SBK-L-15120, Independent Spent Fuel Storage Installation (ISFSI) Ics/Eals

From kanterella
Jump to navigation Jump to search
Independent Spent Fuel Storage Installation (ISFSI) Ics/Eals
ML16068A133
Person / Time
Site: Seabrook NextEra Energy icon.png
Issue date: 02/27/2016
From:
NextEra Energy Seabrook
To:
Office of Nuclear Reactor Regulation
Shared Package
ML16068A128 List:
References
SBK-L-15120
Download: ML16068A133 (73)
v  d  e


Text

{{#Wiki_filter:85 INDEPENDENT SPENT FUEL STORAGE INSTALLATION (ISFSI) ICS/EALS Recognition Category "E" Initiating Condition Matrix UNUSUAL EVENT 

                * --444t-'-U1 Damage to a loaded cask CONFINEMENT BOUNDARY.

Op. Modes: All 65

EU1 ECL: Notification of Unusual Event Initiating Condition: Damage to a loaded cask CONFINEMENT BOUNDARY. Operating Mode Applicability: All Emergency Action Levels: Note: [The on-contact dose rate may be determined based on measurement of a dose rate at some dsacfrmteak (I) Damage to a loaded cask CONFINEMENT BOUNDARY as indicated by ANY of the following afi-on-contact surface radiation readings greater than: (2 :----hz~tz~~ii 1600 mrem/hr at the front bird screen 4 mrem/hr at the door centerline 4 mrem/hr at the end shield wall exterioij Comme-nt [-MiKF43]: V19 NUH OMS--HS-M Dos--e Rates Technical Specification Basis: CONFINEMENT BOUNDARY: The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. This IC addresses an event that results in damage to the CONFINEMENT BOUNDARY of a storage cask containing spent fuel. It applies to irradiated fuel that is licensed for dry storage beginning at the point that the loaded storage cask is sealed in the Horizontal Storage Module. The issues of concern are the creation of a potential or actual release path to the environment, degradation of one or more fuel assemblies due to environmental factors, and configuration changes which could cause challenges in removing the cask or fuel from storage. The existence of "damage" is determined by radiological survey. The technical specification multiple of"2 times", which is also used in Recognition Category R IC RU1, is used here to distinguish between non-emergency and emergency conditions. The emphasis for this classification is the degradation in the level of safety of the spent fuel cask and not the magnitude of the associated dose or dose rate. It is recognized that in the case of extreme damage to a loaded cask, the fact that the "on-contact" dose rate limit is exceeded may be determined based on measurement of a dose rate at some distance from the cask. Security-related events for ISFSIs are covered under ICs HU1 and HAl.

Reference:

Appendix A to Certificate Of Compliance No. 1030 NUHOMS RD System Generic Technical Specifications 5.4.3. 66

06 FISSION PRODUCT BARRIER ICS/EALS Recognition Category "F" Initiating Condition Matrix 67

Fission Product Barrier Table Thresholds for LOSS or POTENTIAL LOSS of Barriers FG1 GENERAL EMERGENCY FSI SITE AREA EMERGENCY FA1 ALERT Loss of any two barriers and Loss or Loss or Potential Loss of any two barriers. Any Loss or any Potential Loss of either Potential Loss of the third barrier, the Fuel Clad or RCS barrier. Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS

1. RCS or SG Tube Leakage 1. RCS or SG Tube Leakage 1.RCS or SG Tube Leakage Not Applicable A. K'orc Cooling (C) A. An automatic or A. Operation of a A. A leaking or Not Applicable CSF - O)RANGE manual F*:G--{S I)... .. m. .. ';,.,
                                                                                                 .             RUPTURED SG is entry conditions me4        actuation is required by     second charging            FAULTED outside of P.CS/r^a:z=r vzaesse keve!      EITHER of the                (-akeep* pump in           containment.                               --,Commented [DWS44]-"V20 CSFST Core Cooling le ......+ l-**-+-
                                          ..           following:                   the naonial charging spee'^i*..-4e.*.,.          1. UNISOLABLE                mode is required by RCS leakage              EITHER of the OR                           following:
2. SGtubeI. UNISOLABLE RUPTURE. RCS leakage OR
2. SG tube leakage.

B. RCS Integrity (P) CSF - RED entry conditions met with RCS press > 300 

                                                                                                                                                    - - - -[ Commented [DWS45]: V21 CSFST Integrity psztuiz-C e!d  term,.

68

Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS

2. Inadequate Heat Removal 2. Inadequate Heat Removal 2. Inadequnate Heat Removal A. More Cooling (C) A. More Cooling (C) Not Applicable A.l H-eat Sink (II) CSIE - Not Applicable --A. [Core Cooling (C)

CSF - RED entry CSF - ORANGE RED entry conditions CSF - RED entry conditions met[ Goe entry conditions met. J e. nd qae,'C conditions met for I5 

         ......... .                      -..........                                                                                            minutes or Ionger.1-l-           ',Conmmented        lDWS471]tV20CSFST Core Cooling
                                                                                                                                                                            -'*        Commented CDWS4O1: V20 CSFST Core Coating B.
  • leat Sink (H) CSF - 2. Rzztc~ratizn RED entry conditions prz.....................
                                                                                                                                                                          -   - -( Commented [DW548J: v 22 CSFST Heei Sink
3. RCS Activity / Containment Radiation 3. RCS Activity / Containment Radiation 3. RCS Activity I Containment Radiation A. Post LOCA Not Applicable A. Post L()CA Radiation Not Applicable Not Applicable A. Post L,(CA Radiation Radiation Monitors Monitors Monitors RM 6576A-l or RM RM 6576A-t or RM RM 6576A-I or RM 6576B- 1 6576B3-I 6576B- I
  > 95 R/hr.                                                    >_ 16 Rihr. Ceo---!mei#                                                              1,305 R/hr.

(^;, . . ..  ;--...I.,,^ 

                                                                                                                                                                          - -   -    ICommented        [DWS51l: V23 EPCALC-tt6-01 -Red Vetoes for OR                                                                                                                                                                                    /Fission Prodoci Berrier Matrix B. RCS activity > 300 uCi/gm Dose Equivalent I1131 as determined per Procedure CS0925.01, Reactor Coolant Post Accident Sampling.

69

Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS

4. Containment Integrity or Bypass 4. Containment Integrity or Bypass 4. Containment Integrity or Bypass Not Applicable Not Applicable Not Applicable Not Applicable A. Containment isolation A. *onntainment (Z) CSF -

is required RED cntry conditions AND 1nIe~tCeninment 

                                                                                                                                                          -  [*Comnmnt:el [DWS52]: V24 CSFST Containment EITHER of the                 (zt            ~ ;,

following: ... ... . .. ,

1. Containment OR integrity has been B. Containment IH2 lost based on conccntration >_6% I
                                                                                                                                                            " lCommented [DWS53]: V t4 H-2concentration in containment t) judgment.           eontainment OR                         OR
2. UNISOLABLE C. I. Containment pathway from the prcssure gfeate4 containment to t8 psi* (ste.-

1l the environmentspifcrcze [ Comrmented [DWS54]: V25 Containment Spray Setpoint exists. OR AND B. Indications of RCS 2. Less than one full leakage outside of train of containment. Conltalnmenlt Btuilding Spray tCI3S (site-operating per design for 15 _________________minutes or longer.

65. Emergc:n.cy DireeterSTED/SED 65. Emcrgrncy, DirectorSTED/SED0 65. Emergencyd Di'rectorSTED/SED 70

Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS Judgment Judgment Judgment _________ A. ANY condition in A. ANY condition in the A. ANY condition in the A. ANY condition in the A. ANY condition in the A. ANY condition in the the opinion of the opinion of the opinion of the opinion of the opinion of the opinion of the 2 Dif-eeteFSTE'D!S ED DireetefSTEDiS1lD tDireetefSTE DiSEI) DiSeTeP1 )/S1 I) Diree-te*S TElI)iS ED tife-ef*STED/Sl ED that that indicates Loss that indicates that indicates Loss of that indicates that indicates Loss of indicates Potential Loss of the Fuel Clad Potential Loss of the the RCS Barrier. Potential Loss of the the Containment of the Containment Barrier. Fuel Clad Barrier. ____________ RCS Barrier. Barrier. Barrier. 71

Basis Information For Fission Product Barrier Table FUEL CLAD BARRIER THRESHOLDS: The Fuel Clad Barrier consists of the cladding material that contains the fuel pellets.

1. RCS or SG Tube Leakage There is no Loss threshold associated with RCS or SG Tube Leakage.

Potential Loss l.A This reading indicates a reduction in reactor vessel water level sufficient to allow the onset of heat-induced cladding damage.

2. Inadequate Heat Removal Loss 2.A This reading indicates temperatures within the core are sufficient to cause significant superheating of reactor coolant.

Potential Loss 2.A This reading indicates temperatures within the core are sufficient to allow the onset of heat-induced cladding damage. Potential Loss 2.B This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the Fuel Clad Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted. Meeting this threshold results in a Site Area Emergency because this threshold is identical to RCS Barrier Potential Loss threshold 2.A; both will be met. This condition warrants a Site Area Emergency declaration because inadequate RCS heat removal may result in fuel heat-up sufficient to damage the cladding and increase RCS pressure to the point where mass will be lost from the system. As a potential loss indication, developers should consider including a threshold the same as, or similar to, "Core Cooling Orange entry conditions met" in accordance with the guidance at the front of this section. As a potential loss indication, developers should consider including a threshold the same as, or similar to, "Heat Sink Red entry conditions met" in accordance with the guidance at the front of this section.

3. RCS Activity / Containment Radiation Loss 3.A The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals 300gICi/gm dose equivalent I-131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier.

72

The radiation monitor reading in this threshold is higher than that specified for RCS Barrier Loss threshold 3.A since it indicates a loss of both the Fuel Clad Barrier and the RCS Barrier. Note that a combination of the two monitor readings appropriately escalates the emergency classification level to a Site Area Emergency. Loss 3.B This threshold indicates that RCS radioactivity concentration is greater than 300 igCi/gm dose equivalent I- 131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier. There is no Potential Loss threshold associated with RCS Activity / Containment Radiation.

4. Containment Integrity or Bypass Not Applicable (included for numbering consistency)
5. .... Ind-i .atizn
                     ^r 6..5. Em.....         Di...e......STED/SED Judgment Loss 6.A This threshold addresses any other factors that may be used by the Emergency Di'eeteSTED/SED in determining whether the Fuel Clad Barrier is lost.

Potential Loss 6.A This threshold addresses any other factors that may be used by the Emnergent7y DieeeSTED/SED) in determining whether the Fuel Clad Barrier is potentially lost. The Em ......... r*:*,ct.....STED/SED" should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored. 73

RCS BARRIER THRESHOLDS: The RCS Barrier includes the RCS primary side and its connections up to and including the pressurizer safety and relief valves, and other connections up to and including the primary isolation valves.

1. RCS or SG Tube Leakage Loss l.A This threshold is based on an UNISOLABLE RCS leak of sufficient size to require an automatic or manual actuation of the Emergency Core Cooling System (ECCS). This condition clearly represents a loss of the RCS Barrier.

This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS leakage through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment. A steam generator with primary-to-secondary leakage of sufficient magnitude to require a safety injection is considered to be RUPTURED. Ifra RUPTURED steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold l.A will also be met. Potential Loss l.A This threshold is based on an UNISOLABLE RCS leak that results in the inability to maintain pressurizer level within specified limits by operation of a normally used charging (makeup) pump, but an ECCS (SI) actuation has not occurred. The threshold is met when an operating procedure, or operating crew supervision, directs that a standby charging (makeup) pump be placed in service to restore and maintain pressurizer level. This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS leakage through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment. If a leaking steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold 1.A will also be met. Potential Loss 1.B This condition indicates an extreme challenge to the integrity of the RCS pressure boundary due to pressurized thermal shock - a transient that causes rapid RCS cooldown while the RCS is in Mode 3 or higher (i.e., hot and pressurized).

2. Inadequate Heat Removal There is no Loss threshold associated with Inadequate Heat Removal.

Potential Loss 2.A This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the RCS Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted. 74

Meeting this threshold results in a Site Area Emergency because this threshold is identical to Fuel Clad Barrier Potential Loss threshold 2.B; both will be met. This condition warrants a Site Area Emergency declaration because inadequate RCS heat removal may result in fuel heat-up sufficient to damage the cladding and increase RCS pressure to the point where mass will be lost from the system.

3. RCS Activity / Containment Radiation Loss 3.A The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals Technical Specification allowable limits. This value is lower than that specified for Fuel Clad Barrier Loss threshold 3.A since it indicates a loss of the RCS Barrier only.

There is no Potential Loss threshold associated with RCS Activity / Containment Radiation.

4. Containment Integrity or Bypass Not Applicable (included for numbering consistency)
5. Othcr Ind'zat'ens Lzcz ondlcr Potential Lzzs 5.A.

&i5. Em:.crgcncy DircetcrSTED!SED Judgment Loss 6.A 

                                                                           .........y This threshold addresses any other factors that may be used by the,.*,..+
     ~Ir-ee*OSTEDJSED in determining whether the RCS Barrier is lost.

Potential Loss 6.A This threshold addresses any other factors that may be used by the*.,. ....... 

                                                                               *.e t~ir-e+eSTED/SED in determining whether the RCS Barrier is potentially lost. The
     ...... nc Di...e......STED/SED should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored.

75

CONTAINMENT BARRIER THRESHOLDS: The Containment Barrier includes the containment building and connections up to and including the outermost containment isolation valves. This barrier also includes the main steam, feedwater, and blowdown line extensions outside the containment building up to and including the outermost secondary side isolation valve. Containment Barrier thresholds are used as criteria for escalation of the ECL from Alert to a Site Area Emergency or a General Emergency.

1. RCS or SG Tube Leakage Loss l.A This threshold addresses a leaking or RUPTURED Steam Generator (SG) that is also FAULTED outside of containment. The condition of the SG, whether leaking or RUPTURED, is determined in accordance with the thresholds for RCS Barrier Potential Loss l.A and Loss I.A, respectively. This condition represents a bypass of the containment barrier.

FAULTED is a defined term within the NEI 99-01 methodology; this determination is not necessarily dependent upon entry into, or diagnostic steps within, an BOP. For example, if the pressure in a steam generator is decreasing uncontrollably [part of the FAULTED definition] and the faulted steam generator isolation procedure is not entered because EOP user rules are dictating implementation of another procedure to address a higher priority condition, the steam generator is still considered FAULTED for emergency classification purposes. The FAULTED criterion establishes an appropriate lower bound on the size of a steam release that may require an emergency classification. Steam releases of this size are readily observable with normal Control Room indications. The lower bound for this aspect of the containment barrier is analogous to the lower bound criteria specified in IC MU3 for the fuel clad barrier (i.e., RCS activity values) and IC MU4 for the RCS barrier (i.e., RCS leak rate values). This threshold also applies to prolonged steam releases necessitated by operational considerations such as the forced steaming of a leaking or RUPTURED steam generator directly to atmosphere to cooldown the plant, or to drive an auxiliary (emergency) feed water pump. These types of conditions will result in a significant and sustained release of radioactive steam to the environment (and are thus similar to a FAULTED condition). The inability to isolate the steam flow without an adverse effect on plant cooldown meets the intent of a loss of containment. Steam releases associated with the expected operation of a SG power operated relief valve or safety relief valve do not meet the intent of this threshold. Such releases may occur intermittently for a short period of time following a reactor trip as operators process through emergency operating procedures to bring the plant to a stable condition and prepare to initiate a plant cooldown. Steam releases associated with the unexpected operation of a valve (z.g., a ....uc,,...... vw,, t ',:* 

                                                         ' ah-) do meet this threshold.

Following an SG tube leak or rupture, there may be minor radiological releases through a secondary-side system component (e.g., air ejezctrz, glad zeal exha.......... .p.cking,* eta-). These types of releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs. The emergency classification levels resulting from primary-to-secondary leakage, with or without a steam release from the FAULTED SG, are sunmmarized below. 76

Affected SG is FAULTED Outside of Containment? P-to-S Leak Rate Yes No Less than or equal to 25 gpm No classification No classification Greater than 25 gpm Unusual Event per Unusual Event per MU4 MU4 Requires operation of a standby-second charging Site Area Emergency Alert per FA 1 (-akup pump (RCS Barrier per FS 1 PotentialLoss) Reqirs n utmaicor Site Area Emergency Alert per FA1 manual ECG-C-{SI) actuation prF (RCS BarrierLoss) prF There is no Potential Loss threshold associated with RCS or SG Tube Leakage.

2. Inadequate Heat Removal There is no Loss threshold associated with Inadequate Heat Removal.

Potential Loss 2.A This condition represents an IMMINENT core melt sequence which, if not corrected, could lead to vessel failure and an increased potential for containment failure. For this condition to occur, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. If implementation of a procedure(s) to restore adequate core cooling is not effective (successful) within 15 minutes, it is assumed that the event trajectory will likely lead to core melting and a subsequent challenge of the Containment Barrier. The restoration procedure is considered "effective" if core exit thermocouple readings are decreasing and/or if reactor vessel level is increasing. Whether or not the procedure(s) will be effective should be apparent within 15 minutes. The Emsergeney Di'eeSTED/SED should escalate the emergency classification level as soon as it is determined that the procedure(s) will not be effective. Severe accident analyses (z.g., NUREG 11!50) have concluded that function restoration procedures can arrest core degradation in a significant fraction of core damage scenarios, and that the likelihood of containment failure is very smail in these events. Given this, it is appropriate to provide 15 minutes beyond the required entry point to determine if procedural actions can reverse the core melt sequence.

3. RCS Activity!/ Containment Radiation There is no Loss threshold associated with RCS Activity / Containment Radiation.

Potential Loss 3.A The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that 20% of the fuel cladding has failed. This level of fuel clad failure is well above that used to determine the analogous Fuel Clad Barrier Loss and RCS Barrier Loss thresholds. 77

NUREG- 1228, Source Estimations During Incident Response to Severe Nuclear Power PlantAccidents, indicates the fuel clad failure must be greater than approximately 20% in order for there to be a major release of radioactivity requiring offsite protective actions. For this condition to exist, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. It is therefore prudent to treat this condition as a potential loss of containment which would then escalate the emergency classification level to a General Emergency.

4. Containment Integrity or Bypass Loss 4.A These thresholds address a situation where containment isolation is required and one of two conditions exists as discussed below. Users are reminded that there may be accident and release conditions that simultaneously meet both thresholds 4.A. 1 and 4.A.2.

4.A. 1 - Containment integrity has been lost, i.e., the actual containment atmospheric leak rate likely exceeds that associated with allowable leakage (or sometimes referred to as design leakage). Following the release of RCS mass into containment, containment pressure will fluctuate based on a variety of factors; a loss of containment integrity condition may (or may not) be accompanied by a noticeable drop in containment pressure. Recognizing the inherent difficulties in determining a containment leak rate during accident conditions, it is expected that the Emergency DirectorSTEDiSED) will assess this threshold using judgment, and with due consideration given to current plant conditions, and available operational and radiological data (e.g., cont.n.. n p........... readings.. n. radition..moitr .. ut.i..

... nt pe~rating sttus cf contai.nment onainm..

Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable (design) containment leakage through various penetrations or system components. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs. 4.A.2 - Conditions are such that there is an UJNISOLABLE pathway for the migration of radioactive material from the containment atmosphere to the environment. As used here, the term "environment" includes the atmosphere of a room or area, outside the containment, that may, in turn, communicate with the outside-the-plant atmosphere-(-eg*. thrug , di.. hargeuof..a.. nilai.... syst m or- atmo.h.ri lekage)... Depending upon a variety of factors, this condition may or may not be accompanied by a noticeable drop in containment pressure. The existence of a filter is not considered in the threshold assessment. Filters do not remove fission product noble gases. In addition, a filter could become ineffective due to iodine and/or particulate loading beyond design limits (i.e., retention ability has been exceeded) or water saturation from steam/high humidity in the release stream. Leakage between two interfacing liquid systems, by itself, does not meet this threshold. Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable (design) containment leakage through various penetrations or system components. Minor releases may also occur if a containment isolation valve(s) fails to close but the containment atmosphere escapes to a closed system. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs. 78

The status of the containment barrier during an event involving steam generator tube leakage is assessed using Loss Threshold 1.A. Loss 4.B Containment sump, temperature, pressure and/or radiation levels will increase if reactor coolant mass is leaking into the containment. If these parameters have not increased, then the reactor coolant mass may be leaking outside of containment (i.e., a containment bypass sequence). Increases in sump, temperature, pressure, flow and/or radiation level readings outside of the containment may indicate that the RCS mass is being lost outside of containment. Unexpected elevated readings and alarms on radiation monitors with detectors outside containment should be corroborated with other available indications to confirm that the source is a loss of RCS mass outside of containment. If the fuel clad barrier has not been lost, radiation monitor readings outside of containment may not increase significantly; however, other unexpected changes in sump levels, area temperatures or pressures, flow rates, etc. should be sufficient to determine if RCS mass is being lost outside of the containment. To ensure proper escalation of the emergency classification, the RCS leakage outside of containment must be related to the mass loss that is causing the RCS Loss and/or Potential Loss threshold 1.A to be met. Potential Loss 4.A If containment pressure exceeds the design pressure, there exists a potential to lose the Containment Barrier. To reach this level, there must be an inadequate core cooling condition for an extended period of time; therefore, the RCS and Fuel Clad barriers would already be lost. Thus, this threshold is a discriminator between a Site Area Emergency and Generai Emergency since there is now a potential to lose the third barrier. Potential Loss 4.B The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen bumn (i.e., at the lower deflagration limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a potential loss of the Containment Barrier. Potential Loss 4.C This threshold describes a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate, and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible. This threshold represents a potential loss of containment in that containment heat removal/depressurization systems 

    ..... eies) are either lost or performing in a degraded manner.
5. Other !ndieat'ie, 6*5. STED/SED Judgment 79

Loss 6.A This threshold addresses any other factors that may he used by the Emergezey D*f-eefSTED/SED in determining whether the Containment Barrier is lost. Potential Loss 6.A This threshold addresses any other factors that may be used by the Em~ergencey 

  *ieeeSTEDiSED in determining whether the Containment Barrier is potentially lost.

The Emzrgenzy DirzctzrSTEDiSED should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored. 80

JL7HAZARDS AND OTHER CONDITIONS AFFECTING PLANT SAFETY ICS/EALS Recognition Category "H" Initiating Condition Matrix GENERAL SITE AREA EMREC EEGNYALERT UNUSUAL EVENT HG1 HOSTILE ACTION HS1 HOSTILE ACTION HAl HOSTILE ACTION HUI Confirmed resulting in loss of physical within the PROTECTED within the OWNER SECURITY CONDITION or control of the facility. AREA. CONTROLLED AREA or threat. Op. Modes: All Op. Modes: All airbomne attack threat within Op. Modes: All 30 minutes. Op. Modes: All HU2 Seismic event greater than OBE levels. Op. Modes: All HU3 Hazardous event. Op. Modes: All HU4 FIRE potentially degrading the level of safety of the plant. Op. Modes: All HA5 Gaseous release impeding access to equipment necessary for normal plant operations, shutdown or cooldown. Op. Modes: All HS6 Inability to control a HA6 Control Room key safety function from evacuation resulting in outside the Control Room, transfer of plant control to Op. Modes: All altemnate locations. _________________Op. Modes: All HtG7 Other conditions HS7 Other conditions HA7 Other conditions HU7 Other conditions exist which in the judgment exist which in the judgment exist which in the judgment exist which in the judgment ofthe E--mesgefie of the E-me-gefle of the Em gene*e of theE, ef-gefle 

   *ieeeSTED/SED warrant           DieeOSTEDiSED warrant              Dir--ei-fSTFD SED warrant      Dir-ee-eSTED/SED warrant declaration of a General           declaration of a Site Area          declaration of as Alert,      declaration of an Unusual Emergency.                         Emergency.                         Op. Modes: All                 Event-(NQ)U*.

