ML11363A038
ML11363A038 | |
Person / Time | |
---|---|
Site: | McGuire, Mcguire |
Issue date: | 12/12/2011 |
From: | Repko R Duke Energy Carolinas |
To: | Office of Nuclear Reactor Regulation, Document Control Desk |
References | |
DUK113340058 | |
DISPOSITION OF THE ORIGINAL DOCUMENT WILL BE TO Normal THE TRANSMITTAL SIGNATURE UNLESS RECIPIENT IS Date: 12/12/11 PRIORITY OTHERWISE IDENTIFIED BELOW Document Transmittal #: DUK113340058
- 1) 01749 L CGIBBY - MG01VP
- 2) 01820 J R ELKINS- ECO81
- No
- 4) 02532 RESIDENT NRC INSPECTOR MG01VP DOCUMENT TRANSMITTAL FORM OTHER ACKNOWLEDGEMENT REQUIRED E Yes IF QA OR OTHER ACKNOWLEDGEMENT REQUIRED, PLEASE
- 5) 02546 WC LIBRARY - MG01WC ACKNOWLEDGE RECEIPT BY RETURNING THIS FORM TO:
REFERENCE
- 6) 03044 MCG DOC CNTRL MISC MAN MG05DM
- 10) 03759 US NUC REG WASHINGTON, DC 13225 Hagers Ferry Road
- 11) 03796 SCIENTECH CLEARWTR, FL Huntersville, N.C. 28078
- 12) 04698 DE BORTZ EC08G TECHNICAL SPECIFICATIONS (TS)
- 13) 04809 MCG PLANT ENG. LIBR. MG05SE
- 14) 05262 J L FREEZE MG011E
- 15) 05606 J C MORTON MG01EP TECHNICAL SPECIFICATIONS (TSB)
BASES Rec'd By Page 2 of 3 Date
DOCUMENT NO QACOND REV #/DATE DISTR CODE 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 TOTAL
MEMO NA - 11/16/11 MADM-04B V1 V1 Vl V1 V1 x Vl V1 V3 V1 V1 vi Vi vil 33
TSB LIST OF EFFECTIVE SECTIONS NA 110 11/09/11
TSB 3.3.1 ENTIRE DOC NA 119 11/09/11
TBS 3.3.2 UNIT #1 NA 119 11/09/11
TBS 3.3.2 UNIT #2 NA 119 11/09/11
REMARKS: PLEASE UPDATE ACCORDINGLY
R T REPKO VICE PRESIDENT MCGUIRE NUCLEAR STATION BY:
B C BEAVER MGO1RC BCB/TLC
DISPOSITION OF THE ORIGINAL DOCUMENT WILL BE TO Normal THE TRANSMITTAL SIGNATURE UNLESS RECIPIENT IS Date: 12/12/11 PRIORITY OTHERWISE IDENTIFIED BELOW Document Transmittal #: DUK113340058
- 1) 08103 WESTINGHOUSE ELECTRIC CORP NSD
- No DOCUMENT TRANSMITTAL FORM OTHER ACKNOWLEDGEMENT REQUIRED E Yes IF QA OR OTHER ACKNOWLEDGEMENT REQUIRED, PLEASE ACKNOWLEDGE RECEIPT BY RETURNING THIS FORM TO:
REFERENCE MCGUIRE NUCLEAR STATION Duke Energy McGuire RECORD RETENTION #698650 DCRM MGO2DM 13225 Hagers Ferry Road Huntersville, N.C. 28078 TECHNICAL SPECIFICATIONS (TS)
TECHNICAL SPECIFICATIONS (TSB)
BASES Rec'd By Page 3 of 3 Date
DOCUMENT NO QACOND REV #/DATE DISTR CODE 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 TOTAL
MEMO NA - 11/16/11 MADM-04B Vi vi 33
TSB LIST OF EFFECTIVE SECTIONS NA 110 11/09/11
TSB 3.3.1 ENTIRE DOC NA 119 11/09/11
TBS 3.3.2 UNIT #1 NA 119 11/09/11
TBS 3.3.2 UNIT #2 NA 119 11/09/11
REMARKS: PLEASE UPDATE ACCORDINGLY
R T REPKO VICE PRESIDENT MCGUIRE NUCLEAR STATION BY:
BC BEAVER MG01RC BCB/TLC
DISPOSITION OF THE ORIGINAL DOCUMENT WILL BE TO Normal THE TRANSMITTAL SIGNATURE UNLESS RECIPIENT IS Date: 12/12/11 PRIORITY OTHERWISE IDENTIFIED BELOW Document Transmittal #: DUK113340058
- 1) 00003 NRI&IA MGR EC050
- 2) 00070 VICKIE BREWER- MG03OT
- 3) 00200 ME CARROLL EC08H Duke Energy QACONDITION D Yes
- No DOCUMENT TRANSMITTAL FORM OTHER ACKNOWLEDGEMENT REQUIRED E Yes
- 5) 00422 MCG BONNIE C BEAVER- MG01RC ACKNOWLEDGE RECEIPT BY RETURNING THIS FORM TO:
- 6) 00485 OPS TEST GROUP- MG01OP REFERENCE
- 7) 00568 MCG RAD PROT MG01RP MCGUIRE NUCLEAR STATION Duke Energy
- 8) 00692 MCG OPS STAFF MGR MG01OP McGuire
- 9) 00707 SERV BLDG FILE ROOM - MG01S1 DCRM MGO2DM RECORD RETENTION #698650
- 10) 00841 OPS HUMAN PERFORMANCE - MG01OP 13225 Hagers Ferry Road
- 11) 01202 KLCRANE - MG01RC Huntersville, N.C. 28078
- 12) 01492 BLUE DOT LIBRARY MG02MO TECHNICAL SPECIFICATIONS (TS)
- 13) 01503 VICKIE LMC GINNIS - MG03OT
- 14) 01545 TERESA B PUTNAM MG01OP
- 15) 01623 G LMONTGOMERY MG01WC TECHNICAL SPECIFICATIONS (TSB)
BASES Rec'd By Page 1 of 3 Date
DOCUMENT NO QACOND REV #/DATE DISTR CODE 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 TOTAL
MEMO NA - 11/16/11 MADM-04B V1 V1 V1 V1 T1 V1 Vl V2 V1 V1 V1 V1 V1 V1 V1 33
TSB LIST OF EFFECTIVE SECTIONS NA 110 11/09/11
TSB 3.3.1 ENTIRE DOC NA 119 11/09/11
TBS 3.3.2 UNIT #1 NA 119 11/09/11
TBS 3.3.2 UNIT #2 NA 119 11/09/11
REMARKS: PLEASE UPDATE ACCORDINGLY
R T REPKO VICE PRESIDENT MCGUIRE NUCLEAR STATION BY:
B C BEAVER MG01RC BCB/TLC
November 16, 2011
MEMORANDUM
To: All McGuire Nuclear Station Technical Specification (TS) and Tech Spec Bases (TSB) Manual Holders
Subject: McGuire TS and TSB Updates
Attention: Facility Operating License (FOL) Included
TS Bases Manual
REMOVE | INSERT |
---|---|
TSB LOES (Revision 109) | TSB LOES (Revision 110) |
TSB 3.3.1 (Entire Section) | TSB 3.3.1 (Entire Section) Rev 119 |
TSB 3.3.2 (Unit 1) (Entire Section) | *TSB 3.3.2 (Unit 1) Rev 119 |
TSB 3.3.2 (Unit 2) (Entire Section) | *TSB 3.3.2 (Unit 2) Rev 119 |
* Note: Please keep the cover sheets for TSB 3.3.2 Unit 1 and Unit 2 documents. You should already have these in your book.
Revision numbers may skip numbers due to Regulatory Compliance Filing System.
Please call me if you have questions.
Bonnie Beaver Regulatory Compliance 875-4180
McGuire Nuclear Station Technical Specification Bases LOES
TS Bases are revised by section
BASES (Revised per section)
Page Number | Revision | Revision Date |
---|---|---|
ii | Revision 87 | 8/15/07 |
iii | Revision 87 | 8/15/07 |
 | Revision 87 | 8/15/07 |
B 2.1.1 | Revision 51 | 01/14/04 |
B 2.1.2 | Revision 109 | 9/20/10 |
B 3.0 | Revision 81 | 3/29/07 |
B 3.1.1 | Revision 115 | 3/29/11 |
B 3.1.2 | Revision 115 | 3/29/11 |
B 3.1.3 | Revision 10 | 9/22/00 |
B 3.1.4 | Revision 115 | 3/29/11 |
B 3.1.5 | Revision 115 | 3/29/11 |
B 3.1.6 | Revision 115 | 3/29/11 |
B 3.1.7 | Revision 58 | 06/23/04 |
B 3.1.8 | Revision 115 | 3/29/11 |
B 3.2.1 | Revision 115 | 3/29/11 |
B 3.2.2 | Revision 115 | 3/29/11 |
B 3.2.3 | Revision 115 | 3/29/11 |
B 3.2.4 | Revision 115 | 3/29/11 |
B 3.3.1 | Revision 119 | 11/9/11 |
B 3.3.2 (Unit 1) | Revision 119 | 11/9/11 |
B 3.3.2 (Unit 2) | Revision 119 | 11/9/11 |
B 3.3.3 (Unit 1) | Revision 115 | 3/29/11 |
B 3.3.3 (Unit 2) | Revision 117 | 9/12/11 |
B 3.3.4 | Revision 115 | 3/29/11 |
B 3.3.5 | Revision 115 | 3/29/11 |
B 3.3.6 | Not Used - Revision 87 | 6/29/06 |
B 3.4.1 | Revision 115 | 3/29/11 |
B 3.4.2 | Revision 0 | 9/30/98 |
B 3.4.3 | Revision 115 | 3/29/11 |
B 3.4.4 | Revision 115 | 3/29/11 |
B 3.4.5 | Revision 115 | 3/29/11 |
B 3.4.6 | Revision 115 | 3/29/11 |
B 3.4.7 | Revision 115 | 3/29/11 |
B 3.4.8 | Revision 115 | 3/29/11 |
B 3.4.9 | Revision 115 | 3/29/11 |
B 3.4.10 | Revision 102 | 8/17/09 |
B 3.4.11 | Revision 115 | 3/29/11 |
B 3.4.12 | Revision 115 | 3/29/11 |
B 3.4.13 | Revision 115 | 3/29/11 |
B 3.4.14 | Revision 115 | 3/29/11 |
B 3.4.15 | Revision 115 | 3/29/11 |
B 3.4.16 | Revision 115 | 3/29/11 |
B 3.4.17 | Revision 115 | 3/29/11 |
B 3.4.18 | Revision 86 | 6/25/07 |
B 3.5.1 | Revision 115 | 3/29/11 |
B 3.5.2 | Revision 116 | 8/18/11 |
B 3.5.3 | Revision 57 | 4/29/04 |
B 3.5.4 (Unit 1) | Revision 115 | 3/29/11 |
B 3.5.4 (Unit 2) | Revision 117 | 9/12/11 |
B 3.5.5 | Revision 115 | 3/29/11 |
B 3.6.1 | Revision 53 | 2/17/04 |
B 3.6.2 | Revision 115 | 3/29/11 |
B 3.6.3 | Revision 115 | 3/29/11 |
B 3.6.4 | Revision 115 | 3/29/11 |
B 3.6.5 | Revision 115 | 3/29/11 |
B 3.6.6 (Unit 1) | Revision 115 | 3/29/11 |
B 3.6.6 (Unit 2) | Revision 117 | 9/12/11 |
B 3.6.7 | Not Used - Revision 63 | 4/4/05 |
B 3.6.8 | Revision 115 | 3/29/11 |
B 3.6.9 | Revision 115 | 3/29/11 |
B 3.6.10 | Revision 115 | 3/29/11 |
B 3.6.11 (Unit 1) | Revision 115 | 3/29/11 |
B 3.6.11 (Unit 2) | Revision 117 | 9/12/11 |
B 3.6.12 | Revision 115 | 3/29/11 |
B 3.6.13 | Revision 115 | 3/29/11 |
B 3.6.14 | Revision 115 | 3/29/11 |
B 3.6.15 | Revision 115 | 3/29/11 |
B 3.6.16 | Revision 115 | 3/29/11 |
B 3.7.1 | Revision 102 | 8/17/09 |
B 3.7.2 | Revision 105 | 2/22/10 |
B 3.7.3 | Revision 102 | 8/17/09 |
B 3.7.4 | Revision 115 | 3/29/11 |
B 3.7.5 | Revision 115 | 3/29/11 |
B 3.7.6 | Revision 115 | 3/29/11 |
B 3.7.7 | Revision 115 | 3/29/11 |
B 3.7.8 | Revision 115 | 3/29/11 |
B 3.7.9 | Revision 115 | 3/29/11 |
B 3.7.10 | Revision 115 | 3/29/11 |
B 3.7.11 | Revision 115 | 3/29/11 |
B 3.7.12 | Revision 115 | 3/29/11 |
B 3.7.13 | Revision 115 | 3/29/11 |
B 3.7.14 | Revision 115 | 3/29/11 |
B 3.7.15 | Revision 66 | 6/30/05 |
B 3.7.16 | Revision 115 | 3/29/11 |
B 3.8.1 | Revision 115 | 3/29/11 |
B 3.8.2 | Revision 92 | 1/28/08 |
B 3.8.3 | Revision 115 | 3/29/11 |
B 3.8.4 | Revision 115 | 3/29/11 |
B 3.8.5 | Revision 41 | 7/29/03 |
B 3.8.6 | Revision 115 | 3/29/11 |
B 3.8.7 | Revision 115 | 3/29/11 |
B 3.8.8 | Revision 115 | 3/29/11 |
B 3.8.9 | Revision 115 | 3/29/11 |
B 3.8.10 | Revision 115 | 3/29/11 |
B 3.9.1 | Revision 115 | 3/29/11 |
B 3.9.2 | Revision 115 | 3/29/11 |
B 3.9.3 | Revision 115 | 3/29/11 |
B 3.9.4 | Revision 115 | 3/29/11 |
B 3.9.5 | Revision 115 | 3/29/11 |
B 3.9.6 | Revision 115 | 3/29/11 |
B 3.9.7 | Revision 115 | 3/29/11 |
McGuire Units 1 and 2 Revision 110
RTS Instrumentation B 3.3.1
B 3.3 INSTRUMENTATION
B 3.3.1 Reactor Trip System (RTS) Instrumentation
BASES
BACKGROUND
The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.
The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.
The LSSS, defined in this specification as the Allowable Values, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).
During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:
- 1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
- 2. Fuel centerline melt shall not occur; and
Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during AOOs.
Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence.
Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.
McGuire Units 1 and 2 B 3.3. 1-1 Revision No. 119
The RTS instrumentation is segmented into four distinct but interconnected categories as illustrated in UFSAR, Chapter 7 (Ref. 1), and as identified below:
- 1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured;
- 2. Process monitoring systems, including the Process Control System, the Nuclear Instrumentation System (NIS), and various field contacts and sensors: monitors various plant parameters, provides any required signal processing, and provides digital outputs when parameters exceed predetermined limits. They may also provide outputs for control, indication, alarm, computer input, and recording;
- 3. Solid State Protection System (SSPS), including input, logic, and output bays: combines the input signals from the process monitoring systems per predetermined logic and initiates a reactor trip and ESF actuation when warranted by the process monitoring systems inputs; and
- 4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.
Field Transmitters or Sensors
To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the NOMINAL TRIP SETPOINT Values.
The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.
Process Monitoring Systems
Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, compatible output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 7 (Ref. 1), Chapter 6 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision logic processing. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.
Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.
These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 1.
Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing a trip. Provisions to allow removing logic channels from service during maintenance are unnecessary because of the logic system's designed reliability.
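The channel-count reasoning above can be checked with a small model. The following Python sketch is an added illustration, not part of the McGuire Bases or any plant logic; the channel states, function names, and the assumption that the shared control channel fails in the non-trip direction are simplifications introduced here.

```python
from enum import Enum


class Channel(Enum):
    NORMAL = "normal"                      # healthy, parameter within setpoint
    DEMAND = "demand"                      # healthy, parameter beyond setpoint
    FAILED_TRIPPED = "failed_tripped"      # failure that produces a partial trip
    FAILED_UNTRIPPED = "failed_untripped"  # failure that can never trip


def coincidence_trip(channels, required):
    """True when at least `required` bistable outputs are in the tripped state."""
    tripped = sum(c in (Channel.DEMAND, Channel.FAILED_TRIPPED) for c in channels)
    return tripped >= required


def effective_logic(total, required, failed_tripped=0, failed_untripped=0):
    """Return (needed, healthy): votes still needed out of the healthy channels.

    A failed-tripped channel already contributes one vote; a failed-untripped
    channel removes one voter without contributing a vote.
    """
    healthy = total - failed_tripped - failed_untripped
    needed = max(required - failed_tripped, 0)
    return needed, healthy


def single_failure_tolerant(total, required):
    """A single failure must neither cause nor prevent the protective action."""
    for failure in (Channel.FAILED_TRIPPED, Channel.FAILED_UNTRIPPED):
        rest = total - 1
        quiet = [failure] + [Channel.NORMAL] * rest    # no real demand
        demand = [failure] + [Channel.DEMAND] * rest   # real demand
        if coincidence_trip(quiet, required):          # spurious trip
            return False
        if not coincidence_trip(demand, required):     # trip prevented
            return False
    return True


def survives_control_interaction(total, required):
    """Shared channel fails untripped and starts a transient through the
    control system (assumed worst case); one more protection channel then
    suffers a random failure in the untripped direction."""
    channels = [Channel.FAILED_UNTRIPPED] * 2 + [Channel.DEMAND] * (total - 2)
    return coincidence_trip(channels, required)


if __name__ == "__main__":
    # Two-out-of-three with one failed channel, as described in the text.
    print("2oo3, one failed untripped ->", effective_logic(3, 2, failed_untripped=1))
    print("2oo3, one failed tripped   ->", effective_logic(3, 2, failed_tripped=1))
    for total, required in ((2, 1), (2, 2), (3, 2), (4, 2)):
        print(f"{required}oo{total}: single-failure tolerant =",
              single_failure_tolerant(total, required),
              "| survives control interaction =",
              survives_control_interaction(total, required))
```
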
Trip Setpoints and Allowable Values
The NOMINAL TRIP SETPOINTS are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION tolerance.
The NOMINAL TRIP SETPOINTS used in the bistables are based on the analytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIP SETPOINTS is such that adequate protection is provided when all sensor and processing time delays, calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left Setpoint of the bistable assures that the actual trip occurs in time to prevent an analytical limit from being exceeded.
The Allowable Value accounts for changes in random measurement errors between COTs. One example of such a change in measurement error is drift during the surveillance interval. If the COT demonstrates that the loop trips within the Allowable Value, the loop is OPERABLE. A trip within the Allowable Value ensures that the predictions of equipment performance used to develop the NOMINAL TRIP SETPOINT are still valid, and that the equipment will initiate a trip in response to an AOO in time to prevent an analytical limit from being exceeded (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed). Note that in the accompanying LCO 3.3.1, the Allowable Values of Table 3.3.1-1 are the LSSS.
Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.
Determination of the NOMINAL TRIP SETPOINTS and Allowable Values listed in Table 3.3.1-1 incorporate all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NOMINAL TRIP SETPOINT. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.
Solid State Protection System
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip the reactor in the event of a loss of power, directing the unit to a safe shutdown condition.
The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The outputs from the process monitoring systems are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a stable condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.
Reactor Trip Switchgear
The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.
During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by a compressed spring that is released by de-energizing the undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.
The decision logic matrix Functions are described in the functional diagrams included in Reference 1. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can test the decision logic matrix Functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
The RTS functions to maintain the SLs during all AOOs and mitigates the consequences of DBAs in all MODES in which the RTBs are closed.
Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 3 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.
The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.
The LCO generally requires OPERABILITY of three or four channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function.
Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels.
Three operable instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. Specific exceptions to the above general philosophy exist and are discussed below.
Reactor Trip System Functions
The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:
- 1. Manual Reactor Trip
The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It may be used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.
The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel actuates one or more reactor trip breakers in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.
In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if the shutdown rods or control rods are withdrawn or the Control Rod Drive (CRD) System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the CRD System is not capable of withdrawing the shutdown rods or control rods. If the rods cannot be withdrawn from the core, there is no need to be able to trip the reactor because all of the rods are inserted. In MODE 6, the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.
- 2. Power Range Neutron Flux
The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System and the Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.
- a. Power Range Neutron Flux-High
The Power Range Neutron Flux-High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature.
The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.
In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux-High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.
- b. Power Range Neutron Flux-Low
The LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.
The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.
In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux-Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux-High trip Function.
In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4, 5, or 6.
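The manual block and automatic unblock behavior described for the Power Range Neutron Flux-Low trip can be modeled as a small state machine. This Python sketch is an added illustration, not plant logic or part of the original Bases; the class name, the exact 10.0 setpoint value (the text says "approximately 10% RTP"), and the sample power readings are constructed for the example.

```python
P10_SETPOINT = 10.0  # % RTP; assumed exact value for "approximately 10% RTP"


class FluxLowTripBlock:
    """Tracks whether the Power Range Neutron Flux-Low trip is blocked."""

    def __init__(self):
        self.blocked = False

    def update(self, power, block_request=False):
        """Apply one scan of four power range channel readings (% RTP)."""
        if len(power) != 4:
            raise ValueError("expected four power range channels")
        above = sum(p > P10_SETPOINT for p in power)
        below = sum(p < P10_SETPOINT for p in power)
        if below >= 3:
            # Three out of four below P-10: trip is automatically unblocked.
            self.blocked = False
        elif block_request and above >= 2:
            # Two out of four above P-10: the operator may block the trip.
            self.blocked = True
        return self.blocked


def run_sequence(steps):
    """Run (readings, block_request) steps and return the blocked state per step."""
    logic = FluxLowTripBlock()
    return [logic.update(power, request) for power, request in steps]


# Constructed readings: power ascension, then a power reduction.
STARTUP_AND_REDUCTION = [
    ([8, 8, 8, 8], True),       # request refused, all channels below P-10
    ([11, 9, 9, 9], True),      # request refused, only one channel above
    ([11, 12, 9, 9], True),     # request accepted, two channels above
    ([30, 30, 30, 30], False),  # block persists at power
    ([11, 12, 9, 9], False),    # two below is not enough to unblock
    ([11, 9, 9, 9], False),     # three below: automatic unblock
]

# Constructed single-failure cases.
ONE_CHANNEL_FAILED_HIGH = [([120, 5, 5, 5], True)]
ONE_CHANNEL_FAILED_LOW = [([50, 50, 50, 50], True), ([0, 50, 50, 50], False)]


if __name__ == "__main__":
    print(run_sequence(STARTUP_AND_REDUCTION))
    print(run_sequence(ONE_CHANNEL_FAILED_HIGH))
    print(run_sequence(ONE_CHANNEL_FAILED_LOW))
```

In this model a single channel failed high cannot give the operator permission to block the trip at low power, and a single channel failed low cannot remove the block at power.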
- 3. Power Range Neutron Flux-High Positive Rate
The Power Range Neutron Flux-High Positive Rate trip uses the same channels as discussed for Function 2 above.
The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. This Function complements the Power Range Neutron Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range.
The LCO requires all four of the Power Range Neutron Flux-High Positive Rate channels to be OPERABLE.
In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux-High Positive Rate trip must be OPERABLE.
In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.
4A. Intermediate Range Neutron Flux (Westinghouse-supplied Instrumentation)
The Westinghouse-supplied Intermediate Range excore detector systems (utilizing compensated ion chamber detectors) are being replaced with Thermo Scientific-supplied 300i neutron flux monitoring systems (utilizing fission chamber detectors). This section of the Bases applies to the Westinghouse-supplied instrumentation. The next section of the Bases applies to the Thermo Scientific-supplied instrumentation.
The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.
The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.
Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.
In MODE 1 below the P-10 setpoint, and in MODE 2, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux-High Setpoint trip and the Power Range Neutron Flux-High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because other RTS trip functions provide protection against positive reactivity additions. The reactor cannot be started up in this condition. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present in this MODE.
4B. Intermediate Range Neutron Flux (Thermo Scientific-supplied Instrumentation)
The Westinghouse-supplied Intermediate Range excore detector systems (utilizing compensated ion chamber detectors) are being replaced with Thermo Scientific-supplied 300i neutron flux monitoring systems (utilizing fission chamber detectors). This section of the Bases applies to the Thermo Scientific-supplied instrumentation. The previous section of the Bases applies to the Westinghouse-supplied instrumentation.
The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.
The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.
Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.
In MODE 1 below the P-10 setpoint, and in MODE 2, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE. Above the P-10 setpoint, the Power Range Neutron Flux-High Setpoint trip and the Power Range Neutron Flux-High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because other RTS trip functions provide protection against positive reactivity additions. The reactor cannot be started up in this condition. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM.
5A. Source Range Neutron Flux (Westinghouse-supplied Instrumentation)
The Westinghouse-supplied Source Range excore detector systems (utilizing boron trifluoride detectors) are being replaced with Thermo Scientific-supplied 300i neutron flux monitoring systems (utilizing fission chamber detectors). This section of the Bases applies to the Westinghouse-supplied instrumentation. The next section of the Bases applies to the Thermo Scientific-supplied instrumentation.
The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint and Intermediate Range Neutron Flux trip Functions. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5 with the CRD System capable of rod withdrawal. Therefore, the functional capability at the specified Trip Setpoint is assumed to be available.
The LCO requires two channels of Source Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The LCO also requires one channel of the Source Range Neutron Flux to be OPERABLE in MODE 3, 4, or 5 with RTBs open. In this case, the source range Function is to provide control room indication. The outputs of the Function to RTS logic are not required OPERABLE when the RTBs are open.
The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical, boron dilution, and control rod ejection events. The Function also provides visual neutron flux indication in the control room.
In MODE 2 when below the P-6 setpoint during a reactor startup, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux-Low Setpoint trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors are de-energized and inoperable.
In MODE 3, 4, or 5 with the reactor shut down, the Source Range Neutron Flux trip Function must also be OPERABLE. If the CRD System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours, the Surveillance requirement SR 3.3.1.7 must be completed within 4 hours after entry into MODE 3. The surveillance shall include verification of the high flux at shutdown alarm setpoint of less than or equal to five times background of the average CPS Neutron Level Reading (the average CPS Reading is the most consistent value between highest and lowest CPS Neutron Level Reading).
If the CRD System is not capable of rod withdrawal, the source range detectors are not required to trip the reactor. However, their monitoring Function must be OPERABLE to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilution.
The neutron detector's high flux at shutdown alarm setpoint of less than or equal to five times background, in Mode 3, 4, or 5, shall be verified. Once the High Flux at Shutdown Alarm setpoints are set at five times background above steady state neutron count rate the re-verification/re-adjustment of the high flux at shutdown is not required. The neutron count rate will decrease as Mode changes are made from 3 to 4 to 5 as the system temperature decreases.
Any subsequent changes in the count rate are an indication of gamma flux (due to movement of irradiated particles in the system) which may cause the source range response to vary. Upon increase in the neutron count rate due to activities that add positive reactivity to the core, the presence of gamma flux will cease to be a factor in detector count rate.
A CHANNEL CHECK provides a comparison of the parameter indicated on one channel to a similar parameter on other channels.
This is based on the assumption that the two indicating channels should be consistent. Significant differences between the indicating source range channels can occur due to core geometry, decreasing neutron count rate as temperature is decreasing in the system, the location of the Source Assemblies (distance from the Source Detectors), and large amounts of gamma. Each channel should be consistent with its local condition.
The requirements for the NIS source range detectors in MODE 6 are addressed in LCO 3.9.3, "Nuclear Instrumentation."
5B. Source Range Neutron Flux (Thermo Scientific-supplied Instrumentation)
The Westinghouse-supplied Source Range excore detector systems (utilizing boron trifluoride detectors) are being replaced with Thermo Scientific-supplied 300i neutron flux monitoring systems (utilizing fission chamber detectors). This section of the Bases applies to the Thermo Scientific-supplied instrumentation.
The previous section of the Bases applies to the Westinghouse-supplied instrumentation.
The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint and Intermediate Range Neutron Flux trip Functions. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5 with the CRD System capable of rod withdrawal. Therefore, the functional capability at the specified Trip Setpoint is assumed to be available.
The LCO requires two channels of Source Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The LCO also requires one channel of the Source Range Neutron Flux to be OPERABLE in MODE 3, 4, or 5 with RTBs open. In this case, the source range Function is to provide control room indication. The outputs of the Function to RTS logic are not required OPERABLE when the RTBs are open.
The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical, boron dilution, and control rod ejection events. The Function also provides visual neutron flux indication in the control room.
In MODE 2 when below the P-6 setpoint during a reactor startup, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux-Low Setpoint trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the Source Range Neutron Flux trip is blocked.
In MODE 3, 4, or 5 with the reactor shut down, the Source Range Neutron Flux trip Function must also be OPERABLE. If the CRD System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours, the Surveillance requirement SR 3.3.1.7 must be completed within 4 hours after entry into MODE 3.
If the CRD System is not capable of rod withdrawal, the source range detectors are not required to trip the reactor. However, their monitoring Function must be OPERABLE to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilution.
A CHANNEL CHECK provides a comparison of the parameter indicated on one channel to a similar parameter on other channels.
This is based on the assumption that the two indicating channels should be consistent. Significant differences between the indicating source range channels can occur due to core geometry, decreasing neutron count rate as temperature is decreasing in the system, the location of the Source Assemblies (distance from the Source Detectors), and large amounts of gamma. Each channel should be consistent with its local condition.
The requirements for the NIS source range detectors in MODE 6 are addressed in LCO 3.9.3, "Nuclear Instrumentation."
- 6. Overtemperature ΔT
The Overtemperature ΔT trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower ΔT trip Function must provide protection. The inputs to the Overtemperature ΔT trip include pressurizer pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop ΔT assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on ΔT as a power increase. The Overtemperature ΔT trip Function uses each loop's ΔT as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:
- reactor coolant average temperature-the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;
- pressurizer pressure-the Trip Setpoint is varied to correct for changes in system pressure; and
- axial power distribution-f(ΔI), the Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors.
If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.
Dynamic compensation is included for system piping delays from the core to the temperature measurement system.
The Overtemperature ΔT trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. Trip occurs if Overtemperature ΔT is indicated in two loops. The pressure and temperature signals are used for other control functions, therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature ΔT condition and may prevent a reactor trip.
The LCO requires all four channels of the Overtemperature ΔT trip Function to be OPERABLE. Note that the Overtemperature ΔT Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.
In MODE 1 or 2, the Overtemperature ΔT trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.
- 7. Overpower ΔT
The Overpower ΔT trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions.
This trip Function also limits the required range of the Overtemperature ΔT trip Function and provides a backup to the Power Range Neutron Flux-High Setpoint trip. The Overpower ΔT trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded. It uses the ΔT of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:
- reactor coolant average temperature-the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and
- rate of change of reactor coolant average temperature-including dynamic compensation for the delays between the core and the temperature measurement system.
The Overpower ΔT trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if Overpower ΔT is indicated in two loops. The temperature signals are used for other control functions, therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the remaining channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower ΔT condition and may prevent a reactor trip.
The LCO requires four channels of the Overpower ΔT trip Function to be OPERABLE. Note that the Overpower ΔT trip Function receives input from channels shared with other RTS Functions.
Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.
In MODE 1 or 2, the Overpower ΔT trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.
- 8. Pressurizer Pressure
The same sensors provide input to the Pressurizer Pressure-High and -Low trips and the Overtemperature ΔT trip. The Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System, therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.
- a. Pressurizer Pressure-Low
The Pressurizer Pressure-Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.
The LCO requires four channels of Pressurizer Pressure-Low to be OPERABLE.
In MODE 1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power, by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, power distributions that would cause DNB concerns are unlikely.
- b. Pressurizer Pressure-High
The Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing the RCS.
This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.
The LCO requires four channels of the Pressurizer Pressure-High to be OPERABLE.
The Pressurizer Pressure-High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trips for those pressure increases that can be controlled by the PORVs.
In MODE 1 or 2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure-High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions. Additionally, low temperature overpressure protection systems provide overpressure protection when below MODE 4.
- 9. Pressurizer Water Level-High
The Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides protection against water relief through the pressurizer safety valves.
These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The setpoints are based on percent of instrument span. The LCO requires three channels of Pressurizer Water Level-High to be OPERABLE. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is set below the safety valve setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.
In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.
- 10. Reactor Coolant Flow-Low
- a. Reactor Coolant Flow-Low (Single Loop)
The Reactor Coolant Flow-Low (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.
Above the P-8 setpoint, which is approximately 48% RTP, a loss of flow in any RCS loop will actuate a reactor trip. The setpoints are based on the minimum flow specified in the COLR. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.
The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE 1 above P-8.
In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core. In MODE 1 below the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip (Function 10.b) because of the lower power level and the greater margin to the design limit DNBR.
- b. Reactor Coolant Flow-Low (Two Loops)
The Reactor Coolant Flow-Low (Two Loops) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in two or more RCS loops while avoiding reactor trips due to normal variations in loop flow.
Above the P-7 setpoint and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor trip. The setpoints are based on the minimum flow specified in the COLR. Each loop has three flow detectors to monitor flow.
The flow signals are not used for any control system input.
The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE.
In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the Reactor Coolant Flow-Low (Two Loops) trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since power distributions that would cause a DNB concern at this low power level are unlikely. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.
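The permissive gating described for Functions 10.a and 10.b can be modelled and checked for single-failure behaviour. The following is an added illustration, not part of the original Bases or any plant software; the four-loop count, the two-out-of-three vote within a loop, and all function names are assumptions made for the example.

```python
# Added illustration (not from the Bases): Reactor Coolant Flow-Low trip
# logic gated by the P-7 and P-8 permissives described in Function 10.
from itertools import product

LOOPS = 4               # assumption: four RCS loops
CHANNELS_PER_LOOP = 3   # from the Bases: three flow detectors per loop
LOOP_VOTE = 2           # assumption: 2-out-of-3 channels mark a loop as low


def loop_is_low(channels):
    """Return True when enough channels in one loop are tripped."""
    if len(channels) != CHANNELS_PER_LOOP:
        raise ValueError("each loop needs exactly three channel states")
    return sum(1 for c in channels if c) >= LOOP_VOTE


def flow_low_trip(loops, p7, p8):
    """Return '10.a', '10.b' or None for the given channel states.

    loops: list of per-loop tuples of booleans (True = channel tripped).
    p7, p8: True when power is above that permissive setpoint. P-8 is the
    higher setpoint, so p8=True is treated as also being above P-7.
    """
    if len(loops) != LOOPS:
        raise ValueError("expected one channel tuple per loop")
    low_loops = sum(1 for channels in loops if loop_is_low(channels))
    if p8:      # above P-8: loss of flow in any one loop trips (10.a)
        return "10.a" if low_loops >= 1 else None
    if p7:      # between P-7 and P-8: two or more loops required (10.b)
        return "10.b" if low_loops >= 2 else None
    return None  # below P-7: all low-flow trips are blocked


def healthy():
    """All channels in all loops untripped (constructed sample state)."""
    return [(False,) * CHANNELS_PER_LOOP for _ in range(LOOPS)]


def with_channel(loops, loop, channel, state):
    """Copy of loops with one channel forced to the given state."""
    changed = [list(channels) for channels in loops]
    changed[loop][channel] = state
    return [tuple(channels) for channels in changed]


def spurious_single_channel_trips():
    """Count cases where one spuriously tripped channel trips the reactor."""
    bands = [(False, False), (True, False), (True, True)]
    count = 0
    for loop, channel, (p7, p8) in product(
            range(LOOPS), range(CHANNELS_PER_LOOP), bands):
        state = with_channel(healthy(), loop, channel, True)
        if flow_low_trip(state, p7, p8) is not None:
            count += 1
    return count


def missed_trips_with_one_stuck_channel():
    """Count real single-loop flow losses above P-8 that one stuck
    (never-tripping) channel in that loop would mask."""
    missed = 0
    for loop, stuck in product(range(LOOPS), range(CHANNELS_PER_LOOP)):
        state = healthy()
        state[loop] = (True,) * CHANNELS_PER_LOOP   # real loss of flow
        state = with_channel(state, loop, stuck, False)
        if flow_low_trip(state, True, True) != "10.a":
            missed += 1
    return missed


if __name__ == "__main__":
    print("spurious trips from one channel:", spurious_single_channel_trips())
    print("missed trips with one stuck channel:",
          missed_trips_with_one_stuck_channel())
```

Under the assumed two-out-of-three vote, both counts are zero: a single channel failure in either direction neither causes nor prevents the trip.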
- 11. Undervoltage Reactor Coolant Pumps
The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored. Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.
The LCO requires a total of four Undervoltage RCPs channels (one per bus) to be OPERABLE.
In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since power distributions that would cause a DNB concern at this low power level are unlikely. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.
- 12. Underfrequency Reactor Coolant Pumps
The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) Trip Setpoint is reached.
Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.
The LCO requires a total of four Underfrequency RCPs channels (one per bus) to be OPERABLE.
In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since power distributions that would cause a DNB concern at this low power level are unlikely.
Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.
- 13. Steam Generator Water Level-Low Low
The SG Water Level-Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the SG Level Control System.
Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.
The LCO requires four channels of SG Water Level-Low Low per SG to be OPERABLE since these channels are shared between protection and control.
In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW) System (not safety related). The MFW System is normally in operation in MODES 1, 2, 3, or 4. The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE 3, 4, 5, or 6, the SG Water Level-Low Low Function does not have to be OPERABLE because the reactor is not operating or even critical. Decay heat removal is accomplished by the steam generators in MODE 3 and 4 and by the Residual Heat Removal (RHR) System in MODE 4, 5, or 6.
- 14. Turbine Trip
- a. Turbine Trip-Low Fluid Oil Pressure
The Turbine Trip-Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-8 setpoint, approximately 48% power, will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety valves. Turbine Trip-Low fluid oil pressure is diverse to the Turbine Trip-Turbine Stop Valve Closure Function.
The LCO requires three channels of Turbine Trip-Low Fluid Oil Pressure to be OPERABLE in MODE 1 above P-8.
Below the P-8 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip-Low Fluid Oil Pressure trip Function does not need to be OPERABLE.
- b. Turbine Trip-Turbine Stop Valve Closure
The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip from a power level above the P-8 setpoint, approximately 48% power. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Fluid Oil Pressure trip Function.
Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are closed, a reactor trip is initiated.
The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.
The LCO requires four Turbine Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-8. All four channels must trip to cause reactor trip.
Below the P-8 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip-Stop Valve Closure trip Function does not need to be OPERABLE.
- 15. Safety Injection Input from Engineered Safety Feature Actuation System
The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. This is a condition of acceptability for the LOCA.
However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal is present.
Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by a manual switch or by the automatic actuation logic. Therefore, there is no measurement signal with which to associate an LSSS.
The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.
A reactor trip is initiated every time an SI signal is present.
Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.
- 16. Reactor Trip System Interlocks
Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:
a1. Intermediate Range Neutron Flux, P-6 (Westinghouse-supplied Instrumentation)
The Westinghouse-supplied Intermediate Range excore detector systems (utilizing compensated ion chamber detectors) are being replaced with Thermo Scientific-supplied 300i neutron flux monitoring systems (utilizing fission chamber detectors). This section of the Bases applies to the Westinghouse-supplied instrumentation. The next section of the Bases applies to the Thermo Scientific-supplied instrumentation.
The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:
- on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also removed; and
- on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip.
The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.
Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary.
In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.
a2. Intermediate Range Neutron Flux, P-6 (Thermo Scientific-supplied Instrumentation)
The Westinghouse-supplied Intermediate Range excore detector systems (utilizing compensated ion chamber detectors) are being replaced with Thermo Scientific-supplied 300i neutron flux monitoring systems (utilizing fission chamber detectors). This section of the Bases applies to the Thermo Scientific-supplied instrumentation. The previous section of the Bases applies to the Westinghouse-supplied instrumentation.
The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately three decades above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:
- on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range; and
- on decreasing power, the P-6 interlock automatically enables the NIS Source Range Neutron Flux reactor trip.
The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.
Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary.
In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.
- b. Low Power Reactor Trips Block, P-7
The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:
(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:
- Pressurizer Pressure-Low;
- Pressurizer Water Level-High;
- Reactor Coolant Flow-Low (Two Loops);
- Undervoltage RCPs; and
- Underfrequency RCPs.
These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power).
The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.
(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:
- Pressurizer Pressure-Low;
- Pressurizer Water Level-High;
- Reactor Coolant Flow-Low (Two Loops);
Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.
The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.
The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.
- c. Power Range Neutron Flux, P-8
The Power Range Neutron Flux, P-8 interlock is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low (Single Loop) reactor trip on low flow in one or more RCS loops, and the Turbine Trip-Low Fluid Oil Pressure and Turbine Trip-Turbine Stop Valve Closure reactor trips on increasing power. The LCO requirement for the Reactor Coolant Flow-Low Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than approximately 48% power.
Above the P-8 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-8 setpoint, to minimize the transient on the reactor. On decreasing power below the P-8 setpoint, the reactor trip on low flow in any loop is automatically blocked.
The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.
In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, and a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions and the reactor is not at a power level sufficient to have a load rejection beyond the capacity of the Steam Dump System.
- d. Power Range Neutron Flux, P-10
The Power Range Neutron Flux, P-10 interlock is actuated at approximately 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:
- on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal;
- on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux-Low reactor trip;
- on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de-energize the NIS Westinghouse-supplied source range detectors (the Westinghouse-supplied source range detectors are being replaced with Thermo Scientific-supplied detectors that remain energized);
- the P-10 interlock provides one of the two inputs to the P-7 interlock; and
- on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux-Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).
The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.
OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.
- e. Turbine Impulse Pressure, P-13
The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the rated full power pressure. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.
The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.
The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the turbine generator is not operating.
- 17. Reactor Trip Breakers
This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the CRD System. Thus, the train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.
These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.
- 18. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms
The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the CRD System, or declared inoperable under Function 17 above.
OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.
These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.
- 19. Automatic Trip Logic
The LCO requirement for the RTBs (Functions 17 and 18) and Automatic Trip Logic (Function 19) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each train RTB has a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.
The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.
These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs and associated bypass breakers are closed, and the CRD System is capable of rod withdrawal.
The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6).
ACTIONS
A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1. When the Required Channels in Table 3.3.1-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
A channel shall be OPERABLE if the point at which the channel trips is found equal to or more conservative than the Allowable Value. In the event a channel's trip setpoint is found less conservative than the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. Unless otherwise specified, if plant conditions warrant, the trip setpoint may be set outside the NOMINAL TRIP SETPOINT calibration tolerance band as long as the trip setpoint is conservative with respect to the NOMINAL TRIP SETPOINTS. If the trip setpoint is found outside the NOMINAL TRIP SETPOINT calibration tolerance band and non-conservative with respect to the NOMINAL TRIP SETPOINT, the setpoint shall be re-adjusted.
When the number of inoperable channels in a trip Function exceeds those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.
A.1
Condition A applies to all RTS protection Functions. Condition A addresses the situation where one or more required channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1 and B.2
Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.
The Completion Time of 48 hours is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.
If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours total time). The 6 additional hours are reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, the MODES 1 and 2 requirements for this trip Function are no longer required and Condition C is entered.
C.1 and C.2
Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal:
- Manual Reactor Trip;
- RTBs;
- RTB Undervoltage and Shunt Trip Mechanisms; and
- Automatic Trip Logic.
This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour Completion Time, the unit must be placed in a condition in which the requirement does not apply. To achieve this status, the RTBs must be opened within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With the RTBs open, these Functions are no longer required.
The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.
D.1.1, D.1.2, and D.2
Condition D applies to the Power Range Neutron Flux-High and Power Range Neutron Flux-High Positive Rate Functions.
The NIS power range detectors provide input to the CRD System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours allowed to place the inoperable channel in the tripped condition is justified in WCAP-14333-P-A (Ref. 10).
With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost. Therefore, SR 3.2.4.2 must be performed (Required Action D.1.1) within 12 hours of THERMAL POWER exceeding 75% RTP and once per 12 hours thereafter.
Calculating QPTR every 12 hours compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels > 75% RTP. At power levels < 75% RTP, operation of the core with radial power distributions beyond the design limits, at a power level where DNB conditions may exist, is prevented. The 12 hour Completion Time is consistent with the Surveillance Requirement Frequency in LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."
Required Action D.1.1 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using movable incore detectors may not be necessary.
As an alternative to the above Actions, the plant must be placed in a MODE where this Function is no longer required OPERABLE. Seventy eight (78) hours are allowed to place the plant in MODE 3. The 78 hour completion time includes 72 hours for channel corrective maintenance and an additional 6 hours for the MODE reduction as required by Required Action D.2. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. If Required Actions cannot be completed within their allowed Completion Times, LCO 3.0.3 must be entered.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications. The Note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.
E.1 and E.2
Condition E applies to the following reactor trip Functions:
- Power Range Neutron Flux-Low;
- Overtemperature ΔT;
- Overpower ΔT;
- Pressurizer Pressure-High; and
- SG Water Level-Low Low.
A known inoperable channel must be placed in the tripped condition within 72 hours. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours allowed to place the inoperable channel in the tripped condition is justified in Reference 10.
If the operable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The Note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.
F.1 and F.2
Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 24 hours is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor.
Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.
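The coincidence logic described in the Bases above (two-out-of-three, four-out-of-four, two-out-of-four with a channel placed in trip, one-out-of-two, and the P-7 permissive fed by P-10 or P-13), modelled as an added example that is not part of the licensee's document. The channel-state names, the treatment of a bypassed or failed channel as unable to vote, and the single 10% setpoint with no deadband are assumptions made for illustration.

```python
from enum import Enum


class State(Enum):
    NORMAL = "normal"      # healthy; votes to trip only on a real demand
    TRIPPED = "tripped"    # bistable in trip (real signal or placed in trip)
    BYPASSED = "bypassed"  # assumption: a bypassed channel cannot vote
    FAILED = "failed"      # assumption: undetected failure, never votes


# (number of channels, votes required), taken from the Bases text above
LOW_FLUID_OIL_PRESSURE = (3, 2)   # two-out-of-three pressure switches
STOP_VALVE_CLOSURE = (4, 4)       # all four limit switches must show closed
POWER_RANGE_FLUX = (4, 2)         # two-out-of-four NIS power range channels
INTERMEDIATE_RANGE_FLUX = (2, 1)  # one-out-of-two

SETPOINT_PCT = 10.0  # "approximately 10%" for P-10 and P-13; deadband ignored


def trip_votes(states, demand):
    """Count channels voting to trip; `demand` means the condition is real."""
    return sum(
        1 for s in states
        if s is State.TRIPPED or (s is State.NORMAL and demand)
    )


def actuates(states, required, demand):
    """True when the coincidence logic has enough votes to actuate."""
    return trip_votes(states, demand) >= required


def remaining_logic(states, required):
    """Return (votes still needed, channels still able to supply them)."""
    tripped = sum(1 for s in states if s is State.TRIPPED)
    able = sum(1 for s in states if s is State.NORMAL)
    return max(required - tripped, 0), able


def tolerates_single_failure(function):
    """True if a real demand still actuates with any one channel FAILED."""
    channels, required = function
    for failed in range(channels):
        states = [State.NORMAL] * channels
        states[failed] = State.FAILED
        if not actuates(states, required, demand=True):
            return False
    return True


def p10_actuated(power_range_pct):
    """P-10: two-out-of-four power range channels above the setpoint."""
    return sum(p > SETPOINT_PCT for p in power_range_pct) >= 2


def p13_actuated(impulse_pct):
    """P-13: one-out-of-two turbine impulse pressure channels above setpoint."""
    return any(p > SETPOINT_PCT for p in impulse_pct)


def p7_enables_low_power_trips(power_range_pct, impulse_pct):
    """P-7 is actuated by input from either P-10 or P-13."""
    return p10_actuated(power_range_pct) or p13_actuated(impulse_pct)


if __name__ == "__main__":
    N, T = State.NORMAL, State.TRIPPED
    for name, fn in [("low fluid oil pressure", LOW_FLUID_OIL_PRESSURE),
                     ("stop valve closure", STOP_VALVE_CLOSURE),
                     ("power range flux", POWER_RANGE_FLUX),
                     ("intermediate range flux", INTERMEDIATE_RANGE_FLUX)]:
        print(f"{name}: single-failure tolerant = {tolerates_single_failure(fn)}")
    # Conditions D and E: one inoperable channel placed in trip on 2-out-of-4
    print("2oo4 with one channel in trip:", remaining_logic([T, N, N, N], 2))
    # Condition F: placing one channel of a 1-out-of-2 Function in trip
    print("1oo2 with one channel in trip actuates:",
          actuates([T, N], 1, demand=False))
    # Constructed readings in percent: turbine loaded, flux channels low
    print("P-7 enabled:", p7_enables_low_power_trips([5, 5, 5, 5], [12, 4]))
```
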
G.1 and G.2
Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip.
Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately. This will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level. The Completion Time of 2 hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip. Required Action G.1 is modified by a note to indicate that normal plant control operations that individually add limited positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action.
H.1
Condition H applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is below the P-6 setpoint and one or two channels are inoperable. Below the P-6 setpoint, the NIS source range performs the monitoring and protection functions. The inoperable NIS intermediate range channel(s) must be returned to OPERABLE status prior to increasing power above the P-6 setpoint. The NIS intermediate range channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10.
I.1
Condition I applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.
This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.
Required Action I.1 is modified by a note to indicate that normal plant control operations that individually add limited positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action.
McGuire Units 1 and 2 B 3.3.1-39 Revision No. 119
RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)
J.1
Condition J applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and performing a reactor startup, or in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition and the unit enters Condition L.
K.1 and K.2
Condition K applies to one inoperable source range channel in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48 hours is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, 1 additional hour is allowed to open the RTBs. Once the RTBs are open, the core is in a more stable condition and the unit enters Condition L. The allowance of 48 hours to restore the channel to OPERABLE status, and the additional hour to open the RTBs, are justified in Reference 7.
L.1, L.2, and L.3
Condition L applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODE 3, 4, or 5 with the RTBs open. With the unit in this Condition, the NIS source range performs a monitoring function. With less than the required number of source range channels OPERABLE, operations involving positive reactivity additions shall be suspended immediately. In addition to suspension of positive reactivity additions, all valves that could add unborated water to the RCS must be closed within 1 hour as specified in LCO 3.9.2. The isolation of unborated water sources will preclude a boron dilution accident.
Also, the SDM must be verified within 1 hour and once every 12 hours thereafter as per SR 3.1.1.1, SDM verification. With no source range channels OPERABLE, core monitoring is severely reduced. Verifying the SDM within 1 hour allows sufficient time to perform the calculations and determine that the SDM requirements are met. The SDM must also be verified once per 12 hours thereafter to ensure that the core reactivity has not changed. Required Action L.1 precludes any positive reactivity additions; therefore, core reactivity should not be increasing, and a 12 hour Frequency is adequate. The Completion Times of within 1 hour and once per 12 hours are based on operating experience in performing the Required Actions and the knowledge that unit conditions will change slowly. Required Action L.1 is modified by a note which permits plant temperature changes provided the temperature change is accounted for in the calculated SDM and that Keff remains < 0.99. Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM or adequate margin to criticality.
M.1 and M.2
Condition M applies to the following reactor trip Functions:
- Pressurizer Pressure-Low;
- Pressurizer Water Level-High;
- Reactor Coolant Flow-Low (Two Loops);
- Undervoltage RCPs; and
- Underfrequency RCPs.
With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours. Placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip above the P-7 setpoint (and below the P-8 setpoint for the Reactor Coolant Flow-Low (Two Loops) Function). These Functions do not have to be OPERABLE below the P-7 setpoint because, for the Pressurizer Water Level-High function, transients are slow enough for manual action; and for the other functions, power distributions that would cause a DNB concern at this low power level are unlikely. The 72 hours allowed to place the channel in the tripped condition is justified in Reference 10. An additional 6 hours is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.
Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition M.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.
N.1 and N.2
Condition N applies to the Reactor Coolant Flow-Low (Single Loop) reactor trip Function. With one channel inoperable, the inoperable channel must be placed in trip within 72 hours. If the channel cannot be restored to OPERABLE status or the channel placed in trip within the 72 hours, then THERMAL POWER must be reduced below the P-8 setpoint within the next 4 hours. This places the unit in a MODE where the LCO is no longer applicable. This trip Function does not have to be OPERABLE below the P-8 setpoint because other RTS trip Functions provide core protection below the P-8 setpoint. The 72 hours allowed to restore the channel to OPERABLE status or place in trip and the 4 additional hours allowed to reduce THERMAL POWER to below the P-8 setpoint are justified in Reference 10.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.
O.1, O.2, P.1, and P.2
Conditions O and P apply to Turbine Trip on Low Fluid Oil Pressure or on Turbine Stop Valve Closure. With a channel inoperable, the inoperable channel must be placed in the trip condition within 72 hours. If placed in the tripped condition, this results in a partial trip condition requiring fewer additional channels to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-8 setpoint within the next 4 hours. The 72 hours allowed to place the inoperable channel in the tripped condition and the 4 hours allowed for reducing power are justified in Reference 10.
The Required Actions of Condition O have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hour time limit is justified in Reference 10.
Q.1 and Q.2
Condition Q applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours are allowed to restore the train to OPERABLE status (Required Action Q.1) or the unit must be placed in MODE 3 within the next 6 hours.
The Completion Time of 24 hours (Required Action Q.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours allowed to restore the inoperable RTS Automatic Trip Logic train to OPERABLE status is justified in Reference 10. The additional Completion Time of 6 hours (Required Action Q.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.
The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours for surveillance testing, provided the other train is OPERABLE. The 4 hour time limit for testing the RTS Automatic Trip Logic train may include testing the RTB also, if both the Logic test and RTB test are conducted within the 4 hour time limit. The 4 hour time limit is justified in Reference 10.
R.1 and R.2
Condition R applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours is allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours. The 24 hour Completion Time is justified in Reference 11. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. Placing the unit in MODE 3 removes the requirement for this particular Function.
The Required Actions have been modified by a Note. The Note allows one RTB to be bypassed for up to 4 hours for surveillance testing, provided the other RTB is OPERABLE. The 4 hour time limit is justified in Reference 11.
S.1 and S.2
Condition S applies to the P-6 and P-10 interlocks. With one or more channel(s) inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour or the unit must be placed in MODE 3 within the next 6 hours. Verifying the interlock status, by visual observation of the control room status lights, manually accomplishes the interlock's Function. The Completion Time of 1 hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour and 6 hour Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.
T.1 and T.2
Condition T applies to the P-7, P-8, and P-13 interlocks. With one or more channel(s) inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour or the unit must be placed in MODE 2 within the next 6 hours. These actions are conservative for the case where power level is being raised. Verifying the interlock status, by visual observation of the control room status lights, manually accomplishes the interlock's Function. The Completion Time of 1 hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.
U.1 and U.2
Condition U applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours (54 hours total time). With both diverse trip features inoperable, the reactor trip breaker is inoperable and Condition R is entered. The Completion Time of 6 hours is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.
With the unit in MODE 3, the MODES 1 and 2 requirement for this function is no longer required and Condition C is entered. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours for the reasons stated under Condition R.
The Completion Time of 48 hours for Required Action U.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.
V.1
With two RTS trains inoperable, no automatic capability is available to shut down the reactor, and immediate plant shutdown in accordance with LCO 3.0.3 is required.
SURVEILLANCE REQUIREMENTS
The SRs for each RTS Function are identified by the SRs column of Table 3.3.1-1 for that Function.
A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.
Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined. Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.
Performing the Neutron Flux Instrumentation surveillances meets the License Renewal Commitments for License Renewal Program for Neutron Flux Instrumentation Circuits per UFSAR Chapter 18, Table 18-1 and License Renewal Commitments Specification MCS-1274.00-00-0016, Section 4.44.
SR 3.3.1.1
Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.2
SR 3.3.1.2 compares the calorimetric heat balance calculation to the NIS channel output. If the calorimetric exceeds the NIS channel output by > 2% RTP, the NIS is not declared inoperable, but must be adjusted. If the NIS channel output cannot be properly adjusted, the channel is declared inoperable.
Two Notes modify SR 3.3.1.2. The first Note indicates that the NIS channel output shall be adjusted consistent with the calorimetric results if the absolute difference between the NIS channel output and the calorimetric is > 2% RTP. The second Note clarifies that this Surveillance is required only if reactor power is > 15% RTP and that 12 hours is allowed for completing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are inaccurate.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.3
SR 3.3.1.3 compares the incore system to the NIS channel output. If the absolute difference in AFD is > 3%, the NIS channel is still OPERABLE, but must be readjusted.
If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(ΔI) input to the overtemperature ΔT Function and overpower ΔT Function.
Two Notes modify SR 3.3.1.3. Note 1 indicates that the excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is > 3%. Note 2 clarifies that the Surveillance is required only if reactor power is > 15% RTP and that 24 hours is allowed for completing the first Surveillance after reaching 15% RTP.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.4
SR 3.3.1.4 is the performance of a TADOT. This test shall verify OPERABILITY by actuation of the end devices.
The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.14. The bypass breaker test shall include a local shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.5
SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.6
SR 3.3.1.6 is a calibration of the excore channels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(ΔI) input to the overtemperature ΔT Function and overpower ΔT Function.
At Beginning of Cycle (BOC), the excore channels are compared to the incore detector measurements. This comparison is typically performed prior to exceeding 75% power. Excore detectors are adjusted as necessary. This low power surveillance satisfies the initial performance of SR 3.3.1.6.
At BOC, after reaching full power steady state conditions, additional incore and excore measurements are taken and excore detectors are adjusted as necessary.
The M factors are normally only determined at BOC, but they may be changed at other points in the fuel cycle if the relationship between excore and incore measurements changes significantly.
A Note modifies SR 3.3.1.6. The Note states that this Surveillance is required only if reactor power is > 75% RTP and that 24 hours is allowed for completing the first surveillance after reaching 75% RTP.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.7
SR 3.3.1.7 is the performance of a COT.
A COT is performed on each required channel to ensure the channel will perform the intended Function.
The tested portion of the Loop must trip within the Allowable Values specified in Table 3.3.1-1.
The setpoint shall be left set consistent with the assumptions of the setpoint methodology.
SR 3.3.1.7 is modified by a Note that provides a 4 hour delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours, this Surveillance must be completed within 4 hours after entry into MODE 3. The surveillance shall include verification of the high flux at shutdown alarm setpoint of less than or equal to the average CPS Neutron Level reading (most consistent value between highest and lowest CPS Neutron Level reading) at five times background.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions" (Reference 12) has been implemented, this SR is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.
Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY.
The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint (NTSP). Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in the UFSAR. The NOMINAL TRIP SETPOINT definition includes a provision that would allow the as-left setting for the channel to be outside the tolerance band, provided the setting is conservative with respect to the NTSP. This provision is not applicable to Functions for which the second NOTE applies.
SR 3.3.1.8
SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6, during the Intermediate Range COT, and P-10, during the Power Range COT, interlocks are in their required state for the existing unit condition. The verification is performed by visual observation of the permissive status light in the unit control room. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within the frequency specified in the Surveillance Frequency Control Program or 184 days of the Frequencies prior to reactor startup and four hours after reducing power below P-10 and P-6.
The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-10" (applicable to intermediate and power range low channels) and "4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency thereafter applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and four hours after reducing power below P-10 or P-6. The MODE of McGuire Units 1 and 2 B 3.3.1-50 Revision No. 119
RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)
Applicability for this surveillance is < P-1 0 for the power range low and intermediate range channels and < P-6 for the source range channels.
Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 or < P-6 for more than 4 hours, then the testing required by this surveillance must be performed prior to the expiration of the 4 hour limit. Four hours is a reasonable time to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for periods > 4 hours. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions" (Reference 12) has been implemented, this SR is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.
Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY.
The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint (NTSP). Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in the UFSAR. The NOMINAL TRIP SETPOINT definition includes a provision that would allow the as-left setting for the channel to be outside the tolerance band, provided the setting is conservative with respect to the NTSP. This provision is not applicable to Functions for which the second NOTE applies.
SR 3.3.1.9
SR 3.3.1.9 is the performance of a TADOT. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification is accomplished during the CHANNEL CALIBRATION.
SR 3.3.1.10
The CHANNEL CALIBRATION may be performed at power or during refueling based on testing capability. Channel unavailability evaluations in References 10 and 11 have conservatively assumed that the CHANNEL CALIBRATION is performed at power with the channel in bypass.
CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint methodology.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. The applicable time constants are shown in Table 3.3.1-1.
SR 3.3.1.11
SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10. Two notes modify this SR. Note 1 states that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power calorimetric and flux map performed above 15% RTP. The high voltage detector saturation curve is evaluated and compared to the manufacturer's data. The Westinghouse-supplied boron trifluoride (BF3) source range neutron detectors and compensated ion chamber intermediate range neutron detectors are being replaced with Thermo Scientific-supplied fission chamber source and intermediate range neutron detectors. The CHANNEL CALIBRATION for the BF3 source range neutron detectors consists of two methods. Method 1 consists of obtaining the discriminator curves for source range, evaluating those curves, and comparing the curves to the manufacturer's data (adjustments to the discriminator voltage are performed as required).
Method 2 consists of performing waveform analysis. This analysis process monitors the actual number and amplitude of the Neutron/Gamma pulses being generated by the SR detector. The high voltage is adjusted to optimize the amplitude of the pulses while keeping the high voltage value as low as possible in order to prolong the detector life. The discriminator voltage is then adjusted, as required, to reasonably ensure that the neutron pulses are being counted by the source range instrumentation and the unwanted gamma pulses are not being counted as neutron pulses.
The CHANNEL CALIBRATION for the compensated ion chamber intermediate range neutron detectors consists of the high voltage detector plateau for intermediate range, evaluating those curves, and comparing the curves to the manufacturer's data. The CHANNEL CALIBRATION for the fission chamber source and intermediate range neutron detectors consists of verifying that the channels respond correctly to test inputs with the necessary range and accuracy.
Note 2 states that this Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1. Note 3 applies to the compensated ion chamber intermediate range neutron detectors, and states that this Surveillance is not required to be performed for entry into MODE 2 or 1. Notes 2 and 3 are required because the unit must be in at least MODE 2 to perform the test for the compensated ion chamber intermediate range detectors and MODE 1 for the power range detectors.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions" (Reference 12) has been implemented, this SR is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value.
Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY.
The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint (NTSP). Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in the UFSAR. The NOMINAL TRIP SETPOINT definition includes a provision that would allow the as-left setting for the channel to be outside the tolerance band, provided the setting is conservative with respect to the NTSP. This provision is not applicable to Functions for which the second NOTE applies.
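The two TSTF-493 Notes described above can be expressed as a decision procedure. The following is an added example, not part of the Bases or of any Duke Energy procedure: the class and function names, the finding labels and the numeric values are constructed for illustration, and treating an as-found value beyond the Allowable Value as an inoperable finding is an assumption of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Trip(Enum):
    ON_INCREASING = 1    # channel trips as the parameter rises to the setpoint
    ON_DECREASING = -1   # channel trips as the parameter falls to the setpoint


@dataclass(frozen=True)
class Setpoint:
    ntsp: float                  # Nominal Trip Setpoint
    allowable_value: float
    as_found_tol: float          # +/- band from the setpoint methodology
    as_left_tol: float           # +/- band from the setpoint methodology
    trip: Trip
    field_setting: Optional[float] = None  # procedure setpoint, if more conservative

    def __post_init__(self):
        sign = self.trip.value
        # The Allowable Value sits on the non-conservative side of the NTSP.
        if sign * (self.allowable_value - self.ntsp) <= 0:
            raise ValueError("Allowable Value must be non-conservative relative to NTSP")
        # A field setting is accepted only if it trips earlier than the NTSP.
        if self.field_setting is not None and sign * (self.field_setting - self.ntsp) >= 0:
            raise ValueError("field setting must be more conservative than NTSP")

    @property
    def reference(self) -> float:
        """Setpoint the tolerances are applied to (field setting when one is used)."""
        return self.ntsp if self.field_setting is None else self.field_setting

    def conservative_to_av(self, value: float) -> bool:
        """True when the channel would still trip at or before the Allowable Value."""
        return self.trip.value * (value - self.allowable_value) <= 0


def evaluate(sp: Setpoint, as_found: float, as_left: float) -> List[str]:
    """Return the findings a surveillance result raises under the two Notes."""
    findings = []
    if not sp.conservative_to_av(as_found):
        # Assumption of this example: beyond the Allowable Value is inoperable as found.
        findings.append("AS_FOUND_BEYOND_AV")
    elif abs(as_found - sp.reference) > sp.as_found_tol:
        # Note 1: outside as-found tolerance but conservative to the AV,
        # so channel performance is evaluated before return to service.
        findings.append("NOTE_1_EVALUATE")
    if abs(as_left - sp.reference) > sp.as_left_tol:
        # Note 2: no credit for an as-left value that is outside the band,
        # even when it lies on the conservative side of the setpoint.
        findings.append("NOTE_2_INOPERABLE")
    return findings


# Constructed values for a hypothetical low-setpoint Function (arbitrary units).
LOW_TRIP = Setpoint(ntsp=100.0, allowable_value=96.0, as_found_tol=2.0,
                    as_left_tol=1.0, trip=Trip.ON_DECREASING)
LOW_TRIP_FIELD = Setpoint(ntsp=100.0, allowable_value=96.0, as_found_tol=2.0,
                          as_left_tol=1.0, trip=Trip.ON_DECREASING,
                          field_setting=101.0)

if __name__ == "__main__":
    for found, left in [(99.0, 100.0), (97.0, 100.0), (103.0, 100.5),
                        (95.0, 100.0), (99.0, 101.5)]:
        print(found, left, evaluate(LOW_TRIP, found, left))
```

Drift in the conservative direction (103.0 in the sample data) still raises the Note 1 evaluation, because the as-found tolerance is a two-sided band around the setpoint in use.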
SR 3.3.1.12
SR 3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10. Calibration of the ΔT channels is required at the beginning of each cycle upon completion of the precision heat balance. RCS loop ΔT values shall be determined by precision heat balance measurements at the beginning of each cycle.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.13
SR 3.3.1.13 is the performance of a COT of RTS interlocks.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.14
SR 3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip and the SI Input from ESFAS. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.
SR 3.3.1.15
SR 3.3.1.15 is the performance of a TADOT of Turbine Trip Functions.
This TADOT is as described in SR 3.3.1.4, except that this test is performed prior to reactor startup. A Note states that this Surveillance is not required if it has been performed within the previous 31 days.
Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to taking the reactor critical. This test cannot be performed with the reactor at power and must therefore be performed prior to reactor startup.
SR 3.3.1.16 and SR 3.3.1.17
SR 3.3.1.16 and SR 3.3.1.17 verify that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in the UFSAR (Ref. 1). Individual component response times are not modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e., control and shutdown rods fully inserted in the reactor core).
For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate UFSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be either demonstrated by test, or their equivalency to those listed in WCAP-13632-P-A, Revision 2. Any demonstration of equivalency must have been determined to be acceptable by NRC staff review.
WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time.
The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response. The response time of the neutron flux signal portion of the channel shall be measured from detector output or input of the first electronic component in the channel.
REFERENCES
- 1. UFSAR, Chapter 7.
- 2. UFSAR, Chapter 6.
- 3. UFSAR, Chapter 15.
- 4. IEEE-279-1971.
- 5. 10 CFR 50.49.
- 6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).
- 7. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.
- 8. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements", September 1995.
- 9. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests", October 1998.
- 10. WCAP-14333-P-A, Revision 1, October 1998.
- 11. WCAP-15376-P-A, Revision 1, March 2003.
- 12. Technical Specification Task Force, Improved Standard Technical Specifications Change Traveler, TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions", Revision 4.
-UNIT 1- License Amendment No. 365/245 (ECCS Water Management Modification) was implemented on Unit 1 only during 1EOC21.
Until the ECCS amendment can be implemented on Unit 2, there will be separate Bases documents for Unit 1 and Unit 2 for Bases 3.3.2, 3.3.3, 3.5.4, 3.6.6, and 3.6.11. ECCS Water Management Modification is scheduled to be implemented on Unit 2 during the fall 2012 outage.
ESFAS Instrumentation B 3.3.2
B 3.3 INSTRUMENTATION
B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation
BASES
BACKGROUND
The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.
The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:
- Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;
- Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and
- Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.
Field Transmitters or Sensors
To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS).
In some cases, the same channels also provide control system inputs.
To account for calibration tolerances and instrument drift, which is assumed to occur between calibrations, statistical allowances are provided in the NOMINAL TRIP SETPOINT and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.
McGuire Unit 1 B 3.3.2-1 Revision No. 119
Signal Processing Equipment
Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision logic processing. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.
Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.
These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in the UFSAR.
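The coincidence logic described above can be checked by enumerating channel failures. The following is an added example, not part of the Bases or of the SSPS design: it models only bistable outputs feeding a k-out-of-n vote, and the state names and function names are assumptions made for the illustration.

```python
from enum import Enum


class Ch(Enum):
    HEALTHY = "healthy"    # bistable follows the measured parameter
    NO_TRIP = "no_trip"    # failed in a direction that cannot produce a trip output
    TRIPPED = "tripped"    # output already tripped (failed that way or placed in trip)


def votes(states, demand):
    """Trip outputs seen by the logic; demand=True means the parameter is past the setpoint."""
    return sum(1 for s in states if s is Ch.TRIPPED or (demand and s is Ch.HEALTHY))


def actuates(states, k, demand):
    """True when at least k channels present a trip output."""
    return votes(states, demand) >= k


def effective_logic(states, k):
    """Remaining coincidence as (votes still needed, healthy channels able to vote)."""
    healthy = sum(1 for s in states if s is Ch.HEALTHY)
    tripped = sum(1 for s in states if s is Ch.TRIPPED)
    return (max(k - tripped, 0), healthy)


def single_failure_tolerant(states, k):
    """True when no single additional channel failure can prevent actuation
    on demand or cause actuation without demand."""
    if not actuates(states, k, True) or actuates(states, k, False):
        return False
    for i, state in enumerate(states):
        if state is not Ch.HEALTHY:
            continue
        for mode in (Ch.NO_TRIP, Ch.TRIPPED):
            trial = list(states)
            trial[i] = mode
            if not actuates(trial, k, True) or actuates(trial, k, False):
                return False
    return True


H, N, T = Ch.HEALTHY, Ch.NO_TRIP, Ch.TRIPPED

# Constructed scenarios, all voted two-out-of-n (k = 2).
SCENARIOS = {
    "2oo3, all channels healthy": [H, H, H],
    "2oo3, one channel failed without a partial trip": [N, H, H],
    "2oo3, one channel failed with a partial trip": [T, H, H],
    "2oo4, one channel lost to a control system input failure": [N, H, H, H],
}


def summarize(k=2):
    """Effective logic, spurious-trip check and single-failure tolerance per scenario."""
    return {
        name: {
            "effective_logic": effective_logic(states, k),
            "trips_without_demand": actuates(states, k, False),
            "single_failure_tolerant": single_failure_tolerant(states, k),
        }
        for name, states in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(name, result)
```

With three channels, losing one to a control system input failure leaves two-out-of-two, which a further single failure can defeat; with four channels the same loss leaves two-out-of-three, which is why shared control and protection parameters use four.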
Trip Setpoints and Allowable Values
The NOMINAL TRIP SETPOINTS are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION tolerance.
The NOMINAL TRIP SETPOINTS used in the bistables are based on the analytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIP SETPOINTS is such that adequate protection is provided when all sensor and processing time delays, calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left Setpoint entered into the bistable assures that the actual trip occurs before the Allowable Value is reached. The Allowable Value accounts for changes in random measurement errors detectable by a COT. One example of such a change in measurement error is drift during the surveillance interval. If the point at which the loop trips does not exceed the Allowable Value, the loop is considered OPERABLE.
A trip within the Allowable Value ensures that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.
Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.
The NOMINAL TRIP SETPOINTS and Allowable Values listed in Table 3.3.2-1 incorporate all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NOMINAL TRIP SETPOINT. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.
Solid State Protection System
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.
Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.
The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.
Each SSPS train has a built in testing device that can test the decision logic matrix functions and the actuation devices while the unit is at power.
When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.
The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.
The LCO generally requires OPERABILITY of three or four channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.
The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:
- 1. Safety Injection
Safety Injection (SI) provides two primary functions:
- 1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F); and
These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment.
The SI signal is also used to initiate other Functions such as:
- Phase A Isolation;
- Containment Purge and Exhaust Isolation;
- Feedwater Isolation;
- Start of motor driven auxiliary feedwater (AFW) pumps;
- Control room area ventilation isolation;
- Enabling automatic switchover of Emergency Core Cooling Systems (ECCS) suction to containment sump;
- Start of annulus ventilation system filtration trains;
- Start of auxiliary building filtered ventilation exhaust system trains;
- Start of diesel generators;
- Start of nuclear service water system pumps; and
- Start of component cooling water system pumps.
These other functions ensure:
- Isolation of nonessential systems through containment penetrations;
- Trip of the turbine and reactor to limit power generation;
- Start of AFW to ensure secondary side cooling capability;
- Isolation of the control room to ensure habitability;
- Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low RWST level to ensure continued cooling via use of the containment sump;
- Starting of annulus ventilation and auxiliary building filtered ventilation to limit offsite releases;
- Starting of diesel generators for loss of offsite power considerations; and
- Starting of component cooling water and nuclear service water systems for heat removal.
- a. Safety Injection-Manual Initiation
The LCO requires one channel per train to be OPERABLE.
The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.
The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.
Each train consists of one push button and the interconnecting wiring to the actuation logic cabinet. This configuration does not allow testing at power.
- b. Safety Injection-Automatic Actuation Logic and Actuation Relays
This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.
Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.
These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- c. Safety Injection-Containment Pressure-High
This signal provides protection against the following accidents:
- SLB inside containment;
- LOCA; and
- Feed line break inside containment.
Containment Pressure-High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.
Containment Pressure-High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.
- d. Safety Injection-Pressurizer Pressure-Low Low
This signal provides protection against the following accidents:
- Inadvertent opening of a steam generator (SG) relief or safety valve;
- SLB;
- A spectrum of rod cluster control assembly ejection accidents (rod ejection);
- Inadvertent opening of a pressurizer relief or safety valve;
Pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High signal.
This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.
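The channel-count reasoning given above for Containment Pressure-High (three channels, two-out-of-three) and Pressurizer Pressure-Low Low (four channels, two-out-of-four) can be checked by enumerating failure combinations. The Python sketch below is an added illustration, not part of the Technical Specification Bases; all function names are hypothetical, and it assumes every failed channel is stuck in the non-tripped state.

```python
from itertools import combinations


def actuates(votes, required):
    """Coincidence logic: actuate when at least `required` channels vote to trip."""
    return sum(votes) >= required


def actuates_on_demand(n_channels, required, n_failed):
    """Return True if the logic still actuates on a real demand for every
    possible set of `n_failed` channels stuck in the non-tripped state
    (assumption of this example: failures never produce a trip vote)."""
    if n_failed > n_channels:
        return False
    for failed in combinations(range(n_channels), n_failed):
        # On a real demand every healthy channel votes to trip.
        votes = [ch not in failed for ch in range(n_channels)]
        if not actuates(votes, required):
            return False
    return True


def failures_to_withstand(feeds_control_system):
    """Number of channel failures the logic must ride through.

    A protection-only signal must withstand a single failure. A signal that
    also feeds a control system must withstand the input failure that upset
    the control system plus a single failure in the other channels.
    """
    return 2 if feeds_control_system else 1


def minimum_channels(required, feeds_control_system, limit=8):
    """Smallest channel count for which `required`-out-of-n coincidence
    still actuates after the failures that must be withstood."""
    n_failed = failures_to_withstand(feeds_control_system)
    for n in range(required, limit + 1):
        if actuates_on_demand(n, required, n_failed):
            return n
    return None


def summary():
    """Rows of (signal, feeds control system, minimum channels for 2-out-of-n)."""
    return [
        ("Containment Pressure-High", False, minimum_channels(2, False)),
        ("Pressurizer Pressure-Low Low", True, minimum_channels(2, True)),
    ]


if __name__ == "__main__":
    for name, control, n in summary():
        print(f"{name}: control input={control}, channels needed={n}")
```

With three channels and two failures only one healthy channel remains, so two-out-of-three cannot actuate; the fourth channel restores the second vote.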
- 2. Containment Spray
Containment Spray provides two primary functions:
- 1. Lowers containment pressure and temperature after an HELB in containment; and
- 2. Reduces the amount of radioactive iodine in the containment atmosphere.
These functions are necessary to:
- Ensure the pressure boundary integrity of the containment structure; and
- Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure.
After the RHR pumps have been aligned for containment sump recirculation, containment spray pumps are aligned to the sump.
Once adequate sump level and containment pressure above 3 PSIG have been confirmed, one spray pump is manually started.
The second train of containment spray is available in the event of the failure of the first train.
- 3. Containment Isolation
Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.
There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW) and Nuclear Service Water System (NSWS) to RCP motor air coolers, at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW and NSWS are required to support RCP operation, not isolating CCW and NSWS on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW and NSWS on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.
Phase A containment isolation is actuated automatically by SI, or manually via the actuation circuitry. All process lines penetrating containment, with the exception of CCW and NSWS, are isolated.
CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.
Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates its associated train.
The Phase B signal isolates CCW and NSWS. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW and NSWS at the higher pressure does not pose a challenge to the containment boundary because the CCW System and NSWS are closed loops inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the systems are continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint.
Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of CCW System and NSWS design and Phase B isolation ensures there is not a potential path for radioactive release from containment.
Phase B containment isolation is actuated by Containment Pressure-High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-High High, a LOCA or SLB must have occurred. RCP operation will no longer be required and CCW to the RCPs and NSWS to the RCP motor coolers is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.
Manual Phase B Containment Isolation is accomplished by pushbuttons on the Main Control Board.
- a. Containment Isolation-Phase A Isolation
(1) Phase A Isolation-Manual Initiation
Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains.
(2) Phase A Isolation-Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase A Isolation-Safety Injection
Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function.
Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.
- b. Containment Isolation-Phase B Isolation
Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels. The Containment Pressure trip of Phase B Containment Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.
(1) Phase B Isolation-Manual Initiation
(2) Phase B Isolation-Automatic Actuation Logic and Actuation Relays
Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase B Isolation-Containment Pressure-High High
The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.
- 4. Steam Line Isolation
Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.
Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.
- a. Steam Line Isolation-Manual Initiation
Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two system level switches in the control room and either switch can initiate action to immediately close all MSIVs. The LCO requires two channels to be OPERABLE. Individual valves may also be closed using individual hand switches in the control room. The LCO requires four individual channels to be OPERABLE.
- b. Steam Line Isolation-Automatic Actuation Logic and Actuation Relays
Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.
- c. Steam Line Isolation-Containment Pressure-High High
This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain three unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. The Containment Pressure-High High function is described in ESFAS Function 2.C.
Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure-High High setpoint.
- d. Steam Line Isolation-Steam Line Pressure
(1) Steam Line Pressure-Low
Steam Line Pressure-Low provides closure of the MSIVs in the event of an SLB to maintain three unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment.
This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.
Steam Line Pressure-Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure-High High. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure-Negative Rate-High signal for Steam Line Isolation below P-11 when Steam Line Isolation Steam Line Pressure-Low has been manually blocked. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.
(2) Steam Line Pressure-Negative Rate-High
Steam Line Pressure-Negative Rate-High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure-Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure-Negative Rate-High signal is automatically enabled. Steam Line Pressure-Negative Rate-High provides no input to any control functions.
Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.
Steam Line Pressure-Negative Rate-High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure-Low signal is automatically enabled. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.
- 5. Turbine Trip and Feedwater Isolation
The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, stop the excessive flow of feedwater into the SGs, and to limit the energy released into containment. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows. Feedwater isolation serves to limit the energy released into containment upon a feedwater line or steam line break inside containment.
The Functions are actuated when the level in any SG exceeds the high high setpoint, and perform the following functions:
- Trips the main turbine;
- Trips the MFW pumps; and
- Initiates feedwater isolation (shuts the MFW control valves, bypass feedwater control valves, feedwater isolation valves, and the MFW to AFW nozzle bypass valves).
Turbine Trip and Feedwater Isolation signals are both actuated by SG Water Level-High High, or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. A Feedwater Isolation signal is also generated by a reactor trip (P-4) coincident with Tavg-Low and on a high water level in the reactor building doghouse. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was discussed previously.
- a. Turbine Trip
(1) Turbine Trip-Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
(2) Turbine Trip-Steam Generator Water Level-High High (P-14)
This signal prevents damage to the turbine due to water in the steam lines. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Only three protection channels are necessary to satisfy the protective requirements. The setpoints are based on percent of narrow range instrument span.
(3) Turbine Trip-Safety Injection
Turbine Trip is also initiated by all Functions that initiate SI. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.
Item 5.a.(1) is referenced for the applicable MODES.
The Turbine Trip Function must be OPERABLE in MODES 1 and 2. In lower MODES, the turbine generator is not in service and this Function is not required to be OPERABLE.
- b. Feedwater Isolation
(1) Feedwater Isolation-Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
(2) Feedwater Isolation-Steam Generator Water Level-High High (P-14)
This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Only three protection channels are necessary to satisfy the protective requirements. The setpoints are based on percent of narrow range instrument span.
(3) Feedwater Isolation-Safety Injection
Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1.
Instead Function 1, SI, is referenced for all initiating functions and requirements. Item 5.b.(1) is referenced for the applicable MODES.
(4) Feedwater Isolation-RCS Tavg-Low Coincident With Reactor Trip (P-4)
This signal provides protection against excessive cooldown, which could subsequently introduce a positive reactivity excursion after a plant trip. There are four channels of RCS Tavg-Low (one per loop), with a two-out-of-four logic required coincident with a reactor trip signal (P-4) to initiate a feedwater isolation.
The P-4 interlock is discussed in Function 8.a.
(5) Turbine Trip and Feedwater Isolation-Doghouse Water Level-High High
This signal initiates a Feedwater Isolation. The signal terminates forward feedwater flow in the event of a postulated pipe break in the main feedwater piping in the doghouses to prevent flooding safety related equipment essential to the safe shutdown of the plant.
The level instrumentation consists of six level switches (three per train) in each of the two reactor building doghouses. A high-high level detected by two-out-of-three switches in either train in the inboard or outboard doghouse will initiate a feedwater isolation. This signal initiates Feedwater Isolation for the specific doghouse where the High-High level is detected and trips both main feedwater pumps thus causing a main turbine trip.
The Feedwater Isolation Function must be OPERABLE in MODES 1 and 2 and also in MODE 3 (except for the functions listed in Table 3.3.2-1).
Feedwater Isolation is not required OPERABLE when all MFIVs, MFCVs, and associated bypass valves are closed and de-activated or isolated by a closed manual valve. In lower MODES, the MFW System is not in service and this Function is not required to be OPERABLE.
- 6. Auxiliary Feedwater
The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump, making it available during normal and accident operation. The normal source of water for the AFW System is the non-safety related AFW Storage Tank (Water Tower). A low suction pressure to the AFW pumps will automatically realign the pump suctions to the Nuclear Service Water System (NSWS) (safety related). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.
- a. Auxiliary Feedwater-Automatic Actuation Logic and Actuation Relays
Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
- b. Auxiliary Feedwater-Steam Generator Water Level-Low Low
SG Water Level-Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low Low provides input to the SG Level Control System.
Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic. The setpoints are based on percent of narrow range instrument span.
SG Water Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level - Low Low in any two operating SGs will cause the turbine driven pumps to start.
- c. Auxiliary Feedwater-Safety Injection
An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
- d. Auxiliary Feedwater-Station Blackout
A loss of power or degraded voltage to the service buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of power or degraded voltage is detected by a voltage drop on each essential service bus. Loss of power or degraded voltage to either essential service bus will start the turbine driven and motor driven AFW pumps to ensure that at least two SGs contain enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. The turbine driven pump does not start on a loss of power coincident with a SI signal.
Functions 6.a through 6.d must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.
- e. Auxiliary Feedwater-Trip of All Main Feedwater Pumps
A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Two contacts are provided in series (one from each MFW pump) in the starting circuit for each AFW pump. A trip of all MFW pumps closes both contacts and starts the motor driven AFW pumps to ensure that at least two SGs are available with water to act as the heat sink for the reactor. This function must be OPERABLE in MODES 1 and 2. This ensures that at least two SGs are provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident.
In MODES 3, 4, and 5, the MFW pumps are normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.
- f. Auxiliary Feedwater-Pump Suction Transfer on Suction Pressure-Low
A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the non-safety related AFW Storage Tank (Water Tower).
Two pressure switches per train are located on the AFW pump suction line. The turbine driven AFW pump has a total of four switches. A low pressure signal sensed by two-out-of-two switches on either train will cause the emergency supply of water for the pump to be aligned. The NSWS (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least two of the SGs as the heat sink for reactor decay heat and sensible heat removal.
This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.
- 7. Automatic Switchover to Containment Sump
At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps.
Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability.
- a. Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-Low Coincident With Safety Injection
During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with three level transmitters.
These transmitters provide no control functions. Therefore, a two-out-of-three logic is adequate to initiate the protection function actuation.
Automatic switchover occurs only if the RWST low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump.
The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function.
Therefore, the requirements are not repeated in Table 3.3.2-1.
Instead, Function 1, SI, is referenced for all initiating Functions and requirements. These Functions must be OPERABLE in MODES 1, 2, and 3 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- 8. Engineered Safety Feature Actuation System Interlocks
To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
- a. Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4
The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker is open. Operators are able to reset SI 60 seconds after initiation. If a P-4 is present when SI is reset, subsequent automatic SI initiation will be blocked until the RTBs have been manually closed. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete while avoiding multiple SI initiations. The functions of the P-4 interlock are:
- Trip the main turbine;
- Isolate MFW with coincident low Tavg;
- Prevent reactuation of SI after a manual reset of SI; and
- Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level-High High.
McGuire Unit 1 B 3.3.2-24 Revision No. 119
ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)
Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip.
An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.
None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other three Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.
The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts.
Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.
This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine and the MFW System are not in operation.
- b. Engineered Safety Feature Actuation System Interlocks-Pressurizer Pressure, P-11
The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal (previously discussed).
When the Steam Line Pressure-Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure-Negative Rate-High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure-Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure-Negative Rate-High is disabled.
This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.
- c. Engineered Safety Feature Actuation System Interlocks-Tavg-Low Low, P-12
On increasing reactor coolant temperature, the P-12 interlock provides an arming signal to the Steam Dump System. On a decreasing temperature, the P-12 interlock removes the arming signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System.
Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. These channels are used in two-out-of-four logic.
This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have an accident.
- 9. Containment Pressure Control System Permissives
The Containment Pressure Control System (CPCS) protects the Containment Building from excessive depressurization by preventing inadvertent actuation or continuous operation of the Containment Spray and Containment Air Return Systems when containment pressure is at or less than the CPCS permissive setpoint. The control scheme of CPCS is comprised of eight independent control circuits (4 per train), each having a separate and independent pressure transmitter and current alarm module. Each pressure transmitter monitors the containment pressure and provides input to its respective current alarm. The current alarms are set to inhibit or terminate containment spray and containment air return fan operation when containment pressure falls below the setpoint.
The alarm modules switch back to the permissive state (allowing the systems to operate) when containment pressure is greater than or equal to the setpoint.
This function must be OPERABLE in MODES 1, 2, 3, and 4 when there is sufficient energy in the primary and secondary sides to pressurize containment following a pipe break. In MODES 5 and 6, there is insufficient energy in the primary and secondary sides to significantly pressurize the containment.
The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6).
ACTIONS
A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
A channel shall be OPERABLE if the point at which the channel trips is found equal to or more conservative than the Allowable Value. In the event a channel's trip setpoint is found less conservative than the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by the channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. If plant conditions warrant, the trip setpoint may be set outside the NOMINAL TRIP SETPOINT calibration tolerance band as long as the trip setpoint is conservative with respect to the NOMINAL TRIP SETPOINT.
If the trip setpoint is found outside the NOMINAL TRIP SETPOINT calibration tolerance band and non-conservative with respect to the NOMINAL TRIP SETPOINT, the setpoint shall be re-adjusted.
When the number of inoperable channels in a trip function exceeds those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1 and B.2.2 Condition B applies to manual initiation of:
- SI;
- Phase A Isolation; and
- Phase B Isolation.
This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable.
Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (54 hours total time) and in MODE 5 within an additional 30 hours (84 hours total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
C.1, C.2.1 and C.2.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:
- SI;
- Phase A Isolation; and
- Phase B Isolation.
This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing, provided the other train is OPERABLE. The Required Actions are not required to be met during this time, unless the train is discovered inoperable during the testing. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref. 7) that 4 hours is the average time required to perform train surveillance.
If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.
D.1, D.2.1, and D.2.2 Condition D applies to:
- Containment Pressure-High;
- Pressurizer Pressure-Low Low;
- Steam Line Pressure-Low;
- Steam Line Pressure-Negative Rate-High;
- SG Water Level-Low Low, and
- Loss of offsite power.
If one channel is inoperable, 72 hours are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.
Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. The 72 hours allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 10.
Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hours allowed for testing are justified in Reference 10.
E.1, E.2.1, and E.2.2 Condition E applies to:
- Containment Phase B Isolation Containment Pressure - High-High, and
- Steam Line Isolation Containment Pressure - High High.
Neither of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious isolation initiation. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion.
Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate isolation.
To avoid the inadvertent actuation of Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours, requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours for surveillance testing. Placing a second channel in the bypass condition for up to 12 hours for testing purposes is acceptable based on the results of Reference 10.
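The coincidence-logic reasoning in Conditions D and E (trip a failed channel in two-out-of-three logic, bypass it in two-out-of-four logic) can be checked mechanically. The Python sketch below is an added illustration and is not part of the McGuire Bases; the channel-state model, the assumption that an untreated inoperable channel never votes, and all function names are assumptions made for the example.

```python
from enum import Enum


class State(Enum):
    OPERABLE = "operable"      # votes according to its bistable output
    INOPERABLE = "inoperable"  # assumption: failed so that it never votes
    TRIPPED = "tripped"        # forced to vote "trip" at all times
    BYPASSED = "bypassed"      # deliberately removed from the vote


def actuates(states, demand, required):
    """True if at least `required` channels vote to trip.

    demand[i] is True when channel i's bistable output is in the trip
    state, whether from real process conditions or from a failure.
    """
    votes = sum(
        1 for s, d in zip(states, demand)
        if s is State.TRIPPED or (s is State.OPERABLE and d)
    )
    return votes >= required


def effective_logic(states, required):
    """Return (m, n): m more votes are needed from the n channels still voting."""
    still_voting = sum(s is State.OPERABLE for s in states)
    already_tripped = sum(s is State.TRIPPED for s in states)
    return max(required - already_tripped, 0), still_voting


def survives_single_failure(states, required):
    """True if a real demand still actuates with any one operable channel dead."""
    n = len(states)
    if not actuates(states, [True] * n, required):
        return False
    for failed, s in enumerate(states):
        if s is State.OPERABLE:
            demand = [i != failed for i in range(n)]
            if not actuates(states, demand, required):
                return False
    return True


def spurious_on_single_failure(states, required):
    """True if, with no real demand, one operable channel failing high actuates."""
    n = len(states)
    for failed, s in enumerate(states):
        if s is State.OPERABLE:
            demand = [i == failed for i in range(n)]
            if actuates(states, demand, required):
                return True
    return False


def assess(states, required):
    """Summarise one channel configuration."""
    m, n = effective_logic(states, required)
    return {
        "effective": f"{m}-out-of-{n}",
        "single_failure_ok": survives_single_failure(states, required),
        "spurious_risk": spurious_on_single_failure(states, required),
    }


O, I, T, B = State.OPERABLE, State.INOPERABLE, State.TRIPPED, State.BYPASSED

# Constructed configurations matching the cases discussed in Conditions D and E.
CASES = {
    "2oo3, all channels operable": ([O, O, O], 2),
    "2oo3, one channel inoperable": ([I, O, O], 2),
    "2oo3, inoperable channel tripped (Condition D)": ([T, O, O], 2),
    "2oo4, inoperable channel tripped": ([T, O, O, O], 2),
    "2oo4, inoperable channel bypassed (Condition E)": ([B, O, O, O], 2),
    "2oo4, second channel bypassed for testing": ([B, B, O, O], 2),
}

if __name__ == "__main__":
    for name, (states, required) in CASES.items():
        print(f"{name}: {assess(states, required)}")
```

The output shows the trade the text describes: tripping the failed channel restores single-failure tolerance but leaves the Function one spurious vote away from actuation, while bypassing a channel in two-out-of-four logic keeps both properties.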
F.1, F.2.1, and F.2.2 Condition F applies to:
- Manual Initiation of Steam Line Isolation; and
- P-4 Interlock.
For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. If a train or channel is inoperable, 48 hours is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.
G.1 and G.2 Condition G applies to manual initiation of Steam Line Isolation.
This action addresses the operability of the manual steam line isolation function for each individual main steam isolation valve. If a channel is inoperable, 48 hours is allowed to return it to an OPERABLE status. If the train cannot be restored to OPERABLE status, the Conditions and Required Actions of LCO 3.7.2, "Main Steam Isolation Valves," must be entered for the associated inoperable valve. The specified Completion Time is reasonable considering that there is a system level manual initiation train for this Function and the low probability of an event occurring during this interval.
H.1, H.2.1 and H.2.2 Condition H applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Feedwater Isolation, and AFW actuation Functions.
The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.
The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours is the average time required to perform channel surveillance.
If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.
I.1 and I.2 Condition I applies to the automatic actuation logic and actuation relays for the Turbine Trip Function.
This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the following 6 hours. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE 3. Placing the unit in MODE 3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.
The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours is the average time required to perform channel surveillance.
If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.
J.1 and J.2 Condition J applies to:
- SG Water Level-High High (P-14) for the Turbine Trip Function; and
- Tavg-Low.
If one channel is inoperable, 72 hours are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. The 72 hours allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 10. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit to be placed in MODE 3 within the following 6 hours. The allowed Completion Time of 78 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 72 hours allowed to place the inoperable channel in the tripped condition, and the 12 hours allowed for a channel to be in the bypassed condition for testing, are justified in Reference 10.
K.1 and K.2 Condition K applies to the AFW pump start on trip of all MFW pumps.
This action addresses the relay contact orientation for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 1 hour is allowed to place the channel in trip. If placed in the tripped condition, the function is then in a partial trip condition where a one-out-of-one logic will result in actuation. If the channel is not placed in trip within 1 hour, 6 hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.
L.1 Condition L applies to the Doghouse Water Level - High High.
The failure of one required channel in one train in either reactor building doghouse results in a loss of redundancy for the function. The function can still be initiated by the remaining operable train. The inoperable train is required to be restored to OPERABLE status within 72 hours, or continuous visual monitoring of the doghouse water level must be implemented in the following hour.
The allowed Completion Time is reasonable considering that the redundant train remains OPERABLE to initiate the function if required.
M.1, M.2.1 and M.2.2 Condition M applies to the Doghouse Water Level - High High.
The failure of two trains in either reactor building doghouse results in a loss of the function. Continuous visual monitoring of the doghouse water level must be implemented in the following hour.
The allowed Completion Time provides sufficient time for the operating staff to establish the required monitoring.
N.1 and N.2 Condition N applies to the Auxiliary Feedwater Pumps Suction Transfer on Suction Pressure Low.
If one or more channels on a single AFW pump are inoperable, 48 hours is allowed to restore the channel(s) to OPERABLE status or to declare the associated AFW pump inoperable. The failure of one or more channels on one pump disables the ability for the suction transfer on that pump.
The allowed Completion Times are reasonable, considering the remaining redundant pumps and transfer instrumentation.
O.1 Condition O applies to the Auxiliary Feedwater Pumps Suction Transfer on Suction Pressure Low.
If one or more channels on more than one AFW pump are inoperable, the ability for the suction transfer has been lost on multiple pumps. In this case, the associated AFW pumps must be declared inoperable immediately.
P.1 and P.2 Condition P applies to RWST Level-Low Coincident with Safety Injection.
RWST Level-Low Coincident with SI provides actuation of switchover to the containment sump. The inoperable channel shall be returned to OPERABLE status or placed in the trip condition within 1 hour. This Condition applies to a function that operates on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. The channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. A channel placed in the trip condition shall be restored to OPERABLE status within 48 hours. With one channel in the trip condition, a single failure of another channel coincident with a design basis Loss of Coolant Accident (LOCA) could result in premature automatic swapover of ECCS pumps to the containment recirculation sump. For a failure leading to early swapover, plant analyses assume operators do not have sufficient time to resolve the problem prior to ECCS pump damage.
Consequently, as a result of this premature swapover, both trains of ECCS pumps could fail due to insufficient sump water level. This could prevent the ECCS pumps from performing their post-LOCA cooling function. The allowed Completion Time of 48 hours is reasonable since, based on operating experience, there is a very small probability of a random failure of another RWST level channel in a given 48 hour period.
Q.1, Q.2.1 and Q.2.2
Condition Q applies to the P-11 and P-12 interlocks.
With one channel inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. The verification is performed by visual observation of the permissive status light in the unit control room. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour. The 1 hour Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.
R.1
Condition R applies to the Containment Pressure Control System Start and Terminate Permissives.
With one or more channels inoperable, the affected containment spray, containment air return fans, and hydrogen skimmer fans must be declared inoperable immediately. The supported system LCOs provide the appropriate Required Actions and Completion Times for the equipment made inoperable by the inoperable channel. The immediate Completion Time is appropriate since the inoperable channel could prevent the supported equipment from starting when required. Additionally, protection from an inadvertent actuation may not be provided if the terminate function is not OPERABLE.
S.1 and S.2
Condition S applies to RWST Level-Low Coincident with Safety Injection.
When Required Actions cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and MODE 4 within 12 hours of entering the Condition.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.
SURVEILLANCE REQUIREMENTS
The SRs for each ESFAS Function are identified by the SRs column of Table 3.3.2-1.
A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.
Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined.
Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.
SR 3.3.2.1
Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.2
SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.3
SR 3.3.2.3 is the performance of a COT on the RWST level and Containment Pressure Control Start and Terminate Permissives.
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found conservative with respect to the Allowable Values specified in Table 3.3.2-1. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions," has been implemented, this SR is modified by two (2) Notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint (NTSP). Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in the UFSAR.
SR 3.3.2.4
SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The time allowed for the testing (4 hours) is justified in Reference 7. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.5
SR 3.3.2.5 is the performance of a COT.
A COT is performed on each required channel to ensure the channel will perform the intended Function. The tested portion of the loop must trip within the Allowable Values specified in Table 3.3.2-1.
The setpoint shall be left set consistent with the assumptions of the setpoint methodology.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.6
SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment.
Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.7
SR 3.3.2.7 is the performance of a TADOT. This test is a check of the Manual Actuation Functions, AFW pump start, Reactor Trip (P-4) Interlock and Doghouse Water Level - High High feedwater isolation. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.
SR 3.3.2.8
SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.
The CHANNEL CALIBRATION may be performed at power or during refueling based on bypass testing capability. Channel unavailability evaluations in References 10 and 11 have conservatively assumed that the CHANNEL CALIBRATION is performed at power with the channel in bypass.
CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.
The applicable time constants are shown in Table 3.3.2-1.
For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions," has been implemented, this SR is modified by two (2) Notes as identified in Table 3.3.2-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint (NTSP). Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in the UFSAR.
SR 3.3.2.9
This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria are included in the UFSAR (Ref. 2). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).
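The decision sequence in the two TSTF-493 Notes described for SR 3.3.2.3 and SR 3.3.2.8 can be written as a check on one channel's surveillance data. This is an added example, not part of the Bases or any plant procedure; the class, function and status names and all numeric values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ChannelSetpoint:
    ntsp: float                 # Nominal Trip Setpoint
    allowable_value: float      # Allowable Value from Table 3.3.2-1
    as_found_tol: float         # as-found tolerance (+/-)
    as_left_tol: float          # as-left tolerance (+/-)
    trips_on_decreasing: bool   # True for a low trip such as RWST Level-Low
    field_setting: Optional[float] = None  # more conservative procedure setpoint

    @property
    def reference(self) -> float:
        # Where a field setting is used, the tolerances are applied to it
        # instead of the NTSP.
        return self.ntsp if self.field_setting is None else self.field_setting


def evaluate_surveillance(sp: ChannelSetpoint, as_found: float, as_left: float):
    """Return (status, findings) for one channel's as-found/as-left data.

    status is "OPERABLE", "EVALUATE" (first Note applies: channel performance
    must be evaluated before return to service) or "INOPERABLE".
    """
    status, findings = "OPERABLE", []

    # Conservative with respect to the Allowable Value means the channel
    # would still trip before the process reaches the Allowable Value.
    if sp.trips_on_decreasing:
        conservative = as_found >= sp.allowable_value
    else:
        conservative = as_found <= sp.allowable_value

    if not conservative:
        status = "INOPERABLE"
        findings.append("as-found setting not conservative to the Allowable Value")
    elif abs(as_found - sp.reference) > sp.as_found_tol:
        # First Note: outside as-found tolerance but conservative to the AV.
        status = "EVALUATE"
        findings.append("outside as-found tolerance: evaluate channel performance; "
                        "if OPERABLE but degraded, enter Corrective Action Program")

    # Second Note: as-left must be within the as-left tolerance.
    if abs(as_left - sp.reference) > sp.as_left_tol:
        status = "INOPERABLE"
        findings.append("as-left setting not within as-left tolerance")

    return status, findings


# Constructed sample: a low-level trip, values in arbitrary level units.
SAMPLE_LOW_LEVEL = ChannelSetpoint(ntsp=35.0, allowable_value=33.0,
                                   as_found_tol=1.0, as_left_tol=0.5,
                                   trips_on_decreasing=True)

if __name__ == "__main__":
    for found, left in [(35.3, 35.3), (33.6, 35.1), (32.5, 35.0), (35.3, 35.9)]:
        print(found, left, evaluate_surveillance(SAMPLE_LOW_LEVEL, found, left))
```
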
For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate UFSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated either by test or by their equivalency to those listed in WCAP-13632-P-A, Revision 2. Any demonstration of equivalency must have been determined to be acceptable by NRC staff review.
WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours after reaching 900 psig in the SGs.
REFERENCES
1. UFSAR, Chapter 6.
2. UFSAR, Chapter 7.
3. UFSAR, Chapter 15.
4. IEEE-279-1971.
5. 10 CFR 50.49.
6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).
7. WCAP-10271-P-A, Supplement 1 and Supplement 2, Rev. 1, May 1986 and June 1990.
8. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," Sep. 1995.
9. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," Oct. 1998.
10. WCAP-14333-P-A, Revision 1, October 1998.
11. WCAP-15376-P-A, Revision 1, March 2003.
UNIT 2 - Until License Amendment No. 365/245 (ECCS Water Management Modification) can be implemented on Unit 2, which is scheduled during the fall outage of 2012, there will be separate documents for Unit 1 and Unit 2 Bases: 3.3.2, 3.3.3, 3.5.4, 3.6.6, and 3.6.11
B 3.3 INSTRUMENTATION
B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation
BASES
BACKGROUND
The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.
The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:
- Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;
- Signal processing equipment including analog protection system, field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and
- Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.
Field Transmitters or Sensors
To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS).
In some cases, the same channels also provide control system inputs.
To account for calibration tolerances and instrument drift, which is assumed to occur between calibrations, statistical allowances are provided in the NOMINAL TRIP SETPOINT and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.
McGuire Unit 2 B 3.3.2-1 Revision No. 119
Signal Processing Equipment
Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision logic processing. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.
Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.
Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation.
These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in the UFSAR.
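The degraded two-out-of-three configurations described above, and under Condition P for RWST Level-Low, can be checked by enumerating single failures. This is an added example, not part of the Bases; the state names and functions are illustrative assumptions, and it models only the level-channel coincidence, not the SI permissive.

```python
from enum import Enum


class State(Enum):
    OPERABLE = "operable"  # bistable trips when, and only when, the setpoint is crossed
    TRIPPED = "tripped"    # output held in trip (placed in trip, or failed toward trip)
    NO_TRIP = "no_trip"    # inoperable in the non-trip direction: never votes


VOTES_REQUIRED = 2  # two-out-of-three coincidence


def effective_logic(channels):
    """Describe the coincidence the remaining OPERABLE channels must satisfy."""
    tripped = sum(c is State.TRIPPED for c in channels)
    operable = sum(c is State.OPERABLE for c in channels)
    needed = max(VOTES_REQUIRED - tripped, 0)
    return f"{needed}-out-of-{operable}"


def actuates(channels, demand):
    """True if the Function actuates; demand=True means the process
    parameter has really crossed the setpoint."""
    votes = sum(c is State.TRIPPED for c in channels)
    if demand:
        votes += sum(c is State.OPERABLE for c in channels)
    return votes >= VOTES_REQUIRED


def single_failure_effects(channels):
    """Fail each OPERABLE channel in turn, in each direction, and report
    whether any one failure defeats or spuriously causes actuation."""
    loses_function = spurious_actuation = False
    for i, state in enumerate(channels):
        if state is not State.OPERABLE:
            continue
        for failure in (State.NO_TRIP, State.TRIPPED):
            failed = list(channels)
            failed[i] = failure
            if not actuates(failed, demand=True):
                loses_function = True
            if actuates(failed, demand=False):
                spurious_actuation = True
    return {"loses_function": loses_function,
            "spurious_actuation": spurious_actuation}


O, T, N = State.OPERABLE, State.TRIPPED, State.NO_TRIP

if __name__ == "__main__":
    for label, cfg in [("all operable", [O, O, O]),
                       ("one failed, not tripped", [N, O, O]),
                       ("one placed in trip", [T, O, O])]:
        print(label, effective_logic(cfg), single_failure_effects(cfg))
```

With one channel placed in trip, the result shows no single failure can prevent actuation, but a second channel failing toward trip actuates the Function without a real demand, which is the premature swapover case that the 48 hour Completion Time in Condition P addresses.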
Trip Setpoints and Allowable Values
The NOMINAL TRIP SETPOINTS are the nominal values at which the bistables are set. Any bistable is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION tolerance.
The NOMINAL TRIP SETPOINTS used in the bistables are based on the analytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIP SETPOINTS is such that adequate protection is provided when all sensor and processing time delays, calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5) are taken into account. The actual as-left Setpoint entered into the bistable assures that the actual trip occurs before the Allowable Value is reached. The Allowable Value accounts for changes in random measurement errors detectable by a COT. One example of such a change in measurement error is drift during the surveillance interval. If the point at which the loop trips does not exceed the Allowable Value, the loop is considered OPERABLE.
A trip within the Allowable Value ensures that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.
Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.
The NOMINAL TRIP SETPOINTS and Allowable Values listed in Table 3.3.2-1 incorporate all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NOMINAL TRIP SETPOINT. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.
Solid State Protection System
The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result.
Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.
The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.
The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.
Each SSPS train has a built in testing device that can test the decision logic matrix functions and the actuation devices while the unit is at power.
When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.
The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.
APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY
Each of the analyzed accidents can be detected by one or more ESFAS Functions. One of the ESFAS Functions is the primary actuation signal for that accident. An ESFAS Function may be the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).
The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.
The LCO generally requires OPERABILITY of three or four channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.
The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:
1. Safety Injection
Safety Injection (SI) provides two primary functions:
1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200°F); and
These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment.
The SI signal is also used to initiate other Functions such as:
- Phase A Isolation;
- Containment Purge and Exhaust Isolation;
- Feedwater Isolation;
- Start of motor driven auxiliary feedwater (AFW) pumps;
- Control room area ventilation isolation;
- Enabling automatic switchover of Emergency Core Cooling Systems (ECCS) suction to containment sump;
- Start of annulus ventilation system filtration trains;
- Start of auxiliary building filtered ventilation exhaust system trains;
- Start of diesel generators;
- Start of nuclear service water system pumps; and
- Start of component cooling water system pumps.
These other functions ensure:
- Isolation of nonessential systems through containment penetrations;
- Trip of the turbine and reactor to limit power generation;
- Start of AFW to ensure secondary side cooling capability;
- Isolation of the control room to ensure habitability;
- Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low RWST level to ensure continued cooling via use of the containment sump;
- Starting of annulus ventilation and auxiliary building filtered ventilation to limit offsite releases;
- Starting of diesel generators for loss of offsite power considerations; and
- Starting of component cooling water and nuclear service water systems for heat removal.
a. Safety Injection-Manual Initiation
The LCO requires one channel per train to be OPERABLE.
The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in the same manner as any of the automatic actuation signals.
The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.
Each train consists of one push button and the interconnecting wiring to the actuation logic cabinet. This configuration does not allow testing at power.
- b. Safety Injection-Automatic Actuation Logic and Actuation Relays
This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.
Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.
These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- c. Safety Injection-Containment Pressure-High
This signal provides protection against the following accidents:
- SLB inside containment;
- LOCA; and
- Feed line break inside containment.
Containment Pressure-High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.
Containment Pressure-High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.
- d. Safety Injection-Pressurizer Pressure-Low Low
This signal provides protection against the following accidents:
- Inadvertent opening of a steam generator (SG) relief or safety valve;
- SLB;
- A spectrum of rod cluster control assembly ejection accidents (rod ejection);
- Inadvertent opening of a pressurizer relief or safety valve;
- LOCAs; and
- SG Tube Rupture.
Pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.
This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint. Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High signal.
This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.
- 2. Containment Spray
Containment Spray provides two primary functions:
- 1. Lowers containment pressure and temperature after an HELB in containment; and
- 2. Reduces the amount of radioactive iodine in the containment atmosphere.
These functions are necessary to:
- Ensure the pressure boundary integrity of the containment structure; and
- Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure.
The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the containment spray pumps. When the RWST reaches the low low level setpoint, the spray pump suctions are manually shifted to the containment sump if continued containment spray is required.
Containment spray is actuated manually or by Containment Pressure-High High.
- a. Containment Spray-Manual Initiation
There are two manual containment spray switches, one per train, in the control room. Turning the switch will actuate the associated containment spray train in the same manner as the automatic actuation signal. Two Manual Initiation switches, one per train, are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B containment isolation. Two train actuation requires operation of both Train A and Train B manual containment spray switches.
- b. Containment Spray-Automatic Actuation Logic and Actuation Relays
Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6 there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.
- c. Containment Spray-Containment Pressure - High High
This signal provides protection against a LOCA or an SLB inside containment.
This is one of the only Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.
Containment Pressure-High High uses four channels in a two-out-of-four logic configuration. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip. Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6 there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure-High High setpoints.
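The channel-count and energize-to-trip reasoning given for Functions 1.c, 1.d and 2.c can be checked with a small coincidence-logic model. This is an added example, not part of the Bases document: the channel states, the `votes` rule and the treatment of a bypassed channel as contributing no vote are modelling assumptions.

```python
from enum import Enum


class Ch(Enum):
    """Assumed channel states for this illustration."""
    NORMAL = 1      # operable, process variable on the safe side of the setpoint
    DEMAND = 2      # operable, process variable past the setpoint
    FAILED = 3      # failed so that it never votes (non-conservative failure)
    LOST_POWER = 4  # bistable has lost its power supply
    IN_TRIP = 5     # inoperable channel placed in trip
    BYPASSED = 6    # inoperable channel placed in bypass


def votes(state, energize_to_trip):
    """True if this channel presents a trip input to the coincidence logic."""
    if state in (Ch.DEMAND, Ch.IN_TRIP):
        return True
    if state is Ch.LOST_POWER:
        # De-energize-to-trip: a dead bistable looks like a trip.
        # Energize-to-trip: a dead bistable cannot produce an output.
        return not energize_to_trip
    return False


def actuates(channels, required=2, energize_to_trip=False):
    """Two-out-of-N coincidence by default."""
    return sum(votes(c, energize_to_trip) for c in channels) >= required


def demand_with_failures(n_channels, feeds_control):
    """Real demand with one single failure, plus one more lost channel when
    the failed input is also the one that upset the control system."""
    failures = [Ch.FAILED]
    if feeds_control:
        failures.append(Ch.FAILED)
    healthy = [Ch.DEMAND] * (n_channels - len(failures))
    return actuates(failures + healthy)


def loss_of_all_power(energize_to_trip):
    """All four bistables lose power with no real demand present."""
    return actuates([Ch.LOST_POWER] * 4, energize_to_trip=energize_to_trip)


def one_spurious_trip(inoperable_state):
    """One inoperable channel, one spurious trip, two healthy channels."""
    channels = [inoperable_state, Ch.DEMAND, Ch.NORMAL, Ch.NORMAL]
    return actuates(channels, energize_to_trip=True)


def real_demand_with_bypass():
    """One channel bypassed and one failed; the other two see the event."""
    channels = [Ch.BYPASSED, Ch.FAILED, Ch.DEMAND, Ch.DEMAND]
    return actuates(channels, energize_to_trip=True)


if __name__ == "__main__":
    print("2oo3, no control input, single failure:",
          demand_with_failures(3, feeds_control=False))
    print("2oo3, control input, single failure:   ",
          demand_with_failures(3, feeds_control=True))
    print("2oo4, control input, single failure:   ",
          demand_with_failures(4, feeds_control=True))
    print("loss of power, de-energize-to-trip:    ",
          loss_of_all_power(energize_to_trip=False))
    print("loss of power, energize-to-trip:       ",
          loss_of_all_power(energize_to_trip=True))
    print("spurious trip, inoperable in trip:     ",
          one_spurious_trip(Ch.IN_TRIP))
    print("spurious trip, inoperable in bypass:   ",
          one_spurious_trip(Ch.BYPASSED))
    print("real demand, one bypassed + one failed:",
          real_demand_with_bypass())
```
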
- 3. Containment Isolation
Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.
There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW) and Nuclear Service Water System (NSWS) to RCP motor air coolers, at a relatively low containment pressure indicative of primary or secondary system leaks. For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CCW and NSWS are required to support RCP operation, not isolating CCW and NSWS on the low pressure Phase A signal enhances unit safety by allowing operators to use forced RCS circulation to cool the unit. Isolating CCW and NSWS on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.
Phase A containment isolation is actuated automatically by SI, or manually via the actuation circuitry. All process lines penetrating containment, with the exception of CCW and NSWS, are isolated.
CCW is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.
Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates its associated train.
The Phase B signal isolates CCW and NSWS. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable. Isolating the CCW and NSWS at the higher pressure does not pose a challenge to the containment boundary because the CCW System and NSWS are closed loops inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the systems are continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint.
Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of CCW System and NSWS design and Phase B isolation ensures there is not a potential path for radioactive release from containment.
Phase B containment isolation is actuated by Containment Pressure-High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-High High, a large break LOCA or SLB must have occurred and containment spray must have been actuated. RCP operation will no longer be required and CCW to the RCPs and NSWS to the RCP motor coolers is, therefore, no longer necessary. The RCPs can be operated with seal injection flow alone and without CCW flow to the thermal barrier heat exchanger.
Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.
- a. Containment Isolation-Phase A Isolation
(1) Phase A Isolation-Manual Initiation
Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains.
(2) Phase A Isolation-Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase A Isolation-Safety Injection
Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function.
Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.
- b. Containment Isolation-Phase B Isolation
Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same channels that actuate Containment Spray, Function 2). The Containment Pressure trip of Phase B Containment Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.
(1) Phase B Isolation-Manual Initiation
(2) Phase B Isolation-Automatic Actuation Logic and Actuation Relays
Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. In MODE 4, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the manual actuation push buttons. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase B Isolation-Containment Pressure - High High
The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.
- 4. Steam Line Isolation
Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.
Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.
- a. Steam Line Isolation-Manual Initiation
Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two system level switches in the control room and either switch can initiate action to immediately close all MSIVs. The LCO requires two channels to be OPERABLE. Individual valves may also be closed using individual hand switches in the control room. The LCO requires four individual channels to be OPERABLE.
- b. Steam Line Isolation-Automatic Actuation Logic and Actuation Relays
Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.
- c. Steam Line Isolation-Containment Pressure-High High
This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain three unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. The Containment Pressure - High High function is described in ESFAS Function 2.c.
Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure-High High setpoint.
- d. Steam Line Isolation-Steam Line Pressure
(1) Steam Line Pressure-Low
Steam Line Pressure-Low provides closure of the MSIVs in the event of an SLB to maintain three unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment.
This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.
Steam Line Pressure-Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-11), with any main steam valve open, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure-High High. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure-Negative Rate-High signal for Steam Line Isolation below P-11 when Steam Line Isolation Steam Line Pressure-Low has been manually blocked. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closed and de-activated. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.
(2) Steam Line Pressure-Negative Rate-High
Steam Line Pressure-Negative Rate-High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure-Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure-Negative Rate-High signal is automatically enabled. Steam Line Pressure-Negative Rate-High provides no input to any control functions.
Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.
Steam Line Pressure-Negative Rate-High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure-Low signal is automatically enabled. The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.
- 5. Turbine Trip and Feedwater Isolation
The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, stop the excessive flow of feedwater into the SGs, and to limit the energy released into containment. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows. Feedwater isolation serves to limit the energy released into containment upon a feedwater line or steam line break inside containment.
The Functions are actuated when the level in any SG exceeds the high high setpoint, and perform the following functions:
- Trips the main turbine;
- Trips the MFW pumps; and
- Initiates feedwater isolation (shuts the MFW control valves, bypass feedwater control valves, feedwater isolation valves, and the MFW to AFW nozzle bypass valves).
Turbine Trip and Feedwater Isolation signals are both actuated by SG Water Level-High High, or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. A Feedwater Isolation signal is also generated by a reactor trip (P-4) coincident with Tavg-Low and on a high water level in the reactor building doghouse. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was discussed previously.
- a. Turbine Trip
(1) Turbine Trip-Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
(2) Turbine Trip-Steam Generator Water Level-High High (P-14)
This signal prevents damage to the turbine due to water in the steam lines. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Only three protection channels are necessary to satisfy the protective requirements. The setpoints are based on percent of narrow range instrument span.
(3) Turbine Trip-Safety Injection
Turbine Trip is also initiated by all Functions that initiate SI. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.
Item 5.a.(1) is referenced for the applicable MODES.
The Turbine Trip Function must be OPERABLE in MODES 1 and 2. In lower MODES, the turbine generator is not in service and this Function is not required to be OPERABLE.
- b. Feedwater Isolation
(1) Feedwater Isolation-Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
(2) Feedwater Isolation-Steam Generator Water Level-High High (P-14)
This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Only three protection channels are necessary to satisfy the protective requirements. The setpoints are based on percent of narrow range instrument span.
(3) Feedwater Isolation-Safety Injection
Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1.
Instead Function 1, SI, is referenced for all initiating functions and requirements. Item 5.b.(1) is referenced for the applicable MODES.
(4) Feedwater Isolation - RCS Tavg-Low Coincident With Reactor Trip (P-4)
This signal provides protection against excessive cooldown, which could subsequently introduce a positive reactivity excursion after a plant trip. There are four channels of RCS Tavg-Low (one per loop), with a two-out-of-four logic required coincident with a reactor trip signal (P-4) to initiate a feedwater isolation.
The P-4 interlock is discussed in Function 8.a.
(5) Turbine Trip and Feedwater Isolation - Doghouse Water Level - High High
This signal initiates a Feedwater Isolation. The signal terminates forward feedwater flow in the event of a postulated pipe break in the main feedwater piping in the doghouses to prevent flooding safety related equipment essential to the safe shutdown of the plant.
The level instrumentation consists of six level switches (three per train) in each of the two reactor building doghouses. A high-high level detected by two-out-of-three switches in either train in the inboard or outboard doghouse will initiate a feedwater isolation. This signal initiates Feedwater Isolation for the specific doghouse where the High-High level is detected and trips both main feedwater pumps thus causing a main turbine trip.
The Feedwater Isolation Function must be OPERABLE in MODES 1 and 2 and also in MODE 3 (except for the functions listed in Table 3.3.2-1).
Feedwater Isolation is not required OPERABLE when all MFIVs, MFCVs, and associated bypass valves are closed and de-activated or isolated by a closed manual valve. In lower MODES, the MFW System is not in service and this Function is not required to be OPERABLE.
- 6. Auxiliary Feedwater
The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump, making it available during normal and accident operation. The normal source of water for the AFW System is the non-safety related AFW Storage Tank (Water Tower). A low suction pressure to the AFW pumps will automatically realign the pump suctions to the Nuclear Service Water System (NSWS) (safety related). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.
- a. Auxiliary Feedwater-Automatic Actuation Logic and Actuation Relays
Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.
- b. Auxiliary Feedwater-Steam Generator Water Level-Low Low
SG Water Level-Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low Low provides input to the SG Level Control System.
Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic. The setpoints are based on percent of narrow range instrument span.
SG Water Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level - Low Low in any two operating SGs will cause the turbine driven pumps to start.
- c. Auxiliary Feedwater-Safety Injection
An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
- d. Auxiliary Feedwater-Station Blackout
A loss of power or degraded voltage to the service buses will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of power or degraded voltage is detected by a voltage drop on each essential service bus. Loss of power or degraded voltage to either essential service bus will start the turbine driven and motor driven AFW pumps to ensure that at least two SGs contain enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. The turbine driven pump does not start on a loss of power coincident with a SI signal.
Functions 6.a through 6.d must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.
- e. Auxiliary Feedwater-Trip of All Main Feedwater Pumps
A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Two contacts are provided in series (one from each MFW pump) in the starting circuit for each AFW pump. A trip of all MFW pumps closes both contacts and starts the motor driven AFW pumps to ensure that at least two SGs are available with water to act as the heat sink for the reactor. This function must be OPERABLE in MODES 1 and 2. This ensures that at least two SGs are provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident.
In MODES 3, 4, and 5, the MFW pumps are normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.
- f. Auxiliary Feedwater-Pump Suction Transfer on Suction Pressure-Low A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the non-safety related AFW Storage Tank (Water Tower).
Two pressure switches per train are located on the AFW pump suction line. The turbine driven AFW pump has a total of four switches. A low pressure signal sensed by two-out-of-two switches on either train will cause the emergency supply of water for the pump to be aligned. The NSWS (safety grade) is then lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain at least two of the SGs as the heat sink for reactor decay heat and sensible heat removal.
This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.
- 7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps.
Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability.
- a. Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-Low Coincident With Safety Injection During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with three level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-three logic is adequate to initiate the protection function actuation.
Automatic switchover occurs only if the RWST low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump.
The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements. These Functions must be OPERABLE in MODES 1, 2, and 3 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.
- 8. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
- a. Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Operators are able to reset SI 60 seconds after initiation. If a P-4 is present when SI is reset, subsequent automatic SI initiation will be blocked until the RTBs have been manually closed. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete while avoiding multiple SI initiations. The functions of the P-4 interlock are:
- Trip the main turbine;
Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip.
An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.
None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other three Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.
The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts.
Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value.
This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine and the MFW System are not in operation.
- b. Engineered Safety Feature Actuation System Interlocks-Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal (previously discussed).
When the Steam Line Pressure-Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure-Negative Rate-High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure-Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure-Negative Rate-High is disabled.
This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.
- c. Engineered Safety Feature Actuation System Interlocks-Tavg-Low Low, P-12 On increasing reactor coolant temperature, the P-12 interlock provides an arming signal to the Steam Dump System. On a decreasing temperature, the P-12 interlock removes the arming signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System.
Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. These channels are used in two-out-of-four logic.
This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have an accident.
- 9. Containment Pressure Control System Permissives The Containment Pressure Control System (CPCS) protects the Containment Building from excessive depressurization by preventing inadvertent actuation or continuous operation of the Containment Spray and Containment Air Return Systems when containment pressure is at or less than the CPCS permissive setpoint. The control scheme of CPCS is comprised of eight independent control circuits (4 per train), each having a separate and independent pressure transmitter and current alarm module. Each pressure transmitter monitors the containment pressure and provides input to its respective current alarm. The current alarms are set to inhibit or terminate containment spray and containment air return fan operation when containment pressure falls below the setpoint.
The alarm modules switch back to the permissive state (allowing the systems to operate) when containment pressure is greater than or equal to the setpoint.
This function must be OPERABLE in MODES 1, 2, 3, and 4 when there is sufficient energy in the primary and secondary sides to pressurize containment following a pipe break. In MODES 5 and 6, there is insufficient energy in the primary and secondary sides to significantly pressurize the containment.
The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6).
ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
A channel shall be OPERABLE if the point at which the channel trips is found equal to or more conservative than the Allowable Value. In the event a channel's trip setpoint is found less conservative than the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by the channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. If plant conditions warrant, the trip setpoint may be set outside the NOMINAL TRIP SETPOINT calibration tolerance band as long as the trip setpoint is conservative with respect to the NOMINAL TRIP SETPOINT.
If the trip setpoint is found outside the NOMINAL TRIP SETPOINT calibration tolerance band and non-conservative with respect to the NOMINAL TRIP SETPOINT, the setpoint shall be re-adjusted.
When the number of inoperable channels in a trip function exceeds those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1 and B.2.2 Condition B applies to manual initiation of:
- SI;
- Containment Spray;
- Phase A Isolation; and
- Phase B Isolation.
This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable.
Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (54 hours total time) and in MODE 5 within an additional 30 hours (84 hours total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
C.1, C.2.1 and C.2.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:
- SI;
- Phase A Isolation; and
- Phase B Isolation.
This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing, provided the other train is OPERABLE. The Required Actions are not required to be met during this time, unless the train is discovered inoperable during the testing. This allowance is based on the reliability analysis assumption of WCAP-10271-P-A (Ref. 7) that 4 hours is the average time required to perform train surveillance.
If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.
D.1, D.2.1, and D.2.2 Condition D applies to:
- Containment Pressure-High;
- Pressurizer Pressure-Low Low;
- Steam Line Pressure-Low;
- Steam Line Pressure-Negative Rate-High;
- SG Water Level-Low Low, and
- Loss of offsite power.
If one channel is inoperable, 72 hours are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic.
Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. The 72 hours allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 10.
Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 12 hours allowed for testing are justified in Reference 10.
E.1, E.2.1, and E.2.2 Condition E applies to:
- Containment Spray Containment Pressure - High High;
- Containment Phase B Isolation Containment Pressure - High-High, and
- Steam Line Isolation Containment Pressure - High High.
None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped.
Note that one channel may be bypassed and still satisfy the single failure criterion.
Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.
To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours, requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours for surveillance testing. Placing a second channel in the bypass condition for up to 12 hours for testing purposes is acceptable based on the results of Reference 10.
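The redundancy argument behind Conditions D and E can be checked with a small voting model. This is an added example, not part of the licensee's document; the channel-state names, the function names, and the assumption that an inoperable channel contributes no trip vote are illustrative.

```python
from enum import Enum


class Ch(Enum):
    OPERABLE = "operable"      # votes according to the measured process
    INOPERABLE = "inoperable"  # assumption: contributes no trip vote
    TRIPPED = "tripped"        # vote forced to the trip state
    BYPASSED = "bypassed"      # removed from the vote


REQUIRED_VOTES = 2  # both designs discussed actuate on two coincident votes


def votes(states, demand, failed=None, failure_vote=False):
    """Count trip votes. `failed` is the index of one OPERABLE channel whose
    vote is forced to `failure_vote` (the postulated single failure)."""
    total = 0
    for i, state in enumerate(states):
        if state is Ch.TRIPPED:
            total += 1
        elif state is Ch.OPERABLE:
            total += int(failure_vote if i == failed else demand)
    return total


def effective_logic(states):
    """Return (m, n): m further votes needed out of n operable channels."""
    tripped = sum(s is Ch.TRIPPED for s in states)
    operable = sum(s is Ch.OPERABLE for s in states)
    return max(REQUIRED_VOTES - tripped, 0), operable


def assess(states):
    """Check the two properties the Bases weigh against each other."""
    operable = [i for i, s in enumerate(states) if s is Ch.OPERABLE]
    # Real demand, one operable channel fails to vote: does the Function act?
    defeated = votes(states, demand=True) < REQUIRED_VOTES or any(
        votes(states, True, i, False) < REQUIRED_VOTES for i in operable)
    # No demand, one operable channel fails high: does the Function act?
    spurious = any(
        votes(states, False, i, True) >= REQUIRED_VOTES for i in operable)
    m, n = effective_logic(states)
    return {
        "logic": f"{m}-out-of-{n}",
        "actuates_despite_single_failure": not defeated,
        "no_spurious_on_single_failure": not spurious,
    }


O, I, T, B = Ch.OPERABLE, Ch.INOPERABLE, Ch.TRIPPED, Ch.BYPASSED

# Constructed configurations matching the cases described in the text.
CASES = {
    "2oo3, all operable": [O, O, O],
    "2oo3, one inoperable, not tripped": [I, O, O],
    "2oo3, inoperable channel tripped (Condition D)": [T, O, O],
    "2oo4, inoperable channel bypassed (Condition E)": [B, O, O, O],
    "2oo4, inoperable channel tripped instead": [T, O, O, O],
}

if __name__ == "__main__":
    for name, states in CASES.items():
        print(f"{name}: {assess(states)}")
```
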
F.1, F.2.1, and F.2.2 Condition F applies to:
- Manual Initiation of Steam Line Isolation; and
- P-4 Interlock.
For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. If a train or channel is inoperable, 48 hours is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.
G.1 and G.2 Condition G applies to manual initiation of Steam Line Isolation.
This action addresses the operability of the manual steam line isolation function for each individual main steam isolation valve. If a channel is inoperable, 48 hours is allowed to return it to an OPERABLE status. If the train cannot be restored to OPERABLE status, the Conditions and Required Actions of LCO 3.7.2, "Main Steam Isolation Valves," must be entered for the associated inoperable valve. The specified Completion Time is reasonable considering that there is a system level manual initiation train for this Function and the low probability of an event occurring during this interval.
H.1, H.2.1 and H.2.2 Condition H applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Feedwater Isolation, and AFW actuation Functions.
The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.
Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.
The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours is the average time required to perform channel surveillance.
If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.
I.1 and I.2 Condition I applies to the automatic actuation logic and actuation relays for the Turbine Trip Function.
This action addresses the train orientation of the SSPS and the master and slave relays for this Function. If one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the following 6 hours. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 10. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. These Functions are no longer required in MODE 3. Placing the unit in MODE 3 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.
The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 7) assumption that 4 hours is the average time required to perform channel surveillance.
If an individual SSPS slave relay or slave relay contact is incapable of actuating, then the equipment operated by the slave relay or slave relay contact is inoperable. An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.
J.1 and J.2 Condition J applies to:
- SG Water Level-High High (P-14) for the Turbine Trip Function; and
- Tavg-Low.
If one channel is inoperable, 72 hours are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. If placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. The 72 hours allowed to restore the channel to OPERABLE status or to place it in the tripped condition is justified in Reference 10. Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit to be placed in MODE 3 within the following 6 hours. The allowed Completion Time of 78 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.
The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The note also allows an OPERABLE channel to be placed in bypass for up to 12 hours for testing of the bypassed channel. However, only one channel may be placed in bypass at any one time. The 72 hours allowed to place the inoperable channel in the tripped condition, and the 12 hours allowed for a channel to be in the bypassed condition for testing, are justified in Reference 10.
K.1 and K.2 Condition K applies to the AFW pump start on trip of all MFW pumps.
This action addresses the relay contact orientation for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 1 hour is allowed to place the channel in trip. If placed in the tripped condition, the function is then in a partial trip condition where a one-out-of-one logic will result in actuation. If the channel is not placed in trip within 1 hour, 6 hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.
L.1 Condition L applies to the Doghouse Water Level - High High.
The failure of one required channel in one train in either reactor building doghouse results in a loss of redundancy for the function. The function can still be initiated by the remaining operable train. The inoperable train is required to be restored to OPERABLE status within 72 hours, or continuous visual monitoring of the doghouse water level must be implemented in the following hour.
The allowed Completion Time is reasonable considering that the redundant train remains OPERABLE to initiate the function if required.
M.1, M.2.1 and M.2.2 Condition M applies to the Doghouse Water Level - High High.
The failure of two trains in either reactor building doghouse results in a loss of the function. Continuous visual monitoring of the doghouse water level must be implemented in the following hour.
The allowed Completion Time provides sufficient time for the operating staff to establish the required monitoring.
N.1 and N.2 Condition N applies to the Auxiliary Feedwater Pumps Suction Transfer on Suction Pressure Low.
If one or more channels on a single AFW pump is inoperable, 48 hours is allowed to restore the channel(s) to OPERABLE status or to declare the associated AFW pump inoperable. The failure of one or more channels on one pump disables the ability for the suction transfer on that pump.
The allowed Completion Times are reasonable, considering the remaining redundant pumps and transfer instrumentation.
O.1 Condition O applies to the Auxiliary Feedwater Pumps Suction Transfer on Suction Pressure Low.
If one or more channels on more than one AFW pump are inoperable, the ability for the suction transfer has been lost on multiple pumps. In this case, the associated AFW pumps must be declared inoperable immediately.
P.1 and P.2 Condition P applies to RWST Level-Low Coincident with Safety Injection.
RWST Level-Low Coincident with SI provides actuation of switchover to the containment sump. The inoperable channel shall be returned to OPERABLE status or placed in the trip condition within 1 hour. This Condition applies to a function that operates on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. The channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements. A channel placed in the trip condition shall be restored to OPERABLE status within 48 hours. With one channel in the trip condition, a single failure of another channel coincident with a design basis Loss of Coolant Accident (LOCA) could result in premature automatic swapover of ECCS pumps to the containment recirculation sump. For a failure leading to early swapover, plant analyses assume operators do not have sufficient time to resolve the problem prior to ECCS pump damage.
Consequently, as a result of this premature swapover, both trains of ECCS pumps could fail due to insufficient sump water level. This could prevent the ECCS pumps from performing their post-LOCA cooling function. The allowed Completion Time of 48 hours is reasonable since, based on operating experience, there is a very small probability of a random failure of another RWST level channel in a given 48 hour period.
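The coincidence-logic reasoning in the Condition P discussion can be checked with a small model. The following is an added example, not part of the Bases or of any plant software; the state names, the `EffectiveLogic` helper and the assumption that an inoperable, untripped channel cannot vote are illustrative.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ChannelState(Enum):
    """Illustrative channel states (names are assumptions, not plant terms)."""
    OPERABLE = "operable"      # votes when the parameter crosses its setpoint
    TRIPPED = "tripped"        # held in trip: a standing "actuate" vote
    INOPERABLE = "inoperable"  # failed and not tripped: assumed unable to vote


@dataclass(frozen=True)
class EffectiveLogic:
    needed: int     # further votes still required from operable channels
    available: int  # operable channels still able to vote

    def label(self) -> str:
        return f"{self.needed}-out-of-{self.available}"

    def tolerates_failure_to_trip(self) -> bool:
        """One operable channel may fail silent and the function still actuates."""
        return self.available - 1 >= self.needed

    def single_spurious_trip_actuates(self) -> bool:
        """At most one further vote is needed, so one spurious trip actuates."""
        return self.needed <= 1 and self.available >= 1


def effective_logic(votes_required: int, states: list[ChannelState]) -> EffectiveLogic:
    """Reduce an M-out-of-N function to what the operable channels must supply."""
    tripped = sum(s is ChannelState.TRIPPED for s in states)
    operable = sum(s is ChannelState.OPERABLE for s in states)
    return EffectiveLogic(max(votes_required - tripped, 0), operable)


def survey() -> dict[str, EffectiveLogic]:
    """The three configurations discussed for a two-out-of-three function."""
    ok, trip, bad = ChannelState.OPERABLE, ChannelState.TRIPPED, ChannelState.INOPERABLE
    cases = {
        "all operable": [ok, ok, ok],
        "one inoperable, not tripped": [bad, ok, ok],
        "one tripped": [trip, ok, ok],
    }
    return {name: effective_logic(2, states) for name, states in cases.items()}


if __name__ == "__main__":
    for name, eff in survey().items():
        print(f"{name:30s} {eff.label():12s} "
              f"tolerates failure-to-trip={eff.tolerates_failure_to_trip()} "
              f"single spurious trip actuates={eff.single_spurious_trip_actuates()}")
```

The one-tripped case shows both properties the Bases describe: redundancy against a channel failing to trip is restored, while a single spurious trip of a remaining channel now actuates the function.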
Q.1, Q.2.1 and Q.2.2 Condition Q applies to the P-11 and P-12 interlocks.
With one channel inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. The verification is performed by visual observation of the permissive status light in the unit control room. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour. The 1 hour Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.
R.1 Condition R applies to the Containment Pressure Control System Start and Terminate Permissives.
With one or more channels inoperable, the affected containment spray, containment air return fans, and hydrogen skimmer fans must be declared inoperable immediately. The supported system LCOs provide the appropriate Required Actions and Completion Times for the equipment made inoperable by the inoperable channel. The immediate Completion Time is appropriate since the inoperable channel could prevent the supported equipment from starting when required. Additionally, protection from an inadvertent actuation may not be provided if the terminate function is not OPERABLE.
S.1 and S.2 Condition S applies to RWST Level-Low Coincident with Safety Injection.
When Required Actions cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and MODE 4 within 12 hours of entering the Condition.
The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.
SURVEILLANCE REQUIREMENTS The SRs for each ESFAS Function are identified by the SRs column of Table 3.3.2-1.
A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.
Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined.
Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.
SR 3.3.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.
Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.3 SR 3.3.2.3 is the performance of a COT on the RWST level and Containment Pressure Control Start and Terminate Permissives.
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.4 SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The time allowed for the testing (4 hours) is justified in Reference 7. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.5 SR 3.3.2.5 is the performance of a COT.
A COT is performed on each required channel to ensure the channel will perform the intended Function. The tested portion of the loop must trip within the Allowable Values specified in Table 3.3.2-1.
The setpoint shall be left set consistent with the assumptions of the setpoint methodology.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.6 SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment.
Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT. This test is a check of the Manual Actuation Functions, AFW pump start, Reactor Trip (P-4) Interlock and Doghouse Water Level - High High feedwater isolation. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.
SR 3.3.2.8 SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.
The CHANNEL CALIBRATION may be performed at power or during refueling based on bypass testing capability. Channel unavailability evaluations in References 10 and 11 have conservatively assumed that the CHANNEL CALIBRATION is performed at power with the channel in bypass.
CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.
The applicable time constants are shown in Table 3.3.2-1.
SR 3.3.2.9 This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria are included in the UFSAR (Ref. 2). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).
For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate UFSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor types must be demonstrated either by test or by their equivalency to those listed in WCAP-13632-P-A, Revision 2. Any demonstration of equivalency must have been determined to be acceptable by NRC staff review.
WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.
The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours after reaching 900 psig in the SGs.
REFERENCES
- 1. UFSAR, Chapter 6.
- 2. UFSAR, Chapter 7.
- 3. UFSAR, Chapter 15.
- 4. IEEE-279-1971.
- 5. 10 CFR 50.49.
- 6. 10 CFR 50.36, Technical Specifications, (c)(2)(ii).
- 7. WCAP-10271-P-A, Supplement 1 and Supplement 2, Rev. 1, May 1986 and June 1990.
- 8. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" Sep., 1995.
- 9. WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests" Oct., 1998.
- 10. WCAP-14333-P-A, Revision 1, October 1998.
- 11. WCAP-15376-P-A, Revision 1, March 2003.