENCE FOR MAIN TURBINE TRIP WITH BYPASS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I -en
-I 0
- a -()
)>
r EYENT21 TURIINE TRIP WITH IVPASI STATE 0 I
POWER(') POWER
< 3(1111,
_> 3n BYPASS SYSTEM OPERATES PLANNED OPERATION RESUME,OWl;R OPERATION OR ACHIEVE SHUTDOWN MAIN TURBINE TRIP SIF RECIRCULATION PUMP TRIP IRPTI S IF REACTOR PROTECTION SYSTEM SI F CONTROL AOODAIVE SYSTEM
!JF ih REACTIVITY CONTROL
\\
I I
ACICS l
INCIDENT MTHTtON CIRCUITRY T
MAtNTAIN j,,
CORE COOLING SIF 1-SCRAM SIGNALS
- 1. TUR81NE STOPVALYI CLOSURE I-INSERT CONTROL RODS INITIAL CORE i-, START ft'CIS, RCtC ON LOWWATIR LEVEL I
HPCIS I
TURBINE
- BYPASS, RELIEF VALV&I PRESSURE RELIEF SYSTEM s I I'
\\
COOLING
/
HIESSURE RELIEF
'--~I MAINSTIAM LINE IIOLATION VALVE CRVICS/
PCRVICS SIF CONTAINMENT ISOLATION
\\ ___ !
AutoCAD: Figure Fsar 15A_6_26.dwg FSAR REV.65 FIGURE 15A.6-26, Rev 55 PROTECTION SEQUENCEs FOR LOSS OF MAIN CONDENSER VACUUM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT
-IN Tutt!IIN(
TRIP RECIRCULATION IIVW s f PM;UTIIION
-*TOl'IIIOG SYST£M 5
lltACTOIII PIIOTICTION SVSTIM 5 F
<:oi.TIIOl.11100 DRIVE SYITIIII I
f I
IIIIACTIVlTY CONTROL STAU ODNlY IYENTM LOIIOf
-NCONllE-111 YACl,IUV STATHCAIIDD INCIDENT OUECTION
(.lflCLJITIIY START..C:1S IICIC ONL-WATIIII LEVEL PIIESSURE IIELIEF SYSTEM s
ACICS
~ESSUfft REUliF MOYE--1'1 ICIIAlllll!GN#,1.0N MUTIION MONITOR SYSTEM Tl'UJI 01' TUll81NE STOP VALVE CLOIUIII.
INffRT CONTROL 11(1DI Ll'CI IIIHIISIUl'l'l'OOL COOLIIIIJMDDl IIIHIIISHIATIXCIIIWGIIII l'IMflSP..-
!VtllSIEIIIYICi -TEA PUMPS s
SUPl't!ESSIO'I POOL
-IIIAT\\1111 L>MIT STAIIT DEJIMIIU1112ATION
>HALF Of VALVES IIIEOUIIIID JOIII CONTIIIOLLEO 0EJll'IHSUl'lll4TION cscs
..__.,.._.. 1
-INTAIN
-TEii LEVll HISTORICAL TIIANSFER OKAY HUT TOW-ES SIONPOOl TURBINE
- BYPASS, RELIEF VALVES
~
1NSTIAM E 110LATION
.YES
[
NIIYICS CIIVICS 5
F lcOHTAINlilf!NT
\\OLATION
AutoCAD: Figure Fsar 15A_6_27.dwg FSAR REV.65 FIGURE 15A.6-27, Rev 55 PROTECTION SEQUENCES FOR MAIN GENERATOR TRIP WITH BYPASS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT
~
en
~
0
~
n >
r POWER
< J()'ll, HVP,IISS S'l'STfM OP[RATES PLANN~O OPERATION flESU'-'IE POWER OPl;l-111,HON OR ACJlll'Vt S~IUTDOWN f'OWF.R
>W*~
1\\11111111 fllflfllNF.
Jfllf'
\\Gl'N\\aRAl.OFll 5 I F
.'lECIHCl.JLAJION]
PlJ~P Hllf' mPn s If REACTOR PROTECTION SYHEM s I F CONTROL.
RQO Oflflft:
SYSTEM S I F REACTIVflY CONTROL f;yENl l7 Gl!:NiaAA1*0A TRIP WI ru IIYPASS STATE 0 RCICS INC1Dl'Nl.
DETECTION CIACtffl RY MAINTAIN COflf COOPNG SI F l",(;.f'IAM SIGNAlS
- 1. TllR'illN'i:.
CONTROL VALVE F
0AST CLOSURE INSfHT C:OflllHOl. ROOS rNll 11\\l.
COHF.