Op. Modes: All Op. Modes: All Op. Modes':AII 81

HG1 ECL: General Emergency Initiating Condition: HOSTILE ACTION resulting in loss of physical control of the facility. Operating Mode Applicability: All Emergency Action Levels: (I) a. A HOSTILE ACTION is occurring or has occurred within the PROTECTED AREA as reported by "*h^,,f si'^e,-peeifik ecurity shift supervision). AND

b. EITHER of the following has occurred:

I. ANY of the following safety functions cannot be controlled or maintained. Reciiycontrol RSheat removal OR

2. Damage to spent fuel due to damaged SFP cooling system or loss of SFP integrity has occurred or is IMMINENT.

Basis: HOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. PROTECTED AREA: The area under continuous access monitoring and control, and armed protection as described in the site Security Plan. IMMINENT: The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions. This IC addresses an event in which a HOSTILE FORCE has taken physical control of the facility to the extent that the plant staff can no longer operate equipment necessary to maintain key safety functions. It also addresses a HOSTILE ACTION leading to a loss of physical control that results in actual or IMMINENT damage to spent fuel due to 1) damage to a spent fuel pool cooling system (e.g., pumps, heat ex~ochngera, cc~ntro!L, ctz.) or, 2) loss of spent fuel pool integrity such that sufficient water level cannot be maintained. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan[and Independent Spent Fuel Storage InstallationSecurity Program]. Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be 82

advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security Plan. 83

HG7 ECL: General Emergency Initiating Condition: Other conditions exist which in the judgment of the ~mergencey DiettoFSTED/SED warrant declaration of a General Emergency. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which in the judgmnent of the Emergency DfirecterSTEDiSED indicate that events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels offsite for more than the immediate site area. Basis: This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emcrgezcy tieeofSTEDiSED to fall under the emergency classification level description for a General Emergency. 84

HSl ECL: Site Area Emergency Initiating Condition: HOSTILE ACTION within the PROTECTED AREA. Operating Mode Applicability: All Emergency Action Levels: Note: This Initiating Condition and EA. do not apply to an attack solely on the Dry Fuel Storage Protected Area. An attack on the Dry Fuel Storage Facility Protected Area should be considered an attack within the Ow*ner Controlled Area and classified as an Alert per Initiating Condition ItAI1. (1) A HOSTILE ACTION is occurring or has occurred within the PROTECTED AREA as reported by the (i~e-speeific-security shift supervision) Basis: [tOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment. take IIOSTAGES. and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns. explosives, PROJ ECTIL~s. vehicles, or other devices used to deliver destructive force. Other acts that satisfy' the overall intcnt may be included. IIOSTILI" ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. PROTIECTED AREA: The area tunder continuous access monitoring and control, and armed protection as described in the site Security Plan. This IC addresses the occurrence of a HOSTILE ACTION within the PROTECTED AREA. This event will require rapid response and assistance due to the possibility for damage to plant equipment. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan [and Independent Spent Fuel Storage InstallationSecurity Program]. As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (z.g.,, zvauat,'n, d~tperzal 3r sheltering). The Site Area Emergency declaration will mobilize ORO resources and have them available to develop and implement public protective actions in the unlikely event that the attack is successful in impairing multiple safety functions. This IC does not apply to a HOSTILE ACTION directed at an ISFSI PROTECTED AREA located outside the plant PROTECTED AREA; such an attack should be assessed using IC HA1. It also does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. 85

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security Plan. Escalation of the emergency classification level would be via IC HG1. 86

HS6 ECL: Site Area Emergency Initiating Condition: Inability to control a key safety function from outside the Control Room. Operating Mode Applicability: All Emergency Action Levels: Note: The Em.rg.n. Di... ec......STED/SED should declare the Site Area Emergency promptly upon determining that (site apceific num,-ber 3115 minutes-) has been exceeded, or will likely be exceeded. (1) a. An event has resulted in plant control being transferred from the Control Room to (zit ..... fi rem.... zhu..+wn p..n.... and Ieal centra,.^ zt++**Safe the Remote Shutdow n components. AND

b. Control of ANY of the following key safety functions is not reestablished within 15 minutes(eite .... ifie number zfminutez).

Recii7control Core cooling RSheat removal Basis: This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations, and the control of a key safety function cannot be reestablished in a timely manner. The failure to gain control of a key safety function following a transfer of plant control to alternate locations is a precursor to a challenge to one or more fission product barriers within a relatively short period of time. The determination of whether or not "control" is established at the remote safe shutdown location(s) is based on Emergency DirecterSTEDiSED judgment. The Emergency DieeoSTED/SE D is expected to make a reasonable, informed judgment within fh-ie epcii tim..................) 15 minutes whether or not the operating staff has control of key safety functions from the remote safe shutdown location(s). Escalation of the emergency classification level would be via IC FGl1 or CGl1. 87

HS7 ECL: Site Area Emergency Initiating Condition: Other conditions exist which in the judgment of the Emergencey Dif-ec-eSTED/SED warrant declaration of a Site Area Emergency. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which in the judgment of the Emergezny DirzectrSTED/SED indicate that events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or malicious acts, (1) toward site personnel or equipment that could lead to the likely failure of or, (2) that prevent effective access to equipment needed for the protection of the public. Any releases are not expected to result in exposure levels which exceed EPA Protective Action Guideline exposure levels beyond the site boundary. Basis: HOSTILE ACTION: An act toward a NI'P or its personnel that includes thc use of violent force to destroy equipment. take HOST AGES. andlor intimidate the licensee to achieve an end. This includes attack by air, land. or wxater using gunls. explosivcs. PROJECTILEs. vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emer*,eaey 

   *ieeeSTED/SED to fall under the emergency classification level description for a Site Area Emergency.

88

HA1 ECL: Alert Initiating Condition: HOSTILE ACTION within the OWNER CONTROLLED AREA or airborne attack threat within 30 minutes. Operating Mode Applicability: All Emergency Action Levels: (1 or 2) (I) A HOSTILE ACTION is occurring or has occurred within the OWNER CONTROLLED AREA or the Dry Fuel Storage Facility as reported by the{(sp,,eecifie-security shift supervision-). OR (2) A validated notification from NRC of an aircraft attack threat within 30 minutes of the site. Basis: t!OSTILE ACTION: An act tow*ard a NPP or its personnel that includes the use of violent forcee to destroy equipment. take HOSTAGES, and/or intimidate the licensee to achieve an end. T'his includes attack by air, land, or wsater using guns. explosi, es. PROJE[CTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. OWNER CONTROLLED AREA: The site propertY owned by. or otherwise under the control otf the licensee. This IC addresses the occurrence of a HOSTILE ACTION within the OWNER CONTROLLED AREA or notification of an aircraft attack threat. This event will require rapid response and assistance due to the possibility of the attack progressing to the PROTECTED AREA, or the need to prepare the plant and staff for a potential aircraft impact. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan[and Independent Spent Fuel Storage InstallationSecurity Program]. As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g.,, *v.'acuticn dispersal zr cheltering). The Alert declaration will also heighten the awareness of Offsite Response Organizations, allowing them to be better prepared should it be necessary to consider further actions. This IC does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. 89

EAL # 1 is applicable for any HOSTILE ACTION occurring, or that has occurred, in the OWNER CONTROLLED AREA. This includes any action directed against an ISFSI that is located outside the plant PROTECTED AREA. EAL #2 addresses the threat from the impact of an aircraft on the plant, and the anticipated arrival time is within 30 minutes. The intent of this BAIL is to ensure that threat-related notifications are made in a timely manner so that plant personnel and OROs are in a heightened state of readiness. This EAL is met when the threat-related information has been validated in accordance with (site specifi prsedeure)site procedurcs. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may be provided by NORAD through the NRC. In some cases, it may not be readily apparent if an aircraft impact within the OWNER CONTROLLED AREA was intentionai (i.e., a HOSTILE ACTION). It is expected, although not certain, that notification by an appropriate Federal agency to the site would clarify this point. In this case, the appropriate federal agency is intended to be NORAD, FBI, FAA or NRC. The emergency declaration, including one based on other ICs/EALs, should not be unduly delayed while awaiting notification by a Federal agency. Escalation of the emergency classification level would be via IC HS 1. 90

HA5 ECL: Alert Initiating Condition: Gaseous release impeding access to equipment necessary for normal plant operations, shutdown or cooldown. Operating Mode Applicability: All Emergency Action Levels: Note: If the equipment in the listed room or area was already inoperable or out-of-service before the event occurred, then no emergency classification is warranted. (1) a. Release of a toxic, corrosive, asphyxiant or flammable gas into anye*-e f,!ellwing-plaentTable H-11rooms or areass. iden*ified)AND

b. Entry into the room or area is prohibited or IMPEDED.

frable Hll - 4( Commented [DWSS5]: V7 TABLE H1 Procedure References Area Mode Primary. Aux Building 25 ft elevation1234 7 ft elevation 

                        - 26 ft elevation Turbiiie Building                            1, 2, 3 Switchgear Rooms Essential                               1.2,.3,4 Non-essential Steam and Feedwater Pipe chases              1. 2. 3 Waste Process Building 25 ft elevation1.3
                        -3 ft elevation1,23
                        -31 ft elevation Containment                                    3, 4 Equipment Vaults                               3, 4 Basis:

IMPEDE: Entry' into an area requires extraordinary' measures to facilitate entry of personnel into the affected room/area by installing temporary shielding, requiring use of non-routine protective equipment. or requesting an extension in dose limits beyond normal administrative limits. This IC addresses an event involving a release of a hazardous gas that precludes or impedes access to equipment necessary to maintain normal plant operation, or required for a normal plant cooldown and shutdown. This condition represents an actual or potential substantial degradation of the level of safety of the plant. 91

An Alert declaration is warranted if entry into the affected room/area is, or may be, procedurally required during the plant operating mode in effect at the time of the gaseous release. The emergency classification is not contingent upon whether entry is actually necessary at the time of the release. Evaluation of the IC and EAL do not require atmospheric sampling; it only requires the Emergency DirectorSTED/SED's judgment that the gas concentration in the affected room/area is sufficient to preclude or significantly impede procedurally required access. This judgment may be based on a variety of factors including an existing job hazard analysis, report of ill effects on personnel, advice from a subject matter expert or operating experience with the same or similar hazards. Access should be considered as impeded if extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring uoe ot An emergency declaration is not warranted if any of the following conditions apply.

  • The plant is in an operating mode different than the mode specified for the affected room/area (i.e., entry is not required during the operating mode in effect at the time of the gaseous release). For example, the plant is in Mode 1 when the gaseous release occurs, and the procedures used for normal operation, cooldown and shutdown do not require entry into the affected room until Mode 4.
  • The gas release is a planned activity that includes compensatory measures which address the temporary inaccessibility of a room or area (e.g., fir........... so....t.. ting..."
  • The action for which room/area entry is required is of an administrative or record keeping nature (e.g., n..r..l...........r.r..utin ........

on,.

  • The access control measures are of a conservative or precautionary nature, and would not actually prevent or impede a required action.

An asphyxiant is a gas capable of reducing the level of oxygen in the body to dangerous levels. Most commonly, asphyxiants work by merely displacing air in an enclosed environment. This reduces the concentration of oxygen below the normal level of around 19%*, which can lead to breathing difficulties, unconsciousness or even death. This EAL does not apply to firefighting activities that automatically or manually activate a fire suppression system in an area. Escalation of the emergency classification level would be via Recognition Category R, C or F ICs.

References:

OS 1000.03. Plant Shutdown From Minimum Load to I-ot Standby OS 1000.04. Plant Cooldown From Hot Standby to Cold Shutdown 92

HA6 ECL: Alert Initiating Condition: Control Room evacuation resulting in transfer of plant control to alternate locations. Operating Mode Applicability: All Emergency Action Levels: (1) Entry into Procedure 0S1200.02 for control room evacuation ,2 '-event-hae resulted in plant control being transferred from the Control Room ta (site* gpezifiz remote shutdcwn 

       .... l,nd 13a1
                   ,z.,     trzl *tati:z) Remote Safe Shutdown components.

Basis: This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations outside the Control Room. The loss of the ability to control the plant from the Control Room is considered to be a potential substantial degradation in the level of plant safety. Following a Control Room evacuation, control of the plant will be transferred to alternate shutdown locations. The necessity to control a plant shutdown from outside the Control Room, in addition to responding to the event that required the evacuation of the Control Room, will present challenges to plant operators and other on-shift personnel. Activation of the ERO and emergency response facilities will assist in responding to these challenges. Escalation of the emergency classification level would be via IC HS6. 93

HA7 ECL: Alert Initiating Condition: Other conditions exist which in the judgment of the Em~ergency Difeet-fSTED/SED warrant declaration of an Alert. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which, in the judgment of the Emergency DircztorSTEDiSED, indicate that events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any releases are expected to be limited to small fractions of the EPA Protective Action Guideline exposure levels. Basis: HOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment, take H-OSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns. explosives. PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emfer'gency DietISTED/SED to fall under the emergency classification level description for an Alert. 94

HU1 ECL: Notification of Unusual Event Initiating Condition: Confirmed SECURITY CONDITION or threat. Operating Mode Applicability: All Emergency Action Levels: (1 or 2 or 3) (I) A SECUPATY CONDITION that does net inve!l'e' a HOSTILE ACTION a*A Code Yellow is reported by the (rite specifiz *zcur'ty zhit supzrv.izion)Security Shift Supervisor. OR (2) Notification of a credible security threat directed at the-si*Scabrook Station. OR (3) A validated notification from the NRC providing information of an aircraft threat. Basis: Code Yellow - SECURITrY CONDITION: An\ Security Event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A SECURITY CONDITION does not involve a HOSTILE ACTION. HOSTILE ACTION: An act tow*ard a NPP or its personnel that includes the use of violent force to destroy' equipment. take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns. explosives. PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HlOSTILE ACTION should not be construed to include acts of civ il disobedience or felonious acts that are not part of a concerted attack on the NPP. This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment, and thus represent a potential degradation in the level of plant safety. Security events which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. Security events assessed as HOSTILE ACTIONS are classifiable under ICs HAl, HSI and HG1. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Classification of these events will initiate appropriate threat-related notifications to plant personnel and OROs. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Trainingand Qualification Plan, Safeguards Contingency Plan [and Independent Spent Fuel Storage InstallationSecurity Program]. EAL # 1 references (rite wep ifie euwp.....iei,.n)' Security. Shift Supervisor because 

                                 --...... y zh"ifao.,.t" these are the individuals trained to confirm that a security event is occurring or has occurred.

Training on security event confirmation and classification is controlled due to the nature of Safeguards and 10 CFR § 2.390 information. EAL #2 addresses the receipt of a credible security threat. The credibility of the threat is assessed in accordance with (rite zpezife rzcd.....a site prcdrs 95

EAL #3 addresses the threat from the impact of an aircraft on the plant. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may also be provided by NORAD through the NRC. Validation of the threat is performed in accordance with (s'te specific przzea,,rz)site procedures. Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security Plan. Escalation of the emergency classification level would be via IC HAl.

References:

0S1290.03. Response to a Security' Event. OS 1290.04. Response to an Airborne Security Event 96

HU2 ECL: Notification of Unusual Event Initiating Condition: Seismic event greater than OBE levels. Operating Mode Applicability: All Emergency Action Levels: (1) Seismic event greater than Operating Basis Earthquake (OBE) as indicated by:

a. *Fhe red "EVENT' light is lit on seismic monitoring control panel 1-SM-CP-58.

AND

b. The yellow "OBE" light is lit on seismic monitoring control panel 1-SM-CP-58.1 - -1 Commented [DWS56J: V27 EC2821S4- Seismiic Monitoring

[System Upgrade OR (2) a. Seismic monitoring system out of service AND

b. Control Room personnel feel an actual or potential seismic event AND
c. The occurrence of a seismic event is confirmed in a manner deemed appropriate by the Shift Manager Basis:

This IC addresses a seismic event that results in accelerations at the plant site greater than those specified for an Operating Basis Earthquake (OBE). An earthquake greater than an OBE but less than a Safe Shutdown Earthquake (SSE) should have no significant impact on safety-related systems, structures and components; however, some time may be required for the plant staff to ascertain the actual post-event condition of the plant (c.g., pzr'fcrm.z wal...k..1 

                                                                                ....... and* pz
                                                                                             ........ n.t.
...... e^-o. Given the time necessary to perform walk-downs and inspections, and fully understand any impacts, this event represents a potential degradation of the level of safety of the plant.

Event verification with external sources should not be necessary during or following an OBE. Earthquakes of this magnitude should be readily felt by on-site personnel and recognized as a seismic event (zg. typi-zal laza 

                            .... ...       ticac
                                              ..... in....... cfO0.g). The Shift Manager or Emergency Di.......STED!SED may seek external verification if deemed appropriate-(e~g.,-a-ea1.

Tcheek*1 int..rn............., etc.); however, the verification action must not te the USS preclude a timely emergency declaration.

Reference:

EC 282184. Seismic Monitoring System Upgrade Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or MA9. 97

HU3 ECL: Notification of Unusual Event Initiating Condition: Hazardous event. Operating Mode Applicability: All Emergency Action Levels: (1 or 2 or 3 or 4-er-4) Note: EAL #4 does not apply to routine traffic impediments such as fog, snow, ice, or vehicle breakdowns or accidents. (1) A tornado strike within the PROTECTED AREA. OR (2) Internal room or area flooding of a magnitude sufficient to require manual or automatic electrical isolation of a SAFETY SYSTEM component needed for the current operating mode. OR (3) Movement of personnel within the PROTECTED AREA is IMPEDED due to an offsite event involving hazardous materials (e.g., an offsite chemical spill er te,xie gac release). OR (4) A hazardous event that results in on-site conditions sufficient to prohibit the plant staff from accessing the site via personal vehicles. Basis: PROTECTED AREA: The area under continuous access monitoring and control, and armed protection as described in the site Security Plan. SAFETY SYSTEM: A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. Systems classified as safety-related. IMPEDE: Entry into an area requires extraordinary measures to facilitate entry+of personnel into the affected room/area by installing temporary, shielding, requiring use of non-routine protective equipment. or requesting an extension in dose limits beyond normal administrative limits. This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant. EAL # 1 addresses a tornado striking (touching down) within the Protected Area. EAL #2 addresses flooding of a building room or area that results in operators isolating power to a SAFETY SYSTEM component due to water level or other wetting concerns. Classification is also required if the water level or related wetting causes an automatic isolation of a SAFETY SYSTEM component from its power source (.g., '**a breaker or relay t:,rip). To warrant classification, operability of the affected component must be required by Technical Specifications for the current operating mode. 98

EAL #3 addresses a hazardous materials event originating at an offsite location and of sufficient magnitude to impede the movement of personnel within the PROTECTED AREA. EAL #4 addresses a hazardous event that causes an on-site impediment to vehicle movement and significant enough to prohibit the plant staff from accessing the site using personal vehicles. Examples of such an event include site flooding caused by a hurricane, heavy rains, up-river water releases, dam failure, etc., or an on-site train derailment blocking the access road. This EAL is not intended apply to routine impediments such as fog, snow, ice, or vehicle breakdowns or accidents, but rather to more significant conditions such as the Hurricane Andrew strike on Turkey Point in 1992, the flooding around the Cooper Station during the Midwest floods of 1993, or the flooding around Ft. Calhoun Station in 2011. Escalation of the emergency classification level would be based on ICs in Recognition Categories A, F, M or C. 99

HU4 ECL: Notification of Unusual Event Initiating Condition: FIRE potentially degrading the level of safety of the plant. Operating Mode Applicability: All Emergency Action Levels: (1 or 2 or 3 or 4) Notes:

  • The Emzrgzncy DirzzctrSTED/SED should declare the Unusual Event promptly upon determining that the applicable time has been exceeded, or will likely be exceeded.
      *A containment fire alarm is considered valid upon receipt of an actuated alarm on CP-376, combined with any of the following:

o CP 376 panel - Multiple Zones Actuated o Plant Equipment - Spuriously Operating o Containment Temperature - Increasing o Containment Particulate Radiation - Increasing (1) a. A FIRE is NOT extinguished within 15-minutes of ANY of the following FIRE detection indications: IReport from the field (i.e., visual observation) Receipt of multiple (more than 1) fire alarms or indications Field verification of a single fire alarm AND

b. The FIRE is located within ANY-ofthe-fellewifng Table H2 plant rooms or areas:

Fable H21 -{ Commented [DWS57]: V28 Verification of Fire Areas Condensate Storage Tank Enclosure 

                  .....                                      Fuel Storage Building
                  ...C'ontainment                            Primary Auxiliary Building Control Building                          Service Water Pump House
                  'Cooling Tower                             Steam and Feedwater Pipe Chases

[Diesel Generator Building North Tank Farm Emergency Feedwater Pump House Startup Feedwater Pump Area Equipment Vault ________________ OR (2) a. Receipt of a single fire alarm (i.e., no other indications of a FIRE). AND

b. The FIRE is located within ANY of the Table H-2f-ottewing plant rooms or areas except Containment (see note above):

AND

c. The existence of a FIRE is not verified within 30-minutes of alarmn receipt.

OR (3) A FIRE within the plant PROTECTEI) AREA or SS4Dry Fuel Storage Facility{-fi plantz.... ith on ,IFSIcu.÷id. ,thepan Protected .,Area] POnTEC,-TE,*D, ARE not extinguished within 60-minutes of the initial report, alarm or indication. OR 100

(4) A FIRE within the plant PROTECTED AREA ef* uorv.~t '- th pa. :t Pro:t:etedArea] PROTECTED .AREA that requires firefighting support by an offsite fire response agency to extinguish. Basis: FIRE: Combustion characterized by heat and light. Sources of smoke such as slipping drixe belts or overheated electrical equipment do not constitute FIRES. Observation of flamle is preferred but is NOT required if large quantities of smoke and heat are observed. PROTECTED AREA: The area under continuous access monitoring and control, and armed protection as described in the site Security Plan. This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant. With regard to containment lire alanms, there is constant air movement in containment due to the operation of the CAH system. T'he operating cooling units are drawing air to the units past the smoke detectors. It can reasonably be expected that a fire that burns for 15 minutcs wvould produce suf'ficient products of combustion to cause fire detectors in multiple zones to alarm. EAL #1 The intent of the 15-minute duration is to size the FIRE and to discriminate against small FIRES that are readily extinguished (e.g., m.c.dering* 

                                      ..       .......... paper bae.ket)*,.In addition to alarms, other indications of a FIRE could be a drop in fire main pressure, automatic activation of a suppression system, etc.

