Text

McGuire, Units 1 and 2 - Technical Specification Bases, B 3.3.2, Revision 138, ESFAS Instrumentation
	ML15356A365
Person / Time
Site:	McGuire, Mcguire
Issue date:	12/10/2015
From:	; Duke Energy Carolinas
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML15356A365 (43)
	v • d • e

Distribution:

Duke En ryDate: L2J.EnergyDocument Transmittal

TR-NUC-MC-001706

1. Gardner, Troy RDO U E TT A S I ALF R :2. Mc Ginnis, Vickie L (At Mcguire)

D C M N R N M T A O M ~ Ju3. McCree, Victor M Released By:4. SCIENTECH CLAWI FL Facility:

MCGUIRE NUCLEAR STATION _J5. SERV BLDG FILE ROOM -SUBJECT 1322.5 Hagers Ferry Road6.USNCRGWSIGO,~MNS-TSB-B 3.3.2 ESFAS Instrumentation Document Manapiement

7. USNRC 0M8. WESTINGHOUSE ELEFCTRIC CO LLC Huntersville, NC 28078Pagel1of1 MNSDRMR~duke-energv.som Document ID 13 6 7 8LUCN -MC -MNS-TSB-B 3.3.2 -138 -ISSUED FYIIE FYIIE FYIIE R&AIE FYIIE R&AIE R&AIE R&AIERemarks:

RevisionI.38 ESFAS Instrumentation B 3.3.2B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASESBACKGROUND The ESFAS initiates necessary safety systems, based on the values ofselected unit parameters, to protect against violating core design limitsand the Reactor Coolant System (RCS) pressure

boundary, and tomitigate accidents.

The ESFAS instrumentation is segmented into three distinct butinterconnected modules as identified below:* Field transmitters or process sensors and instrumentation:

provide a measurable electronic signal based on the physicalcharacteristics of the parameter being measured;

Signal processing equipment including analog protection system,field contacts, and protection channel sets: provide signalconditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection systemdevices, and control board/control room/miscellaneous indications; and* Solid State Protection System (SSPS) including input, logic, andoutput bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logicand based on the bistable outputs from the signal process controland protection system.Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more thanone, and Often as many as four, field transmitters or sensors are used tomeasure unit parameters.

In many cases, field transmitters or sensorsthat input to the ESFAS are shared with the Reactor Trip System (RTS).In some cases, the same channels also provide control system inputs.To account for calibration tolerances and instrument drift, which isassumed to occur between calibrations, statistical allowances areprovided in the NOMINAL TRIP SETPOINT and Allowable Values. TheOPERABILITY of each transmitter or sensor can be evaluated when its"as found" calibration data are compared against its documented acceptance criteria.

McGuire Unit 1 and 2 B 3.3.2-1 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESBACKGROUND (continued)

Signal Processinaq Equipment Generally, three or four channels of process control equipment are usedfor the signal processing of unit parameters measured by the fieldinstruments.

The process control equipment provides signal conditioning, comparable output signals for instruments located on the main controlboard, and comparison of measured input signals with setpoints established by safety analyses.

These setpoints are defined in UFSAR,Chapter 6 (Ref. 1I), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If themeasured value of a unit parameter exceeds the predetermined

setpoint, an output from a bistable is forwarded to the SSPS for decision logicprocessing.

Channel separation is maintained up to and through theinput bays. However, not all unit parameters require four channels ofsensor measurement and signal processing.

Some unit parameters provide input only to the SSPS, while others provide input to the SSPS,the main control board, the unit computer, and one or more controlsystems.Generally, if a parameter is used only for input to the protection

circuits, three channels with a two-out-of-three logic are sufficient to provide therequired reliability and redundancy.

If one channel fails in a direction thatwould not result in a partial Function trip, the Function is still OPERABLEwith a two-out-of-two logic. If one channel fails such that a partialFunction trip occurs, a trip will not occur and the Function is stillOPERABLE with a one-out-of-two logic.Generally, if a parameter is used for input to the SSPS and a controlfunction, four channels with a two-out-of-four logic are sufficient to providethe required reliability and redundancy.

The circuit must be able towithstand both an input failure to the control system, which may thenrequire the protection function actuation, and a single failure in the otherchannels providing the protection function actuation.

Again, a singlefailure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 4). The actualnumber of channels required for each unit parameter is specified in theUFSAR.Trip .Setpoints and Allowable ValuesThe NOMINAL TRIP SETPOINTS are the nominal values at which thebistables are set. Any bistable is considered to be properly adjustedwhen the "as left" value is within the band for CHANNEL CALIBRATION tolerance...

McGuire Unit 1 and 2 B 3.3.2-2 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESBACKGROUND (continued)

The NOMINAL TRIP SETPOINTS used in the bistables are based on theanalytical limits (Ref. 1, 2, and 3). The selection of these NOMINAL TRIPSETPOINTS is such that adequate protection is provided when all sensorand processing time delays, calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for thoseESFAS channels that must function in harsh environments as defined by10 CFR 50.49 (Ref. 5) are taken into account.

The actual as-left Setpointentered into the bistable assures that the actual trip occurs before theAllowable Value is reached.

The Allowable Value accounts for changesin random measurement errors detectable by a COT. One example ofsuch a change in measurement error is drift during the surveillance interval.

If the point at which the loop trips does not exceed the Allowable Value, the loop is considered OPERABLE.

A trip within the Allowable Value ensures that the consequences ofDesign Basis Accidents (DBAs) will be acceptable, providing the unit isoperated from within the LCOs at the onset of the DBA and theequipment functions as designed.

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements.

Once a designated channel is taken out of service fortesting, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested,verified, and calibrated.

SRs for the channels are specified in the SRsection.The NOMINAL TRIP SETPOINTS and Allowable Values listed in Table3.3.2-1 incorporates all of the known uncertainties applicable for eachchannel.

The magnitudes of these uncertainties are factored into thedetermination of each NOMINAL TRIP SETPOINT.

All field sensors andsignal processing equipment for these channels are assumed to operatewithin the allowances of these uncertainty magnitudes.

Solid State Protection SystemThe SSPS equipment is used for the decision logic processing of outputsfrom the signal processing equipment bistables.

To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided.

If one train is taken out of service for maintenance or testpurposes, the second train will provide ESF actuation for the unit. If bothtrains are taken out of service or placed in test, a reactor trip will result.Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

McGuire Unit 1 and 2 B 3.3.2-3 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESBACKGROUND (continued)

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to themain control room of the unit.The bistable outputs from the signal processing equipment are sensed bythe SSPS equipment and combined into logic matrices that represent combinations indicative of various transients.

If a required logic matrixcombination is completed, the system will send actuation signals viamaster and slave relays to those components whose aggregate Functionbest serves to alleviate the condition and restore the unit to a safecondition.

Examples are given in the Applicable Safety Analyses, LCO,and Applicability sections of this Bases.Each SSPS train has a built in testing device that can test the decisionlogic matrix functions and the actuation devices while the unit is at power.When any one train is taken out of service for testing, the other train iscapable of providing unit monitoring and protection until the testing hasbeen completed.

The testing device is semiautomatic to minimize testingtime.The actuation of ESF components is accomplished through master andslave relays. The SSPS energizes the master relays appropriate for thecondition of the unit. Each master relay then energiZes one or more slaverelays, which then cause actuation of the end devices.

The master andslave relays are routinely tested to ensure operation.

The test of themaster relays energizes the relay, which then operates the contacts andapplies a low voltage to the associated slave relays. The low voltage isnot sufficient to actuate the slave relays but only demonstrates signalpath continuity.

The SLAVE RELAY TEST actuates the devices if theiroperation will not interfere with continued unit operation.

For the lattercase, actual component operation is prevented by the SLAVE RELAYTEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.APPLICABLE Each of the analyzed accidents can be detected by one or more ESFASSAFETY ANALYSES, Functions.

One of the ESFAS Functions is the primary actuation signalLCO, and for that accident.