COOl.lNG Sl"ART HPCIS HC:IC ON LOW WATER l.EVli;l HPCIS n1ne1Nt
- IIYPASS, RE:l.lEF VAl Vj'S PflESSWU:
RHIEF s i SHM
!l I F r*~i;:ss11rr1::
flU.IFF MAIN!iT~'AM LINE ISOLA-r!ON
\\IALVf CIWIC5/
f'CRVIC:S CONT 'IINMl::NT ISOl.ATION
AutoCAD: Figure Fsar 15A_6_28.dwg FSAR REV. 65 FIGURE 15A.6-28, Rev 55 PROTECTION SEQUENCE FOR LOSS OF NORMAL AC POWER AUX TRANSFORMER FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I -en
--1 0
- a -()
)>
r
- 11s&
uaruau.a
-A,ia.c.D ITAllD.---------.------------------------------
MillCfllll fllOTIC:T-aJNT---
11111,,,.SYlflM ONLOIII LfYIL COIIITIIOL IIODS TIIIJalNI.
CONTA..... Nf AIIIDAEACtOII vtllEL IICk.Afl(Sil
_,.-snM lltSH.... Lllill 111)1.Af-YAI.YI:
fllCIRCULATIOl'I
- ACtlV,ITY --
IIIIIT""H UNIIIOI.A-TICINMI.OIII
-TEIILIYEL PAI-I AIUIF lflHM
,_111 DICAY Olli&f TO IIUl'l'HINIOIII
,00,.
STAfl5C Lt
..__DOl'lill*Tllltl
-aMXIIIIG P~!IH D# >II-dAltUM
-t)l'HtA11Dfrl l'ODt.
COIII.IIIIG-11<-D ---
\\. ____}
---ftll.. WL OE---
- -*IVALlllt-D IIMNf... WAftltLIVle.
---L
AutoCAD: Figure Fsar 15A_6_29.dwg FSAR REV. 65 FIGURE 15A.6-29, Rev 55 PROTECTION SEQUENCES FOR LOSS OF NORMAL AC POWER-GRID CONNECTION LOSS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
(J)
l 0
A]
n
)>
i St-*
AL~R SYSTIM M:-R "lLS-IAUS ST'AfESIMIUU-UIN n***-
tRW RU.IRCUlATION HHPIRPlt I If llf:.-Cl()III MOJfCtlON S"'IS,IM COlltllOt. IIOO DIIIIVESYl'T*M MACIIV'1Y COIIIIIOI.
..,...... n __
OlilUJIIO,-
.... _tlOI txlMTROLIIOD&
-STI-LINl mll.AIION YALYI...
IIQIVtCSICRYICS s1, Rt:AC'IOR YI-*
111111.ATION STAff.CANPD NIESSdll RELIEF SYSTEM s**
"'l-E
- uu fll-lllDECAV
.. ATTOIUP
--l'DOI.
YAI.-
...-oDN.... TION
... ~--
RCIC IIIUE*YALVI lf'C1 r
lfAtlilC D P>**-
INCIOINY DIETICTION CIIICUt'TftY St AH..-CIS IICIC ON LIMWAHII Uavn
..-CtS
- t IJW I -*IIYll:E-TIII,,_
I.I. f lXTl-0 CCIIII --
STMT DfMI-IIATGN
-*-Dl'IVALVU-D l'CIIICDN'fllOulD-*T-c;scs
AutoCAD: Figure Fsar 15A_6_30.dwg FSAR REV. 65 FIGURE 15A.6-30, Rev 55 PROTECTION SEQUENCES MAIN GENERATOR TRIP -
WITHOUT BYPASS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT Ill lie i!I le 11 El fl li§;I es; Ill I I
.. I Ii ill 1*1.
11, I
IP I
s Iii d C
j I.:
lb
~
II IH I
11!
5 -
C I i..
I!
~1
- Ill ir3 II, C
liz
-2
"'I zz I
Iv
§ Ill It'
!Is c
II, a
ii I
19 ail..
w i.~
Ui HISTORICAL
AutoCAD: Figure Fsar 15A_6_31.dwg FSAR REV. 65 FIGURE 15A.6-31, Rev 55 PROTECTION SEQUENCES MAIN TURBINE TRIP -
WITH BYPASS FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I -
(/)
-I 0 ;o -()
)>
r SYSTEM POWER
<30" BYPASS FAILURE POWER
>30%
SCRAM SIGNALS:
- 1. HIGH PRESsURE
- 2. HIGH FLUX REACTOR PROTECTION SYSTEM S IF CX>NTROL ROODfllVE SYSTEM S IF SCRAM MAIN TURBINE TRIP SI F RECIRCULATION PUMP TRIPIRPTI S I F REACTOR PROTECTION SYSTEM s I F CONTROL ROD DRIVE SYSTEM
!J F sl F REACTIVITY CONTROL EVENT31 MAIN TURBINE TRIP WITH BYPASS FAil.URE STATED ACICS INCIDENT DETECTION CIRCUITRY MAINTAIN CORE COOLING SIF SCRAMIIGNALS 1, TUAIINE CONTROL VALVE FAST CLOSURE INSERT CONTROL RODS INITIAL CORE COOLING START HPCI, RCIC ONLOWWATER LEVEL HPCIS PRESSURE RELIEF SYSTEM SI F PRESSURE RELIEF MAINSTEAM LINE tsOLATION VALVE PCRVICS
AutoCAD: Figure Fsar 15A_6_32.dwg FSAR REV. 65 FIGURE 15A.6-32, Rev 55 PROTECTION SEQUENCE FOR INADVERTENT LOADING AND OPERATIONS OF FUEL ASSEMBLY IN IMPROPER POSITION SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT EVENT 32 INADVERTENT LOADING AND OPERATION -
FUEL ASSEMBLY IN IMPROPER POSITION STATES A, B, C, D HISTORICAL PLANNED OPERATION
AutoCAD: Figure Fsar 15A_6_38.dwg FSAR REV. 65 FIGURE 15A.6-38, Rev 55 PROTECTION SEQUENCES FOR RECIRCULATION LOOP PUMP SEIZURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT INCIDENT St:NSES HIGH DETECTION REACTOO VESSEL CtRCUITRY WATER LEVEL II F
REACTOR SCRAM SIGNAL IIAOTICTION FROM SYST!..