Upon receipt, operators will take prompt actions to confirm the validity of an initial fire alarm, indication, or report. For EAL assessment purposes, the emergency declaration clock starts at the time that the initial alarm, indication, or report was received, and not the time that a subsequent verification action was performed. Similarly, the fire duration clock also starts at the time of receipt of the initial alarm, indication or report. EAL #2 This EAL addresses receipt of a single fire alarm, and the existence of a FIRE is not verified (i.e., proved or disproved) within 30-minutes of the alarm. Upon receipt, operators will take prompt actions to confirm the validity of a single fire alarm. For EAL assessment purposes, the 30-minute clock starts at the time that the initial alarm was received, and not the time that a subsequent verification action was performed. A single fire alarm, absent other indication(s) of a FIRE, may be indicative of equipment failure or a spurious activation, and not an actual FIRE. For this reason, additional time is allowed to verify, the validity of the alarm. The 30-minute period is a reasonable amount of time to determine if an actual FIRE exists; however, after that time, and absent information to the contrary, it is assumed that an actual FIRE is in progress. If an actual FIRE is verified by a report from the field, then EAL #1 is immediately applicable, and the emergency must be declared if the FIRE is not extinguished within 15-minutes of the report. If the alarm is verified to be due to an equipment failure or a spurious activation, and this verification occurs within 30-minutes of the receipt of the alarm, then this EAL is not applicable and no emergency declaration is warranted. EAL #3 101

In addition to a FIRE addressed by EAL # 1 or EAL #2, a FIRE within the plant PROTECTED AREA not extinguished within 60-minutes may also potentially degrade the level of plant safety. This basis extends to a FIRE occurring within the PROTECTED AREA of the Dry Fuel Storage Facility. EAL #4 If a FIRE within the plant PROTECTED AREA or is of sufficient size to require a response by an offsite firefighting agency (e.g., a lecal tv':,n Fire Depa....m.nt), then the level of plant safety is potentially degraded. The dispatch of an offsite firefighting agency to the site requires an emergency declaration only if it is needed to actively support firefighting efforts because the fire is beyond the capability of the Fire Brigade to extinguish. Declaration is not necessary if the agency resources are placed on stand-by, or supporting post-extinguishment recovery or investigation actions. Basis-Related Requirements from Appendix R Appendix R to 10 CFR 50, states in part: Criterion 3 of Appendix A to this part specifies that "Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions." When considering the effects of fire, those systems associated with achieving and maintaining safe shutdown conditions assume major importance to safety because damage to them can lead to core damage resulting from loss of coolant through boil-off. Because fire may affect safe shutdown systems and because the loss of function of systems used to mitigate the consequences of design basis accidents under post-fire conditions does not per se impact public safety, the need to limit fire damage to systems required to achieve and maintain safe shutdown conditions is greater than the need to limit fire damage to those systems required to mitigate the consequences of design basis accidents. In addition, Appendix R to 10 CFR 50, requires, among other considerations, the use of 1-hour fire barriers for the enclosure of cable and equipment and associated non-safety circuits of one redundant train (G.2.c). As used in EAL #2, the 30-minutes to verify' a single alarm is well within this worst-case 1-hour time period. Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or MA9. 102

HU7 ECL: Notification of Unusual Event Initiating Condition: Other conditions exist which in the judgment of the ...... gef... DifeetefSTED/SED warrant declaration of ana Unusual Event(O4)UE. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which in the judgment of the ........ y ir*: 

                                                                               ......           SE indicate that events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs.

Basis: This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the*,, E ........*,ey 

   *ieeeSTED/SED to fall under the emergency classification level description for a NOUE.

103

UL8SYSTEM MALFUNCTION ICS/EALS Recognition Category "M" Initiating Condition Matrix GENERAL EMERGENCY SITE AREA EMERGENCY ALERT UNUSUAL EVENT MG1 Prolonged loss of all MSI Loss of all offsite and MA1 Loss of all but one MU1 Loss of all offsite AC offsite and all onsite AC all onsite AC power to AC power source to power capability to emergency power to emergency buses, emergency buses for 15 emergency buses for 15 buses for 15 minutes or longer. Op. Modes: 1, 2, 3, 4 minutes or longer. minutes or longer. Op. Modes: 1, 2, 3. 4 ______________ Op. Modes: 1,2, 3, 4 Op. Modes: 1, 2, 3, 4 MA2 UNPLANNED loss MIU2 UNPLANNED loss of Control Room indications of Control Room indications for 15 minutes or longer with a for 15 minutes or longer. significant transient in Op. Modes: 1, 2, 3, 4 progress. Op. Modes: 1, 2, 3, 4 MUJ3 Reactor coolant activity greater than Technical Specification allowable limits. Op. Modes: 1, 2, 3, 4 MU4 RCS leakage for 15 minutes or longer. Op. Modes: 1, 2, 3, 4 M.S5 Inability to shutdown MA5 Automatic or manual MU5 Automatic or manual the reactor to neutron flux < trip falls to shutdown the trip falls to shutdown the 5% causing a challenge to core reactor to neutron flux <5%, reactor *o neutron flux < 5o/1 Coamamented [DWS58]: V29 CSFST Subcriticality cooling or RCS heat removal, and subsequent manual actions Op. Modes: 1 Op. Modes: 1 taken at the Main Control B~oardrczectz, r ceriSz cznzzlcz are not successful in shutting down the reactor. Op. Modes': I MU6 Loss of all onstte or offsite conmmunications capabilities. Op. Modes: 1, 2, 3, 4 MU7 Failure to isolate contaimnment or loss of containment pressure control. Op. Modes: 1, 2, 3, 4 MG8 Loss of all AC and MS8 Loss of all Vital DC Vttal DC power sources for 15 power for 15 minutes or minutes or longer, longer. Op. Modes: 1, 2, 3, 4 Op. Modes: 1, 2, 3, 4 MA9 Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode. ____________________Op. Modes: 1, 2, 3. 4 ___________ 104

MG1 ECL: General Emergency Initiating Condition: Prolonged loss of all offsite and all onsite AC power to emergency buses. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: T eS AN... [,6..(...t..STED/SED shmulrgenclar b he GnrlEmrecpopl Rpn estoratniong ofhatleasite one AC emers enc busen lxeeess ta hours wisno belikely omnedEW5] 2 0Cpn fu ctoreCona()CFRDlnr.odiin e Thi1 I addresse apoflogdLos offst anALL onieA sourcesTt power AC emergency buses. oso l ACpoe copoisEs the prormane ofoalloSFTYSSEMieuiigelcrc:oe including those necessary for emergency core cooling, containment beat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A prolonged loss of these buses will lead to a loss of one or more fission product barriers. In addition, fission product barrier monitoring capabilities may be degraded under these conditions. The EAL should require declaration of a General Emergency prior to meeting the thresholds for IC FG1. This will allow additional time for implementation of offsite protective actions. Escalation of the emergency classification from Site Area Emergency will occur if it is projected that power cannot be restored to at least one AC emergency bus by the end of the analyzed station blackout coping period. Beyond this time, plant responses and event trajectory are subject to greater uncertainty, and there is an increased likelihood of challenges to multiple fission product barriers. The estimate for restoring at least one emergency bus should be based on a realistic appraisal of the situation. Mitigation actions with a low probability of success should not be used as a basis for delaying a classification upgrade. The goal is to maximize the time available to prepare for, and implement, protective actions for the public. The EAL will also require a General Emergency declaration if the loss of AC power results in parameters that indicate an inability to adequately remove decay heat from the core. This Initiating Condition is not met if either Bus E5 or E6 is energized from the Supplemental Emergency Power System (SEPS). 105

The SEPS primlary function is to supply power to one 4.16 kV emergency bus, EDE-SWG-5 (E5) or EDE-SWG-6 (E6), in the event of a loss-of-offsite-power (LOOP) and both EDGs fail to start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of service for up to fourteen days. SEPS can be used when it is anticipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOT) of 72 hours. The design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI, CBS, CVI, CI, etc.). In addition to providing power to the required loads, the total combined output of the SEPS system can supply either the RHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03 -007. The SEPS consists of two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically starting, synchronizing together and energizing the SEPS electrical bus. The SEPS design requires a "dead bus" transfer back to an offsite power source, i.e., the emergency bus powered by SEPS must be dc-energized before restoring offsite power. For power restoration from the SEPS, both SEPS diesel generator sets must be functional. The use of the SEPS is recognized in the Emergency Operating Procedures

Reference:

UFSAR Section 8.3.1, AC Power Systems 106

MG8 ECL: General Emergency Initiating Condition: Loss of all AC and Vital DC power sources for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note:

  • The Emergency DirecterSTED/SED should declare the General Emergency promptly upon deternining that 15 minutes has been exceeded, or will likely be exceeded.
      *For a bus to be considered energized from SEPS, both SEPS diesel generator sets must be functional.

(1) a. Loss of ALL offsite and ALL onsite AC power to BOTH AC emergency buses E5 AND E6 (ste;, ...... ... .. b,...e for 15 minutes or longer. i emergency* AND

b. Indicated voltage is less than (sitzpe zie'fiz bueu:cltage ...lue) 105 V on ALL (eite-s,peeifie Vital DC buses-) 11 A. 11 B, 11 C and lID for 15 minutes or longer.

Basis: This IC addresses a concurrent and prolonged loss of both AC and Vital DC power. A loss of all AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A loss of Vital DC power compromises the ability to monitor and control SAFETY SYSTEMS. A sustained loss of both AC and DC power will lead to multiple challenges to fission product barriers. Fifteen minutes was selected as a threshold to exclude transient or momentary power losses. The 15-minute emergency declaration clock begins at the point when both EAL thresholds are met. This Initiating Condition is not met if either Bus E5 or E6 is energized from the Supplemental Emergency Power System (SEPS). The SEPS primary, function is to supply power to one 4.16 kV emergency bus. EDE-SWG-5 (ES) or EDE-SWG-6 (E6), in the event of a loss-of-offsite-power (LOOP) and both EDGs fail to start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of service for up to fourteen days. SEPS can be used when it is anticipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOT) of 72 hours. The design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI. CBS, CVI. CI, etc.). In addition to providing powver to the required loads, the total combined output of the SEPS system can supply either the RIHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03 -007. The SEPS consists of two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically 107

starting, synchronizing together and energizing the SEPS electrical bus. The SEPS design requires a "dead bus" transfer back to an offsite power source, i.e., the emergency bus powered by SEPS must be de-energized before restoring offsite power. For power restoration from the SE PS. both SEPS diesel generator sets must be functional. T'he use of the SEPS is recognized in the Emergency Operating Procedures

Reference:

UJFSAR Section 8.3.1. AC Power Systems 108

MS1 ECL: Site Area Emergency Initiating Condition: Loss of all offsite and all onsite AC power to emergency buses for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note:

  • The Emergency DirectcrS~l:DiSEiD should declare the Site Area Emergency promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded.
  • For a bus to be considered energized from SEPS. both SEPS diesel generator sets must be functional.

(1) Loss of ALL offsite and ALL onsite AC power to B(YTI- AC emergency buses E5 AND 

             .........pzii E6(rt                       buz for 15 minutes or longer.

Basis: This IC addresses a total loss of AC power that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. In addition, fission product barrier monitoring capabilities may be degraded under these conditions. This IC represents a condition that involves actual or likely major failures of plant functions needed for the protection of the public. Fifteen minutes was selected as a threshold to exclude transient or momentary power losses. Escalation of the emergency classification level would be via ICs RG1, FG1 or MGI. This Initiating Condition is not met if either Bus E5 or E6 is energized from the Supplemental Emergency Power System (SEPS). The SEPS primar, function is to supply power to one 4.16 kV emergency bus. EDE-SWG-5 (E5) or EDE-SWG-6 (E6), in the event of a loss-of-ofk~ite-power (LOOP) and both ED~s fail to start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of serxice for up to fourteen days. SEPS can be used when it is antieipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOT) of 72 hours. The design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI. CBS. CVI. Cl. etc.). In addition to providing power to the required loads, the total combined output of the SEPS system can supply either the RHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03-007. The SEPS consists of two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically starting. synchronizing together anid energizing the SEPS electrical bus. The SEPS design 109

requires a 'dead bus" transfer back to an offsite power source. i.e.. the emergency bus powered by SEPS must be dc-energized before restoring offsite power. For power restoration from the SEPS, both SEPS diesel generator sets must be functional. The use of the SEPS is recognized in the Emergency Operating Procedures

Reference:

UFSAR Section 8.3.1, AC Power Systems 110

MS5 ECL: Site Area Emergency Initiating Condition: Inability to shutdown the reactor to neutron flux < 5% causing a challenge to core cooling or RCS heat removal. Operating Mode Applicability: 1 Emergency Action Levels: (1) a. An automatic or manual trip did not shutdown the reactor to neutron flux < 5%. AND

b. All manual actions to shutdown the reactor have been unsuccessful.

AND

c. EITHER of the following conditions exist:

Core Coolin* (C CSF RED entr 'conditions met. -. -( -ICommented[DWS6O]: V20CSFST CoreCooling I -eat SinI* (H) CS[ RED entry: conditions met. I- - ICommentlxd DWS6]: V22 CSFSTHeat sink q 

                  ...t. vpeii
                          .............. of a~n inabiit te adequatel remoe hea..t'°  f.rem*....th core)

(Sit....zpeifi i.ndicatic of an inabi!lty te nadequn....y remove heat fr th.. R.pCS) Basis: This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, all subsequent operator actions to manually shutdown the reactor are unsuccessful, and continued power generation is challenging the capability to adequately remove heat from the core and/or the RCS. This condition will lead to fuel damage if additional mitigation actions are unsuccessful and thus warrants the declaration of a Site Area Emergency. In some instances, the emergency classification resulting from this ICiEAL may be higher than that resulting from an assessment of the plant responses and symptoms against the Recognition Category F ICs/EALs. This is appropriate in that the Recognition Category F ICs/EALs do not address the additional threat posed by a failure to shutdown the reactor. The inclusion of this IC and EAL ensures the timely declaration of a Site Area Emergency in response to prolonged failure to shutdown the reactor. A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria. Escalation of the emergency classification level would be via IC RGI1 or FGI1. 111

MS8 ECL: Site Area Emergency Initiating Condition: Loss of all Vital DC power for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: INote: The EmerTgen*c, DirectzrSTED/SED should declare the Site Area Emergency promptly I upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) Indicated voltage is less thar* 105 Vkzite spezific b"u° v'ltagz .,al.) on ALL vital DC 

                                                                                                   -. - Commented [DWS62]: VI8 UFSAR 83.2 - Dcv 105 limit
                                         .. zccifiz " i....l rDC*buses-) for 15 minutes or longer.

buses ItIA. 1liB.* lIC and I ID(Z*i' Basis: This IC addresses a loss of Vital DC power which compromises the ability to monitor and control SAFETY SYSTEMS. In modes above Cold Shutdown, this condition involves a major failure of plant functions needed for the protection of the public. Fifteen minutes was selected as a threshold to exclude transient or momentary power losses. Escalation of the emergency classification level would be via ICs RGI1, FGl1 or MG8. 112

MA1 ECL: Alert Initiating Condition: Loss of all but one AC power source to emergency buses for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Notes:

  • The Emergency DirectorSTEI)/SED should declare the Alert promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded.
  • For a bus to be considered energized from SEPS. both SEPS diesel generator sets must be functional.

(1) &---AC power capability to BOTH AC emergency, buses E5 AND E6*st-:...... ewi.ve' em~ergeney-buseS) is reduced to a single power source for 15 minutes or longer. Basis: SAFETY SYSTEM: A system required tbr safe plant operation, cooling dowxn the plant and/or placing it in the cold shutdown condition, including the ECCS. Systems classified as safety-related. This IC describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. This IC provides an escalation path from IC MU1. An "AC power source" is a source recognized in AOPs and EOPs, and capable of supplying required power to an emergency bus. Some examples of this condition are presented below.

  • A loss of all offsite power with a concurrent failure of all but one emergency power source (e~.,an enratr) nste ieel
   *Aloss of all offsite power and loss of all emergency power sources (e.g., ansite diesel gneliftefsr)- with a single train of emergency buses being back-fed from the unit main generator.
  • A loss of emergency power sources (e.g., onsite .i...l g, .........) with a single train of emergency buses being back-fed from an offsite power source.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of power. Escalation of the emergency classification level would be via IC MS1. This Initiating Condition is not met if either Bus ES or E6 is energized from the Supplemental Emergency Power System (SEPS). The SEPS primary function is to supply power to one 4.16 kV emergency bus. EDE-SWG-5 (E5) or EDE-SWG-6 (E6). in the event of a loss-of-off site-power (LOOP) and both EDGs fail to 113

start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of service for up to fourteen days. SEPS can be used when it is anticipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOl) of 72 hours. Thle design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI. CBS, CVI, Ct, etc.). Inl addition to providing power to the required loads, the total combined output of the SEPS sy'stem can supply either the RHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03 -007. The SEPS consists of 1two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically starting, synchronizing together and energizing the SEPS electrical bus. The SEPS design requires a "dead bus" transfer back to an offsite power source, i.e., the emergency bus powered by SEPS must be de-energized before restoring offsite power. For power restoration fr'om the SEPS. both SEPS diesel generator sets must be functional. The use of the SEPS is recognized inl the Emergency Operating Procedures

Reference:

UFSAR Section 8.3.1. AC Power Systems 114

MA2 ECL: Alert Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer with a significant transient in progress. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note: The Em...rg,.n..y Dire.....STED/SED should declare the Alert promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) a. An UNPLANNED event results in the inability to monitor one or more of the following parameters from within the Control Room for 15 minutes or longer. Reactor Power R-GS-Pressurizer Level RCS Pressure kn-Gore*Core Exit or RCS Temperature Levels in at least (site specific numnber)two steam generators Steam Generator Auxiliary-er Emergency Feed Water Flow AND

b. ANY of the following transient events in progress.

Automatic or manual runback greater than 25% thermal reactor power Electrical load rejection greater than 25% full electrical load Reactor trip SI actuation Basis: UNPLANNED: A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown. This IC addresses the difficulty associated with monitoring rapidly changing plant conditions during a transient without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. During this condition, the margin to a potential fission product barrier challenge is reduced. It thus represents a potential substantial degradation in the level of safety of the plant. As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room. An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRC event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency 115

pian implementing procedures addressing emergency classification, accident assessment, or protective action decision-making. This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters nriay be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well. Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication. Escalation of the emergency classification level would be via ICs FS 1 or IC RS 1. 116

MA5 ECL: Alert Initiating Condition: Automatic or manual trip fails to shutdown the reactor to neutron tlux < 5%, and subsequent manual actions taken at the reactor ...... l c..... s^ " Control Board are not successful in shutting down the reactor. Operating Mode Applicability: 1 Emergency Action Level: Note: A manual action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies. (1) a_ An automatic or manual trip did not shutdown the reacto4 to neutron flUX < 5%* - "{Commete [DWS631: V29 CSFST Subcriticality AND

b. Manual actions taken at the ............... zcncal:aMCB are not successful in shutting down the reactor.

Basis: This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and subsequent operator manual actions taken at the r-eaetef central zcnczlezMCB to shutdown the reactor are also unsuccessful. This condition represents an actual or potential substantial degradation of the level of safety of the plant. An emergency declaration is required even if the reactor is subsequently shutdown by an action taken away from the ............... ccnzalzcMC[B since this event entails a significant failure of the RPS. A manual action at the reactor contral ccnzz~z*MCB is any operator action, or set of actions, tzr* initiating a manual.. ...... which causes the control rods to be rapidly inserted into the core (e.g.,..,...*÷ trIp). This action does not include manually driving in control rods or implementation of boron injection strategies. If this action(s) is unsuccessful, operators would immediately pursue additional manual actions at locations away from the reaztor zcntr-! ... onolvMCB(e.g eea14y -- 

      "- '-** .. *Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "a th eeet-e*

e-onseteMCB5". The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If the failure to shutdown the reactor is prolonged enough to cause a challenge to the core cooling or RCS heat removal safety functions, the emergency classification level will escalate to a Site Area Emergency via IC MS5. Depending upon plant responses and symptoms, escalation is also possible via IC FS1I. Absent the plant conditions needed to meet either IC MS5 or FS1I, an Alert declaration is appropriate for this event. It is recognized that plant responses or symptoms may also require an Alert declaration in accordance with the Recognition Category F ICs; however, this IC and EAL are included to ensure a timely emergency declaration. A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria. 117

MA9 ECL: Alert Initiating Condition: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1) a. The occurrence of ANY of the following hazardous events: Seismic event (earthquake) Internal or"external flooding event High winds or tornado strike FIRE EXPLOSION Other events with similar hazard characteristics as determined by the Shift Manager AND

b. EITHER of the following:
1. Event damage has caused indications of degraded performance in at least one train of a SAFETY SYSTEM needed for the current operating mode.

OR

2. The event has caused VISIBLE DAMAGE to a SAFETY SYSTEM component or structure needed for the current operating mode.

Basis: SAFETY SYSTEM: A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition. including the ECCS. Systems classified as safety-related. FIRE: Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute FIRES. Observation of flame is preferred but is NOT required if large quantities of smoke and beat are observed. EXPLOSION: A rapid. violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding. arcing. etc.) should not automatically be considered an explosion. Such events may require a post-event inspection to determine if the attributes of an explosion are present. VISIBLE DAMAGE: Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure. This IC addresses a hazardous event that causes damage to a SAFETY SYSTEM, or a structure containing SAFETY SYSTEM components, needed for the current operating mode. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier, and therefore represents an actual or potential substantial degradation of the level of safety of the plant. 118

EAL 1.b. 1 addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train. EAL 1.b.2 addresses damage to a SAFETY SYSTEM component that is not in service/operation or readily apparent through indications alone, or to a structure containing SAFETY SYSTEM components. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage. Escalation of the emergency classification level would be via IC FS 1 or RS 1. 119

MU1 ECL: Notification of Unusual Event Initiating Condition: Loss of all offsite AC power capability to emergency buses for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note:.Th Emrnz ... re......STED/SED should declare the Unusual Event promptly upon I determining that 15 minutes has been exceeded, or will likely be exceeded.I (1) Loss of ALL offsite AC power capability to BOTH AC emergency buses [5 AND E6(*ite zpecific ...... ..nzs b,.. ) for 15 minutes or longer. Basis: This IC addresses a prolonged loss of offsite power. The loss of offsite power sources renders the plant more vulnerable to a complete loss of power to AC emergency buses. This condition represents a potential reduction in the level of safety of the plant. For emergency classification purposes, "capability" means that an offsite AC power source(s) is available to the emergency buses, whether or not the buses are powered from it. Fifteen minutes was selected as a threshold to exclude transient or momentary losses of offsite power. Escalation of the emergency classification level would be via IC MA1. 120

MU2 ECL: Notification of Unusual Event Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note: The Emergency Direct*orSTEI)/SED should declare the Unusual Event promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) An UNPLANNED event results in the inability to monitor one or more of the following parameters from within the Control Room for 15 minutes or longer. Reactor Power RC::,-Pressurizer Level RCS Pressure 4n-,ei-eA~ore Exit Temperature Levels in at ..... (st fi num...... t*,...:,...t**least steam generators Steam Generator Awuliiy.'e,'fo Emergency Feed Water Flow Basis: UNPLANNED: A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown. This IC addresses the difficulty associated with monitoring normal plant conditions without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. This condition is a precursor to a more significant event and represents a potential degradation in the level of safety of the plant. As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room. An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated gnidance in NUREG-1022) to determine if an NRC event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making. This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other 121

SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well. Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication. Escalation of the emergency classification level would be via IC MA2. 122

MU3 ECL: Notification of Unusual Event Initiating Condition: Reactor coolant activity greater than Technical Specification allowable limits. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1 or 2) specific vke.... czcitiz mdiaticn menlter)-reading greater than 2,670 mRlhr,-site- 1 S-[ Commented Monitor Value [DWS64]: V30OEPCALC-06 Letdown OR (2) Sample analysis indicates that a reactor coolant activity value is greater thax* the Limiting Condition for Operation (LCO)nn allewa.ble limit specified in Technical Specifications 3.4.8 Reactor Coolant System Specific Activity]. [ Commented [DWS65]: V31 TS 3.4.8 Specific Activity Basis: This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. This condition is a precursor to a more significant event and represents a potential degradation of the level of safety of the plant. Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs. 123

MU4 ECL: Notification of Unusual Event Initiating Condition: RCS leakage for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1 or 2 or 3) Note: The Emergency Di.......STEDiSED should declare the Unusual Event promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) RCS unidentified or PRESSURE BOUNDARY LEAKAGE greater than to; ...... i, vekie~1 0 gpm for 15 minutes or longer. OR (2) RCS IDENTIFIED LEAKAGE greater than (*itzep....f"c.... e)2 gp fr 5 inte or longer. OR (3) Leakage from the RCS to a location outside containment greater than 25 gpm for 15 minutes or longer. Basis: II)ENTIFIED LEAKAGE

a. Leakage (except CONTROLLED LEAKAGE) into closed systems, such as pump seal or valve packing leaks that arc captured and conducted to a sumnp or collecting tank, or
b. Leakage into the containment atmosphere from sources that are both specifically located and knowvn either not to interfere w*ith thc operation of Leakage tDetection Systems or not to be P~RESSURE BOUNDARY LEAKAGE. or
c. Reactor Coolant System leakage through a steamn generator to the Secondary Coolant System (primary to secondary leakage).