An ESFAS Function may be the primary actuation APPLICABILITY signal for more than one type of accident.

An ESFAS Function may alsobe a secondary, or backup, actuation signal for one or more otheraccidents.

Functions such as manual initiation, not specifically creditedin the accident safety analysis, McGuire Unit I and 2 B 3.3.2-4 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) are qualitatively credited in the safety analysis and the NRC staffapproved licensing basis for the unit. These Functions may provideprotection for conditions that do not require dynamic transient analysis todemonstrate Function performance.

These Functions may also serve asbackups to Functions that were credited in the accident analysis (Ref. 3).The LCO requires all instrumentation performing an ESFAS Function tobe OPERABLE.

Failure of any instrument renders the affectedchannel(s) inoperable and reduces the reliability of the affectedFunctions.

The LCO generally requires OPERABILITY of three or four channels ineach instrumentation function and two channels in each logic and manualinitiation function.

The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped during maintenance ortesting without causing an ESFAS initiation.

Two logic or manualinitiation channels are required to ensure no single random failuredisables the ESFAS.The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents.

ESFAS protection functions are as follows:1. Safety Iniection Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance orrecovery of reactor vessel water level (coverage of the activefuel for heat removal, clad integrity, and for limiting peak cladtemperature to < 22000°F);

and2. Boration to ensure recovery and maintenance ofSDM (keff< 1.0).These functions are necessary to mitigate the effects of highenergy line breaks (HELBs) both inside and outside of containment.

The SI signal is also used to initiate other Functions such as:* Phase A Isolation;

Containment Purge and Exhaust Isolation; McGuire Unit 1 and 2 B 3.3.2-5 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Reactor Trip;* Turbine Trip;* Feedwater Isolation;

Start of motor driven auxiliary feedwater (AFW) pumps;* Control room area ventilation isolation;

Enabling automatic switchover of Emergency Core CoolingSystems (EGOS) suction to containment sump;* Start of annulus ventilation system filtration trains;* Start of auxiliary building filtered ventilation exhaust systemtrains;* Start of diesel generators;

Start of nuclear service water system pumps; and* Start of component cooling water system pumps.These other functions ensure:* Isolation of nonessential systems through containment penetrations;

Trip of the turbine and reactor to limit power generation;

Isolation of main feedwater (MFW) to limit secondary sidemass losses;* Start of AFW to ensure secondary side cooling capability;

Isolation of the control room to ensure habitability;

Enabling ECCS suction from the refueling water storagetank (RWST) switchover on low RWST level to ensurecontinued cooling via use of the containment sump;* Starting of annulus ventilation and auxiliary building filteredventilation to limit offsite releases; McGuire Unit 1 and 2 B 3.3.2-6 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Starting of diesel generators for loss of offsite powerconsiderations; and* Starting of component cooling water and nuclear servicewater systems for heat removal.a. Safety Iniection-Manual Initiation The LCO requires one channel per train to be OPERABLE.

The operator can initiate SI at any time by using either of twoswitches in the control room. This action will cause actuation of all components in the same manner as any of theautomatic actuation signals.The LCO for the Manual Initiation Function ensures theproper amount of redundancy is maintained in the manualESFAS actuation circuitry to ensure the operator has manualESFAS initiation capability.

Each train consists of one push button and theinterconnecting wiring to the actuation logic cabinet.

Thisconfiguration does not allow testing at power.b. Safety Iniection-Automatic Actuation Loqic andActuation RelaysThis LCO requires two trains to be OPERABLE.

Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contactsresponsible for actuating the ESF equipment.

Manual and automatic initiation of SI must be OPERABLE inMODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrantautomatic initiation of ESF systems.

In MODE 4, adequatetime is available to manually actuate required components inthe event of a DBA, but because of the large number ofcomponents actuated on a SI, actuation is simplified by theuse of the manual actuation push buttons.

Automatic actuation logic and actuation relays must be OPERABLE inMODE 4 to support system level manual initiation.

McGuire Unit 1 and 2 B 3.3.2-7 -Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) rhese Functions are not required to be OPERABLE inMODES 5 and 6 because there is adequate time for theoperator to evaluate unit conditions and respond by manuallystarting individual

systems, pumps, and other equipment tomitigate the consequences of an abnormal condition oraccident.

Unit pressure and temperature are very low andmany ESF components are administratively locked out orotherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.c. Safety I.niection-Containment Pressure-Higqh This signal provides protection against the following accidents:

SLB inside containment;

LOCA; and* Feed line break inside containment.

Containment Pressure-High provides no input tO any controlfunctions.

Thus, three OPERABLE channels are sufficient tosatisfy protective requirements with a two-out-of-three logic.Containment Pressure-High must be OPERABLE inMODES 1, 2, and 3 when there is sufficient energy in theprimary and secondary systems to pressurize thecontainment following a pipe break. In MODES 4, 5, and 6,there is insufficient energy in the primary or secondary systems to pressurize the containment to the design limit.d. Safety Iniection-Pressurizer Pressure-Low LowThis signal provides protection against the following accidents:

Inadvertent opening of a steam generator (SG) reliefor safety valve;* SLB;* A spectrum of rod cluster control assembly ejectionaccidents (rod ejection);

McGuire Unit I and 2 B 3.3.2-8 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Inadvertent opening of a pressurizer relief or safetyvalve;* LOCAs; and* SG Tube Rupture.Pressurizer pressure provides both control and protection functions:

input to the Pressurizer Pressure Control System,reactor trip, and SI. Therefore, the actuation logic must beable to withstand both an input failure to control system,which may then require the protection function actuation, anda single failure in the other channels providing the protection function actuation.

Thus, four OPERABLE channels arerequired to satisfy the requirements with a two-out-of-four logic.This Function must be OPERABLE in MODES 1, 2, and 3(above P-i11) to mitigate the consequences of an HELBinside containment.

This signal may be manually blocked bythe operator below the P-Il setpoint.

Automatic SI actuation below this pressure setpoint is then performed by theContainment Pressure-High signal.This Function is not required to be OPERABLE in MODE 3below the P-I1I setpoint.

Other ESF functions are used todetect accident conditions and actuate the ESF systems inthis MODE. In MODES 4, 5, and 6, this Function is notneeded for accident detection and mitigation.

2. Not Used3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment.

This Function is necessary to prevent orlimit the release of radioactivity to the environment in the event of alarge break LOCA.There are two separate Containment Isolation

signals, Phase A andPhase B. Phase A isolation isolates all automatically isolableprocess lines, except component cooling water (CCW) and NuclearService Water System (NSWS) to ROP motor air coolers, at arelatively low containment pressure indicative of primary orMcGuire Unit 1 and 2 B 3.3.2-9 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) secondary system leaks. For these types of events, forcedcirculation cooling using the reactor coolant pumps (RCPs) andSGs is the preferred (but not required) method of decay heatremoval.

Since 0GW and NSWS are required to support RCPoperation, not isolating CCW and NSWS on the low pressurePhase A signal enhances unit safety by allowing operators to useforced RCS circulation to cool the unit. Isolating CCW and NSWSon the low pressure signal may force the use of feed and bleedcooling, which could prove more difficult to control.Phase A containment isolation is actuated automatically by SI, ormanually via the actuation circuitry.

All process lines penetrating containment, with the exception of CCW and NSWS are isolated.

0GW is not isolated at this time to permit continued operation of theRCPs with cooling water flow to the thermal barrier heatexchangers and air or oil coolers.

All process lines not equippedwith remote operated isolation valves are manually closed, orotherwise

isolated, prior to reaching MODE 4.Manual Phase A Containment Isolation is accomplished by either oftwo switches in the control room. Either switch actuates itsassociated train.The Phase B signal isolates CCW and NSWS. This occurs at arelatively high containment pressure that is indicative of a largebreak LOCA or an SLB. For these events, forced circulation usingthe RCPs is no longer desirable.

Isolating the CCW and NSWS atthe higher pressure does not pose a challenge to the containment boundary because the 0CW System and NSWS are closed loopsinside containment.