TUR81NE TRIP S F RCICS CONTROL INSERT ROD DRIVE CONTAOL SYSTEM RODS S F SCRAM MANUAL RV ACTUAT10N LPC:IS HISTORICAL INC:IOENT DETECTION CIRCUITRY MAINTAIN CORE COOi.iNG RHRS SUPPRESSION POOL COOUNGMOOI ADS S
F EXTENDED CORE COOLING START PftESSURE HPCIS, RCIC R&LIEfl ON LOW SVSTI!M WATER LEVEL s F MESSURE RELIEF MAIN STEAM LINE
..-C:IS ISOLATION VALVE S F PCAVICSICRVICS SF
AutoCAD: Figure Fsar 15A_6_39.dwg FSAR REV. 65 FIGURE 15A.6-39, Rev 55 PROTECTION SEQUENCE FOR RECIRCULATION LOOP PUMP SHAFT BREAK SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT INCIDENT SENSES HIGH DETECTION REACTOR VESSEL CIRCUITRY WATER LEVEL S F SCFIAM SIGNAL REACTOR f'ROTICTION FIIIOM SVSTIM TURBINE TRIP S F RCICS CONTROL INSERT IIODDRIVE CONTROi.
S'ISTPI RODS S F SCRAM MANUAL AV Ac:'fUATION LPCIS HISTORICAL
&Vm31 RCULA LOOP SHAl'TIR ATEDONL INCIDENT DETECTION CIRCUITRY MAINTAIN CORI COOLING S F AHAS IU#l'IIIISION POOL COOLING MOOE ADS S
F EXTENDED CORI COOLING START HPCI$, IICIC ON LOW WATER LEVEL HPCIS PRESSURE RELIEF SYffEM PRESSURE RELIEF MAIN STEAM LIN£ ISOLATION VALVE S F
~VICS/CRVICS S F CONTAINMENT ISOLATION
AutoCAD: Figure Fsar 15A_6_40.dwg FSAR REV. 65 FIGURE 15A.6-40, Rev 55 PROTECTION SEQUENCES FOR CONTROL ROD DROP ACCIDENT SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT NEUT-
-ITOIIING STSTl!M SIF NACTOR PflOTECTION SYSTEM SIF SCRAM NIGH IIEUTRON FLUX SIGNAL SCRAM SIGNAL ON NEUTIION MONITORING SYSTEM TRIP INSEIIT CONTROL IIOOS
-*ltJ'l'l:AII
~-
ING II F
PRIMARY CONTAllilMENT ANOMACTOR
¥EISEL ISOLATION CONTROL SYSTEM 5
F MAIN STEAM I I LINE ISOLATION VALVH s F I
CONTAINMENT ANDREACTOII VESSEL ISOLATION CONTROL SYSTEM p
s F
I CONTAINMENT lrASSI\\/EI VIF i\\11ENT...
CDNTROL IIJOO DllOf' ACCHJIN'f STAtE 0 RCICS lfjCIDEIIIT DETECTION CIRCUITRY MAINTAIN CORE COOLING IIHR$$Ul'PIIUSION l'OOL COOLING MOOE START ttPCIS. RCIC ON LOWWATEII LEI/EL Hl'CIS CONTROL ROD
¥ELOCITY LIMIT!R 1-IYEI LIMIT REACTIVITY INSEIITION RATE 1 ltHIIS HEAT EXCHANGE II tRHRSPUMP 2 IIHR$stRVICE WATER1'UWS
)
=~E::=:iiJ!=:'ATIJRE LIMIT UIITtATE CLOSbllE QF AI.L
~
CONTA...... NT 1801.AT-YALVIS EXCUT-N STE-LINEI ON....... Oll'l'WELL--
MAINT-WATl:11 p
L.lVEL III IIE= I..
