Afrri Amendment 19

ML100840590
Person / Time
Site:	Armed Forces Radiobiology Research Institute
Issue date:	01/23/1990
From:	Alexander Adams Office of Nuclear Reactor Regulation
To:	Irving G US Dept of the Army
Montgomery C
References
Download: ML100840590 (15)
v • d • e

Text

- "

f'\\!J I M I t";!! f r-lLE C Py July 23, 1990 nocket No. 50-170 J NOT RtknJVE

?x+.ed-Colonel George W. Irving, III, BSC, USAF Director

,L}{lrtc.,q fo I:. -3</

Armed Forces Radiobiology Research Institute Bethesda, Maryland 20814-5415

Dear Colonel Irving:

SUBJECT:

ISSUANCE OF AMENDMENT NO. 19 TO FACILITY OPERATING LICENSE NO. R ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE (AFRRI)

The Commission has issued the t:nclosed Amendment No. 19 to Facility Operating License No. R-84 for the AFRRI TRIGA Research Reactor.

The amendment consist5 of changes to the Technical Specifications in response to your submittal dated April 30, 1990 as supplemented on June 19, 1990 and July 13, 1990.

The amendment approves the installation of a microprocessor based instrumenta-tion and control system on the AFRRI research reactor. The Technical Specifi-cations are amended to reflect the new system.

A copy of the related Safety Evaluation supporting Amendment No. 19 is enclosed.

Ericlosures:

Sincerely,

/SI Alexander Adams, Jr., Project Manager Non-Power Reactor, Decommissioning and Environmental Project Directorate Division of Reactor Projects - III, IV, V and Special Projects Office of Nuclear Reactor Regulation

1.

Amendment No. 19

2.

Safety Evaluation cc w/enclosures:

See next page DISTRIBUTION:

Docket file NRC & Local PDRs PDHP r/f WTravers EHyl ton AAdams OGC DHagan

[AA Ar1ENOMENT 19J pruJP/.-4::A

~ton 7 I(') /90 EJordan GHi11 (4)

WJones JCalvo ACRS (10)

GPA/PA OC/LFMB Plant file PDNP:~

AAdam :.j 7/\\'o! 0

Docket ~o. 50-170 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, 0. C. 20555 July 23, 1990 Colonel George W. Irving, III, BSC, USAF Director Armed Forces Radiobiology Research Institut~

Bethesda, Maryland 20814-5415

Dear Colonel Irving:

SUBJECT:

ISSUANCE OF AMENDMENT NO. 19 TO FACILITY OPERATING LICENSE NO. R ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE (AFRRI)

The Commission has issued the enclosed Amendment No. 19 to Facility Operating License No. R-84 for the AFRRI TRIGA Research Reactor. The amendment consists of changes to the Technical Specifications in response to your submittal dated April 30, 1990 as supplemented on June 19, 1990, and July 13, 1990.

The amendment approves the installation of a microprocessor based instrumenta-tion and control system on the AFRRI research reactor. The Technical Specifi-cations are amended to reflect the new system.

A copy of the related Safety Evaluation supporting Amendment No. 19 is enclosed.

Enclosures:

1.

Amendment No. 19

2.

Safety Evaluation cc w/enclosures:

See next page Sincerely, Alexander Adams, Jr.,

1anager Non-Power Reactor, De ning and Environmental Projec irectorate Division of Reactor Projects - III, IV, V and Special Projects Office of Nuclear Reactor Regulation

Armed Forces Radiobiology Research Institute cc:

Director, Maryland Office of Planning 301 West Preston Street Baltimore, Maryland 21201 County Executive Montgomery County Government Rockville, Maryland 20850 Reactor Facility Director Armed Forces Radiobiology Research Institute National Naval Medical Center Bethesda, Maryland 20814 Docket No. 50-170

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE CCCKET NO. 50-170 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 19 license No. R-8~

1.

The Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment to Facility Operating License No. R-84 filed by the Armed Forces Radiobiology Research Institute (the licensee), dated April 30, 1990 as supplemented on June 19, 1990, and July 13, 1990 complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations as set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the regulations of the Conmission; C.

There is reasonable assurance:

(i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Conmission's regulations and all applicable requirements have been satisfied; and F.

Prior notice of this amendment was not required by 10 CFR 2.105(a)(4) and publication of notice for this amendment is not required by 10 CFR 2.106(a)(2).

2.

Accordingly, the license is amended by changes to the Technical Specifications as indicated in the enclosure to this license amendment, and paragraph 2.C.(2) of License No. R-84 is hereby amended to read as follows:

(2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 19, are hereby incorporated in the license.

