ML100141418

From kanterella
Jump to navigation Jump to search
Univ of Florida - Response to the Meeting Summary with the Univ of Florida to Discuss the Digital Instrumentation and Control Pre-Application (Phase 0) Review
ML100141418
Person / Time
Site: 05000083
Issue date: 01/11/2010
From: Haghighat A
Univ of Florida
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML100141418 (9)


Text

UF UNIVERSITY 9f College of Engineering 202 Nuclear Science Bldg.

Department of Nuclear & Radiological Engineering PO Box 118300 Gainesville, FL 32611-8300 352-392-1401 x306 352-392-3380 Fax haghighat@ufl.edu January 11, 2010 US NRC Document Control Desk MS T-2F8 Washington DC, 20555 Re: Summary of October 16, 2009 Public Meeting Regarding Digital Instrumentation and Control Pre-Application (Phase 0) Review Please find attached a response letter to the Summary of the UFTR Pre-Application (Phase 0)

Review.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on I/ I / 20 1 Sincerely, Alireza Haghighat, PhD i&3] 1/ 'I DIANA L. DAMPIER Notary Public - State of Florida My Comm. Expires Jul 20, 2013 Commission # DO894207 FP&L Professor Bonded Through National Notary Assn. J

- w .... I Director of UFTR f-otiac~~ LroLnf4- FIorildc4 1111110 0_tc0 Dwx4wO Cc Mr. Duane Hardesty, Project Manager, NRC Mr. Jack Donohue, Inspector, NRC Mr. Brian Shea, Reactor Manager, UF The Foundationfor The GatorNation /4c) 2-D An Equal Opportunity Institution &f izz'

UF UNIVERSITY 9f College of Engineering 202 Nuclear Science Bldg.

Department of Nuclear & Radiological Engineering PO Box 118300 Gainesville, FL 32611-8300 352-392-1401 x306 352-392-3380 Fax haghighat@ufl.edu January 11, 2010 Mr. Duane A. Hardesty Research & Test Reactors US Nuclear Regulatory Commission Mail Stop: O-12D03 Washington, DC 20555-0001

Dear Mr. Hardesty:

The recent summary of the Pre-Application (Phase 0) Meeting (ML093230700) (Oct. 16, 2009),

hereafter referred to as '

SUMMARY

,' indicates that the NRC's position on the UFTR Licensing Amendment Request (LAR) is to use the same Software Integrity Level, i.e., SIL4, as a power reactor, and a similar list of documents as is required for a power reactor. As I stated during the Pre-Application Meeting, and further elaborated in Attachment #1, 'Response to the NRC Review on the UFTR Pre-Application,' hereafter referred as 'RESPONSE,' I believe that we will be able to satisfy the intent of the Interim Staff Guides by employing SILl, and accordingly prepare a subset of documents listed in the NRC's summary. I believe the aforementioned power-reactor requirements will lengthen the preparation and review of this LAR, and therefore, result in unnecessary delay and cost. Hence, we request that the NRC reevaluates its conclusions based on the RESPONSE document.

Meanwhile, we have also evaluated the use of 10 CFR 50.59 Rule as a possible alternate to the LAR. (Possible use of the 10 CFR 50.59 rule was pointed during the Pre-Application meeting.)

As discussed in Attachment #2, our evaluation indicates that the aforementioned upgrade has no impact on the.UFTR accidents, their consequences and frequencies, and the UFTR Technical Specifications. Therefore, in principle we can pursue the option of 10 CFR 50.59 rather than the LAR.

To be able to address the above issues, I propose a revision to the proposed agenda for the meeting on January 19, 2010 as follows:

1:30 pm Introductions 1:40 pm Update of Proposed design and features for the safety system 2:00 pm Discussion on the University of Florida response to the NRC's review and position on the Oct. 16'h, 2009 Meeting 3:00 pm Description of documentation and License Amendment Request (LAR) format, content and requirements 3:15 pm Break The Foundationfor The Crator N~ation

3:30 pm Proposed schedule for the LAR 3:45 pm Use of the 10 CFR 50.59 Rule as an alternate to the LAR 4:00 pm Regulatory analysis 4:30 pm Public Comment Period 4:45 pm Review of Action Items and Closing Remarks 5:00 pm Adjourn I appreciate it if you would provide copies of this letter and its attachments to all the personnel who are involved in this review, so that we can resolve all the issues and finalize our plan for this licensing activity during the January 19 th meeting.