Although some system components do notmeet all of the ASME Code requirements applied to thecontainment itself, the systems are continuously pressurized to apressure greater than the Phase B setpoint.

Thus, routineoperation demonstrates the integrity of the system pressureboundary for pressures exceeding the Phase B setpoint.

Furthermore, because system pressure exceeds the Phase Bsetpoint, any system leakage prior to initiation of Phase B isolation would be into containment.

Therefore, the combination of CCWSystem and NSWS design and Phase B isolation ensures there isnot a potential path for radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure-High High, or manually, via the automatic actuation logic,as previously discussed.

For containment pressure to reach avalue high enough to actuate Containment Pressure-High High, aLOCA or SLB must have occurred.

RCP operation will no longerMcGuire Unit 1 and 2 B 3.3.2-10 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) be required and CCW to the RCPs and NSWS to the RCP motorcoolers is, therefore, no longer necessary.

The RCPs can beoperated with seal injection flow alone and without CCW flow to thethermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished bypushbuttons on the Main Control Board.a. Containment Isolation-Phase A Isolation (1) Phase A Isolation-Manual Initiation Manual Phase A Containment Isolation is actuated byeither of two switches in the control room. Eitherswitch actuates both trains.(2) Phase A Isolation-Automatic Actuation Logqic and Actuation RelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the samemanner as described for ESFAS Function l .b.Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, whenthere is a potential for an accident to occur. In MODE 4,adequate time is available to manually actuate requiredcomponents in the event of a DBA, but because of the largenumber of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manualactuation push buttons.

Automatic actuation logic andactuation relays must be OPERABLE in MODE 4 to supportsystem level manual initiation.

In MODES 5 and 6, there isinsufficient energy in the primary or secondary systems topressurize the containment to require Phase A Containment Isolation.

There also is adequate time for the operator toevaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accidentconditions.

McGuire Unit 1 and 2 B 3.3.2-11 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(3) Phase A Isolation-Safety Injection Phase A Containment Isolation is also initiated by allFunctions that initiate SI. The Phase A Containment Isolation requirements for these Functions are thesame as the requirements for their SI function.

Therefore, the requirements are not repeated inTable 3.3.2-1.

Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

b. Containment Isolation-Phase B Isolation Phase B Containment Isolation is accomplished by ManualInitiation, Automatic Actuation Logic and Actuation Relays,and by Containment Pressure channels The Containment Pressure trip of Phase B Containment Isolation is energized to trip in order to minimize the potential of spurious trips thatmay damage the RCPs.(1) Phase B Isolation-Manual Initiation (2) Phase B Isolation-Automatic Actuation Lo~qic and Actuation RelaysManual and automatic initiation of Phase Bcontainment isolation must be OPERABLE inMODES 1, 2, and 3, when there is a potential for anaccident to occur. In MODE 4, adequate time isavailable to manually actuate required components inthe event of a DBA. However, because of the largenumber of components actuated on a Phase Bcontainment isolation, actuation is simplified by theuse of the manual actuation push buttons.

Automatic actuation logic and actuation relays must beOPERABLE in MODE 4 to support system levelmanual initiation.

In MODES 5 and 6, there isinsufficient energy in the primary or secondary systems to pressurize the containment to requireMcGuire Unit 1 and 2 B 3.3.2-12 Revision No. 138 ESFAS Instrumentation B 3.3.2* BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Phase B containment isolation.

There also isadequate time for the operator to evaluate unitconditions and manually actuate individual isolation valves in response to abnormal or accidentconditions.

(3) Phase B Isolation-Containment Pressure

-Higqh HigqhThe basis for containment pressure MODEapplicability is as discussed for ESFAS Function 1 .cabove.4. Steam Line Isolation Isolation of the main steam lines provides protection in the event ofan SLB inside or outside containment.

Rapid isolation of the steamlines will limit the steam break accident to the blowdown from oneSG, at most. For an SLB upstream of the main steam isolation valves (MSIVs),

inside or outside of containment, closure of theMSIVs limits the accident to the blowdown from only the affectedSG. For an SLB downstream of the MSIVs, closure of the MSIVsO terminates the accident as soon as the steam lines depressurize.

Steam Line Isolation also mitigates the effects of a feed line breakand ensures a source of steam for the turbine driven AFW pumpduring a feed line break.a. Steam Line Isolation-Manual Initiation Manual initiation of Steam Line Isolation can beaccomplished from the control room. There are two systemlevel switches in the control room and either switch caninitiate action to immediately close all MSIVs. The LCOrequires two channels to be OPERABLE.

Individual valvesmay also be closed using individual hand switches in the~control room. The LCO requires four individual channels tobe OPERABLE.

b. Steam Line Isolation-Automatic Actuation Logicand Actuation RelaysAutomatic actuation logic and actuation relays consist of thesame features and operate in the same manner as described for ESFAS Function 1.b.O McGuire Unit I and 2 B 3.3.2-13 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Manual and automatic initiation of steam line isolation must beOPERABLE in MODES 1, 2, and 3 when there is sufficient energyin the RCS and SGs to have an SLB or other accident.

This couldresult in the release of significant quantities of energy and cause acooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSIVs are closedand de-activated.

In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accidentreleasing significant quantities of energy.c. Steam Line Isolation-Containment Pressure-High High.This Function actuates closure of the MSIVs in the event of aLOCA or an SLB inside containment to maintain threeunfaulted SGs as a heat sink for the reactor, and to limit themass and energy release to containment.

Containment Pressure-High High must be OPERABLE inMODES 1, 2, and 3, when there is sufficient energy in theprimary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment

pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Functionremains OPERABLE in MODES 2 and 3 unless all MSIVsare closed and de-activated.

In MODES 4, 5, and 6, there isinsufficient energy in the primary and secondary sides topressurize the containment to the design limit.Id. Steam Line Isolation-Steam Line Pressure(1) Steam Line Pressure-Low Steam Line Pressure-Low provides closure of theMSIVs in the event of an SLB to maintain threeunfaulted SGs as a heat sink for the reactor, and tolimit the mass and energy release to containment.

This Function provides closure of the MSIVs in theevent of a feed line break to ensure a supply of steamfor the turbine driven AFW pump.McGuire Unit 1 and 2 B 3.3.2-14 Revision No. 138 ESFAS Instrumentation B 3.3.2S BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam Line Pressure-Low Function must be OPERABLE inMODES 1, 2, and 3 (above P-il), with any main steam valveopen, when a secondary side break or stuck open valve couldresult in the rapid depressurization of the steam lines. Thissignal may be manually blocked by the operator below the P-11 setpoint.

Below P-Il, an inside containment SLB will beterminated by automatic actuation via Containment Pressure-High High. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line Pressure-Negative Rate-High signal for Steam Line Isolation below P-i11 whenSteam Line Isolation Steam Line Pressure-Low has beenmanually blocked.

The Steam Line Isolation Function isrequired in MODES 2 and 3 unless all MSIVs are closed andde-activated.

This Function is not required to be OPERABLEin MODES 4, 5, and 6 because there is insufficient energy inthe secondary side of the unit to have an accident.

(2) Steam Line Pressure-Negqative Rate-Hipqh O Steam Line Pressure-Negative Rate-High provides closure ofthe MSIVs for an SLB when less than the P-I11 setpoint, tomaintain at least one unfaulted SG as a heat sink for thereactor, and to limit the mass and energy release tocontainment.

When the operator manually blocks the SteamLine Pressure-Low main steam isolation signal when less thanthe P-Il setpoint, the Steam Line Pressure-Negative Rate-High signal is automatically enabled.

Steam Line Pressure-Negative Rate-High provides no input to any control functions.

Thus, three OPERABLE channels are sufficient to satisfyrequirements with a two-out-of-three logic on each steam line.Steam Line Pressure-Negative Rate-High must beOPERABLE in MODE 3 when less than the P-il setpoint, when a secondary side break or stuck open valve could result*in the rapid depressurization of the steam line(s).