The licensee shall operate the facility in accordance with the Technical Specifications.

3.

This license amendment is effective as of its date of issuance.

Enclosure:

Appendix A Technical Specifications Changes Date of Issuance: July 23, 1990 FOR THE NUCLEAR REGULATORY COMMISSION Seym ur H. Weiss, Director Non-Power Reactor, Decommissioning and Environmental Project Directorate Division of Reactor Projects - III, IV, V and Special Projects Office of Nuclear Reactor Regulation

ENCLOSURE TO LICENSE AMENDMENT NO. 19 FACILITY OPERATING LICENSE NO. R-84 DOCKET NO. 50-170 Replace the following pages of the Appendix A Technical Specifications with the attached pages. The revised pages are identified by amendment number and contain vertical lines indicating the areas of change.

Remove 10 11 Insert 10 11

tions on reactor power level indication are included in this Section, since the power level is related to the fuel temperature.

S.2.2 REACTOR SAFETY SYSTEM Applicability This specification applies to t.he reactor sa!ety system.

Objective The objective is to specify the mmunum number of reactor safety system channels that must be operable for safe operation.

Specification The reactor shall not be operated unlen the safety systems described in Tables 2 and S are operable.

TABLE 2. MINIMUM REACTOR SAFETY SYSTEM SCRAMS Channel Fuel Temperature Percent Power, High Flux Console Manual Scram Bar High Voltage Loss to Safety Channels Pulse Time Emergency Stop (1 each exposure room, 1 on console)

Pool W a.ter Level Wa.tchdog (DAC to CSC)

Maximum Set Point 600°C 1.1 MW Closure switches 20% loss 15 seconds Closure switch 14 feet from top of core On digital console Minimum Number Steady State 2

2 1

2 0

1 1

1 in Mode Pulse 2

0 1

1 1

1 1

1 The fuel temperature and power level scrams provide protection to assure that the reactor can be shut down before the safety limit on the fuel element temperature will be exceeded. The manual scram allows the operator to shut down the system at any time if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety channels, operation of the reactor without adequate instrumentation is prevented. The preset timer insures that the reactor power level will reduce to a low level after pulsing. The emergency stop allows penonnel trapped in a potentially huardous exposure 10 Amendment No. 19

room or the reactor operator to atop actions through the interlock system. The pool water level insures that a loaa of biological shielding would result in a reactor shutdown. The watchdog scram will insure adequate communication between the Data Acquisition Computer (DAC) and the Control System Computer (CSC) units.

TABLE s. MINIMUM REACTOR SAFETY SYSTEM INTERLOCKS Action Prevented Pulse initiation at power levels greater than 1 kilowatt Withdrawal of any control rod expect transient Any rod withdrawal with count rate in operational channel below 0.5 cps Simultaneous manual withdrawal of two standard rods Effective Mode Steady State Pulse X

X X

X X

The interlock preventing the initiation of a pulse at a critical level above 1 kilowatt assures that the pulse magnitude will not allow the fuel element temperature to approach the safety limit. The interlock that prevents movement of standard control rods in pulse mode will prevent the inadvertent placing of the reactor on a po9itive period while in pulse mode. Requiring a count rate to be seen by the operational ch.annela insures sufficient source neutrons to bring the reactor critical under controlled conditiom. The interlock that prevents the simultaneous manual withdrawal of two standard control rods limits the amount of reactivity added per unit time.

S.2.S FACILITY INTERLOCK SYSTEM Applicability Thia specification applies to the interlocb that prevent the accidental exposure of an individual in either exposure room.

Objective The objective ia to provide sufficient warning and interlocb to prevent movement of the reactor core to the exposure room in which someone may be working, or prevent the inadvertent movement of the core into the lead shield doors.

11 Amendment N-o. 19

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION SUPPORTING AMENDMErlT t:O. 19 TO FACILITY OPERATING LICENSE NO. R-84 ARMED FORCES RADIOBIOLOGY RESEARCH INSTI TUTE DOCKET NO. 50-170

1.0 INTRODUCTION

AFRRI has determined that due to the progressive obsolescence of their control console, a new reactor instrumentation and control system is needed to maintain reliable operations.

On May 11, 1988 AFRRI published their safety analysis of the new reactor instrumentation and control system.

In this report AFRRI concluded that the new system has equal or greater safety built-in than the existing system and therefore is an allowable change under 10 CFR 50.59.