PRESSURE BOUNDARY LEAKAGE

a. PRESSURE BOUND)ARY LEAKAGE shall bc leakage (except primary to secondary leakage) through a nonisolable thult in a Reactor Coolant System component body, pipe wall, or vessel wall.

This IC addresses RCS leakage which may be a precursor to a more significant event. In this case, RCS leakage has been detected and operators, following applicable procedures, have been unable to promptly isolate the leak. This condition is considered to be a potential degradation of the level of safety of the plant. EAL #1 and EAL #2 are focused on a loss of mass from the RCS due to "unidentified leakage", 

"prsueboundary leakage" or "identified leakage" (as these leakage types are defined in the plant Technical Specifications). EAL #3 addresses a RCS mass loss caused by an UNISOLABLE leak through an interfacing system. These EALs thus apply to leakage into the
                                         ........... n, generat-r t.ube leakage...in a PWR) or a containment, a secondary-side system (e.g,.,

location outside of containment. 124

The leak rate values for each EAL were selected because they are usually observable with normal Control Room indications. Lesser values typically require time-consuming calculations to determine (z.g., a maz balo:nce zaoulaticn). EAL #1 uses a lower value that reflects the greater significance of unidentified or pressure boundary leakage. The release of mass from the RCS due to the as-designed/expected operation of a relief valve does not warrant an emergency classification. For PWRs, an emergency classification would be required if a mass loss is caused by a relief valve that is not functioning as designed/expected The 15-minute threshold duration allows sufficient time for prompt operator actions to isolate the leakage, if possible. Escalation of the emergency classification level would be via ICs of Recognition Category R or F. 125

MU5 ECL: Notification of Unusual Event Initiating Condition: Automatic or manual trip fails to shutdown the reactor to neutron flux < 5%. Operating Mode Applicability: 1 be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies. Emergency Action Levels: (1 or 2) (1) a. An automatic trip did not shutdown the reacto4 to neutron flux < 504q - -{ Commented [DW566]: V29 CSFST Suberiticality AND

b. A subsequent manual action taken at the reactor control ......... MCB is successful in shutting down the reactor.

OR (2) a. A manual trip did not shutdown the reactor to neutron flux < 5%. AND

b. EITHER of the following:

I. A subsequent manual action taken at the rea~ .................... MCB is successful in shutting down the reactor. OR

2. A subsequent automatic trip is successful in shutting down the reactor.

Basis: This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and either a subsequent operator manual action taken at the reactor contrcl zonsce~e MCB or an automatic trip is successful in shutting down the reactor. This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant. Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the rzactzr czntrc, ccnzolez MCB to shutdown the reactor (z.g., initiatc a manual° reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems. If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the ........................ MCB to shutdown the reactor-(e~g.,-initiate-a manual rea.... trip)* ..zing adi.........itch) Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems. 126

A manual action at the MCB is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core c.g. initi...tin. manu.l..........ri.. Ths cio.de not include manually driving in control rods or implementation of boron injection strategies. Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the MCB". The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the MCB are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC MA5. Depending upon the plant response, escalation is also possible via IC FA 1. Absent the plant conditions needed to meet either IC MA5 or FAI, an Unusual Event declaration is appropriate for this event. A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria Should a reactor trip signal be generated as a result of plant work (z.g., RpS pe.... : ...... )- the following classification guidance should be applied.

  • If the signal causes a plant transient that should have included an automatic reactor trip and the RPS fails to automatically shutdown the reactor, then this IC and the EALs are applicable, and should be evaluated.
  • If the signal does not cause a plant transient and the trip failure is determined through other zzmn f........... ,, then this IC and the EALs are not applicable and no mean:....g.

classification is warranted. 127

MU6 ECL: Notification of Unusual Event Initiating Condition: Loss of all onsite or offsite communications capabilities. Operating Mode Applicability: 1,2, 3, 4 Emergency Action Levels: (1 or 2 or 3) (1) Loss of ALL of the following onsite communication methods: In-Plant (PBX) Telephones Gai-Tronics Plant Radio System OR (2) Loss of ALL of the following ORO communications methods: Nuclear Alert System (NAS) Backup NAS All plant telephones Cellular telephones OR (site epezifie list of zommunientions methods) (3) Loss of ALL of the following NRC communications methods: Emergency Notitication System (ENS) All plant telephones FTS telephones in the TSC Cellular telephones Basis: This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OROs and the NRC. This IC should be assessed only when extraordinary means are being utilized to make owne .. uim.nt r.l.. ing of:on sit communications possible (e.g., us of. no pl....t pr ...' ....... EAL #1 addresses a total loss of the communications methods used in support of routine plant operations. 128

EAL #2 addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the Common\* eaith of Massachusetts and State of New Hampshire. EAL #3 addresses a total loss of the communications methods used to notify the NRC of an emergency declaration. 129

MU7 ECL: Notification of Unusual Event Initiating Condition: Failure to isolate containment or loss of containment pressure control. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1 or 2) (1) a. Failure of containment to isolate when required by an actuation signal. AND

b. ALL required penetrations are not closed within 15 minutes of the actuation signal.

OR (2) a. Containment pressure greater than 11I8 psi4site :pzcific ..... 

                                                                             ,urc),.               .. - -{ Commented [DWS67]: V25 Containment Spray Seipoint AND
b. Less than one full train of Containinent Building Spray (CBS) (site-specifie
                   ...... ,guim.....t) is operating per design for 15 minutes or longer.

oytz Basis: This IC addresses a failure of one or more containment penetrations to automatically isolate (close) when required by an actuation signal. It also addresses an event that results in high containment pressure with a concurrent failure of containment pressure control systems. Absent challenges to another fission product barrier, either condition represents potential degradation of the level of safety of the plant. For EAL #1, the containment isolation signal must be generated as the result on an off-normal/accident conditioni (e.g., a zafety in~jzcticn cr high............. p...... ; a,failure resulting from testing or maintenance does not warrant classification. The determination of containment and penetration status - isolated or not isolated - should be made in accordance with the appropriate criteria contained in the plant AOPs and EOPs. The 15-minute criterion is included to allow operators time to manually isolate the required penetrations, if possible. EAL #2 addresses a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate, and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible. The inability to start the required equipment indicates that containment heat removalidepressurization systems (e.g., zcntain,"ent zprayz zr ice cendeneer fane) are either lost or performing in a degraded manner. This event would escalate to a Site Area Emergency in accordance with IC FSI if there were a concurrent loss or potential loss of either the Fuel Clad or RCS fission product barriers. 130

APPENDIX A - ACRONYMS AND ABBREVIATIONS AC ........................................................... Alternating Current AOP..................................................................... Abnormal Operating Procedure ATWS............................................................ Anticipated Transient Without Scram & .................................................................................ab k......Bco P............................................................................. Babling ater Reactor CE......................................................................................valen lIT ...................................................................... Bzo Code~tc ofnFedealz Regulations CM iN T.................................................................................Continmen CSF.............................................................................. Boriinal Safty Function CDEST.................................................................Crtcommittedy DosetiEquivaluTent DBCFR ...........................................................................Cd ofFDerinaliReuAtcioens DCT.....C....................................................................................Continmturent CSF.............................................................................CEmritclgaety FuctionLel ECSF T..............................................Cica 

             ..................                                                                             Safetgny FuCtiColngStatstree DBA........................................................................                                         esign BlasisiAcca DEer                      identLve DCF............................................................................                                                       ecatin Fcuilety DirrecyO EAL.......................................................................Emergency                                       Oeactiong              Lroevuel ECCS..................................................................Emeirgneny CoreColeciong                             l                  Sysemc ECL...............................................................Emergency.......Classification........                                        LEve EG....................................................................... Emergency OPerato nsrFacidlity EP!P............................................................. Emergency                                               p~erating Procedure O~.':!

EPA........................................................................ Environmental Proetio Agencyo PG...................................................................... g....... Pr....... ur....G..........E PRt .................................................................... Eere:yD.......Ezuhnr Pe _.. Re.,ter PRMA...........................................................Fedrl EmtriecyPwe Maaementc Agncyiu FSRG......................................................................Eminrgenafety Analysiu Relont FEMA...........................................................................Fedneral EmergencyMage ntA nc FSAR..................................................................Final....Safety....Analysis....Reportl" GE ........................................................................... ... G enperaltEmrgencym 

..................................................................................................                                                     H PCT..................................................................... HeaiCg                                    ait Tremu        erCeatur Lneimit IC..................................................................................Initatin                                                .Conitio ID..............................................................................................mete ID..................................................................................Inside.....Diameter..

ISFSI....................... Independent Spent Fuel Storage Installation (Dry Fuel Storage Facility) A-I

Keff............................................................ Effective Neutron Multiplication Factor LCO ................................................................... Limiting Condition of Operation LOCA ......................................................................... Loss of Coolant Accident MC-RMCBl.................................................................... Main Control R-oeml3oard MSIV ....................................................................... Main Steam Isolation Valve MSL ..................................................................................... Main Steam Line mR, mRem, mrem, mREM........................................... milli-Roentgen Equivalent Man MW .............................................................................................. Megawatt NEI ............................................................................. Nuclear Energy Institute NPP .................................................................................. Nuclear Power Plant NRC................................................................... Nuclear Regulatory Commission NSSS..................................................................... Nuclear Steam Supply System NORAD............................................... North American Aerospace Defense Command N.................................................................................... O...................... 

         ...............................................................................................                                                     NP*

OBE......................................................................... Operating Basis Earthquake OCA.............................................................................. Owner Controlled Area ODCMIODAM....................................... Offsite Dose Calculation-( ............. Manual ORO .................................................................... Off-site Response Organization PA .......................................................................................... Protected Area ACS .......................................... Pri.crity ctuation

.... n ....

ntrz , ... t PAG......................................................................... Protective Action Guideline C ............................................................................... d...................m PRA ............................ Probabilistic Risk Assessment/'Prebab+iliztiz Safety"A.z;esmen~t PWR ......................................................................... Pressurized Water Reactor S......................................................................................... prztecticn Sct.... PSIG .................................................................... Pounds per Square Inch Gauge R.................................................................................................. Roentgen CC .............................................................................. P.Reactzr Ce~ntrc! Console CIC ................................................. Reactor Ccre 'zc!lat'en Ceeding RCS.............................................................................. Reactor Coolant System Rem, rem, REM ............................................................. Roentgen Equivalent Man ETS ................................................... P.Radiclecgical Efflu-ent Techni5cal Specificationc+ RPS........................................................................... Reactor Protection System RPV............................................................................. Reactor Pressure Vessel RVLIS .................................................. Reactor Vessel Level Instrumentation System WCU ............................................................................ P.Rcactor Wlater Clca.nupa SAR .............................................................................. Safety Analysis Report SAS..............................................SCafety Aut....... :-SyztemSccondary Alarm Station + 4nU?.I^RC ".'a. .. prJ-.......-zr zrga.n:'zatine. zf +thz Nue1ear Enezrgy Inz:'.++t3 (NEt). A-2

SBO ............................................................ Station Blackout SCBA ............................................................. Self-Contained Breathing Apparatus SG ........................................................................................ Steam Generator SI ......................................................................................... Safety Injection !C$ ............................................................. Safcty lnfcrmsarich oand Ccnrtrel Syztem SPDS ................................................................. Safety Parameter Display System SRO ............................................................................. Senior Reactor Operator TEDE .................................................................. Total Effective Dose Equivalent TOAF ................................................................................. lTop of Active Fuel TSC ............................................................................ Technical Support Center WOG ...................................................................... Westinghouse Owners Group A-3

APPENDIX B - DEFINITIONS The following definitions are taken from Title 10, Code of Federal Regulations, and related regulatory guidance documents. Alert: Events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any releases are expected to be limited to small fractions of the EPA PAG exposure levels. General Emergency: Events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA PAG exposure levels offsite for more than the immediate site area. Notification of Unusual Event (NOUE): Events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs. Site Area Emergency: Events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or malicious acts; 1) toward site personnel or equipment that could lead to the likely failure of or; 2) that prevent effective access to, equipment needed for the protection of the public. Any releases are not expected to result in exposure levels which exceed EPA PAG exposure levels beyond the site boundary. The following are key terms necessary for overall understanding the NEI 99-01 emergency classification scheme. Emergency Action Level (EAL): A pre-determined, observable threshold for an Initiating Condition that, when met or exceeded, places the plant in a given emergency classification level. Emergency Classification Level (ECL): One of a set of names or titles established by the US Nuclear Regulatory Commission (NRC) for grouping off-normal events or conditions according to (1) potential or actual effects or consequences, and (2) resulting onsite and offsite response actions. The emergency classification levels, in ascending order of severity, are:

  • Notification of Unusual Event (NOUE)
  • Alert
  • Site Area Emergency (SAE)
  • General Emergency (GE)

Fission Product Barrier Threshold: A pre-determined, observable threshold indicating the loss or potential loss of a fission product barrier. Initiating Condition (IC): An event or condition that aligns with the definition of one of the four emergency classification levels by virtue of the potential or actual effects or consequences. A-4

Selected terms used in Initiating Condition and Emergency Action Level statements are set in all capital letters (e.g., ALL CAPS). These words are defined terms that have specific meanings as used in this document. The definitions of these terms are provided below. CONFINEMENT BOUNDARY: (Insert a sitz zpzzificz ,,zfiniti"cn .... fo.r-thiz te.rm.) D...**vw.' Noe- The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. CONTAINMENT INTEGRITY: ,Izrt a..."izspecific defiitio fo t,.hiz te-rm.) DeveIepcr N e-The procedurally defined conditions or actions taken to secure containment (prilna.3-er BWR) and its associated structures, systems, and components as a functional o~ecc- ndar for" barrier to fission product release under shutdown conditions. EXPLOSION: A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events may require a post-event inspection to determine if the attributes of an explosion are present. FAULTED: The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized. Dz',£bpcpr Notc -Th:.... i* applizablz tc Pt, cnly.*,, FIRE: Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute FIRES. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed. HOSTAGE: A person(s) held as leverage against the station to ensure that demands will be met by the station. HOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area). HOSTILE FORCE: One or more individuals who are engaged in a determined assault, overtly or by stealth and deception, equipped with suitable weapons capable of killing, maiming, or causing destruction. IMMINENT: The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions. IMPEl)L: E~ntrx' into an area requires extraordinary measures to facilitate entry of personnel into the affected room/area by installing temporary shielding, requiring use of non-routine protective eqtuipment, or rcquesting an extension in dose limits bey ond normal administrative limits. A-5

INDEPENDENT SPENT FUEL STORAGE INSTALLATION (ISFSI): A complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage. (Dry Fuel Storage Facility) tN IAC r: Capable of being pressurized. NOPR.MAL LEVELS: Ac applied t.o rdielogical IC/EA*o, the highest reading in the pact OWNER CONTROLLED AREA: (Incert.. cite cpeeific definition far thic term. D eveleper Note Thzic termzx ic typically, taken to meanz t~he site property owned by, or otherwise under the control of, the licensee. In come acece,it may3 be appropria=te for a licencee to define a smaller 

.hee. om         tco... of theb      .nd..ma be   ...

cignif t"di'acefrom thedPratcte Are). In beoconcictent with the° dezceriptien of+the came a.e..andb.unda. cotie in th.. Seeurt Plan. PROJECTILE: An object directed toward a NPP that could cause concern for its continued operability, reliability, or personnel safety. PROTECTED AREA: (Incert a cit...... i definition,:* fr^ thic ter.m.) Dv.... c Net.. Thic.' term is typically takecn to mean ([he area under continuous access monitoring and control, and armed protection as described in the site Security Plan. REFUELING PATHWAY: The reactor refueling cavit . spent fuel pool and fuel transfer 

                                                                      ^, -er d....pio ch*_ou.^.d canal.(Ir~cc* a cite cpccific definition fcr thi term.) r, .. ,^e.l NeeTi not inclu:ding the...cor....e....

RUPTUJRE(D): The condition of a steam generator in which primary-to-secondary leakage is of to sufficient magnitude to require a safety injection. IDeveloper Note Thic...term applicable-**"-":**' SAFETY SYSTEM: A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related. Dcelpcer Noet Thic term may be modified to include the SECURITY CONDITION: Any Security Event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A SECURITY CONDITION does not involve a HOSTILE ACTION. UNISOLABLE: An open or breached system line that cannot be isolated, remotely or locally. UNPLANNED: A parameter change or an event that is not I) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown. A-6

VISIBLE DAMAGE: Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure. A-7

85 INDEPENDENT SPENT FUEL STORAGE INSTALLATION (ISFSI) ICS/EALS Recognition Category "E" Initiating Condition Matrix UNUSUAL EVENT 

                * --444t-'-U1 Damage to a loaded cask CONFINEMENT BOUNDARY.

Op. Modes: All 65

EU1 ECL: Notification of Unusual Event Initiating Condition: Damage to a loaded cask CONFINEMENT BOUNDARY. Operating Mode Applicability: All Emergency Action Levels: Note: [The on-contact dose rate may be determined based on measurement of a dose rate at some dsacfrmteak (I) Damage to a loaded cask CONFINEMENT BOUNDARY as indicated by ANY of the following afi-on-contact surface radiation readings greater than: (2 :----hz~tz~~ii 1600 mrem/hr at the front bird screen 4 mrem/hr at the door centerline 4 mrem/hr at the end shield wall exterioij Comme-nt [-MiKF43]: V19 NUH OMS--HS-M Dos--e Rates Technical Specification Basis: CONFINEMENT BOUNDARY: The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. This IC addresses an event that results in damage to the CONFINEMENT BOUNDARY of a storage cask containing spent fuel. It applies to irradiated fuel that is licensed for dry storage beginning at the point that the loaded storage cask is sealed in the Horizontal Storage Module. The issues of concern are the creation of a potential or actual release path to the environment, degradation of one or more fuel assemblies due to environmental factors, and configuration changes which could cause challenges in removing the cask or fuel from storage. The existence of "damage" is determined by radiological survey. The technical specification multiple of"2 times", which is also used in Recognition Category R IC RU1, is used here to distinguish between non-emergency and emergency conditions. The emphasis for this classification is the degradation in the level of safety of the spent fuel cask and not the magnitude of the associated dose or dose rate. It is recognized that in the case of extreme damage to a loaded cask, the fact that the "on-contact" dose rate limit is exceeded may be determined based on measurement of a dose rate at some distance from the cask. Security-related events for ISFSIs are covered under ICs HU1 and HAl.

Reference:

Appendix A to Certificate Of Compliance No. 1030 NUHOMS RD System Generic Technical Specifications 5.4.3. 66

06 FISSION PRODUCT BARRIER ICS/EALS Recognition Category "F" Initiating Condition Matrix 67

Fission Product Barrier Table Thresholds for LOSS or POTENTIAL LOSS of Barriers FG1 GENERAL EMERGENCY FSI SITE AREA EMERGENCY FA1 ALERT Loss of any two barriers and Loss or Loss or Potential Loss of any two barriers. Any Loss or any Potential Loss of either Potential Loss of the third barrier, the Fuel Clad or RCS barrier. Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS

1. RCS or SG Tube Leakage 1. RCS or SG Tube Leakage 1.RCS or SG Tube Leakage Not Applicable A. K'orc Cooling (C) A. An automatic or A. Operation of a A. A leaking or Not Applicable CSF - O)RANGE manual F*:G--{S I)... .. m. .. ';,.,
                                                                                                 .             RUPTURED SG is entry conditions me4        actuation is required by     second charging            FAULTED outside of P.CS/r^a:z=r vzaesse keve!      EITHER of the                (-akeep* pump in           containment.                               --,Commented [DWS44]-"V20 CSFST Core Cooling le ......+ l-**-+-
                                          ..           following:                   the naonial charging spee'^i*..-4e.*.,.          1. UNISOLABLE                mode is required by RCS leakage              EITHER of the OR                           following:
2. SGtubeI. UNISOLABLE RUPTURE. RCS leakage OR
2. SG tube leakage.

B. RCS Integrity (P) CSF - RED entry conditions met with RCS press > 300 

                                                                                                                                                    - - - -[ Commented [DWS45]: V21 CSFST Integrity psztuiz-C e!d  term,.

68

Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS

2. Inadequate Heat Removal 2. Inadequate Heat Removal 2. Inadequnate Heat Removal A. More Cooling (C) A. More Cooling (C) Not Applicable A.l H-eat Sink (II) CSIE - Not Applicable --A. [Core Cooling (C)

CSF - RED entry CSF - ORANGE RED entry conditions CSF - RED entry conditions met[ Goe entry conditions met. J e. nd qae,'C conditions met for I5 

         ......... .                      -..........                                                                                            minutes or Ionger.1-l-           ',Conmmented        lDWS471]tV20CSFST Core Cooling
                                                                                                                                                                            -'*        Commented CDWS4O1: V20 CSFST Core Coating B.
  • leat Sink (H) CSF - 2. Rzztc~ratizn RED entry conditions prz.....................
                                                                                                                                                                          -   - -( Commented [DW548J: v 22 CSFST Heei Sink
3. RCS Activity / Containment Radiation 3. RCS Activity / Containment Radiation 3. RCS Activity I Containment Radiation A. Post LOCA Not Applicable A. Post L()CA Radiation Not Applicable Not Applicable A. Post L,(CA Radiation Radiation Monitors Monitors Monitors RM 6576A-l or RM RM 6576A-t or RM RM 6576A-I or RM 6576B- 1 6576B3-I 6576B- I
  > 95 R/hr.                                                    >_ 16 Rihr. Ceo---!mei#                                                              1,305 R/hr.

