ML091280276

Transmittal of Technical Specification and Technical Specification Bases Manual Holders
ML091280276
Person / Time
Site: McGuire (Duke Energy)
Issue date: 04/29/2009
From: Beaver B
Duke Energy Corp
To:
Office of Nuclear Reactor Regulation
References
DUK091190044


Text

Duke Energy DOCUMENT TRANSMITTAL FORM

Date: 04/29/09
Document Transmittal #: DUK091190044
PRIORITY: Normal
QA CONDITION: Yes / No
OTHER ACKNOWLEDGEMENT REQUIRED: Yes
Page 1 of 3

DISPOSITION OF THE ORIGINAL DOCUMENT WILL BE TO THE TRANSMITTAL SIGNATURE UNLESS RECIPIENT IS OTHERWISE IDENTIFIED BELOW

1) 00003 NRI&IA MGR EC050
2) 00070 VICKIE BREWER - MG030T
3) 00200 ME CARROLL EC08H
4) 00297 V TRAVICK, DRPIRPBI-ATLANTA
5) 00422 MCG BONNIE C BEAVER - MG01RC
6) 00485 OPS TEST GROUP - MG01OP
7) 00692 MCG OPS STAFF MGR MG01OP
8) 00707 MCG SERV BLDG SAT AREA MG01S1
9) 00841 OPS HUMAN PERFORMANCE - MG01OP
10) 01202 K LCRANE - MG01RC
11) 01400 D E HELTON - MG01OP
12) 01492 BLUE DOT LIBRARY MG01MOD
13) 01503 VICKIE LMC GINNIS - MG03OT
14) 01545 TERESA BPUTNAM MG01OP
15) 01623 G LMONTGOMERY MG01WC

IF QA OR OTHER ACKNOWLEDGEMENT REQUIRED, PLEASE ACKNOWLEDGE RECEIPT BY RETURNING THIS FORM TO:

Duke Energy
McGuire
DCRM MGO2DM
13225 Hagers Ferry Road
Huntersville, N.C. 28078

Rec'd By:          Date:

REFERENCE

MCGUIRE NUCLEAR STATION
RECORD RETENTION # 005893
TECHNICAL SPECIFICATIONS (TS) AND TECHNICAL SPECIFICATIONS BASES (TSB)

DOCUMENT NO / QA COND / REV # / DATE / DISTR CODE
TS & TSB MEMORANDUM (1 PAGE) / NA / --- / 04/08/09 / MADM-04B
TSB LIST OF EFFECTIVE SECTIONS (4 PAGES) / NA / 094 / 04/08/09
TSB 3.3.1 (50 PAGES) / NA / 99 / 03/09/09
TSB 3.3.2 (43 PAGES) / NA / 99 / 03/09/09
TSB 3.6.2 (7 PAGES) / NA / 98 / 03/24/09
TSB 3.7.9 (9 PAGES) / NA / 97 / 01/03/09

Recipient column: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Distribution:     V1 V1 V1 V1 V3 V1 V2 V1 V1 V2 T1 V1 V1 V1 V1
TOTAL: 47

REMARKS: PLEASE UPDATE ACCORDINGLY
RECIPIENT # 00422 PREVIOUSLY COMPLETED

B H HAMILTON
VICE PRESIDENT
MCGUIRE NUCLEAR STATION

BY: BC BEAVER MG01RC BCB/TLC

Duke Energy DOCUMENT TRANSMITTAL FORM

Date: 04/29/09
Document Transmittal #: DUK091190044
PRIORITY: Normal
Page 2 of 3

1) 01749 LC GIBBY - MG01VP
2) 02049 NGO PRA MANAGER EC081
3) 02388 DAVID DZIADOSZ LYNCHBG, VA
4) 02532 MCG NRC INSP MG-ADMIN MAIL RM
5) 02546 WC LIBRARY - MG01WC
6) 03044 MCG DOC CNTRL MISC MAN MG05DM
7) 03283 P R TUCKER MG01RP
8) 03614 MCG OPS PROCEDURE GP MG010P
9) 03743 MCG QA TEC SUP MNT QC MG01MM
10) 03744 OPS TRNG MGR. MG03OT
11) 03759 U S NUC REG WASHINGTON, DC
12) 03796 SCIENTECH DUNEDIN, FL
13) 04698 D E BORTZ EC08G
14) 04809 MCG PLANT ENG. LIBR. MG05SE
15) 05162 MCG SHIFT WORK MGRS MG01OP

DOCUMENT NO / QA COND / REV # / DATE / DISTR CODE
TS & TSB MEMORANDUM (1 PAGE) / NA / --- / 04/08/09 / MADM-04B
TSB LIST OF EFFECTIVE SECTIONS (4 PAGES) / NA / 094 / 04/08/09
TSB 3.3.1 (50 PAGES) / NA / 99 / 03/09/09
TSB 3.3.2 (43 PAGES) / NA / 99 / 03/09/09
TSB 3.6.2 (7 PAGES) / NA / 98 / 03/24/09
TSB 3.7.9 (9 PAGES) / NA / 97 / 01/03/09

Recipient column: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Distribution:     V1 V1 V1 V1 V1 X V1 V1 V1 V3 V8 V1 V1 V2 V1
TOTAL: 47

Duke Energy DOCUMENT TRANSMITTAL FORM

Date: 04/29/09
Document Transmittal #: DUK091190044
PRIORITY: Normal
Page 3 of 3

1) 05262 J L FREEZE MG01iE
2) 05606 J C MORTON MG01EP
3) 05944 FRAMATONE TECHNOLOGIES
4) 08103 WESTINGHOUSE ELECTRIC CORP NSD
5) 09665 JOHN F. STANG, USNRC

DOCUMENT NO / QA COND / REV # / DATE / DISTR CODE
TS & TSB MEMORANDUM (1 PAGE) / NA / --- / 04/08/09 / MADM-04B
TSB LIST OF EFFECTIVE SECTIONS (4 PAGES) / NA / 094 / 04/08/09
TSB 3.3.1 (50 PAGES) / NA / 99 / 03/09/09
TSB 3.3.2 (43 PAGES) / NA / 99 / 03/09/09
TSB 3.6.2 (7 PAGES) / NA / 98 / 03/24/09
TSB 3.7.9 (9 PAGES) / NA / 97 / 01/03/09

Recipient column: 1 2 3 4 5
Distribution:     V1 V1 V1 V1 V1
TOTAL: 47

April 8, 2009

MEMORANDUM

To: All McGuire Nuclear Station Technical Specification, and Technical Specification Bases (TSB) Manual Holders

Subject: McGuire Technical Specifications Bases

Technical Specification Bases Manual:

REMOVE: TS Bases List of Effected Sections Rev 93
INSERT: TS Bases List of Effected Sections Rev 94

REMOVE: Tech Spec Bases: 3.3.1 (Entire Bases)
INSERT: Tech Spec Bases: 3.3.1 Rev 99 (Entire Bases)

REMOVE: Tech Spec Bases: 3.3.2 (Entire Bases)
INSERT: Tech Spec Bases: 3.3.2 Rev 99 (Entire Bases)

REMOVE: Tech Spec Bases: 3.6.2 (Entire Bases)
INSERT: Tech Spec Bases: 3.6.2 Rev 98 (Entire Bases)

REMOVE: Tech Spec Bases: 3.7.9 (Entire Bases)
INSERT: Tech Spec Bases: 3.7.9 Rev 97 (Entire Bases)

Revision numbers may skip numbers due to Regulatory Compliance Filing System.

Please call me if you have questions.

Bonnie Beaver
Regulatory Compliance
875-4180

McGuire Nuclear Station Technical Specification Bases LOES

TS Bases are revised by section

BASES (Revised per section)

Page Number / Revision / Revision Date
i / Revision 63 / 4/4/05
ii / Revision 63 / 4/4/05
iii / Revision 63 / 5/25/05
B 2.1.1 / Revision 51 / 1/14/04
B 2.1.2 / Revision 0 / 9/30/98
B 3.0 / Revision 81 / 3/29/07
B 3.1.1 / Revision 73 / 3/6/06
B 3.1.2 / Revision 10 / 9/22/00
B 3.1.3 / Revision 10 / 9/22/00
B 3.1.4 / Revision 0 / 9/30/98
B 3.1.5 / Revision 19 / 1/10/02
B 3.1.6 / Revision 0 / 9/30/98
B 3.1.7 / Revision 58 / 06/23/04
B 3.1.8 / Revision 0 / 9/30/98
B 3.2.1 / Revision 74 / 5/3/06
B 3.2.2 / Revision 10 / 9/22/00
B 3.2.3 / Revision 34 / 10/1/02
B 3.2.4 / Revision 10 / 9/22/00
B 3.3.1 / Revision 99 / 3/9/09
B 3.3.2 / Revision 99 / 3/9/09
B 3.3.3 / Revision 71 / 10/12/05
B 3.3.4 / Revision 57 / 4/29/04
B 3.3.5 / Revision 11 / 9/18/00
B 3.3.6 / Not Used - Revision 87 / 6/29/06
B 3.4.1 / Revision 51 / 1/14/04
B 3.4.2 / Revision 0 / 9/30/98
B 3.4.3 / Revision 44 / 7/3/03
B 3.4.4 / Revision 86 / 6/25/07
B 3.4.5 / Revision 86 / 6/25/07
B 3.4.6 / Revision 86 / 6/25/07
B 3.4.7 / Revision 86 / 6/25/07
B 3.4.8 / Revision 41 / 7/29/03
B 3.4.9 / Revision 0 / 9/30/98
B 3.4.10 / Revision 0 / 9/30/98
B 3.4.11 / Revision 57 / 4/29/04
B 3.4.12 / Revision 57 / 4/29/04
B 3.4.13 / Revision 86 / 6/25/07
B 3.4.14 / Revision 0 / 9/30/98
B 3.4.14-2 / Revision 5 / 8/3/99
B 3.4.14-6 / Revision 5 / 8/3/99
B 3.4.15 / Revision 82 / 9/30/06
B 3.4.16 / Revision 57 / 4/29/04
B 3.4.17 / Revision 0 / 9/30/98
B 3.4.18 / Revision 86 / 6/25/07
B 3.5.1 / Revision 70 / 10/5/05
B 3.5.2 / Revision 89 / 9/10/07
B 3.5.3 / Revision 57 / 4/29/04
B 3.5.4 / Revision 70 / 10/5/04
B 3.5.5 / Revision 0 / 9/30/98
B 3.6.1 / Revision 53 / 2/17/04
B 3.6.2 / Revision 98 / 3/24/09
B 3.6.3 / Revision 87 / 6/29/06
B 3.6.4 / Revision 0 / 9/30/98
B 3.6.5 / Revision 0 / 9/30/98
B 3.6.5-2 / Revision 6 / 10/6/99
B 3.6.6 / Revision 93 / 04/30/07
B 3.6.7 / Not Used - Revision 63 / 4/4/05
B 3.6.8 / Revision 63 / 4/4/05
B 3.6.9 / Revision 63 / 4/4/05
B 3.6.10 / Revision 43 / 5/28/03
B 3.6.11 / Revision 78 / 9/25/06
B 3.6.12 / Revision 53 / 2/17/04
B 3.6.13 / Revision 96 / 9/26/08
B 3.6.14 / Revision 64 / 4/23/05
B 3.6.15 / Revision 0 / 9/30/98
B 3.6.16 / Revision 40 / 5/8/03
B 3.7.1 / Revision 0 / 9/30/98
B 3.7.2 / Revision 79 / 10/17/06
B 3.7.3 / Revision 0 / 9/30/98
B 3.7.4 / Revision 57 / 4/29/04
B 3.7.5 / Revision 60 / 10/12/04
B 3.7.6 / Revision 0 / 9/30/98
B 3.7.7 / Revision 0 / 9/30/98
B 3.7.8 / Revision 0 / 9/30/98
B 3.7.9 / Revision 97 / 1/30/09
B 3.7.10 / Revision 75 / 6/12/06
B 3.7.11 / Revision 65 / 6/2/05
B 3.7.12 / Revision 28 / 5/17/02
B 3.7.13 / Revision 85 / 2/26/07
B 3.7.14 / Revision 66 / 6/30/05
B 3.7.15 / Revision 66 / 6/30/05
B 3.7.16 / Revision 0 / 9/30/98
B 3.8.1 / Revision 92 / 1/28/08
B 3.8.2 / Revision 92 / 1/28/08
B 3.8.3 / Revision 53 / 2/17/04
B 3.8.4 / Revision 94 / 12/08/08
B 3.8.5 / Revision 41 / 7/29/03
B 3.8.6 / Revision 0 / 9/30/98
B 3.8.7 / Revision 20 / 1/10/02
B 3.8.8 / Revision 41 / 7/29/03
B 3.8.9 / Revision 24 / 2/4/02
B 3.8.10 / Revision 41 / 7/29/03
B 3.9.1 / Revision 68 / 9/1/05
B 3.9.2 / Revision 41 / 7/29/03
B 3.9.3 / Revision 91 / 11/7/07
B 3.9.4 / Revision 84 / 2/20/07
B 3.9.5 / Revision 59 / 7/29/04
B 3.9.6 / Revision 41 / 7/29/03
B 3.9.7 / Revision 88 / 9/5/07

McGuire Units 1 and 2 Pages 1-4 Revision 94

RTS Instrumentation B 3.3.1

B 3.3 INSTRUMENTATION

B 3.3.1 Reactor Trip System (RTS) Instrumentation

BASES

BACKGROUND

The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this specification as the Allowable Values, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
2. Fuel centerline melt shall not occur; and
3. The RCS pressure SL of 2735 psig shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.

Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

McGuire Units 1 and 2 B 3.3.1-1 Revision No. 99


The RTS instrumentation is segmented into four distinct but interconnected categories as illustrated in UFSAR, Chapter 7 (Ref. 1), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured;
2. Process monitoring systems, including the Process Control System, the Nuclear Instrumentation System (NIS), and various field contacts and sensors: monitor various plant parameters, provide any required signal processing, and provide digital outputs when parameters exceed predetermined limits. They may also provide outputs for control, indication, alarm, computer input, and recording;
3. Solid State Protection System (SSPS), including input, logic, and output bays: combines the input signals from the process monitoring systems per predetermined logic and initiates a reactor trip and ESF actuation when warranted by the process monitoring systems inputs; and
4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors

To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the NOMINAL TRIP SETPOINT Values.

The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.


Process Monitoring Systems

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, compatible output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 7 (Ref. 1), Chapter 6 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision logic processing. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 1.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing a trip. Provisions to allow removing logic channels from service during maintenance are unnecessary because of the logic system's designed reliability.


Trip Setpoints and Allowable Values

The NOMINAL TRIP SETPOINTS are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION tolerance.

The NOMINAL TRIP SETPOINTS used in the bistables are based on the analytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIP SETPOINTS is such that adequate protection is provided when all sensor and processing time delays, calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left Setpoint of the bistable assures that the actual trip occurs in time to prevent an analytical limit from being exceeded.

The Allowable Value accounts for changes in random measurement errors between COTs. One example of such a change in measurement error is drift during the surveillance interval. If the COT demonstrates that the loop trips within the Allowable Value, the loop is OPERABLE. A trip within the Allowable Value ensures that the predictions of equipment performance used to develop the NOMINAL TRIP SETPOINT are still valid, and that the equipment will initiate a trip in response to an AOO in time to prevent an analytical limit from being exceeded (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed). Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS.

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

Determination of the NOMINAL TRIP SETPOINTS and Allowable Values listed in Table 3.3.1-1 incorporate all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NOMINAL TRIP SETPOINT. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.


Solid State Protection System

The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip the reactor in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The outputs from the process monitoring systems are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a stable condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Reactor Trip Switchgear

The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.

During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by a compressed spring that is released by de-energizing the undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The decision logic matrix Functions are described in the functional diagrams included in Reference 1. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can test the decision logic matrix Functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The RTS functions to maintain the SLs during all AOOs and mitigates the consequences of DBAs in all MODES in which the RTBs are closed.

Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 3 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of three or four channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.

Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels.

Three operable instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.
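The channel-count reasoning in the Process Monitoring Systems background and in the LCO discussion above can be checked mechanically. The following Python model is an added illustration, not part of the McGuire Bases or of any plant or vendor software; the channel states, the function names, and the simplification that a failed channel either always or never votes for a trip are assumptions made for the example.

```python
from enum import Enum


class Ch(Enum):
    NORMAL = "normal"           # healthy channel, parameter inside its setpoint
    TRIPPED = "tripped"         # bistable calls for a trip (demand, test, or failed toward trip)
    FAILED_NO_TRIP = "no-trip"  # failed so that it can never call for a trip


def function_trips(channels, required=2):
    """Coincidence vote: the Function trips when `required` channels are tripped."""
    return sum(c is Ch.TRIPPED for c in channels) >= required


def effective_logic(channels, required=2):
    """Return (k, n): the healthy channels left now vote k-out-of-n."""
    healthy = sum(c is Ch.NORMAL for c in channels)
    tripped = sum(c is Ch.TRIPPED for c in channels)
    return max(required - tripped, 0), healthy


def vote(n_channels, failures, demand, required=2):
    """Vote outcome with `failures` (index -> Ch state) imposed.

    demand=True: every healthy channel sees the parameter past its setpoint.
    demand=False: every healthy channel stays NORMAL.
    """
    healthy_state = Ch.TRIPPED if demand else Ch.NORMAL
    channels = [failures.get(i, healthy_state) for i in range(n_channels)]
    return function_trips(channels, required)


def single_failure_proof(n_channels, required=2, already_lost=()):
    """True if no single additional failure causes or prevents a trip.

    already_lost: channels assumed lost in the non-trip direction before the
    random failure is applied, e.g. the channel shared with a control system
    whose failure started the transient.
    """
    base = {i: Ch.FAILED_NO_TRIP for i in already_lost}
    for i in range(n_channels):
        if i in base:
            continue
        for state in (Ch.TRIPPED, Ch.FAILED_NO_TRIP):
            failures = {**base, i: state}
            spurious = vote(n_channels, failures, demand=False, required=required)
            blocked = not vote(n_channels, failures, demand=True, required=required)
            if spurious or blocked:
                return False
    return True


if __name__ == "__main__":
    # Three channels, one failed non-trip: two-out-of-two remains.
    print(effective_logic([Ch.FAILED_NO_TRIP, Ch.NORMAL, Ch.NORMAL]))
    # Three channels, one failed toward trip: one-out-of-two remains.
    print(effective_logic([Ch.TRIPPED, Ch.NORMAL, Ch.NORMAL]))
    # Protection-only parameter: three channels tolerate any single failure.
    print(single_failure_proof(3))
    # Shared control/protection channel lost first: three channels are not enough,
    print(single_failure_proof(3, already_lost=(0,)))
    # but four channels still tolerate one more random failure.
    print(single_failure_proof(4, already_lost=(0,)))
```

The last two checks reproduce the argument for four channels when one channel also feeds a control system: with that channel lost, a three-channel Function is left in two-out-of-two and one further non-trip failure blocks the trip.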

Reactor Trip System Functions

The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip

The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It may be used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel actuates one or more reactor trip breakers in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if the shutdown rods or control rods are withdrawn or the Control Rod Drive (CRD) System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the CRD System is not capable of withdrawing the shutdown rods or control rods. If the rods cannot be withdrawn from the core, there is no need to be able to trip the reactor because all of the rods are inserted. In MODE 6, the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.

2. Power Range Neutron Flux

The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System and the Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a. Power Range Neutron Flux-High

The Power Range Neutron Flux-High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux-High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.


b. Power Range Neutron Flux-Low

The LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux-Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux-High trip Function.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4, 5, or 6.
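The manual block and automatic unblock of the Power Range Neutron Flux-Low trip described above behave as a latch gated by the P-10 permissive. The Python sketch below is an added illustration, not plant or vendor logic; the class and function names, the exact 10.0 value used for "approximately 10% RTP", and the constructed channel readings are assumptions.

```python
P10_SETPOINT = 10.0  # % RTP; assumed exact value for "approximately 10% RTP"


class FluxLowTripBlock:
    """Block latch for the flux-low trip, gated by the P-10 permissive."""

    def __init__(self, setpoint=P10_SETPOINT):
        self.setpoint = setpoint
        self.blocked = False  # the trip Function starts unblocked (armed)

    def p10_present(self, readings):
        """Permissive: at least two of the four channels above the setpoint."""
        return sum(r > self.setpoint for r in readings) >= 2

    def update(self, readings, block_requested=False):
        """Apply one scan of four channel readings; return the latch state."""
        if len(readings) != 4:
            raise ValueError("model assumes four power range channels")
        below = sum(r < self.setpoint for r in readings)
        if below >= 3:
            # Automatic unblock wins over any operator request.
            self.blocked = False
        elif block_requested and self.p10_present(readings):
            # Manual block is accepted only while the permissive is present.
            self.blocked = True
        return self.blocked


def run_sequence(steps):
    """Run (readings, block_requested) steps through one latch; list the states."""
    latch = FluxLowTripBlock()
    return [latch.update(readings, requested) for readings, requested in steps]


# Constructed readings (% RTP) for a startup followed by a power reduction.
CONSTRUCTED_SEQUENCE = [
    ([5, 5, 5, 5], True),        # block requested at low power: rejected
    ([100, 5, 5, 5], True),      # one channel failed high: still rejected
    ([12, 11, 9, 9], True),      # two of four above P-10: block accepted
    ([30, 30, 30, 30], False),   # latch holds during power operation
    ([12, 9, 9, 9], False),      # three of four below P-10: automatic unblock
    ([12, 9, 9, 9], True),       # block cannot be re-applied below P-10
]

if __name__ == "__main__":
    print(run_sequence(CONSTRUCTED_SEQUENCE))
```

With four channels, "two above" and "three below" cannot both be true, so the latch never sees a block request and an automatic unblock competing on valid inputs, and a single channel failed high cannot by itself allow the trip to be blocked.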

3. Power Range Neutron Flux-High Positive Rate

The Power Range Neutron Flux-High Positive Rate trip uses the same channels as discussed for Function 2 above.

The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. This Function complements the Power Range Neutron Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range.

The LCO requires all four of the Power Range Neutron Flux-High Positive Rate channels to be OPERABLE.


In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux-High Positive Rate trip must be OPERABLE.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.

4. Intermediate Range Neutron Flux

The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.

Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux-High Setpoint trip and the Power Range Neutron Flux-High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because other RTS trip functions provide protection against positive reactivity additions. The reactor cannot be started up in this condition. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present in this MODE.

5. Source Range Neutron Flux

The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint and Intermediate Range Neutron Flux trip Functions. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5 with the CRD System capable of rod withdrawal. Therefore, the functional capability at the specified Trip Setpoint is assumed to be available.

The LCO requires two channels of Source Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The LCO also requires one channel of the Source Range Neutron Flux to be OPERABLE in MODE 3, 4, or 5 with RTBs open. In this case, the source range Function is to provide control room indication. The outputs of the Function to RTS logic are not required OPERABLE when the RTBs are open.

The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical, boron dilution, and control rod ejection events. The Function also provides visual neutron flux indication in the control room.

In MODE 2 when below the P-6 setpoint during a reactor startup, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux-Low Setpoint trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors are de-energized and inoperable.

In MODE 3, 4, or 5 with the reactor shut down, the Source Range Neutron Flux trip Function must also be OPERABLE. If the CRD System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours, the Surveillance requirement SR 3.3.1.7 must be completed within 4 hours after entry into MODE 3. The surveillance shall include verification of the high flux at shutdown alarm setpoint of less than or equal to five times background of the average CPS Neutron Level Reading (the average CPS Reading is the most consistent value between highest and lowest CPS Neutron Level Reading).

If the CRD System is not capable of rod withdrawal, the source range detectors are not required to trip the reactor. However, their monitoring Function must be OPERABLE to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilution.

The neutron detector's high flux at shutdown alarm setpoint of less than or equal to five times background, in Mode 3, 4, or 5, shall be verified. Once the High Flux at Shutdown Alarm setpoints are set at five times background above steady state neutron count rate the re-verification/re-adjustment of the high flux at shutdown is not required. The neutron count rate will decrease as Mode changes are made from 3 to 4 to 5 as the system temperature decreases.

Any subsequent changes in the count rate are an indication of gamma flux (due to movement of irradiated particles in the system) which may cause the source range response to vary. Upon increase in the neutron count rate due to activities that add positive reactivity to the core, the presence of gamma flux will cease to be a factor in detector count rate.

A CHANNEL CHECK provides a comparison of the parameter indicated on one channel to a similar parameter on other channels.

This is based on the assumption that the two indicating channels should be consistent. Significant differences between the indicating source range channels can occur due to core geometry, decreasing neutron count rate as temperature is decreasing in the system, the location of the Source Assemblies (distance from the Source Detectors), and large amounts of gamma. Each channel should be consistent with its local condition.

The requirements for the NIS source range detectors in MODE 6 are addressed in LCO 3.9.3, "Nuclear Instrumentation."

6. Overtemperature ΔT

The Overtemperature ΔT trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower ΔT trip Function must provide protection. The inputs to the Overtemperature ΔT trip include pressurizer pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop ΔT assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on ΔT as a power increase. The Overtemperature ΔT trip Function uses each loop's ΔT as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

  • reactor coolant average temperature-the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;

  • pressurizer pressure-the Trip Setpoint is varied to correct for changes in system pressure; and

  • axial power distribution-f(ΔI), the Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors.

If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.

Dynamic compensation is included for system piping delays from the core to the temperature measurement system.

The Overtemperature ΔT trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. Trip occurs if Overtemperature ΔT is indicated in two loops. The pressure and temperature signals are used for other control functions, therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature ΔT condition and may prevent a reactor trip.

The LCO requires all four channels of the Overtemperature ΔT trip Function to be OPERABLE. Note that the Overtemperature ΔT Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature ΔT trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

7. Overpower ΔT

The Overpower ΔT trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions.

This trip Function also limits the required range of the Overtemperature ΔT trip Function and provides a backup to the Power Range Neutron Flux-High Setpoint trip. The Overpower ΔT trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded. It uses the ΔT of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:

  • reactor coolant average temperature-the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and

  • rate of change of reactor coolant average temperature-including dynamic compensation for the delays between the core and the temperature measurement system.

The Overpower ΔT trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if Overpower ΔT is indicated in two loops. The temperature signals are used for other control functions, therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the remaining channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower ΔT condition and may prevent a reactor trip.

The LCO requires four channels of the Overpower ΔT trip Function to be OPERABLE. Note that the Overpower ΔT trip Function receives input from channels shared with other RTS Functions.

Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overpower ΔT trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure

The same sensors provide input to the Pressurizer Pressure-High and -Low trips and the Overtemperature ΔT trip. The Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System, therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.

a. Pressurizer Pressure-Low

The Pressurizer Pressure-Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires four channels of Pressurizer Pressure-Low to be OPERABLE.

In MODE 1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, power distributions that would cause DNB concerns are unlikely.

b. Pressurizer Pressure-High

The Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing the RCS.

This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

The LCO requires four channels of the Pressurizer Pressure-High to be OPERABLE.

The Pressurizer Pressure-High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trips for those pressure increases that can be controlled by the PORVs.

In MODE 1 or 2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure-High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions. Additionally, low temperature overpressure protection systems provide overpressure protection when below MODE 4.

9. Pressurizer Water Level-High

The Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides protection against water relief through the pressurizer safety valves.

These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The setpoints are based on percent of instrument span. The LCO requires three channels of Pressurizer Water Level-High to be OPERABLE. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow-Low
a. Reactor Coolant Flow-Low (Single Loop)

The Reactor Coolant Flow-Low (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.

Above the P-8 setpoint, which is approximately 48% RTP, a loss of flow in any RCS loop will actuate a reactor trip. The setpoints are based on the minimum flow specified in the COLR. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE 1 above P-8.

In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core. In MODE 1 below the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip (Function 10.b) because of the lower power level and the greater margin to the design limit DNBR.

b. Reactor Coolant Flow-Low (Two Loops)

The Reactor Coolant Flow-Low (Two Loops) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in two or more RCS loops while avoiding reactor trips due to normal variations in loop flow.

Above the P-7 setpoint and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor trip. The setpoints are based on the minimum flow specified in the COLR. Each loop has three flow detectors to monitor flow.

The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE.

In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the Reactor Coolant Flow-Low (Two Loops) trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since power distributions that would cause a DNB concern at this low power level are unlikely. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.

11. Undervoltage Reactor Coolant Pumps

The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored. Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires a total of four Undervoltage RCPs channels (one per bus) to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since power distributions that would cause a DNB concern at this low power level are unlikely. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

12. Underfrequency Reactor Coolant Pumps

The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) Trip Setpoint is reached.

Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires a total of four Underfrequency RCPs channels (one per bus) to be OPERABLE.

In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since power distributions that would cause a DNB concern at this low power level are unlikely.

Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

13. Steam Generator Water Level-Low Low

The SG Water Level-Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the SG Level Control System.

Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.

The LCO requires four channels of SG Water Level-Low Low per SG to be OPERABLE since these channels are shared between protection and control.

In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW) System (not safety related). The MFW System is normally in operation in MODES 1, 2, 3, or 4. The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE 3, 4, 5, or 6, the SG Water Level-Low Low Function does not have to be OPERABLE because the reactor is not operating or even critical. Decay heat removal is accomplished by the steam generators in MODE 3 and 4 and by the Residual Heat Removal (RHR) System in MODE 4, 5, or 6.

14. Turbine Trip
a. Turbine Trip-Low Fluid Oil Pressure

The Turbine Trip-Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-8 setpoint, approximately 48% power, will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety valves. Turbine Trip-Low fluid oil pressure is diverse to the Turbine Trip-Turbine Stop Valve Closure Function.

The LCO requires three channels of Turbine Trip-Low Fluid Oil Pressure to be OPERABLE in MODE 1 above P-8.

Below the P-8 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip-Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip-Turbine Stop Valve Closure

The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip from a power level above the P-8 setpoint, approximately 48% power. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure trip Function.

Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are closed, a reactor trip is initiated.

The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.

The LCO requires four Turbine Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-8. All four channels must trip to cause reactor trip.

Below the P-8 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip-Stop Valve Closure trip Function does not

15. Safety Injection Input from Engineered Safety Feature Actuation System

The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. This is a condition of acceptability for the LOCA.

However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal is present.

Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by a manual switch or by the automatic actuation logic. Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

A reactor trip is initiated every time an SI signal is present.

Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

16. Reactor Trip System Interlocks

Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:

a. Intermediate Range Neutron Flux, P-6

The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:

  • on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also removed; and

  • on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip.

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.

Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary.

In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.

b. Low Power Reactor Trips Block, P-7

The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

  • Pressurizer Pressure-Low;

  • Undervoltage RCPs; and

  • Underfrequency RCPs.

These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power).

The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

  • Pressurizer Pressure-Low;

  • Pressurizer Water Level-High;

  • Reactor Coolant Flow-Low (Two Loops);

  • Undervoltage RCPs; and

  • Underfrequency RCPs.

Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.

c. Power Range Neutron Flux, P-8

The Power Range Neutron Flux, P-8 interlock is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low (Single Loop) reactor trip on low flow in one or more RCS loops, and the Turbine Trip-Low Fluid Oil Pressure and Turbine Trip-Turbine Stop Valve Closure reactor trips on increasing power. The LCO requirement for the Reactor Coolant Flow - Low Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than approximately 48% power.

Above the P-8 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-8 setpoint, to minimize the transient on the reactor. On decreasing power below the P-8 setpoint, the reactor trip on low flow in any loop is automatically blocked.

McGuire Units 1 and 2 B 3.3.1-25 Revision No. 99

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, and a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions and the reactor is not at a power level sufficient to have a load rejection beyond the capacity of the Steam Dump System.

d. Power Range Neutron Flux, P-10

The Power Range Neutron Flux, P-10 interlock is actuated at approximately 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:

  • on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal;
  • on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux-Low reactor trip;
  • on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors;
  • the P-10 interlock provides one of the two inputs to the P-7 interlock; and
  • on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux-Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.

OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

e. Turbine Impulse Pressure, P-13

The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the rated full-power pressure. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.

The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the turbine generator is not operating.

17. Reactor Trip Breakers

This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the CRD System. Thus, the train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.

18. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms

The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the CRD System, or declared inoperable under Function 17 above.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.

19. Automatic Trip Logic

The LCO requirement for the RTBs (Functions 17 and 18) and Automatic Trip Logic (Function 19) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each train RTB has a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs and associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.

The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6).

ACTIONS

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1. When the Required Channels in Table 3.3.1-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

A channel shall be OPERABLE if the point at which the channel trips is found equal to or more conservative than the Allowable Value. In the event a channel's trip setpoint is found less conservative than the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. If plant conditions warrant, the trip setpoint may be set outside the NOMINAL TRIP SETPOINT calibration tolerance band as long as the trip setpoint is conservative with respect to the NOMINAL TRIP SETPOINTS. If the trip setpoint is found outside the NOMINAL TRIP SETPOINT calibration tolerance band and non-conservative with respect to the NOMINAL TRIP SETPOINT, the setpoint shall be re-adjusted.

When the number of inoperable channels in a trip Function exceeds those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

A.1

Condition A applies to all RTS protection Functions. Condition A addresses the situation where one or more required channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

McGuire Units 1 and 2 B 3.3.1-29 Revision No. 99

RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)

B.1 and B.2

Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

The Completion Time of 48 hours is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours total time). The 6 additional hours are reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, the MODES 1 and 2 requirements for this trip Function are no longer required and Condition C is entered.

C.1 and C.2

Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal:

  • RTBs;
  • RTB Undervoltage and Shunt Trip Mechanisms; and
  • Automatic Trip Logic.

This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour Completion Time, the unit must be placed in a condition in which the requirement does not apply. To achieve this status, the RTBs must be opened within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With the RTBs open, these Functions are no longer required.

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

D.1.1, D.1.2, and D.2

Condition D applies to the Power Range Neutron Flux-High and Power Range Neutron Flux-High Positive Rate Functions.

The NIS power range detectors provide input to the CRD System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours allowed to place the inoperable channel in the tripped condition is justified in WCAP-14333-P-A (Ref. 10).

With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost. Therefore, SR 3.2.4.2 must be performed (Required Action D.1.1) within 12 hours of THERMAL POWER exceeding 75% RTP and once per 12 hours thereafter.

Calculating QPTR every 12 hours compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels > 75% RTP. At power levels < 75% RTP, operation of the core with radial power distributions beyond the design limits, at a power level where DNB conditions may exist, is prevented. The 12 hour Completion Time is consistent with the Surveillance Requirement Frequency in LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)." Required Action D.1.1 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using movable incore detectors may not be necessary.

As an alternative to the above Actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE. Seventy eight (78) hours are allowed to place the plant in MODE 3. The 78 hour completion time includes 72 hours for channel corrective maintenance and an additional 6 hours for the MODE reduction as required by Required Action D.2. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.

E.1 and E.2

Condition E applies to the following reactor trip Functions:

  • Power Range Neutron Flux-Low;
  • Overtemperature ΔT;
  • Overpower ΔT;
  • Pressurizer Pressure-High; and
  • SG Water Level-Low Low.

A known inoperable channel must be placed in the tripped condition within 72 hours. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours allowed to place the inoperable channel in the tripped condition is justified in Reference 10.

If the operable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.

F.1 and F.2

Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 24 hours is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor.

Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.
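The coincidence logic behind Conditions D, E and F, and the P-10 set and reset statements earlier in this section, can be checked with a small model. This is an added illustration, not part of the McGuire Bases or of any plant software; the Channel states, the function names, and the treatment of a bypassed or failed channel as casting no vote are assumptions.

```python
from enum import Enum
from itertools import product


class Channel(Enum):
    NORMAL = "normal"      # healthy: votes to trip only on a real demand
    TRIPPED = "tripped"    # inoperable channel placed in the tripped condition
    BYPASSED = "bypassed"  # assumption: a bypassed channel casts no vote
    FAILED = "failed"      # assumption: inoperable, left as is, never votes


def trip_votes(states, demand):
    """Count trip votes; demand[i] is True when channel i sees the
    monitored parameter past its setpoint."""
    return sum(
        1 for s, d in zip(states, demand)
        if s is Channel.TRIPPED or (s is Channel.NORMAL and d)
    )


def reactor_trips(states, demand, required):
    """Coincidence logic: trip when at least `required` channels vote."""
    return trip_votes(states, demand) >= required


def effective_logic(states, required):
    """Return (m, n): m more votes are needed from the n healthy channels."""
    forced = sum(1 for s in states if s is Channel.TRIPPED)
    healthy = sum(1 for s in states if s is Channel.NORMAL)
    return max(required - forced, 0), healthy


def survives_one_more_failure(states, required):
    """True if a demand seen by every healthy channel still trips the
    reactor after any single additional healthy channel silently fails."""
    for i, s in enumerate(states):
        if s is not Channel.NORMAL:
            continue
        degraded = list(states)
        degraded[i] = Channel.FAILED
        if not reactor_trips(degraded, [True] * len(states), required):
            return False
    return True


def p10_set_and_reset_agree():
    """P-10 sets on 2 of 4 channels above 10% and resets on 3 of 4 below;
    check over all 16 channel combinations that these are complements."""
    for above in product([False, True], repeat=4):
        is_set = sum(above) >= 2
        is_reset = sum(not a for a in above) >= 3
        if is_set == is_reset:
            return False
    return True


N, T, B, F = Channel.NORMAL, Channel.TRIPPED, Channel.BYPASSED, Channel.FAILED
NO_DEMAND = [False] * 4

if __name__ == "__main__":
    # Constructed cases: (channel states, votes required by the trip logic)
    cases = {
        "2oo4, all channels healthy": ([N, N, N, N], 2),
        "2oo4, inoperable channel tripped": ([T, N, N, N], 2),
        "2oo4, inoperable channel left failed": ([F, N, N, N], 2),
        "2oo4, one channel bypassed for test": ([B, N, N, N], 2),
        "1oo2, inoperable channel tripped": ([T, N], 1),
        "1oo2, inoperable channel left failed": ([F, N], 1),
    }
    for name, (states, required) in cases.items():
        m, n = effective_logic(states, required)
        spurious = reactor_trips(states, [False] * len(states), required)
        tolerant = survives_one_more_failure(states, required)
        print(f"{name}: {m}-out-of-{n}, trips with no demand: {spurious}, "
              f"tolerates one more failure: {tolerant}")
    print("P-10 set/reset complementary:", p10_set_and_reset_agree())
```

The one-out-of-two case with the inoperable channel tripped actuates with no demand at all, which is why Condition F restores or leaves the channel rather than tripping it, and the same case left failed has no tolerance for a further failure, which is what the 24 hour limit bounds.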

G.1 and G.2

Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip.

Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately. This will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level. The Completion Time of 2 hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip. Required Action G.1 is modified by a note to indicate that normal plant control operations that individually add limited positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action.

H.1

Condition H applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is below the P-6 setpoint and one or two channels are inoperable. Below the P-6 setpoint, the NIS source range performs the monitoring and protection functions. The inoperable NIS intermediate range channel(s) must be returned to OPERABLE status prior to increasing power above the P-6 setpoint. The NIS intermediate range channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10.

I.1

Condition I applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.

Required Action I.1 is modified by a note to indicate that normal plant control operations that individually add limited positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action.

J.1

Condition J applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and performing a reactor startup, or in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition and the unit enters Condition L.

K.1 and K.2

Condition K applies to one inoperable source range channel in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48 hours is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, 1 additional hour is allowed to open the RTBs. Once the RTBs are open, the core is in a more stable condition and the unit enters Condition L. The allowance of 48 hours to restore the channel to OPERABLE status, and the additional hour to open the RTBs, are justified in Reference 7.

L.1, L.2, and L.3

Condition L applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODE 3, 4, or 5 with the RTBs open. With the unit in this Condition, the NIS source range performs a monitoring function. With less than the required number of source range channels OPERABLE, operations involving positive reactivity additions shall be suspended immediately. In addition to suspension of positive reactivity additions, all valves that could add unborated water to the RCS must be closed within 1 hour as specified in LCO 3.9.2. The isolation of unborated water sources will preclude a boron dilution accident.

Also, the SDM must be verified within 1 hour and once every 12 hours thereafter as per SR 3.1.1.1, SDM verification. With no source range channels OPERABLE, core monitoring is severely reduced. Verifying the SDM within 1 hour allows sufficient time to perform the calculations and determine that the SDM requirements are met. The SDM must also be verified once per 12 hours thereafter to ensure that the core reactivity has not changed. Required Action L.1 precludes any positive reactivity additions; therefore, core reactivity should not be increasing, and a 12 hour Frequency is adequate. The Completion Times of within 1 hour and once per 12 hours are based on operating experience in performing the Required Actions and the knowledge that unit conditions will change slowly. Required Action L.1 is modified by a note which permits plant temperature changes provided the temperature change is accounted for in the calculated SDM and that Keff remains < 0.99. Introduction of temperature changes including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM or adequate margin to criticality.

M.1 and M.2

Condition M applies to the following reactor trip Functions:

  • Pressurizer Pressure-Low;
  • Pressurizer Water Level-High;
  • Reactor Coolant Flow-Low (Two Loops);
  • Undervoltage RCPs; and
  • Underfrequency RCPs.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours. Placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip above the P-7 setpoint (and below the P-8 setpoint for the Reactor Coolant Flow-Low (Two Loops) Function). These Functions do not have to be OPERABLE below the P-7 setpoint because, for the Pressurizer Water Level-High function, transients are slow enough for manual action; and for the other functions, power distributions that would cause a DNB concern at this low power level are unlikely. The 72 hours allowed to place the channel in the tripped condition is justified in Reference 10. An additional 6 hours is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition M.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.

N.1 and N.2

Condition N applies to the Reactor Coolant Flow-Low (Single Loop) reactor trip Function. With one channel inoperable, the inoperable channel must be placed in trip within 72 hours. If the channel cannot be restored to OPERABLE status or the channel placed in trip within the 72 hours, then THERMAL POWER must be reduced below the P-8 setpoint within the next 4 hours. This places the unit in a MODE where the LCO is no longer applicable. This trip Function does not have to be OPERABLE below the P-8 setpoint because other RTS trip Functions provide core protection below the P-8 setpoint. The 72 hours allowed to restore the channel to OPERABLE status or place in trip and the 4 additional hours allowed to reduce THERMAL POWER to below the P-8 setpoint are justified in Reference 10.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.

O.1, O.2, P.1, and P.2

Conditions O and P apply to Turbine Trip on Low Fluid Oil Pressure or on Turbine Stop Valve Closure. With a channel inoperable, the inoperable channel must be placed in the trip condition within 72 hours. If placed in the tripped condition, this results in a partial trip condition requiring fewer additional channels to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-8 setpoint within the next 4 hours. The 72 hours allowed to place the inoperable channel in the tripped condition and the 4 hours allowed for reducing power are justified in Reference 10.

The Required Actions of Condition O have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.

Q.1 and Q.2 Condition Q applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours are allowed to restore the train to OPERABLE status (Required Action Q.1) or the unit must be placed in MODE 3 within the next 6 hours.

The Completion Time of 24 hours (Required Action Q.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours allowed to restore the inoperable RTS Automatic Trip Logic train to OPERABLE status is justified in Reference 10. The additional Completion Time of 6 hours (Required Action Q.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours for surveillance testing, provided the other train is OPERABLE. The 4 hour time limit for testing the RTS Automatic Trip Logic train may include testing the RTB also, if both the Logic test and RTB test are conducted within the 4 hour time limit. The 4 hour time limit is justified in Reference 10.

R.1 and R.2 Condition R applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours is allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours. The 24 hour Completion Time is justified in Reference 11. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. Placing the unit in MODE 3 removes the requirement for this particular Function.

The Required Actions have been modified by a Note. The Note allows one RTB to be bypassed for up to 4 hours for surveillance testing, provided the other RTB is OPERABLE. The 4 hour time limit is justified in Reference 11.

S.1 and S.2 Condition S applies to the P-6 and P-10 interlocks. With one or more channel(s) inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour or the unit must be placed in MODE 3 within the next 6 hours. Verifying the interlock status, by visual observation of the control room status lights, manually accomplishes the interlock's Function. The Completion Time of 1 hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour and 6 hour Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

T.1 and T.2 Condition T applies to the P-7, P-8, and P-13 interlocks. With one or more channel(s) inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour or the unit must be placed in MODE 2 within the next 6 hours. These actions are conservative for the case where power level is being raised. Verifying the interlock status, by visual observation of the control room status lights, manually accomplishes the interlock's Function. The Completion Time of 1 hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.

U.1 and U.2 Condition U applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours (54 hours total time). With both diverse trip features inoperable, the reactor trip breaker is inoperable and Condition R is entered. The Completion Time of 6 hours is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

With the unit in MODE 3, the MODES 1 and 2 requirement for this function is no longer required and Condition C is entered. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours for the reasons stated under Condition R.

The Completion Time of 48 hours for Required Action U.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

V.1 With two RTS trains inoperable, no automatic capability is available to shut down the reactor, and immediate plant shutdown in accordance with LCO 3.0.3 is required.

SURVEILLANCE REQUIREMENTS The SRs for each RTS Function are identified by the SRs column of Table 3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined.

Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

Performing the Neutron Flux Instrumentation surveillances meets the License Renewal Commitments for License Renewal Program for Neutron Flux Instrumentation Circuits per UFSAR Chapter 18, Table 18-1 and License Renewal Commitments Specification MCS-1274.00-00-0016, Section 4.44.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.1.2 compares the calorimetric heat balance calculation to the NIS channel output every 24 hours. If the calorimetric exceeds the NIS channel output by > 2% RTP, the NIS is not declared inoperable, but must be adjusted. If the NIS channel output cannot be properly adjusted, the channel is declared inoperable.

Two Notes modify SR 3.3.1.2. The first Note indicates that the NIS channel output shall be adjusted consistent with the calorimetric results if the absolute difference between the NIS channel output and the calorimetric is > 2% RTP. The second Note clarifies that this Surveillance is required only if reactor power is > 15% RTP and that 12 hours is allowed for completing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are inaccurate.

The Frequency of every 24 hours is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Together these factors demonstrate the change in the absolute difference between NIS and heat balance calculated powers rarely exceeds 2% in any 24 hour period. Maintaining the 2% agreement is only applicable during equilibrium conditions.

In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output every 31 EFPD. If the absolute difference in AFD is > 3%, the NIS channel is still OPERABLE, but must be readjusted.

If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(ΔI) input to the overtemperature ΔT Function and overpower ΔT Function.

Two Notes modify SR 3.3.1.3. Note 1 indicates that the excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is > 3%. Note 2 clarifies that the Surveillance is required only if reactor power is > 15% RTP and that 24 hours is allowed for completing the first Surveillance after reaching 15% RTP.

The Frequency of every 31 EFPD is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift. Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.

SR 3.3.1.4 SR 3.3.1.4 is the performance of a TADOT every 62 days on a STAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.14. The bypass breaker test shall include a local shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.

The Frequency of every 62 days on a STAGGERED TEST BASIS is justified in Reference 11.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 11.

SR 3.3.1.6 SR 3.3.1.6 is a calibration of the excore channels to the incore channels.

If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(ΔI) input to the overtemperature ΔT Function and overpower ΔT Function.

At Beginning of Cycle (BOC), the excore channels are compared to the incore detector measurements. This comparison is typically performed prior to exceeding 75% power. Excore detectors are adjusted as necessary. This low power surveillance satisfies the initial performance of SR 3.3.1.6 with subsequent surveillances conducted at least every 92 EFPD.

At BOC, after reaching full power steady state conditions, additional incore and excore measurements are taken at various ΔI conditions to determine the M factors. The M factors are normally only determined at BOC, but they may be changed at other points in the fuel cycle if the relationship between excore and incore measurements changes significantly.

A Note modifies SR 3.3.1.6. The Note states that this Surveillance is required only if reactor power is > 75% RTP and that 24 hours is allowed for completing the first surveillance after reaching 75% RTP.

The Frequency of 92 EFPD is adequate. It is based on industry operating experience, considering instrument reliability and operating history data for instrument drift.

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT every 184 days.

A COT is performed on each required channel to ensure the channel will perform the intended Function.

The tested portion of the Loop must trip within the Allowable Values specified in Table 3.3.1-1.

The setpoint shall be left set consistent with the assumptions of the setpoint methodology.

SR 3.3.1.7 is modified by a Note that provides a 4 hour delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours this Surveillance must be completed within 4 hours after entry into MODE 3. The surveillance shall include verification of the high flux at shutdown alarm setpoint of less than or equal to the average CPS Neutron Level reading (most consistent value between highest and lowest CPS Neutron Level reading) at five times background.

The Frequency of 184 days is justified in Reference 11.

SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6, during the Intermediate Range COT, and P-10, during the Power Range COT, interlocks are in their required state for the existing unit condition. The verification is performed by visual observation of the permissive status light in the unit control room. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 184 days of the Frequencies prior to reactor startup and four hours after reducing power below P-10 and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "4 hours after reducing power below P-10" (applicable to intermediate and power range low channels) and "4 hours after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 184 days thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-10 or P-6. The MODE of Applicability for this surveillance is < P-10 for the power range low and intermediate range channels and < P-6 for the source range channels. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 or < P-6 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour limit.
Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for periods > 4 hours. The Frequency of 184 days is justified in Reference 11.

SR 3.3.1.9 SR 3.3.1.9 is the performance of a TADOT and is performed every 92 days, as justified in Reference 7.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.10 A CHANNEL CALIBRATION is performed every 18 months. The CHANNEL CALIBRATION may be performed at power or during refueling based on testing capability. Channel unavailability evaluations in References 10 and 11 have conservatively assumed that the CHANNEL CALIBRATION is performed at power with the channel in bypass.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint methodology.

The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. The applicable time constants are shown in Table 3.3.1-1.

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every 18 months. Two notes modify this SR.

Note 1 states that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric and flux map performed above 15% RTP. The CHANNEL CALIBRATION for the source range neutron detectors consists of two methods. Method 1 consists of obtaining the discriminator curves for source range, evaluating those curves, and comparing the curves to the manufacturer's data (adjustments to the discriminator voltage are performed as required). Method 2 consists of performing waveform analysis. This analysis process monitors the actual number and amplitude of the Neutron/Gamma pulses being generated by the SR detector. The high voltage is adjusted to optimize the amplitude of the pulses while maintaining as low as possible high voltage value in order to prolong the detector life. The discriminator voltage is then adjusted, as required, to reasonably ensure that the neutron pulses are being counted by the source range instrumentation and the unwanted gamma pulses are not being counted as neutron pulses.

The CHANNEL CALIBRATION for the intermediate range neutron detectors consists of the high voltage detector plateau for intermediate range, evaluating those curves, and comparing the curves to the manufacturer's data. Note 2 states that this Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 18 month Frequency.

SR 3.3.1.12 SR 3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every 18 months. Calibration of the ΔT channels is required at the beginning of each cycle upon completion of the precision heat balance. RCS loop ΔT values shall be determined by precision heat balance measurements at the beginning of each cycle.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.1.13 SR 3.3.1.13 is the performance of a COT of RTS interlocks every 18 months.

The Frequency is based on the known reliability of the interlocks and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

SR 3.3.1.14 SR 3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip and the SI Input from ESFAS. This TADOT is performed every 18 months. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.

SR 3.3.1.15 SR 3.3.1.15 is the performance of a TADOT of Turbine Trip Functions.

This TADOT is as described in SR 3.3.1.4, except that this test is performed prior to reactor startup. A Note states that this Surveillance is not required if it has been performed within the previous 31 days.

Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to taking the reactor critical. This test cannot be performed with the reactor at power and must therefore be performed prior to reactor startup.

SR 3.3.1.16 and SR 3.3.1.17 SR 3.3.1.16 and SR 3.3.1.17 verify that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in the UFSAR (Ref. 1). Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e., control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate UFSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from:

(1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be either demonstrated by test, or their equivalency to those listed in WCAP-13632-P-A, Revision 2. Any demonstration of equivalency must have been determined to be acceptable by NRC staff review.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.

The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

As appropriate, each channel's response must be verified every 18 months on a STAGGERED TEST BASIS. Testing of the final actuation devices is included in the testing. Testing of the RTS RTDs is performed on an 18 month frequency. Response times cannot be determined during unit operation because equipment operation is required to measure response times. Experience has shown that these components usually pass this surveillance when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response. The response time of the neutron flux signal portion of the channel shall be measured from detector output or input of the first electronic component in the channel.


REFERENCES

1. UFSAR, Chapter 7.
2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.
4. IEEE-279-1971.
5. 10 CFR 50.49.
6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).
7. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.
8. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" Sep., 1995.
9. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" Oct., 1998.
10. WCAP-14333-P-A, Revision 1, October 1998.
11. WCAP-15376-P-A, Revision 1, March 2003.


ESFAS Instrumentation B 3.3.2

B 3.3 INSTRUMENTATION

B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation

BASES

BACKGROUND

The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

  • Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;
  • Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and
  • Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

Field Transmitters or Sensors

To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs.

To account for calibration tolerances and instrument drift, which is assumed to occur between calibrations, statistical allowances are provided in the NOMINAL TRIP SETPOINT and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

McGuire Units 1 and 2 B 3.3.2-1 Revision No. 99


Signal Processing Equipment

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision logic processing. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in the UFSAR.
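The coincidence logic described above can be checked by enumeration. The following is an added example, not part of the Bases document or of any plant software; the channel states and the function names (`Ch`, `actuates`, `effective_logic`, `single_failure_tolerant`, `survey`) are assumptions made for illustration. It shows how a failed channel changes the effective voting logic and whether one further failure could cause or prevent actuation.

```python
from enum import Enum


class Ch(Enum):
    """State of one protection channel's bistable (illustrative names)."""
    HEALTHY = "healthy"                    # output follows the process
    FAILED_UNTRIPPED = "failed-untripped"  # stuck; never gives a partial trip
    FAILED_TRIPPED = "failed-tripped"      # stuck in the partial-trip state


def bistable_outputs(channels, demand):
    """Per-channel bistable output; demand=True means the setpoint is exceeded."""
    out = []
    for state in channels:
        if state is Ch.HEALTHY:
            out.append(demand)
        else:
            out.append(state is Ch.FAILED_TRIPPED)
    return out


def actuates(channels, demand, m=2):
    """m-out-of-N coincidence: actuate when at least m bistables are tripped."""
    return sum(bistable_outputs(channels, demand)) >= m


def effective_logic(channels, m=2):
    """Return (k, n): k of the n healthy channels must still trip to actuate."""
    healthy = sum(1 for s in channels if s is Ch.HEALTHY)
    stuck_tripped = sum(1 for s in channels if s is Ch.FAILED_TRIPPED)
    return (max(m - stuck_tripped, 0), healthy)


def single_failure_tolerant(channels, m=2):
    """True if the function works now and no one further channel failure can
    either cause a spurious actuation or prevent a required one."""
    if actuates(channels, demand=False, m=m):
        return False
    if not actuates(channels, demand=True, m=m):
        return False
    for i, state in enumerate(channels):
        if state is not Ch.HEALTHY:
            continue
        for mode in (Ch.FAILED_UNTRIPPED, Ch.FAILED_TRIPPED):
            trial = list(channels)
            trial[i] = mode
            if actuates(trial, demand=False, m=m):      # failure causes actuation
                return False
            if not actuates(trial, demand=True, m=m):   # failure prevents actuation
                return False
    return True


def survey():
    """Constructed cases matching the configurations discussed in the text."""
    H, U, T = Ch.HEALTHY, Ch.FAILED_UNTRIPPED, Ch.FAILED_TRIPPED
    cases = {
        "2oo3, all healthy": [H, H, H],
        "2oo3, one failed untripped": [U, H, H],
        "2oo3, one failed tripped": [T, H, H],
        # Four channels: the channel shared with the control system has failed.
        "2oo4, one failed untripped": [U, H, H, H],
    }
    return {name: (effective_logic(c), single_failure_tolerant(c))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (logic, tolerant) in survey().items():
        print(f"{name}: effective {logic[0]}-out-of-{logic[1]}, "
              f"tolerates one more failure: {tolerant}")
```

With one channel already failed, the three-channel arrangement can no longer absorb a further failure, while the four-channel arrangement still can, which is the reason the text gives for using four channels when a parameter also feeds a control function.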

Trip Setpoints and Allowable Values

The NOMINAL TRIP SETPOINTS are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION tolerance.


The NOMINAL TRIP SETPOINTS used in the bistables are based on the analytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIP SETPOINTS is such that adequate protection is provided when all sensor and processing time delays, calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left Setpoint entered into the bistable assures that the actual trip occurs before the Allowable Value is reached. The Allowable Value accounts for changes in random measurement errors detectable by a COT. One example of such a change in measurement error is drift during the surveillance interval. If the point at which the loop trips does not exceed the Allowable Value, the loop is considered OPERABLE.

A trip within the Allowable Value ensures that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

The NOMINAL TRIP SETPOINTS and Allowable Values listed in Table 3.3.2-1 incorporate all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NOMINAL TRIP SETPOINT. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

Solid State Protection System

The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.

Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.


The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Each SSPS train has a built in testing device that can test the decision logic matrix functions and the actuation devices while the unit is at power.

When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of three or four channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1. Safety Injection

Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F); and
2. Boration to ensure recovery and maintenance of SDM (keff < 1.0).

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment.

The SI signal is also used to initiate other Functions such as:

  • Phase A Isolation;
  • Containment Purge and Exhaust Isolation;
  • Control room area ventilation isolation;
  • Start of annulus ventilation system filtration trains;
  • Start of auxiliary building filtered ventilation exhaust system trains;
  • Start of diesel generators;
  • Start of component cooling water system pumps.

These other functions ensure:

  • Isolation of nonessential systems through containment penetrations;
  • Trip of the turbine and reactor to limit power generation;
  • Isolation of main feedwater (MFW) to limit secondary side mass losses;
  • Start of AFW to ensure secondary side cooling capability;
  • Isolation of the control room to ensure habitability;
  • Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low RWST level to ensure continued cooling via use of the containment sump;
  • Starting of annulus ventilation and auxiliary building filtered ventilation to limit offsite releases;
  • Starting of diesel generators for loss of offsite power considerations; and
  • Starting of component cooling water and nuclear service water systems for heat removal.

a. Safety Injection-Manual Initiation

The LCO requires one channel per train to be OPERABLE.

The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each train consists of one push button and the interconnecting wiring to the actuation logic cabinet. This configuration does not allow testing at power.

b. Safety Injection-Automatic Actuation Logic and Actuation Relays

This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.


These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection-Containment Pressure-High

This signal provides protection against the following accidents:

  • SLB inside containment;
  • LOCA; and
  • Feed line break inside containment.

Containment Pressure-High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.

Containment Pressure-High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

d. Safety Injection-Pressurizer Pressure-Low Low

This signal provides protection against the following accidents:

  • Inadvertent opening of a steam generator (SG) relief or safety valve;
  • SLB;
  • A spectrum of rod cluster control assembly ejection accidents (rod ejection);
  • Inadvertent opening of a pressurizer relief or safety valve;
  • LOCAs; and
  • SG Tube Rupture.

Pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High signal.

This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

2. Containment Spray

Containment Spray provides two primary functions:

1. Lowers containment pressure and temperature after an HELB in containment; and
2. Reduces the amount of radioactive iodine in the containment atmosphere.

These functions are necessary to:

  • Ensure the pressure boundary integrity of the containment structure; and
  • Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure.

The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the containment spray pumps. When the RWST reaches the low low level setpoint, the spray pump suctions are manually shifted to the containment sump if continued containment spray is required.

Containment spray is actuated manually or by Containment Pressure-High High.

a. Containment Spray-Manual Initiation

There are two manual containment spray switches, one per train, in the control room. Turning the switch will actuate the associated containment spray train in the same manner as the automatic actuation signal. Two Manual Initiation switches, one per train, are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B containment isolation. Two train actuation requires operation of both Train A and Train B manual containment spray switches.

b. Containment Spray-Automatic Actuation Logic and Actuation Relays

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

c. Containment Spray-Containment Pressure-High High

This signal provides protection against a LOCA or an SLB inside containment.

This is one of the only Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

Containment Pressure-High High uses four channels in a two-out-of-four logic configuration. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip. Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure-High High setpoints.

3. Containment Isolation

Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.


There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW) and Nuclear Service Water System (NSWS) to RCP motor air coolers, at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW and NSWS are required to support RCP operation, not isolating CCW and NSWS on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW and NSWS on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

Phase A containment isolation is actuated automatically by SI, or manually via the actuation circuitry. All process lines penetrating containment, with the exception of CCW and NSWS, are isolated. CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates its associated train.

The Phase B signal isolates CCW and NSWS. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW and NSWS at the higher pressure does not pose a challenge to the containment boundary because the CCW System and NSWS are closed loops inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the systems are continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint.

Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of CCW System and NSWS design and Phase B isolation ensures there is not a potential path for radioactive release from containment.


Phase B containment isolation is actuated by Containment Pressure-High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs and NSWS to the RCP motor coolers is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

a. Containment Isolation-Phase A Isolation

(1) Phase A Isolation-Manual Initiation

Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains.

(2) Phase A Isolation-Automatic Actuation Logic and Actuation Relays

Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase A Isolation-Safety Injection

Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

b. Containment Isolation-Phase B Isolation

Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same channels that actuate Containment Spray, Function 2). The Containment Pressure trip of Phase B Containment Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.

(1) Phase B Isolation-Manual Initiation

(2) Phase B Isolation-Automatic Actuation Logic and Actuation Relays

Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase B Isolation-Containment Pressure-High High

The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.

4. Steam Line Isolation

Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.

Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

a. Steam Line Isolation-Manual Initiation

Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two system level switches in the control room and either switch can initiate action to immediately close all MSIVs. The LCO requires two channels to be OPERABLE. Individual valves may also be closed using individual hand switches in the control room. The LCO requires four individual channels to be OPERABLE.

b. Steam Line Isolation-Automatic Actuation Logic and Actuation Relays

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.


Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

c. Steam Line Isolation-Containment Pressure-High High

This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain three unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. The Containment Pressure - High High function is described in ESFAS Function 2.C.

Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure-High High setpoint.

d. Steam Line Isolation-Steam Line Pressure

(1) Steam Line Pressure-Low

Steam Line Pressure-Low provides closure of the MSIVs in the event of an SLB to maintain three unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment.

This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.


Steam Line Pressure-Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure-High High. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure-Negative Rate-High signal for Steam Line Isolation below P-11 when Steam Line Isolation Steam Line Pressure-Low has been manually blocked. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(2) Steam Line Pressure-Negative Rate-High

Steam Line Pressure-Negative Rate-High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure-Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure-Negative Rate-High signal is automatically enabled. Steam Line Pressure-Negative Rate-High provides no input to any control functions.

Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure-Negative Rate-High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure-Low signal is automatically enabled. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

5. Turbine Trip and Feedwater Isolation

The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, stop the excessive flow of feedwater into the SGs, and to limit the energy released into containment. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows. Feedwater isolation serves to limit the energy released into containment upon a feedwater line or steam line break inside containment.

The Functions are actuated when the level in any SG exceeds the high high setpoint, and perform the following functions:

  • Trips the MFW pumps; and

Turbine Trip and Feedwater Isolation signals are both actuated by SG Water Level-High High, or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. A Feedwater Isolation signal is also generated by a reactor trip (P-4) coincident with Tavg-Low and on a high water level in the reactor building doghouse. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was discussed previously.

a. Turbine Trip

(1) Turbine Trip-Automatic Actuation Logic and Actuation Relays

Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

(2) Turbine Trip-Steam Generator Water Level-High High (P-14)

This signal prevents damage to the turbine due to water in the steam lines. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Only three protection channels are necessary to satisfy the protective requirements. The setpoints are based on percent of narrow range instrument span.

(3) Turbine Trip-Safety Injection

Turbine Trip is also initiated by all Functions that initiate SI. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.

Item 5.a.(1) is referenced for the applicable MODES.

The Turbine Trip Function must be OPERABLE in MODES 1 and 2. In lower MODES, the turbine generator is not in service and this Function is not required to be OPERABLE.

b. Feedwater Isolation

(1) Feedwater Isolation-Automatic Actuation Logic and Actuation Relays

Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

(2) Feedwater Isolation-Steam Generator Water Level-High High (P-14)

This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Only three protection channels are necessary to satisfy the protective requirements. The setpoints are based on percent of narrow range instrument span.

(3) Feedwater Isolation-Safety Injection

Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements. Item 5.b.(1) is referenced for the applicable MODES.

(4) Feedwater Isolation - RCS Tavg-Low Coincident With Reactor Trip (P-4)

This signal provides protection against excessive cooldown, which could subsequently introduce a positive reactivity excursion after a plant trip. There are four channels of RCS Tavg-Low (one per loop), with a two-out-of-four logic required coincident with a reactor trip signal (P-4) to initiate a feedwater isolation.

The P-4 interlock is discussed in Function 8.a.

(5) Turbine Trip and Feedwater Isolation - Doghouse Water Level - High High

This signal initiates a Feedwater Isolation. The signal terminates forward feedwater flow in the event of a postulated pipe break in the main feedwater piping in the doghouses to prevent flooding safety related equipment essential to the safe shutdown of the plant.


The level instrumentation consists of six level switches (three per train) in each of the two reactor building doghouses. A high-high level detected by two-out-of-three switches in either train in the inboard or outboard doghouse will initiate a feedwater isolation. This signal initiates Feedwater Isolation for the specific doghouse where the High-High level is detected and trips both main feedwater pumps thus causing a main turbine trip.

The Feedwater Isolation Function must be OPERABLE in MODES 1 and 2 and also in MODE 3 (except for the functions listed in Table 3.3.2-1).

Feedwater Isolation is not required OPERABLE when all MFIVs, MFCVs, and associated bypass valves are closed and de-activated or isolated by a closed manual valve. In lower MODES, the MFW System is not in service and this Function is not required to be OPERABLE.

6. Auxiliary Feedwater

The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump, making it available during normal and accident operation. The normal source of water for the AFW System is the non-safety related AFW Storage Tank (Water Tower). A low suction pressure to the AFW pumps will automatically realign the pump suctions to the Nuclear Service Water System (NSWS) (safety related). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.

a. Auxiliary Feedwater-Automatic Actuation Logic and Actuation Relays

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Auxiliary Feedwater-Steam Generator Water Level-Low Low

SG Water Level-Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low Low provides input to the SG Level Control System.


Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic. The setpoints are based on percent of narrow range instrument span.

SG Water Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level - Low Low in any two operating SGs will cause the turbine driven pumps to start.

c. Auxiliary Feedwater-Safety Injection

An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

d. Auxiliary Feedwater-Station Blackout

A loss of power or degraded voltage to the service buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of power or degraded voltage is detected by a voltage drop on each essential service bus. Loss of power or degraded voltage to either essential service bus will start the turbine driven and motor driven AFW pumps to ensure that at least two SGs contain enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. The turbine driven pump does not start on a loss of power coincident with a SI signal.

Functions 6.a through 6.d must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.


e. Auxiliary Feedwater-Trip of All Main Feedwater Pumps

A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Two contacts are provided in series (one from each MFW pump) in the starting circuit for each AFW pump. A trip of all MFW pumps closes both contacts and starts the motor driven AFW pumps to ensure that at least two SGs are available with water to act as the heat sink for the reactor. This function must be OPERABLE in MODES 1 and 2. This ensures that at least two SGs are provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident.

In MODES 3, 4, and 5, the MFW pumps are normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.

f. Auxiliary Feedwater-Pump Suction Transfer on Suction Pressure-Low

A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the non-safety related AFW Storage Tank (Water Tower).

Two pressure switches per train are located on the AFW pump suction line. The turbine driven AFW pump has a total of four switches. A low pressure signal sensed by two-out-of-two switches on either train will cause the emergency supply of water for the pump to be aligned. The NSWS (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least two of the SGs as the heat sink for reactor decay heat and sensible heat removal.

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.


7. Automatic Switchover to Containment Sump

At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps.

Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability.

a. Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-Low Coincident With Safety Injection

During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with three level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-three logic is adequate to initiate the protection function actuation.

Automatic switchover occurs only if the RWST low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump.

The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements. These Functions must be OPERABLE in MODES 1, 2, and 3 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks

To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

a. Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4

The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker is open. Operators are able to reset SI 60 seconds after initiation. If a P-4 is present when SI is reset, subsequent automatic SI initiation will be blocked until the RTBs have been manually closed. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete while avoiding multiple SI initiations. The functions of the P-4 interlock are:
  • Isolate MFW with coincident low Tavg;
  • Prevent reactuation of SI after a manual reset of SI; and
  • Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level-High High.


Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip.

An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.

None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other three Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts.

Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine and the MFW System are not in operation.

b. Engineered Safety Feature Actuation System Interlocks-Pressurizer Pressure, P-11

The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal (previously discussed).


When the Steam Line Pressure-Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure-Negative Rate-High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure-Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure-Negative Rate-High is disabled.

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.
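The P-11 behaviour described above can be written as a small state model. This is an added illustration, not plant logic or code from the source document: the class and function names, the numeric setpoint, the sample pressures, and the use of two-out-of-three voting for the Steam Line Pressure-Low channels are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed placeholder: the page does not give the numeric P-11 setpoint.
P11_SETPOINT = 1000.0  # hypothetical pressure units, illustration only


def two_out_of_three(votes):
    """Coincidence logic: True when at least two of three channels vote True."""
    votes = list(votes)
    if len(votes) != 3:
        raise ValueError("expected exactly three channels")
    return sum(bool(v) for v in votes) >= 2


@dataclass
class P11Interlock:
    """Hypothetical model of which steam line isolation pressure signal is in service."""
    low_blocked: bool = False  # operator block of Steam Line Pressure-Low
    below_p11: bool = False    # permissive: 2-of-3 pressurizer channels below setpoint

    def update_pressure(self, pressurizer_channels):
        """Re-evaluate the permissive; above P-11 any block is removed automatically."""
        self.below_p11 = two_out_of_three(p < P11_SETPOINT for p in pressurizer_channels)
        if not self.below_p11:
            # Assumption: a reading exactly at the setpoint counts as "above",
            # which errs toward keeping the Pressure-Low signal in service.
            self.low_blocked = False

    def request_block(self):
        """Operator block request; honoured only while the permissive is present."""
        if self.below_p11:
            self.low_blocked = True
        return self.low_blocked

    def manual_reset(self):
        """Operator re-enables Steam Line Pressure-Low with the reset button."""
        self.low_blocked = False

    @property
    def pressure_low_enabled(self):
        return not self.low_blocked

    @property
    def negative_rate_enabled(self):
        # Enabled exactly when Pressure-Low is blocked, so one of the two
        # signals is always in service to close the MSIVs on an SLB.
        return self.low_blocked

    def isolation_demand(self, low_votes, rate_votes):
        """MSIV closure demand for one steam line from the signal in service."""
        low = self.pressure_low_enabled and two_out_of_three(low_votes)
        rate = self.negative_rate_enabled and two_out_of_three(rate_votes)
        return low or rate


def cooldown_heatup_trace():
    """Run a constructed cooldown/heatup sequence.

    Returns a list of (step, pressure_low_enabled, negative_rate_enabled).
    """
    steps = [  # (label, constructed pressurizer readings, operator tries to block?)
        ("at power", (2200.0, 2210.0, 2190.0), True),    # block refused above P-11
        ("cooldown", (990.0, 1005.0, 980.0), True),      # 2-of-3 below: block accepted
        ("further cooldown", (700.0, 710.0, 705.0), False),
        ("heatup", (1010.0, 1020.0, 995.0), False),      # automatic re-enable
    ]
    ilk = P11Interlock()
    trace = []
    for label, channels, try_block in steps:
        ilk.update_pressure(channels)
        if try_block:
            ilk.request_block()
        trace.append((label, ilk.pressure_low_enabled, ilk.negative_rate_enabled))
    return trace


if __name__ == "__main__":
    for row in cooldown_heatup_trace():
        print(row)
```

The property worth checking in any implementation of this interlock is the invariant the text implies: at every step exactly one of the two steam line pressure signals is enabled, and a block request above the setpoint has no effect.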

c. Engineered Safety Feature Actuation System Interlocks-Tavg-Low Low, P-12

On increasing reactor coolant temperature, the P-12 interlock provides an arming signal to the Steam Dump System. On a decreasing temperature, the P-12 interlock removes the arming signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System.

Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. These channels are used in two-out-of-four logic.

This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have an accident.


9. Containment Pressure Control System Permissives

The Containment Pressure Control System (CPCS) protects the Containment Building from excessive depressurization by preventing inadvertent actuation or continuous operation of the Containment Spray and Containment Air Return Systems when containment pressure is at or less than the CPCS permissive setpoint. The control scheme of CPCS is comprised of eight independent control circuits (4 per train), each having a separate and independent pressure transmitter and current alarm module. Each pressure transmitter monitors the containment pressure and provides input to its respective current alarm. The current alarms are set to inhibit or terminate containment spray and containment air return fan operation when containment pressure falls below the setpoint.

The alarm modules switch back to the permissive state (allowing the systems to operate) when containment pressure is greater than or equal to the setpoint.

This function must be OPERABLE in MODES 1, 2, 3, and 4 when there is sufficient energy in the primary and secondary sides to pressurize containment following a pipe break. In MODES 5 and 6, there is insufficient energy in the primary and secondary sides to significantly pressurize the containment.

The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6).

ACTIONS

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

A channel shall be OPERABLE if the point at which the channel trips is found equal to or more conservative than the Allowable Value. In the event a channel's trip setpoint is found less conservative than the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by the channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. If plant conditions warrant, the trip setpoint may be set outside the NOMINAL TRIP SETPOINT calibration tolerance band as long as the trip setpoint is conservative with respect to the NOMINAL TRIP SETPOINT.

If the trip setpoint is found outside the NOMINAL TRIP SETPOINT calibration tolerance band and non-conservative with respect to the NOMINAL TRIP SETPOINT, the setpoint shall be re-adjusted.


When the number of inoperable channels in a trip function exceeds those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1

Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1 and B.2.2

Condition B applies to manual initiation of:

This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable.

Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (54 hours total time) and in MODE 5 within an additional 30 hours (84 hours total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.


C.1, C.2.1 and C.2.2

Condition C applies to the automatic actuation logic and actuation relays for the following functions:

  • Phase A Isolation; and
  • Phase B Isolation.

This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing, provided the other train is OPERABLE. The Required Actions are not required to be met during this time, unless the train is discovered inoperable during the testing. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref. 7) that 4 hours is the average time required to perform train surveillance.

If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.

D.1, D.2.1, and D.2.2

Condition D applies to:

  • Containment Pressure-High;
  • Pressurizer Pressure-Low Low;
  • Steam Line Pressure-Low;
  • Steam Line Pressure-Negative Rate-High;
  • SG Water Level - High High (P-14) for the Feedwater Isolation Function;
  • SG Water Level-Low Low; and
  • Loss of offsite power.

If one channel is inoperable, 72 hours are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.

Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. The 72 hours allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 10.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hours allowed for testing are justified in Reference 10.

E.1, E.2.1, and E.2.2

Condition E applies to:

  • Containment Phase B Isolation Containment Pressure - High-High, and
  • Steam Line Isolation Containment Pressure - High High.


None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion.

Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.

To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours, requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours for surveillance testing. Placing a second channel in the bypass condition for up to 12 hours for testing purposes is acceptable based on the results of Reference 10.
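The coincidence-logic reasoning under Conditions D and E can be checked mechanically. The following is an added example, not part of the Bases document: it models a k-out-of-n function and tests whether one further channel failure causes spurious actuation or loss of function. The state names, the function names, and the assumption that an inoperable, untripped channel cannot vote are illustrative assumptions.

```python
from enum import Enum


class State(Enum):
    OPERABLE = "operable"      # votes when the process parameter demands a trip
    INOPERABLE = "inoperable"  # assumption: cannot vote (failed, not yet tripped)
    TRIPPED = "tripped"        # bistable forced to trip: always votes
    BYPASSED = "bypassed"      # removed from the coincidence logic: never votes


def effective_logic(states, k):
    """Return (votes still needed, channels still able to supply them)."""
    tripped = sum(s is State.TRIPPED for s in states)
    operable = sum(s is State.OPERABLE for s in states)
    return max(k - tripped, 0), operable


def actuates(states, k, demand, failed_high=None, failed_low=None):
    """True if the k-out-of-n coincidence is satisfied.

    failed_high / failed_low is the index of one OPERABLE channel assumed to
    fail so that it always / never votes, regardless of the process.
    """
    votes = 0
    for i, s in enumerate(states):
        if s is State.TRIPPED:
            votes += 1
        elif s is State.OPERABLE:
            if i == failed_high:
                votes += 1
            elif i == failed_low:
                continue
            elif demand:
                votes += 1
    return votes >= k


def single_failure_check(states, k):
    """Apply one additional failure to each OPERABLE channel in turn."""
    operable = [i for i, s in enumerate(states) if s is State.OPERABLE]
    spurious = actuates(states, k, demand=False) or any(
        actuates(states, k, demand=False, failed_high=i) for i in operable)
    lost = (not actuates(states, k, demand=True)) or any(
        not actuates(states, k, demand=True, failed_low=i) for i in operable)
    return {"spurious_actuation": spurious, "loss_of_function": lost}


O, I, T, B = State.OPERABLE, State.INOPERABLE, State.TRIPPED, State.BYPASSED

# Constructed configurations matching the cases discussed in the text.
CASES = {
    "2oo3, all channels OPERABLE": ([O, O, O], 2),
    "2oo3, one inoperable and untripped (Condition D entry)": ([I, O, O], 2),
    "2oo3, inoperable channel tripped (Condition D action)": ([T, O, O], 2),
    "2oo4, inoperable channel bypassed (Condition E action)": ([B, O, O, O], 2),
    "2oo4, second channel bypassed for testing (Condition E Note)": ([B, B, O, O], 2),
}


def report():
    """Print the effective logic and single-failure result for each case."""
    for label, (states, k) in CASES.items():
        need, avail = effective_logic(states, k)
        result = single_failure_check(states, k)
        print(f"{label}: {need}-out-of-{avail}, {result}")


if __name__ == "__main__":
    report()
```

The tripped two-out-of-three case is the only one in which a single channel failing high actuates the function, which is the reason the text gives for building the Condition E functions with two-out-of-four logic and bypassing instead of tripping.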

F.1, F.2.1, and F.2.2

Condition F applies to:

  • Manual Initiation of Steam Line Isolation; and
  • P-4 Interlock.


For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. If a train or channel is inoperable, 48 hours is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

G.1 and G.2

Condition G applies to manual initiation of Steam Line Isolation.

This action addresses the operability of the manual steam line isolation function for each individual main steam isolation valve. If a channel is inoperable, 48 hours is allowed to return it to an OPERABLE status. If the train cannot be restored to OPERABLE status, the Conditions and Required Actions of LCO 3.7.2, "Main Steam Isolation Valves," must be entered for the associated inoperable valve. The specified Completion Time is reasonable considering that there is a system level manual initiation train for this Function and the low probability of an event occurring during this interval.

H.1, H.2.1 and H.2.2

Condition H applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Feedwater Isolation, and AFW actuation Functions.

The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.


Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours is the average time required to perform channel surveillance.

If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.

I.1 and I.2

Condition I applies to the automatic actuation logic and actuation relays for the Turbine Trip Function.

This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the following 6 hours. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE 3. Placing the unit in MODE 3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours is the average time required to perform channel surveillance.

If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.

J.1 and J.2

Condition J applies to:

  • Tavg-Low.

If one channel is inoperable, 72 hours are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. The 72 hours allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 10.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit to be placed in MODE 3 within the following 6 hours. The allowed Completion Time of 78 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The note also allows an OPERABLE channel to be placed in bypass without entering the Required Actions for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 72 hours allowed to place the inoperable channel in the tripped condition, and the 12 hours allowed for a channel to be in the bypassed condition for testing, are justified in Reference 10.

K.1 and K.2

Condition K applies to the AFW pump start on trip of all MFW pumps.

This action addresses the relay contact orientation for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 1 hour is allowed to place the channel in trip. If placed in the tripped condition, the function is then in a partial trip condition where a one-out-of-one logic will result in actuation. If the channel is not placed in trip within 1 hour, 6 hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.

L.1

Condition L applies to the Doghouse Water Level - High High.

The failure of one required channel in one train in either reactor building doghouse results in a loss of redundancy for the function. The function can still be initiated by the remaining operable train. The inoperable train is required to be restored to OPERABLE status within 72 hours, or continuous visual monitoring of the doghouse water level must be implemented in the following hour.

The allowed Completion Time is reasonable considering that the redundant train remains OPERABLE to initiate the function if required.

M.1, M.2.1 and M.2.2

Condition M applies to the Doghouse Water Level - High High.

The failure of two trains in either reactor building doghouse results in a loss of the function. Continuous visual monitoring of the doghouse water level must be implemented in the following hour.

The allowed Completion Time provides sufficient time for the operating staff to establish the required monitoring.

N.1 and N.2

Condition N applies to the Auxiliary Feedwater Pumps Suction Transfer on Suction Pressure Low.

If one or more channels on a single AFW pump is inoperable, 48 hours is allowed to restore the channel(s) to OPERABLE status or to declare the associated AFW pump inoperable. The failure of one or more channels on one pump disables the ability for the suction transfer on that pump.

The allowed Completion Times are reasonable, considering the remaining redundant pumps and transfer instrumentation.

O.1

Condition O applies to the Auxiliary Feedwater Pumps Suction Transfer on Suction Pressure Low.

If one or more channels on more than one AFW pump are inoperable, the ability for the suction transfer has been lost on multiple pumps. In this case, the associated AFW pumps must be declared inoperable immediately.

P.1 and P.2

Condition P applies to RWST Level-Low Coincident with Safety Injection.

RWST Level-Low Coincident with SI provides actuation of switchover to the containment sump. The inoperable channel shall be returned to OPERABLE status or placed in the trip condition within 1 hour. This Condition applies to a function that operates on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. The channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. A channel placed in the trip condition shall be restored to OPERABLE status within 48 hours. With one channel in the trip condition, a single failure of another channel coincident with a design basis Loss of Coolant Accident (LOCA) could result in premature automatic swapover of ECCS pumps to the containment recirculation sump. For a failure leading to early swapover, plant analyses assume operators do not have sufficient time to resolve the problem prior to ECCS pump damage.

Consequently, as a result of this premature swapover, both trains of ECCS pumps could fail due to insufficient sump water level. This could prevent the ECCS pumps from performing their post-LOCA cooling function. The allowed Completion Time of 48 hours is reasonable since, based on operating experience, there is a very small probability of a random failure of another RWST level channel in a given 48 hour period.

Q.1, Q.2.1 and Q.2.2

Condition Q applies to the P-11 and P-12 interlocks.

With one channel inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. The verification is performed by visual observation of the permissive status light in the unit control room. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour. The 1 hour Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.

R.1

Condition R applies to the Containment Pressure Control System Start and Terminate Permissives.

With one or more channels inoperable, the affected containment spray, containment air return fans, and hydrogen skimmer fans must be declared inoperable immediately. The supported system LCOs provide the appropriate Required Actions and Completion Times for the equipment made inoperable by the inoperable channel. The immediate Completion Time is appropriate since the inoperable channel could prevent the supported equipment from starting when required. Additionally, protection from an inadvertent actuation may not be provided if the terminate function is not OPERABLE.

S.1 and S.2

Condition S applies to RWST Level-Low Coincident with Safety Injection.

When Required Actions cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and MODE 4 within 12 hours of entering the Condition.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

SURVEILLANCE REQUIREMENTS

The SRs for each ESFAS Function are identified by the SRs column of Table 3.3.2-1.

A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined.


Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.2.1

Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2

SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days on a STAGGERED TEST BASIS is justified in Reference 11.

SR 3.3.2.3

SR 3.3.2.3 is the performance of a COT on the RWST level and Containment Pressure Control Start and Terminate Permissives.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1. This test is performed every 31 days. The Frequency is adequate, based on operating experience, considering instrument reliability and operating history data.

SR 3.3.2.4

SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. The time allowed for the testing (4 hours) is justified in Reference 7.

The frequency of 92 days is justified in Reference 11.

SR 3.3.2.5

SR 3.3.2.5 is the performance of a COT.

A COT is performed on each required channel to ensure the channel will perform the intended Function. The tested portion of the loop must trip within the Allowable Values specified in Table 3.3.2-1.

The setpoint shall be left set consistent with the assumptions of the setpoint methodology.

The Frequency of 184 days is justified in Reference 11.

SR 3.3.2.6

SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment.

Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. This test is performed every 92 days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.2.7

SR 3.3.2.7 is the performance of a TADOT. This test is a check of the Manual Actuation Functions, AFW pump start, Reactor Trip (P-4) Interlock and Doghouse Water Level - High High feedwater isolation. It is performed every 18 months. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

SR 3.3.2.8

SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every 18 months. The CHANNEL CALIBRATION may be performed at power or during refueling based on bypass testing capability. Channel unavailability evaluations in References 10 and 11 have conservatively assumed that the CHANNEL CALIBRATION is performed at power with the channel in bypass.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology.

The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

The applicable time constants are shown in Table 3.3.2-1.

SR 3.3.2.9

This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria are included in the UFSAR (Ref. 2). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate UFSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be either demonstrated by test or their equivalency to those listed in WCAP-13632-P-A, Revision 2. Any demonstration of equivalency must have been determined to be acceptable by NRC staff review.

WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

ESF RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 18 months.

The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours after reaching 900 psig in the SGs.

REFERENCES

1. UFSAR, Chapter 6.
2. UFSAR, Chapter 7.
3. UFSAR, Chapter 15.
4. IEEE-279-1971.
5. 10 CFR 50.49.
6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).
7. WCAP-10271-P-A, Supplement 1 and Supplement 2, Rev. 1, May 1986 and June 1990.
8. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" Sep., 1995.
9. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" Oct., 1998.
10. WCAP-14333-P-A, Revision 1, October 1998.
11. WCAP-15376-P-A, Revision 1, March 2003.


Containment Air Locks B 3.6.2

B 3.6 CONTAINMENT SYSTEMS
B 3.6.2 Containment Air Locks

BASES

BACKGROUND

Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder, 10 ft in diameter, with a door at each end. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double inflatable seals and local leakage rate testing capability to ensure pressure integrity.

Each personnel air lock is provided with limit switches on both doors that provide control room indication of door position. Additionally, control room indication is provided to alert the operator whenever an air lock door interlock mechanism is defeated.

The containment air locks form part of the containment pressure boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analyses.

APPLICABLE SAFETY ANALYSES

The DBAs that result in a release of radioactive material within containment are a loss of coolant accident and a rod ejection accident (Ref. 2). In the analysis of each of these accidents, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.3% of containment air weight per day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La = 0.3% of containment air weight per day, the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa = 14.8 psig following a design basis LOCA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air locks.

McGuire Units 1 and 2 B 3.6.2-1 Revision No. 98

The containment air locks satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO

Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock safety function is related to control of the containment leakage rate resulting from a DBA. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry into or exit from containment.

APPLICABILITY

In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks during MODE 6 are addressed in LCO 3.9.4, "Containment Penetrations."

ACTIONS

The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door is inoperable, then it may be easily accessed for most repairs. It is preferred that the air lock be accessed from inside primary containment by entering through the other OPERABLE air lock. However, if this is not practicable, or if repairs on either door must be performed from the barrel side of the door then it is permissible to enter the air lock through the OPERABLE door, which means there is a short time during which the containment boundary is not intact (during access through the OPERABLE door). The ability to open the OPERABLE door, even if it means the containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit, the OPERABLE door must be immediately closed. If ALARA conditions permit, entry and exit should be via an OPERABLE air lock.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associated Required Actions.

In the event the air lock leakage results in exceeding the overall containment leakage rate, Note 3 directs entry into the applicable Conditions and Required Actions of LCO 3.6.1, "Containment."

A.1, A.2, and A.3

With one air lock door in one or more containment air locks inoperable, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock. This ensures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires containment be restored to OPERABLE status within 1 hour.

Note that for the purpose of Required Action A.1, A.2, and A.3, the bulkhead associated with an air lock door is considered to be part of the door. For example, an air lock door may be declared inoperable if the equalizing valve becomes inoperable or if it is replaced. It is appropriate to treat the associated bulkhead as part of the door because a leak path through the bulkhead is no different than a leak path past the door seals.

The remaining OPERABLE door/bulkhead provides the necessary barrier between the containment atmosphere and the environs.


In addition, the affected air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour Completion Time.

The 24 hour Completion Time is reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is being maintained closed.

Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls if both air locks have an inoperable door. This 7 day restriction begins when the second air lock is discovered inoperable. Containment entry may be required on a periodic basis to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-required activities) if the containment is entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance is acceptable due to the low probability of an event that could pressurize the containment during the short time that the OPERABLE door is expected to be open.


B.1, B.2, and B.3

With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in Condition A.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).

Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

C.1, C.2, and C.3

With one or more air locks inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be initiated immediately to evaluate previous combined leakage rates using current air lock test results. An evaluation is acceptable, since it is overly conservative to immediately declare the containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed), containment remains OPERABLE, yet only 1 hour (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.

Required Action C.2 requires that one door in the affected containment air lock must be verified to be closed within the 1 hour Completion Time.

This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be restored to OPERABLE status within 1 hour.

Additionally, the affected air lock(s) must be restored to OPERABLE status within the 24 hour Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at least one door is maintained closed in each affected air lock.

D.1 and D.2

If the inoperable containment air lock cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS

SR 3.6.2.1

Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and containment OPERABILITY testing. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment leakage rate. The Frequency is required by the Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria which are applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C containment leakage rate.

SR 3.6.2.2

Door seals must be tested every 6 months to verify the integrity of the inflatable door seal. The measured leakage rate must be less than 15 standard cubic centimeters per minute (sccm) per door seal when the seal is inflated to approximately 85 psig. This ensures that the seals will remain inflated for at least 7 days should the instrument air supply to the seals be lost. The Frequency of testing has been demonstrated to be acceptable through operating experience.

SR 3.6.2.3

The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. Due to the diverse permissive logic arrangement of this interlock, and given that the interlock mechanism is not normally challenged when the containment air lock door is used for entry and exit (procedures require strict adherence to single door opening), this test is only required to be performed every 18 months. The 18 month Frequency is based on the need to perform this surveillance under the conditions that apply during a plant outage, and the potential for loss of containment OPERABILITY if the surveillance were performed with the reactor at power. The 18 month Frequency for the interlock is justified based on generic operating experience. The Frequency is based on engineering judgment and is considered adequate given that the interlock is not challenged during the use of the interlock.

REFERENCES

1. 10 CFR 50, Appendix J, Option B.
2. UFSAR, Section 6.2.
3. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).


CRAVS B 3.7.9

B 3.7 PLANT SYSTEMS
B 3.7.9 Control Room Area Ventilation System (CRAVS)

BASES

BACKGROUND

The CRAVS provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke.

The CRAVS consists of two independent, redundant trains that draw in filtered outside air and mix this air with conditioned air recirculating through the Control Room Envelope (CRE). Each outside air pressure filter train consists of a prefilter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a fan. Ductwork, valves or dampers, doors, barriers, and instrumentation also form part of the system, as well as prefilters to remove water droplets from the air stream. A second bank of HEPA filters follows the adsorber section to collect carbon fines and provides backup in case of failure of the main HEPA filter bank.

The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations, and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.

The CRAVS is an emergency system. During normal operation the CRE is provided with 100% recirculated air and the outside air pressure filter train is in the standby mode. Upon receipt of the actuating signal(s), the CRE is provided with fresh air through outside air intakes and is circulated through the system filter trains. The prefilters remove any large particles in the air, and any entrained water droplets present, to prevent excessive loading of the HEPA filters and charcoal adsorbers. Continuous operation of each train for at least 10 hours per month, with the heaters on, reduces moisture buildup on the HEPA filters and adsorbers. The heater is important to the effectiveness of the charcoal adsorbers.

McGuire Units 1 and 2 B 3.7.9-1 Revision No. 97

Actuation of the CRAVS places the system in the emergency mode of operation, depending on the initiation signal. The emergency radiation state initiates pressurization and filtered ventilation of the air supply to the CRE. Pressurization of the CRE minimizes infiltration of unfiltered air from the surrounding areas adjacent to the CRE boundary.

The air entering the outside air intakes is continuously monitored by radiation detectors. The detector output above the setpoint will alarm in the Control Room.

A single CRAVS train can adequately pressurize the CRE relative to atmospheric pressure. The CRAVS operation in maintaining the CRE habitable is discussed in the UFSAR, Section 6.4 (Ref. 1).

Redundant supply and recirculation trains provide the required filtration should an excessive pressure drop develop across the other filter train.

Normally open outside air intake isolation dampers are arranged in series pairs so that the failure of one damper to shut will not result in a breach of isolation. The CRAVS is designed in accordance with Seismic Category I requirements.

The CRAVS is designed to maintain a habitable environment in the CRE for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5 rem whole body dose or its equivalent to any part of the body.

There are components that have nomenclature associated with the CRAVS but do not perform any function that impacts the control room.

These components include the Control Room Area Air Handling units, the Switchgear Air Handling units, the Battery Room Exhaust Fans and the associated ductwork, dampers, and instrumentation. These components share the CRACWS with the CRAVS but are not governed by LCO 3.7.9.

APPLICABLE SAFETY ANALYSES

The CRAVS components are arranged in redundant, safety related ventilation trains. The CRAVS provides airborne radiological protection for the CRE occupants, as demonstrated by the CRE occupant dose analyses for the most limiting design basis accident - fission product release presented in the UFSAR, Chapter 15 (Ref. 2).

The CRAVS provides protection from smoke and hazardous chemicals to the CRE occupants. The analysis of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release (Ref. 1). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the safe shutdown facility (Ref. 3).

The worst case single active failure of a component of the CRAVS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The CRAVS satisfies Criterion 3 of 10 CFR 50.36.

LCO

Two independent and redundant CRAVS trains are required to be OPERABLE to ensure that at least one is available if a single active failure disables the other train. Total system failure, such as from a loss of both ventilation trains or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem whole body or its equivalent to any part of the body to the CRE occupants in the event of a large radioactive release.

Each CRAVS train is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.

A CRAVS train is OPERABLE when the associated:

a. An Outside Air Pressure Filter Train fan and a Control Room Air Handling unit are OPERABLE;
b. HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions; and
c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

In order for the CRAVS trains to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke.

The CRAVS is shared between the two units. The system must be OPERABLE for each unit when that unit is in the MODE of Applicability.

Additionally, both normal and emergency power must also be OPERABLE because the system is shared. If a CRAVS component becomes inoperable, or normal or emergency power to a CRAVS component becomes inoperable, then the Required Actions of this LCO must be entered independently for each unit that is in the MODE of applicability of the LCO.

The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area.

For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

APPLICABILITY

In MODES 1, 2, 3, 4, 5, and 6, and during movement of irradiated fuel assemblies and during CORE ALTERATIONS, the CRAVS must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA.

During movement of irradiated fuel assemblies and CORE ALTERATIONS, the CRAVS must be OPERABLE to cope with the release from a fuel handling accident.

ACTIONS

A.1

When one CRAVS train is inoperable, for reasons other than an inoperable CRE boundary, action must be taken to restore OPERABLE status within 7 days. In this Condition, the remaining OPERABLE CRAVS train is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE CRAVS train could result in loss of CRAVS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and ability of the remaining train to provide the required capability.


B.1, B.2, and B.3

If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposure will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and the CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.

C.1 and C.2

In MODE 1, 2, 3, or 4, if the inoperable CRAVS train or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

McGuire Units 1 and 2 B 3.7.9-5 Revision No. 97

CRAVS B 3.7.9 BASES ACTIONS (Continued)

D.1, D.2.1, and D.2.2 In MODE 5 or 6, or during movement of irradiated fuel assemblies, or during CORE ALTERATIONS, if the inoperable CRAVS train cannot be restored to OPERABLE status within the required Completion Time, action must be taken to immediately place the OPERABLE CRAVS train in the emergency mode. This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure would be readily detected. An alternative to Required Action D.1 is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

E.1 and E.2 In MODE 5 or 6, or during movement of irradiated fuel assemblies, or during CORE ALTERATIONS, with two CRAVS trains inoperable or with one or more CRAVS trains inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that could result in a release of radioactivity that might enter the control room.

This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.

F.1 If both CRAVS trains are inoperable in MODE 1, 2, 3, or 4 for reasons other than an inoperable CRE boundary (i.e., Condition B), the CRAVS may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

G.1 and G.2 Action G.1 allows one or more CRAVS heaters to be inoperable, provided the heater is restored to OPERABLE status within 7 days. Alternatively, if the heater is not returned to OPERABLE status within the 7 days, Action G.2 requires a report to be initiated per Specification 5.6.6, which details the reason for the heater's inoperability and the corrective action required to return the heater to OPERABLE status.

The heaters do not affect OPERABILITY of the CRAVS filter train because charcoal adsorber efficiency testing is performed at 30°C and 90% relative humidity. The accident analysis shows that control room radiation doses are within 10 CFR 100 limits during a DBA LOCA under these conditions.

SURVEILLANCE REQUIREMENTS

SR 3.7.9.1 Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on this system are not too severe, testing each train once every month provides an adequate check of this system. Monthly heater operations dry out any moisture accumulated in the charcoal from humidity in the ambient air. Systems with heaters must be operated from the control room for ≥ 10 continuous hours with the heaters energized and flow through the HEPA filters and charcoal adsorbers. Inoperable heaters are addressed by Required Actions G.1 and G.2. The inoperability of heaters between required performances of this surveillance does not affect OPERABILITY of each CRAVS train. The 31 day Frequency is based on the reliability of the equipment and the two train redundancy.

SR 3.7.9.2 This SR verifies that the required CRAVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The CRAVS filter tests are in accordance with Regulatory Guide 1.52 (Ref. 4).

The VFTP includes testing the performance of the HEPA filter, charcoal adsorber efficiency, minimum flow rate, and the physical properties of the activated charcoal. Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.9.3 This SR verifies that each CRAVS train starts and operates with flow through the HEPA filters and charcoal adsorbers on an actual or simulated actuation signal. The Frequency of 18 months is based on industry operating experience.

SR 3.7.9.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.


The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem whole body or its equivalent to any part of the body and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered.

Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3 (Ref. 5), which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 6). These compensatory measures may also be used as mitigating actions as required by Required Action B.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 7).

Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.


REFERENCES

1. UFSAR, Section 6.4.
2. UFSAR, Chapter 15.
3. UFSAR, Section 9.5.
4. Regulatory Guide 1.52, Rev. 2.
5. Regulatory Guide 1.196, Rev. 1.
6. NEI 99-03, June 2001, "Control Room Habitability Assessment Guidance".
7. Letter from Eric Leeds (NRC) to James Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of GL 91-18 Process and Alternate Source Terms in the Context of Control Room Habitability."