. I I
t EIITENDEDCCIRi COOLJNG MAJU-OF 2 VALVES FIEOUIIIED fOOR COl'l'TROLLED IIEl"llfSSUIIIZATION RELll!F SYS'KM s.LF PRE$11URE RELIEF I -
CJ)
-I 0
- o -n r
MAIN COIIITROL IIOOM ENVlllON NTAL CONTIIOL SYStEM p
s J_f CONTROL ROOM ENVIIIONMl!NTAL CONTIIOL TIIA-EII DECAY HEAT TO SUl'PftEl$lON POOL
AutoCAD: Figure Fsar 15A_6_41.dwg FSAR REV. 65 FIGURE 15A.6-41, Rev 55 PROTECTION SEQUENCES FOR FUEL HANDLING ACCIDENT SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT REACTOR BUILDING, VENTILATION RADI-ATION MONITORING SYSTEM s
F REACTOR BUIILGING ISOLATION CONTROL SYSTEM S
F STANDBY GAS TREATMENT SYSTEM s
F REACTOR BUILDING
{PASSIVE)
OFF GAS VENT SYSTEM
{PASSIVE)
ESTABLISH SECONDARY CONTAINMENT RAIDATION MONITOR TRIP INITIATE BUILDING VENT ISOLATION EVENT 41 FUEL HANDLING ACCIDENT ALL STATES MAIN CONTROL ROOM HEATING VENTILATING AND AIR CONDITIONING SYSTEM s
F AIN CONTROL OOM ENVIRON ENTAL ONTROL HISTORICAL RADIATION LEVEL INDICATION
AutoCAD: Figure Fsar 15A_6_42.dwg FSAR REV. 65 FIGURE 15A.6-42, Rev 55 PROTECTION SEQUENCES FOR LOSS-OF-COOLANT PIPING BREAKS IN RCPB - INSIDE CONTAINMENT SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT f I
~
i I f
5
! i i I d! m
- I
'1
- f! 11,,1 11
! I lb I.
- I' ! I
~ I I it! (!Ip=
HISTORICAL
AutoCAD: Figure Fsar 15A_6_43.dwg FSAR REV. 65 FIGURE 15A.6-43, Rev 55 PROTECTION SYSTEM FOR LIQUID, STEAM, LARGE, SMALL PIPING BREAKS OUTSIDE CONTAINMENT SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT i I I.. I I
6 I I.
Hi I 1 bl1 Ill s
a 1
..,,11 ii I I illl 11! I 11 12, a 9!ifl' I nit 8!
.... -~
Ii!" u
AutoCAD: Figure Fsar 15A_6_46.dwg FSAR REV. 65 FIGURE 15A.6-46, Rev 55 PROTECTION SEQUENCES FOR GASEOUS RADWASTE SYSTEM LEAK OR FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT PLANNED OPERATION STATESA,B HISTORICAL EVENT46 GASEOUS RAOWASTE SYSTEM LEAK OR FAILURE STATES A,8.C,D STATESC,O MANUAL OPERATOR ACTION OFF-GAS SYSTEM ISOLATION MAIN CONOENSEF]
LOW VACUUM SEE LOSS OF CONOENSE,R VACUUM EVENT 26
AutoCAD: Figure Fsar 15A_6_47.dwg FSAR REV. 65 FIGURE 15A.6-47, Rev 55 PROTECTION SEQUENCES FOR OFF-GAS TREATMENT SYSTEM FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATESA,B.
Pl.ANNED OPERATION IVENT47 OFF.OAS TREATMENT SVST'EM FA1LURE STATES A, 8, C, AND D STATESC,0 MANUAi..
OPERATION ACTION OFF-OAS SYSTEM ISOLATION MAIN CONDENSER HIGH PRESSURE MAIN TURBINE TRIP s
F REACTOR PFIOTECTION SYSTEM s
F CONTROL ROD DRIVE SYSTEM s
F SCRAM HISTORICAL SEE OTHER LOSS OF CONDENSEII VACUUM EVENT28 ACTIONS
AutoCAD: Figure Fsar 15A_6_48.dwg FSAR REV. 65 FIGURE 15A.6-48, Rev 55 PROTECTION SEQUENCES FOR LIQUID RADWASTE SYSTEM LEAK OR FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT GAS LEAK HIGH RA PROCESS VENTI-LATION RADIATION MONITORtNG SUBSYSTEM VENTILATION S'<STEM CONTROL ISOLATE BUILDING EVENT 48 L IOUID RAOWASTE SYSTEM LEAK OR FAILURE STATES A,8, C, D HISTORICAL WATER LEAK F
IN MONITORING SYSTEM SUMP flUMP SYSTEM CONTAINMENT LIQUID EFFLUENT
AutoCAD: Figure Fsar 15A_6_49.dwg FSAR REV. 65 FIGURE 15A.6-49, Rev 55 PROTECTION SEQUENCES FOR LIQUID RADWASTE SYSTEM STORAGE TANK FAILURE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT GAS LEAK N
LATION RADIATION MONITORING SUISYSTEM VENTILATION SYSTEM CONTROL ISOLATE BUILDING HISTORICAL EVENT49 LIOUID RAOWASTE svsreM STORAGE TANK FAILURE STATES A, 8, C, 0 WATER LEAK HIGHWATER FL DRAIN MONITORING SYSTEM SUMP PUMP SYSTEM CONTAINMENT LIQUID EFFLUENT
AutoCAD: Figure Fsar 15A_6_50.dwg FSAR REV. 65 FIGURE 15A.6-50, Rev 55 PROTECTION SEQUENCE FOR SPENT FUEL CASK DROP SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT OPERATOR MANUAL INITIATION REACTOR BUILDING, POOL. AND/OR VEN-TILATION RADIATION MONITORING SYITIMS REACTOR BUILD-ING ISOLATION CONTROL SVS1'EMS S
F STANDBY GAS TREATMENT SYSl"EM S
F REACTOR IUILDING t,ASSIVE)
DFFGAS\\IENT SYSTEM IPASSIVEI ESTA8L1SH SECONDARY CONTAIIIIMENT HISTORICAL RADIATION MONITOR TRIP INITIATE BUILDING VENT ISOLATION EXTERNAL COOLING SPAAV SERVICE WATER SYSTEM RESTORE CASK COOLING INTERNAL COOLING CONNECTION TEMPORARY CONTAINMENT
AutoCAD: Figure Fsar 15A_6_51.dwg FSAR REV. 65 FIGURE 15A.6-51, Rev 55 PROTECTION SEQUENCE FOR REACTOR SHUTDOWN - FROM ANTICIPATED TRANSIENT WITHOUT SCRAM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I -en
-I 0
- o -()
)>
r STATES A p
STATESB,D REACTOR PROTECTION SYSTEM 5TAN08Y llOUIO a>NTROL SYSTEM llOUID SCRAM 1'1.ANNID OPERA TIOIIS OOfllTINUESHUTDOWN COOi.iNG SYSTEM MANUAll'I' INITIATED EVENT5I ACTOASHUTI IIOM ANTICIPATE IANSIENT WITHC RAM STATES A.I.
