ML21130A064

0 to Updated Final Safety Analysis Report, USAR Appendix G, Nuclear Safety Operational Analysis
Site: Cooper
Issue date: 04/21/2021
From: Nebraska Public Power District (NPPD)
To: Office of Nuclear Reactor Regulation
Shared Package: ML21130A114
References: NLS2021013

USAR APPENDIX G NUCLEAR SAFETY OPERATIONAL ANALYSIS

1.0 ANALYTICAL OBJECTIVE
2.0 APPROACH TO OPERATIONAL NUCLEAR SAFETY
2.1 Comprehensiveness of the Analysis
2.2 Systematic Approach to the Analysis
2.3 Relationship of the NSOA to the Station Safety Analysis
2.4 Relationship of the NSOA to Safety-Related Structures, Systems and Components
2.4.1 Regulatory Definition of Safety-Related
2.4.2 Methodology to Identify Safety-Related Structures, Systems, Components and Parts
2.4.3 Safety-Related Function Identification
2.4.4 Major Accidents
2.4.5 Design Basis Events
2.5 Unacceptable Results
2.6 Nuclear Safety Operational Criteria
2.7 Origin of Unacceptable Results and Nuclear Safety Operational Criteria
2.8 Plant Functions
2.9 Event Acceptance Limits
3.0 METHOD OF ANALYSIS
3.1 BWR Operating States
3.2 Selection of Events for Analysis
3.2.1 Planned Operations
3.2.2 Abnormal Operational Transients
3.2.3 Accidents
3.2.4 Special Events
3.3 Applicability of Events to Operating States
3.4 Rules for Event Analysis
3.5 Steps in Preparing Protection Sequence, Auxiliary System and Commonality Diagrams
4.0 DISPLAY OF NUCLEAR SAFETY OPERATIONAL ANALYSIS RESULTS
4.1 Protection Sequence, Auxiliary System and Commonality Diagrams
5.0 NUCLEAR SAFETY OPERATIONAL ANALYSIS FOR CNS
5.1 Auxiliary Systems
5.2 Planned Operations
5.2.1 Radioactive Material Release Control
5.2.2 Core Coolant Flow Control Rate Control
5.2.3 Core Power Level Control
5.2.4 Core Neutron Flux Distribution Control
5.2.5 Reactor Vessel Water Level Control
5.2.6 Reactor Vessel Pressure Control
5.2.7 Nuclear System Temperature Control
5.2.8 Nuclear System Water Quality Control
5.2.9 Nuclear System Leakage Control
5.2.10 Core Reactivity Control
5.2.11 Rod Worth Control
5.2.12 Refueling Restrictions
5.2.13 Primary Containment Temperature and Pressure Control
5.2.14 Stored Fuel Shielding, Cooling, and Reactivity Control
5.2.15 Ultimate Heat Sink Availability
5.2.16 Maintain Reactor Coolant Pressure Boundary Integrity
5.2.17 Maintain Coolable Geometry
5.2.18 Initial and Extended Core Cooling
5.3 Abnormal Operational Transients
5.4 Accidents
5.5 Special Events
5.6 Remainder of Nuclear Safety Operational Analysis
6.0 CONCLUSIONS

USAR APPENDIX G LIST OF FIGURES (At end of Appendix G)

Figure No. Title
G-2-2 Block Diagram for Nuclear Safety Operational Analysis
G-4-1 Format for Protection Sequence Diagrams - Planned Operation
G-4-2 Format for Protection Sequence Diagrams - Events
G-4-3 Format for Auxiliary System Diagrams
G-4-4 Format for Commonality Diagrams
G-5-1 Auxiliary Systems for Front-Line Systems
G-5-2 Auxiliary Systems for Front-Line Systems
G-5-3 Auxiliary Systems for Front-Line Systems
G-5-4 Auxiliary Systems for Other Auxiliary Systems
G-5-5 Commonality Diagrams
G-5-6 Commonality Diagrams
G-5-7 Commonality Diagrams
G-5-8 Commonality Diagrams
G-5-9 Commonality Diagrams
G-5-10 Commonality Diagrams
G-5-11 Protection Sequences for Planned Operation in State A
G-5-12 Protection Sequences for Planned Operation in State B
G-5-13 Protection Sequences for Planned Operation in State C
G-5-14 Protection Sequences for Planned Operation in State D
G-5-15 Protection Sequences for Planned Operation in States A, B, C & D
G-5-16 Protection Sequences for Turbine Trip or Generator Load Rejection with Bypass
G-5-17 Protection Sequences for Turbine Trip or Generator Load Rejection without Bypass
G-5-18 Protection Sequences for Isolation of All Main Steam Lines
G-5-19 Protection Sequences for Isolation of One Main Steam Line
G-5-20 Protection Sequences for Loss of Condenser Vacuum
G-5-21 Protection Sequences for Loss of Feedwater Heating
G-5-22 Protection Sequences for Shutdown Cooling (RHRS) Malfunction - Temperature Decrease
G-5-23 Protection Sequences for Inadvertent HPCI Pump Start
G-5-24 Protection Sequences for Control Rod Withdrawal Error
G-5-25 Protection Sequences for Pressure Regulator Failure - Open
G-5-26 Protection Sequences for Inadvertent Opening of a Safety or Relief Valve
G-5-27 Protection Sequences for Loss of Feedwater Flow
G-5-28 Protection Sequences for Loss of Off-Site Power
G-5-29 Protection Sequences for Recirculation Flow Controller Failure - Decreasing Flow
G-5-30 Protection Sequences for Trip of One Recirculation Pump
G-5-31 Protection Sequences for Trip of Two Recirculation Pumps
G-5-32 Protection Sequences for Recirculation Flow Controller Failure - Increasing Flow
G-5-33 Protection Sequences for Start-Up of Idle Recirculation Pump
G-5-34 Protection Sequences for Loss of Shutdown Cooling
G-5-35 Protection Sequences for Feedwater Controller Failure - Maximum Demand
G-5-36 Protection Sequences for Control Rod Drop Accident
G-5-37 Protection Sequences for Pipe Breaks Inside Primary Containment - Sheet 1
G-5-38 Protection Sequences for Pipe Breaks Inside Primary Containment - Sheet 2
G-5-39 Protection Sequences for Fuel Handling Accident
G-5-40 Protection Sequences for Pipe Breaks Outside Primary Containment - Sheet 1
G-5-41 Protection Sequences for Pipe Breaks Outside Primary Containment - Sheet 2
G-5-42 Protection Sequences for Recirculation Pump Seizure
G-5-43 Protection Sequences for Fuel Loading Error
G-5-44 Protection Sequences for Shutdown From Outside the Control Room
G-5-45 Protection Sequences for Shutdown Without Control Rods
G-5-46 Protection Sequences for Anticipated Transients Without SCRAM
G-5-47 Protection Sequences for Station Blackout

USAR APPENDIX G LIST OF TABLES

Table No. Title
G-3-1 BWR Operating States
G-4-1 Events Applicable in Each BWR Operating State

USAR APPENDIX G - NUCLEAR SAFETY OPERATIONAL ANALYSIS

1.0 ANALYTICAL OBJECTIVE

The objective of the Nuclear Safety Operational Analysis (NSOA) is to provide a consistent and systematic approach to plant safety. The purpose of the NSOA is to provide a methodology for establishing the plant safety requirements at the systems level. Once the systems level safety requirements have been established, further evaluation of the plant requirements can be made. This methodology is used to (1) identify the functions, and the systems that provide those functions that are relied upon to prevent or mitigate the events discussed in the station safety analyses (USAR Section XIV); (2) demonstrate that those functions and systems are available and adequate to avoid the unacceptable consequences for those events; (3) provide a systems level/qualitative-type Failure Modes and Effects Analysis (FMEA) of the functions and systems to show compliance with the single active component failure or single operator error criteria; (4) identify which systems are safety-related (essential) and which are non-safety-related (non-essential), definition provided in Section G-2.4; and (5) integrate and demonstrate that the safety design bases discussed throughout the USAR are appropriate and adequate.

In meeting the above goals, one of the original purposes of the NSOA was to provide an analytical basis for what plant equipment and parameters should be included in the proposed CNS Technical Specifications and what their limitations on operation should be. This historical purpose was rendered obsolete with the issuance of the CNS Technical Specifications by the Atomic Energy Commission in 1974.

There is a difference between the Nuclear Safety Operational Analysis (NSOA), which provides the basis for finding essentiality, and the station safety analyses (USAR Section XIV). Although the events analyzed are equivalent to each other, the analyses of Section XIV represent a real response of the station under certain limiting assumptions; whereas the NSOA identifies all essential protection sequences and the detailed hardware systems essential to satisfying the nuclear safety operational criteria. The NSOA represents essential station response. Chapter XIV provides the detailed analyses of the "worst cases" which correspond to one protection sequence for each event. Nuclear system pressure or radioactivity release is primarily consequence oriented while the NSOA is protection sequence oriented as well as consequence oriented. Therefore, the NSOA and station safety analyses need to be considered together in order to achieve a complete picture of how the station satisfies the nuclear safety operational criteria.

The NSOA and station safety analyses are also utilized as inputs for equipment classification in addition to other regulatory and program requirements. Equipment safety classification criteria are provided by CNS procedure.

The NSOA, in conjunction with system design analyses and station safety analyses results, can provide a basis for 10CFR50.59 evaluations and changes in Technical Specifications, and can ensure the adequacy of station operating procedures, maintenance procedures, and operator training programs.

Thus, the objective of the NSOA is to provide a methodology that can be used to judge plant safety.

Key terms used in this appendix are defined in USAR Section I, "Introduction and Summary."

G-1-1 08/03/00

2.0 APPROACH TO OPERATIONAL NUCLEAR SAFETY

It is the objective of the NSOA to establish a consistent set of nuclear safety requirements for Cooper Nuclear Station (CNS) that are based on specified measures of nuclear safety. The measures so specified are the broadest specific safety considerations that represent conscious, reasoned judgements of the relationship between public risk and benefit. For the purposes of the NSOA, nuclear safety means the required systems must be available to satisfy the requirements of the specified measure of safety.

The specified measures of safety used in this analysis are called unacceptable results. They provide the basis for specific event acceptance limits used as the figures of merit in the station safety analysis. The specific event acceptance limits are analytically determinable limits of the consequences of different kinds of plant events and are dependent on event probability. Thus, the combination of the NSOA and the station safety analysis is event consequence oriented.

The NSOA ensures consistency by a systematic analysis of events using a consistent set of event evaluation criteria and analysis rules.

2.1 Comprehensiveness of the Analysis

One objective of this analysis is to be comprehensive. This means that the analysis must be sufficiently broad in method such that (1) all plant hardware is considered and (2) the full range of plant operating conditions is considered. It is recognized that there is a fallacy in preoccupation with "worst cases" (those that give the most severe consequences) because the protection sequences required for lesser event conditions may be different from the worst case event conditions. To assure that operational requirements are found for all equipment required for attaining acceptable consequences, all protection sequences must be identified.

Once all required sequences are identified for an event, the limiting conditions for the event can be established. This evaluation provides the basis for the specific event to be evaluated in the station safety analysis. In this way, a comprehensive level of safety is attained. Thus, the NSOA is protection sequence oriented to achieve comprehensiveness, and the station safety analysis is consequence oriented to establish conformance to the specific event acceptance limits.

2.2 Systematic Approach to the Analysis

One objective of this analysis is to utilize a systematic method that would contribute to the consistency and comprehensiveness of the analysis.

The desired characteristics representative of a systematic approach to selecting BWR safety and operational requirements are listed as follows:

1. Specified measures of safety - unacceptable results
2. Specified standards for required plant functions
3. Consideration of all potential planned operations
4. Systematic event selection
5. Common treatment (analysis) of all events of any one type
6. Identification of required systems, limits, and restrictions from the systems analysis
7. Systematic comparison of required plant functions to standards
8. Emergence of operational limits and restrictions (technical specifications) from systems analysis
9. Specified margin of safety - event acceptance limits

Figure G-2-2 illustrates the process by which the system safety functions are derived, as controlled through the CNS Technical Specifications, Offsite Dose Assessment Manual, and Technical Requirements Manual when warranted. The process begins with the identification of a set of unacceptable results that are based on the applicable industry codes and standards and the NRC's regulations. The unacceptable results provide inputs to (1) the nuclear safety design criteria which establish the criteria used in the plant and systems design and configuration, (2) the nuclear safety operational criteria which establish the rules for the event analysis, (3) the required plant functions necessary for preventing the unacceptable results, and (4) the event acceptance limits which are the figures of merit used in the station safety analysis. The CNS Technical Specifications, Offsite Dose Assessment Manual, and Technical Requirements Manual establish what actions are to be taken if the required plant functions cannot be performed.

The plant systems design and configuration is combined with the BWR operating states to establish the operating envelope for planned operations. The safety analysis events are then selected and categorized based on assumed system failures and are initiated from the spectrum of planned operations. Protection sequence, auxiliary system and commonality diagrams, which lead to the identification of the required systems, limits and restrictions, are generated using the rules for event analysis and are evaluated until all required plant functions are completed.

The station safety analysis is then performed to demonstrate conformance to the event acceptance limits for the limiting initial conditions and assumed system performance for each event. When the station safety analysis is completed, the system conditions necessary to perform all required plant functions are identified. At this point, the system level safety requirements are established which can be input to other safety assessments. The CNS Technical Specifications, Offsite Dose Assessment Manual, and Technical Requirements Manual establish the surveillance frequencies and limiting conditions for operation, as appropriate, for systems that perform these functions.

2.3 Relationship of the NSOA to the Station Safety Analysis

The main objective of the NSOA is to identify all required protection sequences and to identify the detailed systems conditions required to satisfy the nuclear safety operational criteria. The main objective of the station safety analysis in Section XIV is to provide a detailed analysis of the "worst cases." Thus, the station safety analysis is essentially consequence oriented while the NSOA is protection sequence as well as consequence oriented.

The event conditions analyzed as "worst cases" in the station safety analysis generally correspond to one, or a conservative representation of one, set of conditions for each event in the NSOA.

The NSOA and station safety analysis need to be considered together. The NSOA demonstrates that all required plant functions to preclude unacceptable results for the entire spectrum of safety analysis events from all modes of planned operation are capable of being satisfied by the systems identified in the protection sequence, auxiliary system and commonality diagrams. The station safety analysis demonstrates conformance to the quantitative event acceptance limits which allows the identification of specific values of the operating envelope and protective system setpoints.

2.4 Relationship of the NSOA to Safety-Related Structures, Systems, and Components

A subset of the plant functions, front-line systems and auxiliary systems identified in the protection sequence and auxiliary system diagrams, are safety-related (essential). The following subsections describe the methodology to determine which structures, systems and components are safety-related. The plant functions and systems that are safety-related (essential) are denoted in the protection sequence and auxiliary diagrams.

2.4.1 Regulatory Definition of Safety-Related

NRC regulations (10CFR100, Appendix A or 10CFR50.49(b)(1)) define safety-related structures, systems and components as those necessary to ensure:

a. The integrity of the reactor coolant pressure boundary,
b. The capability to shut down the reactor and maintain it in a safe shutdown condition, or
c. The capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guideline exposures of 10CFR100 or 10CFR50.67, as applicable.

2.4.2 Methodology to Identify Safety-Related Structures, Systems, Components and Parts

Safety-related structures, systems, components and parts shall be determined using the following methodology:

a. The safety-related functions that are required to prevent or mitigate accidents whose consequences could be comparable to the guideline exposures of 10CFR100 or 10CFR50.67 shall be determined. These accidents are the Loss-of-Coolant Accident (Pipe Break Inside Containment), Pipe Break Outside Containment Accident, Control Rod Drop Accident, and Fuel-Handling Accident. (See USAR Section XIV.) The dose limits of 10CFR100 are applied to the Control Rod Drop Accident and the Pipe Break Outside Containment Accident while the limits of 10CFR50.67 are applied to the Loss-of-Coolant Accident and the Fuel-Handling Accident.

b. The systems whose primary function is to provide the safety-related functions identified in part (a) shall be determined and classified safety-related.


c. The systems identified in part (b) shall be shown to be sufficient to shut down the reactor and maintain it in a safe shutdown condition and to ensure the integrity of the reactor coolant pressure boundary for the design basis events addressed in Section XIV. If those systems are not sufficient, additional safety-related systems required to shut down the reactor and maintain it in a safe shutdown condition or to ensure the integrity of the reactor coolant pressure boundary for such events shall be determined. These additional systems, if any, shall also be classified safety-related.

d. The components, in each system identified as safety-related in parts (b) and (c), that are required to provide the safety-related functions identified in part (a) shall be determined and classified safety-related.
e. The components in non-safety-related systems that are required to provide the safety-related functions identified in part (a) due to interface requirements shall be determined and classified safety-related.
f. The parts in safety-related components that are required to provide the safety-related functions identified in part (a) shall be classified safety-related.
g. The structures that are required to provide the safety-related functions identified in part (a) shall be classified safety-related.
h. Structures, systems, components and parts not classified safety-related per the criteria of parts (a) through (g) shall be classified non-safety-related.

Special events (Events 60, 61, 62 and 63) are not design basis events and safety-related functions are not required to accommodate them.

2.4.3 Safety-Related Function Identification

Safety-related plant functions are those required to ensure the primary safety-related functions. If failure of a plant function results in failure of one or more of the primary safety-related functions, then the plant function is safety-related. If all the primary safety-related functions occur without a particular plant function, then the plant function is not safety-related.

The primary safety-related functions for design basis events are:

1. The integrity of the reactor coolant pressure boundary, or
2. The capability to shut down the reactor and maintain it in a safety shutdown condition, or
3. The capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guideline exposures of 10CFR100 or 10CFR50.67, as applicable.

2.4.4 Major Accidents

A major accident is a design basis event with consequences that could result in potential offsite exposures comparable to the guideline exposures of 10CFR100 or 10CFR50.67, as applicable. There are four major accident events identified in Chapter XIV. These events are:

1. Control rod drop accident (Event No. 40)
2. Postulated piping breaks inside containment (Event No. 41)
3. Fuel-handling accident (Event No. 42)
4. Postulated piping breaks outside containment (Event No. 43)

Figures G-5-36 through G-5-41 identify the plant functions and front-line systems for these major accidents that are safety-related.

2.4.5 Design Basis Events

The preceding subsection identifies those structures and systems that are safety-related because they are required to ensure the primary safety-related functions for major accidents, that is, those accidents that could result in potential offsite exposures comparable to the guideline exposure in 10CFR100. This subsection shows that those structures, systems and components are sufficient to ensure the primary safety-related functions for other design basis events. Figures G-5-16 through G-5-35, G-5-42 and G-5-43 identify the plant functions and front-line systems for other design basis events that are safety-related.

Figures G-5-1 through G-5-3 identify the auxiliary systems that are safety-related.

2.5 Unacceptable Results

The following measures of safety are unacceptable results used as the major bases for identifying system operational requirements. The unacceptable results are associated with different event categories. Those unacceptable results that are superior in importance to the others are marked with an asterisk (*).

Plant Event Category and Unacceptable Results

1. Planned Operation

*1-1. Release of radioactive material to the environs that exceeds the limits of 10CFR20.

1-2. Fuel failure to such an extent that, were the freed fission products released to the environs via the normal discharge paths for radioactive material, the limits of 10CFR20 would be exceeded.

1-3. Nuclear system stress in excess of that allowed by applicable industry codes.

1-4. Existence of a plant condition not considered by the station safety analyses.

2. Abnormal Operational Transients

*2-1. Release of radioactive material to the environs that exceeds the limits of 10CFR20.

2-2. Exceeding any fuel limits applicable to transients as a result of transient analyses.

2-3. Nuclear system stress exceeding that allowed for transients by applicable industry codes.

3. Accidents

*3-1. Radioactive material release exceeding the guideline values of 10CFR100 or 10CFR50.67.

3-2. Exceeding any fuel limits applicable to accidents as a result of accident analyses.

3-3. Nuclear system stress exceeding that allowed for accidents by applicable industry codes.

3-4. Containment stress exceeding that allowed for accidents by applicable industry codes when containment is required.

3-5. Overexposure to radiation of plant personnel in the control room.

4. Special Events

A. Shut down from outside control room

4-1. Inability to shut down reactor by manipulating controls and equipment outside the control room.

4-2. Inability to bring reactor to the cold shutdown condition from outside the control room.

B. Shut down without control rods

4-3. Inability to shut down the reactor independent of control rods.

C. Anticipated transient without Scram (ATWS)

4-4. Exceeding limits based on 10CFR50.62

D. Station Blackout

4-5. Inability to withstand and recover from a Station Blackout for the required coping duration.

The unacceptable results are associated with the different categories of plant operation and events to facilitate the systematic selection of nuclear safety and operational requirements.

2.6 Nuclear Safety Operational Criteria

The following nuclear safety operational criteria are used in the preparation of the protection sequence, auxiliary system and commonality diagrams and to identify operational requirements.

Applicability: Planned operation, abnormal operational transients, accidents, and special events
Nuclear Safety Operational Criteria: The plant shall be operated so as to avoid unacceptable results.

Applicability: Abnormal operational transients and accidents
Nuclear Safety Operational Criteria: The plant shall be designed and operated in such a manner that no single active component failure can prevent (1) safety-related core reactivity control, (2) safety-related core and containment heat removal, (3) reactor coolant pressure boundary integrity, (4) safety-related containment isolation and (5) safety-related containment atmosphere control and cleanup.


2.7 Origin of Unacceptable Results and Nuclear Safety Operational Criteria

Most of the unacceptable results and nuclear safety operational criteria represent an extension of the general intent of the plant system and component design criteria as it applies to plant operations. The unacceptable results and nuclear safety operational criteria are generally based on the NRC's regulations and industry codes and standards. Other requirements may be based on licensing commitments or nuclear steam supply system or fuel supplier design requirements.

Unacceptable result 1-4, defined in Section G.2.5, differs in origin from the other criteria and is necessary in establishing a consistent and systematic approach to plant safety. This unacceptable result required, in effect, that the plant be operated only under conditions (pressure, power, water level, etc.) for which the station safety analysis has been performed. This requirement generally establishes the operating envelope for planned operations.

2.8 Plant Functions

A set of plant functions has been identified to avoid unacceptable results. These plant functions are basically the end result of the plant systems performing their design function (scram, containment isolation, core cooling, etc.). Each plant function, its primary related unacceptable result, and the principal reason for the plant function are provided in Section G.5.0 with respect to each of the categories of events considered in the NSOA.

2.9 Event Acceptance Limits

The purpose of the station safety analysis is to demonstrate that the plant can operate in its current configuration without undue risk to public health and safety. To accomplish this objective, a broad spectrum of "worst case" events established through the NSOA process as described in Section G.2.4 is evaluated in the station safety analysis. Event acceptance limits are the figures of merit used in the station safety analysis to establish that an acceptable margin of safety is available.

The event acceptance limits are derived from the unacceptable results identified in Section G.2.7. Because of the wide variation in event probabilities and unique nature of the events, different acceptance limits are applied to the different event categories. The current event acceptance limits used in the station safety analysis and their related category are provided below.

Planned Operation

1. Technical Specification Limits and Offsite Dose Assessment Manual limits for the Release of Radioactive Effluents
2. Nuclear System Design Limits for Normal Operation
3. Licensed Plant Power Level
4. Plant Operation Consistent with the Plant Safety Analysis

Abnormal Operational Transients

1. Technical Specification Limits and Offsite Dose Assessment Manual limits for the Release of Radioactive Effluents
2. Reactor Coolant Pressure Safety Limit
3. Fuel Cladding Integrity Safety Limit
4. Fuel Cladding Plastic Strain Design Limit
5. Fuel Enthalpy Limit for Cladding Failure
6. Suppression Pool Temperature Limit

Accidents

1. Guideline Dose Values of 10CFR100 or 10CFR50.67
2. Nuclear System Design Limits for Accidents
3. ECCS Acceptance Criteria of 10CFR50.46
4. Containment Design Limits for Accidents
5. Peak Fuel Enthalpy Design Limit for Energy Deposition to Fuel
6. Exposure Limits for Plant Operators

Special Events

1. Standby Liquid Control System Capability - Cold Reactor Shutdown Independent of Control Rods
2. Shutdown from Outside the Control Room - Cold Reactor Shutdown from Outside the Control Room.
3. Anticipated Transients Without Scram Limits Based on 10CFR50.62.
4. Station Blackout - Limits Based on 10CFR50.63.

3.0 METHOD OF ANALYSIS

The nuclear safety operational analysis (NSOA) is performed under the assumption that the plant and system designs are established. The results of the analysis are the system level protection sequences. The CNS Technical Specifications, Offsite Dose Assessment Manual, and Technical Requirements Manual establish the operational limitations and restrictions on the safety systems that are credited in these sequences, as required, to assure the nuclear safety operational criteria are satisfied. Figure G-2-2 shows the process used in the analysis.

The following inputs and treatment of results are required for the analysis of specific plant events:

1. Applicable unacceptable results (see Section G-2.5)
2. Applicable plant functions (see Section G-2.8)
3. Applicable nuclear safety operational criteria (see Section G-2.6)
4. Event selection criteria (see Section G-3.2)
5. Definition of BWR operating states (see Section G-3.1)
6. Rules for event analysis (see Section G-3.4)
7. Station safety analysis (see Section XIV)
8. Event acceptance criteria (see Section G-2.9)

With this information, each selected event can be evaluated to determine systematically the actions, systems, limits and restrictions required to avoid the unacceptable results and demonstrate the existence of acceptable margins of safety. The CNS Technical Specifications, Offsite Dose Assessment Manual, and Technical Requirements Manual establish the limits and restrictions on the operation of this equipment, as required.

3.1 BWR Operating States

Four BWR operating states in which the reactor can exist are defined in Table G-3-1. The main objective in selecting operating states is to divide the BWR operating spectrum into sets of initial conditions to facilitate consideration of various events in each state. These operating states are also cross referenced to plant operating mode as defined in Technical Specification Table 1.1-1.

Each operating state includes a wide spectrum of values for important plant parameters. Within each state, these parameters are considered over their entire range to determine the bounds in terms of limitations or restrictions on their values to satisfy the nuclear safety operational criteria. Limitations on plant parameters are derived for those parameters which establish the operating envelope, are under the control of the plant operator and are the subject of plant procedures. Restrictions on plant parameters are enforced by hardware or physical constraints which prevent the operating envelope from being exceeded. These limitations and restrictions are discussed in the subsections of the safety analysis report that describe the systems associated with the parameter.


TABLE G-3-1 BWR OPERATING STATES

Conditions                      States
                                A    B    C    D
Reactor vessel head off (1)     X    X
Reactor vessel head on                    X    X
Shutdown (2)                    X         X
Not Shutdown                         X         X

Note (1): Because the reactor vessel head is off in States A and B, reactor pressure is atmospheric.

Note (2): The reactor is more than one control rod subcritical in its most reactive state.

State A Mode 5
State B Initial low power physics testing, no longer used
State C Modes 3 or 4
State D Modes 1 or 2

Mode 1 Power Operation (Mode Switch Position - Run)

Mode 2 Startup (Mode Switch Position - Refuel or Startup/Hot Standby)

Mode 3 Hot Shutdown (Mode Switch Position - Shutdown)

Mode 4 Cold Shutdown (Mode Switch Position - Shutdown)

Mode 5 Refueling (Mode Switch Position - Shutdown or Refuel)

Mode definition corresponds to Technical Specification Table 1.1-1.

The plant parameters to be considered in this manner include the following:

1. Spent fuel pool water temperature and water level
2. Suppression pool water temperature and volume
3. Reactor coolant temperature
4. Reactor vessel water level
5. Reactor vessel pressure
6. Reactor vessel water quality
7. Reactor coolant forced circulation flow rate
8. Reactor power level (thermal and neutron flux)
9. Core neutron flux distribution
10. Feedwater temperature
11. Primary containment pressure and temperature
12. Control rod worth
13. Fuel linear heat generation rate
14. Fuel maximum average planar linear heat generation rate
15. Fuel critical power ratio
16. Radioactive effluents
17. Heat sink level
18. Fuel reactivity

3.2 Selection of Events for Analysis

3.2.1 Planned Operations

Planned operation refers to normal plant operation under conditions within the normal operating envelope in the absence of significant abnormalities. Following an event (transient, accident or special event), planned operation is not considered to have resumed until the plant operating state is identical to a planned operating mode that could be attained had the event not occurred. As defined, the planned operations can be considered as a chronological sequence: refueling outage ---> achieving criticality ---> heatup ---> power operation ---> achieving shutdown ---> cooldown ---> refueling outage.

The planned operations are defined below.

1. Refueling outage: Includes all the planned operations associated with a normal refueling outage except those tests in which the reactor is taken critical and returned to the shutdown condition. In a refueling outage, the Mode Switch is in the REFUEL or SHUTDOWN position. The following planned operations are normally included in a refueling outage:

(a) Planned physical movement of core components (fuel, control rods, etc.)

(b) Refueling test operations (except criticality and shutdown margin tests)

(c) Planned maintenance

(d) Required inspections

(e) Required surveillance testing

2. Achieving criticality: Includes all the plant actions normally accomplished in bringing the plant from a condition in which all control rods are fully inserted to a condition in which nuclear criticality is achieved and maintained. To achieve criticality, the Mode Switch is transferred to the STARTUP position from the REFUEL or SHUTDOWN position.
3. Heatup: Begins where achieving criticality ends and includes all plant actions normally accomplished in approaching nuclear system rated temperature and pressure by using nuclear power (reactor critical). Heatup extends through warmup and synchronization of the turbine-generator. For heatup, the Mode Switch is assumed to be in the STARTUP position, but may be in the RUN position as the transition to power operation is being made.
4. Power operation: Begins where heatup ends and includes continued plant operations at power levels in excess of heatup power. In power operation, the Mode Switch is assumed to be in the RUN position.
5. Achieving shutdown: Begins where the generator is unloaded and includes all plant actions normally accomplished in achieving nuclear shutdown (more than one rod subcritical) following power operation. To achieve shutdown, the Mode Switch is generally assumed to be in the STARTUP position.

The transition from RUN to REFUEL or SHUTDOWN generally occurs in achieving shutdown.

6. Cooldown: Begins where achieving shutdown ends and includes all plant actions normal to the continued removal of decay heat and the reduction of nuclear system temperature and pressure. Cooldown may be accomplished with the Mode Switch in the STARTUP, REFUEL or SHUTDOWN positions depending on the specific plant configuration and operating parameters.

It may be noticed that the exact point at which some of the planned operations and corresponding Mode Switch positions end and others begin cannot be precisely determined. It will be seen later that such precision is not required, for the protection requirements are adequately defined in passing from one state to the next. The dependence of several of the planned operations on the one rod subcritical condition provides an exact point on either side of which protection (especially scram) requirements differ. Thus, where a precise boundary between planned operations is needed, the definitions provide the needed precision.

Together, the BWR operating states and the planned operations define the normal operating envelope from which transients, accidents and special events are initiated. The BWR operating states define only the physical condition (pressure, temperature, etc.) of the reactor; the planned operations define what the plant is doing. The separation of the physical conditions from the operation being performed is deliberate and facilitates careful consideration of all possible initial conditions from which events may be postulated to occur.

3.2.2 Abnormal Operational Transients

To select abnormal operational transients, eight nuclear system parameter variations are considered as possible initiating causes of threats to the fuel and nuclear system process barrier. The parameter variations are as follows:

1. Nuclear system pressure increase
2. Reactor vessel water (moderator) temperature decrease
3. Positive reactivity insertion
4. Reactor vessel coolant inventory decrease
5. Reactor core coolant flow decrease
6. Reactor core coolant flow increase
7. Core coolant temperature increase
8. Excess of coolant inventory

Events that result directly in significant reactor and nuclear system pressure increases generally are initiated by a sudden reduction in steam flow. Increasing pressure collapses the voids in the core and increases core reactivity, increasing reactor vessel and nuclear system pressure and core power level, which threatens overpressurization of the nuclear system process barrier and overheating of the fuel.

Events that result directly in a core coolant temperature decrease are those that either increase the flow of cold water or reduce the temperature of the water being delivered to the vessel. Core coolant (moderator) temperature reduction results in an increase in core reactivity, increasing the power level which threatens overheating of the fuel.

Events that result in localized positive reactivity insertions are generally caused by errors in the movement of control rods. Localized positive reactivity insertions cause anomalies in power distribution and an increase in core power level which threatens overheating of the fuel.

Events that lead to a steam flow rate greater than the feedwater input result in a decrease in the reactor coolant inventory. Decreases in reactor coolant inventory cause a decrease in reactor water level, which threatens overheating of the fuel, and a decrease in coolant temperature, which leads to a mild depressurization.

Events that result in a reduction in recirculation flow rate decrease the reactor core coolant flow rate. Decreases in the reactor core coolant flow rate decrease the ability of the coolant to remove the heat generated in the core, which threatens overheating of the fuel. Decreases in core coolant flow also increase core voids and decrease core reactivity, which decreases core power level and increases reactor water level.

Events that result in an increase in recirculation flow rate increase the reactor core coolant flow rate. Increases in reactor core coolant flow rate result in a decrease in moderator temperature and an increase in core reactivity. An increase in core reactivity increases core power level and threatens overheating of the fuel.

Events that result directly in a core coolant temperature increase are those that increase the temperature of the water being delivered to the reactor vessel. Increases in core coolant temperature increase reactor pressure and threaten the nuclear system process barrier.

Events that lead to a feedwater flow increase greater than the steam production rate will result in an excess of coolant inventory and an increase in reactor vessel water level. Increasing the vessel water level can lead to a turbine trip which will cause a pressurization event characterized by a reactivity addition due to the void collapse which increases core reactivity, increasing reactor vessel and nuclear system pressure and core power level which threatens overpressurization of the nuclear system process barrier and overheating of the fuel.

The eight parameter variations listed above include all the effects within the nuclear system caused by abnormal operational transients that can challenge the integrity of the reactor fuel or nuclear system process barrier. The variation of any one parameter may cause a change in another listed parameter; however, for analysis purposes, challenges to the barrier integrity are evaluated by groups according to the parameter variation initiating the plant challenge. For example, positive reactivity insertions resulting from sudden pressure increases are evaluated in the group of threats stemming from nuclear system pressure increases.

Abnormal operational transients are defined as those transients that result from single active component failures or single operator errors that can reasonably be expected during any mode of plant operation. Examples of single active component failures and operator errors are identified below:

1. Opening or closing of any single valve (a check valve is not assumed to close against normal flow).
2. Starting or stopping any single component.
3. Malfunction or maloperation of any single control device.
4. Any single electrical failure.
5. Any single operator error.

Operator error is defined as an active deviation from written operating procedures or nuclear plant standard operating practices. A single operator error is the set of actions that is a direct consequence of a single reasonably expected erroneous decision. The set of actions is limited as follows:

1. Those actions that could be performed by only one person.


2. Those actions that would have constituted a correct procedure had the initial decision been correct.
3. Those actions that are subsequent to the initial operator error and that affect the designed operation of the plant, but are not necessarily directly related to the operator error.

Examples of operator errors are as follows:

1. An increase in power above the established power flow limits by control rod withdrawal in the specified sequences.
2. The selection of and attempt to completely withdraw a single control rod out of sequence.
3. An incorrect calibration of an average power range monitor.
4. Manual isolation of the main steam lines caused by operator misinterpretation of an alarm or indication.

The five types of single active component failures or operator error are applied to the various plant systems with a consideration for a variety of plant conditions to discover events that directly result in any of the undesirable parameter variations listed. Once discovered, each event is evaluated for the threat it poses to the integrity of the radioactive material barriers.

3.2.3 Accidents

Accidents are defined as hypothesized events that have the potential to affect one or more of the radioactive material barriers and are events not expected during plant operations. The accident types considered are as follows:

1. Mechanical failure of a single component having the potential for leading to the release of radioactive material from one or more barriers. The components referred to here are not those that act as radioactive material barriers.

Examples of mechanical failure are breakage of the coupling between a control rod drive and the control rod and failure of a spring used to close an isolation valve.

2. Arbitrary rupture of any single pipe or instrument line up to and including complete severance of the largest pipe in the nuclear system process barrier.

For purposes of analysis, accidents are categorized as those events that have the potential for releasing radioactive material as follows:

1. From the fuel with the nuclear system process barrier, primary containment, and secondary containment initially intact.
2. Directly to the primary containment.
3. Directly to the secondary containment with the primary containment initially intact.


4. Directly to the secondary containment with the primary containment not intact.
5. Outside the secondary containment.

The effects of the various accident types are investigated, with a consideration for the full spectrum of plant conditions, to examine events that result in the release of radioactive material. The accidents resulting in radiation exposures greater than any other accident considered under the same general accident assumptions are designated design basis accidents.

3.2.4 Special Events

Four special events are evaluated to demonstrate plant capabilities required by the NRC's regulations, industry codes and standards, and licensing commitments. The adequacy of the redundant reactivity control system is demonstrated by evaluating the event "shut down without control rods." The capability to perform a safe shutdown from outside the main control room is demonstrated by evaluating the event "shutdown from outside the main control room." The plant capability to withstand the consequences of anticipated transients without scram is demonstrated by evaluating the event "anticipated transients without scram." The ability of the plant to cope with the loss of all offsite and onsite AC power is described in the "Station Blackout" event.

3.3 Applicability of Events to Operating States

The first step in performing the NSOA for a given event (transient, accident or special event) is to determine in which operating states the event can occur. An event is considered applicable within an operating state if the event can be initiated from the operating envelope that characterizes the operating state. Applicability of the planned operations to the operating states follows from the definition of planned operations. A planned operation is considered applicable within an operating state if the planned operation can be conducted when the reactor exists under the physical conditions defining the operating state.

3.4 Rules for Event Analysis

The following rules are followed in performing the NSOA for the various plant events:

1. A function, system, or limit shall be considered as required only if it is relied on to accomplish the plant function to avoid an unacceptable result or to satisfy the nuclear safety operational criteria.
2. The full range of initial conditions (as defined in Section G-3.4.3 below) shall be considered for each event analyzed, so that all protection sequences are identified.

Consideration is not limited to "worst cases," because lesser cases may require systems or actions different from the "worst case."

3. The initial conditions for transients, accidents, and special events shall be limited to the operating envelope that is allowed during the planned operations in the applicable operating state.
4. For planned operations, consideration shall be made only for functions, limits and systems to avoid unacceptable results during operation in that state which establish the operating envelope (as opposed to transients, accidents, and special events, which are followed through to completion). Planned operations are treated differently from other events because the transfer from one state to another during planned operations is deliberate. For events other than planned operations, the transfer from one state to another may be unavoidable.

5. Three types of limits or restrictions are incorporated into the protection sequence diagrams: (1) parameter limits, (2) operating envelope limits, and (3) restrictions.

Parameter limits (P) are identified for those parameters that are used by the plant operator to initiate or terminate system operation. Parameter limits displayed on the protection sequence diagrams are identified only for parameters that are available to the operator and are the subject of plant procedures. Operating envelope limits (L) are limitations on frequently monitored process parameters which establish the operating envelope for planned operation. Restrictions (R) are associated with system hardware or physical constraints on systems or structures which prevent plant operation outside the operating envelope.

6. For transients, accidents and special events, consideration shall be made for the entire duration of the event and its aftermath until some mode of planned operation is resumed.

Planned operation is considered resumed when the plant procedures being followed or the equipment being used is identical to those used during any one of the defined planned operations or the plant is in a safe stable cold shutdown condition.

7. Credit for operator action shall be taken on a case-by-case basis, depending on the conditions that would exist at the time operator action would be required. Because transients, accidents, and special events are considered through the entire duration of the event until planned operation is resumed, manual operation of certain systems is sometimes required following the more rapid portions of the event.

Credit for operator action is taken only when the operator can reasonably be expected to accomplish the required action under the existing conditions and has the availability of the necessary information to implement the required plant procedures.

8. For transients, accidents and special events, those functions, limits, and systems shall be required if there arises a unique requirement as a result of the event. If a system that was operating prior to the event (during planned operation) is to be employed in the same manner following the event and if the event did not affect the operation of the system, then the system would not appear on the protection sequence diagram.
9. The NSOA shall identify all the support or auxiliary systems required for the functioning of the front-line systems and other required auxiliary systems.


10. A system or function that plays a unique role in the response to a transient, accident, or special event shall be considered to be required unless the effects of the system or function are not included in the detailed analysis of the event.

3.5 Steps in Preparing Protection Sequence, Auxiliary System and Commonality Diagrams

All information needed to perform a NSOA for each plant event has been presented in Figure G-2-2. The procedure followed in preparing protection sequence diagrams for a given event (selected according to the event selection criteria) is as follows:

1. Determine the plant operating states in which the event is applicable.
2. Identify all the required protection sequences (plant functions and front-line systems) for the event in each applicable operating state.
3. Identify all the system auxiliaries required to support the functioning of the front-line systems.

The above three steps are performed in Section G-5.0.

4.0 DISPLAY OF NUCLEAR SAFETY OPERATIONAL ANALYSIS RESULTS

To fully identify and establish the plant system and component functions that are credited in satisfying the nuclear safety operational criteria, their relationships are depicted by a series of block diagrams. The CNS Technical Specifications, Offsite Dose Assessment Manual, and Technical Requirements Manual provide the operational limitations and restrictions on this plant equipment, as required, to assure their functions can be performed.

First, Table G-4-1 indicates the operating states that are applicable for each event. Then, block diagrams are presented showing the conditions and systems required to achieve each plant function for each event. The block diagrams show only those systems necessary to provide the plant functions in such a way that the nuclear safety operational criteria are satisfied. The total plant capability to provide the plant function is not shown, only the minimum capability required to satisfy the nuclear safety operational criteria. The block diagrams also show the protection sequences for each event. The NSOA considers the following conceptual aspects:

1. The BWR operating state.
2. Types of operations or events that are possible within the operating state.
3. Relationships of certain plant functions to the unacceptable results and to specific types of operations and events.
4. Relationships of certain systems to plant functions and to specific types of operations and events.
5. Supporting or auxiliary systems required for the operation of the front-line systems.
6. Functional redundancy (the single failure criterion applied at the plant function level).
7. The results of the station safety analysis.

Each block on the protection sequence diagrams represents a finding of a system requirement for the plant function, system, limit or restriction under consideration. Requirement in this context means that the plant function, system, limit or restriction is required to satisfy the nuclear safety operational criteria.

A requirement is found through an analysis in which the plant function, system, limit or restriction being considered is completely disregarded in the analysis of the applicable planned operations or events.

If the nuclear safety operational criteria are satisfied without the plant function, system, limit or restriction, then the plant function, system, or limit is not required. When disregarding a plant function, system or limit results in violating one or more nuclear safety operational criteria, the plant function, system, limit or restriction is considered to be required, and the resulting system function can be related to specific criteria and unacceptable results.

TABLE G-4-1 EVENTS APPLICABLE IN EACH BWR OPERATING STATE

Types of Operation and Events    BWR Operating State: A B C D

PLANNED OPERATION

1. Refueling outage X
2. Achieving criticality X X X X
3. Heatup X
4. Power operation X
5. Achieving shutdown X X
6. Cooldown X X
7. through 10. (Numbers not used)

ABNORMAL OPERATIONAL TRANSIENTS

Nuclear System Pressure Increase

11. Turbine trip or generator load rejection with bypass X
12. Turbine trip or generator load rejection without bypass X
13. Isolation of all main steam lines X X
14. Isolation of one main steam line X
15. Loss of condenser vacuum X X

Moderator Temperature Decrease

16. Loss of feedwater heating X
17. Shutdown cooling (RHRS) malfunction-temperature decrease X X X X
18. Inadvertent HPCI pump start X X

Reactivity Insertion

19. Control rod withdrawal error X X X X
20. Fuel loading error X X X X
21. (Number not used)

Loss of Coolant Inventory

22. Pressure regulator failure-open X X
23. Inadvertent opening of a relief or safety valve X X
24. Loss of feedwater flow X X
25. Loss of off-site power X X X X

Core Coolant Flow Decrease

26. Recirculation flow control failure-decreasing flow X
27. Trip of one recirculation pump X X
28. Trip of two recirculation pumps X X
28a. Recirculation pump seizure X X

Core Coolant Flow Increase

29. Recirculation flow control failure-increasing flow X
30. Start-up of idle recirculation pump X X X X

Core Coolant Temperature Increase

31. Loss of shutdown cooling X X X X

Excess of Coolant Inventory

32. Feedwater controller failure-maximum demand X X
33. through 39. (Numbers not used)

ACCIDENTS

40. Control rod drop accident X
41. Pipe breaks inside primary containment X X
42. Fuel handling accident X X X X
43. Pipe breaks outside primary containment X X
44. through 59. (Numbers not used)

SPECIAL EVENTS

60. Shutdown from outside control room X X X X
61. Shutdown without control rods X X
62. Anticipated transients without scram X
63. Station Blackout X

4.1 Protection Sequence, Auxiliary System and Commonality Diagrams

Block diagrams illustrate the protection sequences for each event requiring unique plant functions. These protection sequence diagrams show only the required front-line systems. The format and conventions used for these diagrams are shown on Figures G-4-1 and G-4-2.

The format for protection sequence diagrams for planned operation is shown on Figure G-4-1 and has the following key elements:

1. Events G and H are applicable for planned operation in Operating State F.
2. A limitation on System J is required to perform Plant Function B.
3. A limitation on System N is required to perform Plant Function C.
4. Either System K or System M is required to perform Plant Function C.

The format for protection sequence diagrams for safety analysis events is shown on Figure G-4-2 and has the following key elements:

1. Event XY is applicable only in Operating States W and Z.
2. System P is required to perform Plant Function D; Systems Q, R, S and T are required to perform Plant Function E; and Systems U and V are required to perform Plant Function F.
3. Systems Q and R, as a pair, must satisfy the single failure criterion.
4. Systems S, U and V must each satisfy the single failure criterion.
5. The existence of a parameter limit indicates that a condition has been encountered requiring operator action.
6. System V is initiated by operator action based on the parameter limit.
7. Systems U and V are safety-related (essential) and Plant Function F is a safety function.
8. System P and Plant Function D are required only for State W; Systems Q, R, S, T, U and V and Plant Functions E and F are required for both States W and Z.

The auxiliary systems required for the correct functioning of the front-line or other auxiliary systems are shown on the auxiliary systems diagrams. The format used for these diagrams is shown on Figure G-4-3. The diagram indicates that auxiliary Systems A, B and C are required for proper operation of System X, which can be either a front-line or an auxiliary system.

The relationships of a particular auxiliary system to all other systems (front-line and auxiliary) for the required events within an operating state are shown on the commonality diagrams. The format used for commonality diagrams is shown on Figure G-4-4 and has the following key elements:

1. Auxiliary System A is required for the functioning of Systems I, J, K and L, which can be front-line or auxiliary systems.
2. The specific operating states and events for which the auxiliary support function is required are identified.
3. Auxiliary System A is required for the functioning of Systems J and K for the same events and operating states.

With the information in these four types of diagrams, it is possible to determine for each system what functions are credited in each operating state for plant event mitigation. This information can be used for evaluating the effects of non-conformances, establishing system safety classification, and considering whether proposed changes, tests, or experiments are unreviewed safety questions.

5.0 NUCLEAR SAFETY OPERATIONAL ANALYSIS FOR COOPER NUCLEAR STATION

The results of the Nuclear Safety Operational Analysis (NSOA) for Cooper Nuclear Station events are discussed in the following paragraphs and displayed on Figures G-5-1 through G-5-46. Table G-4-1 indicates the BWR operating state in which each event is applicable.

5.1 Auxiliary Systems

Figures G-5-1, G-5-2 and G-5-3 show the auxiliary systems required for the functioning of each front-line system. Figure G-5-4 shows the auxiliary systems required for the functioning of other auxiliary systems.

Commonality of auxiliary system diagrams is shown on Figures G-5-5 through G-5-10. These figures indicate which auxiliary systems are required to function in order for the front-line or other auxiliary systems to fulfill their required functions for each event.

5.2 Planned Operations

The requirements for planned operations normally involve using limits on certain key process variables and restrictions on certain plant equipment or structures. The sequence diagrams for each operating state (Figures G-5-11 through G-5-15) show only those controls necessary to avoid unacceptable results 1-1 through 1-4 (Section G-2.7).

Following is a description of the planned operations (Events 1 through 6) as they pertain to each of the four operating states. The description of each operating state contains a definition of that state, a list of planned operations that apply to that state, and a list of the plant functions. Finally, an evaluation of the plant functions required in avoiding the unacceptable results is provided.

State A

In State A, the reactor is in a shutdown condition, the vessel head is off, and the vessel is at atmospheric pressure. The applicable events for planned operations are refueling outage, achieving criticality, and cooldown (Events 1, 2 and 6, respectively).

Figure G-5-11 shows a diagram of the necessary plant functions for planned operations, the corresponding plant systems, and the events for which these functions are necessary. As indicated in the diagram, the required plant functions are as follows:

Plant Function

Radioactive material release control
Reactor vessel water level control
Nuclear system temperature control
Nuclear system water quality control
Core reactivity control
Refueling restrictions
Stored fuel shielding, cooling, and reactivity control
Maintain reactor coolant pressure boundary integrity
Maintain coolable geometry
Initial core cooling
Extended core cooling

State B

In State B, the reactor vessel head is off, the reactor is not shut down, and the reactor is at atmospheric pressure. Applicable planned operations are achieving criticality and achieving shutdown (Events 2 and 5, respectively).

Figure G-5-12 shows a diagram relating the necessary plant functions for planned operations, the plant systems, and the events for which the plant functions are necessary. The required plant functions for planned operation in State B are as follows:

Plant Function

Radioactive material release control
Core power level control
Reactor vessel water level control
Nuclear system temperature control
Nuclear system water quality control
Core reactivity control
Rod worth control
Stored fuel shielding, cooling, and reactivity control
Maintain reactor coolant pressure boundary integrity
Maintain coolable geometry

State C

In State C, the reactor vessel head is on and the reactor is shut down. Applicable planned operations are achieving criticality and cooldown (Events 2 and 6, respectively).

Figure G-5-13 shows a diagram relating the necessary plant functions for planned operations, the plant systems, and the events for which the plant functions are necessary. The required plant functions for planned operation in State C are as follows:

Plant Function

Radioactive material release control
Reactor vessel water level control
Reactor vessel pressure control
Nuclear system temperature control
Nuclear system water quality control
Nuclear system leakage control
Core reactivity control
Primary containment pressure and temperature control
Stored fuel shielding, cooling, and reactivity control
Ultimate heat sink availability
Maintain reactor coolant pressure boundary integrity
Maintain coolable geometry
Initial core cooling
Extended core cooling

State D

In State D, the reactor vessel head is on and the reactor is not shut down. Applicable planned operations are achieving criticality, heatup, power operation and achieving shutdown (Events 2, 3, 4, and 5, respectively).

G-5-2 08/03/00

Figure G-5-14 shows a diagram that relates the necessary plant functions for planned operations, the corresponding plant systems, and the event for which the plant functions are necessary. The required plant functions for planned operation in State D are as follows:

Plant Function
Radioactive material release control
Core coolant flow rate control
Core power level control
Core neutron flux distribution control
Reactor vessel water level control
Reactor vessel pressure control
Nuclear system temperature control
Nuclear system water quality control
Nuclear system leakage control
Core reactivity control
Rod worth control
Primary containment temperature and pressure control
Stored fuel shielding, cooling, and reactivity control
Ultimate heat sink availability
Maintain reactor coolant pressure boundary integrity
Maintain coolable geometry

The following paragraphs describe the plant functions for planned operations. Each description includes a selection of the operating states that apply to the plant function, the plant systems affected by limits or restrictions, and the unacceptable result that is avoided. The unacceptable result number is shown in parentheses and discussed in Section G-2.7 of this appendix. The four operating states are defined in Table G-3-1.

5.2.1 Radioactive Material Release Control

Radioactive materials may be released to the environs in any operating state. Therefore, radioactive material release control is required in all operating states. Because of their significance in demonstrating conformance to the regulations for the release of radioactive materials, this is the only plant function for which monitoring systems are explicitly shown.

The air ejector off-gas radiation monitoring system records the radioactivity released via the air ejector off-gas line and closes the air ejector off-gas line shutoff valve on high radiation. The ERP radiation monitoring system records the radioactive release to the environs through the ERP. The process liquid radiation monitor system records the release of radioactive liquids.

The reactor building isolation ventilation radiation monitoring system records the radioactivity in the reactor building exhaust plenum and isolates the reactor building, initiates the standby gas treatment system on high radiation, and initiates the control room emergency filtration system. The radwaste/augmented radwaste building ventilation exhaust radiation monitoring system records the radioactivity released from the radwaste/augmented radwaste building to the atmosphere. The turbine building ventilation exhaust radiation monitoring system records the radioactivity released from the turbine building to the atmosphere. The MPF ventilation exhaust radiation monitoring system records the radioactivity released from the MPF to the atmosphere. The solid radwaste system is designed to record the solid radioactive waste transported off site.

The limitations placed on the air ejector off-gas radiation monitoring system, the ERP radiation monitoring system, process liquid radiation monitors, reactor building isolation ventilation radiation monitoring system, the radwaste/augmented radwaste building ventilation exhaust radiation monitoring system, the turbine building ventilation exhaust radiation monitoring system and MPF ventilation exhaust radiation monitoring system are used to demonstrate compliance with the requirements of 10CFR20 and 10CFR50 (1-1). These limitations are used to establish the operating envelope for planned operations relating to the release of radioactive materials.

G-5-3 04/08/02

Restrictions are placed on the air ejector off-gas radiation monitoring system and the reactor building isolation ventilation radiation monitoring system to initiate appropriate system actions on high radiation to preserve the envelope of planned operations. These restrictions are associated with the operability of safety systems (off-gas system isolation, standby gas treatment system, and control room emergency filtration system).

A limitation is placed on the solid radwaste system to demonstrate compliance with 10CFR71 (1-1). This limitation is used to establish the operating envelope for planned operations relating to the transfer of solid radwaste.

5.2.2 Core Coolant Flow Control Rate Control

In State D, the core coolant flow rate must be maintained above certain minimums (i.e., limited) to maintain the integrity of the fuel cladding (1-2) and assure the validity of the station safety analysis (1-4).

The core flow rate is a key parameter to establish the heat transfer from the fuel during power operation (Event 4) to protect the fuel cladding integrity.

It also establishes the allowable power/core flow map used as initial conditions input to the station safety analyses which are applicable to heatup, power operation and achieving shutdown (Events 3, 4, and 5). In addition, the core coolant flow rate and flow limits for the recirculation system are used as initial conditions in the station safety analysis for power operation (Event 4). Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.3 Core Power Level Control

The station safety analysis pertaining to accidental positive reactivity additions has assumed as an initial condition that the neutron source level is above a specified minimum. Because a significant positive reactivity addition can only occur when the reactor is less than one rod subcritical, the source level need be observed only in States B and D. The minimum source level assumed in the analysis has been related to the counts-per-second readings on the source range monitors (SRMs); thus, this minimum power level limit on fuel is expressed as a required SRM count level.

Observation of this limit assures the validity of the station safety analysis (1-4).

Maximum core power limits are also expressed for operating States B and D to maintain fuel integrity (1-2) and remain below the maximum power levels assumed in the plant safety analysis (1-4). The maximum core power level for low reactor pressure or core flow is established to assure acceptable fuel heat transfer characteristics to maintain fuel cladding integrity. For power operation (Event 4), the maximum core power level is observed as a limit on fuel because it is used as an input to the station safety analysis.

In addition, for power operation (Event 4), localized core power limits are established for the reactor fuel to assure the validity of the station safety analysis. The limits on reactor fuel include minimum critical power ratio, linear heat generation rate, and maximum average planar heat generation rate.

G-5-4 04/08/02

Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.4 Core Neutron Flux Distribution Control

Core neutron flux distribution is limited in State D by establishing limits on the core power peaking factors. These limits are provided to assure the fuel cladding integrity (1-2) and are also used to establish the envelope of conditions considered in the station safety analysis (1-4). Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.5 Reactor Vessel Water Level Control

In any operating state, the reactor vessel water level could, unless controlled, drop to a level that will not provide adequate core cooling; therefore, reactor vessel water level control applies to all operating states. Observation of the reactor vessel water level limits is provided to assure the fuel cladding integrity (1-2). These limits are also used to establish the envelope of conditions considered in the station safety analysis (1-4). Limitations are placed on this parameter to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.6 Reactor Vessel Pressure Control

Reactor vessel pressure control is only required in States C and D because the reactor vessel head is off in States A and B and the reactor cannot be pressurized. Limits are placed on the reactor vessel, and restrictions are placed on the residual heat removal system (RHRS) to assure the nuclear system stresses are within limits (1-3) and are used to establish the envelope of conditions considered in the station safety analysis (1-4).

In State C, a limit is placed on the reactor vessel to assure that it is not hydrostatically tested until the temperature is above the nil ductility transition temperature limit to prevent excessive stress. A limitation is placed on the reactor vessel pressure to establish the operating envelope for planned operations used as input to the station safety analysis.

In States C and D, a restriction is placed on the residual heat removal system to assure that it is not operated in the shutdown cooling mode when the reactor vessel pressure is greater than its pressure permissive to prevent excessive nuclear system stress. In States C and D, a limitation is placed on the maximum reactor vessel pressure to establish the operating envelope for planned operations used as an input to the station safety analysis. The residual heat removal system restriction is associated with the operability of a safety system (reactor vessel and primary containment isolation control system).

5.2.7 Nuclear System Temperature Control

Limits are placed on nuclear system temperatures in all states to assure the nuclear system stresses are within limits (1-3) and are used to establish the envelope of conditions considered in the station safety analysis (1-4).

In all operating states, a limit is placed on the reactor vessel to prevent an excessive rate of change of the reactor vessel temperature to avoid excessive stress.

G-5-5 08/03/00

In States C and D, a limit is placed on the reactor vessel to prevent the reactor vessel head bolting studs from being under tension when the vessel temperature is less than the minimum temperature limit to avoid excessive stress on the reactor vessel flange. Also, where it is planned operation to use the feedwater system, a limit is placed on the reactor fuel so that the feedwater temperature is maintained within the envelope of conditions considered by the station safety analysis.

For State D, a limit is placed on the temperature differential between the recirculation system and the reactor vessel for starting the recirculation pumps to prevent excessive stress in the reactor vessel.

Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.8 Nuclear System Water Quality Control

Limits are placed on nuclear system water quality to assure the nuclear system stresses are within limits (1-3) and are used to establish the envelope of conditions considered in the station safety analysis (1-4). In all operating states, water of improper water quality could produce excessive stress as a result of chemical corrosion. Therefore, a limit is placed on reactor coolant quality (chemical) in all operating states. For States C and D, an additional limit is placed on reactor coolant activity to assure the validity of the station safety analysis of the main steam line break accident.

Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.9 Nuclear System Leakage Control

Limits are placed on excessive nuclear system leakage to assure the nuclear system stresses are within limits (1-3) and are used to establish the envelope of conditions considered in the station safety analysis (1-4).

Because excessive nuclear system leakage could occur while the reactor vessel is pressurized, limits are applied only to the reactor vessel in States C and D. Observing these limits prevents vessel damage due to excessive stress and assures adequate makeup system capability. Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.10 Core Reactivity Control

Limits are placed on reactor core reactivity to establish the envelope of conditions considered in the station safety analysis (1-4). In all operating states, limits are imposed on the control rod drive system to assure adequate control of core reactivity so that core reactivity remains within the envelope of conditions considered by the station safety analysis. In State A during a refueling outage, a limit is specified on the core loading (fuel) to assure that the core reactivity is maintained within the envelope of conditions considered by the station safety analysis. Limitations are placed on these parameters to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.11 Rod Worth Control

Any time the reactor is not shut down and is generating less than 10 percent power (States B and D), restrictions are imposed on the systems which constrain the control rod pattern to assure that the control rod worth is maintained within the envelope of conditions considered by the station safety analysis of the control rod drop accident (1-4). A limitation on the control rod drive system is provided to establish the operating envelope for planned operations used as input to the station safety analysis. Restrictions are placed on the rod worth minimizer to block the movement of an out of sequence control rod that would cause a significant pattern error. The rod worth minimizer has been reviewed in the licensing process and is classified as non-safety-related (non-essential) because it is a backup to operating procedures. The basis for the acceptability of this approach is provided in Section VII "Instrumentation and Controls."

G-5-6 08/03/00

5.2.12 Refueling Restrictions

By definition, planned operation Event 1, refueling outage, applies only to State A. Observing the limitations on the reactor fuel in coordination with the limitations on the operation of the control rod drive system is used to establish the envelope of conditions considered by the station safety analysis. The fuel handling equipment restrictions are associated with the operability of a safety system (refueling interlocks).

5.2.13 Primary Containment Temperature and Pressure Control

Limits are placed on primary containment and the suppression pool water storage in States C and D to establish the envelope of conditions considered in the station safety analysis (1-4). These limits establish the environment in which the required equipment can perform their design functions. Limits on the pressure suppression pool apply to the water temperature and water volume to assure that it has the capability of absorbing the energy discharged during the applicable safety analyses. Limitations on these parameters are used to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.14 Stored Fuel Shielding, Cooling, and Reactivity Control

Limits and restrictions are placed on new and spent fuel storage which are applicable in all operating states to assure fuel cladding integrity (1-2) and stresses are within limits (1-3) and are used to establish the envelope of conditions considered in the station safety analysis (1-4).

Observing the restrictions on the spent fuel storage positions assures that the spent fuel reactivity remains within the envelope of conditions considered by the station safety analysis. Observing the limits on water level assures shielding in order to maintain conditions within the envelope of conditions considered by the station safety analysis and provides the fuel pool cooling necessary to assure fuel cladding integrity. A limit is imposed on water temperature to avoid excessive pool stress.

A restriction is imposed on the new fuel storage arrangement to assure that the fuel storage geometry is maintained within the envelope of conditions considered by the station safety analysis. The Technical Specifications do not allow fuel storage in the new fuel storage racks.

The limitations on water level and temperature are used to establish the operating envelope for planned operations used as input to the station safety analysis.

5.2.15 Ultimate Heat Sink Availability

In States C and D, limits are placed on the river water level to assure the availability of the ultimate heat sink within the envelope of conditions considered in the station safety analysis (1-4). This limitation is used to establish the operating envelope for planned operations used as input to the station safety analysis.

G-5-7 02/05/07

5.2.16 Maintain Reactor Coolant Pressure Boundary Integrity

The reactor coolant pressure boundary functions as a radioactive material barrier in all operating states. The integrity of this barrier is maintained to limit the release of radioactivity during planned operations (unacceptable result 1-1) and provides a volume in which the core can be adequately cooled (unacceptable result 1-2).

5.2.17 Maintain Coolable Geometry

The reactor vessel internals are designed to provide correct coolant distribution and provide a floodable volume in which the core can be adequately cooled thus limiting fuel damage (unacceptable results 1-1 and 1-2). In addition, maintaining core geometry ensures that the control rod movement is not impaired (unacceptable result 1-4).

5.2.18 Initial and Extended Core Cooling

In order to support the planned operations of cooldown and refueling, the functions of initial and extended core cooling must be provided following reactor shutdown. The availability of core cooling is therefore required in BWR Operating States A and C. Providing adequate core cooling is necessary to avoid unacceptable results 1-1 and 1-2.
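The operating states named in each plant function description (Sections 5.2.1 through 5.2.18) can be cross-checked against the per-state function lists given for States B, C and D, and grouped by the state attribute that explains them. The Python below is an added example, not part of the USAR; the State A attributes (head off, shut down) and the all-state applicability of "maintain coolable geometry" are assumptions, because this section does not state them.

```python
"""Cross-check Section 5.2: per-function applicability vs. per-state lists."""
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    head_on: bool
    shut_down: bool


# B, C and D are as described in Section 5.2. State A is an ASSUMPTION
# (head off, shut down); Table G-3-1 is not reproduced in this section.
STATES = {"A": State(False, True), "B": State(False, False),
          "C": State(True, True), "D": State(True, False)}

# Operating states named in each function's own description (5.2.1 to 5.2.18).
APPLIES_IN = {
    "radioactive material release control": "ABCD",                    # 5.2.1
    "core coolant flow rate control": "D",                             # 5.2.2
    "core power level control": "BD",                                  # 5.2.3
    "core neutron flux distribution control": "D",                     # 5.2.4
    "reactor vessel water level control": "ABCD",                      # 5.2.5
    "reactor vessel pressure control": "CD",                           # 5.2.6
    "nuclear system temperature control": "ABCD",                      # 5.2.7
    "nuclear system water quality control": "ABCD",                    # 5.2.8
    "nuclear system leakage control": "CD",                            # 5.2.9
    "core reactivity control": "ABCD",                                 # 5.2.10
    "rod worth control": "BD",                                         # 5.2.11
    "refueling restrictions": "A",                                     # 5.2.12
    "primary containment temperature and pressure control": "CD",      # 5.2.13
    "stored fuel shielding, cooling, and reactivity control": "ABCD",  # 5.2.14
    "ultimate heat sink availability": "CD",                           # 5.2.15
    "maintain reactor coolant pressure boundary integrity": "ABCD",    # 5.2.16
    "maintain coolable geometry": "ABCD",  # 5.2.17 names no states: ASSUMPTION
    "initial core cooling": "AC",                                      # 5.2.18
    "extended core cooling": "AC",                                     # 5.2.18
}

# Per-state lists transcribed from Section 5.2 (";" separated, page wording).
LISTED = {
    "B": """Radioactive material release control; Core power level control;
        Reactor vessel water level control; Nuclear system temperature control;
        Nuclear system water quality control; Core reactivity control;
        Rod worth control; Stored fuel shielding, cooling, and reactivity control;
        Maintain reactor coolant pressure boundary integrity;
        Maintain coolable geometry""",
    "C": """Radioactive material release control; Reactor vessel water level control;
        Reactor vessel pressure control; Nuclear system temperature control;
        Nuclear system water quality control; Nuclear system leakage control;
        Core reactivity control; Primary containment pressure and temperature control;
        Stored fuel shielding, cooling, and reactivity control;
        Ultimate heat sink availability;
        Maintain reactor coolant pressure boundary integrity;
        Maintain coolable geometry; Initial core cooling; Extended core cooling""",
    "D": """Radioactive material release control; Core coolant flow rate control;
        Core power level control; Core neutron flux distribution control;
        Reactor vessel water level control; Reactor vessel pressure control;
        Nuclear system temperature control; Nuclear system water quality control;
        Nuclear system leakage control; Core reactivity control; Rod worth control;
        Primary containment temperature and pressure control;
        Stored fuel shielding, cooling, and reactivity control;
        Ultimate heat sink availability;
        Maintain reactor coolant pressure boundary integrity;
        Maintain coolable geometry""",
}

# The State C list words one function differently from Section 5.2.13.
ALIASES = {"primary containment pressure and temperature control":
           "primary containment temperature and pressure control"}


def canonical(name):
    """Lower-case, collapse whitespace, and apply known wording variants."""
    key = " ".join(name.lower().split())
    return ALIASES.get(key, key)


def required_functions(state):
    """Functions whose own description names this operating state."""
    return {f for f, states in APPLIES_IN.items() if state in states}


def cross_check():
    """Per state: (derived but not listed, listed but not derived)."""
    result = {}
    for state, text in LISTED.items():
        listed = {canonical(n) for n in text.split(";")}
        derived = required_functions(state)
        result[state] = (derived - listed, listed - derived)
    return result


def _where(pred):
    return frozenset(k for k, s in STATES.items() if pred(s))


CONDITIONS = {
    "all states": _where(lambda s: True),
    "head on": _where(lambda s: s.head_on),
    "not shut down": _where(lambda s: not s.shut_down),
    "shut down": _where(lambda s: s.shut_down),
    "head on and not shut down": _where(lambda s: s.head_on and not s.shut_down),
    "head off and shut down": _where(lambda s: not s.head_on and s.shut_down),
}


def classify():
    """Name the state attribute that accounts for each function's applicability."""
    by_states = {v: k for k, v in CONDITIONS.items()}
    return {f: by_states.get(frozenset(s), "unexplained")
            for f, s in APPLIES_IN.items()}


if __name__ == "__main__":
    print(cross_check())
    for function, condition in classify().items():
        print(f"{function}: {condition}")
```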

5.3 Abnormal Operational Transients

The plant functions and protection sequences for abnormal operational transients are described in the following paragraphs. The protection sequence block diagrams show the protection sequences as performed by the front-line systems. The auxiliaries for the front-line and supporting auxiliary systems are indicated in the auxiliary system diagrams (Figures G-5-1 through G-5-4). A summary of the required auxiliary systems is presented in the commonality diagrams (Figures G-5-5 through G-5-10).

The following list relates the plant functions for transients with the primary unacceptable results for transients:

| Plant Function | Related Unacceptable Result | Reason Function Required |
|---|---|---|
| Scram | 2-2, 2-3 | To satisfy the fuel cladding integrity safety limit, the reactor coolant pressure safety limit and the energy release to the suppression pool limit. |
| Pressure relief | 2-3 | To satisfy the reactor coolant pressure safety limit. |
| Core cooling | 2-2 | To assure adequate cooling of the fuel for the events that result in the loss of the normal cooling systems. |
| Reactor vessel isolation | 2-2 | To assure adequate cooling of the fuel by reducing the outflow of coolant from the reactor vessel, thereby limiting the decrease in reactor vessel water level. |
| Rod movement block | 2-2 | To satisfy the fuel cladding integrity safety limit and the increase in local heat flux limit. |

G-5-8 08/03/00

Described below are each of the abnormal operational transients identified through the NSOA process. Because the NSOA process covers the entire spectrum of potential initiating conditions, the transients considered in the NSOA can have a number of different paths depending on the potential failure modes and the systems' response considering the different initial conditions within the normal operating envelope.

The different potential paths are identified by a decision block on the protection sequence diagrams. The analysis identifies the various plant conditions which may initiate a different set of plant responses. Any plant trips or system initiations which can be attributed to the decision blocks are considered nonessential because all paths are considered by the NSOA, and the limiting case is evaluated in the station safety analysis. Thus, the failure consequences are considered in the NSOA. All of the potential paths to achieve the required plant functions are shown on the protection sequence diagrams for each transient in which they are encountered.

There are two complex paths which are encountered in a number of transients. These deserve special attention because they initiate system trips which require additional plant functions. These are the potential paths that can occur due to a high reactor water level trip and can initiate due to the operation of the high pressure water makeup systems.

A high reactor water level trip may occur in transients that involve a rapid decrease in recirculation flow, an excess of feedwater flow, or a rapid reactor depressurization. A high reactor water level trip will initiate a main turbine and feedwater turbine trip, if they were not previously lost due to the initiating event. Depending on the event sequence, the pressurization event initiated by the main turbine trip may be sufficient to operate the pressure relief system which opens the relief valves and initiates the low-low set circuitry. Also, the turbine trip will initiate a reactor scram if the reactor was not previously scrammed as a result of the initiating event. The feedwater turbine trip will cause a loss of feedwater, and the water level will decrease to the Level 2 water level setpoint unless there is operator action taken to restore and maintain water level. If the Level 2 water level setpoint is reached, the high pressure makeup systems (high pressure coolant injection [HPCI] and the reactor core isolation cooling [RCIC]) will be initiated to restore water level.

A number of protection sequences involve the operation of the high pressure makeup systems (HPCI and RCIC). Depending on the event sequence, the operation of these systems may result in a mild depressurization. If the plant is in MODE 1 and the depressurization is large enough, a reactor vessel isolation on low main steam line pressure will occur. Depending on the event sequence, the pressurization event initiated by the closure of the main steam line isolation valves may be sufficient to open the relief valves and initiate the low-low set circuitry. Also, the closure of the main steam line isolation valves will initiate a reactor scram if the reactor was not previously scrammed as a result of the initiating event.

G-5-9 08/03/00

Event 11 - Turbine Trip or Generator Load Rejection with Bypass

A turbine trip or generator load rejection with bypass can only occur in operating State D with the main turbine operating. Turbine trips (turbine stop valve closure) and generator load rejections (turbine control valve fast closure) with bypass are similar abnormal operational transients with the event severity dependent on a number of plant parameters and system configuration. However, the resulting protection sequences are basically the same. Depending on the initial reactor power level, plant functions may be required to avoid unacceptable results. Figure G-5-16 shows the protection sequences for this event.

If the reactor power level is less than 30 percent of rated power, the turbine bypass system will operate to bypass the steam generated in the reactor to the main condenser, and planned operation will continue.

The 30 percent reactor rated power bypass capability was an input parameter for the turbine power/scram bypass setpoint analysis basis from the SAR transient analysis. Below 30 percent of reactor rated power, the scram signal due to turbine control valve fast closure and turbine stop valve closure is bypassed because the Neutron Monitoring System high flux scram and high pressure scram are adequate to protect the reactor pressure vessel. Below about 25 percent of rated power, the bypass system will transfer steam around the turbine and avoid reactor scram. Between about 25 percent and 30 percent power, a high RPV pressure scram will result unless operator action can reduce power to within the bypass capacity. Reactor rated power of 30 percent is approximately equivalent to 30 percent of rated supply pressure during normal system operation (turbine bypass valves closed). In order to compensate for reduced supply pressure during bypass valve testing, the actual scram bypass setpoint is implemented at less than or equal to 25 percent of rated turbine supply pressure. Scram bypasses are described in USAR Section VII-2.3.8.

If the reactor power level is greater than 30 percent of rated power, a fast closure of the turbine control valves or closure of the turbine stop valves will initiate a reactor scram. The pressure relief system will be operated to limit the pressure increase.

If the pressure increase is sufficient, the recirculation pumps may be tripped on high reactor pressure (ATWS-RPT) which may cause a level swell sufficient to trip the feedwater pump turbines. As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. Isolation of the main steam lines may result due to low turbine inlet pressure or due to vessel Level 1 level in Mode 1. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 12 - Turbine Trip or Generator Load Rejection without Bypass

A turbine trip or generator load rejection without bypass can only occur in operating State D with the main turbine operating. Turbine trips (turbine stop valve closure) and generator load rejections (turbine control valve fast closure) without bypass are similar abnormal operational transients with the event severity dependent on a number of plant parameters and system configuration. Figure G-5-17 shows the protection sequences for this event.

G-5-10 03/28/19

If the reactor power level is greater than 30 percent, a fast closure of the turbine control valves or closure of the turbine stop valves will initiate a reactor scram. If the reactor power level is less than 30 percent, a scram will be initiated on high neutron flux or high reactor pressure. The pressure relief system will be operated to limit the pressure increase.

If the pressure increase is sufficient, the recirculation pumps may be tripped on high reactor pressure (ATWS-RPT) which may cause a level swell sufficient to trip the feedwater pump turbines. As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. Isolation of the main steam lines may result due to low turbine inlet pressure or due to vessel Level 1 level in Mode 1. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 13 - Isolation of All Main Steam Lines

Isolation of the main steam lines can result in an abnormal operational transient only in operating States C and D. In operating States A and B, the main steam lines are continuously isolated. Figure G-5-18 shows the protection sequences for this event.

Isolation of all main steam lines is most severe in operating State D during power operation. In State D with the reactor mode switch in "RUN", a scram will be initiated by the position switches on the main steam line isolation valves (MSIVs). When the reactor mode switch is not in "RUN", the event is relatively slow and the power level and pressure increase can be controlled by operator action by initiating reactor shutdown if the reactor is critical.

The pressure relief system will be operated to limit the pressure increase. The steam supply to the feedwater pump turbines is isolated due to the closure of the MSIVs. As a result of continuing water boil-off following loss of the feedwater pump steam supply, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 14 - Isolation of One Main Steam Line

Isolation of one main steam line causes a significant transient only in State D during high power operation. Scram is the only plant function required to avoid fuel damage and limit the nuclear system pressure increase.

Because the feedwater system and main condenser remain in operation throughout the event, no unique requirement arises for core cooling. As shown on Figure G-5-19, scram is initiated on high neutron flux if required for this event.

Event 15 - Loss of Condenser Vacuum

A loss of vacuum in the main condenser can occur at any time steam pressure is available and the condenser is in use; it is applicable to operating States C and D. A loss of condenser vacuum will initiate either (1) a turbine trip (turbine stop valve closure), followed by a closure of the turbine bypass valves and closure of the MSIVs or, (2) closure of the MSIVs with reactor scram. (Either sequence (1) or (2) will provide adequate protection of the condenser from an overpressure.) The severity of the transient is directly dependent upon the rate at which the vacuum is lost. In the most severe case, i.e., the extremely unlikely case of an instantaneous loss of condenser vacuum, the resulting transient will be similar to that described under "Turbine Trip with Bypass Failure." The normal loss of vacuum due to steam jet air ejector or similar problems produces a very slow rate of loss of vacuum (minutes, not seconds). For the hypothetical case with a conservative 2 inches Hg per second vacuum decay rate, the turbine bypass valve and MSIV closure would follow main turbine and feedwater trips after they initiate the transient. This transient, therefore, is similar to a normal turbine trip with bypass. In the event that the turbine stop valves have closed, the effect of MSIV closure will be minimal since the closure of main turbine stop valves and subsequently the bypass valves have already shut off the main steam line flow. Figure G-5-20 shows the protection sequences for this event.

G-5-11 08/03/00

If the reactor power level is greater than 30 percent, a closure of the turbine stop valves will initiate a reactor scram. If the reactor power level is less than 30 percent, a scram will be initiated on high neutron flux or high reactor pressure. The pressure relief system will be operated to limit the pressure increase.

The steam supply to the feedwater pump turbines is isolated due to the closure of the MSIVs. As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 16 - Loss of Feedwater Heating

Loss of feedwater heating is considered only in operating State D because significant feedwater heating does not occur in any other operating state. Scram is the only plant function required to avoid fuel damage. Because the feedwater system and main condenser remain in operation throughout the event, no unique requirement arises for pressure relief or core cooling. As shown on Figure G-5-21, scram is initiated on high neutron flux if required for this event.

Event 17 - Shutdown Cooling (RHRS) Malfunction - Temperature Decrease

A shutdown cooling malfunction causing a moderator temperature decrease must be considered in all operating states. However, this event is not considered in States C and D if the nuclear system pressure is above the pressure permissive that permits operation of the shutdown cooling mode of the RHRS. As shown on Figure G-5-22, scram due to a high neutron flux on intermediate range neutron monitors is the only plant function that may occur if the reactor is initially critical or near critical and the slow power increase from the moderator temperature decrease is not controlled by operator action. No unique requirement arises for pressure relief and core cooling because a decrease in moderator temperature will cause a decrease in pressure if the reactor vessel is not vented, and the RHRS will continue to provide core cooling.

Event 18 - Inadvertent HPCI Pump Start

An inadvertent HPCI pump start is postulated to bound the unintentional start of any nuclear system pump which can add cold water to the reactor vessel and cause a decrease in moderator temperature. This event is significant in States C and D when the reactor is pressurized. An inadvertent HPCI pump start will initiate a decrease in moderator temperature which will increase the reactor power level if the reactor is critical or near critical, decrease the reactor pressure and increase the reactor vessel water inventory.

Figure G-5-23 shows the protection sequences for this event.

If high neutron flux occurs due to the power increase or if high reactor water level initiates a turbine trip, a scram will be initiated on high neutron flux or turbine stop valve position switches, respectively. If the pressure decrease is sufficient, isolation of the main steam lines may result due to low main steam line pressure in the Run Mode. If either an isolation of the main steam lines or a turbine trip occurs, the pressure relief system may be operated to limit the pressure increase.

If high reactor water level trips the feedwater pump turbines or the steam supply to the feedwater turbines is isolated due to the closure of the MSIVs, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 19 - Control Rod Withdrawal Error

Because a control rod withdrawal error results in an increase of positive reactivity, it can occur under any operating condition and must be considered in all operating states. Figure G-5-24 shows the protection sequences for this event.

No unique plant function is required in operating States A and C because the core is more than one rod subcritical, and the complete withdrawal of the maximum worth control rod will not be sufficient to initiate criticality. In operating States B and D, the plant functions are dependent on the magnitude of the neutron flux increase. In operating States B and D in MODE 2, the withdrawal of a high worth control rod may cause a flux increase sufficient to initiate a reactor scram to terminate the power increase. In operating State D in MODE 1, the withdrawal of a high worth control rod may cause a local neutron flux increase sufficient for the rod block monitor system to initiate a control rod block to limit the local fuel power increase.

Because the feedwater system and main condenser remain in operation throughout the event, no unique requirement arises for pressure relief or core cooling.

It should be noted that the rod block monitor system has been reviewed in the licensing processes and is classified as non-safety-related (non-essential). Under specific conditions two MCPR limits are defined, for below 90 percent power and for equal to or above 90 percent power, which are 1.70 and 1.40 respectively. When the operating MCPR is below these values the plant is on a limiting control rod pattern and the rod block monitoring system must be operable. When above these values bypass is allowed. The rod block monitor system is non-essential because:

a. Radiological consequences of its failure are bounded by the control rod drop accident.
b. Transient does not affect the reactor coolant pressure boundary.

c. Effects of exceeding local MCPR limits do not inhibit safe shutdown.

Event 20 - Fuel Loading Error

The fuel loading error is the postulated occurrence of the loading of one fuel assembly in an improper location (mislocated) or in an improper orientation (rotated). Further, it is assumed that the improper loading of a fuel assembly is not discovered and corrected as a result of the core verification program, and the plant is operated throughout the operating cycle for the design core configuration. Because the fuel loading error is applicable to all modes of planned operation, it is considered in all operating states. As shown on Figure G-5-43, no unique plant functions are required for this event because the safety analysis demonstrates that no event acceptance limits are exceeded. When this event is not analyzed as an AOT per GESTAR II amendment 28, the safety analysis demonstrates that the accident acceptance limits are not exceeded.

Event 22 - Pressure Regulator Failure-Open

A pressure regulator failure causing the opening of the turbine control or bypass valves applies only in operating States C and D, because in other states the pressure regulator is not in operation. Failure of the controlling or backup pressure regulator in the open position can cause the turbine control valves to be fully opened and the turbine bypass valves to be partially opened. The increase in steam flow from this type of malfunction will initiate a reactor depressurization, a level increase due to the generation of additional voids, and a coolant inventory decrease. Depending on the magnitude of the pressure decrease or level increase as a result of this transient, plant functions may be required to avoid unacceptable results.

Figure G-5-25 shows the protection sequences for this event.

Planned operation continues if the level increase does not reach the high reactor water level trip, or if the reactor vessel depressurization does not reach the low main steam line pressure in MODE 1, or if the steam flow does not reach the high steam flow trip.

If the high reactor water level trip is reached, the main turbine and feedwater pump turbines will be tripped. If the reactor power level is greater than 30 percent, closure of the turbine stop valves will initiate a reactor scram. If a high steam flow trip or low main steam line pressure trip in MODE 1 is reached, a MSIV closure will be initiated. If a MSIV closure occurs, the position switches on the MSIVs will also initiate a scram, and the steam supply to the feedwater pump turbines will be isolated. Depending on the initial conditions and the course of the event, a scram may also be initiated on high reactor pressure or low reactor water level.

The pressure relief system will be operated to limit the pressure increase following a closure of the turbine stop valves or MSIVs.

As a result of continuing water boil-off following a trip of or isolation of the steam supply to the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 23 - Inadvertent Opening of a Relief or Safety Valve

The inadvertent opening of a relief or safety valve is considered only in operating States C and D with the reactor pressurized. The opening of a safety or relief valve will initiate a mild reactor depressurization transient and provide a path for steam discharge to the suppression pool, increasing suppression pool temperature. Depending on the assumptions incorporated into this event, plant functions may be required to avoid unacceptable results. Figure G-5-26 shows the protection sequences for this event.

In accordance with the emergency operating procedures, before the temperature in the suppression pool reaches the suppression pool temperature limit requiring initiation of pool cooling, the suppression pool cooling mode of the RHRS will be manually initiated.

If a safety valve is assumed to open in operating State D, scram may be initiated on high drywell pressure. Otherwise, the temperature in the suppression pool will continue to increase. In accordance with the emergency operating procedures, a manual scram will be initiated before the suppression pool temperature limit is reached.

The suppression pool temperature may continue to increase until the heat capacity temperature limit is exceeded. In accordance with the emergency operating procedures, a manual reactor depressurization will be initiated.

If the main condenser is assumed to be available, planned operation will continue with the reactor being depressurized using the main condenser and vessel inventory being maintained by the feedwater system until the shutdown cooling mode of the RHRS can be initiated.

If the main condenser is assumed to not be available, a MSIV closure will be initiated due to low condenser vacuum. A MSIV closure will isolate the steam supply to the feedwater pump turbines. The pressure relief system will be operated to limit the pressure increase following a closure of the MSIVs. As a result of continuing water boil-off due to the isolation of the steam supply to the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 24 - Loss of Feedwater Flow

A loss of feedwater flow can occur in operating States C and D. A loss of feedwater flow results in a net decrease in coolant inventory available for core cooling. Figure G-5-27 shows the protection sequences for this event.

In operating State D, scram will be initiated on Level 3 reactor water level. If the reactor pressure is less than the shutdown cooling pressure permissive, planned operation can continue by initiating the shutdown cooling mode of the RHRS. If reactor pressure is greater than the shutdown cooling pressure permissive, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level.

If a low main steam line pressure trip in MODE 1 is reached, a MSIV closure will be initiated which isolates the reactor vessel. The pressure relief system will be operated to limit the pressure increase following a closure of the MSIVs. If low reactor pressure in MODE 1 does not occur, pressure relief is not required because the main condenser will continue in planned operation. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 25 - Loss of Offsite Power

A loss of offsite power can occur in all operating states. A loss of offsite power will cause a loss of power to all electrically driven pumps and the reactor protection motor generator sets and, in some cases, initiate a generator load rejection. Due to the additional core voiding induced by the tripping of the recirculation pumps, the reactor water level will initially increase, and the core power level will decrease. Figure G-5-28 shows the protection sequences for this event.

In operating States B and D, scram will be initiated on either (1) turbine control valve fast closure due to a generator load rejection, (2) turbine stop valve position switches due to a turbine trip initiated by high reactor water level, (3) MSIV position switches due to closure of the MSIVs initiated on low condenser vacuum, or (4) loss of power to the reactor protection system logic initiated by the reactor protection system motor generator sets trip or coast down.

In operating States A and B and operating States C and D with the reactor pressure less than the shutdown cooling pressure permissive, pressure relief and core cooling will be accomplished through the planned operation of the shutdown cooling system.

In operating States C and D with the reactor pressure greater than the shutdown cooling pressure permissive, reactor vessel isolation will be initiated due to loss of condenser vacuum or due to loss of power to the MSIV logic following the reactor protection system motor generator sets trip or coast down. Relief valves will be opened and the low-low set circuitry initiated to limit the pressure increase following a closure of the turbine stop valves or MSIVs or fast closure of the turbine control valves. As a result of continuing water boil-off following a trip of or the isolation of the steam supply to the feedwater pump turbines or loss of the condensate pumps, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 26 - Recirculation Flow Control Failure - Decreasing Flow

A recirculation flow controller failure with a resulting decrease in recirculation flow can occur only in operating State D, because the feedwater flow interlock limits the recirculation pump speed to a minimum below a preestablished value of feedwater flow that is attainable only in power operation. A decrease in core coolant flow could be caused by a failure of an individual recirculation M/G set speed controller. The Recirculation Flow Control System is provided with a speed demand limiter which is set so that this situation cannot be more severe than the simultaneous tripping of both recirculation pumps. An individual recirculation M/G set speed controller could malfunction in such a way that the speed controller output signal changes in the direction of zero speed. This transient is similar but less severe than the trip of one recirculation pump. A failure of the recirculation flow controller can reduce recirculation flow and, consequently, core flow.

The reduction in core flow from this type of malfunction will initiate a reactor power decrease and a level increase due to the generation of additional voids. Depending on the magnitude of the level increase as a result of this transient, plant functions may be required to avoid unacceptable results. Figure G-5-29 shows the protection sequences for the failure of both flow controllers, which is the most severe scenario for this event.

If the level increase does not reach the high reactor water level trip, planned operation will continue.

If the high reactor water level trip is reached, the main turbine and feedwater pump turbines will be tripped. If the reactor power level is greater than 30 percent, closure of the turbine stop valves will initiate a reactor scram. (30 percent was an input parameter for the turbine power/scram bypass setpoint analysis basis from the SAR transient analysis. The actual scram bypass setpoint is implemented at less than or equal to 25 percent of rated turbine supply pressure. Below about 25 percent of rated power, the bypass system will transfer steam around the turbine and avoid reactor scram. Between about 25 percent and 30 percent power, a high RPV pressure scram will result unless operator action can reduce power to within the bypass capacity. Scram bypasses are described in USAR Section VII-2.3.8.) If the reactor power level is less than 30 percent of rated and high reactor water level trip is not attained, then scram could occur on Level 3 reactor water level.

The pressure relief system will be operated to limit the pressure increase, if the initial reactor power level is greater than 30 percent, or if a reactor vessel isolation occurs due to low steam line pressure in the Run Mode. As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. Isolation of the main steam lines may result due to low main steam line pressure in MODE 1. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 27 - Trip of One Recirculation Pump

A trip of one recirculation pump causing a decrease in recirculation flow applies in operating States C and D. The reduction in core flow from a trip of one recirculation pump will initiate a reactor power decrease and a level increase due to the generation of additional voids. As shown on Figure G-5-30, the plant is designed to continue planned operation during this transient and no unique plant functions are required. Should a high reactor water level be predicted to occur as a result of this transient, the protection sequences will be the same as for a trip of two recirculation pumps (Event 28).

Event 28 - Trip of Two Recirculation Pumps

A trip of two recirculation pumps causing a decrease in recirculation flow applies in operating States C and D. The reduction in core flow from a trip of two recirculation pumps will initiate a reactor power decrease and a level increase due to the generation of additional voids.

Depending on the magnitude of the level increase as a result of this transient, plant functions may be required to avoid unacceptable results.

Figure G-5-31 shows the protection sequences for this event.

If the level increase does not reach the high reactor water level trip and reactor power level is greater than 1 percent, manual scram is initiated per abnormal procedure to reduce possible abnormal neutron flux oscillations and reactor vessel thermal stratification.

It is important to note that the transient analysis does not take credit for operator actions. No scram is initiated directly by the simultaneous pump trip and the power will settle out at part-load, natural circulation conditions. As described in USAR Section XIV-5, there is essentially no increase in fuel temperature or surface heat flux during the transient. Nucleate boiling is maintained throughout the transient and no fuel damage occurs. Technical Specification 3.4.1 prevents starting recirculation pumps while the reactor is in natural circulation above 1 percent of rated thermal power. Operation in natural circulation mode, with no recirculation loops in operation, can place the reactor in a condition closer to the onset of thermal-hydraulic instabilities. However, based on the CNS submittal for adopting the BWROG Long-Term Stability System Option 1-D and operating experience, 12 hours is a reasonable time to reach Hot Shutdown from higher power conditions, in an orderly manner without challenging plant systems. This is reflected in Technical Specification 3.4.1.

If the high reactor water level trip is reached, the main turbine and feedwater pump turbines will be tripped. If the reactor power level is greater than 30 percent, closure of the turbine stop valves will initiate a reactor scram. (30 percent was an input parameter for the turbine power/scram bypass setpoint analysis basis from the SAR transient analysis. The actual scram bypass setpoint is implemented at less than or equal to 25 percent of rated turbine supply pressure. Below about 25 percent of rated power, the bypass system will transfer steam around the turbine and avoid reactor scram. Between about 25 percent and 30 percent power, a high RPV pressure scram will result unless operator action can reduce power to within the bypass capacity. Scram bypasses are described in USAR Section VII-2.3.8.) If the reactor power level is less than 30 percent of rated and high reactor water level trip is not attained, then scram could occur on Level 3 reactor water level. The pressure relief system will be operated to limit the pressure increase, if the initial reactor power level is greater than 30 percent, or a reactor vessel isolation occurs.

As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. Isolation of the main steam lines may result due to low main steam line pressure in MODE 1. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 28a - Recirculation Pump Seizure

The recirculation pump seizure event is the postulated instantaneous stoppage of one recirculation pump shaft. A seizure of a recirculation pump will cause a rapid decrease in recirculation flow and applies in operating States C and D. The reduction in core flow from a seizure of one recirculation pump will initiate a reactor power decrease and a reactor water level increase due to the generation of additional voids. Depending on the magnitude of the level increase as a result of this transient, plant functions may be required to avoid unacceptable results. Figure G-5-42 shows the protection sequences for this event.

If the level increase does not reach the high reactor water level trip, planned operation will continue.

If the high reactor water level trip is reached, the main turbine and feedwater pump turbines will be tripped. If the reactor power level is greater than 30 percent, closure of the turbine stop valves will initiate a reactor scram. If the reactor power level is less than 30 percent of rated, scram will occur on Level 3 reactor water level. The pressure relief system will be operated to limit the pressure increase if the initial reactor power level is greater than 30 percent, or a reactor vessel isolation occurs.

As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. Isolation of the main steam lines may result due to low main steam line pressure in MODE 1. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 29 - Recirculation Flow Control Failure - Increasing Flow

A recirculation flow controller failure causing an increase in recirculation flow applies only in operating State D, because the feedwater flow interlock limits the recirculation pump speed to a minimum below a preestablished value of feedwater flow that is attainable only in power operation. A failure of the recirculation flow controller can increase recirculation flow and, consequently, core flow. The increase in core flow from this type of malfunction will initiate a reactor power increase.

Depending on the magnitude of the power level increase as a result of this transient, scram is the only plant function that may be required to avoid unacceptable results. The scram is initiated on high neutron flux if required for this event. Because the feedwater system and main condenser remain in operation throughout the event, no unique requirement arises for pressure relief or core cooling. Figure G-5-32 shows the protection sequences for this event.

Event 30 - Startup of Idle Recirculation Pump

The startup of an idle recirculation pump can occur in any operating state. A startup of an idle recirculation loop will increase core flow, and the colder water entering the reactor vessel will reduce moderator temperature. The increase in core flow and reduction in moderator temperature will increase core reactivity and power level (States B and D). Depending on the magnitude of the power level increase as a result of this transient, scram is the only plant function that may be required to avoid unacceptable results.

The scram is initiated on high neutron flux if required for this event.

Because the feedwater system and main condenser remain in operation throughout the event, no unique requirement arises for pressure relief or core cooling.

Figure G-5-33 shows the protection sequences for this event.

Event 31 - Loss of Shutdown Cooling

The shutdown cooling mode of the RHRS is designed to remove decay heat at low reactor pressure at a sufficient rate to maintain MODE 4 conditions. The loss of shutdown cooling transient was initially evaluated to assess postulated system failures when operating in the shutdown cooling mode to demonstrate alternative decay heat removal capability. Since the initial assessments, the event has become the demonstration of the plant capability to attain a cold shutdown condition from full power operation considering single failures and the unavailability of offsite power. Because the capability demonstration is performed without credit for offsite power, the initiating event is generally assumed to be the long term loss of offsite power and is applicable in all operating states. Figure G-5-34 shows the protection sequences for this event.

In operating States B and D, scram will be initiated on either (1) turbine control valve fast closure due to a generator load rejection, (2) turbine stop valve position switches due to a turbine trip initiated by high reactor water level, (3) MSIV position switches due to closure of the MSIVs initiated on low condenser vacuum, or (4) loss of power to the reactor protection system logic initiated by the reactor protection system motor generator sets trip or coast down.

In operating States C and D, if the reactor was not isolated prior to event initiation, reactor vessel isolation will be initiated due to loss of condenser vacuum or due to loss of power to the MSIV logic following the reactor protection system motor generator sets trip or coast down.

In operating States C and D, if pressure relief is required, the pressure relief system will be operated to limit the pressure increase following a closure of the turbine stop valves or MSIVs or fast closure of the turbine control valves.

In operating States C or D with the reactor pressure greater than the shutdown cooling pressure permissive, and as a result of continuing water boil-off following a trip of or isolation of the steam supply to the feedwater pump turbines or loss of the condensate pumps, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition.

The following is a discussion of the protection sequences available to attain extended core cooling. It should be noted that this set of sequences bounds the required sequences for many of the protection sequence diagrams.

Once initial core cooling has been attained in operating States C and D with the pressure greater than the shutdown cooling pressure permissive and the main condenser unavailable, the suppression pool temperature will continue to increase due to the transfer of decay heat to the suppression pool. The suppression pool cooling mode of the RHRS will be initiated by operator action in accordance with the emergency operating procedures before the suppression pool temperature limit is reached. If the operation of the suppression cooling mode of the RHRS terminates the temperature increase, extended core cooling has been accomplished.

If the suppression pool temperature continues to increase or the plant was initially in operating States C or D with the pressure less than the shutdown cooling pressure permissive, manual operation of the automatic depressurization is required in accordance with the emergency operating procedures if the heat capacity temperature limit is exceeded to reduce the reactor pressure to assure the continued availability of the suppression pool.

At this point, the operator can attempt to establish the shutdown cooling mode of the RHRS regardless of the initial operating state. If the shutdown cooling mode of the RHRS is available, planned operation will continue. If the shutdown cooling mode of the RHRS is not available, extended core cooling can be attained by manually initiating the core spray system or low pressure coolant injection (LPCI) mode of the RHRS to maintain coolant inventory. ADS is used to transfer decay heat from the reactor vessel to the suppression pool in operating States C and D, and the suppression pool cooling mode of the RHRS to transfer the decay heat from the suppression pool to the ultimate heat sink.

As a demonstration of additional capability, the protection sequence for an assumed unavailability of the high pressure makeup systems is shown. For this case, extended core cooling is provided by the operator manually initiating operation of the ADS based on low reactor water level in accordance with the emergency operating procedures followed by operation of the core spray system or the LPCI mode of the RHR system to restore and maintain coolant inventory. The suppression pool cooling mode of the RHR system will be initiated in accordance with the emergency operating procedures by operator action when the suppression pool temperature limit is reached to provide a path for the transfer of decay heat to the ultimate heat sink.

Event 32 - Feedwater Controller Failure-Maximum Demand

A feedwater controller failure causing an excess coolant inventory in the reactor vessel is possible in operating States C and D. The increase in reactor vessel inventory will initiate a reactor power increase due to a reduction in moderator temperature. Depending on the magnitude of the power and level increase as a result of this transient, plant functions may be required to avoid unacceptable results. Figure G-5-35 shows the protection sequences for this event.

If the level increase does not reach the high reactor water level trip and the power increase does not reach the high neutron flux trip, planned operation will continue.

If the high reactor water level trip is reached, the main turbine and feedwater pump turbines will be tripped. In operating State D, if a high neutron flux trip setpoint is reached or the reactor power level is greater than 30 percent and a turbine trip occurs, the neutron monitoring system or the position switches on the turbine stop valves will initiate a reactor scram. The pressure relief system will be operated to limit the pressure increase, if the initial reactor power level is greater than 30 percent, or a reactor vessel isolation occurs.

As a result of continuing water boil-off following a trip of the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. Isolation of the main steam lines may result due to low main steam line pressure in MODE 1. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

5.4 Accidents

The plant functions and protection sequences for accidents are described in the following paragraphs. The protection sequence block diagrams show the protection sequences as performed by the front-line systems. The auxiliaries for the front-line systems are indicated in the auxiliary system diagrams (Figures G-5-1 through G-5-4) and the commonality of auxiliary diagrams (Figures G-5-5 through G-5-10).

The following list relates the plant functions for accidents with the primary unacceptable results:

Plant Function | Related Unacceptable Result | Reason Function Required
Scram | 3-2, 3-3, 3-4 | To satisfy the fuel, reactor coolant pressure, and containment design limits applicable to accidents.
Pressure relief | 3-3 | To satisfy the reactor coolant pressure limits applicable to accidents.
Core cooling | 3-2 | To satisfy fuel limits applicable to accidents.
Reactor vessel isolation | 3-1, 3-5 | To satisfy the guideline dose values of 10CFR100 or 10CFR50.67 and to satisfy the radiation exposure limits to plant personnel.
Establish and maintain primary containment | 3-1, 3-5 | To satisfy the guideline dose values of 10CFR100 or 10CFR50.67 and to satisfy the radiation exposure limits to plant personnel.
Establish secondary containment | 3-1, 3-5 | To satisfy the guideline dose values of 10CFR100 or 10CFR50.67 and to satisfy the radiation exposure limits to plant personnel.
Containment cooling | 3-4 | To satisfy containment design limits applicable to accidents.
Stop rod ejection (passive) | 3-2 | To satisfy fuel limits applicable to accidents.
Restrict loss of reactor coolant (passive) | 3-2 | To satisfy fuel limits applicable to accidents.
Control room environmental control | 3-5 | To satisfy the radiation exposure limits to plant personnel.
Limit reactivity insertion rate (passive) | 3-2, 3-3 | To satisfy the fuel and reactor coolant pressure limits applicable to accidents.

Described below are each of the accidents identified through the NSOA process. Because the NSOA process covers the entire spectrum of potential initiating conditions, the accidents considered in the NSOA can have a number of different paths depending on the potential failure modes and the systems response considering the different initial conditions within the normal operating envelope.

The different potential paths can be identified by a decision block on the protection sequence diagrams. The analysis identifies the various plant conditions which may initiate a different set of plant responses. Any plant trips or systems initiations which can be attributed to the decision blocks are considered nonessential because all paths are considered by the NSOA, and the limiting case is evaluated in the station safety analysis. Thus, the failure consequences are considered in the NSOA. All of the potential paths to achieve the required plant functions are shown on the protection sequence diagrams and for each accident in which they are encountered.

Event 40 - Control Rod Drop Accident

The control rod drop accident is the postulated separation of the control rod blade from the control rod drive, with the blade sticking in the fully-inserted position while the drive is withdrawn until a high worth control rod pattern is achieved, followed by the dropping of the blade to the control rod drive position. The control rod drop accident is applicable only in operating State D. The control rod drop accident is not considered in operating State B because the rod coupling integrity is checked on each rod to be withdrawn if more than one rod is to be withdrawn. No plant functions are required in operating States A and C because the reactor is more than one rod subcritical. The postulated dropping of a control rod may result in a high local reactivity and power increase. Figure G-5-36 shows the protection sequences for this event.

The rate of reactivity addition is limited by the control rod velocity limiter and, for postulated failures of the control rod drive housing, rod ejection is stopped by the control rod drive housing supports.

Scram is initiated on high neutron flux. The remainder of the protection sequences are dependent on the conditions predicted to occur during the accident.

Closure of the Reactor Water Sample Valves and isolation of the mechanical vacuum pumps may be initiated due to high main steam line radiation due to the predicted fuel rod failures to control radioactive material release.

If the activity release reaches a preestablished value, operator action will be taken to close the containment isolation valves and establish primary containment and reactor vessel isolation.

If reactor vessel isolation is required, the pressure relief system will be operated to limit the pressure increase following a closure of the MSIVs. As a result of continuing water boil-off following isolation of the steam supply to the feedwater pump turbines, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 41 - Pipe Breaks Inside Containment

The loss of coolant accident (LOCA) is the postulated pipe break of any size pipe in the nuclear system process barrier located inside the primary containment up to and including the double-ended rupture of the largest pipe. A pipe break inside the primary containment will cause a reduction in reactor vessel water inventory and discharge of the reactor coolant to the primary containment. Because a pipe break inside the primary containment is only postulated to occur when the reactor is significantly pressurized, it can only occur in operating States C and D with the reactor pressure greater than the shutdown cooling pressure permissive. Figures G-5-37 and G-5-38 show the protection sequences for this event.

A scram is initiated on high drywell pressure or Level 3 reactor vessel water level in operating State D. High drywell pressure or Level 3 reactor water level will initiate closure of the Group 2 containment isolation valves. A Level 2 reactor water level signal will isolate RWCU. High drywell pressure or Level 2 reactor water level will initiate isolation of the secondary containment, starting of the standby gas treatment system and initiation of the control room emergency filtration system. Level 1 reactor water level will initiate closure of the MSIVs to complete the primary containment isolation. The remainder of the protection sequences are dependent on the conditions predicted to occur during the accident.

If reactor vessel pressure increases as a result of the system's performance, the pressure relief system will be operated to limit the pressure increase.

As a result of the loss of reactor coolant, operation of the emergency core cooling systems is required to provide extended core cooling.

For small breaks not disabling the HPCI, initial core cooling is provided by operation of the HPCI by itself or operation of the ADS to depressurize the reactor vessel followed by operation of the LPCI mode of the RHRS and core spray systems. For intermediate breaks not disabling the HPCI, initial core cooling is provided by operation of the HPCI which also acts to depressurize the reactor vessel or operation of the ADS to depressurize the vessel followed by operation of the LPCI and core spray systems. For small and intermediate breaks disabling the HPCI, initial core cooling is provided by operation of the ADS to depressurize the reactor vessel followed by operation of the LPCI and core spray systems. Drywell spray is used to limit containment temperature.

If the ADS is not required to accomplish initial core cooling for small and intermediate breaks, the reactor vessel may remain pressurized and the suppression pool temperature may continue to increase. If the suppression pool temperature reaches the heat capacity temperature limit, operator action will be taken in accordance with the emergency operating procedures to open the ADS valves to allow the LPCI or core spray systems to operate to attain extended core cooling. If the ADS is required for initial core cooling, the reactor is sufficiently depressurized to allow the LPCI or core spray systems to attain extended core cooling.

For large breaks, the reactor vessel will depressurize as a result of the break, and the LPCI and core spray systems will provide initial core cooling. Following initial core cooling for large breaks, the reactor vessel will remain depressurized and allow the LPCI or core spray systems to attain extended core cooling. Large breaks in the recirculation system will result in reactor vessel level stabilizing at the top of the jet pumps (two-thirds core height). For these breaks a core spray system is required to provide long-term core cooling. In the event of recirculation suction line break, the recirculation pump discharge valves have a credited safety function to close.

As a result of the energy transferred to the suppression pool, the suppression pool temperature will increase until the suppression pool temperature limit is reached. Operator action will be taken to initiate the suppression pool cooling mode of the RHRS to limit the pool temperature and containment pressure increase and to transfer the decay heat to the ultimate heat sink.

If a reactor low water level (Level 3) or a high drywell pressure and/or a reactor building isolation due to a ventilation radiation monitor trip occurs, automatic action will change the operating mode of the control room ventilation system to establish control room environmental control.

After indication of fuel damage (high drywell pressure and high drywell radiation), operator action will be taken within 6 hours to initiate SLC injection in order to control the suppression pool pH.

Event 42 - Fuel Handling Accident

The fuel handling accident is the postulated accidental dropping of a fuel assembly onto the top of the core or spent fuel assemblies in the spent fuel pool. Because a fuel handling accident can potentially occur any time when fuel assemblies are being manipulated, either over the core (operating State A only) or in the spent fuel pool, this accident is considered in all operating states. Figure G-5-39 shows the protection sequences for this event.

The reactor building isolation ventilation radiation monitoring system will initiate the control room emergency filtration system. Automatic action will change the operating mode of the control room ventilation system to establish control room environmental control.

The RPV water level is maintained at least 21 feet above the top of RPV flange per Technical Specification 3.9.6 and the spent fuel pool is maintained at the specified water level per Technical Specification 3.7.6.

If the plant is in shutdown cooling mode with the RHR Service Water Booster Pumps (RHRSWBPs) stopped and a Fuel Handling Accident were to occur, the RHRSWBPs must start to maintain the pressure in the Service Water side of the RHR heat exchanger above the pressure in the RHR side. This positive pressure establishes river water environmental control.

Event 43 - Pipe Breaks Outside the Primary Containment

Pipe breaks outside the primary containment include the postulated break of any size pipe in the nuclear system process barrier located outside the primary containment up to and including the break of a main steam line. A pipe break outside the primary containment will initially cause a reduction in reactor vessel water inventory and discharge of the reactor coolant to the environment. Because a pipe break outside the primary containment is only postulated to occur when the reactor is significantly pressurized, it can only occur in operating States C and D with the reactor pressure greater than the shutdown cooling pressure permissive. Figures G-5-40 and G-5-41 show the protection sequences for this event.

In operating State D and depending on the event sequence, break size and availability of offsite power, scram may be initiated on Level 3 reactor vessel water level, the MSIV position switches, the turbine stop valve position switches or on turbine control valve fast closure. Scram may also be initiated on RPS M-G set coastdown for postulated concurrent LOOP for the MSLB event. If scram does not automatically occur, operator action will be taken to scram the reactor in accordance with the emergency operating procedures for secondary containment control.

The pipe break is isolated by various mechanisms depending on the break size and location. For large breaks, low reactor water level, system high flow or high area temperature will close the system valves as required.

For small breaks, an entry condition requiring secondary containment control (building differential pressure, area temperature, building ventilation exhaust radiation, area radiation or area water level) will be satisfied and operator action will be taken to initiate reactor vessel isolation.

For large breaks in the main steam line, the flow restrictors will restrict the rate of reactor coolant loss until the MSIVs are closed.

If reactor vessel pressure increases as a result of the system isolation, the pressure relief system will be operated to limit the pressure increase.

If feedwater is available, core cooling will be provided through the planned operation of the feedwater system. If feedwater is lost, the initial loss of reactor coolant and the subsequent water boil-off will require operation of the emergency core cooling systems to provide core cooling. For breaks not disabling the HPCI and not in the RHRS shutdown cooling system, initial core cooling is provided by operation of the HPCI by itself or by operator action in accordance with the emergency operating procedures on low reactor water level to initiate operation of the ADS to depressurize the reactor vessel followed by operation of the LPCI mode of the RHRS and core spray systems. For breaks disabling the HPCI, core cooling is provided by operator action in accordance with the emergency operating procedures on low reactor water level to initiate operation of the ADS to depressurize the reactor vessel, followed by operation of the LPCI and core spray systems. For breaks in the RHRS shutdown cooling system, initial core cooling is provided by operator action in accordance with the emergency operating procedures on low reactor water level to initiate operation of the LPCI and core spray systems followed by operation of the ADS to depressurize the reactor vessel.

If the ADS is not required to accomplish initial core cooling, the reactor vessel may remain pressurized and the suppression pool temperature may continue to increase. If the suppression pool heat capacity temperature limit is reached, operator action will be taken in accordance with the emergency operating procedures to open the ADS valves to depressurize the reactor and allow the LPCI or core spray systems to operate to attain extended core cooling.

If the ADS is required for initial core cooling, the reactor is sufficiently depressurized to allow the LPCI or core spray systems to attain extended core cooling.

As a result of the energy transferred to the suppression pool, the suppression pool temperature will increase until the temperature reaches the primary containment control entry condition in the emergency operating procedures. Operator action will be taken to initiate the suppression pool cooling mode of the RHRS to limit the pool temperature and containment pressure increase and to transfer the decay heat to the ultimate heat sink.

Note that in the event of a Main Steam Line Break accident, the CREF and SGT systems are not credited for performing the system safety functions (see Section XIV-6.5). However, in the event that the overpressure condition in the Turbine Building does not damage the control room penetration seals, the CREF system will be available to reduce operator dose. Likewise, in the event that the break does not release steam outside the secondary containment, the SGT system will function to reduce operator dose. Both CREF and SGT systems are also available to mitigate a lesser pipe break event.

5.5 Special Events

Special events are postulated to demonstrate some special capability of the plant, generally to demonstrate conformance to the regulations or to industry codes and standards. As such, special events do not belong in any of the other event categories. The plant functions shown on the protection sequence diagrams for special events follow directly from the requirement to demonstrate the special plant capability.

Event 60 - Shutdown from Outside Control Room

The control room is designed to be continuously occupied by qualified operating personnel. There is no identified scenario which would lead to evacuation of the control room. However, reactor shutdown from outside the control room is an event which is evaluated to demonstrate the capability of the plant to reach a safe shutdown condition independent of the control room as required by the regulations. The event is applicable to any operating state. Figure G-5-44 shows the protection sequences.

In State A, no sequence is shown because the reactor is already in a safe shutdown condition.

In States B and D, reactor shutdown is required. In accordance with plant procedures, this can be accomplished by manually de-energizing the reactor protection system power supply to scram the control rods.

In States C and D, the MSIVs will be closed to isolate the reactor vessel, due to the de-energizing of the power supply to the reactor protection system logic which also provides the power supply to the MSIV logic. As a result of the MSIV closure reactor pressure may increase and the pressure relief system will be operated to limit the pressure increase.

In States C and D with the reactor pressure greater than the HPCI steam line isolation pressure, the HPCI system can be started on Level 2 reactor water level and controlled locally to maintain water level. The RHRS suppression pool cooling mode will be initiated by operator action to transfer decay heat to the ultimate heat sink. Manual operation of ADS valves is used to complete the cooldown and depressurization.

Extended core cooling is established using RHR pumps in the LPCI mode to fill the vessel with water and pressurize the vessel sufficiently to provide a return path to the suppression pool through the pressure relief system.

Event 61 - Shutdown Without Control Rods

Shutdown without control rods is a special event which demonstrates the capability of the standby liquid control system to shut the reactor down without any movement in the control rods. There is no identified failure mechanism which would lead to a failure of all control rods. However, reactor shutdown independent of control rods is an event which is evaluated to demonstrate the capability of the plant to shut down independent of control rods as required by the regulations. By definition, this event can only occur when the reactor is not already shut down. Therefore, this event is considered only in operating States B and D. Figure G-5-45 shows the protection sequence for this event.

In States B and D, a limit is assumed to be reached requiring reactor shutdown and the control rods cannot be inserted. The standby liquid control system will be initiated by operator action in accordance with the emergency operating procedures to inject sufficient sodium pentaborate into the reactor to enable a cold shutdown condition to be attained. This action completes reactor shutdown without control rods.

The standby liquid control system is designed to provide backup capability for reactivity control to satisfy 10CFR50 Appendix A, General Design Criterion 26.

Event 62 - Anticipated Transients Without Scram (ATWS)

The evaluation of anticipated transients without scram (ATWS) is provided to demonstrate compliance with the regulations. For this event, it is assumed that the plant is operating in a planned operating mode and a transient occurs which reaches a protection system setpoint and a scram fails to occur. By definition, this event can only occur when the reactor is in power operation. Therefore, this event is considered only in operating State D. Figure G-5-46 shows the protection sequence for this event.

Initial negative reactivity insertion is accomplished by tripping of the recirculation pumps through the ATWS recirculation pump trip (RPT) circuitry on high reactor pressure or Level 2 reactor water level. In response to exceeding an automatic scram setpoint without a scram occurring, operator action would attempt to insert control rods by initiation of a manual scram followed by manual initiation of Alternate Rod Insertion (ARI). If control rods do not insert and the event is adding significant energy to the suppression pool, operator action will be taken to initiate the standby liquid control system. Sufficient sodium pentaborate will be injected into the reactor to enable a cold shutdown to be attained. This action completes reactor shutdown.

If the event results in a significant pressurization of the reactor vessel, the pressure relief system (safety relief valves and safety valves) will be actuated to provide pressure relief.

If the event results in significant energy addition to the suppression pool, the suppression pool temperature will increase until the suppression pool temperature limit is reached. Operator action will be taken to initiate the suppression pool cooling mode of the RHRS to limit the pool temperature and containment pressure increase and to transfer the heat to the ultimate heat sink.

If the event results in loss of feedwater, the high pressure makeup systems (HPCI and RCIC) will initiate on Level 2 water level to restore level. At this point, initial core cooling has been accomplished, and operator action is required to reach a stable cold shutdown condition. The protection sequences to reach MODE 4 are bounded by the sequences provided for the loss of shutdown cooling (Event 31).

Event 63 - Station Blackout

The evaluation of Station Blackout is provided to demonstrate compliance with 10CFR50.63. A Station Blackout is defined as a complete loss of offsite AC power concurrent with a turbine trip and the unavailability of the onsite AC power source. These conditions can only occur in Operating State D. Figure G-5-47 shows the protection sequence for this event.

A scram will be initiated on either (1) turbine control valve fast closure due to a generator load rejection, (2) turbine stop valve position switches due to a turbine trip initiated by high reactor water level, (3) MSIV position switches due to closure of the MSIVs initiated on low condenser vacuum, or (4) loss of power to the reactor protection system logic initiated by the reactor protection system motor generator sets trip or coast down.

Reactor vessel isolation will be initiated due to loss of condenser vacuum or due to loss of power to the MSIV logic following the reactor protection system motor generator sets trip or coast down. Relief valves will be opened and the low-low set circuitry initiated to limit the pressure increase following a closure of the turbine stop valves or MSIVs or fast closure of the turbine control valves. As a result of continuing water boil-off following a trip of or the isolation of the steam supply to the feedwater pump turbines or loss of the condensate pumps, the high pressure makeup systems (HPCI and RCIC) will be initiated on Level 2 water level to restore water level. With level restored, HPCI is manually secured and RCIC is manually controlled to maintain reactor water level within for the rest of the 4-hour coping duration.

5.6 Remainder of Nuclear Safety Operational Analysis

With the information presented on the protection sequence block diagrams, the auxiliary systems diagrams, and the commonality of auxiliary systems diagrams, it is possible to determine the exact functional hardware requirements for each system. This is done by considering each event in which the system is employed. This activity establishes the nuclear safety and operational requirements. These requirements, limits and restrictions are established for system components to assure that the required actions can be achieved within those established for the system by the plant functions. The remainder of the activities associated with the NSOA are then dependent on the specific purpose to be accomplished.


6.0 CONCLUSION

It is concluded that the nuclear safety operational criteria are satisfied when the plant is operated in accordance with the nuclear safety and operational requirements identified through the performance of the Nuclear Safety Operational Analysis. In addition, the system level safety requirements can be used to determine the system classifications of safety-related or non-safety-related (essential or non-essential).