InMODES 1 and 2, and in MODE 3, when above the P-ilsetpoint, this signal is automatically disabled and the SteamLine Pressure-Low signal is automatically enabled.

TheSteam Line Isolation Function is required to be OPERABLE inMcGuire unit 1 and 2 B 3.3.2-15 Revision No. 138 ESFAS Instrumentation B 3.3.2.BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

MODES 2 and 3 unless all MSIVs are closed and de-activated.

In MODES 4, 5, and 6, there is insufficient energyin the primary and secondary sides to have an SLB or otheraccident that would result in a release of significant enoughquantities of energy to cause a cooldown of the RCS.5. Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater Isolation signalsare to prevent damage to the turbine due to water in the steam lines,stop the excessive flow of feedwater into the SGs, and to limit the energyreleased into containment.

These Functions are necessary to mitigatethe effects of a high water level in the SGs, which could result incarryover of water into the steam lines and excessive cooldown of theprimary system. The SG high water level is due to excessive feedwater flows. Feedwater isolation serves to limit the energy released intocontainment upon a feedwater line or steam line break insidecontainment.

~The Functions are actuated when the level in any SG exceeds the highO high setpoint, and performs the following functions:

Trips the main turbine;* Trips the MFW pumps; and* Initiates feedwater isolation (shuts the MFW control valves, bypassfeedwater control valves, feedwater isolation valves, and the MFWto AFW nozzle bypass valves).Turbine Trip and Feedwater Isolation signals are both actuated by SGWater Level-High High, or by an SI signal. The RTS also initiates aturbine trip signal whenever a reactor trip (P-4) is generated.

AFeedwater Isolation signal is also generated by a reactor trip (P-4)coincident with Tavg-Low and on a high water level in the reactor buildingdoghouse.

The MFW System is also taken out of operation and theAFW System is automatically started.

The SI signal was discussed previously.

a. Turbine Trip(1) Turbine Trip-Automatic Actuation Logqic and Actuation RelaysAutomatic Actuation Logic and Actuation Relays consist ofMcGuire Unit 1 and 2 B 3.3.2-16 Revision No. 138 ESFAS Instrumentation B 3.3.2S BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) the same features and operate in the same manner asdescribed for ESFAS Function 1 .b.(2) Turbine Trip-Steam Generator Water Level-Higqh HighThis signal prevents damage to the turbine due towater in the steam lines. The ESFAS SG water levelinstruments provide input to the SG Water LevelControl System. Therefore, the actuation logic must beable to withstand both an input failure to the controlsystem (which may then require the protection functionactuation) and a single failure in the other channelsproviding the protection function actuation.

Only threeprotection channels are necessary to satisfy theprotective requirements.

The setpoints are based onpercent of narrow range instrument span.(3) Turbine Trip-Safety niectionTurbine Trip is also initiated by all Functions thatinitiate SI. Therefore, the reurmnsaenot repeated in Table 3.3.2-1.

Instead Function 1, SI, isreferenced for all initiating functions and requirements.

Item 5.a.(1) is referenced for the applicable MODES.The Turbine Trip Function must be OPERABLE in MODES 1and 2. In rower MODES, the turbine generator is not inservice and this Function is not required to be OPERABLE.

b. Feedwater Isolation (1) Feedwater Isolation-Automatic Actuation Logic andActuation RelaysAutomatic Actuation Logic and Actuation Relaysconsist of the same features and operate in the sameAPPLICABLE manner as described for ESFASFunction 1 .b.0McGuire Unit 1 and 2 B 3.3.2-17 Revision No. 138 ESFAS Instrumentation B 3.3.2* BASESSAFETY ANALYSES, LCO, and APPLICABILITY (continued)

(2) Feedwater Isolation-Steam Generator Water Level-Hi qh Higqh (P-14)This signal provides protection against excessive feedwater flow. The ESFAS SG water levelinstruments provide input to the SG Water LevelControl System. Therefore, the actuation logic must beable to withstand both an input failure to the controlsystem (which may then require the protection functionactuation) and a single failure in the other channelsproviding the protection function actuation.

Only threeprotection channels are necessary to satisfy theprotective requirements.

The setpoints are based onpercent of narrow range instrument span.(3) Feedwater Isolation-Safety I!niection Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Functionrequirements for these Functions are the same as therequirements for their SI function.

Therefore, therequirements are ntrepeatedinTbe3321 Instead Function 1, SI, is referenced for all initiating functions and requirements.

Item 5.b.(1) is referenced for the applicable MODES.(4) Feedwater Isolation

-RCS Tv-Low Coincident WithReactor Trip, (P-4)This signal provides protection against excessive

cooldown, which could subsequently introduce apositive reactivity excursion after a plant trip. Thereare four channels of RCS TaVg-Low (one per loop), witha two-out-of-four logic required coincident with areactor trip signal (P-4) to initiate a feedwater isolation.

The P-4 interlock is discussed in Function 8.a.(5) Turbine Trip and Feedwater Isolation

-DoghouseWater Level -High HigqhThis signal initiates a Feedwater Isolation.

The signalterminates forward feedwater flow in the event of apostulated pipe break in the main feedwater piping in thedoghouses to prevent flooding safety related equipment essential to the safe shutdown of the plant.McGuire Unit 1 and 2 B 3.3.2-18 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The level instrumentation consists of six level switches(three per train) in each of the two reactor buildingdoghouses.

A high-high level detected by two-out-of-three switches in either train in the inboard or outboarddoghouse will initiate a feedwater isolation.

This signalinitiates Feedwater Isolation for the specific doghousewhere the High-High level is detected and trips bothmain feedwater pumps thus causing a main turbinetrip.The Feedwater Isolation Function must be OPERABLE in MODES 1 and2 and also in MODE 3 (except for the functions listed in Table 3.3.2-1).

Feedwater Isolation is not required OPERABLE when all MFIVs, MFC Vs,and associated bypass valves are closed and de-activated or isolated bya closed manual valve. In lower MODES, the MEW System is not inservice and this Function is not required to be OPERABLE.

6. Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink forthe reactor in the event that the MFW System is not available.

Thesystem has two motor driven pumps and a turbine driven pump, makingit available during normal and accident operation.

The normal source ofwater for the AFW System is the non-safety related AFW Storage Tank(Water Tower). A low suction pressure to the AFW pumps willautomatically realign the pump suctions to the Nuclear Service WaterSystem (NSWS)(safety related).

The AFW System is aligned so thatupon a pump start, flow is initiated to the respective SGs immediately.

a. Auxiliary Feedwater-Automatic Actuation Logqic and Actuation RelaysAutomatic actuation logic and actuation relays consist of the samefeatures and operate in the same manner as described for ESFASFunction 1 .b.b. Auxiliary Feedwater-Steam Generator Water Level-Low LowSG Water Level-Low Low provides protection against a loss ofheat sink. A feed line break, inside or outside of containment, or aloss of MEW, would result in a loss of SG water level. SG WaterLevel-Low Low provides input to the SG Level Control System.McGuire Unit 1 and 2 B 3.3.2-19 Revision No. 138 ESFAS Instrumentation B 3.3.2.BASES"APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Therefore, the actuation logic must be able to withstand both aninput failure to the control system which may then require aprotection function actuation and a single failure in the otherchannels providing the protection function actuation.

Thus, fourOPERABLE channels are required to satisfy the requirements withtwo-out-of-four logic. The setpoints are based on percent ofnarrow range instrument span.SG Water Level -Low Low in any operating SG will cause themotor driven AFW pumps to start. The system is aligned so thatupon a start of the pump, water immediately begins to flow to theSGs. SG Water Level -Low Low in any two operating SGs willcause the turbine driven pumps to start.c. Auxiliary Feedwater-Safety Iniection An SI signal starts the motor driven AFW pumps. The AFWinitiation functions are the same as the requirements for their SIfunction.

Therefore, the requirements are not repeated inTable 3.3.2-1.