STATES~
REACTOR ISOLATED FROM MAIN CONDENSER TRANSFER DECAY HEAT TO SUPPRESSION POOL flRESSUAE RELIEF SYSTEM RCICS INCIDENT DETECTION CIRCUJTRY RHRS SUl"PIIESSION POOL LING MOOE p
SfARTNICI IVITUION L0WWATH LEVEL
.. CII MAINTAIN WATER LEVEL RIMOVE DECAY HEAT FROM SUPPRESSION POOL STATESl,C,D PRESSURE
<125 PIii P.M.IIURE ilE\\llf WHINNUCUAf'I SYSTEM PRESIURI
< 126 ps,g START SVSTIM CX>OL ING MODE c:::
I I RHRS SHUTDOWN
AutoCAD: Figure Fsar 15A_6_52.dwg FSAR REV. 65 FIGURE 15A.6-52, Rev 55 PROTECTION SEQUENCES FOR REACTOR SHUTDOWN - FROM OUTSIDE MAIN CONTROL ROOM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATE A PLANNED OPERATION:
CONTINUE SHUTDOWN COOLING p
STATESB.D REACTOR PROTECTION SYSTEM CONTROL ROD DRIVE SYSTEM EYE!fl52 REACTOR SHUTDOWN FROM OUTSIDE CONTROL ROOM STATES A, B,C, ANO D REACTOR NOT !SOLA TED FROM MAIN CONDENSER SCFIAMBY DE-ENERGIZING SYSTEM MANUALLY I -en
--i 0
- a -()
)>
r PLANNED OPERATION:
CONTROL COOLDOWN USING NORMAL EQUIPMENT REACTOR ISOLATED FROM MAIN CONDENSER TRANSFER DECAY HEAT 'tO SUP-STATESC, D I STATESB,C,D PRESSION POOL PRESSURE ) 135 psig PRESSURE
( 135 Pll9 INCIDENT DETECTION CIRCUITRY HPCIS AHAS-SUPPRESS POOL COOLING MOOE p
START HPCI SYSTEM ON LOW WATER LEVEL MAINTAIN WATER LEVEL REMOVE DECAY HEAT FROM SUPPRESSION POOL STATESC,D PRESSURE RELIEF SYSTEM RHRS-$HUTDOWN COOLING MODE WHEN NUCLEAR SYSTEM PRESSURE< 135 psig START SYSTEM p
COOL DOWN REACTOR FROM OUTSIDE MAIN CONTROL
,ROOM
AutoCAD: Figure Fsar 15A_6_53.dwg FSAR REV. 65 FIGURE 15A.6-53, Rev 55 PROTECTION SEQUENCE FOR REACTOR SHUTDOWN -
WITHOUT CONTROL RODS SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATE A PLANNED OPERATIONS CONTINUE SHUTDOWN COOLING p
STATESB,D REACTOR f'ROTECTION SYSTEM STANDBY LIQUID CONTROL SYSTEM LIQUID SCRAM SYSTEM MANUALLY INITIATED I -CJ)
-I 0
- a -()
)>
r EVENT SJ EACTOR SHUTOOW THOUT CONTROL R, STATESC, ANO D REACTOR NOT ISOLATED FROM MAIN CONDENSER PLANNED OPERATION.