10 CFR SC.59 permits licensees to make changes in the facility as described in the safety analysis report without prior Commission approval unless the proposed change, test, or experiment involves a change in the technical specifications incorporated in the license or an unreviewed safety question. A proposed change, test, or experiment shall be deemed to involve an unreviewed safety question (l) if the probability of occurrence-or the consequences of an accident or malfunction of equipment important to safet,y previously evaluated in the safoty analysis report may be increased; or (2) if a possibility for an accident or malfunction of a different typt than any evaluated pr~viously in the safety analysis report may be created; or (3) if the margin of safety as defined in the basis for any technical specification is reduced.

The staff concluded from its review of the AFRRJ safety analysis report that since (1) th~ installation of the new reactor instrumentation and control system did present an unreviewed safety question because of the possibility of an accident or malfunction of a different type than any evaluated previously and (2) additional technical specifications were required, NRC review and approval were required of the replacement computerized control system.

Pursuant to 10 CFR 50.90, the licensee submitted by letter dated April 30, 1990, as supplemented on June 19, 1990 and July 13, 1990, a request to amend Appendix A of Facility Operating License No. R-84, "Technical Specifications for the AFRP.I Reactor Facility." The licensee submittal of June 19, 1990 resubmitted the May 11, 1988 safety analy~es.

The requ~sted amendment would allow installation of th~ microprocessor based instrument and control system and add the watchdog (DAC to CSC) scram to lable 2 of the Technical Specifications, "Minimum Reactor Safety System Scrams.

11 The licensee has temporarily installed, in pardllel to their existing control console, the new digital microprocessor based instrumentation and control system provided by General Atomic~.

The transfer of control from the old to the new system (including scram) is via a series of gradual steps accompanied by tests which are expected by AFRRI to demonstrate the reliability of the new equipment while maintaining the proven performance of the existing control system.

Upon completion of all testing (described later in this SER), the new console will be used to control (except for the hardwired trip functions) both the safety and nonsafety aspects of operation of the TRIGA reactor and the old analog console will be disconnected. The new console will replace the old analog console in the control room.

Included in this change is the installation of three new stepping-motor control rod drives.

The primary functions of the new system will remain the same as the old system; to monitor critical parameters and provide a scram signal when needed, to provide information to the operator and to provide control for the pulse and steady-state modes of operation.

2.0 HARDWARE AND SYSTEMS ASSESSMENT This portion of the review focused on the areas of potential vulnerability or susceptibility of the new control console which might compromise its ability to present accurate information to the operator and to provide scram signals when required.

No assessment was made of the reliability of the nonsafety-related operation controls.

Issues investigated included single failure, environmental qualification, seismic qualification, surge withstand capability (SWC), elec-tromagnetic interference (EMI), failure modes and effects, reliability, error detection, and independence.

The primary review criteria for instrument and control systems for research reactors are presented in ANSI/ANS 15.15 (1978) 11Criteria for the Reactor Safety Systems of Research Reactors." The staff performed this evaluation also using criteria which apply to current vintage nuclear power plants. However, due to the inherent reactivity insertion safety feature of the TRIGA reactor design and minimal decay heat generation that cannot cause fuel damage, the staff has con-cluded that these power plant criteria may serve as guidelines and that strict adherence to the power plant criteria is generally not warranted. The exceptions are noted in the appropriate sections below.

Ouri~g the review and audit, the licensee described the new system including licensing, engineering, testing and training aspects. The vendor also partici-pated and provided additional information. The staff also had benefit of material from the U.S. Air Force, the University of Texas at Austin and the console owners group. The licensee also had an independent safety review performed by ORI, Inc. which concluded that the system was acceptable. This is the first system of this type provided by General Atomics which the staff has reviewed, therefore, there is no direct comparison that can be made to a previously licensed configuration.

At AFRRI, the Safety System Scram Circuit consists of two analog nuclear power monitor channels (NP-1000, NPP-1000) and two fuel temperature channels which are hardwired. Also wired into the scram circuit are contacts for manual scram, pulse timer, low water level, key switch and watchdog timers. The NM-1000 microprocessor based nuclear power channel monitors reactor power, but is not wired to the scram circuit at AFRRI.

2.1 Environmental and Seismic Qualification The new control system will be installed in the control room and the reactor hall. The staff considers the reactor hall (excluding within the pool itself) to be a mild environment when compared to power plant requirements and therefore the entire system can be considered to be in a mild environment. The system has been constructed in standard commercial enclosures suitable for a mild environment. The testing that has been done to date has not revealed any problems related to temperature or humidity. The new system should not be unduly susceptible to temperature or humidity problems and is therefore acceptable to the staff.