Instead, Function 1, SI, is referenced for allinitiating functions and requirements.

d. Auxiliary Feedwater-Station Blackout

..A loss of power or degraded voltage to the service buses will beaccompanied by a loss of reactor coolant pumping power and thesubsequent need for some method of decay heat removal.

Theloss of power or degraded voltage is detected by a voltage drop oneach essential service bus. Loss of power or degraded voltage toeither essential service bus will start the turbine driven and motordriven AFW pumps to ensure that at least two SGs contain enoughwater to serve as the heat sink for reactor decay heat and sensibleheat removal following the reactor trip. The turbine driven pumpdoes not start on a loss of power coincident with a SI signal.Functions 6.a through 6.d must be OPERABLE in MODES 1, 2,and 3 to ensure that the SGs remain the heat sink for the reactor.These Functions do not have to be OPERABLE in MODES 5 and 6because there is not enough heat being generated in the reactor torequire the SGs as a heat sink. In MODE 4, AFW actuation doesnot need to be OPERABLE because either AFW or residual heatremoval (RHR) will already be in operation to remove decay heator sufficient time is available to manually place either system inoperation.

McGuire Unit I and 2 B 3.3.2-20 Revision No. 138 ESFAS Instrumentation B 3.3.2S BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

e. Auxiliary Feedwater-Trip of All Main Feedwater PumpsA Trip of all MEW pumps is an indication of a loss of MEW and thesubsequent need for some method of decay heat and sensibleheat removal to bring the reactor back to no load temperature andpressure.

Two contacts are provided in series (one from eachME'W pump) in the starting circuit for each AFW pump. A trip of allMEW pumps closes both contacts and starts the motor driven AFWpumps to ensure that at least two SGs are available with water toact as the heat sink for the reactor.

This function must beOPERABLE in MODES 1 and 2. This ensures that at least twoSGs are provided with water to serve as the heat sink to removereactor decay heat and sensible heat in the event of an accident.

In MODES 3, 4, and 5, the MEW pumps are normally shut down,and thus neither pump trip is indicative of a condition requiring automatic AEW initiation.

f. Auxiliary Feedwater-Pump Suction Transfer on Suction Pressure-Lo._wA low pressure signal in the AEW pump suction line protects theO AEW pumps against a loss of the normal supply of water for thepumps, the non-safety related AFW Storage Tank (Water Tower).Two pressure switches per train are located on the AFW pumpsuction line. The turbine driven AFW pump has a total of fourswitches.

A low pressure signal sensed by two-out-of-two switches on either train will cause the emergency supply of waterfor the pump to be aligned.

The NSWS (safety grade) is then linedup to supply the AFW pumps to ensure an adequate supply ofwater for the AFW System to maintain at least two of the SGs asthe heat sink for reactor decay heat and sensible heat removal.This Eunction must be OPERABLE in MODES 1, 2, and 3 toensure a safety grade supply of water for the AEW System tomaintain the SGs as the heat sink for the reactor.

This Eunctiondoes not have to be OPERABLE in MODES 5 and 6 because thereis not enough heat being generated in the reactor to require theSGs as a heat sink. In MODE 4, AFW automatic suction transferdoes not need to be OPERABLE because RHR will already be inoperation, or sufficient time is available to place RHR in operation, to remove decay heat.Note: The setpoints listed in this function are referenced from thecenterline of the respective pump suction flow element.

Theelevation of the centerline of the 2A MDP suction flow element islower than the other AFW pumps. The lower elevation accounts0McGuire Unit 1 and 2 B 3.3.2-21 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) for the Nominal Trip Setpoint and Allowable Value difference between the 2A MDP and the other CA pumps.7. Automatic Switchover to Containment SumpAt the end of the injection phase of a LOCA, the RWST will be nearlyempty. Continued cooling must be provided by the ECCS to removedecay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump. The low head residualheat removal (RHR) pumps and containment spray pumps draw thewater from the containment recirculation sump, the RHR pumps pumpthe water through the RHR heat exchanger, inject the water back into theRCS, and supply the cooled water to the other ECCS pumps.Switchover from the RWST to the containment sump must occur beforethe RWST empties to prevent damage to the RHR pumps and a loss ofcore cooling capability.

a. Automatic Switchover to Containment Sump-Refuelin~q Water Storacqe Tank (RWST])Level-Low Coincident With Safety Iniection During the injection phase of a LOCA, the RWST is the source ofwater for all EGGS pumps. A low. level in the RWST coincident with an SI signal provides protection against a loss of water for theECCS pumps and indicates the end of the injection phase of theLOCA. The RWST is equipped with three level transmitters.

These transmitters provide no control functions.

Therefore, a two-out-of-three logic is adequate to initiate the protection functionactuation.

Automatic switchover occurs only if the RWST low level signal iscoincident with SI. This prevents accidental switchover duringnormal operation.

Accidental switchover could damage EGGSpumps if they are attempting to take suction from an empty sump.The automatic switchover Function requirements for the SIFunctions are the same as the requirements for their SI function.

Therefore, the requirements are not repeated in Table 3.3.2-1.Instead, Function 1, SI, is referenced for all initiating Functions andrequirements.

These Functions must be OPERABLE in MODES 1,2, and 3 when there is a potential for a LOCA to occur, to ensure acontinued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 becauseMcGuire Unit I and 2 B 3.3.2-22 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) there is adequate time for the operator to evaluate unit conditions and respond by manually starting

systems, pumps, and otherequipment to mitigate the consequences of an abnormal condition or accident.

System pressure and temperature are very low andmany ESF components are administratively locked out orotherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.8. Engqineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are includedas part of the ESFAS. These interlocks permit the operator to blocksome signals, automatically enable other signals, prevent some actionsfrom occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are inoperation under the conditions assumed in the safety analyses.

a. Engqineered Safety Feature Actuation SystemInterlocks-Reactor Trip. P-4The P-4 interlock is enabled when a reactor trip breaker (RTB) andits associated bypass breaker is open. Operators are able to resetSI 60 seconds after initiation.

If a P-4 is present when SI is reset,subsequent automatic SI initiation will be blocked until the RTBshave been manually closed. This Function allows operators totake manual control of SI systems after the initial phase of injection is complete while avoiding multiple SI initiations.

The functions ofthe P-4 interlock are:* Trip the main turbine;* Isolate MFW with coincident low Tavg;* Prevent reactuation of SI after a manual reset of SI; and* Prevent opening of the MFW isolation valves if they wereclosed on SI or SG Water Level-High High.McGuire Unit 1 and 2 B 3.3.2-23 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Each of the above Functions is interlocked with P-4 to avert orreduce the continued cooldown of the ROS following a reactor trip.An excessive cooldown of the RCS following a reactor trip couldcause an insertion of positive reactivity with a subsequent increasein generated power. To avoid such a situation, the notedFunctions have been interlocked with P-4 as part of the design ofthe unit control and protection system.None of the noted Functions serves a mitigation function in the unitlicensing basis safety analyses.

Only the turbine trip Function isexplicitly assumed since it is an immediate consequence of thereactor trip Function.

Neither turbine trip, nor any of the otherthree Functions associated with the reactor trip signal, is requiredto show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts.

Therefore, this Function has no adjustable trip setpoint with whichto associate a Trip Setpoint and Allowable Value.This Function must be OPERABLE in MODES 1, 2, and 3 whenthe reactor may be critical or approaching criticality.

This Functiondoes not have to be OPERABLE in MODE 4, 5, or 6 because themain turbine, the MFW System are not in operation.

b. En~qineered Safety Feature Actuation SystemInterlocks-Pressurizer Pressure.

P-11The P-i11 interlock permits a normal unit cooldown anddepressurization without actuation of SI or main steam lineisolation.

With two-out-of-three pressurizer pressure channels(discussed previously) less than the P-li setpoint, the operatorcan manually block the Pressurizer Pressure-Low SI signal and theSteam Line Pressure-Low steam line isolation signal (previously discussed).

McGuire Unit 1 and 2 B 3.3.2-24 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

When the Steam Line Pressure-Low steam line isolation signal ismanually

blocked, a main steam isolation signal on Steam Line ,Pressure-Negative Rate-High is enabled.