(^;, . . ..  ;--...I.,,^ 

                                                                                                                                                                          - -   -    ICommented        [DWS51l: V23 EPCALC-tt6-01 -Red Vetoes for OR                                                                                                                                                                                    /Fission Prodoci Berrier Matrix B. RCS activity > 300 uCi/gm Dose Equivalent I1131 as determined per Procedure CS0925.01, Reactor Coolant Post Accident Sampling.

69

Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS

4. Containment Integrity or Bypass 4. Containment Integrity or Bypass 4. Containment Integrity or Bypass Not Applicable Not Applicable Not Applicable Not Applicable A. Containment isolation A. *onntainment (Z) CSF -

is required RED cntry conditions AND 1nIe~tCeninment 

                                                                                                                                                          -  [*Comnmnt:el [DWS52]: V24 CSFST Containment EITHER of the                 (zt            ~ ;,

following: ... ... . .. ,

1. Containment OR integrity has been B. Containment IH2 lost based on conccntration >_6% I
                                                                                                                                                            " lCommented [DWS53]: V t4 H-2concentration in containment t) judgment.           eontainment OR                         OR
2. UNISOLABLE C. I. Containment pathway from the prcssure gfeate4 containment to t8 psi* (ste.-

1l the environmentspifcrcze [ Comrmented [DWS54]: V25 Containment Spray Setpoint exists. OR AND B. Indications of RCS 2. Less than one full leakage outside of train of containment. Conltalnmenlt Btuilding Spray tCI3S (site-operating per design for 15 _________________minutes or longer.

65. Emergc:n.cy DireeterSTED/SED 65. Emcrgrncy, DirectorSTED/SED0 65. Emergencyd Di'rectorSTED/SED 70

Fuel Clad Barrier RCS Barrier Containment Barrier LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS LOSS POTENTIAL LOSS Judgment Judgment Judgment _________ A. ANY condition in A. ANY condition in the A. ANY condition in the A. ANY condition in the A. ANY condition in the A. ANY condition in the the opinion of the opinion of the opinion of the opinion of the opinion of the opinion of the 2 Dif-eeteFSTE'D!S ED DireetefSTEDiS1lD tDireetefSTE DiSEI) DiSeTeP1 )/S1 I) Diree-te*S TElI)iS ED tife-ef*STED/Sl ED that that indicates Loss that indicates that indicates Loss of that indicates that indicates Loss of indicates Potential Loss of the Fuel Clad Potential Loss of the the RCS Barrier. Potential Loss of the the Containment of the Containment Barrier. Fuel Clad Barrier. ____________ RCS Barrier. Barrier. Barrier. 71

Basis Information For Fission Product Barrier Table FUEL CLAD BARRIER THRESHOLDS: The Fuel Clad Barrier consists of the cladding material that contains the fuel pellets.

1. RCS or SG Tube Leakage There is no Loss threshold associated with RCS or SG Tube Leakage.

Potential Loss l.A This reading indicates a reduction in reactor vessel water level sufficient to allow the onset of heat-induced cladding damage.

2. Inadequate Heat Removal Loss 2.A This reading indicates temperatures within the core are sufficient to cause significant superheating of reactor coolant.

Potential Loss 2.A This reading indicates temperatures within the core are sufficient to allow the onset of heat-induced cladding damage. Potential Loss 2.B This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the Fuel Clad Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted. Meeting this threshold results in a Site Area Emergency because this threshold is identical to RCS Barrier Potential Loss threshold 2.A; both will be met. This condition warrants a Site Area Emergency declaration because inadequate RCS heat removal may result in fuel heat-up sufficient to damage the cladding and increase RCS pressure to the point where mass will be lost from the system. As a potential loss indication, developers should consider including a threshold the same as, or similar to, "Core Cooling Orange entry conditions met" in accordance with the guidance at the front of this section. As a potential loss indication, developers should consider including a threshold the same as, or similar to, "Heat Sink Red entry conditions met" in accordance with the guidance at the front of this section.

3. RCS Activity / Containment Radiation Loss 3.A The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals 300gICi/gm dose equivalent I-131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier.

72

The radiation monitor reading in this threshold is higher than that specified for RCS Barrier Loss threshold 3.A since it indicates a loss of both the Fuel Clad Barrier and the RCS Barrier. Note that a combination of the two monitor readings appropriately escalates the emergency classification level to a Site Area Emergency. Loss 3.B This threshold indicates that RCS radioactivity concentration is greater than 300 igCi/gm dose equivalent I- 131. Reactor coolant activity above this level is greater than that expected for iodine spikes and corresponds to an approximate range of 2% to 5% fuel clad damage. Since this condition indicates that a significant amount of fuel clad damage has occurred, it represents a loss of the Fuel Clad Barrier. There is no Potential Loss threshold associated with RCS Activity / Containment Radiation.

4. Containment Integrity or Bypass Not Applicable (included for numbering consistency)
5. .... Ind-i .atizn
                     ^r 6..5. Em.....         Di...e......STED/SED Judgment Loss 6.A This threshold addresses any other factors that may be used by the Emergency Di'eeteSTED/SED in determining whether the Fuel Clad Barrier is lost.

Potential Loss 6.A This threshold addresses any other factors that may be used by the Emnergent7y DieeeSTED/SED) in determining whether the Fuel Clad Barrier is potentially lost. The Em ......... r*:*,ct.....STED/SED" should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored. 73

RCS BARRIER THRESHOLDS: The RCS Barrier includes the RCS primary side and its connections up to and including the pressurizer safety and relief valves, and other connections up to and including the primary isolation valves.

1. RCS or SG Tube Leakage Loss l.A This threshold is based on an UNISOLABLE RCS leak of sufficient size to require an automatic or manual actuation of the Emergency Core Cooling System (ECCS). This condition clearly represents a loss of the RCS Barrier.

This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS leakage through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment. A steam generator with primary-to-secondary leakage of sufficient magnitude to require a safety injection is considered to be RUPTURED. Ifra RUPTURED steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold l.A will also be met. Potential Loss l.A This threshold is based on an UNISOLABLE RCS leak that results in the inability to maintain pressurizer level within specified limits by operation of a normally used charging (makeup) pump, but an ECCS (SI) actuation has not occurred. The threshold is met when an operating procedure, or operating crew supervision, directs that a standby charging (makeup) pump be placed in service to restore and maintain pressurizer level. This threshold is applicable to unidentified and pressure boundary leakage, as well as identified leakage. It is also applicable to UNISOLABLE RCS leakage through an interfacing system. The mass loss may be into any location - inside containment, to the secondary-side (i.e., steam generator tube leakage) or outside of containment. If a leaking steam generator is also FAULTED outside of containment, the declaration escalates to a Site Area Emergency since the Containment Barrier Loss threshold 1.A will also be met. Potential Loss 1.B This condition indicates an extreme challenge to the integrity of the RCS pressure boundary due to pressurized thermal shock - a transient that causes rapid RCS cooldown while the RCS is in Mode 3 or higher (i.e., hot and pressurized).

2. Inadequate Heat Removal There is no Loss threshold associated with Inadequate Heat Removal.

Potential Loss 2.A This condition indicates an extreme challenge to the ability to remove RCS heat using the steam generators (i.e., loss of an effective secondary-side heat sink). This condition represents a potential loss of the RCS Barrier. In accordance with EOPs, there may be unusual accident conditions during which operators intentionally reduce the heat removal capability of the steam generators; during these conditions, classification using threshold is not warranted. 74

Meeting this threshold results in a Site Area Emergency because this threshold is identical to Fuel Clad Barrier Potential Loss threshold 2.B; both will be met. This condition warrants a Site Area Emergency declaration because inadequate RCS heat removal may result in fuel heat-up sufficient to damage the cladding and increase RCS pressure to the point where mass will be lost from the system.

3. RCS Activity / Containment Radiation Loss 3.A The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that reactor coolant activity equals Technical Specification allowable limits. This value is lower than that specified for Fuel Clad Barrier Loss threshold 3.A since it indicates a loss of the RCS Barrier only.

There is no Potential Loss threshold associated with RCS Activity / Containment Radiation.

4. Containment Integrity or Bypass Not Applicable (included for numbering consistency)
5. Othcr Ind'zat'ens Lzcz ondlcr Potential Lzzs 5.A.

&i5. Em:.crgcncy DircetcrSTED!SED Judgment Loss 6.A 

                                                                           .........y This threshold addresses any other factors that may be used by the,.*,..+
     ~Ir-ee*OSTEDJSED in determining whether the RCS Barrier is lost.

Potential Loss 6.A This threshold addresses any other factors that may be used by the*.,. ....... 

                                                                               *.e t~ir-e+eSTED/SED in determining whether the RCS Barrier is potentially lost. The
     ...... nc Di...e......STED/SED should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored.

75

CONTAINMENT BARRIER THRESHOLDS: The Containment Barrier includes the containment building and connections up to and including the outermost containment isolation valves. This barrier also includes the main steam, feedwater, and blowdown line extensions outside the containment building up to and including the outermost secondary side isolation valve. Containment Barrier thresholds are used as criteria for escalation of the ECL from Alert to a Site Area Emergency or a General Emergency.

1. RCS or SG Tube Leakage Loss l.A This threshold addresses a leaking or RUPTURED Steam Generator (SG) that is also FAULTED outside of containment. The condition of the SG, whether leaking or RUPTURED, is determined in accordance with the thresholds for RCS Barrier Potential Loss l.A and Loss I.A, respectively. This condition represents a bypass of the containment barrier.

FAULTED is a defined term within the NEI 99-01 methodology; this determination is not necessarily dependent upon entry into, or diagnostic steps within, an BOP. For example, if the pressure in a steam generator is decreasing uncontrollably [part of the FAULTED definition] and the faulted steam generator isolation procedure is not entered because EOP user rules are dictating implementation of another procedure to address a higher priority condition, the steam generator is still considered FAULTED for emergency classification purposes. The FAULTED criterion establishes an appropriate lower bound on the size of a steam release that may require an emergency classification. Steam releases of this size are readily observable with normal Control Room indications. The lower bound for this aspect of the containment barrier is analogous to the lower bound criteria specified in IC MU3 for the fuel clad barrier (i.e., RCS activity values) and IC MU4 for the RCS barrier (i.e., RCS leak rate values). This threshold also applies to prolonged steam releases necessitated by operational considerations such as the forced steaming of a leaking or RUPTURED steam generator directly to atmosphere to cooldown the plant, or to drive an auxiliary (emergency) feed water pump. These types of conditions will result in a significant and sustained release of radioactive steam to the environment (and are thus similar to a FAULTED condition). The inability to isolate the steam flow without an adverse effect on plant cooldown meets the intent of a loss of containment. Steam releases associated with the expected operation of a SG power operated relief valve or safety relief valve do not meet the intent of this threshold. Such releases may occur intermittently for a short period of time following a reactor trip as operators process through emergency operating procedures to bring the plant to a stable condition and prepare to initiate a plant cooldown. Steam releases associated with the unexpected operation of a valve (z.g., a ....uc,,...... vw,, t ',:* 

                                                         ' ah-) do meet this threshold.

Following an SG tube leak or rupture, there may be minor radiological releases through a secondary-side system component (e.g., air ejezctrz, glad zeal exha.......... .p.cking,* eta-). These types of releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs. The emergency classification levels resulting from primary-to-secondary leakage, with or without a steam release from the FAULTED SG, are sunmmarized below. 76

Affected SG is FAULTED Outside of Containment? P-to-S Leak Rate Yes No Less than or equal to 25 gpm No classification No classification Greater than 25 gpm Unusual Event per Unusual Event per MU4 MU4 Requires operation of a standby-second charging Site Area Emergency Alert per FA 1 (-akup pump (RCS Barrier per FS 1 PotentialLoss) Reqirs n utmaicor Site Area Emergency Alert per FA1 manual ECG-C-{SI) actuation prF (RCS BarrierLoss) prF There is no Potential Loss threshold associated with RCS or SG Tube Leakage.

2. Inadequate Heat Removal There is no Loss threshold associated with Inadequate Heat Removal.

Potential Loss 2.A This condition represents an IMMINENT core melt sequence which, if not corrected, could lead to vessel failure and an increased potential for containment failure. For this condition to occur, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. If implementation of a procedure(s) to restore adequate core cooling is not effective (successful) within 15 minutes, it is assumed that the event trajectory will likely lead to core melting and a subsequent challenge of the Containment Barrier. The restoration procedure is considered "effective" if core exit thermocouple readings are decreasing and/or if reactor vessel level is increasing. Whether or not the procedure(s) will be effective should be apparent within 15 minutes. The Emsergeney Di'eeSTED/SED should escalate the emergency classification level as soon as it is determined that the procedure(s) will not be effective. Severe accident analyses (z.g., NUREG 11!50) have concluded that function restoration procedures can arrest core degradation in a significant fraction of core damage scenarios, and that the likelihood of containment failure is very smail in these events. Given this, it is appropriate to provide 15 minutes beyond the required entry point to determine if procedural actions can reverse the core melt sequence.

3. RCS Activity!/ Containment Radiation There is no Loss threshold associated with RCS Activity / Containment Radiation.

Potential Loss 3.A The radiation monitor reading corresponds to an instantaneous release of all reactor coolant mass into the containment, assuming that 20% of the fuel cladding has failed. This level of fuel clad failure is well above that used to determine the analogous Fuel Clad Barrier Loss and RCS Barrier Loss thresholds. 77

NUREG- 1228, Source Estimations During Incident Response to Severe Nuclear Power PlantAccidents, indicates the fuel clad failure must be greater than approximately 20% in order for there to be a major release of radioactivity requiring offsite protective actions. For this condition to exist, there must already have been a loss of the RCS Barrier and the Fuel Clad Barrier. It is therefore prudent to treat this condition as a potential loss of containment which would then escalate the emergency classification level to a General Emergency.

4. Containment Integrity or Bypass Loss 4.A These thresholds address a situation where containment isolation is required and one of two conditions exists as discussed below. Users are reminded that there may be accident and release conditions that simultaneously meet both thresholds 4.A. 1 and 4.A.2.

4.A. 1 - Containment integrity has been lost, i.e., the actual containment atmospheric leak rate likely exceeds that associated with allowable leakage (or sometimes referred to as design leakage). Following the release of RCS mass into containment, containment pressure will fluctuate based on a variety of factors; a loss of containment integrity condition may (or may not) be accompanied by a noticeable drop in containment pressure. Recognizing the inherent difficulties in determining a containment leak rate during accident conditions, it is expected that the Emergency DirectorSTEDiSED) will assess this threshold using judgment, and with due consideration given to current plant conditions, and available operational and radiological data (e.g., cont.n.. n p........... readings.. n. radition..moitr .. ut.i..

... nt pe~rating sttus cf contai.nment onainm..

Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable (design) containment leakage through various penetrations or system components. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs. 4.A.2 - Conditions are such that there is an UJNISOLABLE pathway for the migration of radioactive material from the containment atmosphere to the environment. As used here, the term "environment" includes the atmosphere of a room or area, outside the containment, that may, in turn, communicate with the outside-the-plant atmosphere-(-eg*. thrug , di.. hargeuof..a.. nilai.... syst m or- atmo.h.ri lekage)... Depending upon a variety of factors, this condition may or may not be accompanied by a noticeable drop in containment pressure. The existence of a filter is not considered in the threshold assessment. Filters do not remove fission product noble gases. In addition, a filter could become ineffective due to iodine and/or particulate loading beyond design limits (i.e., retention ability has been exceeded) or water saturation from steam/high humidity in the release stream. Leakage between two interfacing liquid systems, by itself, does not meet this threshold. Following the leakage of RCS mass into containment and a rise in containment pressure, there may be minor radiological releases associated with allowable (design) containment leakage through various penetrations or system components. Minor releases may also occur if a containment isolation valve(s) fails to close but the containment atmosphere escapes to a closed system. These releases do not constitute a loss or potential loss of containment but should be evaluated using the Recognition Category R ICs. 78

The status of the containment barrier during an event involving steam generator tube leakage is assessed using Loss Threshold 1.A. Loss 4.B Containment sump, temperature, pressure and/or radiation levels will increase if reactor coolant mass is leaking into the containment. If these parameters have not increased, then the reactor coolant mass may be leaking outside of containment (i.e., a containment bypass sequence). Increases in sump, temperature, pressure, flow and/or radiation level readings outside of the containment may indicate that the RCS mass is being lost outside of containment. Unexpected elevated readings and alarms on radiation monitors with detectors outside containment should be corroborated with other available indications to confirm that the source is a loss of RCS mass outside of containment. If the fuel clad barrier has not been lost, radiation monitor readings outside of containment may not increase significantly; however, other unexpected changes in sump levels, area temperatures or pressures, flow rates, etc. should be sufficient to determine if RCS mass is being lost outside of the containment. To ensure proper escalation of the emergency classification, the RCS leakage outside of containment must be related to the mass loss that is causing the RCS Loss and/or Potential Loss threshold 1.A to be met. Potential Loss 4.A If containment pressure exceeds the design pressure, there exists a potential to lose the Containment Barrier. To reach this level, there must be an inadequate core cooling condition for an extended period of time; therefore, the RCS and Fuel Clad barriers would already be lost. Thus, this threshold is a discriminator between a Site Area Emergency and Generai Emergency since there is now a potential to lose the third barrier. Potential Loss 4.B The existence of an explosive mixture means, at a minimum, that the containment atmospheric hydrogen concentration is sufficient to support a hydrogen bumn (i.e., at the lower deflagration limit). A hydrogen burn will raise containment pressure and could result in collateral equipment damage leading to a loss of containment integrity. It therefore represents a potential loss of the Containment Barrier. Potential Loss 4.C This threshold describes a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate, and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible. This threshold represents a potential loss of containment in that containment heat removal/depressurization systems 

    ..... eies) are either lost or performing in a degraded manner.
5. Other !ndieat'ie, 6*5. STED/SED Judgment 79

Loss 6.A This threshold addresses any other factors that may he used by the Emergezey D*f-eefSTED/SED in determining whether the Containment Barrier is lost. Potential Loss 6.A This threshold addresses any other factors that may be used by the Em~ergencey 

  *ieeeSTEDiSED in determining whether the Containment Barrier is potentially lost.

The Emzrgenzy DirzctzrSTEDiSED should also consider whether or not to declare the barrier potentially lost in the event that barrier status cannot be monitored. 80

JL7HAZARDS AND OTHER CONDITIONS AFFECTING PLANT SAFETY ICS/EALS Recognition Category "H" Initiating Condition Matrix GENERAL SITE AREA EMREC EEGNYALERT UNUSUAL EVENT HG1 HOSTILE ACTION HS1 HOSTILE ACTION HAl HOSTILE ACTION HUI Confirmed resulting in loss of physical within the PROTECTED within the OWNER SECURITY CONDITION or control of the facility. AREA. CONTROLLED AREA or threat. Op. Modes: All Op. Modes: All airbomne attack threat within Op. Modes: All 30 minutes. Op. Modes: All HU2 Seismic event greater than OBE levels. Op. Modes: All HU3 Hazardous event. Op. Modes: All HU4 FIRE potentially degrading the level of safety of the plant. Op. Modes: All HA5 Gaseous release impeding access to equipment necessary for normal plant operations, shutdown or cooldown. Op. Modes: All HS6 Inability to control a HA6 Control Room key safety function from evacuation resulting in outside the Control Room, transfer of plant control to Op. Modes: All altemnate locations. _________________Op. Modes: All HtG7 Other conditions HS7 Other conditions HA7 Other conditions HU7 Other conditions exist which in the judgment exist which in the judgment exist which in the judgment exist which in the judgment ofthe E--mesgefie of the E-me-gefle of the Em gene*e of theE, ef-gefle 

   *ieeeSTED/SED warrant           DieeOSTEDiSED warrant              Dir--ei-fSTFD SED warrant      Dir-ee-eSTED/SED warrant declaration of a General           declaration of a Site Area          declaration of as Alert,      declaration of an Unusual Emergency.                         Emergency.                         Op. Modes: All                 Event-(NQ)U*.

Op. Modes: All Op. Modes: All Op. Modes':AII 81

HG1 ECL: General Emergency Initiating Condition: HOSTILE ACTION resulting in loss of physical control of the facility. Operating Mode Applicability: All Emergency Action Levels: (I) a. A HOSTILE ACTION is occurring or has occurred within the PROTECTED AREA as reported by "*h^,,f si'^e,-peeifik ecurity shift supervision). AND

b. EITHER of the following has occurred:

I. ANY of the following safety functions cannot be controlled or maintained. Reciiycontrol RSheat removal OR

2. Damage to spent fuel due to damaged SFP cooling system or loss of SFP integrity has occurred or is IMMINENT.

Basis: HOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. PROTECTED AREA: The area under continuous access monitoring and control, and armed protection as described in the site Security Plan. IMMINENT: The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions. This IC addresses an event in which a HOSTILE FORCE has taken physical control of the facility to the extent that the plant staff can no longer operate equipment necessary to maintain key safety functions. It also addresses a HOSTILE ACTION leading to a loss of physical control that results in actual or IMMINENT damage to spent fuel due to 1) damage to a spent fuel pool cooling system (e.g., pumps, heat ex~ochngera, cc~ntro!L, ctz.) or, 2) loss of spent fuel pool integrity such that sufficient water level cannot be maintained. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan[and Independent Spent Fuel Storage InstallationSecurity Program]. Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be 82

advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security Plan. 83

HG7 ECL: General Emergency Initiating Condition: Other conditions exist which in the judgment of the ~mergencey DiettoFSTED/SED warrant declaration of a General Emergency. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which in the judgmnent of the Emergency DfirecterSTEDiSED indicate that events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels offsite for more than the immediate site area. Basis: This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emcrgezcy tieeofSTEDiSED to fall under the emergency classification level description for a General Emergency. 84

HSl ECL: Site Area Emergency Initiating Condition: HOSTILE ACTION within the PROTECTED AREA. Operating Mode Applicability: All Emergency Action Levels: Note: This Initiating Condition and EA. do not apply to an attack solely on the Dry Fuel Storage Protected Area. An attack on the Dry Fuel Storage Facility Protected Area should be considered an attack within the Ow*ner Controlled Area and classified as an Alert per Initiating Condition ItAI1. (1) A HOSTILE ACTION is occurring or has occurred within the PROTECTED AREA as reported by the (i~e-speeific-security shift supervision) Basis: [tOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment. take IIOSTAGES. and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns. explosives, PROJ ECTIL~s. vehicles, or other devices used to deliver destructive force. Other acts that satisfy' the overall intcnt may be included. IIOSTILI" ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. PROTIECTED AREA: The area tunder continuous access monitoring and control, and armed protection as described in the site Security Plan. This IC addresses the occurrence of a HOSTILE ACTION within the PROTECTED AREA. This event will require rapid response and assistance due to the possibility for damage to plant equipment. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan [and Independent Spent Fuel Storage InstallationSecurity Program]. As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (z.g.,, zvauat,'n, d~tperzal 3r sheltering). The Site Area Emergency declaration will mobilize ORO resources and have them available to develop and implement public protective actions in the unlikely event that the attack is successful in impairing multiple safety functions. This IC does not apply to a HOSTILE ACTION directed at an ISFSI PROTECTED AREA located outside the plant PROTECTED AREA; such an attack should be assessed using IC HA1. It also does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. 85

Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security Plan. Escalation of the emergency classification level would be via IC HG1. 86

HS6 ECL: Site Area Emergency Initiating Condition: Inability to control a key safety function from outside the Control Room. Operating Mode Applicability: All Emergency Action Levels: Note: The Em.rg.n. Di... ec......STED/SED should declare the Site Area Emergency promptly upon determining that (site apceific num,-ber 3115 minutes-) has been exceeded, or will likely be exceeded. (1) a. An event has resulted in plant control being transferred from the Control Room to (zit ..... fi rem.... zhu..+wn p..n.... and Ieal centra,.^ zt++**Safe the Remote Shutdow n components. AND

b. Control of ANY of the following key safety functions is not reestablished within 15 minutes(eite .... ifie number zfminutez).