CONTROL COOLDOWN USING NORMAL EQUIPMENT REACTOR ISOLATED FROM MAIN CONDENSER TRANSFER DECAY HEAT TOSU:>,
PRF.SSION POOL STATESC,,D
)135 ps,g STATESC,D PRESSURE (135PSl!I PRESSURE RELIEF SYSTEM RCICS INCIDENT DETECTION CIRCUITRY RHRS-SUl'PRESSIO POOL COOLING MOOE p
STARTHPCI SYSTEMON LOWWATl:R LEVEL HPCIS MAINTAIN WATER LEVEL REMOVE DECAY HEAT FROM SUPf>AESSION
'POOL RHAS-sHUTOOWN COOLING MODE p
\\
I WHEN NUCLEAR SYSTEM PRESSURE< t35 Pll9 START SYSTEM
AutoCAD: Figure Fsar 15A_6_54_1.dwg FSAR REV. 65 FIGURE 15A.6-54-1, Rev 55 COMMONALITY OF AUXILIARY SYSTEMS - DC POWER SYSTEMS (125/250 VOLTS)
SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT 11'ATI!
C D
f;E-II ff "Tr HPCIS STATf A
I C
D aMC:iDENT DITICT-C-11\\V EVENTS e
~
ITATE I
C 0
t F TATE A
- C D
IVINTS 9
'1*
AUXIL,AFIIY AJ;,owt,R IYSTa,t I -en
-I 0
- 0 -0
)>
r EVENTI UTATE 3
PUIOT DC POMA SVSTIMI c121mo VDLTSI l;TSJ 11rTE AOI**
EVENTS s
STATE EVlNTS 8
C 0
6
&IF AHR$*
IIWffiES$10N ~
OOOLIIIGMOOI
$1"ATI:
I C
D EVEN1S 7
- IF rLAIIIT SERYICEWATl:.A SYSl'EM 8TATE EVlli,TI ITATE
~~NTSI ff ATE EVENTS ITATE A
E\\llNTS A
A 10 C
C 0
D RHRS-I I
COOLING MODE
. llOWDCMtl
'CONTIIOLLED DEPIIE-IZA1-
"'°"" If IIIOUIIIIM(lfl loOT ""1.-lll.E IN EVliN1 II 111 1,3 I F STANOIIY GAS TREATIINENT Slflffll 12 SIF RHR&-
IUIV,Cl VIA ffR sYSTEM C
0 13 SIF CONTA-N1 ANDRIACTOIIII VIIIEL IIOU'flONCONfflOt.
SYSTEM
AutoCAD: Figure Fsar 15A_6_54_2.dwg FSAR REV. 65 FIGURE 15A.6-54-2, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-54 PAGE 1 OF 2 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SSES - FSAR EYEIJ IQEITIFICATICI EQR FIGURE 156,6::H
/~.I~'..*<
- '}'>,'
- ~*.':~"\\
- J*}t:',:.,:. ~-
).
.-¢
~-
~
.. ¥y;..
'1;
..... ~--* ~.... *:.... *"\\.*?--~.._.:-.;. *. -~--.......... :-!
~. "*"*;
- ...t.c-
- ..
1 A
B C
51, 52. 53 D
- 51. 52. 53 2
A B
C 14, 26, 23, 20, 29 D
- 14. 26. 23. 20. 29. 40 3
A 8
C 15, 42, 43, 44, 45 D
- 15. 42. 43. 44. 45 4
A 29, 18 B
29, 18 C
26, 15, 20, 29, 18, 42, 43, 44, 45 D
- 26. 15,, 20. 29. 40. 18. 42. 43. 44. 45 5
A 8
C 26, 15, 20, 29, 18, 42, 43, 44, 45 D
- 26. 15. 20. 29. 40. 18, 42, 43, 44, 45 6
A B
C 26, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
- 26. 15. 20. 29. 18. 40. 42. 43. 44. 45. 51, 52. 53 7
A 29, 18, 41 B
29, 18, 41 C
26, 23, 15, 20, 29, 18, 41, 42, 43, 44, 45, 51, 52, 53 D
26, 23, 15, 20, H, 18, 48, 41, 42, 43, 44, 45, 51,
- 52. 53 8
A B
C 14, 15, 20, 23, 26, 29, 42, 43, 44, 45, 51, 52, 53 D
- 14. 15. 20. 23. 26. 29, 40, 42, 43, 44, 45. 51. 52. 53 HISTORICAL
AutoCAD: Figure Fsar 15A_6_54_3.dwg FSAR REV. 65 FIGURE 15A.6-54-3, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-54 PAGE 2 OF 2 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SSES - FSAR EVENT IDENTIFICATION FOR FI$URE 15A,f-54 9
A 29, 18, 41 B
29, 18, 41, 51, 52, 53 C
14, 23, 26, 15, 20, 29, 18, 42, 41, 43, 44, 45, 51, D
52, 53 14, 23, 26, 15, 20, 19, 18, 40, 42, 41, 43, 44, 45,
- 51. 52. 53 10 A
52, 53 B
52, 53 C
51, 52, 53 D
51,. 52. 53 11 A
41 B
41 C
41, 42 D
41, 42 12 A
B 52, 53 C
14, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
14, 15, 20, 29. 18. 40, 42, 43, 44, 45. 51, 52. 53 13 A
B C
23, 15, 20, 42, 43, 44, 45 D
23, 15, 20, 40, 42, 43, 44, 45 HISTORICAL
AutoCAD: Figure Fsar 15A_6_55_1.dwg FSAR REV. 65 FIGURE 15A.6-55-1, Rev 55 COMMONALITY OF AUXILIARY SYSTEMS - AC POWER SYSTEMS (120/480/4160 VOLTS)
SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT
' 1-.-
- 1111 11
- o
- 1111 lii,oeuo a ! Cft
- rlH i
' ao I I*
. iii I i 1*..