This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-il setpoint, thePressurizer Pressure-Low SI signal and the Steam Line Pressure-Low steam line isolation signal are automatically enabled.

Theoperator can also enable these trips by use of the respective manual reset buttons.

When the Steam Line Pressure-Low steamline isolation signal is enabled, the main steam isolation on SteamLine Pressure-Negative Rate-High is disabled.

This Function must be OPERABLE in MODES 1, 2, and 3 to allowan orderly cooldown and depressurization of the unit without theactuation of SI or main steam isolation.

This Function does nothave to be OPERABLE in MODE 4, 5, or 6 because systempressure must already be below the P-11 setpoint for therequirements of the heatup and cooldown curves to be met.c. Engineered Safety Feature Actuation System Interlocks-Tay.n-Low Low, P-12.On increasing reactor coolant temperature, the P-12 interlock provides an arming signal to the Steam Dump System. On adecreasing temperature, the P-12 interlock removes the arming*signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam DumpSystem.Since Tavg is used as an indication of bulk RCS temperature, thisFunction meets redundancy requirements with one OPERABLEchannel in each loop. These channels are used in two-out-of-four logic.This Function must be OPERABLE in MODES 1, 2, and 3 when asecondary side break or stuck open valve could result in the rapiddepressurization of the steam lines. This Function does not haveto be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have an accident.

McGuire Unit 1 and 2 B 3.3.2-25 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESAPPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

9. Containment Pressure Control System Permnissives The Containment Pressure Control System (CPCS) protects theContainment Building from excessive depressurization by preventing inadvertent actuation or continuous operation of the Containment Sprayand Containment Air Return Systems when containment pressure is at orless than the CPCS permissive setpoint.

The control scheme of CPCS iscomprised of eight independent control circuits (4 per train), each havinga separate and independent pressure transmitter and current alarmmodule. Each pressure transmitter monitors the containment pressureand provides input to its respective current alarm. The current alarmsare set to inhibit or terminate containment spray and containment airreturn fan operation when containment pressure falls below the setpoint.

The alarm modules switch back to the permissive state (allowing thesystems to operate) when containment pressure is greater than or equalto the setpoint.

This function must be OPERABLE in MODES 1, 2, 3, and 4 when thereis sufficient energy in the primary and secondary sides to pressurize containment following a pipe break. In MODES 5 and 6, there isinsufficient energy in the primary and secondary sides to significantly pressurize the containment.

The ESFAS instrumentation satisfies Criterion 3 of 10 CER 50.36 (Ref. 6).ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

When the Required Channels inTable 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc.,basis), then the Condition may be entered separately for each steam line, loop,SG, etc., as appropriate.

A channel shall be OPERABLE if the point at which the channel trips is foundequal to or more conservative than the Allowable Value. In the event achannel's trip setpoint is found less conservative than the Allowable Value, orthe transmitter, instrument loop, signal processing electronics, or bistable isfound inoperable, then all affected Functions provided by the channel must bedeclared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

If plant conditions

warrant, the trip setpoint may be setoutside the NOMINAL TRIP SETPOINT calibration tolerance band as long asthe trip setpoint is conservative with respect to the NOMINAL TRIP SETPOINT.

If the trip setpoint is found outside the NOMINAL TRIP SETPINT calibration tolerance band and non-conservative with respect to the NOMINAL TRIPSETPOINT, the setpoint shall be re-adjusted.

McGuire Unit 1 and 2B33226RvsoN.18 B 3.3.2-26 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued)

When the number of inoperable channels in a trip function exceed thosespecified in one or other related Conditions associated with a tripfunction, then the unit is outside the safety analysis.

Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE ofoperation.

A.._1Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains forone or more Functions are inoperable at the same time. The Required Actionis to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected.

The Completion Times are those from the referenced Conditions and Required Actions.BA.I B.2.1 and B.2.2Condition B applies to manual initiation of:* SI;* Phase A Isolation; and* Phase B Isolation.

This action addresses the train orientation of the SSPS for the functions listedabove. If a channel or train is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to return it to anOPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable.

Condition B, therefore, encompasses both situations.

The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for eachFunction, and the low probability of an event occurring during this interval.

Ifthe train cannot be restored to OPERABLE status, the unit must be placed in aMODE in which the LCO does not apply. This is done by placing the unit in atleast MODE 3 within an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time) and in MODE 5within an additional 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months total time). The allowable Completion Times are reasonable, based on operating experience, to reach the requiredunit conditions from full power conditions in an orderly manner and withoutchallenging unit systems.McGuire Unit 1 and 2 B 3.3.2-27 Revision No. 138 ESFAS Instrumentation B 3.3.2.i BASESACTIONS (continued)

C.1. C.2.1 and C.2.2Condition C applies to the automatic actuation logic and actuation relays for thefollowing functions:

SI;* Phase A Isolation; and* Phase B Isolation.

i This action addresses the train orientation of the SSPS and the master and: slave relays. If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the trainto OPERABLE status. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed for restoring the inoperable trainto OPERABLE status is justified in Reference

10. The specified Completion Time is reasonable considering that there is another train OPERABLE, and thelow probability of an event occurring during this interval.

If the train cannot berestored to OPERABLE status, the unit must be placed in a MODE in which theLCO does not apply. This is done by placing the unit in at least MODE 3 withinan additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months total time) and in MODE 5 within an additional 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months total time). The Completion Times are reasonable, basedO on operating experience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance

testing, provided the other train isOPERABLE.

The Required Actions are not required to be met during this time,unless the train is discovered inoperable during the testing.

This allowance isbased on the reliability analysis assumption of WCAP-1 0271-P-A (Ref. 7) that4 hours is the average time required to perform train surveillance.

If an individual SSPS slave relay or slave relay contact is incapable ofactuating, then the equipment operated by the slave relay or slave relaycontact is inoperable.

An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.

D.1, D.2.1. and D.2.2Condition D applies to:* Containment Pressure-High;

Pressurizer Pressure-Low Low;* Steam Line Pressure-Low; McGuire Unit I and 2 B 3.3.2-28 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued)

Steam Line Pressure-Negative Rate-High;

SG Water Level -High High (P-I14) for the Feedwater Isolation Function.

SG Water level-Low Low, and* Loss of offsite power.If one channel is inoperable, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months are allowed to restore the channel toOPERABLE status or to place it in the tripped condition.

Generally thisCondition applies to functions that operate on two-out-of-three logic.Therefore, failure of one channel places the Function in a two-out-of-two configuration.

One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months sallowed to restore the channel to OPERABLE status or placed in the trippedcondition is justified in Reference 10.Failure to restore the inoperable channel to OPERABLE status or place it in thetripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months requires the unit be placed in MODE 3 withinthe following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions inan orderly manner and without challenging unit systems.

In MODE 4, theseFunctions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of otherchannels.

The note also allows an OPERABLE channel to be placed in bypassfor up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for testing of the bypassed channel.

However, only onechannel may be placed in bypass at any one time. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed fortesting, are justified in Reference 10.E.1. E.2.1. and E.2.2Condition E applies to:* Containment Phase B Isolation Containment Pressure

-High-High, and* Steam Line Isolation Containment Pressure

-High High.McGuire Unit 1 and 2 B 3.3.2-29 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued)

Neither of these signals has input to a control function.

Thus, two-out-of-three logic is necessary to meet acceptable protective requirements.

However, atwo-out-of-three design would require tripping a failed channel.

This isundesirable because a single failure would then cause spurious isolation initiation.

Therefore, these channels are designed with two-out-of-four logic sothat a failed channel may be bypassed rather than tripped.

Note that onechannel may be bypassed and still satisfy the single failure criterion.

Furthermore, with one channel bypassed, a single instrumentation channelfailure will not spuriously initiate isolation.

To avoid the inadvertent actuation of Phase B containment isolation, theinoperable channel should not be placed in the tripped condition.