Recii7control Core cooling RSheat removal Basis: This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations, and the control of a key safety function cannot be reestablished in a timely manner. The failure to gain control of a key safety function following a transfer of plant control to alternate locations is a precursor to a challenge to one or more fission product barriers within a relatively short period of time. The determination of whether or not "control" is established at the remote safe shutdown location(s) is based on Emergency DirecterSTEDiSED judgment. The Emergency DieeoSTED/SE D is expected to make a reasonable, informed judgment within fh-ie epcii tim..................) 15 minutes whether or not the operating staff has control of key safety functions from the remote safe shutdown location(s). Escalation of the emergency classification level would be via IC FGl1 or CGl1. 87

HS7 ECL: Site Area Emergency Initiating Condition: Other conditions exist which in the judgment of the Emergencey Dif-ec-eSTED/SED warrant declaration of a Site Area Emergency. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which in the judgment of the Emergezny DirzectrSTED/SED indicate that events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or malicious acts, (1) toward site personnel or equipment that could lead to the likely failure of or, (2) that prevent effective access to equipment needed for the protection of the public. Any releases are not expected to result in exposure levels which exceed EPA Protective Action Guideline exposure levels beyond the site boundary. Basis: HOSTILE ACTION: An act toward a NI'P or its personnel that includes thc use of violent force to destroy equipment. take HOST AGES. andlor intimidate the licensee to achieve an end. This includes attack by air, land. or wxater using gunls. explosivcs. PROJECTILEs. vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emer*,eaey 

   *ieeeSTED/SED to fall under the emergency classification level description for a Site Area Emergency.

88

HA1 ECL: Alert Initiating Condition: HOSTILE ACTION within the OWNER CONTROLLED AREA or airborne attack threat within 30 minutes. Operating Mode Applicability: All Emergency Action Levels: (1 or 2) (I) A HOSTILE ACTION is occurring or has occurred within the OWNER CONTROLLED AREA or the Dry Fuel Storage Facility as reported by the{(sp,,eecifie-security shift supervision-). OR (2) A validated notification from NRC of an aircraft attack threat within 30 minutes of the site. Basis: t!OSTILE ACTION: An act tow*ard a NPP or its personnel that includes the use of violent forcee to destroy equipment. take HOSTAGES, and/or intimidate the licensee to achieve an end. T'his includes attack by air, land, or wsater using guns. explosi, es. PROJE[CTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. OWNER CONTROLLED AREA: The site propertY owned by. or otherwise under the control otf the licensee. This IC addresses the occurrence of a HOSTILE ACTION within the OWNER CONTROLLED AREA or notification of an aircraft attack threat. This event will require rapid response and assistance due to the possibility of the attack progressing to the PROTECTED AREA, or the need to prepare the plant and staff for a potential aircraft impact. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Training and Qualification Plan, Safeguards Contingency Plan[and Independent Spent Fuel Storage InstallationSecurity Program]. As time and conditions allow, these events require a heightened state of readiness by the plant staff and implementation of onsite protective measures (e.g.,, *v.'acuticn dispersal zr cheltering). The Alert declaration will also heighten the awareness of Offsite Response Organizations, allowing them to be better prepared should it be necessary to consider further actions. This IC does not apply to incidents that are accidental events, acts of civil disobedience, or otherwise are not a HOSTILE ACTION perpetrated by a HOSTILE FORCE. Examples include the crash of a small aircraft, shots from hunters, physical disputes between employees, etc. Reporting of these types of events is adequately addressed by other EALs, or the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. 89

EAL # 1 is applicable for any HOSTILE ACTION occurring, or that has occurred, in the OWNER CONTROLLED AREA. This includes any action directed against an ISFSI that is located outside the plant PROTECTED AREA. EAL #2 addresses the threat from the impact of an aircraft on the plant, and the anticipated arrival time is within 30 minutes. The intent of this BAIL is to ensure that threat-related notifications are made in a timely manner so that plant personnel and OROs are in a heightened state of readiness. This EAL is met when the threat-related information has been validated in accordance with (site specifi prsedeure)site procedurcs. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may be provided by NORAD through the NRC. In some cases, it may not be readily apparent if an aircraft impact within the OWNER CONTROLLED AREA was intentionai (i.e., a HOSTILE ACTION). It is expected, although not certain, that notification by an appropriate Federal agency to the site would clarify this point. In this case, the appropriate federal agency is intended to be NORAD, FBI, FAA or NRC. The emergency declaration, including one based on other ICs/EALs, should not be unduly delayed while awaiting notification by a Federal agency. Escalation of the emergency classification level would be via IC HS 1. 90

HA5 ECL: Alert Initiating Condition: Gaseous release impeding access to equipment necessary for normal plant operations, shutdown or cooldown. Operating Mode Applicability: All Emergency Action Levels: Note: If the equipment in the listed room or area was already inoperable or out-of-service before the event occurred, then no emergency classification is warranted. (1) a. Release of a toxic, corrosive, asphyxiant or flammable gas into anye*-e f,!ellwing-plaentTable H-11rooms or areass. iden*ified)AND

b. Entry into the room or area is prohibited or IMPEDED.

frable Hll - 4( Commented [DWSS5]: V7 TABLE H1 Procedure References Area Mode Primary. Aux Building 25 ft elevation1234 7 ft elevation 

                        - 26 ft elevation Turbiiie Building                            1, 2, 3 Switchgear Rooms Essential                               1.2,.3,4 Non-essential Steam and Feedwater Pipe chases              1. 2. 3 Waste Process Building 25 ft elevation1.3
                        -3 ft elevation1,23
                        -31 ft elevation Containment                                    3, 4 Equipment Vaults                               3, 4 Basis:

IMPEDE: Entry' into an area requires extraordinary' measures to facilitate entry of personnel into the affected room/area by installing temporary shielding, requiring use of non-routine protective equipment. or requesting an extension in dose limits beyond normal administrative limits. This IC addresses an event involving a release of a hazardous gas that precludes or impedes access to equipment necessary to maintain normal plant operation, or required for a normal plant cooldown and shutdown. This condition represents an actual or potential substantial degradation of the level of safety of the plant. 91

An Alert declaration is warranted if entry into the affected room/area is, or may be, procedurally required during the plant operating mode in effect at the time of the gaseous release. The emergency classification is not contingent upon whether entry is actually necessary at the time of the release. Evaluation of the IC and EAL do not require atmospheric sampling; it only requires the Emergency DirectorSTED/SED's judgment that the gas concentration in the affected room/area is sufficient to preclude or significantly impede procedurally required access. This judgment may be based on a variety of factors including an existing job hazard analysis, report of ill effects on personnel, advice from a subject matter expert or operating experience with the same or similar hazards. Access should be considered as impeded if extraordinary measures are necessary to facilitate entry of personnel into the affected room/area (e.g., requiring uoe ot An emergency declaration is not warranted if any of the following conditions apply.

  • The plant is in an operating mode different than the mode specified for the affected room/area (i.e., entry is not required during the operating mode in effect at the time of the gaseous release). For example, the plant is in Mode 1 when the gaseous release occurs, and the procedures used for normal operation, cooldown and shutdown do not require entry into the affected room until Mode 4.
  • The gas release is a planned activity that includes compensatory measures which address the temporary inaccessibility of a room or area (e.g., fir........... so....t.. ting..."
  • The action for which room/area entry is required is of an administrative or record keeping nature (e.g., n..r..l...........r.r..utin ........

on,.

  • The access control measures are of a conservative or precautionary nature, and would not actually prevent or impede a required action.

An asphyxiant is a gas capable of reducing the level of oxygen in the body to dangerous levels. Most commonly, asphyxiants work by merely displacing air in an enclosed environment. This reduces the concentration of oxygen below the normal level of around 19%*, which can lead to breathing difficulties, unconsciousness or even death. This EAL does not apply to firefighting activities that automatically or manually activate a fire suppression system in an area. Escalation of the emergency classification level would be via Recognition Category R, C or F ICs.

References:

OS 1000.03. Plant Shutdown From Minimum Load to I-ot Standby OS 1000.04. Plant Cooldown From Hot Standby to Cold Shutdown 92

HA6 ECL: Alert Initiating Condition: Control Room evacuation resulting in transfer of plant control to alternate locations. Operating Mode Applicability: All Emergency Action Levels: (1) Entry into Procedure 0S1200.02 for control room evacuation ,2 '-event-hae resulted in plant control being transferred from the Control Room ta (site* gpezifiz remote shutdcwn 

       .... l,nd 13a1
                   ,z.,     trzl *tati:z) Remote Safe Shutdown components.

Basis: This IC addresses an evacuation of the Control Room that results in transfer of plant control to alternate locations outside the Control Room. The loss of the ability to control the plant from the Control Room is considered to be a potential substantial degradation in the level of plant safety. Following a Control Room evacuation, control of the plant will be transferred to alternate shutdown locations. The necessity to control a plant shutdown from outside the Control Room, in addition to responding to the event that required the evacuation of the Control Room, will present challenges to plant operators and other on-shift personnel. Activation of the ERO and emergency response facilities will assist in responding to these challenges. Escalation of the emergency classification level would be via IC HS6. 93

HA7 ECL: Alert Initiating Condition: Other conditions exist which in the judgment of the Em~ergency Difeet-fSTED/SED warrant declaration of an Alert. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which, in the judgment of the Emergency DircztorSTEDiSED, indicate that events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any releases are expected to be limited to small fractions of the EPA Protective Action Guideline exposure levels. Basis: HOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment, take H-OSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns. explosives. PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the Emfer'gency DietISTED/SED to fall under the emergency classification level description for an Alert. 94

HU1 ECL: Notification of Unusual Event Initiating Condition: Confirmed SECURITY CONDITION or threat. Operating Mode Applicability: All Emergency Action Levels: (1 or 2 or 3) (I) A SECUPATY CONDITION that does net inve!l'e' a HOSTILE ACTION a*A Code Yellow is reported by the (rite specifiz *zcur'ty zhit supzrv.izion)Security Shift Supervisor. OR (2) Notification of a credible security threat directed at the-si*Scabrook Station. OR (3) A validated notification from the NRC providing information of an aircraft threat. Basis: Code Yellow - SECURITrY CONDITION: An\ Security Event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A SECURITY CONDITION does not involve a HOSTILE ACTION. HOSTILE ACTION: An act tow*ard a NPP or its personnel that includes the use of violent force to destroy' equipment. take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns. explosives. PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HlOSTILE ACTION should not be construed to include acts of civ il disobedience or felonious acts that are not part of a concerted attack on the NPP. This IC addresses events that pose a threat to plant personnel or SAFETY SYSTEM equipment, and thus represent a potential degradation in the level of plant safety. Security events which do not meet one of these EALs are adequately addressed by the requirements of 10 CFR § 73.71 or 10 CFR § 50.72. Security events assessed as HOSTILE ACTIONS are classifiable under ICs HAl, HSI and HG1. Timely and accurate communications between Security Shift Supervision and the Control Room is essential for proper classification of a security-related event. Classification of these events will initiate appropriate threat-related notifications to plant personnel and OROs. Security plans and terminology are based on the guidance provided by NEI 03-12, Template for the Security Plan, Trainingand Qualification Plan, Safeguards Contingency Plan [and Independent Spent Fuel Storage InstallationSecurity Program]. EAL # 1 references (rite wep ifie euwp.....iei,.n)' Security. Shift Supervisor because 

                                 --...... y zh"ifao.,.t" these are the individuals trained to confirm that a security event is occurring or has occurred.

Training on security event confirmation and classification is controlled due to the nature of Safeguards and 10 CFR § 2.390 information. EAL #2 addresses the receipt of a credible security threat. The credibility of the threat is assessed in accordance with (rite zpezife rzcd.....a site prcdrs 95

EAL #3 addresses the threat from the impact of an aircraft on the plant. The NRC Headquarters Operations Officer (HOO) will communicate to the licensee if the threat involves an aircraft. The status and size of the plane may also be provided by NORAD through the NRC. Validation of the threat is performed in accordance with (s'te specific przzea,,rz)site procedures. Emergency plans and implementing procedures are public documents; therefore, EALs should not incorporate Security-sensitive information. This includes information that may be advantageous to a potential adversary, such as the particulars concerning a specific threat or threat location. Security-sensitive information should be contained in non-public documents such as the Security Plan. Escalation of the emergency classification level would be via IC HAl.

References:

0S1290.03. Response to a Security' Event. OS 1290.04. Response to an Airborne Security Event 96

HU2 ECL: Notification of Unusual Event Initiating Condition: Seismic event greater than OBE levels. Operating Mode Applicability: All Emergency Action Levels: (1) Seismic event greater than Operating Basis Earthquake (OBE) as indicated by:

a. *Fhe red "EVENT' light is lit on seismic monitoring control panel 1-SM-CP-58.

AND

b. The yellow "OBE" light is lit on seismic monitoring control panel 1-SM-CP-58.1 - -1 Commented [DWS56J: V27 EC2821S4- Seismiic Monitoring

[System Upgrade OR (2) a. Seismic monitoring system out of service AND

b. Control Room personnel feel an actual or potential seismic event AND
c. The occurrence of a seismic event is confirmed in a manner deemed appropriate by the Shift Manager Basis:

This IC addresses a seismic event that results in accelerations at the plant site greater than those specified for an Operating Basis Earthquake (OBE). An earthquake greater than an OBE but less than a Safe Shutdown Earthquake (SSE) should have no significant impact on safety-related systems, structures and components; however, some time may be required for the plant staff to ascertain the actual post-event condition of the plant (c.g., pzr'fcrm.z wal...k..1 

                                                                                ....... and* pz
                                                                                             ........ n.t.
...... e^-o. Given the time necessary to perform walk-downs and inspections, and fully understand any impacts, this event represents a potential degradation of the level of safety of the plant.

Event verification with external sources should not be necessary during or following an OBE. Earthquakes of this magnitude should be readily felt by on-site personnel and recognized as a seismic event (zg. typi-zal laza 

                            .... ...       ticac
                                              ..... in....... cfO0.g). The Shift Manager or Emergency Di.......STED!SED may seek external verification if deemed appropriate-(e~g.,-a-ea1.

Tcheek*1 int..rn............., etc.); however, the verification action must not te the USS preclude a timely emergency declaration.

Reference:

EC 282184. Seismic Monitoring System Upgrade Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or MA9. 97

HU3 ECL: Notification of Unusual Event Initiating Condition: Hazardous event. Operating Mode Applicability: All Emergency Action Levels: (1 or 2 or 3 or 4-er-4) Note: EAL #4 does not apply to routine traffic impediments such as fog, snow, ice, or vehicle breakdowns or accidents. (1) A tornado strike within the PROTECTED AREA. OR (2) Internal room or area flooding of a magnitude sufficient to require manual or automatic electrical isolation of a SAFETY SYSTEM component needed for the current operating mode. OR (3) Movement of personnel within the PROTECTED AREA is IMPEDED due to an offsite event involving hazardous materials (e.g., an offsite chemical spill er te,xie gac release). OR (4) A hazardous event that results in on-site conditions sufficient to prohibit the plant staff from accessing the site via personal vehicles. Basis: PROTECTED AREA: The area under continuous access monitoring and control, and armed protection as described in the site Security Plan. SAFETY SYSTEM: A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. Systems classified as safety-related. IMPEDE: Entry into an area requires extraordinary measures to facilitate entry+of personnel into the affected room/area by installing temporary, shielding, requiring use of non-routine protective equipment. or requesting an extension in dose limits beyond normal administrative limits. This IC addresses hazardous events that are considered to represent a potential degradation of the level of safety of the plant. EAL # 1 addresses a tornado striking (touching down) within the Protected Area. EAL #2 addresses flooding of a building room or area that results in operators isolating power to a SAFETY SYSTEM component due to water level or other wetting concerns. Classification is also required if the water level or related wetting causes an automatic isolation of a SAFETY SYSTEM component from its power source (.g., '**a breaker or relay t:,rip). To warrant classification, operability of the affected component must be required by Technical Specifications for the current operating mode. 98

EAL #3 addresses a hazardous materials event originating at an offsite location and of sufficient magnitude to impede the movement of personnel within the PROTECTED AREA. EAL #4 addresses a hazardous event that causes an on-site impediment to vehicle movement and significant enough to prohibit the plant staff from accessing the site using personal vehicles. Examples of such an event include site flooding caused by a hurricane, heavy rains, up-river water releases, dam failure, etc., or an on-site train derailment blocking the access road. This EAL is not intended apply to routine impediments such as fog, snow, ice, or vehicle breakdowns or accidents, but rather to more significant conditions such as the Hurricane Andrew strike on Turkey Point in 1992, the flooding around the Cooper Station during the Midwest floods of 1993, or the flooding around Ft. Calhoun Station in 2011. Escalation of the emergency classification level would be based on ICs in Recognition Categories A, F, M or C. 99

HU4 ECL: Notification of Unusual Event Initiating Condition: FIRE potentially degrading the level of safety of the plant. Operating Mode Applicability: All Emergency Action Levels: (1 or 2 or 3 or 4) Notes:

  • The Emzrgzncy DirzzctrSTED/SED should declare the Unusual Event promptly upon determining that the applicable time has been exceeded, or will likely be exceeded.
      *A containment fire alarm is considered valid upon receipt of an actuated alarm on CP-376, combined with any of the following:

o CP 376 panel - Multiple Zones Actuated o Plant Equipment - Spuriously Operating o Containment Temperature - Increasing o Containment Particulate Radiation - Increasing (1) a. A FIRE is NOT extinguished within 15-minutes of ANY of the following FIRE detection indications: IReport from the field (i.e., visual observation) Receipt of multiple (more than 1) fire alarms or indications Field verification of a single fire alarm AND

b. The FIRE is located within ANY-ofthe-fellewifng Table H2 plant rooms or areas:

Fable H21 -{ Commented [DWS57]: V28 Verification of Fire Areas Condensate Storage Tank Enclosure 

                  .....                                      Fuel Storage Building
                  ...C'ontainment                            Primary Auxiliary Building Control Building                          Service Water Pump House
                  'Cooling Tower                             Steam and Feedwater Pipe Chases

[Diesel Generator Building North Tank Farm Emergency Feedwater Pump House Startup Feedwater Pump Area Equipment Vault ________________ OR (2) a. Receipt of a single fire alarm (i.e., no other indications of a FIRE). AND

b. The FIRE is located within ANY of the Table H-2f-ottewing plant rooms or areas except Containment (see note above):

AND

c. The existence of a FIRE is not verified within 30-minutes of alarmn receipt.

OR (3) A FIRE within the plant PROTECTEI) AREA or SS4Dry Fuel Storage Facility{-fi plantz.... ith on ,IFSIcu.÷id. ,thepan Protected .,Area] POnTEC,-TE,*D, ARE not extinguished within 60-minutes of the initial report, alarm or indication. OR 100

(4) A FIRE within the plant PROTECTED AREA ef* uorv.~t '- th pa. :t Pro:t:etedArea] PROTECTED .AREA that requires firefighting support by an offsite fire response agency to extinguish. Basis: FIRE: Combustion characterized by heat and light. Sources of smoke such as slipping drixe belts or overheated electrical equipment do not constitute FIRES. Observation of flamle is preferred but is NOT required if large quantities of smoke and heat are observed. PROTECTED AREA: The area under continuous access monitoring and control, and armed protection as described in the site Security Plan. This IC addresses the magnitude and extent of FIRES that may be indicative of a potential degradation of the level of safety of the plant. With regard to containment lire alanms, there is constant air movement in containment due to the operation of the CAH system. T'he operating cooling units are drawing air to the units past the smoke detectors. It can reasonably be expected that a fire that burns for 15 minutcs wvould produce suf'ficient products of combustion to cause fire detectors in multiple zones to alarm. EAL #1 The intent of the 15-minute duration is to size the FIRE and to discriminate against small FIRES that are readily extinguished (e.g., m.c.dering* 

                                      ..       .......... paper bae.ket)*,.In addition to alarms, other indications of a FIRE could be a drop in fire main pressure, automatic activation of a suppression system, etc.

Upon receipt, operators will take prompt actions to confirm the validity of an initial fire alarm, indication, or report. For EAL assessment purposes, the emergency declaration clock starts at the time that the initial alarm, indication, or report was received, and not the time that a subsequent verification action was performed. Similarly, the fire duration clock also starts at the time of receipt of the initial alarm, indication or report. EAL #2 This EAL addresses receipt of a single fire alarm, and the existence of a FIRE is not verified (i.e., proved or disproved) within 30-minutes of the alarm. Upon receipt, operators will take prompt actions to confirm the validity of a single fire alarm. For EAL assessment purposes, the 30-minute clock starts at the time that the initial alarm was received, and not the time that a subsequent verification action was performed. A single fire alarm, absent other indication(s) of a FIRE, may be indicative of equipment failure or a spurious activation, and not an actual FIRE. For this reason, additional time is allowed to verify, the validity of the alarm. The 30-minute period is a reasonable amount of time to determine if an actual FIRE exists; however, after that time, and absent information to the contrary, it is assumed that an actual FIRE is in progress. If an actual FIRE is verified by a report from the field, then EAL #1 is immediately applicable, and the emergency must be declared if the FIRE is not extinguished within 15-minutes of the report. If the alarm is verified to be due to an equipment failure or a spurious activation, and this verification occurs within 30-minutes of the receipt of the alarm, then this EAL is not applicable and no emergency declaration is warranted. EAL #3 101

In addition to a FIRE addressed by EAL # 1 or EAL #2, a FIRE within the plant PROTECTED AREA not extinguished within 60-minutes may also potentially degrade the level of plant safety. This basis extends to a FIRE occurring within the PROTECTED AREA of the Dry Fuel Storage Facility. EAL #4 If a FIRE within the plant PROTECTED AREA or is of sufficient size to require a response by an offsite firefighting agency (e.g., a lecal tv':,n Fire Depa....m.nt), then the level of plant safety is potentially degraded. The dispatch of an offsite firefighting agency to the site requires an emergency declaration only if it is needed to actively support firefighting efforts because the fire is beyond the capability of the Fire Brigade to extinguish. Declaration is not necessary if the agency resources are placed on stand-by, or supporting post-extinguishment recovery or investigation actions. Basis-Related Requirements from Appendix R Appendix R to 10 CFR 50, states in part: Criterion 3 of Appendix A to this part specifies that "Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions." When considering the effects of fire, those systems associated with achieving and maintaining safe shutdown conditions assume major importance to safety because damage to them can lead to core damage resulting from loss of coolant through boil-off. Because fire may affect safe shutdown systems and because the loss of function of systems used to mitigate the consequences of design basis accidents under post-fire conditions does not per se impact public safety, the need to limit fire damage to systems required to achieve and maintain safe shutdown conditions is greater than the need to limit fire damage to those systems required to mitigate the consequences of design basis accidents. In addition, Appendix R to 10 CFR 50, requires, among other considerations, the use of 1-hour fire barriers for the enclosure of cable and equipment and associated non-safety circuits of one redundant train (G.2.c). As used in EAL #2, the 30-minutes to verify' a single alarm is well within this worst-case 1-hour time period. Depending upon the plant mode at the time of the event, escalation of the emergency classification level would be via IC CA6 or MA9. 102

HU7 ECL: Notification of Unusual Event Initiating Condition: Other conditions exist which in the judgment of the ...... gef... DifeetefSTED/SED warrant declaration of ana Unusual Event(O4)UE. Operating Mode Applicability: All Emergency Action Levels: (1) Other conditions exist which in the judgment of the ........ y ir*: 

                                                                               ......           SE indicate that events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs.