Though there have been no requirements promulgated for seismic qualification testing of research reactor control equipment. the staff reviewed the equipment to determine general ruggedness.

The equipment appears to be mounted in a good commercial quality fashion which should prevent any significant movement of components within the console and racks.

In this TRIGA reactor. an inadvertent scram does not present a challenge to reactor safety systems because a scram consists of the removal of current to the control rod magnets allowing the control rods to drop into the core by gravity.

No other equipment is required to maintain the reactor in a safe shutdown condition. The primary concern remaining would be relay contact chatter which could prevent a scram when required. The safety system scram circuits for this system are designed to scram on failure (which includes contact chatter) and therefore the staff concludes that any further testing is not warranted and the system is acceptable.

2.2 Electromagnetic Interference (EMI)

The staff reviewed the susceptibility of the new equipment to EMI due to the poten-tial for common mode interference which could disable more than one system at a time.

As discussed earlier, due to the design characteristics of the TRIGA reactor, an inadvertent scram does not present a similar challenge to safety systems that it would on a power reactor, though it might cause operational difficulties such as disrupting an experiment.

At AFRRI. optical isolators are used which will prevent conducted EMI from being transmitted between the control and safety channels. The neutron flux signal cabling is shielded to reduce the impact of radiated EMI.

Previous experience with similar equipment provided by several different vendors at other facilities has indicated that if EMI causes any perturbance in the system it will most likely cause a scram. which is acceptable to the staff for a TRIGA reactor. Based on the above, the staff concludes that EMI should not prevent a scram when required and the design is therefore acceptable.

2.3 Power Supplies The power supplies for the system are buffered to reduce the possible impact of minor power line fluctuations. The scram circuits for the new system are designed to scram when power is lost to them.

The NP-1000 and NPP-1000 are analog devices and will respond to power fluctuations similar to the existing analog equipment. The digital NM-1000 nuclear power channel uses a battery backed-up random access memory (RAM) to store constant data during loss of power.

Jn addition to self-diagnostics, the NM-1000 has a watchdog timer circuit which puts the NM-1000 in a tripped condition and scrams the reactor if power fluctuations prevent proper software operation. As described in the NM-1000 Software Functional Specification and Software Verification Program (March 1989), the NM-1000 is also tested to verify that the system returns to proper operation following restoration of power.

The staff finds this accept-able.

2.4 Failure Modes and Effects The May 11, 1988 safety analysis for AFRRI included an April 22, 1988 Scram Circuit Safety Analysis performed by the University of Texas at Austin. This study identified the various ways in which the reactor safety system could fail. These include:

1)

Physical System Failure (wire breaks, shorts, ground fault circuits)

2)

Limiting Safety System Setting Failure (failure to detect)

3)

System Operable Failure (loss of monitoring)

4)

Computer/Manual Control Failure (automatic and manual scram)

This study was based on a fault tree approach which predicted failure to scram for various failure modes.

The study concluded that a failure of all safety systems and therefore failure to scram was extremely unlikely. Failures attributable to the unique failure modes of the software of the NM-1000 were adequately considered and in addition, at AFRRI, the NM-1000 is not directly wired into the scram circuit. The staff concludes that the failure modes and effects of the new system were adequately considered and the design is therefore acceptable.

2. 5 Independence. Redundancy and Diversity The staff reviewed the data link between the safety channels and the nonsafety systems. The safety channels provide direct hard wired scram inputs and are also hardwired directly to independent indicators on the control console. ln addition, the safety channels provide inputs to the Non-Class lE Data Acquisi-tion Computer (OAC) through optical isolators. The optical isolators used have not been tested for maximum credible faults which the staff requires for power plant use, but have been tested by the manufacturer to standard commercial criteria. The OAC is then connected via redundant high speed serial data trunks to the Non-Class lE Control System Computer (CSC) which interfaces with the operator by controls, a keyboard and CRT displays. Since the CSC does communi-cate with the safety channels, this aspect of the system would not meet the independence requirements of a power plant. Howeve.r, the staff has concluded that the level of independence which has been mai ntained is appropriate for the AFRRI TRIGA reactor and is acceptable.

For the AFRRI facility, redundant fuel temperature (Temp 1, Temp 2) inputs are provided to the scram circuit. Redundant power level inputs (NP-1000, NPP-1000) to the scram circuit are also provided. The staff finds this redundancy

~cceptable. Several additional scram signals are provided at the control console (manual scram, system watchdog timers). At AFRRI, the NM-1000 is not wired to the scram circuit but does provide inputs to the rod withdrawal prevent interlock system. The system as installed at AFRRI meets most of the require-ments of IEEE-279-1971 "Criteria for Protection Systems for Nuclear Power Generating Stations and IEEE 379-1977 "Application of the Single-Failure Criteria to Nuclear Power Generating Station Class IE Systems," and is there-fore acceptable to the staff.

