NOT PROTECTIVELY MARKED. REDACTED PUBLIC VERSION HPC PCSR3 Sub-chapter Normal Operation NNB GENERATION COMPANY (HPC) LTD


HPC PCSR3 Sub-chapter Page No.: i / iv NNB GENERATION COMPANY (HPC) LTD

HPC PCSR3: CHAPTER 18 HUMAN FACTORS AND OPERATIONAL ASPECTS

SUB-CHAPTER 18.2 NORMAL OPERATION

{ PI Removed }

Published in the United Kingdom by NNB Generation Company (HPC) Limited, 40 Grosvenor Place, Victoria, London SW1X 7EN. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, without the written permission of the copyright holder NNB Generation Company (HPC) Limited, application for which should be addressed to the publisher. Such written permission must also be obtained before any part of this publication is stored in a retrieval system of any nature. Requests for copies of this document should be referred to NNB Generation Company (HPC) Limited, 40 Grosvenor Place, Victoria, London SW1X 7EN. The electronic copy is the current issue and printing renders this document uncontrolled.

APPROVAL SIGN-OFF: DOCUMENT CONTROL REVISION HISTORY { PI Removed } { PI Removed } { PI Removed }

Text within this document that is enclosed within brackets { } is Sensitive Nuclear Information, Sensitive Commercial Information or Personal Information and has been removed.

TABLE OF CONTENTS

- 1. INTRODUCTION
- PRINCIPLES OF NORMAL OPERATION
  o GENERAL REMARKS
  o REACTOR SHUTDOWN
  o DRAINING AND OPENING THE PRIMARY SYSTEM
  o CORE UNLOADING
  o CORE RELOADING
  o CLOSING AND FILLING THE PRIMARY COOLANT SYSTEM
  o HEATING THE PRIMARY COOLANT
  o FROM HOT SHUTDOWN TO POWER OPERATION
  o POWER OPERATION
  o LOAD FOLLOWING
  o FREQUENCY SENSITIVE MODE
  o STRETCH-OUT OPERATION
  o SPECIFIC OPERATIONS
- OPERATING PROCEDURES, STANDARD REACTOR STATES AND OPERATING LIMITS [REF. 3]
  o NORMAL OPERATING PROCEDURES
  o NORMAL OPERATING DOCUMENTS (a discussion of human factors considerations for normal operating documents is provided in Sub-chapter 18.1)
  o INTERFACES WITH OPERATING PROCEDURES FOR FAULT OPERATION
- DESIGN AND OPERATING LIMITS AND CONDITIONS [REF. 5]
  o OPERATING TECHNICAL SPECIFICATIONS
  o CHEMICAL AND RADIOCHEMICAL SPECIFICATIONS
  o LOADING CONDITIONS ACCOUNTING [REF. 6] TO [REF. 8]
  o SAFETY ANALYSIS BOUNDING LIMITS AND FUEL DESIGN LIMITS
- PERIODIC TESTING [REF. 5]
  o GENERIC PRINCIPLES FOR PT PRODUCTION
  o GENERIC PROCESS OF PT PRODUCTION
  o 5.3. DEFINITION OF RULES AND REQUIREMENTS FOR PT
  o CORE PHYSICS TESTS (RELOADING TESTING)
- IN-SERVICE INSPECTION AND MAINTENANCE
  o IN-SERVICE INSPECTION
  o MAINTENANCE AND EQUIPMENT RELIABILITY
- REFERENCES

SUB-CHAPTER 18.2 NORMAL OPERATION

1. INTRODUCTION

The Pre-Construction Safety Report (PCSR) aims to demonstrate that the UK EPR achieves the fundamental objective that the radiological risk to workers and the public is As Low As Reasonably Practicable (ALARP), which is the basic legal requirement underpinning UK nuclear safety regulations.

The protection of the public and the environment from radioactive substances is ensured by three successive barriers: the fuel cladding, the reactor coolant pressure boundary and the containment building. Provisions apply to each barrier according to the defence in depth concept, to avoid its failure and to limit the consequences of its failure, if any. The PCSR presents a detailed description of these provisions. It presents a description of the architecture of the EPR systems, their safety functions, robustness and availability requirements, and an explanation of the design codes and standards that are used in the design.

Fault analyses are presented to demonstrate the adequacy of the design against all potential faults threatening the integrity of one of the three barriers. They include the Design Basis Analysis (DBA) (Plant Condition Category (PCC), see Sub-chapters 14.1 to 14.4), analysis of multiple failure events (Design Extension Condition (DEC)-A and DEC-B, see Sub-chapters 14.5 to 14.6), Primary and Secondary Overpressure analysis (see Sub-chapter 3.4, section 1.5), in-containment mass and energy release analysis (see Sub-chapter 6.1 and Appendix 6A) and Probabilistic Safety Assessment (PSA) (see Chapter 16).

The PCSR aims to demonstrate, prior to commencement of construction, that sufficient analysis and engineering substantiation has been performed to give high confidence that the declared safety objectives of the UK EPR are met. The PCSR contains assumptions and requirements necessary to ensure the results claimed in the overall safety case. Operating documents will have to be defined in order to ensure the plant is operated consistently with these assumptions and requirements.

This sub-chapter outlines the process that will provide design limits and conditions for the UK EPR. It details the arrangements for moving the PCSR to an operating mode which will ensure that the requirements and assumptions contained in the PCSR are captured in operating documents.

There are several sources of parameters and values in the PCSR which form the design limits and conditions:

- Regarding systems design, claims typically are made on structural integrity in terms of the loading conditions systems will have to face (thermal-hydraulic conditions in circuits and buildings, nature and number of transients to meet) and chemical provisions in circuits.
- Regarding faults, claims are made for each plant state on thermal-hydraulic conditions in circuits, system performance, system availability, neutronic parameters, etc.

Depending on the nature of these parameters, they will be captured in different operating documents, as described in this sub-chapter.

The information presented in PCSR Sub-chapter 14.1 details the plant characteristics that apply to accident analyses. These characteristics, which are specific to a particular accident analysis, are specified in the section describing the accident analysis. That information establishes some preliminary limits and conditions applicable at this stage of the HPC EPR design.

Information such as plant initial conditions is reflected in the Operating Technical Specification (OTS) documents, and system performance characteristics are analysed in periodic testing documentation. By presenting, in this sub-chapter, the process steps followed in the design of the EPR and the parameter values, such as initial conditions and system performance requirements, a link is made between the assumptions and requirements included in the EPR design and the information provided to the Licensee, who will be responsible for defining and developing operating documents to ensure the plant is operated consistently with these assumptions and requirements. The on-going role of the Responsible Designer in support of the Licensee is described in Chapter 22. Human Factors (HF) considerations relating to operating documents are discussed in Sub-chapter .

The detailed analysis to capture the safety limits in the operational documentation will be finalised as the HPC reference design is completed and will be provided in a format that allows the required safety limits to be compared with the operational documentation.

One of the key elements of the EPR design approach is the use of Safety Features (SF). An SF is a group of components, actuated manually, automatically or passively, usually belonging to the same system, which contributes to the achievement of a Lower Level Safety Function (LLSF) (see Sub-chapter 3.2). The functional analysis [Ref. 2] of the requirements on these SFs provides a basis on which certain operational documents will be developed. Information on system functional requirements for individual systems is presented in the relevant sub-chapters of the PCSR.

During normal operation the plant must be operated:

- to manage normal scheduled operating transients and certain specific operations involving unplanned events (abnormal operation such as house load, for instance), and
- in a manner consistent with the assumptions of the safety case, i.e. within the safety limits established for the plant.

The first objective is achieved using the principles and procedures for normal operation described in sections 2 and 3 of this sub-chapter, respectively. The second objective is achieved by establishing operating rules applicable in normal operation. The operating rules are developed in the following documentation:

- The OTS: The general objective of the OTS is to set out the rules which must be observed during normal operation of the nuclear plant in order to keep it within the operating domain limits justified by the safety analyses presented in the safety report. The OTS are described in section 4 below.
- Chemical and Radiochemical Specifications: Chemical and radiochemical parameters are controlled and monitored in order to ensure that the safety analyses presented in the safety report are complied with. These parameters are principally related to control of coolant activity, material structural integrity (particularly for the pressure boundary), fuel performance and integrity, limitation of out-of-core radiation fields and any releases as a result of fault conditions. The Chemical and Radiochemical Specifications are described in section 4 below.
- Accounting of Loading Conditions: The mechanical design of pressurised nuclear equipment is based on the analysis of primary and secondary component and piping integrity against different damage mechanisms. This demonstration of integrity must take into account normal operating conditions, incident operating conditions and accident and post-accident conditions. Accounting of loading conditions is a process for the counting and characterisation of transients in order to verify that the number of loading conditions taken into account for the mechanical design of pressurised nuclear equipment is not exceeded. The accounting of loading conditions is described in section 4 below.
- Safety Analysis Bounding Limits and Fuel Parameters: The bounding values of neutronic parameters defined in the nuclear design section (see Sub-chapter 4.3) are presented in a schedule of the safety analysis bounding limits along with the assessment methodology for these neutronic parameters. Typical key limits captured in these are bounding neutronic parameters taken into account in fault studies. Some key limits vary with fuel load. Key limits associated with a particular fuel load must be verified by the Licensee to ensure that they remain within the safety analysis bounding limits. The safety analysis bounding limits and fuel design limits are described in section 4 below.
- Periodic Tests (PTs): The objective of PTs is to verify that, for the SFs, the safety criteria defined at the design stage are achieved over the whole of the plant operating lifetime. The tests are carried out according to preset frequencies, procedures and plant configurations. PTs are described in section 5 below.
- In-service inspection and maintenance tests: Maintenance is defined as the actions carried out to establish and maintain high levels of system, equipment and structure reliability to support the performance of their safety duty (consistent with the OTS), while meeting availability and ALARP objectives, and complying with the rules for environmental protection, personnel safety, radiological protection and other regulatory requirements, over the lifetime of the plant. The in-service inspection and maintenance tests are identified in section 6 below.

The safety case in the PCSR provides the main operating limits which bound the operating documents that will need to be put in place before the plant is commissioned and placed into service. Section Figure 1 illustrates the generic design phase sources of limits and conditions and indicates the interface between the design phase and the operating phase. It does not present the interfaces between operational documentation because of the complexity of such interfaces and their dependence on the format chosen by the Licensee.

The documentation detailed in Section Figure 1 will form the core of the operating rules that will apply to HPC, supported by operating procedures and the HPC organisational structure. As these operating rules and their application framework are not yet fully developed, they will not be discussed further in this report.

2. PRINCIPLES OF NORMAL OPERATION

2.1. GENERAL REMARKS

Normal operation comprises:

- power operation and normal scheduled operating transients such as increases in load, reductions in load, plant shutdown or start-up, and
- specific operations due to unplanned events, such as house load operations or loss of power sources.

With the exception of refuelling shutdowns, the plant can be shut down for long or short periods for operations involving maintenance or repair, fuel saving or power grid management. The shutdown mode, i.e. hot shutdown or the Safety Injection System operating in Residual Heat Removal Mode (RIS/RRA [SIS/RHRS]) shutdown, will depend on the nature of the intervention and on the shutdown duration. During prolonged operation at hot shutdown, the boron concentration in the primary circuit, which ensures the required shutdown margin, is adjusted according to the fuel burnup and the duration of the shutdown. A switchover to cold shutdown enables refuelling operations and maintenance or repair operations which require the unit to be at cold shutdown.

The main operating principles are set out below in chronological order, from reactor shutdown at the end of the fuel cycle through to power operation at the beginning of the following fuel cycle. Operation with an extended cycle is also described.

Planned shutdown evolutions still present a significant challenge to core safety, especially when the reactor coolant system is depressurised or contains low levels of inventory. During station normal operation HPC will apply industry operational best practices in the positive control of plant at all stages from reactor at power to plant shutdown and depressurised.

REACTOR SHUTDOWN

The initial mode considered is the state of the reactor during power operation at the end of a fuel cycle. Unit shutdown begins with a reduction in the turbine load. The power level for disconnection from the grid and turbine shutdown will depend on the turbine generator unit chosen. The control rod system is switched from average temperature control mode to "flux level control" mode at 25% Nominal Power (NP). The turbine can be disconnected from the grid below 25% NP. The load is then automatically transferred to the Main Steam Bypass system (GCT [MSB]).

The control rods are inserted manually from 5% NP to shut down the reactor. The primary coolant temperature is controlled through the control of the pressure on the secondary side by the GCT [MSB] system, and the control of reactor power with the control rods (in automatic or manual mode). The steam generators continue to be fed and their water level is controlled by the feedwater pumps (the Motor-driven FeedWater Pump System (APA [MFWPS]) or the Startup and Shutdown feedwater System (AAD [SSS])) and the Main FeedWater System (ARE [MFWS]). The primary system is borated to maintain the required shutdown margin. Hot shutdown tests and inspections are carried out. Whilst cooling, the turbine is on its barring gear.

The primary system is then cooled to approximately 120°C by the GCT [MSB] system, using the four primary pumps to circulate primary fluid through the Steam Generator (SG) tubes. The maximum cooling rate is 50°C per hour. At the same time, the primary pressure is reduced by normal pressuriser spray to approximately 25 bar a, whilst ensuring the required saturation margin. An automatic sequence ensures simultaneous cooling and depressurisation of the primary system, and boration is carried out in parallel.

At 120°C and 25 bar, RIS [SIS] trains 1 and 4 are connected and started up in RRA [RHRS] mode to continue cooling the Reactor Cooling System (RCP [RCS]). The GCT [MSB] system may be isolated and the feedwater plant stopped and cooled in preparation for maintenance operations. Two primary reactor coolant pumps are shut down (loops 1 and 4). The first three Reactor Cavity Cover Slabs are removed when the RCP [RCS] system is below 120°C.

Below 120°C and during the primary circuit cooling, the pressuriser level is automatically increased, one of the first steps before reaching the water solid phase. Primary pressure control is then ensured by the Chemical Volume and Control System (RCV [CVCS]) letdown and the pressuriser is cooled by the normal spray. The top of the pressuriser is cooled by the pressuriser homogenisation line. When the primary temperature is less than 100°C, RIS [SIS] trains 2 and 3 can be connected and started up in RRA [RHRS] mode in order to increase the primary system cooling capacity. The final three Reactor Cavity Cover Slabs are removed. When the RCP [RCS] hot leg temperature is at 90°C, the Reactor Building (HR [RB]) equipment hatch may be opened to enable tools and equipment to be taken into containment.

The reactor coolant oxygenation (if necessary) is performed in the RCP [RCS] as soon as the coolant and pressuriser temperatures are respectively below 80°C and 120°C. The number of primary reactor coolant pumps in operation is adjusted for efficient cooling and to allow coolant purification after the oxygenation. The last primary pump (number 3, so as to keep normal pressuriser spray available) is shut down when the radiochemical criteria are met and the temperature of the pressuriser is below 70°C. The primary system is maintained at about 55°C.

Throughout the primary system cooling process, contraction is compensated by the RCV [CVCS] charging pumps and the Reactor Boron and Water Make-up System (REA [RBWMS]) pumps, which draw boric acid and demineralised water from the storage tanks. Boration is continued until the required boron concentration during cold shutdown for fuel reloading is achieved. After the last reactor coolant pump has been stopped, the RCV [CVCS] letdown line is connected to the RIS/RRA [SIS/RHRS] system and the primary coolant, in the water solid phase, is depressurised to atmospheric pressure.

DRAINING AND OPENING THE PRIMARY SYSTEM

One RIS [SIS] system train in RRA [RHRS] mode is stopped and configured to Safety Injection (SI) mode prior to primary system draining. Before the opening of the primary system, degassing may be required according to the radiochemical characteristics of the primary circuit. The degassing of the primary system and removal of corrosion products via the Coolant Degasification System (TEP4 [CDS]) degasser, following the draining of the primary system under air, is the preferred method as it simplifies operations and limits operating constraints. The primary system is drained to the level of the Reactor Pressure Vessel (RPV) flange by the RCV [CVCS] letdown line (via the RIS/RCV [SIS/CVCS] connection) and the excess volume of primary coolant is transferred to the Coolant Storage and Treatment System (TEP [CSTS]) storage tanks for recycling.

In the event that the TEP4 [CDS] system degasser is unavailable, the primary system can be drained to the ¾ loop level under nitrogen. The primary system is drained to the ¾ loop level by the RCV [CVCS] system letdown line (via the RIS/RCV [SIS/CVCS] system connection) and the excess volume of primary coolant is transferred to the TEP [CSTS] storage tanks for recycling. The primary system is then swept by injecting nitrogen via the reactor coolant pumps and the vessel head vent. Venting is carried out by the vacuum pump linked to the pressuriser vent, and the gaseous effluent is treated by the Gaseous Waste Processing System (TEG [GWPS]). The level is stabilised and then controlled at the ¾ loop level, which prevents uncovering of the core and ensures safe RIS/RRA [SIS/RHRS] operation. In order to reduce the discharge to the stack, and hence to the environment, the radiochemical characteristics of the primary system must be within acceptable levels before changing the alignment for the coolant sweeping from the TEG [GWPS] system to the Containment Sweep Ventilation System (EBA [CSVS]). Following the changeover to the EBA [CSVS] system the primary system is air-swept to remove any nitrogen in order to obtain the characteristics required to open the primary system.

The level of the primary system is then increased to the level of the RPV flange. The electrical connections of the rod control system mechanisms and core instrumentation are removed. The mechanical seals are removed, thereby opening the primary system. After the thermal insulation of the vessel head has been removed, the multi-stud tensioning machine is positioned to carry out vessel head opening operations. Whilst the vessel head is being removed, the compartments of the reactor refuelling cavity are filled with borated water from the In-Containment Refuelling Water Storage Tank (IRWST).

CORE UNLOADING

When the cavity is full, the core instrumentation, including the lances of the system for measuring neutron flux using aeroballs, is removed and the control rod drive shafts are unlatched. When the internals are withdrawn and placed in the reactor internals storage pool, fuel unloading operations can begin (for information, approximately 70 hours after the generator decoupling) using the handling devices (loading machine, transfer tube, fuel handling crane). The primary coolant temperature is maintained below 50°C by the RIS/RRA [SIS/RHRS] system.

The decay heat of the unloaded fuel elements adds to that of the fuel elements already stored in the fuel building spent fuel pool. Thus, the second cooling train of the Fuel Pool Cooling (and Purification) System (PTR [FPCS/FPPS]) is started up prior to the unloading of the core to maintain the pool temperature below 50°C. At the end of the core unloading, the spent fuel pool in the Fuel Building (HK [FB]) is isolated from the HR [RB].

Once the core is unloaded the plant enters a different mode of operation in which the risks are different, since the fuel storage racks are passive devices which contain high levels of neutron absorbers and the main primary systems have no fuel to cool. Depending on the scheduled work, the sluice gate between the vessel compartment and the internals storage compartment is placed in position. The RCP [RCS] system can be drained, if needed, to the level of the vessel flange into the IRWST using the PTR [FPCS/FPPS] purification pumps, then to the ¾ loop level into the TEP [CSTS] storage tanks by the RCV [CVCS] letdown line, and finally to the low loop level by gravity to the TEP [CSTS] system. Maintenance tasks can be carried out in this 'Fully Unloaded Reactor' state, for example inspection of steam generator tubes. In the fuel building, changing of rod cluster control assemblies is carried out if necessary. After closing the primary components (i.e. steam generator manways), the vessel refuelling cavity is filled with borated water from the IRWST.

Core cooling and the ability to add borated inventory will also be protected by the use of administrative controls and other operational contingency plans, especially during periods of low RCP [RCS] inventory. Such approaches are based on industry best practices and use risk-informed approaches to plant availability during normal plant shutdown periods.

CORE RELOADING

The sluice gates are then removed, the transfer tube opened and the fuel is loaded into the vessel by means of the handling devices (fuel handling crane, transfer tube, refuelling machine). The primary temperature is maintained below 50°C by the RIS/RRA [SIS/RHRS]. Core loading and mapping operations are performed. Once the loading is completed, the transfer tube is closed. The upper internals are put back in position, the control rod drive shafts latched, and the aeroball lances and the core instrumentation inserted.

CLOSING AND FILLING THE PRIMARY COOLANT SYSTEM

The reactor building pool compartments are drained down to the RPV flange, with the water being transferred to the IRWST using the purification pumps, demineralisers and filters of the PTR [FPCS/FPPS]. The bottom of the vessel refuelling cavity and the vessel casing flange are cleaned. The reactor vessel is closed by the multi-stud tensioning machine. The vessel head penetration seals are re-assembled and the vessel head vent closed. The electrical connections of the rod control system mechanisms and core instrumentation are re-installed. During these operations, the primary coolant temperature is controlled by the RIS/RRA [SIS/RHRS] system.

If a vacuum is necessary, the primary system is then drained down to the ¾ loop level by the RCV [CVCS] letdown line (via the RIS/RCV [SIS/CVCS] connection) so that the gas-filled parts of the vessel, pressuriser and steam generator tubes are connected together. The RCP [RCS] level is automatically controlled by the RCV [CVCS] so as to prevent uncovering the core and ensure safe RIS/RRA [SIS/RHRS] operation. The vacuum pump located on the pressuriser vent and the vessel head is used to create a vacuum in the primary system. The resultant pressure is reduced to approximately 200 mbar to minimise the primary coolant air content. The primary system is then filled by the REA [RBWMS] system makeup using the RCV [CVCS] pumps. RCP [RCS] filling is stopped when the pressuriser is full. Two steam generators are needed and are filled to their operational setpoint level. The Main Steam Relief Train (VDA [MSRT]) system is available. The feedwater plant is filled, a vacuum is created in the condenser, and the heating and chemical treatment of the feedwater plant begins.

HEATING THE PRIMARY COOLANT

After the vacuum pump has been shut off, the primary system low pressure control by the RCV [CVCS] letdown is activated and there is a gradual rise of the primary pressure setpoint whilst the RIS/RRA [SIS/RHRS] flow rate is increased to its standard value. The residual gases in the pressuriser are evacuated and the RCP [RCS] is moved into water solid mode. The RCP [RCS] pressure is increased by automatic control of the RCV [CVCS] letdown flow through the Low Pressure (LP) letdown valve. When the RCP [RCS] pressure reaches 25 bar the pressure is stabilised and the RIS/RCV [SIS/CVCS] connection is isolated, the pressure being sufficient to enable normal RCP/RCV [RCS/CVCS] letdown. The primary reactor coolant pumps and the RIS/RRA [SIS/RHRS] pumps are started up at a minimum RCS pressure of 25 bar. The spray lines are used to homogenise the pressuriser.

After the reactor coolant pumps have started up, the RCP [RCS] is heated at stabilised pressure up to 90°C using the motive power supplied by the four pumps and the fuel decay heat. The heating rate is limited to 40°C per hour, which is the maximum rate assumed by the Primary/Secondary system control optimisation and validation transients. The Low Head Safety Injection (LHSI) heat exchangers are automatically by-passed and initially LHSI trains 1 and 4 are connected to the RCP [RCS] in RIS/RRA [SIS/RHRS] mode and can be used to maintain the rate of RCP [RCS] temperature rise below 40°C per hour if necessary. From 50°C hydrazine is added to reduce the concentration of oxygen in the primary circuit. The steam bubble is then formed in the pressuriser. Once the pressuriser level is below 90%, the pressuriser pressure control may be selected to two-phase pressure control. The RCP [RCS] heat-up is then restarted up to 120°C. Only LHSI trains 1 and 4 should be used for the control of the RCP [RCS] temperature above 100°C due to design considerations.

At the same time as these operations are being carried out on the primary circuit, the secondary circuit is made available. The condenser is placed under vacuum and the GCT [MSB] system is available. The feedwater plant is heated and chemically treated. Above 120°C, the four steam generators are required to be available and can be supplied by the AAD [SSS] system. When the RCP [RCS] temperature reaches 120°C, the last two RIS [SIS] trains (trains 1 and 4) still connected in RRA [RHRS] mode are isolated. Temperature control is then ensured via the SGs (the GCT [MSB] and AAD [SSS] systems).
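The cooldown description in the REACTOR SHUTDOWN section (maximum cooling rate of 50°C per hour, RIS [SIS] trains connected in RRA [RHRS] mode at 120°C and 25 bar, equipment hatch opening at 90°C) and the heat-up limit in this section (40°C per hour) are operating limits that can be checked after the fact against recorded plant data. The Python script below is an added illustration written for this page; it is not part of the PCSR and not the plant's control or monitoring software. The threshold values are copied from the text, the time-stamped temperature and pressure readings are constructed for the demonstration, and the record layout and function names are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Limits quoted in Sub-chapter 18.2 (cooldown and heat-up descriptions).
COOLDOWN_LIMIT_C_PER_H = 50.0    # maximum cooling rate by the GCT [MSB] system
HEATUP_LIMIT_C_PER_H = 40.0      # maximum heating rate after reactor coolant pump start-up
RRA_CONNECT_TEMP_C = 120.0       # RIS [SIS] trains connected in RRA [RHRS] mode at/below this
RRA_CONNECT_PRESSURE_BAR = 25.0  # ... and at/below this primary pressure
HATCH_OPEN_TEMP_C = 90.0         # HR [RB] equipment hatch may be opened at/below this hot-leg temperature


@dataclass(frozen=True)
class Sample:
    """One time-stamped plant reading (hypothetical logger layout, assumed here)."""
    t_h: float        # elapsed time in hours
    temp_c: float     # RCP [RCS] hot-leg temperature
    press_bar: float  # RCP [RCS] pressure (absolute)


def rate_violations(samples: List[Sample], direction: str) -> List[Tuple[float, float, float]]:
    """Return (t_start, t_end, rate_c_per_h) for every interval whose temperature
    change, in the stated direction, exceeds the applicable limit.

    direction is "cooldown" (falling temperature, 50 C/h limit) or
    "heatup" (rising temperature, 40 C/h limit).  Movement against the
    expected direction is not a rate violation and is ignored.
    """
    if direction == "cooldown":
        limit, sign = COOLDOWN_LIMIT_C_PER_H, -1.0
    elif direction == "heatup":
        limit, sign = HEATUP_LIMIT_C_PER_H, 1.0
    else:
        raise ValueError(f"unknown direction {direction!r}")

    violations = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t_h - prev.t_h
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        rate = (cur.temp_c - prev.temp_c) / dt
        if sign * rate > limit:  # signed rate in the expected direction, beyond the limit
            violations.append((prev.t_h, cur.t_h, rate))
    return violations


def rra_connection_permitted(s: Sample) -> bool:
    """Both the temperature and the pressure condition must hold at the same time."""
    return s.temp_c <= RRA_CONNECT_TEMP_C and s.press_bar <= RRA_CONNECT_PRESSURE_BAR


def first_time_permitted(samples: List[Sample], predicate: Callable[[Sample], bool]) -> Optional[float]:
    """Earliest sample time at which the predicate holds, or None if it never does."""
    for s in samples:
        if predicate(s):
            return s.t_h
    return None


# Constructed cooldown log: one reading per hour from end-of-cycle hot conditions.
COOLDOWN_LOG = [
    Sample(0.0, 300.0, 155.0),
    Sample(1.0, 252.0, 120.0),   # -48 C/h: within limit
    Sample(2.0, 197.0, 80.0),    # -55 C/h: exceeds 50 C/h
    Sample(3.0, 150.0, 45.0),    # -47 C/h: within limit
    Sample(4.0, 120.0, 25.0),    # RRA connection conditions now both met
    Sample(5.0, 90.0, 20.0),     # hatch opening condition met
]

# Constructed heat-up log after reactor coolant pump start-up at 25 bar.
HEATUP_LOG = [
    Sample(0.0, 55.0, 25.0),
    Sample(1.0, 90.0, 25.0),     # +35 C/h: within limit
    Sample(2.0, 135.0, 25.0),    # +45 C/h: exceeds 40 C/h
]


if __name__ == "__main__":
    for t0, t1, r in rate_violations(COOLDOWN_LOG, "cooldown"):
        print(f"cooldown rate {r:+.1f} C/h between t={t0} h and t={t1} h exceeds the limit")
    for t0, t1, r in rate_violations(HEATUP_LOG, "heatup"):
        print(f"heat-up rate {r:+.1f} C/h between t={t0} h and t={t1} h exceeds the limit")
    print("RRA connection first permitted at t =", first_time_permitted(COOLDOWN_LOG, rra_connection_permitted), "h")
    print("Hatch opening first permitted at t =",
          first_time_permitted(COOLDOWN_LOG, lambda s: s.temp_c <= HATCH_OPEN_TEMP_C), "h")
```

The rate check is direction-aware on purpose: a short temperature rise during a cooldown is not a cooldown-rate exceedance, so the same log can be screened against either limit without false alarms. The permissive checks are kept separate from the rate checks because the text ties each to different parameters (a single temperature threshold for the hatch, a temperature and a pressure together for the RRA connection).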

During the heat-up process, the excess coolant volume which arises due to primary coolant expansion is drawn off through the RCV [CVCS] letdown line (automatic control of the pressuriser level) to the TEP [CSTS] storage tanks. At the same time, the pressure is progressively and automatically increased until it reaches hot shutdown conditions. From cold shutdown, after the diphasic transition, the pressuriser level is controlled by the RCV [CVCS] high pressure letdown. The pressure is controlled using the pressuriser heaters and normal spray, and the temperature is controlled by the SGs. The SG levels are controlled by means of the ARE [MFWS] very low load valves, and their pressure is controlled by the GCT [MSB] system. The turbine generator unit is on its barring gear in anticipation of its use in the operating sequence which is preceded by this sequence.

FROM HOT SHUTDOWN TO POWER OPERATION

In hot shutdown, following refuelling operations, various low power physics and other periodic tests are carried out (see section 5 of this sub-chapter), such as measurements of rod drop time. The primary coolant temperature is controlled by the GCT [MSB] system. The first set of tests is carried out at zero power. The primary coolant is diluted by injection of demineralised water from the REA [RBWMS] system using the RCV [CVCS] charging pumps, during which the remaining set of tests at zero power is carried out. After criticality has been obtained, power is then increased by gradual dilution of the primary circuit. The SGs are supplied by the start-up and shutdown pump (AAD [SSS]), then by the feedwater pumps (APA [MFWPS]) using the ARE [MFWS] system. The turbine is commissioned, the generator is connected to the main grid and power is gradually increased. At 25% NP average temperature control mode is activated. At this power level, the main Nuclear Steam Supply System (NSSS) parameters (core and primary/secondary related) are in automatic mode (see Sub-chapter 5.1) and power is gradually stepped up to 100% by boron dilution.

POWER OPERATION

LOAD FOLLOWING

FREQUENCY SENSITIVE MODE

In basic operation, only long-term reactivity effects (fuel burnup, build-up of xenon and, to a lesser extent, samarium) need to be compensated for, by gradually diluting the primary coolant to a boron concentration of approximately 5 ppm to 10 ppm at the end of the fuel cycle. If required by the UK National Grid, the plant may be required to provide frequency sensitive operation or small load adjustments to assist system stability and frequency control. Where this is required it shall not challenge any nuclear safety limits at any time, or environmental limits as far as reasonably practicable (see load following and power variation in Sub-chapter 3.4). All RCP [RCS] control loops are entirely automatic. Rod Control Cluster Assemblies (RCCAs) are inserted or extracted by core regulation (temperature and power distribution control) to compensate for rapid changes in reactivity. Slow variations (xenon changes) are compensated for by modifying the boron concentration or moving the RCCAs. In addition to boration and dilution needs, the primary coolant is chemically treated in order to meet chemical and primary activity criteria. The corresponding fluid volumes may be recycled.

STRETCH-OUT OPERATION

In power operation, during the operating cycle, available reactivity is compensated for by primary boration. In the natural cycle, as burn-up increases, the boron concentration is continuously reduced to 5 to 10 ppm at the end of the fuel cycle. In order to extend power operation beyond the natural end of the cycle, the fall in reactivity due to fuel depletion may be compensated for by reducing the primary temperature. When the control rods are withdrawn to their reference position (relatively extracted) and the turbine inlet valves are fully open, the power level is determined by the core reactivity balance and turbine characteristics. As there is no available built-in reactivity to ensure a constant average primary coolant temperature, the average primary coolant temperature, reactor power and steam pressure decrease steadily. The extended cycle operation, based on repeated setpoint adjustments, consumes the remaining built-in reactivity. Demonstration studies of a cycle extended by a maximum of 30 Equivalent Full Power Days (EFPD) and an early shutdown of a typical value of 25 EFPD will be provided in the pre-operational safety report.

SPECIFIC OPERATIONS

In an event not caused by fault conditions and when normal operating procedures are not suited to the management of the event (such as loss of cooling in the fuel pool, low level in the HR [RB] fuel pool or a fuel handling accident, and partial loss of the Component Cooling Water System (RRI [CCWS])), abnormal operating procedures (in the case of some specific hazards, or grid events such as house load, for instance) will be applied by the operators to replace or support normal operating procedures so as to manage the event.

OPERATING PROCEDURES, STANDARD REACTOR STATES AND OPERATING LIMITS [REF. 3]

Before dealing with each of these operating documents, this section provides some key definitions regarding plant standard reactor states, operating procedures and operating limits, as these constitute key input data to the safety case. Then, each of the operating documents listed in section 1 of this sub-chapter is dealt with in turn, in order to provide an understanding of the inputs to each area, the process associated with each, the outputs, and where these outputs are then used or specified.

Operating Procedures

Identification of Perimeters

To allow good management of a complex, high-hazard installation such as a Nuclear Power Plant (NPP) unit, it is necessary to produce operating procedures, aligned closely with hiring, training and organisation procedures, that are appropriate to all the conditions encountered by the installation, whether in "normal" conditions (installation undamaged with respect to the safety criteria) or in fault conditions, whether plausible (degraded safety) or implausible (core damage). These requirements were reinforced in particular by the Three Mile Island accident, followed seven years later by the Chernobyl accident.

For an EPR power plant unit, there is a need to propose a clear basis for drafting a precise policy for operational coverage, regardless of the condition encountered by the installation. It should take account of the results of the work done by the EPR Fault Operating Procedures (FOP) working group and that done under the Emergency Operating Procedure (EOP) Heritage Project (created at the end of 2004). In particular, this work was based on extensive operating feedback regarding the efficiency of State Oriented Approach procedures. A discussion of the UK EPR operating procedure concept is provided in Sub-chapter 18.1, including State Oriented procedures. Sub-chapter 18.3 provides a supplementary description of the SOA.

Operation of a nuclear power plant unit such as the EPR can be split into several categories:
- Normal operation,
- Incident and accident operation "FOP" (fault operation),
- Post-FOP operation after successful FOP (in other words, transition between the FOP and the normal operating procedures), and
- Post-FOP operation after failure of FOP, in other words severe accident management.

Such plant operations should take account of constraints and specificities such as:
- Conformity with the OTS concerning the normal operating phase,
- Conformity with the safety case concerning the fault operating phase, and
- Team organisation, which can be specific to the event:
  o in fault operation (number of operators, including field operators, and specific roles of the control room team), and
  o in normal operation in the case of internal and external hazards (off-site emergency, fire service, etc.).
Consistently with this section, the goal of this sub-chapter is to present:
- How the operational documentation ensures plant safety under normal operations, and
- How fault operation, post-FOP operation and Severe Accident (SA) management claims are met via operational documentation (for example, periodic tests made under normal conditions of plant operation demonstrate the performance of an SF and underpin the fault study requirements that claim the SF).

Definitions of Safety Analysis Domains, Operating Range and Standard States

Several definitions are used to characterise normal operating conditions. These are safety analysis domains, operating range and standard reactor states.

Safety Analysis Domains

For the EPR design, a safety analysis envelope has been defined. This envelope, used for the safety analyses, is the result of dividing the normal reactor operating range into different domains (A to F) within this range. These represent the initial conditions upon which the initiating events for the incidental and accidental analyses contained in the safety case are postulated. The boundaries between the states of the safety analysis envelope are essentially defined by the protection signals and the safety and safeguard systems likely to be called upon in incidental and accidental conditions.

Events postulated in the safety analysis are assumed to occur during normal operation. The initial conditions assumed in the analysis cover all possible reactor states from full power operation to cold shutdown. The following six safety analysis domains are defined in Sub-chapter 14.0 and are provided below.

State A: Power states, hot and intermediate shutdown states (P > 130 bar a). In these shutdown states, all the necessary automatic reactor protection functions are available as in the power state. In fact, some protection functions may be deactivated at low power, but there are always sufficient automatic protection functions to meet the acceptance criteria if a transient occurs.

State B: Intermediate shutdown, Tprim ≥ 110 °C (P < 130 bar a). State B covers all shutdown states during normal plant operation where primary heat is removed by the SGs. It extends from 130 bar a to 25 bar a/110 °C RCP [RCS] conditions. Above 120 °C, the RIS/RRA [SIS/RHRS] is not connected to the RCP [RCS] system in normal operation. It should be noted that the RIS/RRA [SIS/RHRS] can be connected to the RCP [RCS] system at 180 °C in degraded situations, but this is not a normal operation state and therefore it is not considered as an initial state in the safety analysis. In state B, some of the automatic reactor protection functions available in state A may be deactivated, and some that are deactivated in state A may be activated in state B.

State C: Intermediate shutdown with RIS/RRA [SIS/RHRS], normal cold shutdown (the RCP [RCS] system is pressurisable) and cold shutdown for maintenance (RCP [RCS] vessel head is not lifted). The RCP [RCS] system is closed or partially open. The RCP [RCS] system is full of water or at partial loop level (e.g. for SG tube draining and for RCP [RCS] purging). The safety analysis domain defined by state C is divided into the following three states C1, C2 and C3:

State C1:
- RCP [RCS] system pressure between 23.5 bar a and 32 bar a,
- RCP [RCS] system temperature between 100 °C and 120 °C,
- RCP [RCS] system is full of water (e.g. water inventory corresponding to the pressuriser level at hot zero-power conditions when the pressuriser is diphasic),
- two SGs are available for heat removal,
- at least one reactor coolant pump in operation, and
- RIS/RRA [SIS/RHRS] operating via two trains, the other two trains being on standby.

State C2:
- RCP [RCS] system pressure between 23.5 bar a and 32 bar a,
- RCP [RCS] system temperature between 15 °C and 100 °C,
- RCP [RCS] system is full of water (e.g. water inventory corresponding to a pressuriser level above 90% when the pressuriser is monophasic),
- two SGs available for heat removal,
- at least one reactor coolant pump in operation, and
- RIS/RRA [SIS/RHRS] operating via three or four trains.

State C3:
- RCP [RCS] system pressure between 0.2 bar a and 32 bar a,
- RCP [RCS] system temperature between 15 °C and 55 °C,
- RCP [RCS] system water inventory level greater than or equal to 3/4 loop,
- two SGs available for heat removal, except in the state where the RCP [RCS] vessel head is unfastened but not lifted, in which case no SG is available,
- no reactor coolant pump in operation, and
- RIS/RRA [SIS/RHRS] operating via three trains, the other train being on standby and preconfigured in LHSI mode.

State D: Cold shutdown for maintenance with the RCP [RCS] open, so that the SGs cannot be used for decay heat removal. The RCP [RCS] level is between partial loop level (3/4 loop) and full reactor building pool level. Three out of four LHSI/RHR trains are in operation and the RCP [RCS] temperature is between 15 °C and 55 °C. The fourth LHSI/RHR train is on standby and preconfigured in LHSI mode.

State E: Cold shutdown with the reactor building pool full for refuelling.

State F: Cold shutdown with the core fully unloaded. During this state work is performed on RCP [RCS] components. This state is not analysed with regard to core protection.

Operating Range

In parallel to states A to F, the normal reactor operating range is grouped into distinct operating ranges:

- Reactor at Power (RP),
- Normal ShutDown with SG (NSD/SG),
- Normal ShutDown with RIS/RRA [SIS/RHRS] (NSD/RIS-RRA),
- Cold ShutDown for Maintenance (SDM),
- ShutDown for Refuelling (SDR), and
- Core Fully Unloaded (CFU).

These operating ranges group several standard states (see below) with similar thermal hydraulic and neutronic characteristics or similar operating purposes. The standard states are defined as the stable states of the reactor. The boundaries of these standard states are easily identifiable by the operator.

Standard States

The standard states of the reactor are defined as the stable states of the primary circuit based on their thermo-hydraulic and neutronic characteristics. They are defined by the combination of parameters relative to the water inventory of the primary circuit, the pressure of the primary circuit, the temperature of the primary circuit, the boron concentration and the nuclear power, as well as the functional configuration of the different systems and/or components. The boundaries between standard states are also defined by the most significant essential operations.

The operating ranges and standard states must be defined so that they are consistent with the safety analysis envelope, i.e. each standard state must be within the safety analysis envelope. However, the boundaries between the operating ranges and standard states are not necessarily identical to the boundaries of the safety analysis domains. The safety analysis domains, operating ranges and standard states are central to the definition of the key limits and conditions.

The operating range parameters associated with these states are summarised in Section Table 1. Section Figure 1 shows the operating envelope that defines the reactor operating ranges. Note that these values are preliminary. The limits provided above may be slightly modified, especially at low pressure/temperature.

Reactor Operating Limits

Operation of the RCP [RCS] system within the temperature and pressure ranges defined in Section Figure 1 ensures compliance with the safety limits associated with the second barrier. The pressure and temperature (P, T) limits for plant operations are imposed for either safety or mechanical reasons. These limits are presented and explained below. Section Figure 1 shows the allowed pressure and temperature ranges of the RCP [RCS] system during start-up, shutdown and normal operation so obtained.

The main limits (1) (boundary limits) are:
- The pressure limit P = 155 bar a and the temperature limit T = 303.3 °C, which correspond to normal operating conditions at Full Load and Hot Shutdown.
- The limit (Psat, Tsat - 30 °C) ensures sufficient margins to avoid saturation conditions other than in the pressuriser.
- The limit (Psat, Tsat - 180 °C) ensures that the temperature difference between the surge line and hot leg No. 3 is lower than the maximum authorised by the surge line stress analyses. This limit is not applicable when the pressuriser is in a solid state.
- The limit (Psat + 110 bar, Tsat) prevents the reactor coolant primary-secondary differential pressure from exceeding 110 bar, this being the maximum value used for the design of the tube sheet of the SGs.
- The conditions around the intersection of the limits P = 24.5 bar a and (Psat, Tsat - 30 °C) imply very low values of Net Positive Suction Head (NPSH). Between 150 °C and 250 °C, the NPSH criterion is limiting and a supplementary limit curve, called the "RCP NPSH limit", is defined.
- P = 32 bar a is the RHRS maximum connection pressure.
- P = 24.5 bar a is the minimum pressure for reactor coolant pump operation to cope with the NPSH requirement.
- In normal conditions, during the cool-down phase, RHR trains 1 and 4 are connected at 110 °C ≤ Tave ≤ 120 °C.
- The RCP [RCS] temperature limit for the start-up of the first reactor coolant pump after an outage, with respect to RCP [RCS] homogenisation, is T = 65 °C; however, this is bounded by T ≤ 55 °C, an initial condition used in the accident analyses.
- The minimum temperature in the RCP [RCS], T = 15 °C, is induced by the minimum temperature of the IRWST.

It should be noted that these values are preliminary. The limits provided above may be slightly modified, especially at low pressures/temperatures.

Optimised Pressure Temperature Curve

A Pressure - Temperature (P, T) limit curve is determined using existing processes. The consequences of moving the (P, T) limit curve, determined through fast fracture analysis, as a 'rigid body' to higher temperatures on a (P, T) diagram, for example a shift to the right of the (P, T) limit curve of 10 °C, 20 °C or 30 °C, are analysed [Ref. 4]. The (P, T) limit curve is used to provide limits for the operating pressure and temperature of the primary circuit during start-up and shutdown. The (P, T) limit curve is applicable to pressure boundary components made from ferritic steel. Such steels have a characteristic change from low to high fracture toughness through a temperature range.

(1) Refer to Section Table 1 footnotes for guidance on how to read the main limits.
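As an added illustration, not part of the PCSR text, the following Python check tests an RCP [RCS] (P, T) operating point against the boundary limits listed under Reactor Operating Limits above, with the plant configuration flags the conditional limits depend on (pump running, RHR connected, solid pressuriser). The saturation table it uses is an assumed, approximate steam-table excerpt, and the 150 °C to 250 °C "RCP NPSH limit" curve is not encoded because the page gives no values for it.

```python
"""Added example (not from the PCSR): test an RCP [RCS] operating point
(P in bar absolute, T in degrees C) against the boundary limits quoted above.
SAT_TABLE is an assumed, approximate steam-table excerpt; the limit values
themselves are the ones stated on the page."""
import math

# Assumed saturation data: (T in C, Psat in bar a), approximate values
SAT_TABLE = [(15, 0.01706), (55, 0.1576), (100, 1.0142), (150, 4.76),
             (200, 15.55), (250, 39.76), (300, 85.88), (320, 112.9),
             (340, 146.0), (350, 165.3), (360, 186.7)]


def psat(t_c):
    """Saturation pressure at t_c, log-linear interpolation in SAT_TABLE."""
    for (t0, p0), (t1, p1) in zip(SAT_TABLE, SAT_TABLE[1:]):
        if t0 <= t_c <= t1:
            f = (t_c - t0) / (t1 - t0)
            return math.exp(math.log(p0) + f * (math.log(p1) - math.log(p0)))
    raise ValueError("temperature outside assumed table")


def tsat(p_bar):
    """Saturation temperature at p_bar, inverse of psat()."""
    for (t0, p0), (t1, p1) in zip(SAT_TABLE, SAT_TABLE[1:]):
        if p0 <= p_bar <= p1:
            f = (math.log(p_bar) - math.log(p0)) / (math.log(p1) - math.log(p0))
            return t0 + f * (t1 - t0)
    raise ValueError("pressure outside assumed table")


def check_point(p_bar, t_c, rcp_running=True, rhr_connected=False,
                pzr_solid=False):
    """Return the list of boundary limits violated by the point (p_bar, t_c).
    An empty list means the point lies inside the envelope.  The flags model
    the plant configuration that the conditional limits depend on."""
    hits = []
    if p_bar > 155.0:
        hits.append("P=155 bar a boundary")
    if t_c > 303.3:
        hits.append("T=303.3 C boundary")
    if t_c < 15.0:
        hits.append("T=15 C IRWST minimum")
    # (Psat, Tsat-30 C): the loops stay at least 30 C below saturation
    if t_c > tsat(p_bar) - 30.0:
        hits.append("(Psat, Tsat-30 C) subcooling margin")
    # (Psat, Tsat-180 C): surge line / hot leg dT; waived when solid
    if not pzr_solid and t_c < tsat(p_bar) - 180.0:
        hits.append("(Psat, Tsat-180 C) surge line limit")
    # (Psat+110 bar, Tsat): primary-secondary dP capped at 110 bar
    if p_bar > psat(t_c) + 110.0:
        hits.append("(Psat+110 bar, Tsat) SG tube-sheet dP")
    # P=24.5 bar a floor applies only while a reactor coolant pump runs
    if rcp_running and p_bar < 24.5:
        hits.append("P=24.5 bar a RCP NPSH minimum")
    # P=32 bar a is the maximum RHRS connection pressure
    if rhr_connected and p_bar > 32.0:
        hits.append("P=32 bar a RHRS connection maximum")
    # The 150-250 C "RCP NPSH limit" curve is not given numerically here.
    return hits
```

The full-load point (155 bar a, 303.3 °C) returns no violations, while a cold, high-pressure point such as (155 bar a, 150 °C) trips both the surge line and SG tube-sheet differential limits, and only the latter once the pressuriser is solid.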

NORMAL OPERATING PROCEDURES

3.1. NORMAL OPERATING DOCUMENTS

Normal operating procedures consist of two types of documents: normal operating rules and normal operating instructions. The normal operating rules define and justify the operating strategies. The normal operating instructions, which are used by the Operators in the Main Control Room (MCR), are written using the normal operating rules and describe the precise actions to be performed by the Operators.

Different normal operating procedures are necessary to manage normal scheduled operating transients and certain abnormal operations in response to unplanned events. For example:
- DEM1: from shutdown state to Residual Heat Removal (RHR) system,
- DEM2: from RHR system connected to hot shutdown state, and
- DEM3: from hot shutdown state to full power.

A discussion of human factors considerations for normal operating documents is provided in Sub-chapter 18.1.

INTERFACES WITH OPERATING PROCEDURES FOR FAULT OPERATION

Procedures for fault operation are described in Sub-chapter. A discussion of HF aspects is provided in Sub-chapter. For each situation for which operating procedures are necessary, criteria have been established to define the boundaries between the domains of normal and fault operation. For example, criteria requiring a switchover to fault operating procedures are: second barrier damaged, protection/safety systems actuated, etc.

4. DESIGN AND OPERATING LIMITS AND CONDITIONS [REF. 5]

This section presents the generic principles and requirements that will be used as a basis for defining the OTS, chemical and radio-chemical specifications, allowance for occurrences of loading conditions (or design transients monitoring), safety analysis bounding limits and fuel design limits of the EPR.
An overview of the process that will be used to produce these different specifications is given which demonstrates how the results obtained through the safety analyses are used to establish the parameters that must be observed during normal operation of the plant. In this way, when the requirements contained within operational documentation are met, the safe operation of the plant, within the assumptions contained in the safety case, is guaranteed. This section also justifies why the operating documents will be adequate to ensure that the safety limits and conditions will be complied with throughout the plant lifetime.

Finally, this section presents the boundary between GDA documentation and Licensee operational documentation.

OPERATING TECHNICAL SPECIFICATIONS

Generic Principles for OTS Production

The OTS form part of the operating documentation that must be developed for the UK EPR. The general objective of the OTS is to set out the rules that must be followed to ensure that during normal operation the reactor remains within the limits justified by the safety case. For this purpose, the OTS must:
- specify the normal operating limits on the parameters which will ensure compliance with the parameter values assumed in the safety analyses contained in the safety case;
- determine the operability requirements for the safety Systems, Structures and Components (SSCs) necessary to mitigate the transients, incidental scenarios and accidental scenarios considered in the safety case; and
- define, in the event of inoperability of the required safety SSCs or any abnormal change in an operating limit, the recovery actions that are required so that the Main Safety Functions (MSFs) are achieved.

For each inoperability condition or event and its associated recovery action, the OTS specify a completion time, during which the plant can be maintained in the degraded condition without compromising plant safety. This sub-chapter will address generic inoperability conditions (or events); however, the detailed HPC corrective measures and completion times await the completion of the HPC reference design.

OTS Scope and Criteria

The scope of the HPC OTS has yet to be finalised. The content to be covered by the OTS is defined through specific criteria. Regardless of the approach adopted in developing the OTS, the criteria will allow definition of the parameters, systems, structures or components required to ensure the safe operation of the plant, i.e. to ensure that the assumptions contained in the safety cases are complied with and that the OTS content is consistent with these assumptions.
The criteria involved will be categorised by plant state, and the individual system operability requirements may vary from one state to another. In addition to the requirements on safety systems, the OTS may also specify parameters, safety related systems, some safety structures or some components; items related to radiation release and monitoring, chemistry limits applicable to the plant and the integrity of the fission product barriers are also typically included. The OTS criteria also apply to the safe storage in the Spent Fuel Pool (SFP) and containment in the HK [FB] building. The OTS requirements are complied with if the parameters remain within the limits and the SSCs covered by the criteria remain operable. The concept of operability reflects the ability of a system, or a component of a system, including its necessary auxiliaries, supports and electrical power supplies, to perform its safety functions and meet the listed safety objectives.