Basis: This IC addresses unanticipated conditions not addressed explicitly elsewhere but that warrant declaration of an emergency because conditions exist which are believed by the*,, E ........*,ey 

   *ieeeSTED/SED to fall under the emergency classification level description for a NOUE.

103

UL8SYSTEM MALFUNCTION ICS/EALS Recognition Category "M" Initiating Condition Matrix GENERAL EMERGENCY SITE AREA EMERGENCY ALERT UNUSUAL EVENT MG1 Prolonged loss of all MSI Loss of all offsite and MA1 Loss of all but one MU1 Loss of all offsite AC offsite and all onsite AC all onsite AC power to AC power source to power capability to emergency power to emergency buses, emergency buses for 15 emergency buses for 15 buses for 15 minutes or longer. Op. Modes: 1, 2, 3, 4 minutes or longer. minutes or longer. Op. Modes: 1, 2, 3. 4 ______________ Op. Modes: 1,2, 3, 4 Op. Modes: 1, 2, 3, 4 MA2 UNPLANNED loss MIU2 UNPLANNED loss of Control Room indications of Control Room indications for 15 minutes or longer with a for 15 minutes or longer. significant transient in Op. Modes: 1, 2, 3, 4 progress. Op. Modes: 1, 2, 3, 4 MUJ3 Reactor coolant activity greater than Technical Specification allowable limits. Op. Modes: 1, 2, 3, 4 MU4 RCS leakage for 15 minutes or longer. Op. Modes: 1, 2, 3, 4 M.S5 Inability to shutdown MA5 Automatic or manual MU5 Automatic or manual the reactor to neutron flux < trip falls to shutdown the trip falls to shutdown the 5% causing a challenge to core reactor to neutron flux <5%, reactor *o neutron flux < 5o/1 Coamamented [DWS58]: V29 CSFST Subcriticality cooling or RCS heat removal, and subsequent manual actions Op. Modes: 1 Op. Modes: 1 taken at the Main Control B~oardrczectz, r ceriSz cznzzlcz are not successful in shutting down the reactor. Op. Modes': I MU6 Loss of all onstte or offsite conmmunications capabilities. Op. Modes: 1, 2, 3, 4 MU7 Failure to isolate contaimnment or loss of containment pressure control. Op. Modes: 1, 2, 3, 4 MG8 Loss of all AC and MS8 Loss of all Vital DC Vttal DC power sources for 15 power for 15 minutes or minutes or longer, longer. Op. Modes: 1, 2, 3, 4 Op. Modes: 1, 2, 3, 4 MA9 Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode. ____________________Op. Modes: 1, 2, 3. 4 ___________ 104

MG1 ECL: General Emergency Initiating Condition: Prolonged loss of all offsite and all onsite AC power to emergency buses. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: T eS AN... [,6..(...t..STED/SED shmulrgenclar b he GnrlEmrecpopl Rpn estoratniong ofhatleasite one AC emers enc busen lxeeess ta hours wisno belikely omnedEW5] 2 0Cpn fu ctoreCona()CFRDlnr.odiin e Thi1 I addresse apoflogdLos offst anALL onieA sourcesTt power AC emergency buses. oso l ACpoe copoisEs the prormane ofoalloSFTYSSEMieuiigelcrc:oe including those necessary for emergency core cooling, containment beat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A prolonged loss of these buses will lead to a loss of one or more fission product barriers. In addition, fission product barrier monitoring capabilities may be degraded under these conditions. The EAL should require declaration of a General Emergency prior to meeting the thresholds for IC FG1. This will allow additional time for implementation of offsite protective actions. Escalation of the emergency classification from Site Area Emergency will occur if it is projected that power cannot be restored to at least one AC emergency bus by the end of the analyzed station blackout coping period. Beyond this time, plant responses and event trajectory are subject to greater uncertainty, and there is an increased likelihood of challenges to multiple fission product barriers. The estimate for restoring at least one emergency bus should be based on a realistic appraisal of the situation. Mitigation actions with a low probability of success should not be used as a basis for delaying a classification upgrade. The goal is to maximize the time available to prepare for, and implement, protective actions for the public. The EAL will also require a General Emergency declaration if the loss of AC power results in parameters that indicate an inability to adequately remove decay heat from the core. This Initiating Condition is not met if either Bus E5 or E6 is energized from the Supplemental Emergency Power System (SEPS). 105

The SEPS primlary function is to supply power to one 4.16 kV emergency bus, EDE-SWG-5 (E5) or EDE-SWG-6 (E6), in the event of a loss-of-offsite-power (LOOP) and both EDGs fail to start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of service for up to fourteen days. SEPS can be used when it is anticipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOT) of 72 hours. The design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI, CBS, CVI, CI, etc.). In addition to providing power to the required loads, the total combined output of the SEPS system can supply either the RHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03 -007. The SEPS consists of two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically starting, synchronizing together and energizing the SEPS electrical bus. The SEPS design requires a "dead bus" transfer back to an offsite power source, i.e., the emergency bus powered by SEPS must be dc-energized before restoring offsite power. For power restoration from the SEPS, both SEPS diesel generator sets must be functional. The use of the SEPS is recognized in the Emergency Operating Procedures

Reference:

UFSAR Section 8.3.1, AC Power Systems 106

MG8 ECL: General Emergency Initiating Condition: Loss of all AC and Vital DC power sources for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note:

  • The Emergency DirecterSTED/SED should declare the General Emergency promptly upon deternining that 15 minutes has been exceeded, or will likely be exceeded.
      *For a bus to be considered energized from SEPS, both SEPS diesel generator sets must be functional.

(1) a. Loss of ALL offsite and ALL onsite AC power to BOTH AC emergency buses E5 AND E6 (ste;, ...... ... .. b,...e for 15 minutes or longer. i emergency* AND

b. Indicated voltage is less than (sitzpe zie'fiz bueu:cltage ...lue) 105 V on ALL (eite-s,peeifie Vital DC buses-) 11 A. 11 B, 11 C and lID for 15 minutes or longer.

Basis: This IC addresses a concurrent and prolonged loss of both AC and Vital DC power. A loss of all AC power compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. A loss of Vital DC power compromises the ability to monitor and control SAFETY SYSTEMS. A sustained loss of both AC and DC power will lead to multiple challenges to fission product barriers. Fifteen minutes was selected as a threshold to exclude transient or momentary power losses. The 15-minute emergency declaration clock begins at the point when both EAL thresholds are met. This Initiating Condition is not met if either Bus E5 or E6 is energized from the Supplemental Emergency Power System (SEPS). The SEPS primary, function is to supply power to one 4.16 kV emergency bus. EDE-SWG-5 (ES) or EDE-SWG-6 (E6), in the event of a loss-of-offsite-power (LOOP) and both EDGs fail to start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of service for up to fourteen days. SEPS can be used when it is anticipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOT) of 72 hours. The design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI. CBS, CVI. CI, etc.). In addition to providing powver to the required loads, the total combined output of the SEPS system can supply either the RIHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03 -007. The SEPS consists of two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically 107

starting, synchronizing together and energizing the SEPS electrical bus. The SEPS design requires a "dead bus" transfer back to an offsite power source, i.e., the emergency bus powered by SEPS must be de-energized before restoring offsite power. For power restoration from the SE PS. both SEPS diesel generator sets must be functional. T'he use of the SEPS is recognized in the Emergency Operating Procedures

Reference:

UJFSAR Section 8.3.1. AC Power Systems 108

MS1 ECL: Site Area Emergency Initiating Condition: Loss of all offsite and all onsite AC power to emergency buses for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note:

  • The Emergency DirectcrS~l:DiSEiD should declare the Site Area Emergency promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded.
  • For a bus to be considered energized from SEPS. both SEPS diesel generator sets must be functional.

(1) Loss of ALL offsite and ALL onsite AC power to B(YTI- AC emergency buses E5 AND 

             .........pzii E6(rt                       buz for 15 minutes or longer.

Basis: This IC addresses a total loss of AC power that compromises the performance of all SAFETY SYSTEMS requiring electric power including those necessary for emergency core cooling, containment heat removal/pressure control, spent fuel heat removal and the ultimate heat sink. In addition, fission product barrier monitoring capabilities may be degraded under these conditions. This IC represents a condition that involves actual or likely major failures of plant functions needed for the protection of the public. Fifteen minutes was selected as a threshold to exclude transient or momentary power losses. Escalation of the emergency classification level would be via ICs RG1, FG1 or MGI. This Initiating Condition is not met if either Bus E5 or E6 is energized from the Supplemental Emergency Power System (SEPS). The SEPS primar, function is to supply power to one 4.16 kV emergency bus. EDE-SWG-5 (E5) or EDE-SWG-6 (E6), in the event of a loss-of-ofk~ite-power (LOOP) and both ED~s fail to start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of serxice for up to fourteen days. SEPS can be used when it is antieipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOT) of 72 hours. The design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI. CBS. CVI. Cl. etc.). In addition to providing power to the required loads, the total combined output of the SEPS system can supply either the RHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03-007. The SEPS consists of two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically starting. synchronizing together anid energizing the SEPS electrical bus. The SEPS design 109

requires a 'dead bus" transfer back to an offsite power source. i.e.. the emergency bus powered by SEPS must be dc-energized before restoring offsite power. For power restoration from the SEPS, both SEPS diesel generator sets must be functional. The use of the SEPS is recognized in the Emergency Operating Procedures

Reference:

UFSAR Section 8.3.1, AC Power Systems 110

MS5 ECL: Site Area Emergency Initiating Condition: Inability to shutdown the reactor to neutron flux < 5% causing a challenge to core cooling or RCS heat removal. Operating Mode Applicability: 1 Emergency Action Levels: (1) a. An automatic or manual trip did not shutdown the reactor to neutron flux < 5%. AND

b. All manual actions to shutdown the reactor have been unsuccessful.

AND

c. EITHER of the following conditions exist:

Core Coolin* (C CSF RED entr 'conditions met. -. -( -ICommented[DWS6O]: V20CSFST CoreCooling I -eat SinI* (H) CS[ RED entry: conditions met. I- - ICommentlxd DWS6]: V22 CSFSTHeat sink q 

                  ...t. vpeii
                          .............. of a~n inabiit te adequatel remoe hea..t'°  f.rem*....th core)

(Sit....zpeifi i.ndicatic of an inabi!lty te nadequn....y remove heat fr th.. R.pCS) Basis: This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, all subsequent operator actions to manually shutdown the reactor are unsuccessful, and continued power generation is challenging the capability to adequately remove heat from the core and/or the RCS. This condition will lead to fuel damage if additional mitigation actions are unsuccessful and thus warrants the declaration of a Site Area Emergency. In some instances, the emergency classification resulting from this ICiEAL may be higher than that resulting from an assessment of the plant responses and symptoms against the Recognition Category F ICs/EALs. This is appropriate in that the Recognition Category F ICs/EALs do not address the additional threat posed by a failure to shutdown the reactor. The inclusion of this IC and EAL ensures the timely declaration of a Site Area Emergency in response to prolonged failure to shutdown the reactor. A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria. Escalation of the emergency classification level would be via IC RGI1 or FGI1. 111

MS8 ECL: Site Area Emergency Initiating Condition: Loss of all Vital DC power for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: INote: The EmerTgen*c, DirectzrSTED/SED should declare the Site Area Emergency promptly I upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) Indicated voltage is less thar* 105 Vkzite spezific b"u° v'ltagz .,al.) on ALL vital DC 

                                                                                                   -. - Commented [DWS62]: VI8 UFSAR 83.2 - Dcv 105 limit
                                         .. zccifiz " i....l rDC*buses-) for 15 minutes or longer.

buses ItIA. 1liB.* lIC and I ID(Z*i' Basis: This IC addresses a loss of Vital DC power which compromises the ability to monitor and control SAFETY SYSTEMS. In modes above Cold Shutdown, this condition involves a major failure of plant functions needed for the protection of the public. Fifteen minutes was selected as a threshold to exclude transient or momentary power losses. Escalation of the emergency classification level would be via ICs RGI1, FGl1 or MG8. 112

MA1 ECL: Alert Initiating Condition: Loss of all but one AC power source to emergency buses for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Notes:

  • The Emergency DirectorSTEI)/SED should declare the Alert promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded.
  • For a bus to be considered energized from SEPS. both SEPS diesel generator sets must be functional.

(1) &---AC power capability to BOTH AC emergency, buses E5 AND E6*st-:...... ewi.ve' em~ergeney-buseS) is reduced to a single power source for 15 minutes or longer. Basis: SAFETY SYSTEM: A system required tbr safe plant operation, cooling dowxn the plant and/or placing it in the cold shutdown condition, including the ECCS. Systems classified as safety-related. This IC describes a significant degradation of offsite and onsite AC power sources such that any additional single failure would result in a loss of all AC power to SAFETY SYSTEMS. In this condition, the sole AC power source may be powering one, or more than one, train of safety-related equipment. This IC provides an escalation path from IC MU1. An "AC power source" is a source recognized in AOPs and EOPs, and capable of supplying required power to an emergency bus. Some examples of this condition are presented below.

  • A loss of all offsite power with a concurrent failure of all but one emergency power source (e~.,an enratr) nste ieel
   *Aloss of all offsite power and loss of all emergency power sources (e.g., ansite diesel gneliftefsr)- with a single train of emergency buses being back-fed from the unit main generator.
  • A loss of emergency power sources (e.g., onsite .i...l g, .........) with a single train of emergency buses being back-fed from an offsite power source.

Fifteen minutes was selected as a threshold to exclude transient or momentary losses of power. Escalation of the emergency classification level would be via IC MS1. This Initiating Condition is not met if either Bus ES or E6 is energized from the Supplemental Emergency Power System (SEPS). The SEPS primary function is to supply power to one 4.16 kV emergency bus. EDE-SWG-5 (E5) or EDE-SWG-6 (E6). in the event of a loss-of-off site-power (LOOP) and both EDGs fail to 113

start and load. In addition (SEPS) provides back up power to the emergency buses when one of the emergency diesel generators (EDG) is out of service for up to fourteen days. SEPS can be used when it is anticipated that one of the EDGs will be inoperable for longer than the technical specification allowable outage time (AOl) of 72 hours. Thle design of the SEPS is capable of providing the required safety-related loads in the event of a loss of offsite power if both emergency diesel generators fail to start and load. During these events it is assumed that there is no seismic event or an event that requires safeguards actuation (SI. CBS, CVI, Ct, etc.). Inl addition to providing power to the required loads, the total combined output of the SEPS sy'stem can supply either the RHR pump or the SI pump and one set of pressurizer heaters. These design conditions are based on Probabilistic Risk Evaluation (PRA) EE-03 -007. The SEPS consists of 1two 4.16 kV generators which use diesel fuel engines as the prime mover. The generator sets (gensets) SEPS-DG-2-A and SEPS-DG-2-B are capable of automatically starting, synchronizing together and energizing the SEPS electrical bus. The SEPS design requires a "dead bus" transfer back to an offsite power source, i.e., the emergency bus powered by SEPS must be de-energized before restoring offsite power. For power restoration fr'om the SEPS. both SEPS diesel generator sets must be functional. The use of the SEPS is recognized inl the Emergency Operating Procedures

Reference:

UFSAR Section 8.3.1. AC Power Systems 114

MA2 ECL: Alert Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer with a significant transient in progress. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note: The Em...rg,.n..y Dire.....STED/SED should declare the Alert promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) a. An UNPLANNED event results in the inability to monitor one or more of the following parameters from within the Control Room for 15 minutes or longer. Reactor Power R-GS-Pressurizer Level RCS Pressure kn-Gore*Core Exit or RCS Temperature Levels in at least (site specific numnber)two steam generators Steam Generator Auxiliary-er Emergency Feed Water Flow AND

b. ANY of the following transient events in progress.

Automatic or manual runback greater than 25% thermal reactor power Electrical load rejection greater than 25% full electrical load Reactor trip SI actuation Basis: UNPLANNED: A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown. This IC addresses the difficulty associated with monitoring rapidly changing plant conditions during a transient without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. During this condition, the margin to a potential fission product barrier challenge is reduced. It thus represents a potential substantial degradation in the level of safety of the plant. As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room. An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated guidance in NUREG-1022) to determine if an NRC event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency 115

pian implementing procedures addressing emergency classification, accident assessment, or protective action decision-making. This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other SAFETY SYSTEM parameters nriay be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well. Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication. Escalation of the emergency classification level would be via ICs FS 1 or IC RS 1. 116

MA5 ECL: Alert Initiating Condition: Automatic or manual trip fails to shutdown the reactor to neutron tlux < 5%, and subsequent manual actions taken at the reactor ...... l c..... s^ " Control Board are not successful in shutting down the reactor. Operating Mode Applicability: 1 Emergency Action Level: Note: A manual action is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies. (1) a_ An automatic or manual trip did not shutdown the reacto4 to neutron flUX < 5%* - "{Commete [DWS631: V29 CSFST Subcriticality AND

b. Manual actions taken at the ............... zcncal:aMCB are not successful in shutting down the reactor.

Basis: This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and subsequent operator manual actions taken at the r-eaetef central zcnczlezMCB to shutdown the reactor are also unsuccessful. This condition represents an actual or potential substantial degradation of the level of safety of the plant. An emergency declaration is required even if the reactor is subsequently shutdown by an action taken away from the ............... ccnzalzcMC[B since this event entails a significant failure of the RPS. A manual action at the reactor contral ccnzz~z*MCB is any operator action, or set of actions, tzr* initiating a manual.. ...... which causes the control rods to be rapidly inserted into the core (e.g.,..,...*÷ trIp). This action does not include manually driving in control rods or implementation of boron injection strategies. If this action(s) is unsuccessful, operators would immediately pursue additional manual actions at locations away from the reaztor zcntr-! ... onolvMCB(e.g eea14y -- 

      "- '-** .. *Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "a th eeet-e*

e-onseteMCB5". The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If the failure to shutdown the reactor is prolonged enough to cause a challenge to the core cooling or RCS heat removal safety functions, the emergency classification level will escalate to a Site Area Emergency via IC MS5. Depending upon plant responses and symptoms, escalation is also possible via IC FS1I. Absent the plant conditions needed to meet either IC MS5 or FS1I, an Alert declaration is appropriate for this event. It is recognized that plant responses or symptoms may also require an Alert declaration in accordance with the Recognition Category F ICs; however, this IC and EAL are included to ensure a timely emergency declaration. A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria. 117

MA9 ECL: Alert Initiating Condition: Hazardous event affecting a SAFETY SYSTEM needed for the current operating mode. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1) a. The occurrence of ANY of the following hazardous events: Seismic event (earthquake) Internal or"external flooding event High winds or tornado strike FIRE EXPLOSION Other events with similar hazard characteristics as determined by the Shift Manager AND

b. EITHER of the following:
1. Event damage has caused indications of degraded performance in at least one train of a SAFETY SYSTEM needed for the current operating mode.

OR

2. The event has caused VISIBLE DAMAGE to a SAFETY SYSTEM component or structure needed for the current operating mode.

Basis: SAFETY SYSTEM: A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition. including the ECCS. Systems classified as safety-related. FIRE: Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute FIRES. Observation of flame is preferred but is NOT required if large quantities of smoke and beat are observed. EXPLOSION: A rapid. violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding. arcing. etc.) should not automatically be considered an explosion. Such events may require a post-event inspection to determine if the attributes of an explosion are present. VISIBLE DAMAGE: Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure. This IC addresses a hazardous event that causes damage to a SAFETY SYSTEM, or a structure containing SAFETY SYSTEM components, needed for the current operating mode. This condition significantly reduces the margin to a loss or potential loss of a fission product barrier, and therefore represents an actual or potential substantial degradation of the level of safety of the plant. 118

EAL 1.b. 1 addresses damage to a SAFETY SYSTEM train that is in service/operation since indications for it will be readily available. The indications of degraded performance should be significant enough to cause concern regarding the operability or reliability of the SAFETY SYSTEM train. EAL 1.b.2 addresses damage to a SAFETY SYSTEM component that is not in service/operation or readily apparent through indications alone, or to a structure containing SAFETY SYSTEM components. Operators will make this determination based on the totality of available event and damage report information. This is intended to be a brief assessment not requiring lengthy analysis or quantification of the damage. Escalation of the emergency classification level would be via IC FS 1 or RS 1. 119

MU1 ECL: Notification of Unusual Event Initiating Condition: Loss of all offsite AC power capability to emergency buses for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note:.Th Emrnz ... re......STED/SED should declare the Unusual Event promptly upon I determining that 15 minutes has been exceeded, or will likely be exceeded.I (1) Loss of ALL offsite AC power capability to BOTH AC emergency buses [5 AND E6(*ite zpecific ...... ..nzs b,.. ) for 15 minutes or longer. Basis: This IC addresses a prolonged loss of offsite power. The loss of offsite power sources renders the plant more vulnerable to a complete loss of power to AC emergency buses. This condition represents a potential reduction in the level of safety of the plant. For emergency classification purposes, "capability" means that an offsite AC power source(s) is available to the emergency buses, whether or not the buses are powered from it. Fifteen minutes was selected as a threshold to exclude transient or momentary losses of offsite power. Escalation of the emergency classification level would be via IC MA1. 120

MU2 ECL: Notification of Unusual Event Initiating Condition: UNPLANNED loss of Control Room indications for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: Note: The Emergency Direct*orSTEI)/SED should declare the Unusual Event promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) An UNPLANNED event results in the inability to monitor one or more of the following parameters from within the Control Room for 15 minutes or longer. Reactor Power RC::,-Pressurizer Level RCS Pressure 4n-,ei-eA~ore Exit Temperature Levels in at ..... (st fi num...... t*,...:,...t**least steam generators Steam Generator Awuliiy.'e,'fo Emergency Feed Water Flow Basis: UNPLANNED: A parameter change or an event that is not 1) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown. This IC addresses the difficulty associated with monitoring normal plant conditions without the ability to obtain SAFETY SYSTEM parameters from within the Control Room. This condition is a precursor to a more significant event and represents a potential degradation in the level of safety of the plant. As used in this EAL, an "inability to monitor" means that values for one or more of the listed parameters cannot be determined from within the Control Room. This situation would require a loss of all of the Control Room sources for the given parameter(s). For example, the reactor power level cannot be determined from any analog, digital and recorder source within the Control Room. An event involving a loss of plant indications, annunciators and/or display systems is evaluated in accordance with 10 CFR 50.72 (and associated gnidance in NUREG-1022) to determine if an NRC event report is required. The event would be reported if it significantly impaired the capability to perform emergency assessments. In particular, emergency assessments necessary to implement abnormal operating procedures, emergency operating procedures, and emergency plan implementing procedures addressing emergency classification, accident assessment, or protective action decision-making. This EAL is focused on a selected subset of plant parameters associated with the key safety functions of reactivity control, core cooling and RCS heat removal. The loss of the ability to determine one or more of these parameters from within the Control Room is considered to be more significant than simply a reportable condition. In addition, if all indication sources for one or more of the listed parameters are lost, then the ability to determine the values of other 121

SAFETY SYSTEM parameters may be impacted as well. For example, if the value for reactor vessel level cannot be determined from the indications and recorders on a main control board, the SPDS or the plant computer, the availability of other parameter values may be compromised as well. Fifteen minutes was selected as a threshold to exclude transient or momentary losses of indication. Escalation of the emergency classification level would be via IC MA2. 122

MU3 ECL: Notification of Unusual Event Initiating Condition: Reactor coolant activity greater than Technical Specification allowable limits. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1 or 2) specific vke.... czcitiz mdiaticn menlter)-reading greater than 2,670 mRlhr,-site- 1 S-[ Commented Monitor Value [DWS64]: V30OEPCALC-06 Letdown OR (2) Sample analysis indicates that a reactor coolant activity value is greater thax* the Limiting Condition for Operation (LCO)nn allewa.ble limit specified in Technical Specifications 3.4.8 Reactor Coolant System Specific Activity]. [ Commented [DWS65]: V31 TS 3.4.8 Specific Activity Basis: This IC addresses a reactor coolant activity value that exceeds an allowable limit specified in Technical Specifications. This condition is a precursor to a more significant event and represents a potential degradation of the level of safety of the plant. Escalation of the emergency classification level would be via ICs FA1 or the Recognition Category R ICs. 123

MU4 ECL: Notification of Unusual Event Initiating Condition: RCS leakage for 15 minutes or longer. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1 or 2 or 3) Note: The Emergency Di.......STEDiSED should declare the Unusual Event promptly upon determining that 15 minutes has been exceeded, or will likely be exceeded. (1) RCS unidentified or PRESSURE BOUNDARY LEAKAGE greater than to; ...... i, vekie~1 0 gpm for 15 minutes or longer. OR (2) RCS IDENTIFIED LEAKAGE greater than (*itzep....f"c.... e)2 gp fr 5 inte or longer. OR (3) Leakage from the RCS to a location outside containment greater than 25 gpm for 15 minutes or longer. Basis: II)ENTIFIED LEAKAGE

a. Leakage (except CONTROLLED LEAKAGE) into closed systems, such as pump seal or valve packing leaks that arc captured and conducted to a sumnp or collecting tank, or
b. Leakage into the containment atmosphere from sources that are both specifically located and knowvn either not to interfere w*ith thc operation of Leakage tDetection Systems or not to be P~RESSURE BOUNDARY LEAKAGE. or
c. Reactor Coolant System leakage through a steamn generator to the Secondary Coolant System (primary to secondary leakage).