The operators are provided with information from both the analog NP monitors and the digital NM monitor. The information is displayed on both direct wired bar graphs and on a graphic CRT.

The scram is provided with automatic and manual contacts and, with the exception of the computer watchdog scram contacts, is similar to the old system. The staff considers this system sufficiently diverse and therefore is acceptable.

2.6 Iesti!!_g Extensive testing of the new system has been done by both the vendor and the licensee. A significant number of design changes took place during the testing that AFRRI performed during the phase-in of the new system. General Atomics has also reported no signifi cant safety problems with their installation. The staff has reviewed the problems discovered during testing of the system and has concluded that the resolutions appear appropriate. The staff also agrees with the assessment by the licensee that long-term operability and safety is enhanced due to installation of equipment which has spare parts available and is capable of being properly maintained.

An additional improvement is the self diagnostics feature which allows continuous on-line testing and reduces the possibility of undetected failures.

3.0 Software Assessment 3.1 Criteria The staff requires an approved verification and validation (V&V) plan for software which performs a safety function or provides information to the operator. At AFRRI, the NM-1000 provide inputs to the rod withdrawal prevent interlock system block function.

The NM-1000 software development was reviewed by the staff to determine the acceptability of the V&V plan. The staff compared the General Atomics V&V plan to Regulatory Guide 1.152 "Criteria for Program-mable Digital Computer Software in Safety-Related Systems at Nuclear Power Plants" which endorses ANSI. IEEE 7-4.3.2 - 1982 "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations." The staff has concluded that this standard is appropriate for use in reviewing research reactor software.

3.2 Verification and Validation Plan The staff reviewed the verification and validation documentation provided by General Atomics. The staff also reviewed the additional validation which was performed by the AFRRI staff. Since the safety scram circuits at AFRRI are hardwired and do not require software to function the emphasis of the review was to ensure that potential software problems could not prevent a scram if required.

The hardwired scram circuit is wired so that a scram will occur even if the control software is requesting rod withdrawa 1.

An additional important feature is included to prevent software errors from interfering with safety function.

The Control System Computer (CSC) and Data Acquisition Computer (OAC) include watchdog timers which must be reset every 10 seconds by the softwdre or they will trip and provide a scram signal to the rod magnet power. The watchdog timers provide a continuous check of proper software operation. The staff finds them acceptable. Though the software was not shown to be in full compliance with Reg. Guide 1.152, the software will not impede the safety systems and is therefore acceptable.

4.0 Technical Specifications The scram circuit at AFRRI will include watchdog timer contacts which*will provide a scram upon software failure.

The staff has concluded that the presentation of correct, timely information to the reactor operator contributes to the safe operation of the reactor. Therefore, the watchdog scram inputs are added to Table 2, Minimum Reactor Safety System Scrams of the technical specifications. The operability of the watchdog scram will be verified by Technical Specification 4.2.2 which requires a channel test weekly.

The basis of Table 2 is also amended to add the watchdog scrams and safety chambers is changed to safety channels to more accurately describe the high voltage loss scram.

5.0 ENVIRONMENTAL CONSIDERATION

This amendment involves changes in the instal lation or use of facility components located within the restricted area as defined in 10 CFR Part 20.

The staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and there is no significant increase in individual or cumulative occupational radiation exposure. Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no Environmental Impact Statement or Environmental Assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The staff concludes that the hardware design of the new General Atomics console is acceptable for use in the AFRRI TRIGA reactor. The Software design in the CSC, DAC and NMlOOO will not prevent the safety functions of the hardwired scram circuit from performing and is therefoe acceptable. The technical specifications are amended to include the watchdog scram inputs and surveillance requirements.

The staff has also concluded, based on the considerations discussed above, that:

(1) because the amendment does not involve a significant increase in the probability or consequences of accidents previously evaluated, or create the possibility of a new or different kind of accident from any accident previously evaluated, and does not involve a significant reduction in a margin of safety, the amendment does not involve a significant hazards consideration, (2) there is reasonable assurance that the health and safety of the public will not be endangered by the proposed activities, and (3) such activities will be conducted in compliance with the Commission's regulations and the issuance of this amendment will not be inimical to the common defense and security or the health and safety of the public.

Principal Contributor: James C. Stewart Dated: July 23, 1990