--;;I 'h 1..
1dl e
iiil lii,o uo
!: va
- hll
=
R
- .t1e-.ao
- i..
P*
..=
5
- cauc 11.. * '.
h~!
=
UH, a > N -.. a!:
,. lz;:
till..
1.:v..
I 111H
- <C&...
.. i
~ -
I I I
~.
1;t>
c i...
,cs-:
! n Iii HISTORICAL
AutoCAD: Figure Fsar 15A_6_55_2.dwg FSAR REV. 65 FIGURE 15A.6-55-2, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-55 PAGE 1 OF 2 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SSES - FSAR EVENT IQENTIFICAJIQN FOR Fl&URE lSA.§::55
'.,friW
- ~ <.:-........
.¥1.:.
,.-qr.... "'**
<.>ff.-:*,..
V
- 1:-
- - '=.*tc--Uli*'~**'.<,..
I 1
A 41 B
41 C
41, 42, 43, 44, 45 D
- 41. 42. 43, 44, 45 2
A 18, 41, 51, sz, 53 B
18, 41, 51, 52, 53 C
14, 26, 23, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
14, 26, 23, 15, 20, 29, 18, 40, 42, 43, 44, 45, 51,
- 52. 53 3
A 41 8
41 C
41, 42 D
41, 42 4
A B
C 26, 15, 20, 29, 18, 42, 43, 44, 45 0
- 26. 15, 20, 29, 18, 40, 42, 43, 44, 45 5
A B
C 51, 52, 53 D
51, 52, 53 6
A B
C 23, 15, 20, 42, 43, 44, 45 D
23, 15, 20, 40, 42, 43. 44, 45 1
A B
C 15, 42, 43, 44, 45 D
- 15. 42. 43. 44. 45 8
A 29, 18 B
29, 18 C
14, 26, 23, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
14, 26, 23, 15, 20, 29, 18, 40, 42, 43, 44, 45, 51,
- 52. 53 HISTORICAL
AutoCAD: Figure Fsar 15A_6_55_3.dwg FSAR REV. 65 FIGURE 15A.6-55-3, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-55 PAGE 2 OF 2 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT 5S£S - FSAR EVENT IDENTIFICATION FOR FIGURE ISA,&-55 g
A 8
52, 53 C
26, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
- 26. 15. 20. 29. 18. 40. 42, 43. 44. 45, 51. 52. 53 10 A
8 C
26, IS, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
26, 15. 20, 29, 18, 40, 42, 43, 44, 45, 51, 52. 53 11 A
52~ 53 B
52, S3 C
51, 52, 53 D
51, 52, 53 HISTORICAL
AutoCAD: Figure Fsar 15A_6_56_1.dwg FSAR REV. 65 FIGURE 15A.6-56-1, Rev 55 COMMONALITY OF AUXILIARY SYSTEMS - EQUIPMENT AREA CODING SYSTEM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATE EVENTS A
B 1
C D
s F
RCICS I I HPCIS I I
STATE A
8 C
D EVENTS 2
F
~
I -en
-I 0
- a -0
)>
r EQUIPMENT AREA COOLING SYSTEM STATE EVENTS STATE EVENTS A
A 8
3 C
B 5
C D
D S I F AHAS-SUPPRESSION POOL AHAS-SHUTDOWN COOLING MODE COOLING MOOE STATE A
B C
D EVENTS 4
INCIDENT DETECTION CIRCUITRY HPCIS f
RHRS-LPCI
~ooe STATE EVENTS A
B 6
C D n V
I HPCIS I
cscs NOTE SF REQUIREMENT NOT APPLICABLE IN EVENTS 51. 52. 53
AutoCAD: Figure Fsar 15A_6_56_2.dwg FSAR REV. 65 FIGURE 15A.6-56-2, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-56 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SSES - FSAR EYPI IQENTIFICA.TIQI FOR FQiURE lSA,&-56 ITEM STATE EVENTS 1
A B
C
- 14. 26. 23. 20, 29, 42 D
- 14. 26. 23. 20. 29. 40. 42 2
A
- 29. 18 B
29, 18 C
- 26. 15, 20, 29, 18, 42, 43, 44, 45 D
- 26. 15, 20. 29, 18. 40, 42, 43. 44. 45 3
A 8
51, 52, 53 C
51, 52, 53 D
- 51. 52. 53 4
A B
C
- 51. 52, 53 D
51, 52, 53 5
A B
C 26, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
- 26. 15. 20. 29, 18. 40. 42. 43. 44. 45, 51. 52. !53 6
A B
C 15, 42, 43, 44, 45 D
- 15. 42. 43. 44. 45 HISTORIC)~L