PRESSURE BOUNDARY LEAKAGE

a. PRESSURE BOUND)ARY LEAKAGE shall bc leakage (except primary to secondary leakage) through a nonisolable thult in a Reactor Coolant System component body, pipe wall, or vessel wall.

This IC addresses RCS leakage which may be a precursor to a more significant event. In this case, RCS leakage has been detected and operators, following applicable procedures, have been unable to promptly isolate the leak. This condition is considered to be a potential degradation of the level of safety of the plant. EAL #1 and EAL #2 are focused on a loss of mass from the RCS due to "unidentified leakage", 

"prsueboundary leakage" or "identified leakage" (as these leakage types are defined in the plant Technical Specifications). EAL #3 addresses a RCS mass loss caused by an UNISOLABLE leak through an interfacing system. These EALs thus apply to leakage into the
                                         ........... n, generat-r t.ube leakage...in a PWR) or a containment, a secondary-side system (e.g,.,

location outside of containment. 124

The leak rate values for each EAL were selected because they are usually observable with normal Control Room indications. Lesser values typically require time-consuming calculations to determine (z.g., a maz balo:nce zaoulaticn). EAL #1 uses a lower value that reflects the greater significance of unidentified or pressure boundary leakage. The release of mass from the RCS due to the as-designed/expected operation of a relief valve does not warrant an emergency classification. For PWRs, an emergency classification would be required if a mass loss is caused by a relief valve that is not functioning as designed/expected The 15-minute threshold duration allows sufficient time for prompt operator actions to isolate the leakage, if possible. Escalation of the emergency classification level would be via ICs of Recognition Category R or F. 125

MU5 ECL: Notification of Unusual Event Initiating Condition: Automatic or manual trip fails to shutdown the reactor to neutron flux < 5%. Operating Mode Applicability: 1 be rapidly inserted into the core, and does not include manually driving in control rods or implementation of boron injection strategies. Emergency Action Levels: (1 or 2) (1) a. An automatic trip did not shutdown the reacto4 to neutron flux < 504q - -{ Commented [DW566]: V29 CSFST Suberiticality AND

b. A subsequent manual action taken at the reactor control ......... MCB is successful in shutting down the reactor.

OR (2) a. A manual trip did not shutdown the reactor to neutron flux < 5%. AND

b. EITHER of the following:

I. A subsequent manual action taken at the rea~ .................... MCB is successful in shutting down the reactor. OR

2. A subsequent automatic trip is successful in shutting down the reactor.

Basis: This IC addresses a failure of the RPS to initiate or complete an automatic or manual reactor trip that results in a reactor shutdown, and either a subsequent operator manual action taken at the reactor contrcl zonsce~e MCB or an automatic trip is successful in shutting down the reactor. This event is a precursor to a more significant condition and thus represents a potential degradation of the level of safety of the plant. Following the failure on an automatic reactor trip, operators will promptly initiate manual actions at the rzactzr czntrc, ccnzolez MCB to shutdown the reactor (z.g., initiatc a manual° reactor trip). If these manual actions are successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems. If an initial manual reactor trip is unsuccessful, operators will promptly take manual action at another location(s) on the ........................ MCB to shutdown the reactor-(e~g.,-initiate-a manual rea.... trip)* ..zing adi.........itch) Depending upon several factors, the initial or subsequent effort to manually trip the reactor, or a concurrent plant condition, may lead to the generation of an automatic reactor trip signal. If a subsequent manual or automatic trip is successful in shutting down the reactor, core heat generation will quickly fall to a level within the capabilities of the plant's decay heat removal systems. 126

A manual action at the MCB is any operator action, or set of actions, which causes the control rods to be rapidly inserted into the core c.g. initi...tin. manu.l..........ri.. Ths cio.de not include manually driving in control rods or implementation of boron injection strategies. Actions taken at back-panels or other locations within the Control Room, or any location outside the Control Room, are not considered to be "at the MCB". The plant response to the failure of an automatic or manual reactor trip will vary based upon several factors including the reactor power level prior to the event, availability of the condenser, performance of mitigation equipment and actions, other concurrent plant conditions, etc. If subsequent operator manual actions taken at the MCB are also unsuccessful in shutting down the reactor, then the emergency classification level will escalate to an Alert via IC MA5. Depending upon the plant response, escalation is also possible via IC FA 1. Absent the plant conditions needed to meet either IC MA5 or FAI, an Unusual Event declaration is appropriate for this event. A reactor shutdown is determined in accordance with applicable Emergency Operating Procedure criteria Should a reactor trip signal be generated as a result of plant work (z.g., RpS pe.... : ...... )- the following classification guidance should be applied.

  • If the signal causes a plant transient that should have included an automatic reactor trip and the RPS fails to automatically shutdown the reactor, then this IC and the EALs are applicable, and should be evaluated.
  • If the signal does not cause a plant transient and the trip failure is determined through other zzmn f........... ,, then this IC and the EALs are not applicable and no mean:....g.

classification is warranted. 127

MU6 ECL: Notification of Unusual Event Initiating Condition: Loss of all onsite or offsite communications capabilities. Operating Mode Applicability: 1,2, 3, 4 Emergency Action Levels: (1 or 2 or 3) (1) Loss of ALL of the following onsite communication methods: In-Plant (PBX) Telephones Gai-Tronics Plant Radio System OR (2) Loss of ALL of the following ORO communications methods: Nuclear Alert System (NAS) Backup NAS All plant telephones Cellular telephones OR (site epezifie list of zommunientions methods) (3) Loss of ALL of the following NRC communications methods: Emergency Notitication System (ENS) All plant telephones FTS telephones in the TSC Cellular telephones Basis: This IC addresses a significant loss of on-site or offsite communications capabilities. While not a direct challenge to plant or personnel safety, this event warrants prompt notifications to OROs and the NRC. This IC should be assessed only when extraordinary means are being utilized to make owne .. uim.nt r.l.. ing of:on sit communications possible (e.g., us of. no pl....t pr ...' ....... EAL #1 addresses a total loss of the communications methods used in support of routine plant operations. 128

EAL #2 addresses a total loss of the communications methods used to notify all OROs of an emergency declaration. The OROs referred to here are the Common\* eaith of Massachusetts and State of New Hampshire. EAL #3 addresses a total loss of the communications methods used to notify the NRC of an emergency declaration. 129

MU7 ECL: Notification of Unusual Event Initiating Condition: Failure to isolate containment or loss of containment pressure control. Operating Mode Applicability: 1, 2, 3, 4 Emergency Action Levels: (1 or 2) (1) a. Failure of containment to isolate when required by an actuation signal. AND

b. ALL required penetrations are not closed within 15 minutes of the actuation signal.

OR (2) a. Containment pressure greater than 11I8 psi4site :pzcific ..... 

                                                                             ,urc),.               .. - -{ Commented [DWS67]: V25 Containment Spray Seipoint AND
b. Less than one full train of Containinent Building Spray (CBS) (site-specifie
                   ...... ,guim.....t) is operating per design for 15 minutes or longer.

oytz Basis: This IC addresses a failure of one or more containment penetrations to automatically isolate (close) when required by an actuation signal. It also addresses an event that results in high containment pressure with a concurrent failure of containment pressure control systems. Absent challenges to another fission product barrier, either condition represents potential degradation of the level of safety of the plant. For EAL #1, the containment isolation signal must be generated as the result on an off-normal/accident conditioni (e.g., a zafety in~jzcticn cr high............. p...... ; a,failure resulting from testing or maintenance does not warrant classification. The determination of containment and penetration status - isolated or not isolated - should be made in accordance with the appropriate criteria contained in the plant AOPs and EOPs. The 15-minute criterion is included to allow operators time to manually isolate the required penetrations, if possible. EAL #2 addresses a condition where containment pressure is greater than the setpoint at which containment energy (heat) removal systems are designed to automatically actuate, and less than one full train of equipment is capable of operating per design. The 15-minute criterion is included to allow operators time to manually start equipment that may not have automatically started, if possible. The inability to start the required equipment indicates that containment heat removalidepressurization systems (e.g., zcntain,"ent zprayz zr ice cendeneer fane) are either lost or performing in a degraded manner. This event would escalate to a Site Area Emergency in accordance with IC FSI if there were a concurrent loss or potential loss of either the Fuel Clad or RCS fission product barriers. 130

APPENDIX A - ACRONYMS AND ABBREVIATIONS AC ........................................................... Alternating Current AOP..................................................................... Abnormal Operating Procedure ATWS............................................................ Anticipated Transient Without Scram & .................................................................................ab k......Bco P............................................................................. Babling ater Reactor CE......................................................................................valen lIT ...................................................................... Bzo Code~tc ofnFedealz Regulations CM iN T.................................................................................Continmen CSF.............................................................................. Boriinal Safty Function CDEST.................................................................Crtcommittedy DosetiEquivaluTent DBCFR ...........................................................................Cd ofFDerinaliReuAtcioens DCT.....C....................................................................................Continmturent CSF.............................................................................CEmritclgaety FuctionLel ECSF T..............................................Cica 

             ..................                                                                             Safetgny FuCtiColngStatstree DBA........................................................................                                         esign BlasisiAcca DEer                      identLve DCF............................................................................                                                       ecatin Fcuilety DirrecyO EAL.......................................................................Emergency                                       Oeactiong              Lroevuel ECCS..................................................................Emeirgneny CoreColeciong                             l                  Sysemc ECL...............................................................Emergency.......Classification........                                        LEve EG....................................................................... Emergency OPerato nsrFacidlity EP!P............................................................. Emergency                                               p~erating Procedure O~.':!

EPA........................................................................ Environmental Proetio Agencyo PG...................................................................... g....... Pr....... ur....G..........E PRt .................................................................... Eere:yD.......Ezuhnr Pe _.. Re.,ter PRMA...........................................................Fedrl EmtriecyPwe Maaementc Agncyiu FSRG......................................................................Eminrgenafety Analysiu Relont FEMA...........................................................................Fedneral EmergencyMage ntA nc FSAR..................................................................Final....Safety....Analysis....Reportl" GE ........................................................................... ... G enperaltEmrgencym 

..................................................................................................                                                     H PCT..................................................................... HeaiCg                                    ait Tremu        erCeatur Lneimit IC..................................................................................Initatin                                                .Conitio ID..............................................................................................mete ID..................................................................................Inside.....Diameter..

ISFSI....................... Independent Spent Fuel Storage Installation (Dry Fuel Storage Facility) A-I

Keff............................................................ Effective Neutron Multiplication Factor LCO ................................................................... Limiting Condition of Operation LOCA ......................................................................... Loss of Coolant Accident MC-RMCBl.................................................................... Main Control R-oeml3oard MSIV ....................................................................... Main Steam Isolation Valve MSL ..................................................................................... Main Steam Line mR, mRem, mrem, mREM........................................... milli-Roentgen Equivalent Man MW .............................................................................................. Megawatt NEI ............................................................................. Nuclear Energy Institute NPP .................................................................................. Nuclear Power Plant NRC................................................................... Nuclear Regulatory Commission NSSS..................................................................... Nuclear Steam Supply System NORAD............................................... North American Aerospace Defense Command N.................................................................................... O...................... 

         ...............................................................................................                                                     NP*

OBE......................................................................... Operating Basis Earthquake OCA.............................................................................. Owner Controlled Area ODCMIODAM....................................... Offsite Dose Calculation-( ............. Manual ORO .................................................................... Off-site Response Organization PA .......................................................................................... Protected Area ACS .......................................... Pri.crity ctuation

.... n ....

ntrz , ... t PAG......................................................................... Protective Action Guideline C ............................................................................... d...................m PRA ............................ Probabilistic Risk Assessment/'Prebab+iliztiz Safety"A.z;esmen~t PWR ......................................................................... Pressurized Water Reactor S......................................................................................... prztecticn Sct.... PSIG .................................................................... Pounds per Square Inch Gauge R.................................................................................................. Roentgen CC .............................................................................. P.Reactzr Ce~ntrc! Console CIC ................................................. Reactor Ccre 'zc!lat'en Ceeding RCS.............................................................................. Reactor Coolant System Rem, rem, REM ............................................................. Roentgen Equivalent Man ETS ................................................... P.Radiclecgical Efflu-ent Techni5cal Specificationc+ RPS........................................................................... Reactor Protection System RPV............................................................................. Reactor Pressure Vessel RVLIS .................................................. Reactor Vessel Level Instrumentation System WCU ............................................................................ P.Rcactor Wlater Clca.nupa SAR .............................................................................. Safety Analysis Report SAS..............................................SCafety Aut....... :-SyztemSccondary Alarm Station + 4nU?.I^RC ".'a. .. prJ-.......-zr zrga.n:'zatine. zf +thz Nue1ear Enezrgy Inz:'.++t3 (NEt). A-2

SBO ............................................................ Station Blackout SCBA ............................................................. Self-Contained Breathing Apparatus SG ........................................................................................ Steam Generator SI ......................................................................................... Safety Injection !C$ ............................................................. Safcty lnfcrmsarich oand Ccnrtrel Syztem SPDS ................................................................. Safety Parameter Display System SRO ............................................................................. Senior Reactor Operator TEDE .................................................................. Total Effective Dose Equivalent TOAF ................................................................................. lTop of Active Fuel TSC ............................................................................ Technical Support Center WOG ...................................................................... Westinghouse Owners Group A-3

APPENDIX B - DEFINITIONS The following definitions are taken from Title 10, Code of Federal Regulations, and related regulatory guidance documents. Alert: Events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of HOSTILE ACTION. Any releases are expected to be limited to small fractions of the EPA PAG exposure levels. General Emergency: Events are in progress or have occurred which involve actual or IMMINENT substantial core degradation or melting with potential for loss of containment integrity or HOSTILE ACTION that results in an actual loss of physical control of the facility. Releases can be reasonably expected to exceed EPA PAG exposure levels offsite for more than the immediate site area. Notification of Unusual Event (NOUE): Events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection has been initiated. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs. Site Area Emergency: Events are in progress or have occurred which involve actual or likely major failures of plant functions needed for protection of the public or HOSTILE ACTION that results in intentional damage or malicious acts; 1) toward site personnel or equipment that could lead to the likely failure of or; 2) that prevent effective access to, equipment needed for the protection of the public. Any releases are not expected to result in exposure levels which exceed EPA PAG exposure levels beyond the site boundary. The following are key terms necessary for overall understanding the NEI 99-01 emergency classification scheme. Emergency Action Level (EAL): A pre-determined, observable threshold for an Initiating Condition that, when met or exceeded, places the plant in a given emergency classification level. Emergency Classification Level (ECL): One of a set of names or titles established by the US Nuclear Regulatory Commission (NRC) for grouping off-normal events or conditions according to (1) potential or actual effects or consequences, and (2) resulting onsite and offsite response actions. The emergency classification levels, in ascending order of severity, are:

  • Notification of Unusual Event (NOUE)
  • Alert
  • Site Area Emergency (SAE)
  • General Emergency (GE)

Fission Product Barrier Threshold: A pre-determined, observable threshold indicating the loss or potential loss of a fission product barrier. Initiating Condition (IC): An event or condition that aligns with the definition of one of the four emergency classification levels by virtue of the potential or actual effects or consequences. A-4

Selected terms used in Initiating Condition and Emergency Action Level statements are set in all capital letters (e.g., ALL CAPS). These words are defined terms that have specific meanings as used in this document. The definitions of these terms are provided below. CONFINEMENT BOUNDARY: (Insert a sitz zpzzificz ,,zfiniti"cn .... fo.r-thiz te.rm.) D...**vw.' Noe- The barrier(s) between spent fuel and the environment once the spent fuel is processed for dry storage. CONTAINMENT INTEGRITY: ,Izrt a..."izspecific defiitio fo t,.hiz te-rm.) DeveIepcr N e-The procedurally defined conditions or actions taken to secure containment (prilna.3-er BWR) and its associated structures, systems, and components as a functional o~ecc- ndar for" barrier to fission product release under shutdown conditions. EXPLOSION: A rapid, violent and catastrophic failure of a piece of equipment due to combustion, chemical reaction or overpressurization. A release of steam (from high energy lines or components) or an electrical component failure (caused by short circuits, grounding, arcing, etc.) should not automatically be considered an explosion. Such events may require a post-event inspection to determine if the attributes of an explosion are present. FAULTED: The term applied to a steam generator that has a steam leak on the secondary side of sufficient size to cause an uncontrolled drop in steam generator pressure or the steam generator to become completely depressurized. Dz',£bpcpr Notc -Th:.... i* applizablz tc Pt, cnly.*,, FIRE: Combustion characterized by heat and light. Sources of smoke such as slipping drive belts or overheated electrical equipment do not constitute FIRES. Observation of flame is preferred but is NOT required if large quantities of smoke and heat are observed. HOSTAGE: A person(s) held as leverage against the station to ensure that demands will be met by the station. HOSTILE ACTION: An act toward a NPP or its personnel that includes the use of violent force to destroy equipment, take HOSTAGES, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using guns, explosives, PROJECTILEs, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included. HOSTILE ACTION should not be construed to include acts of civil disobedience or felonious acts that are not part of a concerted attack on the NPP. Non-terrorism-based EALs should be used to address such activities (i.e., this may include violent acts between individuals in the owner controlled area). HOSTILE FORCE: One or more individuals who are engaged in a determined assault, overtly or by stealth and deception, equipped with suitable weapons capable of killing, maiming, or causing destruction. IMMINENT: The trajectory of events or conditions is such that an EAL will be met within a relatively short period of time regardless of mitigation or corrective actions. IMPEl)L: E~ntrx' into an area requires extraordinary measures to facilitate entry of personnel into the affected room/area by installing temporary shielding, requiring use of non-routine protective eqtuipment, or rcquesting an extension in dose limits bey ond normal administrative limits. A-5

INDEPENDENT SPENT FUEL STORAGE INSTALLATION (ISFSI): A complex that is designed and constructed for the interim storage of spent nuclear fuel and other radioactive materials associated with spent fuel storage. (Dry Fuel Storage Facility) tN IAC r: Capable of being pressurized. NOPR.MAL LEVELS: Ac applied t.o rdielogical IC/EA*o, the highest reading in the pact OWNER CONTROLLED AREA: (Incert.. cite cpeeific definition far thic term. D eveleper Note Thzic termzx ic typically, taken to meanz t~he site property owned by, or otherwise under the control of, the licensee. In come acece,it may3 be appropria=te for a licencee to define a smaller 

.hee. om         tco... of theb      .nd..ma be   ...

cignif t"di'acefrom thedPratcte Are). In beoconcictent with the° dezceriptien of+the came a.e..andb.unda. cotie in th.. Seeurt Plan. PROJECTILE: An object directed toward a NPP that could cause concern for its continued operability, reliability, or personnel safety. PROTECTED AREA: (Incert a cit...... i definition,:* fr^ thic ter.m.) Dv.... c Net.. Thic.' term is typically takecn to mean ([he area under continuous access monitoring and control, and armed protection as described in the site Security Plan. REFUELING PATHWAY: The reactor refueling cavit . spent fuel pool and fuel transfer 

                                                                      ^, -er d....pio ch*_ou.^.d canal.(Ir~cc* a cite cpccific definition fcr thi term.) r, .. ,^e.l NeeTi not inclu:ding the...cor....e....

RUPTUJRE(D): The condition of a steam generator in which primary-to-secondary leakage is of to sufficient magnitude to require a safety injection. IDeveloper Note Thic...term applicable-**"-":**' SAFETY SYSTEM: A system required for safe plant operation, cooling down the plant and/or placing it in the cold shutdown condition, including the ECCS. These are typically systems classified as safety-related. Dcelpcer Noet Thic term may be modified to include the SECURITY CONDITION: Any Security Event as listed in the approved security contingency plan that constitutes a threat/compromise to site security, threat/risk to site personnel, or a potential degradation to the level of safety of the plant. A SECURITY CONDITION does not involve a HOSTILE ACTION. UNISOLABLE: An open or breached system line that cannot be isolated, remotely or locally. UNPLANNED: A parameter change or an event that is not I) the result of an intended evolution or 2) an expected plant response to a transient. The cause of the parameter change or event may be known or unknown. A-6

VISIBLE DAMAGE: Damage to a component or structure that is readily observable without measurements, testing, or analysis. The visual impact of the damage is sufficient to cause concern regarding the operability or reliability of the affected component or structure. A-7}}

Retrieved from "https://kanterella.com/w/index.php?title=SBK-L-15120,_Independent_Spent_Fuel_Storage_Installation_(ISFSI)_Ics/Eals&oldid=2444944"