For your information, Dr. Gabriel Ghita, from the University of Florida, and Mr. Eric Wallace, Mr. Sean Kelley, and Mr. Mark Burzynski from AREVA will attend the meeting also.

Sincerely,~

Alireza Haghighat, PhD FP&L Professor Director of UFTR Attachments Cc UFTR Digital Control System Upgrade Project - Senior personnel

Attachment #1 Response to the NRC Review on the UFTR Pre-Application This is a response to the recent NRC's review of the Digital I&C Pre-Application (phase 0) for the University of Florida Training Reactor (UFTR).

We do not agree with the NRC's conclusions on the following items:

i) Recommending the use of Software Integrity Level of 4 (SIL4);

ii) Expected documents for the Tier 2 Review (i.e., Phase 1) iii) Others

1. Recommending the use of Software Integrity Level of 4 (SIL4)

The last paragraph of Section D states "Therefore, basedon the SRPfor non-power reactorsand the custom of reviewing in accordancewith the latestrevision of the endorsed regulatoryguides, it appearsthat the UFTR applicationplans should be amended to addressall required documentationfor conformance with IEEE 1012-1998 SIL4. However, the NRC will take the safety significance and complexity into considerationwhile conducting the review."

In our opinion, the above statement is equivalent to saying that the UFTR software is as safety significant as that for a power reactor protection system. Of course, this is not correct, as the UFTR is an inherently safe reactor design, regardless of the type of protection system specifically employed, so that this interpretation is far from reality.

Moreover, we believe that based on the unique and unusual safety margins of the UFTR, SIL4 is NOT necessary and simply places a significant burden and unnecessary delay in our application process.- As stated in our Pre-Application (Phase 0) meeting, we believe the UFTR application should be reviewed under SIL . The support reason for this criterion is that the UFTR has a unique design with significant conservatism, and is operated under a highly conservative system of protection and control.

In-order to elaborate on the above statement, first it is important to remind ourselves of the definition/description of different SILs presented in IEEE 1012-2004. Using this reference, in Table 1, we compare the different SILs based on their consequence and mitigation potential.

Table 1 - Comparison of different Software Integrity Levels (SILs)

_-;ii cliic __IaP tm 4 1Loss of life, loss of system, or economic or social loss I None 3 Permanent injury, major system degradation, economic or Partial to full social impact 2 Minor Complete 1 Negligible Not needed The above table indicates that there is a significant difference in both consequences and mitigation potential of different SILs, so that one has to be very careful in selecting an appropriate SIL for a given application.

The following paragraphs will provide the necessary justification for our request of using the SILl for the UFTR application. First, we summarize the unique features of the UFTR as compared to a power reactor. Second, we discuss important UFTR accident scenarios analyzed in the FSAR (Ref 1) and SSAR (Ref 2). Third, we summarize our argument for the use of SILl.

1.1 Comparison of parameters/feature of UFTR with a commercial PWR Table 2 summarizes the unique parameters/features of the UFTR as compared to a typical commercial Pressurized Water Reactor (PWR).

Table 2 - Com arison of important parameters/features of UFTR and a typical commercial PWR PaaiieerFetIf UFRATpia Power 100 kW 1000,000 kW Peak Fuel temperature 50 °C 1,882 °C Approximate total mass -20 kg -94,900 kg (enrichment=-3%)

of Uranium (enrichment = 19.75%)

Fuel type Thin plates (0.5 mm Fuel rods (5 mm diameter) thickness), Al cladding (-0.38 Air gap and Zr cladding (-0.6 mm mm thickness) thickness)

