ML093230647

From kanterella
University of Florida Phase 0 Presentation
ML093230647
Person / Time
Site: 05000083
Issue date: 12/22/2009
From: Ghita G, Haghighat A
Univ of Florida
To:
NRC/NRR Adams Working Group
Hardesty, D NRC/NRR/DPR/PRTA 415-3724
References
Download: ML093230647 (77)


Text

Presentation on UFTR Licensing Amendment Application (Phase 0)

Alireza Haghighat, FP&L Professor, UFTR Director
Gabriel Ghita, Research Scientist, Project Coordinator
Nuclear & Radiological Engineering Department, University of Florida, Gainesville, Florida
For presentation to the NRC, Washington DC, Oct. 16, 2009

Outline

- Introduction to the reactor design
  - Core, primary loop, secondary loop, reactor cell, confinement
  - Accident scenarios
- Current I&C design
  - Features
  - Licensing requirement
- Introduction to the UF Team, their functions, and support teams from AREVA & Siemens
- Proposed TXS Protection System
  - Safety System Design Basis
  - D3 Analysis (considering Design Basis changes)
- Introduction to plans
  - QAP
  - V&V
- Discussion on TXS Equipment
  - Possibility of installation of a redundant Train for testing, benchmarking and training
- Proposed schedule

UFTR timelines

- Established in 1959 with a power of 10 kW
- In 1963, its power was increased to 100 kW
- In 1970, its fuel was changed from LEU to HEU
- In Sept. 2006, its fuel was changed from HEU to LEU

Figure: Schematic of UFTR (axial projection). Labelled parts: Core, Graphite, Shield Tank.

Figure: Schematic of UFTR (horizontal projection).

Figure: UFTR Core. Labelled parts: Control blade, Fuel box, Graphite, S1, S2, S3, RG.

Fuel Plate Characteristics

- LEU Fuel Type: U3Si2-Al
- Fuel Meat Size: Width (cm), Thickness (cm), Height (cm)
- Fuel Plate Size: Width (cm), Thickness (cm), Height (cm)
- Cladding material: 6061 Al
- Cladding Thickness (cm)
- Fuel Enrichment (nominal): 19.75%
- Meat Composition (wt% U)
- Mass of 235U per Plate (nominal)
- Number of Plates per Fuel Bundle

Core at critical condition - Fuel pattern and blade positions

- Safety 1, at 26.3 degrees
- Safety 2, at 26.3 degrees
- Safety 3, at 26.3 degrees
- Regulating, at 16.9 degrees
- Dummy bundle: 10 fuel plates & 3 dummy plates

Figure: Total neutron flux distribution.

Figure: Bundle power distribution (kW), with schematic of the core.

Core Lifetime

Expected end-of-life LEU core with fuel burnup of ~86.67 MWD; this is based on full-power operation time of 4 hr/day, 5 day/week, 20 years.

Figure: UFTR Primary Coolant Loop Design (including locations of sensing devices). Components shown: From Demineralizer Loop, Coolant Storage Tank, Heat Exchanger, To Demineralizer Loop, Rupture Disk, Dump Valve, Secondary Storage Well, UFTR Core, Air Bleed Valve, To Secondary Side.

Legend:
- RTD, Level Indicator, Flowmeter, Closed Valve (Normal Operation)
- NI: Fission Chamber/BF3, Ion Chamber; Primary Flow

Operating Region

Figure 5. 20 mil tolerance on Water Channel Spacing and 0.065" Repositioning of Each Assembly Due to Combs. Axes: True Coolant Flow Rate (gpm) vs. True Reactor Power (kW); curves for Tin = 86 F, 100 F and 110 F; operating regions shown for Max. Tin = 100°F and Max. Tin = 110°F.

- True Max. Power: 125 kW; LSSS Power: 119 kW; Max Operating Power: 100 kW
- For Max. Inlet Temp. = 100°F: True Minimum Flow Rate 39 gpm; LSSS Flow Rate 41 gpm; Operating Flow Rate 48 gpm
- For Max. Inlet Temp. = 110°F: True Minimum Flow Rate 43 gpm; LSSS Flow Rate 45 gpm; Operating Flow Rate 52 gpm

UFTR Control Parameters and Settings

Parameter              | True Limit | LSSS | Operating Values
Power (kW)             | 125        | 119  | 100
Inlet Flow Rate (gpm)  | 34         | 36   | 43
Inlet Temperature (F)  | 100        | 99   | 80
Outlet Temperature (F) | 165        | 155  | 95

Accident Scenarios & Analysis

Accident Scenarios

- A rapid insertion of 0.6% Δk/k reactivity. This scenario represents the reactivity insertion resulting from the rapid ejection of the maximum worth of all moveable and non-secured experiments from the reactor. Cases were analyzed both with and without reactor SCRAM.
- A reactivity ramp insertion of 0.06% Δk/k/s for 10 seconds. This scenario represents the insertion of reactivity due to control blade withdrawal at the maximum rate allowed by the UFTR Technical Specifications. This accident is assumed to be terminated by reactor SCRAM.

A rapid insertion of 0.6% Δk/k reactivity with scram (fresh fuel)

Steady State Condition: Power 100 kW in all cases.

Case                           | 43 gpm, Tin=86°F | 34 gpm, Tin=86°F | 34 gpm, Tin=109°F | 43 gpm, Tin=86°F
Blade Drop Time (s)            | 1.0  | 1.0  | 1.0  | 1.5
Time to Peak Power (s)         | 0.14 | 0.14 | 0.14 | 0.14
Peak Power (kW)                | 316  | 316  | 316  | 318
Tfuel (max) at Peak Power (°C) | 51.9 | 54.4 | 66.7 | 51.9
Tfuel (max) (°C)               | 52.2 | 54.8 | 67.0 | 52.5
Tclad (max) (°C)               | 52.2 | 54.7 | 67.0 | 52.5
Tcool max (°C)                 | 44.6 | 47.6 | 59.9 | 44.6

A rapid insertion of 0.6% Δk/k reactivity with scram (depleted fuel)

Steady State Condition: Power 100 kW in all cases.

Case                           | 43 gpm, Tin=86°F | 34 gpm, Tin=86°F | 34 gpm, Tin=109°F | 43 gpm, Tin=86°F
Blade Drop Time (s)            | 1    | 1    | 1    | 1.5
Time to Peak Power (s)         | 0.14 | 0.14 | 0.14 | 0.15
Peak Power (kW)                | 322  | 322  | 322  | 328
Tfuel (max) at Peak Power (°C) | 52   | 54.8 | 67   | 52.1
Tfuel (max) (°C)               | 52.6 | 55.3 | 67.5 | 52.6
Tclad (max) (°C)               | 52.6 | 55.3 | 67.5 | 52.5
Tcool max (°C)                 | 44.5 | 47.5 | 59.8 | 44.5

A rapid insertion of 0.6% Δk/k reactivity without scram (fresh fuel)

Steady State Condition: Power 100 kW in all cases.

Case                           | 43 gpm, Tin=86°F | 34 gpm, Tin=86°F | 34 gpm, Tin=109°F
Time to Peak Power (s)         | 2.48 | 2.44 | 2.30
Peak Power (kW)                | 1199 | 1186 | 1112
Tfuel (max) at Peak Power (°C) | 95   | 95   | 100
Tfuel (max) (°C)               | 107  | 108  | 109
Tclad (max) (°C)               | 107  | 108  | 109
Tcool max (°C)                 | 101  | 101  | 102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A rapid insertion of 0.6% Δk/k reactivity without scram (depleted fuel)

Steady State Condition: Power 100 kW in all cases.

Case                           | 43 gpm, Tin=86°F | 34 gpm, Tin=86°F | 34 gpm, Tin=109°F
Time to Peak Power (s)         | 2.36 | 2.32 | 2.19
Peak Power (kW)                | 1337 | 1321 | 1235
Tfuel (max) at Peak Power (°C) | 96   | 96   | 101
Tfuel (max) (°C)               | 108  | 109  | 110
Tclad (max) (°C)               | 108  | 109  | 110
Tcool max (°C)                 | 101  | 101  | 102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A slow insertion of 0.06% Δk/k/s reactivity with scram (fresh fuel)

Steady State Condition: Power 100 kW in all cases.

Case                           | 43 gpm, Tin=86°F | 34 gpm, Tin=86°F | 34 gpm, Tin=109°F | 43 gpm, Tin=86°F
Blade Drop Time (s)            | 1.0  | 1.0  | 1.0  | 1.5
Time to Peak Power (s)         | 2.22 | 2.22 | 2.22 | 2.22
Peak Power (kW)                | 127  | 127  | 127  | 127
Tfuel (max) at Peak Power (°C) | 52.1 | 54.6 | 66.8 | 52.1
Tfuel (max) (°C)               | 52.1 | 54.6 | 66.8 | 52.1
Tclad (max) (°C)               | 52.0 | 54.6 | 66.8 | 52.0
Tcool max (°C)                 | 44.6 | 47.6 | 60.0 | 44.6

A slow insertion of 0.06% Δk/k/s reactivity with scram (depleted fuel)

Steady State Condition: Power 100 kW in all cases.

Case                           | 43 gpm, Tin=86°F | 34 gpm, Tin=86°F | 34 gpm, Tin=109°F | 43 gpm, Tin=86°F
Blade Drop Time (s)            | 1    | 1    | 1    | 1.5
Time to Peak Power (s)         | 0.14 | 0.14 | 0.14 | 0.15
Peak Power (kW)                | 322  | 322  | 322  | 328
Tfuel (max) at Peak Power (°C) | 52   | 54.8 | 67   | 52.1
Tfuel (max) (°C)               | 52.6 | 55.3 | 67.5 | 52.6
Tclad (max) (°C)               | 52.6 | 55.3 | 67.5 | 52.5
Tcool max (°C)                 | 44.5 | 47.5 | 59.8 | 44.5

Other Accidents

- LOCA during full power operation: The increase in fuel temperature following a LOCA results in shutdown of the reactor, either by the negative void coefficient of reactivity or by the insertion of control blades into the reactor. In both cases, the fuel temperature will increase by less than 17°C (30°F).
- Sudden insertion of maximum excess reactivity of 1.4% Δk/k results in an energy release of <6.1 MW and a cladding temperature of <300 C.
- Maximum Hypothetical Accident (MHA): Fuel Handling Accident (FHA). It is postulated that because of severe mechanical damage, the aluminum cladding is stripped from one fuel plate; it is assumed that 2.7% of the total volatile activity instantaneously escapes from the fuel plate into the reactor cell. Estimated occupational and public doses are smaller by several orders of magnitude relative to exposure limits.

Current UFTR Analog I&C and Operations

Figure: Current UFTR Analog Protection & Control System. Elements shown: ARM, WLM, FRM, TC, Electrical Monitoring, One Safety Train, Indicators, Shutdown (RTS, manual).

Shutdown Mechanisms

- Automatic
  - Blade Drop (BD) - clutch current control
  - Dump valve (DV) - solenoid current control
- Manual
  - Indicators (sirens, monitors & displays) followed by operators' manual actions: BD and/or DV
- Passive
  - NEGATIVE coolant void and temperature coefficient of reactivity

Unique Features

Facts:
- Low power (the peak power per bundle = 5 kW)
- Low fuel temperature (~50 C)
- Negative coefficients of reactivity. Example: even for an unprotected insertion of 0.6% Δk/k, the peak fuel temperature is ~108 C (fuel melting point is 582 C)
- Under regular conditions, the reactor can be shut down by dumping the coolant

Results:
- No need for an Engineered Safety Features Actuation System (ESFAS)
- One-train protection and control system
- No protection for single failure is needed

Introduction of the UF Team, their functions, and support teams from AREVA & Siemens

Project Organization: UFTR Digital Control System Upgrade Project - Organization

- Project Manager: Prof. Alireza Haghighat
- Project Coordinator: Dr. Gabriel Ghita, RS
- Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS; Prof. A. Haghighat; Matt Marzano, GR; Jennifer Musgrave, UG
- Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM; Prof. Mark Harrison; Matt Berglund, SRO; Andrew Holcomb, UG
- Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS; Prof. James Baciak; Daniel Lago, UG; Steven Brown, UG; Auditor: Dr. William Van Dyke
- CCB: Prof. A. Haghighat; Dr. G. Ghita, RS; Prof. Glenn Sjoden; Prof. James Baciak; Brian Shea, RM
- Lead: Prof. Edward Dugan; Prof. Mark Harrison; Prof. DuWayne Schubring; George Fekete, UG
- Functional groups shown: QA Management, IV&V, Hardware & Installation, Software Development, System Design & Analysis

Abbreviations: CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student

Project Organization: AREVA + UFTR

- AREVA Corporate Sponsor: Mehdi Tadjalli
- AREVA PM: Eric Wallace
- AREVA PE: Sean Kelley
- AREVA Project Team: Installation Support, TBD; HW Lead Engineer, Ryan Nash; SW Lead Engineer, Jason Reed; Training, Mike Fillian; Licensing Support, Mark Burzynski; QA Manager, Mark Milo
- Siemens PM: Oldrich Klokocka
- GmbH PM: Herbert Nussbaumer
- UFTR PM: Dr. Alireza Haghighat (UFTR Organization)

Proposed TXS Protection System

The TXS system block consists of hardware and software that provide for the protection, control, indication, and monitoring.

Current licensed UFTR protection and control system utilizes one train, which contains two sets of nuclear instrumentation that have to be operational simultaneously for a complete coverage of reactor power.

Similar to the current UFTR protection and control system, we propose a one-train system which includes signal diversity; it is capable of identifying invalid signals and their diverse signals.

It is worth noting we are also considering a two-train design (i.e., with two levels of redundancy) for training, education and research purposes.

The figure below depicts the TXS system (with two trains), which is comprised of the following components:

Acquisition and Processing (AQP)

Voter - Voting and Actuation (VT) (needed for the two-train design)

Main Control Room (MCR)

Monitoring Service Interface (MSI)

Figure: Proposed TXS Protection System. Legend: AQP, Acquisition and Processing; VT, Voter; MSI, Monitoring and Service Interface; QDS, Qualified Display System; SU, Service Unit; GW, Gateway; RTS, Reactor Trip System; T-3000 control system.

Safety System Design Basis

Here, we discuss the changes to be considered for the UFTR Design Basis due to the digital protection system upgrade.

To facilitate this discussion, we will utilize the IEEE-603 Design Basis clauses.

Clause # | Clause | Comment

4-1 | The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event. | no change
4-2 | The safety functions and corresponding protective actions of the execute features for each design basis event. | no change
4-3 | The permissive conditions for each operating bypass capability that is to be provided. | N/A
4-4 | The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured. | change
4-5 | The protective actions identified in clause 4-2 that may be controlled by manual means initially or subsequently to initiation. | no change
4-6 | For those variables in clause 4-4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes. | change
4-7 | The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform. | change
4-8 | The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems). | N/A
4-9 | The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design. | N/A
4-10 | The critical points in time or the plant conditions, after the onset of a design basis event. | change
4-11 | The equipment protective provisions that prevent the safety systems from accomplishing their safety functions. | no change
4-12 | Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria). | change

Clause 4.1 of IEEE Std. 603

"The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event" (IEEE-603)

The proposed protection system has two modes of operation, automatic and manual.

Below, for each Design Basis Event, the mode of system operation is provided:

- Loss-of-Coolant Accident (LOCA) during the full power operation (automatic)
- Slow Insertion of 0.06% Δk/k/s for 10 seconds (automatic)
- Sudden Insertion of the Maximum Allowed Excess Reactivity of 1.4% Δk/k (automatic)
- Sudden Insertion of the Maximum Allowed Reactivity of 0.6% Δk/k (automatic)
- Control Blade System Malfunction (manual)
- Loss of Power (manual)

Clause 4.2 of IEEE Std. 603

List of Design Basis Events (Accidents)

- Loss-of-Coolant Accident (LOCA): LOCA will cause the loss of the valid flow rate meter (FRM) signal in the primary coolant loop, which will cause automatic initiation of BDT via TXS. Loss of coolant in the core due to the LOCA will also contribute to the safe shutdown of the UFTR as a result of the negative void coefficient of reactivity.
- Reactivity insertion events:
  - Slow insertion of 0.06% Δk/k/s without scram
  - Sudden Insertion of the Maximum Allowed Excess Reactivity (1.4% Δk/k)
  - Sudden Insertion of the Maximum Allowed Reactivity (0.6% Δk/k)
  The above reactivity events shall cause automatic initiation of FT via TXS when any NI signal becomes invalid due to high reactor power.
- Control Blade System Malfunction: This anticipated operational occurrence shall be mitigated by opening the Dump Valve initiated by the MRS.
- Loss of Power: Loss of Power directly causes BDT, thus no execute feature must be initiated during this event.

Clause 4.3 of IEEE Std. 603

"The permissive conditions for each operating bypass capability that is to be provided" (IEEE 603)

There is no need for an operating bypass for UFTR, thus there are no permissive conditions for this type of bypass.

Clause 4.4 of IEEE Std. 603

"The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured" (IEEE 603)

The existing analog protection system has four levels of protection for the design basis events: pre-operation check, monitoring, interlocks, and trip system.

For the new digital protection system, besides the aforementioned levels, we are considering signal diversity in order to protect the system against Common Cause Failure.

Clause 4.4 of IEEE Std. 603 (contd)

Table 1 - List of components checked prior to reactor startup

 1. Core Vent
 2. Diluting Fan System
 3. Blade Gear Box
 4. Manometers and Magnetic Gage
 5. Portal Monitor
 6. Core Vent and Diluting Fan Systems
 7. Shield Water
 8. Demineralizer Pump
 9. Magnet Power Key
10. Exterior lights
11. Neutron recorder
12. Primary Coolant Pump
13. Source Alarm
14. Primary Coolant Resistivity Determinations
15. Blade Withdrawal Time Measurement
16. Primary Coolant
17. Magnet Power Key
18. Log/linear recorder
19. Equipment Pit Checkout and Gamma Radiation Levels
20. Water Sample Analysis
21. Air Particulate Detectors
22. Radiation Monitor Console
23. Secondary Water and Strainer
24. Security System Monitors
25. Complete Records

Clause 4.4 of IEEE Std. 603 (contd)

Table 2 - Description of Monitoring parameters during operations

1. Main AC power line
2. Primary and secondary coolant pump power
3. Console power
4. Core ventilation fan power
5. Stack dilution fan
6. Area radiation monitor
7. Stack/vent monitor
8. Air particulate

Table 3 - Description of Interlocks

1. Inhibits attempt of simultaneous withdrawal of 2 or more safety blades (mode 2*)
2. Inhibits attempt of withdrawal of regulating blade with a period (T) < 30 s (mode 2)
3. Inhibits withdrawal of blades if the source count rate is < 2 cps (mode 1**)
4. Inhibits withdrawal of blades if period (T) < 10 s (mode 1)
5. Inhibits reactor operation if safety channels 1 & 2 are not operable (mode 1)

  * Mode 2: Automatic control
 ** Mode 1: Manual Protection and Control

Clause 4.4 of IEEE Std. 603 (contd)

Table 4 - List of conditions for trip

Automatic:
- Period 3 sec
- Power 119 kW
- Loss of chamber high voltage (90%)
- Loss of electrical power to control console
- Primary cooling system: loss of pump power; low-water level in core (42.5"); no outlet flow; low inlet water flow 41 gpm
- Secondary cooling system (at power levels > 1 kW): loss of flow (well water 60 gpm); loss of pump power
- High primary coolant inlet temperature 99° F
- High primary coolant outlet temperature (155° F)
- Shield tank - low water level (6" below established normal level)
- Ventilation system: loss of power to dilution fan; loss of power to core vent system
Type of trip column for the automatic conditions, in table order: FT*, FT, FT, FT, BDT**, BDT, BDT, BDT, BDT, BDT, BDT

Manual:
- Manual scram bar
- Console key-switch OFF (two blades off bottom)
Type of trip column for the manual conditions, in table order: BDT, FT

  * FT: Full Trip (including Dump Valve Trip and BDT)
 ** BDT: Blade drop Trip
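The interlocks of Table 3 and the automatic conditions of Table 4 are threshold logic over plant variables, so they can be written down and exercised directly. The following is an added Python example, not code from the presentation, from the UFTR or from the TXS product, that encodes both tables as plain comparisons against the printed setpoints. The `PlantState` fields, the comparison directions (taken from the Low/High wording of Table 4), the reading of interlock 5 as inhibiting when either safety channel is inoperable, and the constructed sample states are assumptions; the trip evaluator returns the names of the conditions present and does not assign the FT/BDT classification.

```python
"""Added example, not from the UFTR presentation: a plain-Python model of the
Table 3 blade-withdrawal interlocks and the Table 4 automatic trip conditions.
Setpoints are those printed in the tables; the state fields, function names
and the constructed sample states are assumptions made for illustration."""
from dataclasses import dataclass, replace

MODE_MANUAL = 1     # Table 3 footnote: Mode 1, manual protection and control
MODE_AUTOMATIC = 2  # Table 3 footnote: Mode 2, automatic control


@dataclass(frozen=True)
class PlantState:
    # Defaults are a constructed "normal full-power" state in which no Table 4
    # setpoint is exceeded; they are not measured UFTR data.
    mode: int = MODE_AUTOMATIC
    period_s: float = 1000.0          # long period = steady power
    power_kw: float = 100.0
    source_cps: float = 50.0
    safety_blades_moving: int = 0     # safety blades being withdrawn at once
    regulating_blade_request: bool = False
    safety_channels_operable: tuple = (True, True)
    chamber_hv_fraction: float = 1.0  # fraction of nominal chamber high voltage
    console_power: bool = True
    primary_pump_power: bool = True
    core_water_level_in: float = 45.0
    primary_outlet_flow_gpm: float = 43.0
    primary_inlet_flow_gpm: float = 43.0
    secondary_flow_gpm: float = 80.0
    secondary_pump_power: bool = True
    inlet_temp_f: float = 80.0
    outlet_temp_f: float = 95.0
    shield_tank_drop_in: float = 0.0  # inches below established normal level
    dilution_fan_power: bool = True
    core_vent_power: bool = True


def blade_withdrawal_interlocks(s: PlantState) -> list:
    """IDs of the Table 3 interlocks that inhibit withdrawal in state s."""
    hits = []
    if s.mode == MODE_AUTOMATIC and s.safety_blades_moving >= 2:
        hits.append(1)  # simultaneous withdrawal of 2 or more safety blades
    if s.mode == MODE_AUTOMATIC and s.regulating_blade_request and s.period_s < 30:
        hits.append(2)  # regulating blade withdrawal with T < 30 s
    if s.mode == MODE_MANUAL and s.source_cps < 2:
        hits.append(3)  # source count rate below 2 cps
    if s.mode == MODE_MANUAL and s.period_s < 10:
        hits.append(4)  # period shorter than 10 s
    if s.mode == MODE_MANUAL and not all(s.safety_channels_operable):
        hits.append(5)  # assumption: either channel inoperable inhibits
    return hits


def automatic_trip_conditions(s: PlantState) -> list:
    """Names of the Table 4 automatic trip conditions present in state s.
    Comparison directions follow the Low/High wording of the table."""
    checks = [
        ("period < 3 s", s.period_s < 3),
        ("power > 119 kW", s.power_kw > 119),
        ("chamber HV below 90%", s.chamber_hv_fraction < 0.90),
        ("loss of console power", not s.console_power),
        ("loss of primary pump power", not s.primary_pump_power),
        ("core water level < 42.5 in", s.core_water_level_in < 42.5),
        ("no primary outlet flow", s.primary_outlet_flow_gpm <= 0),
        ("primary inlet flow < 41 gpm", s.primary_inlet_flow_gpm < 41),
        # Secondary-side conditions apply only at power levels above 1 kW.
        ("secondary flow < 60 gpm", s.power_kw > 1 and s.secondary_flow_gpm < 60),
        ("loss of secondary pump power", s.power_kw > 1 and not s.secondary_pump_power),
        ("inlet temperature > 99 F", s.inlet_temp_f > 99),
        ("outlet temperature > 155 F", s.outlet_temp_f > 155),
        ("shield tank > 6 in below normal", s.shield_tank_drop_in > 6),
        ("loss of dilution fan power", not s.dilution_fan_power),
        ("loss of core vent power", not s.core_vent_power),
    ]
    return [name for name, tripped in checks if tripped]


def protection_demand(s: PlantState) -> bool:
    """True when any automatic Table 4 condition demands a trip."""
    return bool(automatic_trip_conditions(s))


if __name__ == "__main__":
    normal = PlantState()
    print("normal:", automatic_trip_conditions(normal), blade_withdrawal_interlocks(normal))
    overpower = replace(normal, power_kw=125.0, period_s=2.5)
    print("overpower:", automatic_trip_conditions(overpower))
    startup = replace(normal, mode=MODE_MANUAL, power_kw=0.001, source_cps=1.0)
    print("startup:", blade_withdrawal_interlocks(startup))
```

Running the file prints the conditions found for a constructed normal state, an over-power state and a manual-mode startup state. The property worth checking in any model of this kind is the one the tables imply: the normal state produces no demand, and each row can be triggered on its own without depending on another row.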

Clause 4.4 of IEEE Std. 603 (contd)

Table 5. List of signals for each train of the proposed UFTR TXS system

Reactor Feature                 | Primary Mode of Detection    | AI(c) | DI(d) | Segment of UFTR
High Power Level                | FC(a), IC(b)                 | 2     |       | Core
Reactor Period, Low Power Level |                              |       |       |
Core Temperature                | Resistive TD                 | 10    |       | core, primary, secondary
Flow Rate                       | Flow Rate Monitor (FRM)      | 2     | 2     | primary, secondary
Water Level                     | Water Level Monitor* (WLM)   | 2     | 1     | Core, storage tank*, shield tank
Area Radiation Level            | Area Radiation Monitor (ARM) | 4     | 4     | east, north, south, west*
Fan Availability                | Fan Monitor (FM)             | 1     | 2     | Core ventilation, stack dilution, stack dilution RPM

(a) Fission Chamber; (b) Ion Chamber; (c) AI, Analog Input; (d) DI, Digital Input
* Indicates a new monitoring device and/or location that shall be added in the proposed system

Table 6. Signal diversity within each train

Columns: Core, Primary, Secondary, Reactor Cell, Confinement. Check marks per sensor row: FC+BF3 (1, Core); IC (1, Core); RTD (3); FRM (3); WLM (2); ARM (2); FM (2).

Clause 4.5 of IEEE Std. 603

"The protective actions identified in Clause 4-2 that may be controlled by manual means initially or subsequently to initiation" (IEEE 603)

Manual reactor scram (MRS) is available in the event that TXS fails to initiate RTS. Depression of the MRS button causes the control blade drive (clutch current control) to shut off, which allows the blades to drop into the core due to gravity.

The MRS button will also provide a HW and SW interrupt for the TXS system.

This event is referred to as a blade-drop trip (BDT). If the control blades do not function properly and the core overheats, the negative void and temperature coefficients will cause the core to go subcritical and shut down even without insertion of the control blades. Therefore, instrumentation is not an absolute necessity for shutting the UFTR down because of its inherent safety features.

Clause 4.5.1 of IEEE Std. 603

"The points in time and the plant conditions during which manual control is allowed" (IEEE 603)

Protective action may be initiated by manual means at any time during reactor operation.

Clause 4.5.2 of IEEE Std. 603

"The justification for permitting initiation or control subsequent to initiation solely by manual means" (IEEE 603)

Justification for permitting initiation by manual means lies in the fact that no action or inaction of the operator during a design basis event can result in the uncontrolled release of radioactivity.

Clause 4.5.3 of IEEE Std. 603

"The range of environmental conditions imposed upon the operator during normal, abnormal, and accident conditions throughout which the manual operations shall be performed" (IEEE 603)

Environmental conditions imposed upon the operator during normal, abnormal, and accident conditions shall not be of concern, since the worst-case accident scenario does not result in the release of radioactivity.

It is also important to note that the new main control room (MCR) will be isolated from the reactor cell.

Clause 4.5.4 of IEEE Std. 603

"The variables in clause 4.4 that shall be displayed for the operator to use in taking manual action" (IEEE 603)

All variables listed in Table 1 shall be displayed for the operator on the Qualified Display System (QDS) of the TXS protection system and the display of the T3000 control system.

The new system has an added qualified display, i.e., QDS.

Clause 4.6 of IEEE Std. 603: For those variables in item d) that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes (IEEE 603)

The number and locations of sensors required for protective purposes are provided in Table 1. Loss of all valid signals from any one of the five segments of the UFTR listed in Table 3 shall result in the safe shutdown of the UFTR via BDT.

Clause 4.7 of IEEE Std. 603: The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform (IEEE 603)

The existing UFTR control room is located within the reactor cell and shares the cell's energy supply and environmental control.

The new TXS system components are located in the MCR, which is isolated from the reactor cell. The MCR receives power and air-conditioning that are independent of the reactor cell. Electromagnetic interference is prevented by the shielding effect of the metallic front plates of each TXS cabinet. Thus, conditions within the MCR are not subject to change due to UFTR transient or steady-state conditions.

Clause 4.8 of IEEE Std. 603: The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems) (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern, since loss of the protection system does not affect the integrity of the fuel, and therefore there is no uncontrolled release of radiation.

Clause 4.9 of IEEE Std. 603: The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design (IEEE 603)

Reliability analysis is not required for safety assessments because of the inherent safety features of the UFTR.

Clause 4.10 of IEEE Std. 603: The critical points in time or the plant conditions, after the onset of a design basis event (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern, since loss of the protection system does not result in the uncontrolled release of radiation.

Clause 4.10.1 of IEEE Std. 603: The point in time or plant conditions for which the protective actions of the safety system shall be initiated (IEEE 603)

Tables 5 and 6 show the conditions for interlocks, and for automatic and manual initiation of the reactor trips, respectively.

Clause 4.10.2 of IEEE Std. 603: The point in time or plant conditions that define the proper completion of the safety function (IEEE 603)

Protective action is complete when either BDT or FT has been initiated. It is important to note that physical failure of the RTS does not cause an uncontrolled release of radiation. Indication of initiation shall be provided in the main control room (MCR).

Clause 4.10 of IEEE Std. 603 (contd)

Clause 4.10.3 of IEEE Std. 603: The point in time or the plant conditions that require automatic control of protective actions (IEEE 603)

No automatic control is required following RTS initiation.

Clause 4.10.4 of IEEE Std. 603: The point in time or the plant conditions that allow returning a safety system to normal (IEEE 603)

Plant conditions return to normal once enough valid signals are available to continue operation of the UFTR. Signals whose values are within the LSSS ranges are considered valid; these signals are provided in Clause 4.4.
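The validity and segment-loss rule stated under Clauses 4.6 and 4.10.4 above, worked through in code. This is an added illustration, not UFTR, AREVA or TELEPERM XS code; the segment labels, signal names, LSSS ranges and readings are constructed placeholders, and the number of valid signals that counts as "enough" for return to normal is an assumption exposed as a parameter.

```python
"""Trip rule from IEEE Std. 603 Clauses 4.6 and 4.10.4 as stated on this page:
a signal is valid while its value lies within its LSSS range, and loss of all
valid signals from any one segment results in a blade-drop trip (BDT).
Added illustration, not UFTR/AREVA/TELEPERM XS code: segment labels, signal
names, LSSS ranges and readings are constructed placeholders (Tables 1 and 3
of the presentation are not reproduced here)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Signal:
    name: str
    segment: str      # constructed segment label, stands in for a Table 3 entry
    lsss_low: float   # a reading inside [lsss_low, lsss_high] is a valid signal
    lsss_high: float

# Constructed signal list; several signals per segment is the "signal
# diversity" the presentation credits the new train with.
SIGNALS: List[Signal] = [
    Signal("power_ch_A", "core", 0.0, 110.0),            # % of rated power
    Signal("power_ch_B", "core", 0.0, 110.0),
    Signal("period_s", "core", 3.0, 1.0e9),              # reactor period, s
    Signal("primary_flow", "primary_loop", 40.0, 60.0),
    Signal("primary_temp_in", "primary_loop", 10.0, 99.0),
    Signal("secondary_flow", "secondary_loop", 60.0, 90.0),
    Signal("cell_rad_monitor", "reactor_cell", 0.0, 10.0),
    Signal("cell_pressure", "reactor_cell", -1.0, 0.0),
    Signal("conf_diff_press", "confinement", -0.5, 0.0),  # single-signal segment
]
Readings = Dict[str, Optional[float]]  # signal name -> value; None = channel lost

def is_valid(sig: Signal, reading: Optional[float]) -> bool:
    """Clause 4.10.4: valid means the value lies within the LSSS range.
    A lost channel (None) is not valid, and neither is an out-of-range value,
    so a segment whose readings all exceed their LSSS has no valid signal left
    and demands the same BDT as a segment whose sensors are lost."""
    return reading is not None and sig.lsss_low <= reading <= sig.lsss_high

def valid_by_segment(readings: Readings) -> Dict[str, List[str]]:
    """Names of the valid signals in each segment (empty list = segment lost)."""
    out: Dict[str, List[str]] = {}
    for sig in SIGNALS:
        out.setdefault(sig.segment, [])
        if is_valid(sig, readings.get(sig.name)):
            out[sig.segment].append(sig.name)
    return out

def segments_requiring_bdt(readings: Readings) -> List[str]:
    """Clause 4.6: each segment with no valid signal left requires a BDT."""
    return [seg for seg, ok in valid_by_segment(readings).items() if not ok]

def may_return_to_normal(readings: Readings, min_valid: int = 1) -> bool:
    """Clause 4.10.4 return to normal: enough valid signals in every segment.
    The page does not quantify "enough"; the per-segment threshold is a
    parameter here (assumption), defaulting to one valid signal."""
    return all(len(ok) >= min_valid for ok in valid_by_segment(readings).values())

# Constructed scenarios for a stand-alone run.
NORMAL: Readings = {
    "power_ch_A": 98.0, "power_ch_B": 99.0, "period_s": 1.0e6,
    "primary_flow": 50.0, "primary_temp_in": 35.0, "secondary_flow": 75.0,
    "cell_rad_monitor": 2.0, "cell_pressure": -0.3, "conf_diff_press": -0.2,
}
ONE_CHANNEL_LOST: Readings = dict(NORMAL, power_ch_A=None)       # diversity covers it
PRIMARY_LOST: Readings = dict(NORMAL, primary_flow=None, primary_temp_in=120.0)
CONFINEMENT_LOST: Readings = dict(NORMAL, conf_diff_press=None)  # no diversity here

if __name__ == "__main__":
    for label, r in [("normal", NORMAL), ("one channel lost", ONE_CHANNEL_LOST),
                     ("primary lost", PRIMARY_LOST), ("confinement lost", CONFINEMENT_LOST)]:
        print(f"{label:17s} BDT segments: {segments_requiring_bdt(r)}")
```

The single-signal confinement segment shows why the presentation values signal diversity: one lost channel there is a segment loss, while the core segment rides through the same event.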

Clause 4.11 of IEEE Std. 603: The equipment protective provisions that prevent the safety systems from accomplishing their safety functions (IEEE 603)

No safety functions shall be disabled as a means of equipment protective provisions.

Clause 4.12 of IEEE Std. 603: Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria) (IEEE 603)

Because the proposed system contains digital instrumentation and controls, D3 among system components is analyzed, and the issue of SWCCF amongst digital equipment is addressed.

The proposed monitoring train offers signal diversity, and the protection system includes system diversity.

D3 Analysis

Echelons of Defense

Because of the aforementioned unique features of the UFTR, the four echelons of defense (NUREG/CR-6303) reduce to three, as follows:

- Control System
- Reactor Trip System (RTS)
- Monitoring and Indicator System (MIS)

Echelons of defense provide multiple barriers to radiation release for a reactor.

Design of the Protection System

The proposed system is divided into several blocks. It shall be credibly assumed that internal failure within these blocks will be contained.

TXS: Teleperm X-window Safety; T-3000: control system; MRS: Manual Reactor Scram

System block functions

System blocks address different combinations of the three echelons of defense (X marks the echelon a block serves):

Block    Control System   RTS   MIS
MRS                        X
TXS                        X     X
T-3000        X                  X

Interactions between blocks

All the signals within a train are input to both the TXS and T-3000 systems. This is important because, in case of a failure of the TXS system that is not known to the operator, the operator can identify the situation through the T-3000 displays and initiate the MRS.

TXS maintains a unidirectional communication with T-3000 through its Gateway (GW).

Diversity among system blocks

TXS vs. T-3000: These systems, which are computer-based, have different hardware and software, resulting in monitoring diversity.

Manual Reactor Scram (MRS): This block has an inherent diversity from the TXS.

Diversity - Echelons of Defense

Failure of MRS block: No impact on echelons of defense. TXS will initiate RTS; T-3000 and TXS will remain functioning as a MIS.

Failure of TXS block: No impact on echelons of defense. The MIS echelon will only contain indication of the failed TXS system (via T-3000), and therefore MRS will initiate the RTS echelon.

Failure of T-3000 block: No impact on echelons of defense. RTS initiated via MRS.

Effect of Common-Cause Failure

Since the CCF is confined within a block, there is no impact on the echelons of defense.

Software errors and CCF are possible within the TXS block, but because of system diversity, these errors are not possible within the MRS block.

CCF amongst sensing equipment is possible across different sensors within the same train. The TXS processor has the necessary logic to identify the problem and initiate RTS.

CCF of different types

Type 1: This will not result in the loss of protection, due to the signal diversity between sensing equipment.

Type 2: Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.

Type 3: Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.

Software CCF: The existence of the MRS, and the diversities between the TXS and T-3000 blocks, are adequate for preventing a SWCCF across the protection system. In addition, loss of all protective functions does not cause any fuel failure, and therefore there is no possibility of uncontrolled release of radioactivity.

Concluding Remarks on D3

The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure.

Vulnerability to CCF is adequately addressed by the proposed strategy, primarily because of the design diversity that exists between the analog and digital means for initiating RTS.

The TXS system will also have improved reliability due to extensive signal diversity and possible redundancy of inputs.

As a final note, the analysis found that no failure of equipment or operator action/inaction can result in fuel failure and therefore uncontrolled release of radioactivity.

Planning & related documentations

The UFTR is using a previously-approved (under NRC evaluation) digital system, with appropriate modifications due to the particular characteristics of the research reactor. According to ISG-6, the UFTR falls under the Tier 2 application approach.

List of UFTR Documents

Ref: QA1-QAPP Attachment #4, List of UFTR Documents

No.  Document ID       UFTR Document
1    UFTR-QAP          UFTR QA Program
2    UFTR-QAP-01-P     Conduct of Quality Assurance
3    UFTR-QA1-QAPP     Quality Assurance Project Plan (QAPP)
4    UFTR-QA1-01       Software Quality Assurance Plan (SQAP)
5    UFTR-QA1-02       Software Configuration Management Plan (SCMP)
6    UFTR-QA1-03       Software Verification and Validation Plan (SVVP)
8    UFTR-QA1-05       Software Safety Plan (SSP)
9    UFTR-QA1-06.1     Software Test Plan - SIVAT Plan
10   UFTR-QA1-06.2     Factory Acceptance Test (FAT) Plan
11   UFTR-QA1-14       Safety System Design Basis
12   UFTR-QA1-100      Functional Requirements Specification (FRS)
13   UFTR-QA1-101.1    List of I/Os
14   UFTR-QA1-102.3    ID Coding
15   UFTR-QA1-103      Diversity and Defense-in-Depth (D3) Analysis
16   UFTR-QA1-104      Failure Modes Effect Analysis (FMEA)
17   UFTR-QA1-105      TELEPERM XS Cyber Security
18   UFTR-QA1-106      Reliability Analysis
19   UFTR-QA1-107      Safety Analysis
20   UFTR-QA1-108      Requirement Traceability Matrix

Legend: Reviewed by AREVA; Draft documents not reviewed

Quality Assurance Program

Ref: UFTR-QAP, Quality Assurance Program for UFTR

Foreword to ANS Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

It must be noted that research reactors have two characteristics which affect the type of quality assurance program that should be applied to them, when compared to power reactors:

i) Reliability of most of the components of a research reactor does not affect the health and safety of the public since failure of the component generally shuts the system down and little else occurs.

ii) A typical research reactor operates on a limited budget with its continued existence dependent upon maintaining a low-cost, reliable operation.

Because of these inherent characteristics, the quality assurance program for research reactors is applied primarily to safety-related and important items and should be graded appropriately to be economically feasible.

Quality Assurance Program

Ref: UFTR-QAP, Quality Assurance Program for UFTR

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization
It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions.

(a) quality is achieved and maintained by those who have been assigned responsibility for performing the work;
(b) quality achievement is verified by persons not directly performing the work.

2.3.3 Design verification
Design verification shall be performed by competent individuals or groups other than those who performed the design, but who may be from the same organization.

Verification and Validation (V&V)

Ref: UFTR-QA1-03, Software Verification and Validation Plan

UFTR Digital Control System Upgrade Project - Organization

Project Manager: Prof. Alireza Haghighat
Project Coordinator: Dr. Gabriel Ghita, RS

Functional groups: QA Management, IV&V, Hardware & Installation, Software Development, System Design & Analysis.

Team rosters:
- Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS; Prof. A. Haghighat; Matt Marzano, GR; Jennifer Musgrave, UG
- Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM; Prof. Mark Harrison; Matt Berglund, SRO; Andrew Holcomb, UG
- Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS; Prof. James Baciak; Daniel Lago, UG; Steven Brown, UG
- Auditor: Dr. William Van Dyke
- CCB: Prof. A. Haghighat; Dr. G. Ghita, RS; Prof. Glenn Sjoden; Prof. James Baciak; Brian Shea, RM
- Lead: Prof. Edward Dugan; Prof. Mark Harrison; Prof. DuWayne Schubring; George Fekete, UG

CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student

1. Independence of the V&V organization (management, schedule, and finance)

Based on our organization size and limited resources, we have selected the third (i.e., Internal IV&V) form of independence as described in IEEE-1012-1998. In this form of independence, the development and IV&V personnel are from the same organization.

In our project, the IV&V personnel are not involved in the development, they have managerial independence, and the major portion of their budget is independent of the developer's budget.

2. The number of the V&V personnel

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization
It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions.

Verification and Validation

Ref: UFTR-QA1-03, Software Verification and Validation Plan

3. The results of the V&V effort are to be fully and carefully documented, and each discrepancy is to be documented in a report that includes how it was resolved, tested, and accepted by the V&V organization.

4. Software Integrity Level (SIL)

The unique safety features of the UFTR allow the use of V&V software integrity level 1 as described in IEEE 1012-1998. The following table provides the required tasks for the different SI levels.

TXS Equipment changes

The new generation of the TXS equipment is very similar to the previous generation:

- The SVE2 processor has not changed.
- Analog and digital I/O modules have the same functionality and will be used in compatibility mode.
- Communication lines have improved and have larger data throughput.
- QDS, SU, and GW are the same as in the previous generation.

Discussion on the two-train option

The proposed UFTR protection and control system includes three main components:

- TXS digital protection system
- T-3000 digital system for monitoring and indication, and control
- Manual Reactor Scram (MRS) system, which is invoked by the operator for initiating the RTS

Similar to the current UFTR license, we intend to apply for a one-train safety system. This train, however, includes various signals (from NIs and sensors), which provide the added benefit of signal diversity. (The old system includes only NIs, with no diversity.)

We are exploring the possibility of adding a redundant train for the purpose of testing and training on hardware and software.

Proposed Schedule

Phase 0
- Sept 2008 - Oct 2009: Preparation of QA and planning documentations; preliminary design and analysis; training of personnel on TXS and T-3000 systems; design, analysis and manufacturing of a new piping system
- Oct. 16, 2009: Presentation of the preliminary design and analysis and related documentations to the NRC

Phase 1
- Oct 16 - Dec. 2009: NRC decision on the proposed design and planning; installation of the new piping system, testing and analysis of the system; initiate installation of new Nuclear Instrumentations (NIs) and sensors
- January 2010: Submittal of preliminary documentations to the NRC

Phase 2
- Jan - March 2010: Review and preparation of Request for Additional Information (RAI) by the NRC; installation and testing of NIs and sensors
- March - June 2010: Resolution of the NRC RAIs; installation, testing and benchmarking of NIs and sensors
- July 2010: Completion and submittal of documentations for the detailed design

Phase 3
- July - Sept 2010: Review and preparation of RAIs by the NRC; initiate preparation of training documentations
- Sept - Dec 2010: Resolution of the NRC RAIs; initiate manufacturing
- Jan - March 2011: Manufacturing
- March - April 2011: Factory testing
- April - May 2011: Installation
- May - June 2011: Integration testing and preparation of final documentations on FAT, post-installation, operations and training