Instead it isbypassed.

Restoring the channel to OPERABLE status, or placing theinoperable channel in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , is sufficient toassure that the Function remains OPERABLE and minimizes the time that theFunction may be in a partial trip condition (assuming the inoperable channelhas failed high). The Completion Time is further justified based on the lowprobability of an event occurring during this interval.

Failure to restore theinoperable channel to OPERABLE status, or place it in the bypassed condition within72 hours, requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Timesare reasonable, based on operating experience, to reach the required unitconditions from full power conditions in an orderly manner and withoutchallenging unit systems.

In MODE 4, these Functions are no longer requiredOPERABLE.

The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing.

Placing asecond channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for testing purposesis acceptable based on the results of Reference 10.F.1. F.2.1. and F.2.2.Condition F applies to:* Manual Initiation of Steam Line Isolation; and* P-4 Interlock.

McGuire Unit 1 and 2 B 3.3.2-30 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued)

For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. If a train or channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months isallowed to return it to OPERABLE status. The specified Completion Time isreasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval.

Ifthe Function cannot be returned to OPERABLE status, the unit must be placedin MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderlymanner and without challenging unit systems.

In MODE 4, the unit does nothave any analyzed transients or conditions that require the explicit use of theprotection functions noted above.G.1 and G.2Condition G applies to manual initiation of Steam Line Isolation.

This action addresses the operability of the manual steam line isolation functionfor each individual main steam isolation valve. If a channel is inoperable, 48hours is allowed to return it to an OPERABLE status. If the train cannot berestored to OPERABLE status, the Conditions and Required Actions of LCO3.7.2, "Main Steam Isolation Valves,"

must be entered for the associated inoperable valve. The specified Completion Time is reasonable considering that there is a system level manual initiation train for this Function and the lowprobability of an event occurring during this interval.

H.1, H.2.1 and H.2.2Condition H applies to the automatic actuation logic and actuation relays for theSteam Line Isolation, Feedwater Isolation, and AFW actuation Functions.

The action addresses the train orientation of the SSPS and the master and slaverelays for these functions.

If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed torestore the train to OPERABLE status. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed for restoring theinoperable train to OPERABLE status is justified in Reference

10. TheCompletion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of anevent occurring during this interval.

If the train cannot be returned to OPERABLEstatus, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from fullpower conditions in an orderly manner and without challenging unit systems.McGuire Unit 1 and 2 B 3.3.2-31 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued)

Placing the unit in MODE 4 removes all requirements for OPERABILITY of theprotection channels and actuation functions.

In this MODE, the unit does nothave analyzed transients or conditions that require the explicit use of theprotection functions noted above.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing provided the other train isOPERABLE.

This allowance is based on the reliability analysis (Ref. 7)assumption that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the average time required to perform channelsurveillance.

If an individual SSPS slave relay or slave relay contact is incapable ofactuating, then the equipment operated by the slave relay or slave relaycontact is inoperable.

An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.

1.1 and 1.2Condition I applies to the automatic actuation logic and actuation relays for theTurbine Trip Function.

This action addresses the train orientation of the SSPS and the master andslave relays for this Function.

If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed torestore the train to OPERABLE status or the unit must be placed in MODE 3within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed for restoring the inoperable train to OPERABLE status is justified in Reference

10. The Completion Timefor restoring a train to OPERABLE status is reasonable considering that thereis another train OPERABLE, and the low probability of an event occurring during this interval.

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions inan orderly manner and without challenging unit systems.

These Functions areno longer required in MODE 3. Placing the unit in MODE 3 removes allrequirements for OPERABILITY of the protection channels and actuation functions.

In this MODE, the unit does not have analyzed transients orconditions that require the explicit use of the protection functions noted above.The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing provided the other train isOPERABLE.

This allowance is based on the reliability analysis (Ref. 7)assumption that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the average time required to perform channelsurveillance.

If an individual SSPS slave relay or slave relay contact is incapable ofactuating, then the equipment operated by the slave relay or slave relayMcGuire Unit I and 2 B 3.3.2-32 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued) contact is inoperable.

An SSPS train is not inoperable due to an individual SSPS slave relay or slave relay contact being incapable of actuating.

J.1 and J.2Condition J applies to:* SG Water Level-High High (P-14) for the Turbine Trip Function; and* Tavg-LOw.

If one channel is inoperable, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months are allowed to restore one channel toOPERABLE status or to place it in the tripped condition.

If placed in the trippedcondition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation.

The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel toOPERABLE status or to place it in the tripped condition is justified in Reference

10. Failure to restore the inoperable channel to OPERABLE status or place it inthe tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months requires the unit to be placed in MODE 3within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time of 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months isreasonable, based on operating experience, to reach MODE 3 from full powerconditions in an orderly manner and without challenging unit systems.

InMODE 3, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of otherchannels.

The note also allows an OPERABLE channel to be placed in bypassfor up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for testing of the bypassed channel.

However, only onechannel may be placed in bypass at any one time. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed toplace the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowedfor a channel to be in the bypassed condition for testing, are justified inReference 10.K.1 and K.2Condition K applies to the AFW pump start on trip of all MFW pumps.This action addresses the relay contact orientation for the auto start function ofthe AFW System on loss of all MFW pumps. The OPERABILITY of the AFWSystem must be assured by allowing automatic start of the AFW Systempumps. If a channel is inoperable, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to place the channel in trip. If placed in the tripped condition, the function is then in a partial trip condition where a one-out-of-one logic willresult in actuation.

If the channel is not placed in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months areMcGuire Unit 1 and 2 B 3.3.2-33 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued) allowed to place the unit in MODE 3. The allowed Completion Time of 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months sis reasonable, based on operating experience, to reach MODE 3 from fullpower conditions in an orderly manner and without challenging unit systems.

InMODE 3, the unit does not have any analyzed transients or conditions thatrequire the explicit use of the protection function noted above.L._.1Condition L applies to the Doghouse Water Level -High High.The failure of one required channel in one train in either reactor buildingdoghouse results in a loss of redundancy for the function.

The function can stillbe initiated by the remaining operable train. The inoperable train is, required tobe restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , or continuous visualmonitoring of the doghouse water level must be implemented in the following hour,The allowed Completion Time is reasonable considering that the redundant train remains OPERABLE to initiate the function if required.

M.1. M.2.1 and M.2.2.Condition M applies to the Doghouse Water Level -High High.The failure of two trains in either reactor building doghouse results in a loss ofthe function.

Continuous visual monitoring of the doghouse water level mustbe implemented in the following hour.The allowed Completion Time provides sufficient time for the operating staff toestablish the required monitoring..

N.1 and N.2Condition N applies to the Auxiliary Feedwater Pumps Suction Transfer onSuction Pressure Low.If one or more channels on a single AFW pump is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months isallowed to restore the channel(s) to OPERABLE status or to declare theassociated AFW pump inoperable.

The failure of one or more channels on onepump disables the ability for the suction transfer on that pump.The allowed Completion Times are reasonable, considering the remaining redundant pumps and transfer instrumentation.

McGuire Unit 1 and 2 B 3.3.2-34 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued) 0_.1Condition 0 applies to the Auxiliary Feedwater Pumps Suction Transfer onSuction Pressure Low.If one or more channels on more than one AFW pumps are inoperable, the ability for the suction transfer has been lost on multiple pumps. Inthis case, the associated AFW pumps must be declared inoperable immediately.

P.1 and P.2Condition P applies to RWST Level-Low Coincident with Safety Injection.

RWST Level-Low Coincident with SI provides actuation of switchover to thecontainment sump. The inoperable channel shall be returned to OPERABLEstatus or placed in the trip condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This Condition applies to afunction that operates on two-out-or-three logic. Therefore, failure of onechannel places the Function in a two-out-or-two configuration.

The channelmust be tripped to place the Function in a one-out-of-two configuration thatsatisfies redundancy requirements.