Shutdown mechanism - Control blades - Control rods

- Water dump - Negative coefficient of

- Negative coefficient of reactivity reactivity ESFAS requirement Not needed Necessary Redundancy Not needed Necessary Common cause failure Not relevant Important As the above table indicates, there are significant differences between the UFTR and a typical power reactor. The fundamental differences between the two systems are:

i) The UFTR' power level is 10,000 times lower than a commercial reactor; ii) Low power, low power density, and robust LEU fuel plate design of the UFTR yields a low residual power and a maximum fuel temperature of 50 TC as compared to 1882 TC, along with rapid heat transfer in the plate design.

iii) As a direct consequence of low fuel temperature and low residual heat, besides the use of control elements, dumping of water is another mechanism to shutdown the UFTR; iv) Accordingly, there is no need for a backup cooling system (i.e., Engineered Safety Features Actuated System) in the UFTR contrary to a power reactor. It is important to note that water (cooling) loss is considered as a major accident scenario for a power reactor, i.e., Loss of Coolant Accident (LOCA). The ability to completely and rapidly dump coolant from the UFTR core as an auxiliary safety feature to shut down the UFTR reactor emphasizes this point, since such a "dump" procedure is impossible to apply to a power reactor as a means of shutdown.

1.2 UFTR accident scenarios and their impact, consequence, and mitigation Because of the above unique features of the UFTR, all the postulated (plausible or hypothetical) accidents have negligible consequence, and no mitigation is needed. To support this statement, Table 3 compares a list of accidents which have been carefully analyzed in the FSAR (Ref 1) and SSAR (Ref 2).

Table 3 - Different accident scenarios for the UFTR - their impact, consequence, and potential for -mitigation

ACC g-ipto fi-ystell _Ciscunej Mtgad-J Sudden insertion of 0.60 Peak power = 316 kW Negligible Not Needed

%Ak/k with SCRAM Tfel(max)* = 52.2 °C Sudden insertion of 0.60 Peak power = 1,100 kW Negligible** Not Needed

%Ak/k without SCRAM Tfuel (max)* = 107 TC Ramp insertion of 0.06 Peak power = 127 kW Negligible Not Needed

%Ak/k/s in 10 s Tfuel (max)* = 52.1 °C Loss of Coolant Accident Tfuel (max)* increases by Negligible Not Needed (LOCA) at full power <17 °C Sudden insertion of 1.4 Energy release < 6.1 MW Negligible Not Needed

%Ak/k T'cladding < 300 °C Max Hypothetical Accident Public dose is several Negligible Not Needed

- Fuel handling orders of magnitude less (Uranium plate is stripped than the allowed value from fuel plate)

  • Melting pint of Al-6061 alloy cladding is 582 °C
    • Reactor is shutdown because of the inherent negative coefficient of reactivity The above table indicates that none of the accidents investigated has any impact on the integrity of the fuel and the UFTR system as a whole, therefore there are no resulting consequences and no need for any mitigation; i.e., SILl is therefore adequate for the UFTR application.

Aside from the above overwhelming evidence of the unusually safe and extremely conservative design of the UFTR, there is a significant level of conservatism in the range of operations, assigned trips, interlocks, and procedures which make any occurrence of accidents highly improbable. A detailed discussion of trips, interlocks, operation ranges, and surveillance requirements are available in the UFTR Technical Specifications.

1.3 Concluding discussion in support of use of SILl In conclusion, we believe that UFTR design, and its operating condition and requirements result in a situation that any failure of the TXS digital protection system does not impact the integrity of the reactor, and therefore has no impact on employee or public safety and health.

2. Comments on expected documents for the Tier 2 Review (i.e., Phase 1)

Because of the characteristics and licensing requirements of the UFTR, we have a few comments on a few of the requested documents, as follows:

i) On document 1, Commercial grade dedication plan - Since the UFTR does not have the quality and qualification requirements of a power reactor, we do not believe a dedication plan should be required for a system to replace an existing commercial grade system.