AutoCAD: Figure Fsar 15A_6_57_1.dwg FSAR REV. 65 FIGURE 15A.6-57-1, Rev 55 COMMONALITY OF AUXILIARY SYSTEMS - PLANT SERVICE WATER SYSTEM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT i ~
!i I
- 1111
~ c*ua I
- I
-- Ill C =
I I ~
5D:1 -
- E Ii c*ua l!IUi 1lh IN
!c C*UC I
Jg lc*uo I -
h II, -*
111 l.uo HISTORICAL
AutoCAD: Figure Fsar 15A_6_57_2.dwg FSAR REV. 65 FIGURE 15A.6-57-2, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-57 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SSES - FSAR EYENJ IQEITIFICAJIQN FOR FIGURE ISA.6-57 ITEM STATE EVENTS 1
A 8
C 26, 15, 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
26, 15, 20, 29. 18, 40, 42, 43, 44, 45, 51, 52, 5:1 2
A 29, 18 B
29, 18 C
26, 15, 20, 29, 18, 42, 43, 44, 45 D
26, 15, 20, 29, 18. 40, 42. 43. 44. 45 3
A 51, 52, 53 B
51, 52, 53 C
51, 52, 53 D
51, 52, 53 4
A 29 B
29 C
29, 42, 43, 44, 45 D
- 29. 42, 43. 44, 45 5
A 29, 18 8
29, 18 C
14, 26, 23, 15. 20, 29, 18, 42, 43, 44, 45, 51, 52, 53 D
14, 26, 23, 15, 20, 29, 18, 40, 42, 43, 44, 45, 51, 52, 53 HISTORICAL
AutoCAD: Figure Fsar 15A_6_58.dwg FSAR REV. 65 FIGURE 15A.6-58, Rev 55 COMMONALITY OF AUXILIARY SYSTEMS - RHR SERVICE WATER SYSTEM SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT STATE
~NT!
r-B C 26,15.20.29,18,42,43,44, 45.51,52,53 0 26, 15,20,29,18,40,42,43, 44,41,51,52,53 S
F RHRS-SUPPRESSION POOL COOL ING MODE RHR-SERVICE WATER SYSTEM I
NOTE: SF REQUIREMENT NOT APPLICABLE IN EVENTS 51, 52, 53 HISTORICAL
~,!.E A
I C
D SHUTDOWN COOLING MODE 1;'.!5/'j_TS 51,52,53 5,1,52.53 51,52,53 51,52,53 RHRS *
]
AutoCAD: Figure Fsar 15A_6_59_1.dwg FSAR REV. 65 FIGURE 15A.6-59-1, Rev 55 COMMONALITY OF AUXILIARY SYSTEMS - SUPPRESSION POOL STORAGE SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT I
U)
~
0
- (]
0
)>
i SHIT EVE~S B
C D
1 INCIDINT DETECTION CIRCUfTftY HflCl8 "IL~
ITATl EVENts A
- 2 C
D JtflCIS I I RC<<:I
- 'CONTIIOLLED DEMIIIUIIIZATION STATE EVINn A
- 3 C
D l'REISURE IIILIEF IVffEM NOTE P RIQUHIIIMINTNDT Al'ft.lCAILIE IN IYENTll1,l2,13 IUl'MES$10N l'OOl, ITORAGE IPAIIIYU STATE EVENTt I
4 C
D Ll'C1 MODI STATE EIIENTI A
I 5
C D
ADI" HPCIS CICS STATE EVIENTS A. '
C 0
CONTAINMINT
- AIIIYII STATI!
IVl!NTI C
0 ADI**
MANUAL'*
MUlf' IIALVE IVfflM c.lRA TIOM
AutoCAD: Figure Fsar 15A_6_59_2.dwg FSAR REV. 65 FIGURE 15A.6-59-2, Rev 55 EVENT IDENTIFICATION FOR FIGURE 15A.6-59 SUSQUEHANNA STEAM ELECTRIC STATION UNITS 1 & 2 FINAL SAFETY ANALYSIS REPORT SSE$ - FSAR EY£NT IDENTIFICATION FOi FIGURE ISA,&-59 ITEM STATE EVENTS 1
A B
C 51, 52, 53 D
51, 52. 53 2
A B
C 14, 26, 23, 20, 29 D
14, 26. 23, 20, 29. 40 3
A B
C 14, 26, 23, 20, 29, 22, 42, 43, 44, 45, 51, 52,
~,3 D
30, 25, 14, 26, 23, 20, 29, 22, 40, 42, 43, 44, 4,5, 51, 52, 53, 31, 27 4
A 29, 18 B
29, 18 C
26, 15, 20, 29, 18, 42, 43, 44, 45 D
- 26. 15, 20, 29, 18, 40, 42, 43, 44, 45 5
A 8
C 15, 42, 43, 44, 45 D
- 15. 42, 43, 44, 45 6
A B
23, 18, C
26, 23, 15, 20, 18, 42, 43, 44, 45, 51, 52, 53 D
26, 23, 15, 20, 18. 40, 42, 43, 44, 45. 51, 52, !,3 7
A B
C 26, 15, 20, 29, 18, 42, 43, 44, 45 0
26, 15, 20. 29. 18, 40. 42, 43, 44, 45 HISTORICAL