A channel placed in the trip condition shallbe restored to OPERABLE status within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . With one channel in the tripcondition, a single failure of another channel coincident with a design basisLoss of Coolant Accident (LOCA) could result in premature automatic swapoverof ECCS pumps to the containment recirculation sump. For a failure leading toearly swapover, plant analyses assume operators do not havesufficient time to resolve the problem prior to ECCS pump damage.Consequently, as a result of this premature

swapover, both trains of ECCSpumps could fail due to insufficient sump water level. This could prevent theECCS pumps from performing their post-LOCA cooling function.

The allowedCompletion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is reasonable since, based on operating experience, there is a very small probability of a random failure of anotherRWST level channel in a given 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months period.Q.1. Q.2.1 and Q.2.2Condition Q applies to the P-Il and P-12 interlocks.

With one channel inoperable, the operator must verify that the interlock is in therequired state for the existing unit condition.

The verification is performed byvisual observation of the permissive status light in the unit control room. Thisaction manually accomplishes the function of the interlock.

Determination mustbe made within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is equal to the timeallowed by LCO 3.0.3 to initiate shutdown actions in the event of a completeMcGuire Unit 1 and 2B33.35RvsoN.18 B 3.3.2-35 ESFAS Instrumentation B 3.3.2BASESACTIONS (continued) loss of ESFAS function.

If the interlock is not in the required state (or placed inthe required state) for the existing unit condition, the unit must be placed inMODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Theallowed Completion Times are reasonable, based on operating experience, toreach the required unit conditions from full power conditions in an orderlymanner and without challenging unit systems.

Placing the unit in MODE 4removes all requirements for OPERABILITY of these interlocks.

R..__Condition R applies to the Containment Pressure Control System Start andTerminate Permissives.

With one or more channels inoperable, the affected containment spray,containment air return fans, and hydrogen skimmer fans must be declaredinoperable immediately.

The supported system LCOs provide the appropriate Required Actions and Completion Times for the equipment made inoperable bythe inoperable channel.

The immediate Completion Time is appropriate sincethe inoperable channel could prevent the supported equipment from startingwhen required.

Additionally, protection from an inadvertent actuation may notbe provided if the terminate function is not OPERABLE.

S.1 and S.2Condition S applies to RWST Level-Low Coincident with Safety Injection.

When Required Actions cannot be completed within their Completion Time, theunit must be brought to a MODE or Condition in which the LCO requirements are not applicable.

To achieve this status, the unit must be brought to at leastMODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering the Condition.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions inan orderly manner and without challenging unit systems.

In MODE 4, the unitdoes not have any analyzed transients of conditions that require the explicituse of the protection functions noted above.SURVEILLANCE The SRs for each ESFAS Function are identified by the SRs column ofREQUIREMENTS Table 3.3.2-1.A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of theESFAS. When testing channel I, train A and train B must be examined.

McGuire Unit 1 and 2 B 3.3.2-36 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)

Similarly, train A and train B must be examined when testing channel II,channel Ill, and channel IV (if applicable).

The CHANNEL CALIBRATION andCOTs are performed in a manner that is consistent with the assumptions usedin analytically calculating the required channel accuracies.

SR 3.3.2.1Performance of the CHANNEL CHECK ensures that a gross failure ofinstrumentation has not occurred.

A CHANNEL CHECK is normally acomparison of the parameter indicated on one channel to a similarparameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the samevalue. Significant deviations between instrument channels could be anindication of excessive instrument drift in one of the channels or of something even more serious.

A CHANNEL CHECK will detect gross channel failure;thus, it is key to verifying the instrumentation continues to operate properlybetween each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination ofthe channel instrument uncertainties, including indication and reliability.

If achannel is outside the criteria, it may be an indication that the sensor or thesignal processing equipment has drifted outside its limit.The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.2.2SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST using thesemiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation.

Through the semiautomatic tester, allpossible logic combinations, with and without applicable permissives, aretested for each protection function.

In addition, the master relay coil is pulsetested for continuity.

This verifies that the logic modules are OPERABLE andthat there is an intact voltage signal path to the master relay coils. TheSurveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency ControlProgram.SR 3.3.2.3SR 3.3.2.3 is the performance of a COT on the RWST level andContainment Pressure Control Start and Terminate Permissives.

McGuire Unit 1 and 2 B 3.3.2-37 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUI REMENTS (continued)

A COT is performed on each required channel to ensure the entire channel willperform the intended Function.

Setpoints must be found conservative withrespect to the Allowable Values specified in Table 3.3. 2-1. The Surveillance Frequency is based on operating experience, equipment reliability, and plantrisk and is controlled under the Surveillance Frequency Control Program.For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions,"

has been implemented; this SR is modified by two (2)Notes as identified in Table 3.3.2-1.

The first Note requires evaluation ofchannel performance for the condition where the as-found setting for thechannel setpoint is outside its as-found tolerance but conservative with respectto the Allowable Value. Evaluation of channel performance will verify that thechannel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology.

Thepurpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service.

For channels determined to beOPERABLE but degraded, after returning the channel to service theperformance of these channels will be evaluated under the plant Corrective Action Program.

Entry into the Corrective Action Program will ensure requiredreview and documentation of the condition.

The second Note requires that theas-left setting for the channel be returned to within the as-left tolerance of theNominal Trip Setpoint (NTSP). Where a setpoint more conservative than theNTSP is used in the plant surveillance procedures (field setting),

the as-left andas-found tolerances, as applicable, will be applied to the surveillance procedure setpoint.

This will ensure that sufficient margin to the Safety Limit and/orAnalytical Limit is maintained.

If the as-left channel setting cannot be returnedto a setting within the as-left tolerance of the NTSP, then the channel shall be-declared inoperable.

The second Note also requires that the methodologies forcalculating the as-left and the as-found tolerances be in the UFSAR.SR 3.3.2.4SR 3.3.2.4 is the performance of a MASTER RELAY TEST. The MASTERRELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relaycontact operation, a low voltage is injected to the slave relay coil. This voltageis insufficient to pick up the slave relay, but large enough to demonstrate signalpath continuity.

The time allowed for the testing (4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ) is justified inReference

7. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.McGuire Unit 1 and 2 B 3.3.2-38 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.5SR 3.3.2.5 is the performance of a COT.A COT is performed on each required channel to ensure the channel willperform the intended Function.

The tested portion of the loop must trip withinthe Allowable Values specified in Table 3.3. 2-1.The setpoint shall be left set consistent with the assumptions of the setpointmethodology.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.SR 3.3.2.6SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVE RELAYTEST is the energizing of the slave relays. Contact operation is verified in oneof two ways. Actuation equipment that may be operated in the designmitigation MODE is either allowed to function, or is placed in a condition wherethe relay contact operation can be verified without operation of the equipment.

Actuation equipment that may not be operated in the design mitigation MODEis prevented from operation by the SLAVE RELAY TEST circuit.

For this lattercase, contact operation is verified by a continuity check of the circuit containing the slave relay. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under theSurveillance Frequency Control Program.SR 3.3.2.7SR 3.3.2.7 is the performance of a TADOT. This test is a check of the ManualActuation Functions, AFW pump start, Reactor Trip (P-4) Interlock andDoghouse Water Level -High High feedwater isolation.

Each Manual Actuation Function is tested up to, and including, the master relay coils. In someinstances, the test includes actuation of the end device (i.e., pump starts, valvecycles, etc.). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that excludesverification of setpoints during the TADOT for manual initiation Functions.

Themanual initiation Functions have no associated setpoints.

McGuire Unit 1 and 2 B 3.3.2-39 Revision No. 138 ESFAS Instrumentation B 3.3.2BASESSURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.8SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.

The CHANNEL CALIBRATION may be performed at power or during refueling based on bypass testing capability.

Channel unavailability evaluations inReferences 10 and 11 have conservatively assumed that the CHANNELCALIBRATION is performed at power with the channel in bypass.CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with theassumptions of the unit specific setpoint methodology.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

The applicable time constants are shown in Table 3.3.2-1.For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions,"