Note that dedication is a process to take commercial equipment and establish equivalent equipment with Class 1E ii) On document 7, EQ Testing plan - Since the UFTR has no qualification requirements for seismic, EQ, or EMI/RFI, this document is not necessary.

iii) On document 12, Reliability Analysis - Since the non-power reactors are not required to perform reliability analysis, and further because of the applicability of SIL1, this document is not necessary.

3. Others

In Section A - Quality, it is important to note that the phrase 'safety-related' should be used with the understanding that the UFTR systems are not safety-related in the power reactor sense, because, for example the safety (protection) system is single train, no EQ or seismic qualification is required, and no safety-related power supplied is necessary.

References

1. N. Diaz and W. Vernetson, "Final Safety Analysis Report (FSAR)," 1981 updated to Rev.

11, University of Florida, 1988.

2. Haghighat, UFTR HEU-to-LEU Fuel Conversion Analysis Report, Second Version, August 2009.

Attachment #2 Evaluation of the impact of the digital control upgrade on the UFTR Protection and Control This evaluation indicates how the existing analog protection and control system is replaced with the new protection and control system. The new digital system includes AREVA's Teleperm XS (TXS), Siemens' T-3000, and a Manual Reactor Scram (MRS). As discussed below the combination of TXS, T-3000, and MRS will meet or exceed the design requirements of the existing analog system.

In the new system, the RTS (Reactor Trip System) is replaced with the TELEPERM XS (TXS) technology. The TXS platform will provide the signal processing, signal validation, and protection logic function for the RTS. The TXS platform will process the existing sensor inputs associated with the RTS. The RTS will maintain the existing one-out-of-one protection system logic. The new TXS system will provide on-line self testing and diagnostic functions to improve the availability of the system and reduce maintenance burdens. All functions currently performed by the RTS will be maintained. The new equipment will meet or exceed the design requirements of the existing equipment.

In the new system, the reactor control system is replaced with the Siemens T-3000 technology.

The T-3000 platform will provide the signal processing, signal validation, and control functions for the reactor control system. The T-3000 platform will process the existing sensor inputs associated with the reactor control system. The new system will provide on-line self testing and diagnostic functions to improve the availability of the system and reduce maintenance burdens.

All functions currently performed by the reactor control system will be maintained. The new equipment will meet or exceed the design requirements of the existing equipment.

Further, the new system will include a Manual Reactor Scram (MRS), which replaces the existing push-button control-blade drive system. MRS is actuated by the reactor operator in case of observed discrepancies between the information displayed on the independent display systems of the TXS and T-3000. The new MRS will meet or exceed the design requirements of existing equipment.

It is important to emphasize that the UFTR I&C system design basis does not include explicit requirements typical of power reactors. Specifically, the UFTR design basis does not include the requirements of IEEE Std. 603-1991 or 10 CFR 50.59; or does not include environmental, seismic, or EMI/RFI qualification requirements. Based on the 10 CFR 50.59 rule, we have carefully evaluated the following items and concluded that no changes to the Technical Specifications are needed because of the new protection and control system:

L. EFFECT ON ACCIDENTS AND MALFUNCTIONS EVALUATED IN THE LICENSING BASIS DOCUMENTS

1. The proposed activity does not result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the FSAR and SSAR.
2. The proposed activity does not result in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC (System, Structure, and Component) important to safety previously evaluated in the FSAR.
3. The proposed activity does not result in more than a minimal increase in the consequences of an accident previously evaluated in the FSAR and SSAR.
4. The proposed activity does not result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the FSAR and SSAR.

U. POTENTIAL FOR CREATION OF A NEW TYPE OF UNANALYZED EVENT

5. The proposed activity does not create a possibility for an accident of a different type than previously evaluated in the UFSAR.
6. The proposed activity does not create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the FSAR/SSAR.

MI. IMPACT ON FISSION PRODUCT BARRIERS

7. The proposed activity does not result in a design basis limit for a fission product barrier as described in the FSAR/SSAR being exceeded or altered.

IV. IMPACT ON EVALUATION CONSERVATISM

8. The proposed activity does not result in a departure from a method of evaluation described in the FSAR/SSAR used in establishing the design bases or in the safety analyses.