ML093230647

From kanterella
University of Florida Phase 0 Presentation
Person / Time
Site: 05000083
Issue date: 12/22/2009
From: Ghita G, Haghighat A
Univ of Florida
To: NRC/NRR Adams Working Group
Hardesty, D NRC/NRR/DPR/PRTA 415-3724


Text

Presentation on UFTR Licensing Amendment Application (Phase 0)

Alireza Haghighat, FP&L Professor, UFTR Director
Gabriel Ghita, Research Scientist, Project Coordinator
Nuclear & Radiological Engineering Department, University of Florida, Gainesville, Florida
For presentation to the NRC, Washington DC, Oct. 16, 2009

- Introduction to the reactor design: core, primary loop, secondary loop, reactor cell, confinement
- Accident scenarios
- Current I&C design: features, licensing requirement
- Introduction to the UF Team, their functions, and support teams from AREVA & Siemens
- Proposed TXS Protection System
- Safety System Design Basis
- D3 Analysis (considering Design Basis changes)
- Introduction to plans: QAP, V&V
- Discussion on TXS Equipment
- Possibility of installation of a redundant train for testing, benchmarking and training
- Proposed schedule

UFTR timelines
- Established in 1959 with a power of 10 kW
- In 1963, its power was increased to 100 kW
- In 1970, its fuel was changed from LEU to HEU
- In Sept. 2006, its fuel was changed from HEU to LEU

[Figure: Schematic of UFTR (axial projection); labels: Shield Tank, Graphite, Core]

[Figure: Schematic of UFTR (horizontal projection)]

[Figure: UFTR Core]

[Figure: UFTR Core, showing the fuel boxes, the control blades S1, S2, S3 and RG, and the graphite]

Fuel Plate Characteristics
- LEU Fuel Type: U3Si2-Al
- Fuel Meat Size: Width (cm), Thickness (cm), Height (cm)
- Fuel Plate Size: Width (cm), Thickness (cm), Height (cm)
- Cladding material: 6061 Al
- Cladding Thickness (cm)
- Fuel Enrichment (nominal): 19.75%
- Meat Composition (wt% U)
- Mass of 235U per Plate (nominal)
- Number of Plates per Fuel Bundle

Core at critical condition: fuel pattern and blade positions
- Safety 1, at 26.3 degrees
- Safety 2, at 26.3 degrees
- Safety 3, at 26.3 degrees
- Regulating, at 16.9 degrees
- Dummy bundle: 10 fuel plates & 3 dummy plates

[Figure: Total neutron flux distribution]

[Figure: Bundle power distribution (kW), on a schematic of the core]

Core Lifetime
Expected end-of-life LEU core with fuel burnup of ~86.67 MWD; this is based on full-power operation time of 4 hr/day, 5 day/week, 20 years.

UFTR Core and cooling loops (including locations of sensing devices)

[Figure: schematic of the UFTR core, primary loop and secondary side. Legend: RTD; L, Level Indicator; Fission Chamber/BF3; Flowmeter; Ion Chamber; Closed Valve (Normal Operation); NI. Labels: Primary Flow, From Demineralizer Loop, To Demineralizer Loop, Dump Valve, Rupture Disk, Heat Exchanger, Secondary Storage Well, Air Bleed Valve, Coolant Storage Tank, To Secondary Side]

[Figure 5: True reactor power (kW) versus true coolant flow rate (gpm), with 20 mil tolerance on water channel spacing and 0.065" repositioning of each assembly due to combs; curves for Tin = 86 °F, 100 °F and 110 °F, with the operating regions for max. Tin = 100 °F and 110 °F marked]
- True Max. Power: 125 kW; LSSS Power: 119 kW; Max Operating Power: 100 kW
- For Max. Inlet Temp. = 100 °F: True Minimum Flow Rate 39 gpm; LSSS Flow Rate 41 gpm; Operating Flow Rate 48 gpm
- For Max. Inlet Temp. = 110 °F: True Minimum Flow Rate 43 gpm; LSSS Flow Rate 45 gpm; Operating Flow Rate 52 gpm

UFTR Control Parameters and Settings

Parameter                True Limit   LSSS   Operating Value
Power (kW)               125          119    100
Inlet Flow Rate (gpm)    34           36     43
Inlet Temperature (°F)   100          99     80
Outlet Temperature (°F)  165          155    95

Accident Scenarios & Analysis

Accident Scenarios

A rapid insertion of 0.6% Δk/k reactivity. This scenario represents the reactivity insertion resulting from the rapid ejection of the maximum worth of all moveable and non-secured experiments from the reactor. Cases were analyzed both with and without reactor SCRAM.

A reactivity ramp insertion of 0.06% Δk/k/s for 10 seconds. This scenario represents the insertion of reactivity due to control blade withdrawal at the maximum rate allowed by the UFTR Technical Specifications. This accident is assumed to be terminated by reactor SCRAM.

A rapid insertion of 0.6% Δk/k reactivity with scram (fresh fuel)

Power                            100 kW     100 kW     100 kW      100 kW
Steady State Condition           43 gpm,    34 gpm,    34 gpm,     43 gpm,
                                 Tin=86 °F  Tin=86 °F  Tin=109 °F  Tin=86 °F
Blade Drop Time (s)              1.0        1.0        1.0         1.5
Time to Peak Power (s)           0.14       0.14       0.14        0.14
Peak Power (kW)                  316        316        316         318
Tfuel(max) at Peak Power (°C)    51.9       54.4       66.7        51.9
Tfuel(max) (°C)                  52.2       54.8       67.0        52.5
Tclad(max) (°C)                  52.2       54.7       67.0        52.5
Tcool(max) (°C)                  44.6       47.6       59.9        44.6

A rapid insertion of 0.6% Δk/k reactivity with scram (depleted fuel)

Power                            100 kW     100 kW     100 kW      100 kW
Steady State Condition           43 gpm,    34 gpm,    34 gpm,     43 gpm,
                                 Tin=86 °F  Tin=86 °F  Tin=109 °F  Tin=86 °F
Blade Drop Time (s)              1          1          1           1.5
Time to Peak Power (s)           0.14       0.14       0.14        0.15
Peak Power (kW)                  322        322        322         328
Tfuel(max) at Peak Power (°C)    52         54.8       67          52.1
Tfuel(max) (°C)                  52.6       55.3       67.5        52.6
Tclad(max) (°C)                  52.6       55.3       67.5        52.5
Tcool(max) (°C)                  44.5       47.5       59.8        44.5

A rapid insertion of 0.6% Δk/k reactivity without scram (fresh fuel)

Power                            100 kW     100 kW     100 kW
Steady State Condition           43 gpm,    34 gpm,    34 gpm,
                                 Tin=86 °F  Tin=86 °F  Tin=109 °F
Time to Peak Power (s)           2.48       2.44       2.30
Peak Power (kW)                  1199       1186       1112
Tfuel(max) at Peak Power (°C)    95         95         100
Tfuel(max) (°C)                  107        108        109
Tclad(max) (°C)                  107        108        109
Tcool(max) (°C)                  101        101        102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A rapid insertion of 0.6% Δk/k reactivity without scram (depleted fuel)

Power                            100 kW     100 kW     100 kW
Steady State Condition           43 gpm,    34 gpm,    34 gpm,
                                 Tin=86 °F  Tin=86 °F  Tin=109 °F
Time to Peak Power (s)           2.36       2.32       2.19
Peak Power (kW)                  1337       1321       1235
Tfuel(max) at Peak Power (°C)    96         96         101
Tfuel(max) (°C)                  108        109        110
Tclad(max) (°C)                  108        109        110
Tcool(max) (°C)                  101        101        102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A slow insertion of 0.06% Δk/k/s reactivity with scram (fresh fuel)

Power                            100 kW     100 kW     100 kW      100 kW
Steady State Condition           43 gpm,    34 gpm,    34 gpm,     43 gpm,
                                 Tin=86 °F  Tin=86 °F  Tin=109 °F  Tin=86 °F
Blade Drop Time (s)              1.0        1.0        1.0         1.5
Time to Peak Power (s)           2.22       2.22       2.22        2.22
Peak Power (kW)                  127        127        127         127
Tfuel(max) at Peak Power (°C)    52.1       54.6       66.8        52.1
Tfuel(max) (°C)                  52.1       54.6       66.8        52.1
Tclad(max) (°C)                  52.0       54.6       66.8        52.0
Tcool(max) (°C)                  44.6       47.6       60.0        44.6

A slow insertion of 0.06% Δk/k/s reactivity with scram (depleted fuel)

Power                            100 kW     100 kW     100 kW      100 kW
Steady State Condition           43 gpm,    34 gpm,    34 gpm,     43 gpm,
                                 Tin=86 °F  Tin=86 °F  Tin=109 °F  Tin=86 °F
Blade Drop Time (s)              1          1          1           1.5
Time to Peak Power (s)           0.14       0.14       0.14        0.15
Peak Power (kW)                  322        322        322         328
Tfuel(max) at Peak Power (°C)    52         54.8       67          52.1
Tfuel(max) (°C)                  52.6       55.3       67.5        52.6
Tclad(max) (°C)                  52.6       55.3       67.5        52.5
Tcool(max) (°C)                  44.5       47.5       59.8        44.5

LOCA during full power operation
The increase in fuel temperature following a LOCA results in shutdown of the reactor, either by the negative void coefficient of reactivity or by the insertion of control blades into the reactor. In both cases, the fuel temperature will increase by less than 17 °C (30 °F).

Sudden insertion of the maximum excess reactivity of 1.4% Δk/k results in an energy release of <6.1 MW and a cladding temperature of <300 °C.

Maximum Hypothetical Accident (MHA): Fuel Handling Accident (FHA)
It is postulated that because of severe mechanical damage, the aluminum cladding is stripped from one fuel plate; it is assumed that 2.7% of the total volatile activity instantaneously escapes from the fuel plate into the reactor cell. Estimated occupational and public doses are smaller by several orders of magnitude relative to exposure limits.

Current UFTR Analog I&C and Operations

[Figure: block diagram of the current analog I&C; labels: ARM, Indicators, WLM, FRM, RTS (manual), Shutdown, TC, Electrical Monitoring, One Safety Train]

Shutdown Mechanisms
- Automatic: Blade Drop (BD), clutch current control; Dump Valve (DV), solenoid current control
- Manual: Indicators (sirens, monitors & displays) followed by the operator's manual actions: BD and/or DV
- Passive: NEGATIVE coolant void and temperature coefficients of reactivity

Unique Features

Facts
- Low power (the peak power per bundle = 5 kW)
- Low fuel temperature (~50 °C)
- Negative coefficients of reactivity; example: even for an unprotected insertion of 0.6% Δk/k, the peak fuel temperature is ~108 °C (the fuel melting point is 582 °C)

Results
- Under regular conditions, the reactor can be shut down by dumping the coolant
- No need for an Engineered Safety Features Actuation System (ESFAS)
- One-train protection and control system; no protection against a single failure is needed

Introduction of the UF Team, their functions, and support teams from AREVA & Siemens

Project Organization
[Figure: UFTR Digital Control System Upgrade Project - Organization chart. Project Manager: Prof. Alireza Haghighat; Project Coordinator: Dr. Gabriel Ghita, RS; boxes for QA Management, IV&V Auditor and the Configuration Control Board (CCB); task groups System Design & Analysis (Lead: Prof. A. Haghighat), Software Development (Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS) and Hardware & Installation (Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM). Other names on the chart: William Van (cut off), Prof. Edward Dugan, Prof. Mark Harrison, Prof. DuWayne Schubring, Prof. James Baciak, George Fekete (UG), Daniel Lago (UG), Matt Marzano (GR), Matt Berglund (SRO), Steven Brown (UG), Jennifer Musgrave (UG), Andrew Holcomb (UG)]
CCB = Configuration Control Board, IV&V = Independent Verification & Validation, GR = Graduate Student, MS = Master in Science, QA = Quality Assurance, RS = Research Scientist, RM = Reactor Manager, SRO = Senior Reactor Operator, UG = Undergraduate Student

[Figure: AREVA / Siemens / UFTR project organization chart. Roles shown: AREVA Corporate Sponsor, AREVA PM, UFTR PM (Dr. Alireza Haghighat), Training, AREVA PE, QA Manager, Licensing Support, SW Lead Engineer, HW Lead Engineer, Installation Support (TBD). Names shown: Mehdi Tadjalli, Eric Wallace, Herbert (surname cut off), Mike Fillian, Sean Kelley, Oldrich (surname cut off), Mark Milo, Mark Burzynski, Jason Reed, Ryan Nash]

Proposed TXS Protection System

The TXS system block consists of hardware and software that provide for protection, control, indication, and monitoring.

The current licensed UFTR protection and control system utilizes one train, which contains two sets of nuclear instrumentation that have to be operational simultaneously for complete coverage of reactor power.

Similar to the current UFTR protection and control system, we propose a one-train system which includes signal diversity; it is capable of identifying invalid signals and their diverse signals.

It is worth noting that we are also considering a two-train design (i.e., with two levels of redundancy) for training, education and research purposes.

The figure below depicts the TXS system (with two trains), which is comprised of the following components:
- Acquisition and Processing (AQP)
- Voter - Voting and Actuation (VT) (needed for the two-train design)
- Main Control Room (MCR)
- Monitoring Service Interface (MSI)

[Figure: Proposed TXS Protection System block diagram. AQP: Acquisition and Processing; VT: Voter; MSI: Monitoring and Service Interface; T-3000: control system; QDS: Qualified Display System; SU: Service Unit; GW: Gateway; RTS: Reactor Trip System]

Safety System Design Basis

Here, we discuss the changes to be considered for the UFTR Design Basis due to the digital protection system upgrade. To facilitate this discussion, we will utilize the IEEE-603 Design Basis clauses.

Clause 4-1 (Comment: no change): The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event.

Clause 4-2 (Comment: no change): The safety functions and corresponding protective actions of the execute features for each design basis event.

Clause 4-3 (Comment: N/A): The permissive conditions for each operating bypass capability that is to be provided.

Clause 4-4 (Comment: change): The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.

Clause 4-5 (Comment: no change): The protective actions identified in clause 4-2 that may be controlled by manual means initially or subsequently to initiation.

Clause 4-6 (Comment: change): For those variables in clause 4-4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.

Clause 4-7 (Comment: change): The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform.

Clause 4-8 (Comment: N/A): The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).

Clause 4-9 (Comment: N/A): The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.

Clause 4-10 (Comment: change): The critical points in time or the plant conditions, after the onset of a design basis event.

Clause 4-11 (Comment: no change): The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.

Clause 4-12 (Comment: change): Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria).

Clause 4.1 of IEEE Std. 603 The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event (IEEE-603)

The proposed protection system has two modes of operation, automatic and manual. Below, for each Design Basis Event, the mode of system operation is provided:
- Loss-of-Coolant Accident (LOCA) during full power operation (automatic)
- Slow Insertion of 0.06% Δk/k/s for 10 seconds (automatic)
- Sudden Insertion of the Maximum Allowed Excess Reactivity of 1.4% Δk/k (automatic)
- Sudden Insertion of the Maximum Allowed Reactivity of 0.6% Δk/k (automatic)
- Control Blade System Malfunction (manual)
- Loss of Power (manual)

List of Design Basis Events (Accidents)

Loss-of-Coolant Accident (LOCA)
A LOCA will cause the loss of the valid flow rate meter (FRM) signal in the primary coolant loop, which will cause automatic initiation of BDT via TXS. Loss of coolant in the core due to the LOCA will also contribute to the safe shutdown of the UFTR as a result of the negative void coefficient of reactivity.

Reactivity insertion events
- Slow insertion of 0.06% Δk/k/s without scram
- Sudden Insertion of the Maximum Allowed Excess Reactivity (1.4% Δk/k)
- Sudden Insertion of the Maximum Allowed Reactivity (0.6% Δk/k)
The above reactivity events shall cause automatic initiation of FT via TXS when any NI signal becomes invalid due to high reactor power.

Control Blade System Malfunction
This anticipated operational occurrence shall be mitigated by opening the Dump Valve, initiated by the MRS.

Loss of Power
Loss of Power directly causes BDT, thus no execute feature must be initiated during this event.

Clause 4.3 of IEEE Std. 603 The permissive conditions for each operating bypass capability that is to be provided (IEEE 603)

There is no need for an operating bypass for UFTR, thus there are no permissive conditions for this type of bypass.


Clause 4.4 of IEEE Std. 603 The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured (IEEE 603)

The existing analog protection system has four levels of protection for the design basis events:

- pre-operation check,

- monitoring,

- interlocks, and

- trip system.

For the new digital protection system, besides the aforementioned levels, we are considering signal diversity in order to protect the system against the Common Cause Failure.


Clause 4.4 of IEEE Std. 603 (contd)

Table 1 - List of components checked prior to reactor startup
 1  Core Vent                              14  Primary Coolant Resistivity Determinations
 2  Diluting Fan System                    15  Blade Withdrawal Time Measurement
 3  Blade Gear Box                         16  Primary Coolant
 4  Manometers and Magnetic Gage           17  Magnet Power Key
 5  Portal Monitor                         18  Log/linear recorder
 6  Core Vent and Diluting Fan Systems     19  Equipment Pit Checkout and Gamma Radiation Levels
 7  Shield Water                           20  Water Sample Analysis
 8  Demineralizer Pump                     21  Air Particulate Detectors
 9  Magnet Power Key                       22  Radiation Monitor Console
10  Exterior lights                        23  Secondary Water and Strainer
11  Neutron recorder                       24  Security System Monitors
12  Primary Coolant Pump                   25  Complete Records
13  Source Alarm

Table 2 - Description of monitoring parameters during operations
1  Main AC power line
2  Primary and secondary coolant pump power
3  Console power
4  Core ventilation fan power
5  Stack dilution fan
6  Area radiation monitor
7  Stack/vent monitor
8  Air particulate

Table 3 - Description of Interlocks
1  Inhibits attempt of simultaneous withdrawal of 2 or more safety blades (mode 2*)
2  Inhibits attempt of withdrawal of regulating blade with a period (T) < 30 s (mode 2)
3  Inhibits withdrawal of blades if the source count rate is < 2 cps (mode 1**)
4  Inhibits withdrawal of blades if period (T) < 10 s (mode 1)
5  Inhibits reactor operation if safety channels 1 & 2 are not operable (mode 1)
*  Mode 2: Automatic control
** Mode 1: Manual Protection and Control

Table 4 - List of conditions for trip

Condition                                                             Type of Trip
Automatic
- Period 3 sec                                                        FT*
- Power 119 kW                                                        FT
- Loss of chamber high voltage (90%)                                  FT
- Loss of electrical power to control console                         FT
- Primary cooling system                                              BDT**
    o Loss of pump power
    o Low water level in core (42.5")
    o No outlet flow
    o Low inlet water flow (41 gpm)
- Secondary cooling system (at power levels > 1 kW)                   BDT
    o Loss of flow (well water, 60 gpm)
    o Loss of pump power
- High primary coolant inlet temperature (99 °F)                      BDT
- High primary coolant outlet temperature (155 °F)                    BDT
- Shield tank - Low water level (6" below established normal level)   BDT
- Ventilation system
    o Loss of power to dilution fan
    o Loss of power to core vent system
Manual
- Console key-switch OFF (two blades off bottom)                      FT

*  FT: Full Trip (including Dump Valve Trip and BDT)
** BDT: Blade Drop Trip
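The automatic conditions of Table 4, together with the rule that an invalid NI signal causes a full trip, as a small trip evaluator. This is an added illustration in Python, not the TXS application software, the UFTR analog protection circuitry or code from the presentation authors; the field names, the reading of "low" as below and "high" as above each setpoint, the use of None for an invalid NI signal, and BDT for the ventilation row (whose trip type is not printed on the slide) are assumptions of this example.

```python
"""Model of the automatic trip conditions in Table 4 of the UFTR slides.

Added illustration, not TXS or UFTR code. Setpoints are the ones printed on
the slides; field names, comparison directions, None-as-invalid-signal and
BDT for the ventilation row are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

FT = "FT"    # Full Trip: dump valve trip plus blade drop trip
BDT = "BDT"  # Blade Drop Trip only


@dataclass(frozen=True)
class Readings:
    period_s: Optional[float]        # reactor period; None = NI signal invalid
    power_kw: Optional[float]        # reactor power; None = NI signal invalid
    chamber_hv_pct: float            # chamber high voltage, % of nominal
    console_power: bool
    primary_pump_power: bool
    core_water_level_in: float
    primary_outlet_flow: bool
    primary_inlet_flow_gpm: float
    secondary_pump_power: bool
    secondary_flow_gpm: float        # well water
    inlet_temp_f: float
    outlet_temp_f: float
    shield_tank_drop_in: float       # inches below the established normal level
    dilution_fan_power: bool
    core_vent_power: bool


def nominal_readings() -> Readings:
    """Constructed steady-state values inside the operating limits of slide 15."""
    return Readings(period_s=1000.0, power_kw=100.0, chamber_hv_pct=100.0,
                    console_power=True, primary_pump_power=True,
                    core_water_level_in=45.0, primary_outlet_flow=True,
                    primary_inlet_flow_gpm=43.0, secondary_pump_power=True,
                    secondary_flow_gpm=70.0, inlet_temp_f=80.0,
                    outlet_temp_f=95.0, shield_tank_drop_in=0.0,
                    dilution_fan_power=True, core_vent_power=True)


def with_changes(r: Readings, **changes) -> Readings:
    """Copy of r with some fields overridden, for building transient cases."""
    return replace(r, **changes)


def evaluate_trips(r: Readings) -> List[Tuple[str, str]]:
    """Return (trip type, cause) for every Table 4 automatic condition that is met.

    An invalid NI signal (None) trips like an out-of-range one, matching the
    slides' rule that FT follows when any NI signal becomes invalid.
    """
    trips: List[Tuple[str, str]] = []
    # Full-trip conditions (nuclear instrumentation and console)
    if r.period_s is None or r.period_s < 3.0:
        trips.append((FT, "period"))
    if r.power_kw is None or r.power_kw > 119.0:      # LSSS power
        trips.append((FT, "power"))
    if r.chamber_hv_pct < 90.0:
        trips.append((FT, "chamber high voltage"))
    if not r.console_power:
        trips.append((FT, "console power"))
    # Primary cooling system: blade-drop trip
    if not r.primary_pump_power:
        trips.append((BDT, "primary pump power"))
    if r.core_water_level_in < 42.5:
        trips.append((BDT, "core water level"))
    if not r.primary_outlet_flow:
        trips.append((BDT, "primary outlet flow"))
    if r.primary_inlet_flow_gpm < 41.0:                # LSSS flow
        trips.append((BDT, "primary inlet flow"))
    # Secondary cooling system: only enforced at power levels above 1 kW
    if r.power_kw is not None and r.power_kw > 1.0:
        if r.secondary_flow_gpm < 60.0:
            trips.append((BDT, "secondary flow"))
        if not r.secondary_pump_power:
            trips.append((BDT, "secondary pump power"))
    # Temperatures and shield tank
    if r.inlet_temp_f > 99.0:
        trips.append((BDT, "inlet temperature"))
    if r.outlet_temp_f > 155.0:
        trips.append((BDT, "outlet temperature"))
    if r.shield_tank_drop_in > 6.0:
        trips.append((BDT, "shield tank level"))
    # Ventilation: trip type assumed to be BDT (not printed on the slide)
    if not r.dilution_fan_power or not r.core_vent_power:
        trips.append((BDT, "ventilation power"))
    return trips


def protective_action(r: Readings) -> Optional[str]:
    """The single demanded action: FT dominates BDT because FT includes BDT."""
    kinds = {kind for kind, _ in evaluate_trips(r)}
    return FT if FT in kinds else BDT if BDT in kinds else None
```

Calling `protective_action(with_changes(nominal_readings(), power_kw=125.0))` returns "FT", while a low primary inlet flow of 36 gpm alone yields only a "BDT".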

Table 5. List of signals for each train of the proposed UFTR TXS system

Reactor Feature                   Primary Mode of Detection        AI(c)  DI(d)  Segment of UFTR
High Power Level                  *FC(a), IC(b)                    2      -      Core
Reactor Period, Low Power Level   BF3, IC                          2      -      Core
Temperature                       *Resistive TD                    10     -      core, primary, secondary
Flow Rate                         Flow Rate Monitor (FRM)          2      2      primary, secondary
Water Level                       Water Level Monitor* (WLM)       2      1      Core, storage tank*, shield tank
Area Radiation Level              Area Radiation Monitor (ARM)     4      4      east, north, south, west*
Fan Availability                  Fan Monitor (FM)                 1      2      Core ventilation, stack dilution, stack dilution RPM

(a) Fission Chamber; (b) Ion Chamber; (c) AI, Analog Input; (d) DI, Digital Input
* Indicates a new monitoring device and/or location that shall be added in the proposed system

Table 6. Signal diversity within each train (columns: Core, Primary, Secondary, Reactor Cell, Confinement)
[Table 6 check marks: the column placement did not survive extraction; number of segments checked per sensor/monitor: FC+BF3 1, IC 1, RTD 3, FRM 3, WLM 2, ARM 2, FM 2]

Clause 4.5 of IEEE Std. 603 The protective actions identified in Clause 4-2 that may be controlled by manual means initially or subsequently to initiation (IEEE 603)

Manual reactor scram (MRS) is available in the event that TXS fails to initiate RTS. Depression of the MRS button causes the control blade drive (clutch current control) to shut off, which allows the blades to drop into the core due to gravity.

The MRS button will also provide a HW and SW interrupt for the TXS system.

This event is referred to as a blade-drop trip (BDT). If the control blades do not function properly and the core overheats, the negative void and temperature coefficients will cause the core to go subcritical and shut down even without insertion of the control blades. Therefore, instrumentation is not an absolute necessity for shutting the UFTR down because of its inherent safety features.

Clause 4.5.1 of IEEE Std. 603 The points in time and the plant conditions during which manual control is allowed (IEEE 603)

Protective action may be initiated by manual means at any time during reactor operation.


Clause 4.5.2 of IEEE Std. 603 The justification for permitting initiation or control subsequent to initiation solely by manual means (IEEE 603)

Justification for permitting initiation by manual means lies in the fact that no action or inaction of the operator during a design basis event can result in the uncontrolled release of radioactivity.

Clause 4.5.3 of IEEE Std. 603 The range of environmental conditions imposed upon the operator during normal, abnormal, and accident conditions throughout which the manual operations shall be performed (IEEE 603)

Environmental conditions imposed upon the operator during normal, abnormal, and accident conditions shall not be of concern, since the worst-case accident scenario does not result in the release of radioactivity.

It is also important to note that the new main control room (MCR) will be isolated from the reactor cell.

Clause 4.5.4 of IEEE Std. 603 The variables in clause 4.4 that shall be displayed for the operator to use in taking manual action (IEEE 603)

All variables listed in Table 1 shall be displayed for the operator on the Qualified Display System (QDS) of the TXS protection system and the display of the T3000 control system.

The new system has an added qualified display, i.e., QDS.


Clause 4.6 of IEEE Std. 603 For those variables in item d) that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes (IEEE 603)

The number and locations of sensors required for protective purposes is provided in Table 1. Loss of all valid signals from any one of the five segments of the UFTR listed in Table 3 shall result in the safe shutdown of the UFTR via BDT.


Clause 4.7 of IEEE Std. 603 The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform (IEEE 603)

The existing UFTR control room is located within the reactor cell, which uses the same energy supply and environmental control.

The new TXS system components are located in the MCR, which is isolated from the reactor cell. The MCR receives power and air-conditioning that is independent from the reactor cell. Prevention of electromagnetic interference is achieved by the shielding effect of metallic front plates in each TXS cabinet. Thus, conditions within the MCR are not subject to change due to the UFTR transient or steady-state conditions.


Clause 4.8 of IEEE Std. 603 The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems) (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in affecting the integrity of the fuel, and therefore there is no uncontrolled release of radiation.


Clause 4.9 of IEEE Std. 603 The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design (IEEE 603)

Reliability analysis is not required for safety assessments because of the inherent safety features of the UFTR.


Clause 4.10 of IEEE Std. 603 The critical points in time or the plant conditions, after the onset of a design basis event (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in the uncontrolled release of radiation.

Clause 4.10.1 of IEEE Std. 603 The point in time or plant conditions for which the protective actions of the safety system shall be initiated (IEEE 603)

Tables 5 and 6 show the conditions for interlocks, and automatic and manual initiation of the reactor trips, respectively.

Clause 4.10.2 of IEEE Std. 603 The point in time or plant conditions that define the proper completion of the safety function (IEEE 603)

Protective action is complete when either BDT or FT has been initiated. It is important to note that physical failure of the RTS does not cause an uncontrolled release of radiation. Indication of initiation shall be provided in the main control room (MCR).


Clause 4.10 of IEEE Std. 603 (contd)

Clause 4.10.3 of IEEE Std. 603 The point in time or the plant conditions that require automatic control of protective actions (IEEE 603)

No automatic control is required following the RTS initiation.

Clause 4.10.4 of IEEE Std. 603 The point in time or the plant conditions that allow returning a safety system to normal (IEEE 603)

Plant conditions return to normal once enough valid signals are available to continue operation of the UFTR. Signals whose values are within the LSSS ranges are considered valid; the ranges are provided in Clause 4.4.


Clause 4.11 of IEEE Std. 603 The equipment protective provisions that prevent the safety systems from accomplishing their safety functions (IEEE 603)

No safety functions shall be disabled as a means for protective provisions.

Clause 4.12 of IEEE Std. 603 Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria) (IEEE 603)

Because the proposed system contains digital instrumentation and controls, D3 among system components is analyzed. The issue of SWCCF amongst digital equipment is addressed.

The proposed monitoring train offers signal diversity, and the protection system includes system diversity.


D3 Analysis

Echelons of Defense
Because of the aforementioned unique features of the UFTR, the four echelons of defense (NUREG/CR-6303) reduce to three, as follows:
- Control System
- Reactor Trip System (RTS)
- Monitoring and Indicator System (MIS)

Echelons of defense provide multiple barriers to radiation release for a reactor.

Design of the Protection System
The proposed system is divided into several blocks. It shall be credibly assumed that internal failure within these blocks will be contained.

[Figure: system blocks. TXS: Teleperm X-window Safety; T-3000: control system; MRS: Manual Reactor Scram]

System block functions
System blocks address different combinations of the three echelons of defense:

Block     Control System   RTS   MIS
MRS       -                x     -
TXS       x                x     x
T-3000    x                -     x

Interactions between blocks
- All the signals within a train are input to both the TXS and T-3000 systems; this is important because, in case of failure of the TXS system (not known to the operator), the operator can identify the situation through the T-3000 displays and initiate the MRS.
- TXS maintains a unidirectional communication with T-3000 through its Gateway (GW).

Diversity among system blocks
- TXS vs T-3000: these systems, which are computer-based, have different hardware and software, resulting in monitoring diversity.
- Manual Reactor Scram (MRS): this block has an inherent diversity from the TXS.

Diversity - Echelons of Defense
- Failure of MRS block: no impact on echelons of defense. TXS will initiate RTS; T-3000 and TXS will remain functioning as a MIS.
- Failure of TXS block: no impact on echelons of defense. The MIS echelon will only contain indication of the failed TXS system (via T-3000), and therefore MRS will initiate the RTS echelon.
- Failure of T-3000 block: no impact on echelons of defense. RTS is initiated via MRS.

Effect of Common-Cause Failure
- Since a CCF is confined within a block, there is no impact on the echelons of defense.
- Software errors and CCF are possible within the TXS block, but because of system diversity, these errors are not possible within the MRS block.
- CCF amongst sensing equipment is possible across different sensors within the same train. The TXS processor has the necessary logic to identify the problem and initiate RTS.

CCF of different types
- Type 1: This will not result in the loss of protection due to the signal diversity between sensing equipment.
- Type 2: Signal diversity may mitigate this type of failure. However, because of the unique design features of the UFTR, there is no need for ESFAS.
- Type 3: Signal diversity may mitigate this type of failure. However, because of the unique design features of the UFTR, there is no need for ESFAS.
- Software CCF: The existence of the MRS, and the diversities between the TXS and T-3000 blocks, are adequate for preventing a SWCCF across the protection system. In addition, loss of all protective functions does not cause any fuel failure and therefore there is no possibility of uncontrolled release of radioactivity.

Concluding Remarks on D3
- The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure.
- Vulnerability to CCF is adequately addressed by the proposed strategy, primarily because of the design diversity that exists between the analog and digital means for initiating RTS.
- The TXS system will also have improved reliability due to extensive signal diversity and possible redundancy of inputs.
- As a final note, the analysis found that no failure of equipment or operator action/inaction can result in fuel failure and therefore uncontrolled release of radioactivity.

Planning & related documentation
The UFTR is using a previously-approved (under NRC evaluation) digital system, with appropriate modifications due to the particular characteristics of the research reactor. According to ISG-6, the UFTR falls under the Tier 2 application approach.

Ref: QA1-QAPP Attachment #4, List of UFTR Documents
 1  UFTR-QAP          UFTR QA Program
 2  UFTR-QAP-01-P     Conduct of Quality Assurance
 3  UFTR-QA1-QAPP     Quality Assurance Project Plan (QAPP)
 4  UFTR-QA1-01       Software Quality Assurance Plan (SQAP)
 5  UFTR-QA1-02       Software Configuration Management Plan (SCMP)
 6  UFTR-QA1-03       Software Verification and Validation Plan (SVVP)
 8  UFTR-QA1-05       Software Safety Plan (SSP)
 9  UFTR-QA1-06.1     Software Test Plan - SIVAT Plan
10  UFTR-QA1-06.2     Factory Acceptance Test (FAT) Plan
11  UFTR-QA1-14       Safety System Design Basis
12  UFTR-QA1-100      Functional Requirements Specification (FRS)
13  UFTR-QA1-101.1    List of I/Os
14  UFTR-QA1-102.3    ID Coding
15  UFTR-QA1-103      Diversity and Defense-in-Depth (D3) Analysis
16  UFTR-QA1-104      Failure Modes Effect Analysis (FMEA)
17  UFTR-QA1-105      TELEPERM XS Cyber Security
18  UFTR-QA1-106      Reliability Analysis
19  UFTR-QA1-107      Safety Analysis
20  UFTR-QA1-108      Requirement Traceability Matrix
Legend: Reviewed by AREVA; Draft documents not reviewed

Quality Assurance Program

Ref: UFTR-QAP, Quality Assurance Program for UFTR

Foreword to ANS Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

It must be noted that research reactors have two characteristics which affect the type of quality assurance program that should be applied to them, when compared to power reactors:

i) Reliability of most of the components of a research reactor does not affect the health and safety of the public since failure of the component generally shuts the system down and little else occurs.

ii) A typical research reactor operates on a limited budget with its continued existence dependent upon maintaining a low-cost, reliable operation.

Because of these inherent characteristics, the quality assurance program for research reactors is applied primarily to safety-related and important items and should be graded appropriately to be economically feasible.


Quality Assurance Program

Ref: UFTR-QAP, Quality Assurance Program for UFTR

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization
It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions.
(a) quality is achieved and maintained by those who have been assigned responsibility for performing the work;
(b) quality achievement is verified by persons not directly performing the work.

2.3.3 Design verification
Design verification shall be performed by competent individuals or groups other than those who performed the design, but who may be from the same organization.


Ref: UFTR-QA1-03, Software Verification and Validation Plan

1. Independence of the V&V organization (management, schedule, and finance)

Based on our organization size and limited resources, we have selected the third form of independence (i.e., Internal IV&V) as described in IEEE 1012-1998. In this form of independence, the development and IV&V personnel are from the same organization.

In our project, the IV&V personnel are not involved in the development, they have managerial independence, and the major portion of their budget is independent of the developers' budget.

UFTR Digital Control System Upgrade Project - Organization (org chart; the roles and names recoverable from it are listed below)

Project Manager: Prof. Alireza Haghighat
Project Coordinator: Dr. Gabriel Ghita, RS
QA Management: William Van…ke (name truncated in the source)
IV&V Auditor: Prof. Edward Dugan
CCB: Prof. DuWayne Schubring, Prof. A. Haghighat, Prof. Glenn Sjoden, Prof. James Baciak
System Design & Analysis: Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS
Software Development: Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS
Hardware & Installation: Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM
Other team members shown in the chart: Prof. James Baciak, Prof. A. Haghighat, Prof. Mark Harrison, George Fekete (UG), Daniel Lago (UG), Matt Marzano (GR), Matt Berglund (SRO), Steven Brown (UG), Jennifer Musgrave (UG), Andrew Holcomb (UG)

Legend: CCB = Configuration Control Board, IV&V = Independent Verification & Validation, GR = Graduate Student, MS = Master of Science, QA = Quality Assurance, RS = Research Scientist, RM = Reactor Manager, SRO = Senior Reactor Operator, UG = Undergraduate Student

Ref: UFTR-QA1-03, Software Verification and Validation Plan

2. The number of the V&V personnel

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization
It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions.

3. The results of the V&V effort are to be fully and carefully documented, and each discrepancy is to be documented in a report that includes how it was resolved, tested, and accepted by the V&V organization.

4. Software Integrity Level (SIL)

The unique safety features of the UFTR allow the use of V&V software integrity level 1 as described in IEEE 1012-1998. The following table provides the required tasks for the different SI levels.


TXS Equipment changes

The new generation of the TXS equipment is very similar to the previous generation:

SVE2 processor has not changed
Analog and digital I/O modules have the same functionality and will be used in compatibility mode
Communication lines have improved and have larger data throughput
QDS, SU, and GW are the same as in the previous generation

Discussion on the two-train option

The proposed UFTR protection and control system includes three main components:

TXS digital protection system
T-3000 digital system for monitoring, indication, and control
Manual Reactor Scram (MRS) system, which is invoked by the operator for initiating RTS

Similar to the current UFTR license, we intend to apply for a one-train safety system. This train, however, includes various signals (from NIs and sensors) which provide the added benefit of signal diversity. (The old system includes only NIs with no diversity.)

We are exploring the possibility of adding a redundant train for the purpose of testing and training on the hardware and software.

Proposed schedule (Date - Task - Phase)

Sept 2008 - Oct 2009: Preparation of QA and planning documentations; preliminary design and analysis; training of personnel on TXS and T-3000 systems; design, analysis and manufacturing of a new piping system
Oct. 16, 2009: Presentation of the preliminary design and analysis and related documentations to the NRC (Phase 0)
Oct 16 - Dec. 2009: NRC decision on the proposed design and planning; installation of the new piping system, testing and analysis of the system; initiate installation of new Nuclear Instrumentations (NIs) and sensors
January 2010: Submittal of preliminary documentations to the NRC (Phase 1)
Jan - March 2010: Review and preparation of Request for Additional Information (RAI) by the NRC; installation and testing of NIs and sensors
March - June 2010: Resolution of the NRC RAIs; installation, testing and benchmarking of NIs and sensors
July 2010: Completion and submittal of documentations for the detailed design (Phase 2)
July - Sept 2010: Review and preparation of RAIs by the NRC; initiate preparation of training documentations
Sept - Dec 2010: Resolution of the NRC RAIs; initiate manufacturing
Jan - March 2011: Manufacturing
March - April 2011: Factory testing
April - May 2011: Installation
May - June 2011: Integration testing and preparation of final documentations on FAT, post-installation, operations and training (Phase 3)