ML16139A786

From kanterella
License Amendment Request for Upgrade of the Nuclear Safety System in the MIT Reactor Protection System, Docket No. 50-20, License R-37
Person / Time
Site: MIT Nuclear Research Reactor
Issue date: 05/12/2016
From: Lau E
Massachusetts Institute of Technology (MIT)
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML16139A786 (35)


Text

NUCLEAR REACTOR LABORATORY
AN INTERDEPARTMENTAL CENTER OF MASSACHUSETTS INSTITUTE OF TECHNOLOGY
138 Albany Street, Cambridge, MA 02139-4296
Telefax No. (617) 324-0042
Tel. No. (617) 253-4211

EDWARD S. LAU
Assistant Director of Reactor Operations

In-Core Experiment Loops, Activation Analysis, Nuclear Medicine, NTD Silicon, Facility Tours, Education & Training

12 May 2016

U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Attn.: Document Control Desk

Subject:

Re: License Amendment Request for upgrade of the Nuclear Safety System in the MIT Reactor Protection System, Docket No. 50-20, License R-37

The Massachusetts Institute of Technology hereby submits additional material to be placed on the docket in follow-up to the 30 September 2014 License Amendment Request (LAR) for its Facility Operating License No. R-37. The requested amendment is for upgrade of the reactor's nuclear safety system in the Reactor Protection System with new analog instrumentation and digital neutron flux monitors.

This submittal contains the following six documents:

1) Overview of New Nuclear Safety System with Integrated Supporting Modules
2) Signal Distribution Module (SDM)
3) <100 kW Key-Switch Module (KSM)
4) Withdraw Permit Circuit (WPC) Modification
5) Magnet Power Supplies and Rundown Relays
6) LED Scram Display, and Safety System Monitoring & Status Display PLC

And the drawings referenced by those documents:

a) R3W-256-2 Rev. 1.4 for the SDM global connections
b) R3W-258-3 Rev. 2 for the SDM V2 board
c) R3W-254-4 for the Key-Switch Module
d) R3W-203-4C Sheet 3-of-4 for the existing WPC
e) R3W-203-4D Sheet 3-of-4 for the proposed WPC
f) R3W-253-4 for magnet power supplies / rundown relays

None of the drawings or text in this submittal contains any proprietary information. All of it has had previous thorough discussion with the appropriate branch of the NRC. This submittal establishes official documentation of the additional material.

Sincerely,

Edward S. Lau, NE
Assistant Director of Reactor Operations
MIT Research Reactor

I declare under penalty of perjury that the foregoing is true and correct.

Executed on [date illegible]          [signature]
Date                                  Signature

EL/st

Enclosures:

As stated.

cc: USNRC - Senior Project Manager, Research and Test Reactors Licensing Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation
USNRC - Senior Reactor Inspector, Research and Test Reactors Oversight Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation

Q/A File #E-2012-1 Digital Upgrade for Nuclear Safety System
"Overview of New Nuclear Safety System with Integrated Supporting Modules"

Description of Integrated Supporting Modules for New Nuclear Safety System

The proposed digital nuclear safety system consists of four independent neutron flux monitoring channels, which detect reactor neutronic power and reactor period, and compare those parameters against their pre-set values. If the pre-set values are reached, the flux monitors will output a trip signal. The following describes how these trip signals bring about a reactor shutdown, while they are also processed via independent modules for display and recording. These various modules are individually described and safety-evaluated in separate safety review documents*. Here the focus is on how the integrated system functions when all of these modules are connected together. See the block diagram in Figure One.

This describes the propagation of trip signals that are generated by the DWK 250 neutron flux monitors and travel throughout the various downstream modules until the signals attain their goal of scramming the reactor. It is important to note that in all cases, the propagation manifests by de-energizing signal paths, not by energizing them.

When the reactor is operating at power within its prescribed envelope, no trip signals are generated**. The relays that generate trip signals on the DWK 250 monitors are closed, and the signal paths downstream all are energized (to 24 volts DC). These signal paths go through the Signal Distribution Module (SDM), the Scram Logic Cards, the <100 kW Key-Switch Module (KSM), the Withdraw Permit Circuit (WPC), the Magnet Power Supply System, and the Rundown Relay System. The signal paths through these various modules remain energized, and there is no scram.

If the reactor is operating outside its prescribed envelope, a trip signal is generated. Relays on the DWK 250 monitors are opened, de-energizing (to zero volts DC) a series of signal paths downstream. With these signal paths de-energizing, the ultimate effect is that electrical power stops going to the electro-magnets that support the neutron-absorbing shim blades, dropping the blades into the core by gravity and achieving shutdown of the reactor.

* "Signal Distribution Module", "<100 kW Key-Switch Module", "Withdraw Permit Circuit Modification", "Magnet Power Supplies and Rundown Relays", "LED Scram Display, and Safety System Monitoring & Status Display PLC"

** Whenever the reactor is operating above 100 kW in Full Power Operation mode, each DWK 250 will generate the "100 kW High Power" trip signal. This signal is received by the Scram Logic Cards, where it performs a logic comparison that results, in this case, in no output of a scram signal. This is described in further detail later on.

QA#-E-2012-1 12 MAY 2016

Each DWK 250 neutron flux monitor outputs trip signals in binary form, via eight binary output relays. Two of them are used for high power warning and short period warning. The other six are for trip functions: high power level, short period, high power 100 kW operation, low count rate, test status, and fault / equipment malfunction. These eight output relays have a 24-volt DC source applied across them, from an independent external source, rather than from the DWK 250 chassis. The relay outputs are electrically isolated from the internal circuitry of the DWK 250. The external source is a pair of 24-volt DC power supplies, which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. The 24-volt DC power energizes the relays via the SDM. (See the Global Connection schematic diagram R3W-256-2 Rev. 1.4.)

The DWK 250 outputs a trip function signal by opening one or more of its binary output relays. This de-energizes the signal path on the SDM that connects to Scram Logic Card 1 and Card 2. Each DWK 250 has six trip signal paths through the SDM to the Scram Logic Cards, one for each of the six trip conditions listed in the previous paragraph.

Together there are 24 such signal paths going through the SDM from the four DWK 250 chassis, passing the trip signals on to Scram Logic Cards 1 and 2.

Scram Logic Cards 1 and 2 perform identical logic comparison functions, and are connected to the SDM in parallel, with optical isolation at their inputs. Each Card uses discrete logic components, and is therefore non-programmable. Each features a two-out-of-four voting logic in hardware to prevent false trips from a single DWK 250 failure; this also eliminates the need for a safety system channel bypass switch. For instance, if one DWK 250 outputs one or more trip signals, then the Scram Logic Card will receive the signal(s) for logic comparison, and will make a decision not to output a scram signal. If two or more DWK 250s output trip signals, the two-out-of-four voting logic is now satisfied, and the Scram Logic Card will make the decision to output a scram signal. The Scram Logic Cards themselves have optically isolated outputs. They de-energize relays in the Withdraw Permit Circuit (WPC) and the Magnet Power Supply modules. Scram Logic Cards 1 and 2 work in parallel for redundancy.

The scram signal travels downstream from the Scram Logic Cards and reaches the <100 kW Key-Switch Module (KSM). The KSM chassis is mounted within the same Nuclear Instrument Module (NIM) bin as the Magnet Power Supply modules (NIM Bin 2 in Figure One). When a scram signal reaches this NIM bin, it is distributed to both the KSM and the Magnet Power Supply modules. This scram signal opens six relays in the Magnet Power Supply modules and five in the KSM. Opening of any of the six relays in the Magnet Power Supply modules will interrupt electrical power to the shim blade magnets directly, as will one of the relays in the KSM. Opening any of the four other relays in the KSM will open existing circuits Scram Loop A and Scram Loop B in the WPC, which in turn also results in interruption of shim blade electromagnet current, shutting down the reactor. These four relays also activate the "Safety System Scram" alarm on the main control room annunciator panel. Opening of the WPC activates the "Withdraw Permit Circuit" annunciator alarm there as well.


Whenever electric current to a shim blade electromagnet is interrupted, the Rundown Relay System moves the corresponding shim blade drive to its "full in" position at its normal speed. This takes place automatically to ensure that the released blade reaches its bottom position and stays there following a scram, completing the protective action once it is initiated.

When the KSM's key switch is turned to <100 kW Operation, signals indicating the key switch position are sent to the Scram Logic Cards, to the Safety System Monitoring & Status Display Programmable Logic Controller (PLC), and to the control room's main annunciator panel. This key switch position also automatically bypasses all three of the low flow primary coolant scrams. If reactor power reaches 100 kW, the DWK 250 will output the 100 kW high power trip signal, which will be logically interpreted by Scram Logic Cards 1 and 2. When the KSM's key switch is turned to Full Power Operation, the PLC's <100 kW Operation message will clear, and the low flow scrams are no longer bypassed. If reactor power reaches the nominal full power (6 MW), the DWK 250 will continue to output the 100 kW high power trip signal, while the Scram Logic Cards will receive the signal but will not interpret it as grounds for outputting a scram signal.

The two Scram Logic Cards and the LED Scram Display module are mounted within the same NIM bin (NIM Bin 1 in Figure One). Whenever a trip signal reaches the Scram Logic Cards from the DWK 250 chassis via the SDM, the Cards capture it and send it along to the LED Scram Display (again via the SDM), regardless of the logic decision. The LED Scram Display indicates the trip signal even if it came from a transitory condition, such that it cleared immediately at the DWK 250. This latching can be reset only by manually pushing a Channel Reset button on the LED Scram Display, one for each of the four DWK 250s. The Channel Reset button also resets the Scram Logic Cards (as they do not have their own reset buttons), and thus the lights on the LED Scram Display. This reset function is a necessary prerequisite for a reactor startup.
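The decision rule described in the preceding paragraphs (a channel trips when any of its six de-energize-to-trip signal paths drops to zero volts; two or more tripped channels, or loss of the 24-volt DC feed, remove the card's active output; the 100 kW High Power trip is disregarded in Full Power mode; the LED Scram Display latches every trip it sees until that channel is reset) and the dummy-plug case from the SDM document, modelled in Python as an added example. This is not the licensee's design material, and the actual Scram Logic Cards are non-programmable discrete hardware; the class, function and mode names are this model's own, and the treatment of anything other than exactly four channel inputs as a fault is an assumption of the model.

```python
"""Model of the scram decision described in the submittal: de-energize-to-trip
signal paths, 2-out-of-4 voting, the Full Power bypass of the 100 kW High
Power trip, and the latching LED Scram Display. Added illustration only."""
from dataclasses import dataclass, field
from enum import Enum

# The six trip functions named in the submittal. Each is a DWK 250 relay
# contact that is closed (24 V DC on the SDM signal path) when no trip exists.
TRIP_FUNCTIONS = ("high_power", "short_period", "high_power_100kw",
                  "low_count_rate", "test_status", "fault")


class Mode(Enum):
    """Position of the KSM key switch (names are this model's own)."""
    FULL_POWER = "Full Power Operation"
    LOW_POWER = "<100 kW Operation"


@dataclass
class ChannelState:
    """Voltage on one DWK 250 channel's six signal paths through the SDM.
    True = energized (24 V DC, no trip); False = de-energized (0 V, trip).
    A removed chassis or a dummy plug has every path de-energized."""
    paths: dict = field(
        default_factory=lambda: {f: True for f in TRIP_FUNCTIONS})

    @classmethod
    def absent(cls):
        """Chassis removed for maintenance (dummy plug in its SDM connector)."""
        return cls({f: False for f in TRIP_FUNCTIONS})

    def trip(self, function):
        """Open the named trip relay (de-energize that signal path)."""
        self.paths[function] = False


def channel_tripped(channel, mode):
    """A channel is tripped when any of its trip paths is de-energized.
    In Full Power mode the KSM signals the Scram Logic Cards to disregard
    the 100 kW High Power trip, which is present whenever power > 100 kW."""
    for name, energized in channel.paths.items():
        if name == "high_power_100kw" and mode is Mode.FULL_POWER:
            continue
        if not energized:
            return True
    return False


def scram_logic_card(channels, mode, supply_24v=True):
    """Return True when the card's output is de-energized, i.e. a scram.

    Loss of the 24 V DC feed from the SDM removes the active output, as
    does satisfying the 2-out-of-4 vote. Anything other than exactly four
    channel inputs is treated as a fault (this model's own assumption)."""
    if not supply_24v or len(channels) != 4:
        return True
    return sum(channel_tripped(c, mode) for c in channels) >= 2


class LedScramDisplay:
    """Latches every trip path the cards saw de-energized, per channel,
    regardless of the voting decision, until that channel's Channel Reset
    button is pushed. A transient trip therefore remains visible."""

    def __init__(self):
        self.latched = {i: set() for i in range(4)}

    def observe(self, channels):
        for i, channel in enumerate(channels):
            for name, energized in channel.paths.items():
                if not energized:
                    self.latched[i].add(name)

    def channel_reset(self, index):
        self.latched[index].clear()

    def any_latched(self):
        return any(self.latched.values())


if __name__ == "__main__":
    # Constructed scenario: reactor above 100 kW, all four channels report
    # the 100 kW High Power trip. Full Power mode: no scram; <100 kW mode: scram.
    channels = [ChannelState() for _ in range(4)]
    for c in channels:
        c.trip("high_power_100kw")
    print("Full Power, >100 kW:", scram_logic_card(channels, Mode.FULL_POWER))
    print("<100 kW mode, >100 kW:", scram_logic_card(channels, Mode.LOW_POWER))

    # One chassis removed (dummy plug) counts as one tripped channel; a
    # single further trip on any other channel satisfies the 2-out-of-4 vote.
    channels = [ChannelState.absent()] + [ChannelState() for _ in range(3)]
    print("Dummy plug only:", scram_logic_card(channels, Mode.FULL_POWER))
    channels[1].trip("short_period")
    print("Dummy plug + one trip:", scram_logic_card(channels, Mode.FULL_POWER))
```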

All of the above trip signal handling and scram signal handling functions take place via bi-stable, discrete components. There is no system clock or other timing function. In order to register the date and time of a trip event, a digital Safety System Monitoring & Status Display PLC panel is employed for real-time event logging. Each DWK 250 chassis outputs trip signals to the SDM, where the trip signals are routed separately to the PLC, as well as to the Scram Logic Cards. The two warning signals from the DWK 250 also go directly to the PLC, via the SDM. The PLC will then display and record the names of all of these alarm indications that come in, and will pass two types (warnings and fault alarms) to the control room's main annunciator panel. The PLC has a physical, common reset button to acknowledge and reset any alarms it registers. This reset button does not affect the LED Scram Display nor the Scram Logic Cards. The PLC has a built-in optical isolator on each of its signal input connections from the SDM, ensuring the signal flow is unidirectional into the PLC.

The six trip signals from each DWK 250 are passed via the SDM to a Drop Timer Interface module, which is equipped with optical isolators at the signal inputs, and in turn passes the signals to activate a Blade Drop Timer. The Drop Timer measures the time from initiation of a trip signal to 80% insertion of a shim blade, per Technical Specification requirements. The Drop Timer Interface module is a new piece of equipment that conditions the trip signals so that they are electrically compatible with the existing Blade Drop Timer.

All the modules described above, including the DWK 250 channels, are new equipment for the proposed nuclear safety system, with the exception of the WPC (which is modified in a few places) and the Blade Drop Timer. The control room's main annunciator panel is also existing equipment. All shaded blocks depicted in Figure One are existing equipment.

Figure One: Block Diagram of Nuclear Safety System with Integrated Support Modules

[Block diagram; image not reproduced in this text. Blocks shown: four detectors feeding the DWK 250 Nuclear Safety Channels (Ch. 1 to 4); the Signal Distribution Module (SDM); NIM Bin 1 containing Scram Logic Cards 1 and 2 and the LED Scram Display; NIM Bin 2 containing the <100 kW Key Switch Module (KSM) and the Magnet Power Supply Modules; Shim Blade Magnets (x6); Rundown Relay Panel; Shim Blade Drive Circuits (x6); Withdraw Permit Circuit (WPC); RS232 Breakout Box; Console Meters/Recorders; PLC feeding the Console Annunciator Panel; Drop Timer Interface Module feeding the Blade Drop Timer. Legend: Direct Signal Propagation to Effect a Scram; Optical Isolation; Existing Equipment (shaded).]


Safety Evaluation

The integrated system is highly redundant and will ensure that trip signals are propagated throughout the system to achieve their goal of scramming the reactor, meeting their intended safety functions as defined by Chapter 7 of the Safety Analysis Report. If any of the components along the scram signal path should fail, the result will be an interruption of signal path, thereby resulting in shutdown of the reactor. Components that are not along the scram signal path will not interrupt the signal paths if they fail; furthermore, their failure will not interfere with trip propagation or scram processing. These latter components include the Safety System Monitoring & Status Display Programmable Logic Controller (PLC), the LED Scram Display, the Drop Timer Interface module, and the Blade Drop Timer.

Redundancy of scram relays and independence of activation(s) applies throughout the Nuclear Safety System, hence minimizing the risk of common-mode failure. All scram relays are mechanical relays that fail open, thereby minimizing the impact from EMF and radio frequency interference on their function.

Except the PLC, all the modules downstream of the DWK 250 chassis use low voltages and are built with discrete components that do not use microprocessors. The components are constructed only with non-programmable solid-state and discrete passive devices. As a result, signal propagation and handling are not subject to software processing delays. Additionally, there is no cybersecurity risk to this part of the system.

All the discrete components are standard industrially-rated devices. The low voltage nature of the system will maximize their operational life span, minimize EMF production, and reduce electrical hazards to Instrumentation personnel.

The Signal Distribution Module (SDM) reduces the use of excessive wiring and cable connections for signal transmission. Where possible, optical isolators are used at interfaces between modules to ensure signal flow is unidirectional.

The Scram Logic Cards use 2-out-of-4 voting logic in order to avoid unnecessary scrams from neutron flux monitoring channel faults. This increases stability and reliability of the nuclear safety system. If one of the two Scram Logic Cards fails such that it interrupts continuity from the 24-volt DC power supply, a scram signal is the result. The Scram Logic Cards were designed to provide an active output (24 volts) at each stage of the signal processing when a Scram condition does not exist. A scram signal from either Scram Logic Card is sufficient to result in a reactor scram. Whenever a scram signal is produced, it will indicate and be logged on the PLC, including in which Card(s) it originated.

All the modules in the Nuclear Safety System, including the DWK 250 chassis, will be rack-mounted within the protective metal cabinets of the control room console. The console cabinets will continue to provide the equipment with physical defense comparable to that for the current systems, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. Where necessary, certain interactions can be performed only by or under the supervision of reactor Instrumentation staff members.


The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

All the modules in the Nuclear Safety System, including the DWK 250 chassis, provide many indications of their operational status, trip signals, and scram signals. The console operator has a ready view of all of these, for instance, on both the LED Scram Display and the PLC. Therefore, human interface is improved. Additionally, the system is designed and constructed to require as little disconnection of cables, modules, and components for routine operation as possible. This is a major improvement over the existing Nuclear Safety System.

The new Nuclear Safety System will receive pre-operational and operational testing under a Test Plan. Individual modules will be bench-tested. Global system testing will be performed both on the bench and after installation in the control room.

Once it is operational, the functions of the Nuclear Safety System will be tested periodically as per the Technical Specifications. Therefore, regular surveillances will ensure its continued integrity.

The Nuclear Safety System provides one of the functions of the Reactor Protection System. Even if the Nuclear Safety System fails, there are other independent and redundant reactor protective functions that will continue to provide an automatic scram of the reactor based on high temperature, low primary coolant flow rate, low core tank level, etc., as described in the existing MITR Safety Analysis Report. Therefore, the Reactor Protection System is highly robust and diverse.


Q/A File #E-2012-1 Digital Upgrade for Nuclear Safety System
"Signal Distribution Module"

Description of the Signal Distribution Module

The Signal Distribution Module (SDM) is a passive interface circuit between the DWK 250 digital neutron flux monitors and all components downstream. As can be seen in schematic diagram R3W-256-2 Rev. 1.4, and circuit board diagram R3W-258-3 Rev. 2, the SDM has a total of thirteen connections. In terms of signal flow, four of those connections are strictly input (signal coming from each of the four DWK 250 units), seven are input/output bidirectional, and two are strictly output. The following is a list of the connectors as they are labeled:

1. X10: Receives signal from DWK 250 channel #1.
2. X11: Receives signal from DWK 250 channel #2.
3. X12: Receives signal from DWK 250 channel #3.
4. X13: Receives signal from DWK 250 channel #4.
5. X14: Receives power from two 24-volt DC power supplies which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. The X14 connector then passes 24-volt DC power as output to three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the <100 kW Key-Switch Module. The X14 connector also passes the 24-volt DC power via connectors X10 through X13 to energize the output (scram/alarm) relays of the four DWK 250 channels. (The DWK 250 output relays are electrically isolated from the internal circuitry of the DWK 250, and rely on an external power source for their operation.)
6. X15: Passes signals from the four DWK 250 channels to Scram Logic Card 1. The X15 connector receives signals back from Scram Logic Card 1 and routes them to other non-safety-related monitoring and display devices.
7. X16: Passes signals from the four DWK 250 channels to Scram Logic Card 2. The X16 connector receives signals back from Scram Logic Card 2 and routes them to other non-safety-related monitoring and display devices.
8. X17: Passes signals to and from the <100 kW Key-Switch Module.
9. X18: Passes signals to and from an LED Scram Display module, which captures scram signals from any of the four DWK 250 channels via the Scram Logic Cards, and keeps them latched in until the Scram Display module is used to reset the two Scram Logic Cards. (Once the scram condition no longer exists, the DWK 250 will not show what the scram was.)
10. X19: Passes analog signals from the four DWK 250 channels to existing console chart recorders and meters.
11. X20: Passes signals from the rear input/output terminal blocks of the four DWK 250 channels to and from a breakout module containing four 9-pin RS-232 ports (one per channel), plus a 15-pin RS-232 port that can interact with all four smaller ones. The breakout module will be secured from unauthorized access.
12. X21: Passes signals from all inputs of the SDM to a non-safety-related programmable logic controller (PLC) for monitoring and status display.
13. X41: Passes signals to and from all four DWK 250 channels to a Drop Timer Interface Module, which in turn passes signals to activate a Blade Drop Timer. This setup will measure the scram time from initiation of a scram signal to 80% insertion of a shim blade. The Drop Timer Interface Module conditions an input signal for compatibility with the previously-existing Blade Drop Timer, and includes optical isolation of the SDM from the Blade Drop Timer. The Drop Timer Interface Module and the Blade Drop Timer are both mounted in a "NIM bin" rack which provides them an independent power source.

Safety Evaluation

The Signal Distribution Module (SDM) is a new passive circuit board which facilitates passing of signals between various components of the new nuclear safety system.

If the board fails, such as by physical damage or other disruption to a scram signal path between a DWK 250 and the Scram Logic Cards, there will be a loss of the signal, thereby causing the Scram Logic Cards to produce a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

Because the SDM is a passive circuit board, it does not include any optical isolators. However, there are optical isolators built into Scram Logic Card 1, Scram Logic Card 2, the Drop Timer Interface Module, and the PLC panel.

The connection to the two 24-volt DC power supplies only passes power to the two Scram Logic Cards and the <100 kW Key-Switch Module. The SDM board does not use the power for its own functions. The two power supplies are fed from a common 120-volt AC source, and have an internal fuse which will protect against surges that exceed 250 volts AC on that line. They also have an output overload that will trip at no more than 35 volts DC. In the unlikely event of an excessive line voltage surge, both power supplies will likely trip to protect themselves, interrupting power to the two Scram Logic Cards, scramming the reactor.

If the surge affects the SDM board directly, it will create physical damage as described above, again resulting in a reactor scram.


Signals input to the SDM board from the two Scram Logic Cards are passed along to other display and status monitoring devices. If the board should be damaged in these areas, there is no effect on nuclear safety. The console operator may observe a partial loss of indications of reactor power and reactor period, but will not receive false information. There are redundant displays of reactor power and period, such as on the face of each DWK 250 chassis, that will remain operable. There are also four existing independent non-safety-related neutron flux channels or N-16 gamma channels displaying reactor power. Likewise, loss of signal output from the SDM to existing console chart recorders and meters has no effect on nuclear safety. There is redundant recording of reactor power history from the non-safety-related neutron flux channels.

Signals to and from the RS-232 breakout box will be lost should the SDM board be damaged. However, this again has no nuclear safety consequence. The breakout box allows access to each of the four DWK 250 channels to set adjustable parameters by computer. Such adjustments are done only by authorized individuals, and only when the channel is off line or the reactor is shut down. The box has a cover and is secured when not in use. The computer used for this purpose is a standalone unit and is not connected to the internet. The interface software is provided by the manufacturer of the DWK 250s. Therefore cybersecurity is maintained.

The SDM will be bench-assembled on one circuit board in a controlled environment. The new board will then be connected to the rest of the new nuclear safety system while everything is de-energized. The module will be constructed with standard industrially-rated components. The two 24-volt DC power supplies meet medical qualifications. The SDM contains no digital components, and is therefore not subject to cybersecurity threats.

The SDM will be mounted within the protective metal cabinets of the control room console. The console cabinets will provide the module with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 °F). There is a temperature alarm (setpoint no higher than 78 °F) that is monitored whenever the reactor is operating, or shut down with the control room attended. This air-conditioning control easily satisfies the operating requirements for all the components in the SDM board.

All cables to the SDM and cable connection points on the SDM will be labeled, as will the circuit board. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interface with the SDM board. It will be handled only by or under the supervision of licensed reactor staff. Therefore, human factors engineering remains adequate.


The SDM contains a continuity wiring feature that recognizes when each DWK 250 is connected to its correct connector on the SDM. Specifically, DWK 250 Unit 1 is supposed to connect to X10 via cable K-10, DWK 250 Unit 2 to X11 via cable K-11, DWK 250 Unit 3 to X12 via cable K-12, and DWK 250 Unit 4 to X13 via cable K-13. If a cable is unplugged, or plugged into the wrong connector, the continuity circuit will report the misconfiguration via a fault message on the PLC that handles safety system monitoring and status display.

The same error message will be generated by the PLC if this continuity circuit fails open.

A dummy cable plug will take the place of a DWK 250 chassis in cases where one chassis is physically removed for repair/maintenance. The absent chassis will appear as a trip signal on the Scram Logic Cards. If any one of the remaining three chassis should output a trip signal, then the Scram Logic Cards will produce a scram signal. The purpose of the dummy plug is merely to allow the continuity circuit to continue to verify that the three remaining chassis are connected to their correct connectors.

The new SDM board will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system. Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.


Q/A File #E-2012-1 Digital Upgrade for Nuclear Safety System
"<100 kW Key-Switch Module"

Description of the <100 kW Key-Switch Module

The <100 kW Key-Switch Module (KSM) provides positive indication to the console operator if the reactor is set up for the <100 kW mode of operation vs. the Full Power mode of operation. The KSM chassis is labeled "Reactor Operating Mode", as shown in Figure 1 and Figure 2.

[Figure 1 and Figure 2: front panel of the KSM chassis, labeled "REACTOR OPERATING MODE", showing the key switch with its two positions, FULL POWER and <100 kW, and the indicator lights "<100 kW OPERATION", "FULL POWER OPERATION", "LOOP A SCRAM", "LOOP B SCRAM", and "24V D.C. POWER"; images not reproduced in this text.]

There are only two positions for the key switch: Full Power mode, and the <100 kW mode. The switch is mechanically spring-loaded for positive detent, so it will move to rest in one of these two positions, making it extremely difficult to leave the key in a neutral position.

When the key switch is turned to <100 kW Operation, a local <100 kW Operation indicator LED light will illuminate. (See key switch pole KS1C on Reactor Drawing R3W-254-4.) Likewise, also from pole KS1C, a signal will be sent to the Status Display programmable logic controller (PLC), and from pole KS1B, an alarm will illuminate on the control room's main annunciator panel. Furthermore, when the key switch is selected to <100 kW, the KSM transmits signals via pole KS1D to bypass any scram that comes from Low Flow Primary, Low Pressure MP-6, or Low Pressure MP-6A (each of which activates its own indicator on the control room's main annunciator panel). The 100 kW High Power Trips from the DWK 250s will, if on, be interpreted as channel trip signals by Scram Logic Card 1 and Scram Logic Card 2. (Note: As shown in Drawing R3W-254-4, pole KS1A exists but is not used.)

When the key switch is turned to Full Power Operation, the <100 kW local indicator, the <100 kW annunciator alarm light, and the PLC message will all clear, and the three primary flow scram bypasses are automatically removed. A local Full Power Operation indicator LED light will illuminate via key switch pole KS1C. Furthermore, when the key switch is selected to Full Power, the KSM sends a signal via pole KS1C to Scram Logic Card 1 and Scram Logic Card 2 which causes the DWK 250 100 kW High Power Trips to be bypassed.

The front of the KSM chassis has two LED lights that indicate "Loop A Scram" and "Loop B Scram", as seen in Figure 1 and Figure 2. These lights come on only when there is a scram condition in the Withdraw Permit Circuit's (WPC's) Scram Loop A or B, respectively.

Reactor Drawing R3W-254-4 illustrates all the above functions of the KSM. The module receives power from two 24-volt DC power supplies which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. When the KSM chassis is powered, the "24V D.C. Power" indicator LED light will be lit.

The KSM chassis is mounted within the same Nuclear Instrument Module (NIM) bin as the Magnet Power Supply modules. When Scram Logic Card 1 or Card 2 outputs a scram signal, the signal reaches this NIM bin via connector X40, which distributes it to both the KSM and the Magnet Power Supply modules. This scram signal opens all relays downstream of the Scram Logic Cards as indicated on Drawing R3W-254-4. This set of ten 24-volt relays includes GM1A, GM2A, GM3A, GM1B, GM2B, and GM3B in the Magnet Power Supply modules, and RY5, RY6, RY7, and RY8 in the KSM. In fact, any one of the RY5 - RY8 relays opening will open 120-volt relay B3 or B4 in the WPC's Scram Loop A or Scram Loop B (physically located in the WPC), thereby resulting in a scram. Additionally, opening of an RY5 - RY8 relay contact illuminates the "Loop A Scram" or "Loop B Scram" indicator LED light on the KSM chassis, and activates the Safety System Scram annunciator alarm. Opening of the RY4 relay (coil physically located in the KSM), or the GM1 - GM3 relays listed above, will directly interrupt electrical power to shim blade magnets as covered in the Magnet Power Supply System description.

Built into the back of the KSM chassis is one multi-pin connector, which combines the connecting functions of X28, X40, and X43, as they are labeled on schematic diagram R3W-256-2 Rev. 1.4. These connecting functions are as follows:

1. X28: Transmits signals to the Status Display PLC, and to Scram Logic Card 1 and Scram Logic Card 2 via the Signal Distribution Module.
2. X40: Receives 24-volt DC power. Receives signals from Scram Logic Card 1 and Scram Logic Card 2.
3. X43: Transmits signals to the Withdraw Permit Circuit, the Magnet Power Supplies, and the control room's main annunciator panel.


Safety Evaluation

The <100 kW Key-Switch Module (KSM) is constructed entirely of discrete components, uses no digital devices, is not programmable, and is therefore not subject to cybersecurity threats. The KSM is not responsible for originating any scram signals. It uses 24-volt DC power. If power is lost, the 24-volt LED power indicator light and any other LED indicator light on the front of the chassis will all go out. However, when the key switch is in the <100 kW mode, the main annunciator panel will continue to have its "<100 kW Operation" alarm light on, as that alarm is powered from the annunciator panel itself. If the chassis were damaged, the effect would be the same as a loss of power.

Some of the relays associated with the Withdraw Permit Circuit (WPC) have their coils and/or contacts physically located within the KSM. These include relays RY4, RY5, RY6, RY7, and RY8. If this part of the KSM fails, such as by loss of power, physical damage, or other disruption to a circuit path, there will either be a loss of signal in the WPC, thereby causing a scram, or a power cutoff to Scram Loop A or Scram Loop B, equally causing a scram. Likewise, if the 120-volt AC power supply path to the magnet power supplies within the KSM is physically interrupted, the loss of magnet power will cause the shim blades to drop into the core, thereby causing a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

The key switch is mechanically spring-loaded for positive detent, so it will move to rest in one of its two positions, making it extremely difficult to leave the key in a neutral position. However, if the key switch should fail and not be in full contact with either of its two designated positions, neither mode indicator LED light will be illuminated, no respective main annunciator or PLC alarms will be lit, and none of the bypasses associated with either position will be in effect. Accordingly, if the primary pumps are not on, all the associated low flow scrams will be in effect (WPC open) and will prevent a reactor startup or continued operation. If the primary pumps are on, and reactor power exceeds 100 kW, the 100 kW High Power Trips on the DWK 250s will take effect and scram the reactor.

Another failure mode of the KSM is if it no longer transmits a signal because of physical damage or other disruption as discussed above. This would have the same effects as lack of full contact within the key switch, as described in the previous paragraph. All such abnormal effects are either not safety-related, or produce outcomes more conservative than the normal configurations.
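As an added illustration (not part of the LAR or of MIT's design documents), the following Python model encodes the three key-switch states described in this section, the failed neutral position included, and checks the safety evaluation's claim that the neutral position is never less conservative than either normal position. Relay and pole names follow the text; the plant states and power values it iterates over are constructed.

```python
"""Model of how the <100 kW Key-Switch Module (KSM) position gates the
primary-flow scram bypasses in the Withdraw Permit Circuit (WPC) and the
DWK 250 100 kW High Power Trips.  Added example for illustration, not MIT's
design or code; relay and pole names follow the text, and the scram /
no-scram outcomes follow the safety evaluation."""
from itertools import product

FULL_POWER = "Full Power Operation"
LOW_POWER = "<100 kW Operation"
NEUTRAL = "neutral"   # failed key switch, not in full contact with either detent

# Each primary-flow scram in the WPC and the bypass relay assigned to it.
FLOW_SCRAM_BYPASS_RELAY = {
    "Low Flow Primary Coolant": "RY2",
    "Core Inlet Pressure MP-6": "RY3",
    "Core Inlet Pressure MP-6A": "RY1",
}


def energized_bypass_relays(mode):
    """RY1-RY3 are energized (closed, scram bypassed) only while pole KS1D
    reports the key switch positively in the <100 kW position."""
    if mode == LOW_POWER:
        return frozenset(FLOW_SCRAM_BYPASS_RELAY.values())
    return frozenset()


def hundred_kw_trips_bypassed(mode):
    """Pole KS1C tells Scram Logic Cards 1 and 2 to bypass the DWK 250
    100 kW High Power Trips only in Full Power mode.  In <100 kW mode and
    in the neutral failure position they count as channel trips."""
    return mode == FULL_POWER


def indications(mode):
    """Local LED, main annunciator alarm and PLC message for a position.
    A neutral (failed) switch lights nothing, which is itself a cue."""
    if mode == LOW_POWER:
        return {"local_led": LOW_POWER, "annunciator": "<100 kW Operation",
                "plc_message": LOW_POWER}
    if mode == FULL_POWER:
        return {"local_led": FULL_POWER, "annunciator": None, "plc_message": None}
    return {"local_led": None, "annunciator": None, "plc_message": None}


def wpc_open(mode, primary_pumps_on):
    """With the primary pumps off all three flow scrams are present; the WPC
    stays closed only if every one of them is bypassed by its relay."""
    if primary_pumps_on:
        return False
    relays = energized_bypass_relays(mode)
    unbypassed = [s for s, r in FLOW_SCRAM_BYPASS_RELAY.items() if r not in relays]
    return bool(unbypassed)


def hundred_kw_scram(mode, power_kw):
    """All four DWK 250 channels see the same core power, so a power above
    100 kW satisfies two-out-of-four voting unless the trip is bypassed."""
    return power_kw > 100 and not hundred_kw_trips_bypassed(mode)


def scrammed(mode, primary_pumps_on, power_kw):
    """Reactor is scrammed (or cannot be started) if either path is open."""
    return wpc_open(mode, primary_pumps_on) or hundred_kw_scram(mode, power_kw)


def neutral_never_less_conservative():
    """The safety evaluation's claim: a key switch that is not in full
    contact with either position produces outcomes at least as conservative
    as either normal position, for every (constructed) plant state."""
    for pumps, power in product((False, True), (0, 50, 150, 5000)):
        for mode in (FULL_POWER, LOW_POWER):
            if scrammed(mode, pumps, power) and not scrammed(NEUTRAL, pumps, power):
                return False
    return True


if __name__ == "__main__":
    for mode in (FULL_POWER, LOW_POWER, NEUTRAL):
        print(mode, indications(mode), sorted(energized_bypass_relays(mode)))
    print("neutral position conservative:", neutral_never_less_conservative())
```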

The KSM shares use of the 24-volt DC power supplies with the Scram Logic Cards.

If the 24-volt power fails, the Scram Logic Cards will produce a scram.

The KSM will be bench-assembled in a controlled environment. The new assembly will then be connected to the rest of the new nuclear safety system while everything is de-energized. The module will be constructed with standard industrially-rated components. The two 24-volt DC power supplies meet medical qualifications.


The KSM will be mounted in the same Nuclear Instrument Module (NIM) bin as the Magnet Power Supply modules. They are all within the protective metal cabinets of the control room console, which will provide the modules with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

This air-conditioning control easily satisfies the operating requirements for all the components in the KSM.

All cables to, and cable connection points on, the KSM will be labeled, as will the NIM bin. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interaction with the KSM chassis other than the key switch itself. The key switch is a standard industrial component.

The LED indicator lights adjacent to it confirm when it is latched in either of its two designated positions. Therefore, human factors engineering remains adequate.

The new KSM assembly will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system. Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System "Withdraw Permit Circuit Modification"

Description of Withdraw Permit Circuit and Modification

The Withdraw Permit Circuit (WPC) is a startup interlock that consists of a string of relays and contacts in series. Each corresponds to either a startup requirement or to a reactor scram condition. If any of the relays and contacts in this series lineup is open, the circuit interrupts electrical current to the electromagnets that hold the six shim blades, thereby decoupling the shim blades from their drives and effecting a scram. See MIT Reactor Drawing R3W-203-4 (Sheet 3 of 4; Revision C for the existing WPC, and Revision D for the proposed modification).

The WPC will be modified in this upgrade to the digital nuclear safety system in the following areas:

1. Removal of the relays and contacts that produce a two-out-of-three logic for the Period Channel Level Signal Off-Scale scram. These are no longer needed for the new nuclear safety system. (An earlier approach was to bypass all of these relays and contacts, but leave them physically in the circuit. Later we decided to remove them for simplification and maintainability of the circuit.) Twelve contacts will be removed as a result.
2. Addition of three relays that bypass the primary flow scrams when in the <100 kW operating mode, which uses no forced flow, as allowed by Technical Specifications.* These relays are designated RY1 (for the Core Inlet Pressure MP-6A scram), RY2 (for the Low Flow Primary Coolant scram), and RY3 (for the Core Inlet Pressure MP-6 scram). These relays will perform bypass functions that are currently implemented manually using individual upstream key-switches. For the upgrade, the relays will be permanently installed into the WPC.
3. Addition of three relays that operate through the rundown relay panel. The first of these relays, designated B2A, interrupts magnet current to shim blades 1 and 2. The second, designated B2B, interrupts magnet current to shim blades 3 and 4. The third, designated B2C, interrupts magnet current to shim blades 5 and 6. Each of these is a redundant addition in series with existing relays B1A, B1B, and B1C respectively.
4. Addition of one contact that opens the WPC redundantly in the case of a scram trip from the nuclear safety system. This new contact, designated B4-1 or "Safety System Scram (Loop B)", will serve a redundant function with existing contact B3-1 "Safety System Scram (Loop A)". A scram signal from Scram Logic Card 1 will open relays B3 and B4 in Loop A and Loop B respectively. Likewise, a scram signal from Scram Logic Card 2 will also open relays B3 and B4 in Loop A and Loop B respectively. In the existing system, the Safety System Scram opens only one contact (B3-1).


Safety Evaluation

The removal of old relays and contacts, instead of bypassing them, helps prevent cluttering the Withdraw Permit Circuit (WPC) with unused components. The removal process will be done with the circuit completely de-energized, and will not exert undue physical stress on the other existing components in the circuit.

The addition of new relays and contacts will be done by building them into several separate circuit modules in a controlled environment. These new modules will then be connected to the rest of the new nuclear safety system while the reactor is shut down and the appropriate circuits are de-energized. All existing and new relays in the WPC are standard industrially-rated mechanical relays, hence minimizing the impact from EMF and radio frequency interference on their function. All are configured to open when de-energized or upon failure. The WPC remains non-programmable and non-digital, consisting only of discrete bi-stable components, and is therefore not subject to cybersecurity threats.

New relays RY1, RY2, and RY3 (mentioned in Item 2 above) bypass three different scrams that all represent the low primary coolant flow condition when operating the reactor in the <100 kW mode. When the <100 kW mode is selected on the <100 kW Key-Switch Module, these three relays will be energized to close and bypass the scrams. A failure of any of these three new relays during a low flow condition will result in a reactor scram. When the Full Power mode is selected on the <100 kW Key-Switch Module, these three relays will remain de-energized and open, and will have no effect on the WPC.

New relays B2A, B2B, and B2C interrupt electrical current to the electromagnets of their respective pairs of shim blades. Their functions are redundant to existing relays. Like those existing relays, if they fail during operation, they will cause their pairs of shim blades to drop into the core, shutting down the reactor.

The WPC will remain mounted in its original location within the protective metal cabinets of the control room console. The console cabinets will continue to provide the circuit with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

The air-conditioning control easily satisfies the operating requirements of all the components, which are of standard industrial qualifications. When the reactor is shut down and the building is secured, the WPC is de-energized.

All cable connections to the WPC will be labeled, as will the new circuit modules. These markings improve the human interface for purposes of installation and maintenance.


Human interface with the WPC is via key-switches in plain sight on the front of the console. The existing array of key-switches for individual scram bypasses will now be supplemented by one that switches between <100 kW and Full Power modes of operation.

When this <100 kW key-switch is turned to the <100 kW mode of operation, which automatically bypasses the three primary flow scrams, it provides one indicator light on the <100 kW Key-Switch panel, and an alarm on the main annunciator panel denoting "<100 kW Ops Mode On". Additionally, the main annunciator panel will have the "Withdraw Permit Bypass On" alarm illuminated. These indications reinforce the console operator's awareness of operating the reactor in <100 kW mode. Furthermore, there will be indicator lights turning on at each of the three primary flow scram bypass key-switches, providing visual confirmation to the console operator of the flow scram bypasses. Therefore, human factors engineering remains adequate and more than equivalent to the current system.

The new WPC will be tested with a written procedure prior to first use, and periodically as per the Technical Specifications for the nuclear safety system and process system scrams. Therefore, regular surveillances will ensure the integrity of the circuit, and the WPC will continue to perform its safety function as defined by the SAR.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System "Magnet Power Supplies and Rundown Relays"

Description of Magnet Power Supply System

The function of the magnet power supplies is to provide current (~80 milliamps DC) to the electromagnets for all six shim blades (i.e., absorber sections of the control devices) in the reactor core. Each magnet holds the weight of its shim blade, attaching it to its drive mechanism via the magnet. When current to the magnet is interrupted, the shim blade will decouple from its magnet and drive, and travel vertically by gravity into the reactor core, scramming or shutting down the reactor in less than one second.

In the existing nuclear safety system, power for the magnets originates in the electronic circuitry of the six nuclear safety amplifiers. These amplifiers provide the necessary trip signals, three on high power and three on short period, and use those signals to interrupt current to the magnets. The interruption is first applied to the magnets for a pre-selected pair of shim blades (blades 1 & 4, or blades 2 & 5, or blades 3 & 6), and then to the remaining four magnets.

The new nuclear safety system will not consist of safety amplifiers. Instead the high power and short period trips all originate from four independent Mirion DWK 250 neutron flux monitors. The new magnet power supply system will consist of three modules, with each module providing magnet current to two shim blades (blades 1 & 2, blades 3 & 4, and blades 5 & 6). Each module interfaces with its corresponding rundown relay circuit, with magnet current passing through the rundown relay panel on its way to the magnet. The function of the rundown relay system will be described in the next section.

Each magnet power supply module is a stand-alone electronic circuit, made of discrete solid-state components, with its own 24-volt DC power supply. (See Drawing R3W-253-4.) Each module has two "current adjust" regulators, one for each associated shim blade. The regulators are semiconductor devices. The adjusted current is displayed on a meter in series with the regulator, one for each shim blade.

Magnet current is interrupted in each magnet power supply module via two relays that are controlled by Scram Loops A and B from the output of the Scram Logic Cards. For instance, relay contacts GM1A-1 and GM1B-1 on Drawing R3W-253-4 for shim blade 1 belong to relays GM1A and GM1B in Scram Loops A and B respectively. If Scram Loop A, or Scram Loop B, or both A and B are open, i.e. in scram condition, these relay contacts will open to interrupt magnet current to shim blade 1. Likewise, contacts GM1A-2 and GM1B-2 for shim blade 2 will open to interrupt magnet current to shim blade 2.

The Withdraw Permit Circuit (WPC) interrupts magnet current via relays in the rundown relay panel, as described in the next section. For redundancy, when the WPC is open, the 120-volt AC line power from reactor electrical circuit L21 itself will be interrupted, thereby simultaneously de-energizing all three 24-volt DC power supplies for the three magnet power supply modules. This can be seen on Drawing R3W-253-4, where relay RY4 from the WPC will open relay contact RY4-1 when the WPC is open, thereby interrupting current from all three 24-volt DC magnet power supplies. The independent interruption of the magnet power supply via the nuclear safety Scram Logic Cards and the WPC provides redundancy and prevents common-mode failure.

Description of Rundown Relay System

The function of the rundown relay system is to move each shim blade's drive mechanism to its "full in" position at its normal speed whenever magnet current to the shim blade's magnet is removed. When the blade's magnet current is interrupted, the blade is intended to drop by gravity into the core. Moving the drive in behind it automatically is to ensure that the blade reaches its bottom position and stays there following a scram, completing the protective action once it is initiated.

The magnet power supply circuits are constructed in three independently-powered modules, each supplying a pair of shim blade magnets. The rundown relay system, however, is all part of one panel, and uses its own 24-volt DC power supply to energize the circuits for all six shim blades.

When the magnet power supply circuit is energized, current goes through the rundown relay system via three relay contacts connected in series (B1A-1, B2A-1, & RR1-1 on Drawing R3W-253-4 for shim blade 1, or B1A-2, B2A-2, & RR2-1 for shim blade 2).

Relays B1A and B2A are controlled by the Withdraw Permit Circuit (WPC). If the WPC is open, i.e. in scram condition, these relays interrupt magnet current to the associated shim blade. Relays RR1 and RR2 also interrupt magnet current, if the magnitude of that current drops below a pre-determined value which is set by an opto-relay (U1 for shim blade 1, U2 for shim blade 2).

The RR1, RR2, etc., relays perform two additional functions: controlling an indicator light that shows the status of the rundown relay circuit for its corresponding shim blade, and overriding normal control of the shim blade's drive motor. The indicator light stays out whenever the magnet current is at normal operating level. It comes on when the magnet current is low or near zero; the corresponding shim blade drive will be moving in, until it reaches its full-in position. Whenever the WPC is open, the indicator lights will stay on, denoting the control overrides which prevent any shim blade drive from being moved outward. Even after the WPC is reset and re-energized, this override condition will remain in effect until the rundown relay circuits themselves are reset by the console operator.

Additionally, the rundown relay circuits cannot be reset if the magnet current is below a pre-determined value. When the circuit is reset, the indicator lights go out.

The rundown relay circuit for each shim blade can be individually reset once the blade drive has reached the full-in position and the WPC has been reset and re-energized. A master reset (pushbutton PB7, acting via relays MR1 and MR2 on Drawing R3W-253-4) is also available to reset all six rundown relay circuits simultaneously.


Safety Evaluation

Both the magnet power supply system and the rundown relay system will continue to perform their safety functions as defined by the SAR. Both systems were rebuilt with standard industrially-rated components. As was the case for their previous forms, they contain no digital components, being constructed only with non-programmable solid-state and discrete passive devices. Therefore, these systems are not subject to cybersecurity threats.

There are six independent ways to interrupt current to any given shim blade magnet: two relays from the Scram Logic system (via scram loops A and B), two relays from the WPC in the blade's rundown relay circuit, one relay in the blade's rundown relay circuit that opens upon low current, and one relay from the WPC in the line power supply. If there is a nuclear safety system scram, all six of these ways will have their relays open, to ensure a reactor scram. If there is a process system scram (e.g. low flow on the primary coolant system, low pressure city water, etc.), then only four of the above ways will apply: two relays from the WPC in the blade's rundown relay circuit, one relay in the blade's rundown relay circuit that opens upon low current, and one relay from the WPC in the line power supply. Most importantly, any one of these ways will cause a magnet current interruption to shut down the reactor, and will activate the rundown relay circuit to drive all the shim blades in. (The regulating rod will also be driven in when the WPC is open, but via the existing rod control circuit.)

Five out of six of the relays mentioned above in the magnet power supply circuit and the rundown relay circuit for each shim blade are wired in series. If any one of those is open, magnet power to that shim blade is interrupted.

The three magnet power supply modules have their own independent 24-volt DC power supplies. Likewise, the rundown relay panel has its own 24-volt DC power supply. They are independent except that the three units for the magnet power supply modules have a common relay immediately upstream that will open when the WPC is open.

In summary, redundancy of scram relays and independence of scram activation(s) minimizes the risk of common-mode failure of the magnet power supply system and the rundown relay panel. The two relays from Scram Loops A and B, and the three relays from the WPC, are all mechanical relays that fail open, hence minimizing the impact from EMF and radio frequency interference on their function.

Opto-relays, one for each shim blade, are used within the magnet power supply modules. For instance, they are shown as contacts U1-1 and U2-1 in Drawing R3W-253-4 for shim blade 1 and shim blade 2 respectively. The opto-relays were chosen for their sensitivity to low current, i.e., less than 5 milliamps. Upon sensing current dropping to a low value, the optical portion of the relay will then deactivate the solid-state portion to de-energize the coil of relay RR1 for shim blade 1, or RR2 for shim blade 2, etc.
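To make the six interrupt paths and the rundown relay's latch-and-reset behaviour concrete, here is an added Python model (not MIT's design or code) of the circuit for shim blade 1, serving both the description of the rundown relay system and the six-ways discussion in this safety evaluation. Contact names follow Drawing R3W-253-4 as quoted in the text, the ~80 mA holding current and <5 mA opto-relay threshold are the figures given above, and the way the reset pushbutton momentarily completes the path around RR1-1 is an assumption.

```python
"""Magnet power supply path and rundown relay circuit for shim blade 1.
Added example, not MIT's design or code.  Every relay is modelled as
fail-open: True in contacts() means the contact is open and carries no
current."""

NORMAL_MAGNET_MA = 80.0   # ~80 mA DC holding current quoted in the text
LOW_CURRENT_MA = 5.0      # opto-relay U1 sensitivity quoted in the text


class ShimBladeMagnetCircuit:
    def __init__(self):
        self.scram_loop_a_open = False   # GM1A dropped by the Scram Logic Cards
        self.scram_loop_b_open = False   # GM1B dropped by the Scram Logic Cards
        self.wpc_open = False            # B1A, B2A and line-power relay RY4
        self.rr1_open = False            # rundown relay dropped by opto-relay U1
        self.drive_full_in = True
        self.blade_held = True           # magnet engaged with the blade
        self.current_adjust_ma = NORMAL_MAGNET_MA   # "current adjust" regulator

    def contacts(self):
        """The six interrupt paths named in the safety evaluation."""
        return {
            "GM1A-1 (Scram Loop A)": self.scram_loop_a_open,
            "GM1B-1 (Scram Loop B)": self.scram_loop_b_open,
            "B1A-1 (WPC, rundown relay panel)": self.wpc_open,
            "B2A-1 (WPC, rundown relay panel)": self.wpc_open,
            "RR1-1 (low magnet current)": self.rr1_open,
            "RY4-1 (WPC, L21 line power to the 24 V supplies)": self.wpc_open,
        }

    def magnet_current_ma(self, ignore_rr1=False):
        """Current through the series string: zero if any contact is open."""
        opens = dict(self.contacts())
        if ignore_rr1:
            opens["RR1-1 (low magnet current)"] = False
        return 0.0 if any(opens.values()) else self.current_adjust_ma

    def settle(self):
        """Opto-relay U1 drops RR1 once current is below threshold; RR1 then
        holds itself open, the blade falls by gravity and the drive runs in."""
        if self.magnet_current_ma() < LOW_CURRENT_MA:
            self.rr1_open = True
            self.blade_held = False
            self.drive_full_in = False
        return self

    def rundown_complete(self):
        """Drive mechanism has reached its full-in position behind the blade."""
        self.drive_full_in = True
        return self

    def indicator_on(self):
        """Lamp is out at normal current; on when RR1 dropped or WPC open."""
        return self.rr1_open or self.wpc_open

    def outward_drive_permitted(self):
        """The override blocks outward drive motion while the lamp is on."""
        return not self.indicator_on()

    def nuclear_safety_scram(self):
        """Scram Logic Cards open Loops A and B and, through RY5-RY8 and
        B3/B4, also the WPC: all six interrupt paths open."""
        self.scram_loop_a_open = self.scram_loop_b_open = self.wpc_open = True
        return self.settle()

    def process_scram(self):
        """A process-system scram opens only the WPC: four paths open."""
        self.wpc_open = True
        return self.settle()

    def reset_wpc(self):
        self.scram_loop_a_open = self.scram_loop_b_open = self.wpc_open = False
        return self

    def reset_rundown(self):
        """Per-blade reset (or master reset PB7 via MR1/MR2).  Assumed to
        complete the path around RR1-1 momentarily, so RR1 picks up only if
        the WPC is re-energized, the drive is full in and the current that
        would then flow is above the opto-relay threshold."""
        if self.wpc_open or not self.drive_full_in:
            return False
        if self.magnet_current_ma(ignore_rr1=True) < LOW_CURRENT_MA:
            return False
        self.rr1_open = False
        self.blade_held = True   # drive is full in, so the magnet re-engages
        return True


if __name__ == "__main__":
    c = ShimBladeMagnetCircuit().nuclear_safety_scram()
    print("open paths after safety scram:", sum(c.contacts().values()))
    print("reset before WPC reset accepted:", c.reset_rundown())
    c.reset_wpc().rundown_complete()
    print("reset after rundown accepted:", c.reset_rundown(), c.magnet_current_ma())
```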

Each 24-volt DC power supply for the three magnet current power supply modules and the rundown relay panel is protected by its own fuse against surges in line voltage on circuit L21. In line with each shim blade magnet, downstream of the magnet power supply and rundown relay circuits, is a fuse that prevents any power surge from damaging the magnet. Each fuse is rated for no more than 0.25 amp. Therefore, the magnet power supply system and the rundown relay circuits are adequately protected from power surges in their operating environment.

The magnet power supplies and the rundown relay panel will be rack-mounted within the protective metal cabinets of the control room console. The console cabinets will continue to provide the equipment with physical defense comparable to that for the current systems, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff.

The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

The air-conditioning control easily satisfies the operating requirements of all the components, which are of standard industrial qualifications. When the reactor is shut down and the building is secured, the magnet power supply system and the rundown relay circuits are de-energized.

Human interface with the magnet power supply system is via current-adjust knobs, and meters on the console showing the instantaneous magnet current for the corresponding shim blades. The interface with the rundown relay panel is via indicator lights and reset pushbuttons, as described in the previous section. These interfaces are in plain sight, and conveniently near the main part of the console for the operator. Therefore, human factors engineering is adequate and equivalent to the current system.

All cable connections to the magnet power supply system and the rundown relay panel will be labeled, and some will be color-coded. Individual modules and panels will also be labeled, as will key electronic components on circuit boards. These markings improve the human interface for purposes of installation and maintenance.

The functions of the magnet power supply system and the rundown relay panel will be tested periodically as per the Technical Specifications for the nuclear safety system. Therefore, regular surveillances will ensure the integrity of these systems.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System "LED Scram Display, and Safety System Monitoring & Status Display PLC"

Description of the LED Scram Display

The LED Scram Display features two 4x4 arrays of light-emitting diode (LED) indicator lights that allow, via the outputs of the two Scram Logic Cards, the console operator to readily identify which DWK 250 chassis has produced a trip signal from its binary outputs, as shown in Figure 1 below. The upper array shows the signals output by Scram Logic Card 1, and the lower array by Scram Logic Card 2.

[Figure 1 - Front Face Overlay for the LED Scram Display: under the heading SAFETY SYSTEM CONDITION, two 4x4 LED arrays labelled SCRAM LOGIC MODULE #1 and SCRAM LOGIC MODULE #2, each with rows HIGH POWER, SHORT PERIOD, LOW COUNT RATE and TROUBLE against columns CH1 through CH4, and a row of CHANNEL RESET buttons CH1 through CH4 beneath them.]

The LED Scram Display module receives trip condition signals from Scram Logic Card 1 and Card 2 by way of the Signal Distribution Module (SDM). (See schematic diagram R3W-256-2 Rev. 1.4.) When a DWK 250 outputs a trip signal, the signal is indicated on the DWK 250 chassis itself. If this trip is transitory, such as a momentary high power, the indicator light on the DWK 250 will go out as soon as the trip condition clears. However, the trip signal will be retained (or "latched") in the Scram Logic Cards, which send it to the LED Scram Display module.

From each of the Scram Logic Cards, the LED Scram Display has four trip indications representing six trip conditions from each of the DWK 250 channels: High Power (full power or 100 kW set point, depending on the position of the <100 kW key-switch), Short Period, Low Count Rate, Test, and Fault / Equipment Malfunction, with the latter two combined as Trouble.

[Figure 2 - Rendering of LED Scram Display Module]

The High Power light represents one of two possible high reactor power conditions from the DWK 250 chassis - the [full power] High Power trip or the High Power 100 kW Operation trip - depending on which mode of operation is selected on the <100 kW Key-Switch Module (KSM). For instance, if <100 kW Operation is selected and reactor power reaches the <100 kW operation trip set point, then the DWK 250 chassis will output the High Power 100 kW Operation trip signal. The trip signal first arrives at the Scram Logic Cards, which then output the signal to the LED Scram Display module, illuminating the High Power trip light.

If just one of the four DWK 250 chassis outputs two or more trip signals, the two Scram Logic Cards receive the trip signals for logic comparison, but will not produce a scram signal. This will show up on the LED Scram Display as multiple lights lit up all in a single column, and no scram. However, if two or more of the DWK 250s produce trip signals, then the two-out-of-four voting logic designed into the Scram Logic Cards is satisfied, and the Scram Logic Cards will output a scram signal to shut down the reactor. This will show up on the LED Scram Display as multiple lights lit up in the same row, with a scram.

Therefore, the LED Scram Display provides a visual illustration for the console operator of the status of the Scram Logic Cards. It will be located on the control room console where it is easily visible by the console operator.

The LED Scram Display module contains reset buttons, one corresponding to each DWK 250 channel. The console operator needs to manually push the "Reset" button for the corresponding channel in order to clear the alarm for that channel latched in both of the Scram Logic Cards. The Reset buttons reset the Scram Logic Cards, and thus the lights on the LED Scram Display, particularly prior to restart of the reactor.

The LED Scram Display module and the Scram Logic Cards are composed of bi-stable, discrete components only, and therefore are not programmable and do not have a system clock or other timing function. Signal transmission between the LED Scram Display module and the Scram Logic Cards is via the Signal Distribution Module, which is functionally passive as covered in the Signal Distribution Module description. The Safety System Monitoring & Status Display PLC described below will register separately the date and time of alarms appearing on the LED Scram Display panel.
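The column-versus-row behaviour, the latching of trips, and the per-channel Reset described above, as an added Python model that is not MIT's or Mirion's design or code. It assumes that the two-out-of-four vote is taken per trip condition (per display row), as the row/column description implies; the trip sequences it feeds in are constructed.

```python
"""Model of the Scram Logic Cards' two-out-of-four voting, the latching of
DWK 250 trips, the two 4x4 arrays of the LED Scram Display and the
per-channel Reset buttons.  Added example, not MIT's or Mirion's code.
Assumption: the vote is per trip condition, i.e. per display row."""

CHANNELS = (1, 2, 3, 4)
ROWS = ("HIGH POWER", "SHORT PERIOD", "LOW COUNT RATE", "TROUBLE")

# DWK 250 trip outputs that reach the Scram Logic Cards and the display row
# each one lights.  Test and Fault/Equipment Malfunction share the TROUBLE
# row; both High Power trips share the HIGH POWER row.
TRIP_ROW = {
    "High Power Trip": "HIGH POWER",
    "High Power 100 kW Operation Trip": "HIGH POWER",
    "Short Period Trip": "SHORT PERIOD",
    "Low Count Rate Trip": "LOW COUNT RATE",
    "Test Trip": "TROUBLE",
    "Fault / Equipment Malfunction Trip": "TROUBLE",
}


class ScramLogicCard:
    """One of the two identical cards.  A trip stays latched after the DWK 250
    front-panel indication clears, until the channel's Reset button is pushed."""

    def __init__(self, name):
        self.name = name
        self.latched = {ch: set() for ch in CHANNELS}   # lit rows per channel

    def receive(self, channel, trip, lt_100kw_mode):
        """Latch a trip, except the 100 kW High Power Trip while the key
        switch is in Full Power mode (bypassed via KSM pole KS1C)."""
        if trip == "High Power 100 kW Operation Trip" and not lt_100kw_mode:
            return
        self.latched[channel].add(TRIP_ROW[trip])

    def votes(self, row):
        return sum(row in self.latched[ch] for ch in CHANNELS)

    def scram(self):
        """Two-out-of-four: some row is latched on at least two channels."""
        return any(self.votes(row) >= 2 for row in ROWS)

    def reset(self, channel):
        self.latched[channel].clear()


class LedScramDisplay:
    """Upper array mirrors Scram Logic Card 1, lower array Card 2; both cards
    see every trip, so normally the two arrays are identical."""

    def __init__(self):
        self.cards = (ScramLogicCard("Scram Logic Card 1"),
                      ScramLogicCard("Scram Logic Card 2"))

    def dwk_trip(self, channel, trip, lt_100kw_mode=False):
        for card in self.cards:
            card.receive(channel, trip, lt_100kw_mode)

    def array(self, card_index):
        """4 rows x 4 channels of booleans, True where an LED is lit."""
        card = self.cards[card_index]
        return [[row in card.latched[ch] for ch in CHANNELS] for row in ROWS]

    def scram(self):
        return any(card.scram() for card in self.cards)

    def reset_channel(self, channel):
        """Front-panel Reset clears that channel in both cards at once."""
        for card in self.cards:
            card.reset(channel)

    def render(self, card_index):
        lines = ["%-16s CH1 CH2 CH3 CH4" % ""]
        for row, lit in zip(ROWS, self.array(card_index)):
            lines.append("%-16s " % row + "   ".join("*" if x else "." for x in lit))
        return "\n".join(lines)


def demo():
    """Column vs row: one channel with several trips does not scram; the same
    trip on two channels does.  Returns (scram_before, scram_after, scram_reset)."""
    d = LedScramDisplay()
    d.dwk_trip(2, "High Power Trip")
    d.dwk_trip(2, "Short Period Trip")    # a column of CH2 lights, no scram
    before = d.scram()
    d.dwk_trip(4, "Short Period Trip")    # second channel on the SHORT PERIOD row
    after = d.scram()
    print(d.render(0))
    d.reset_channel(2)                    # clears CH2; CH4 alone cannot vote
    return before, after, d.scram()


if __name__ == "__main__":
    print(demo())
```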


Description of the Safety System Monitoring & Status Display PLC

The Safety System Monitoring & Status Display PLC (a.k.a. "the PLC") operates independently of the LED Scram Display module. The main function of the PLC is to register and record the date and time when a trip signal is generated by any of the four DWK 250 chassis. In this way, the PLC provides indication of DWK 250 alarms, redundant with the LED Scram Display. The PLC is also equipped with a physical reset button that affects only the PLC itself.

Each DWK 250 chassis outputs to the Signal Distribution Module (SDM), where its trip signals will be routed to the Scram Logic Cards as well as independently to the PLC.

Each DWK 250 chassis can generate up to eight alarm conditions: High Power Trip, Short Period Trip, High Power 100 kW Operation Trip, Low Count Rate Trip, High Power Warning, Short Period Warning, Test Trip, and Fault / Equipment Malfunction Trip. The High Power Warning and the Short Period Warning do not warrant a reactor scram, and are routed to neither the LED Scram Display panel nor the Scram Logic Cards. However, all eight alarm conditions will reach the PLC by way of the SDM. The PLC will then display and record the names of all of these alarms that come in.

When the Withdraw Permit Circuit opens, the PLC will indicate it, based on a signal from the <100 kW Key-Switch Module (KSM). Additionally, the KSM outputs its key-switch position to the PLC. When the key-switch is set to <100 kW Operation, the High Power 100 kW Operation Trip, if generated, will reach the PLC and be displayed there.

However, when the key-switch is on Full Power Operation, the PLC is programmed to ignore High Power 100 kW Operation Trip signals from the DWK 250 channels, and not display them.

The PLC generates three alarms on the control room's main annunciator panel: High Power Warning, Short Period Warning, and Trouble. An annunciator alarm of Trouble may include conditions of Low Count Rate, Test, or Fault / Equipment Malfunction. On the PLC, the console operator can see which one(s) it is. The PLC does not output any scram alarms to the annunciator panel; those come from the Scram Logic Cards via the KSM.

The PLC has a physical, common reset button to acknowledge and reset any alarms it registers. This reset button does not reset the alarms on the LED Scram Display nor the Scram Logic Cards. Furthermore, it does not by itself clear the alarms on the control room's main annunciator panel; to clear those, one must use the annunciator panel's own acknowledge and reset buttons as well.

The PLC has a built-in optical isolator on each of its signal input connections from the Signal Distribution Module. These ensure that the DWK 250 units are isolated from the PLC. Furthermore, the PLC is isolated by mechanical relays on its three outputs where it connects to the control room's main annunciator panel.

During the initial testing phase, the PLC panel will be installed in the control room but away from the main console. It will be moved near the main console for final installation. The PLC panel uses Secure Digital (SD) memory cards to store data.
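The following is an added functional model of the behaviour described in this section, written for this page; it is not code from the MIT Nuclear Reactor Laboratory, and the real Scram Logic Cards and LED Scram Display are discrete hardware with no software at all. It models the per-channel latching in the cards, the two-out-of-four vote, the per-channel Reset buttons, and the PLC's separate record, its suppression of the 100 kW trip in Full Power mode, its three annunciator outputs and its own reset. One reading of the page is taken as an assumption: that a vote is satisfied when the same trip condition (the same LED row) is latched from two or more channels. The class and function names, and the injectable `clock` used so that timestamps are repeatable, are this example's own.

```python
from collections import defaultdict
from datetime import datetime

CHANNELS = (1, 2, 3, 4)
TRIPS = (
    "High Power Trip", "Short Period Trip", "High Power 100 kW Operation Trip",
    "Low Count Rate Trip", "Test Trip", "Fault / Equipment Malfunction Trip",
)
WARNINGS = ("High Power Warning", "Short Period Warning")
TROUBLE = frozenset(("Low Count Rate Trip", "Test Trip", "Fault / Equipment Malfunction Trip"))
HP100 = "High Power 100 kW Operation Trip"
VOTE = 2  # two-out-of-four


class ScramLogicCard:
    """Latching two-out-of-four voter (a model of the discrete-logic card; cards 1 and 2 are identical)."""

    def __init__(self, key_switch="Full Power"):
        self.key_switch = key_switch            # KSM position: "Full Power" or "<100 kW"
        self.latched = defaultdict(set)         # trip condition -> channels that reported it

    def receive(self, channel, condition):
        """Trips are latched until the channel's Reset button on the LED Scram Display is pushed."""
        if condition in TRIPS:                  # warnings are not routed to the cards
            self.latched[condition].add(channel)

    def scram(self):
        """Scram when one trip condition (one LED row) is latched from two or more channels.
        The 100 kW trip is received but is not grounds for a scram in Full Power mode (assumed per-row vote)."""
        return any(
            len(chs) >= VOTE
            for cond, chs in self.latched.items()
            if not (cond == HP100 and self.key_switch == "Full Power")
        )

    def channel_reset(self, channel):
        """Per-channel Reset: clears that column in the card, and so on the LED Scram Display."""
        for chs in self.latched.values():
            chs.discard(channel)

    def led_matrix(self):
        """LED Scram Display: rows = trip conditions, columns = channels 1..4."""
        return {cond: tuple(ch in self.latched[cond] for ch in CHANNELS) for cond in TRIPS}


class StatusDisplayPLC:
    """Records the date/time of every alarm and drives three annunciator outputs; its reset is its own."""

    def __init__(self, clock=datetime.now, key_switch="Full Power"):
        self.clock = clock                      # injectable for repeatable runs (example's own choice)
        self.key_switch = key_switch
        self.log = []                           # (timestamp, channel, alarm) records, as written to the SD card
        self.active = set()

    def receive(self, channel, alarm):
        if alarm == HP100 and self.key_switch == "Full Power":
            return                              # programmed to ignore the 100 kW trip in Full Power mode
        self.log.append((self.clock(), channel, alarm))
        self.active.add((channel, alarm))

    def annunciator(self):
        """State of the PLC's three outputs to the annunciator panel (the panel latches separately).
        Scram alarms come from the cards via the KSM, never from the PLC."""
        names = {alarm for _, alarm in self.active}
        return {
            "High Power Warning": "High Power Warning" in names,
            "Short Period Warning": "Short Period Warning" in names,
            "Trouble": bool(names & TROUBLE),
        }

    def reset(self):
        """Clears the PLC display only; the LED Scram Display and the cards are untouched."""
        self.active.clear()


def distribute(channel, alarm, cards, plc):
    """The Signal Distribution Module fans each DWK 250 output out to both cards and, separately, to the PLC."""
    plc.receive(channel, alarm)
    for card in cards:
        card.receive(channel, alarm)
```

A run with one channel tripping on two conditions shows lights in one column and no scram; a second channel tripping on the same condition lights the same row on a second column and both cards vote to scram; resetting the PLC leaves the cards latched, and only the channel Reset buttons clear them.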


Page 5 of 6

Safety Evaluation

The LED Scram Display module is composed entirely of discrete components. It is a passive device that is used for visual indication only. Therefore, it is not subject to cybersecurity threats. It does not produce any scram signals, but does have the major secondary function of resetting the Scram Logic Cards. If the module fails, such as by physical damage or other disturbance, the LED indicator lights will not light, and the reset buttons may not function. In this case if the Scram Logic Cards produce a scram, there will be no means to reset the Cards, resulting in a conservative outcome. Furthermore, because the module is a passive device, it will not generate heat or produce interference in the Signal Distribution Module or other neighboring devices.

The PLC is optically isolated at its input from the SDM. It transmits only to the control room's main annunciator panel. Optical isolators built into the PLC's inputs will protect the DWK 250 units from being affected by any potential malware in the PLC's operating software. If this isolation fails, the PLC will be left completely disconnected from the SDM. In that case, none of the trip alarms generated by the DWK 250 units will reach or be registered by the PLC.

Likewise, if the PLC itself fails, none of the trip alarms generated by the DWK 250 units will be registered there. Conditions of High Power Warning, Short Period Warning, or Trouble would not be output to the control room's main annunciator panel. In that case, high power warning capability would come from another existing neutron flux monitoring channel that is not part of the nuclear safety system. Furthermore, the DWK 250 chassis have their own indicator lights for these conditions. The existing nuclear safety system does not have any high power warning or short period warning functions. Therefore, the lack of these warning capabilities in the case of PLC failure or failure of its optical isolators will not degrade operational safety. Most importantly, since the PLC is not responsible for generation of any scram signals, its loss will not affect nuclear safety or reactor operation.

If the PLC fails, or one or more of its input optical isolators fail, a DWK 250 Trouble condition (Low Count Rate, Test, or Fault / Equipment Malfunction) will not reach the PLC, but will still light the relevant indicator(s) on the LED Scram Display. Trouble conditions from two or more DWK 250 units will still result in a scram output from the Scram Logic Cards, shutting down the reactor.

If malware corrupts the PLC, the PLC screen may provide or record inaccurate information, including the date and time, and the PLC may fail to output actual alarms, or may output any of its three annunciator alarms when they are not warranted. However, in all cases the console operator has other means in the control room to verify reactor conditions and the status of the nuclear safety channels. This failure mode of the PLC does not interfere with reactor scram functions and therefore has no impact on nuclear safety.

The PLC has network connection capability. However, there is no plan to place it on a public network, where it would have a higher probability of compromise by malware. The PLC writes its recorded data onto a Secure Digital (SD) card that has sufficient memory for the life of the equipment. If the SD card is removed for download, it will be used with a lab-specific secure computer.


Page 6 of 6

The LED Scram Display module and the PLC module will be bench-assembled in a controlled environment. The new assemblies will then be connected to the rest of the new nuclear safety system while everything is de-energized. After that, the new system will be re-activated for testing. These modules will be constructed with standard industrially-rated components. They will be mounted on the control room console, which will provide them with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. Password protection will be used to secure the PLC logic. The control room is attended whenever the reactor is operating. At all other times, when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 °F). There is a temperature alarm (setpoint no higher than 78 °F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

This air-conditioning control easily satisfies the operating requirements for all the components in the modules.

All cables to, and cable connection points on, the LED Scram Display module and the PLC module will be labeled. These markings improve the human interface for purposes of installation and maintenance. The arrangement of the LED Scram Display module's indicator lights and reset buttons is easy to see and use. The PLC's display screen conforms to modern industrial display standards. Therefore, human factors engineering is adequate.

The LED Scram Display module and the PLC module will be tested for wiring verification, including the proper level of illumination of LED lights and PLC display screen, using a written procedure prior to first use. There will also be periodic operational checks.

Therefore, the pre-operational and routine surveillances are sufficient to assure the completeness and integrity of these modules.



[Drawing: DWK Safety System Global Connection Diagram, R3W-256-2 Rev 1.4, D. Kouttron, 2.10.2016. The extraction preserves only the block labels: Source, DWK Units 1 through 4, 24 V Supply [1] and [2], the Signal Distribution Module with its DB-37/DB-50 connectors, Scram Logic Card 1 and Scram Logic Card 2, the Safety System Monitoring and Status Display PLC (with Acknowledge and Reset), the Drop-Timer Interface Module, the Blade Drop Timer, the <100 kW Key-Switch module, the LED Scram Display Module (with Reset), the Withdraw Permit / Magnet Power Supplies, and the existing console annunciator and chart recorders/meters. The wiring itself is not recoverable from the text.]

[Drawing: RPS Signal Distribution Board, Sig Dist Mod V2, Document No. R3W-258-3, designed by S. Hanvy, checked by D. Kouttron, Size A2, Sheet 1 of 1. Labels recovered: inputs to Logic Card 1 and Logic Card 2, Drop Timer Interface, safety channel reset inputs from the Scram LED Display (Reset CH1 through CH4), Status Display non-safety alarms, DC supply good signals, WPC_1/WPC_2 and MPS_1/MPS_2 outputs, dual +24 Vdc input with auctioneering diodes and 5 A fuse, and current monitoring. The schematic is not recoverable from the text.]

[Drawing: <100 kW Key Switch Module, MIT Reactor (R3W-254-4 per the cover letter). Labels recovered: 2-position key switch (KS1A through KS1D; <100 kW Operation / Full Power Operation), relays RY4 through RY8, Scram Loop A and Loop B (from the Scram Logic Cards), +24 VDC from the safety system, 120 VAC from the WPC, annunciator alarms (<100 kW Operation, Safety System Scram), outputs to the Safety System Status Indicator PLC (<100 kW Operation, WPC status), the primary flow / MP6 / MP6A scram bypasses, and the output to the magnet power supplies. The schematic is not recoverable from the text.]

[Drawing: Protective System Section A3, MIT Reactor, existing Withdraw Permit Circuit (R3W-203-4C Sheet 3 of 4 per the cover letter). Labels recovered include the building isolation, air lock, dump valve, primary flow, period channel, level signal, minor/major scram and reactor bypass key switch contacts in the 120 VAC withdraw permit loop. Note 1: W29 found at PB, far left TB.]

[Drawing: Protective System Section A3, MIT Reactor, proposed Withdraw Permit Circuit (R3W-203-4D Sheet 3 of 4 per the cover letter). Same circuit with the Safety System Scram (Loop B) contact added. Note 1: W29 found at PB, far left TB.]

[Drawing: Magnet Power Supplies and Rundown Relay Panel, MIT Reactor (R3W-253-4 per the cover letter). Labels recovered: magnet power supplies GM1A/GM1B, GM2A/GM2B and GM3A/GM3B for shim blades 1 and 2, 3 and 4, 5 and 6, each fed with 24 VDC from Scram Loop A and Scram Loop B; rundown relays RR1 through RR6 and master resets MR1/MR2 with reset push-buttons PB1 through PB6; blade 1 through 6 motor controls (OUT/IN); 120 VAC from the WPC. Note 1: capacitor-coupled input to circuits for detecting a dropped blade condition. Note 2: ref. DWG. R3W-204-4A.]


Material to Docket for Upgrade of NSS, Page 2 of 2

None of the drawing or text in this submittal contains any proprietary information. All of it has had previous thorough discussion with the appropriate branch of NRC. This submittal establishes official documentation of the additional material.

Sincerely,

Edward S. Lau, NE
Assistant Director of Reactor Operations
MIT Research Reactor

I declare under penalty of perjury that the foregoing is true and correct.

Executed on [date illegible in the scan]    [signature]
Date    Signature
EL/st

Enclosures:

As stated.

cc: USNRC - Senior Project Manager, Research and Test Reactors Licensing Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation
USNRC - Senior Reactor Inspector, Research and Test Reactors Oversight Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation

Page 1 of 6
Q/A File #E-2012-1
Digital Upgrade for Nuclear Safety System
"Overview of New Nuclear Safety System with Integrated Supporting Modules"

Description of Integrated Supporting Modules for New Nuclear Safety System

The proposed digital nuclear safety system consists of four independent neutron flux monitoring channels, which detect reactor neutronic power and reactor period, and compare those parameters against their pre-set values. If the pre-set values are reached, the flux monitors will output a trip signal. The following describes how these trip signals bring about a reactor shutdown, while they are also processed via independent modules for display and recording. These various modules are individually described and safety-evaluated in separate safety review documents*. Here the focus is on how the integrated system functions when all of these modules are connected together. See the block diagram in Figure One.

This describes the propagation of trip signals that are generated by the DWK 250 neutron flux monitors and travel throughout the various downstream modules until the signals attain their goal of scramming the reactor. It is important to note that in all cases, the propagation manifests by de-energizing signal paths, not by energizing them.

When the reactor is operating at power within its prescribed envelope, no trip signals are generated**. The relays that generate trip signals on the DWK 250 monitors are closed, and the signal paths downstream all are energized (to 24 volts DC). These signal paths go through the Signal Distribution Module (SDM), the Scram Logic Cards, the <100 kW Key-Switch Module (KSM), the Withdraw Permit Circuit (WPC), the Magnet Power Supply System, and the Rundown Relay System. The signal paths through these various modules remain energized, and there is no scram.

If the reactor is operating outside its prescribed envelope, a trip signal is generated. Relays on the DWK 250 monitors are opened, de-energizing (to zero volts DC) a series of signal paths downstream. With these signal paths de-energizing, the ultimate effect is that electrical power stops going to the electro-magnets that support the neutron-absorbing shim blades, dropping the blades into the core by gravity and achieving shutdown of the reactor.

* "Signal Distribution Module", "<100 kW Key-Switch Module", "Withdraw Permit Circuit Modification", "Magnet Power Supplies and Rundown Relays", "LED Scram Display, and Safety System Monitoring & Status Display PLC"

** Whenever the reactor is operating above 100 kW in Full Power Operation mode, each DWK 250 will generate the "100 kW High Power" trip signal. This signal is received by the Scram Logic Cards, where it performs a logic comparison that results, in this case, in no output of a scram signal. This is described in further detail later on.


Page 2 of 6

Each DWK 250 neutron flux monitor outputs trip signals in binary form, via eight binary output relays. Two of them are used for high power warning and short period warning. The other six are for trip functions: high power level, short period, high power 100 kW operation, low count rate, test status, and fault / equipment malfunction. These eight output relays have a 24-volt DC source applied across them, from an independent external source, rather than from the DWK 250 chassis. The relay outputs are electrically isolated from the internal circuitry of the DWK 250. The external source is a pair of 24-volt DC power supplies, which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. The 24-volt DC power energizes the relays via the SDM. (See the Global Connection schematic diagram R3W-256-2 Rev. 1.4.)

The DWK 250 outputs a trip function signal by opening one or more of its binary output relays. This de-energizes the signal path on the SDM that connects to Scram Logic Card 1 and Card 2. Each DWK 250 has six trip signal paths through the SDM to the Scram Logic Cards, one for each of the six trip conditions listed in the previous paragraph.

Together there are 24 such signal paths going through the SDM from the four DWK 250 chassis, passing the trip signals on to Scram Logic Cards 1 and 2.

Scram Logic Cards 1 and 2 perform identical logic comparison functions, and are connected to the SDM in parallel, with optical isolation at their inputs. Each Card uses discrete logic components, and is therefore non-programmable. Each features a two-out-of-four voting logic in hardware to prevent false trips from a single DWK 250 failure; this also eliminates the need for a safety system channel bypass switch. For instance, if one DWK 250 outputs one or more trip signals, then the Scram Logic Card will receive the signal(s) for logic comparison, and will make a decision not to output a scram signal. If two or more DWK 250s output trip signals, the two-out-of-four voting logic is now satisfied, and the Scram Logic Card will make the decision to output a scram signal. The Scram Logic Cards themselves have optically isolated outputs. They de-energize relays in the Withdraw Permit Circuit (WPC) and the Magnet Power Supply modules. Scram Logic Cards 1 and 2 work in parallel for redundancy.

The scram signal travels downstream from the Scram Logic Cards and reaches the <100 kW Key-Switch Module (KSM). The KSM chassis is mounted within the same Nuclear Instrument Module (NIM) bin as the Magnet Power Supply modules (NIM Bin 2 in Figure One). When a scram signal reaches this NIM bin, it is distributed to both the KSM and the Magnet Power Supply modules. This scram signal opens six relays in the Magnet Power Supply modules and five in the KSM. Opening of any of the six relays in the Magnet Power Supply modules will interrupt electrical power to the shim blade magnets directly, as will one of the relays in the KSM. Opening any of the four other relays in the KSM will open existing circuits Scram Loop A and Scram Loop B in the WPC, which in turn also results in interruption of shim blade electromagnet current, shutting down the reactor. These four relays also activate the "Safety System Scram" alarm on the main control room annunciator panel. Opening of the WPC activates the "Withdraw Permit Circuit" annunciator alarm there as well.


Page 3 of 6

Whenever electric current to a shim blade electromagnet is interrupted, the Rundown Relay System moves the corresponding shim blade drive to its "full in" position at its normal speed. This takes place automatically to ensure that the released blade reaches its bottom position and stays there following a scram, completing the protective action once it is initiated.

When the KSM's key switch is turned to <100 kW Operation, signals indicating the key switch position are sent to the Scram Logic Cards, to the Safety System Monitoring & Status Display Programmable Logic Controller (PLC), and to the control room's main annunciator panel. This key switch position also automatically bypasses all three of the low flow primary coolant scrams. If reactor power reaches 100 kW, the DWK 250 will output the 100 kW high power trip signal, which will be logically interpreted by Scram Logic Cards 1 and 2. When the KSM's key switch is turned to Full Power Operation, the PLC's <100 kW Operation message will clear, and the low flow scrams are no longer bypassed. If reactor power reaches the nominal full power (6 MW), the DWK 250 will continue to output the 100 kW high power trip signal, while the Scram Logic Cards will receive the signal but will not interpret it as grounds for outputting a scram signal.

The two Scram Logic Cards and the LED Scram Display module are mounted within the same NIM bin (NIM Bin 1 in Figure One). Whenever a trip signal reaches the Scram Logic Cards from the DWK 250 chassis via the SDM, the Cards capture it and send it along to the LED Scram Display (again via the SDM), regardless of the logic decision. The LED Scram Display indicates the trip signal even if it came from a transitory condition, such that it cleared immediately at the DWK 250. This latching can be reset only by manually pushing a Channel Reset button on the LED Scram Display, one for each of the four DWK 250s. The Channel Reset button also resets the Scram Logic Cards (as they do not have their own reset buttons), and thus the lights on the LED Scram Display. This reset function is a necessary prerequisite for a reactor startup.

All of the above trip signal handling and scram signal handling functions take place via bi-stable, discrete components. There is no system clock or other timing function. In order to register the date and time of a trip event, a digital Safety System Monitoring & Status Display PLC panel is employed for real-time event logging. Each DWK 250 chassis outputs trip signals to the SDM, where the trip signals are routed separately to the PLC, as well as to the Scram Logic Cards. The two warning signals from the DWK 250 also go directly to the PLC, via the SDM. The PLC will then display and record the names of all of these alarm indications that come in, and will pass two types (warnings and fault alarms) to the control room's main annunciator panel. The PLC has a physical, common reset button to acknowledge and reset any alarms it registers. This reset button does not affect the LED Scram Display nor the Scram Logic Cards. The PLC has a built-in optical isolator on each of its signal input connections from the SDM, ensuring the signal flow is unidirectional into the PLC.

The six trip signals from each DWK 250 are passed via the SDM to a Drop Timer Interface module, which is equipped with optical isolators at the signal inputs, and in turn passes the signals to activate a Blade Drop Timer. The Drop Timer measures the time from initiation of a trip signal to 80% insertion of a shim blade, per Technical Specification requirements. The Drop Timer Interface module is a new piece of equipment that conditions the trip signals so that they are electrically compatible with the existing Blade Drop Timer.

All the modules described above, including the DWK 250 channels, are new equipment for the proposed nuclear safety system, with the exception of the WPC (which is modified in a few places) and the Blade Drop Timer. The control room's main annunciator panel is also existing equipment. All shaded blocks depicted in Figure One are existing equipment.

Figure One: Block Diagram of Nuclear Safety System with Integrated Support Modules

[Figure One is not reproduced in this text. Blocks labeled in the diagram: NIM Bin 1 (Scram Logic Cards and LED Scram Display); DWK 250 Ch. 1 through Ch. 4 Nuclear Safety Channels, each with its detector; Signal Distribution Module (SDM); <100 kW Key-Switch Module (KSM); Magnet Power Supply Modules; Shim Blade Magnets (x6); Rundown Relay Panel; Shim Blade Drive Circuits (x6); Withdraw Permit Circuit (WPC); RS232 Breakout Box; Console Meters/Recorders; PLC; Console Annunciator Panel; Drop Timer Interface Module; Blade Drop Timer. Legend: direct signal propagation to effect a scram, optical isolation, and existing equipment (shaded).]


Safety Evaluation

The integrated system is highly redundant and will ensure that trip signals are propagated throughout the system to achieve their goal of scramming the reactor, meeting their intended safety functions as defined by Chapter 7 of the Safety Analysis Report. If any of the components along the scram signal path should fail, the result will be an interruption of the signal path, thereby resulting in shutdown of the reactor. Components that are not along the scram signal path will not interrupt the signal paths if they fail; furthermore, their failure will not interfere with trip propagation or scram processing. These latter components include the Safety System Monitoring & Status Display Programmable Logic Controller (PLC), the LED Scram Display, the Drop Timer Interface module, and the Blade Drop Timer.

Redundancy of scram relays and independence of activation(s) apply throughout the Nuclear Safety System, hence minimizing the risk of common-mode failure. All scram relays are mechanical relays that fail open, thereby minimizing the impact from EMF and radio frequency interference on their function.

Except for the PLC, all the modules downstream of the DWK 250 chassis use low voltages and are built with discrete components that do not use microprocessors. The components are constructed only with non-programmable solid-state and discrete passive devices. As a result, signal propagation and handling are not subject to software processing delays. Additionally, there is no cybersecurity risk to this part of the system.

All the discrete components are standard industrially-rated devices. The low voltage nature of the system will maximize their operational life span, minimize EMF production, and reduce electrical hazards to Instrumentation personnel.

The Signal Distribution Module (SDM) reduces the use of excessive wiring and cable connections for signal transmission. Where possible, optical isolators are used at interfaces between modules to ensure signal flow is unidirectional.

The Scram Logic Cards use 2-out-of-4 voting logic in order to avoid unnecessary scrams from neutron flux monitoring channel faults. This increases stability and reliability of the nuclear safety system. If one of the two Scram Logic Cards fails such that it interrupts continuity from the 24-volt DC power supply, a scram signal is the result. The Scram Logic Cards were designed to provide an active output (24 volts) at each stage of the signal processing when a scram condition does not exist. A scram signal from either Scram Logic Card is sufficient to result in a reactor scram. Whenever a scram signal is produced, it will indicate and be logged on the PLC, including in which Card(s) it originated.

All the modules in the Nuclear Safety System, including the DWK 250 chassis, will be rack-mounted within the protective metal cabinets of the control room console. The console cabinets will continue to provide the equipment with physical defense comparable to that for the current systems, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. Where necessary, certain interactions can be performed only by or under the supervision of reactor Instrumentation staff members.


The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

All the modules in the Nuclear Safety System, including the DWK 250 chassis, provide many indications of their operational status, trip signals, and scram signals. The console operator has a ready view of all of these, for instance, on both the LED Scram Display and the PLC. Therefore, human interface is improved. Additionally, the system is designed and constructed to require as little disconnection of cables, modules, and components for routine operation as possible. This is a major improvement over the existing Nuclear Safety System.

The new Nuclear Safety System will receive pre-operational and operational testing under a Test Plan. Individual modules will be bench-tested. Global system testing will be performed both on the bench and after installation in the control room.

Once it is operational, the functions of the Nuclear Safety System will be tested periodically as per the Technical Specifications. Therefore, regular surveillances will ensure its continued integrity.

The Nuclear Safety System provides one of the functions of the Reactor Protection System. Even if the Nuclear Safety System fails, there are other independent and redundant reactor protective functions that will continue to provide an automatic scram of the reactor based on high temperature, low primary coolant flow rate, low core tank level, etc., as described in the existing MITR Safety Analysis Report. Therefore, the Reactor Protection System is highly robust and diverse.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System
"Signal Distribution Module"

Description of the Signal Distribution Module

The Signal Distribution Module (SDM) is a passive interface circuit between the DWK 250 digital neutron flux monitors and all components downstream. As can be seen in schematic diagram R3W-256-2 Rev. 1.4, and circuit board diagram R3W-258-3 Rev. 2, the SDM has a total of thirteen connections. In terms of signal flow, four of those connections are strictly input (signal coming from each of the four DWK 250 units), seven are input/output bidirectional, and two are strictly output. The following is a list of the connectors as they are labeled:

1. X10: Receives signal from DWK 250 channel #1.
2. X11: Receives signal from DWK 250 channel #2.
3. X12: Receives signal from DWK 250 channel #3.
4. X13: Receives signal from DWK 250 channel #4.
5. X14: Receives power from two 24-volt DC power supplies which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. The X14 connector then passes 24-volt DC power as output to three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the <100 kW Key-Switch Module. The X14 connector also passes the 24-volt DC power via connectors X10 through X13 to energize the output (scram/alarm) relays of the four DWK 250 channels. (The DWK 250 output relays are electrically isolated from the internal circuitry of the DWK 250, and rely on an external power source for their operation.)
6. X15: Passes signals from the four DWK 250 channels to Scram Logic Card 1. The X15 connector receives signals back from Scram Logic Card 1 and routes them to other non-safety-related monitoring and display devices.
7. X16: Passes signals from the four DWK 250 channels to Scram Logic Card 2. The X16 connector receives signals back from Scram Logic Card 2 and routes them to other non-safety-related monitoring and display devices.

8. X17: Passes signals to and from the <100 kW Key-Switch Module.
9. X18: Passes signals to and from an LED Scram Display module, which captures scram signals from any of the four DWK 250 channels via the Scram Logic Cards, and keeps them latched in until the Scram Display module is used to reset the two Scram Logic Cards. (Once the scram condition no longer exists, the DWK 250 will not show what the scram was.)

10. X19: Passes analog signals from the four DWK 250 channels to existing console chart recorders and meters.
11. X20: Passes signals from the rear input/output terminal blocks of the four DWK 250 channels to and from a breakout module containing four 9-pin RS-232 ports (one per channel), plus a 15-pin RS-232 port that can interact with all four smaller ones. The breakout module will be secured from unauthorized access.
12. X21: Passes signals from all inputs of the SDM to a non-safety-related programmable logic controller (PLC) for monitoring and status display.
13. X41: Passes signals to and from all four DWK 250 channels to a Drop Timer Interface Module, which in turn passes signals to activate a Blade Drop Timer. This setup will measure the scram time from initiation of a scram signal to 80% insertion of a shim blade. The Drop Timer Interface Module conditions an input signal for compatibility with the previously-existing Blade Drop Timer, and includes optical isolation of the SDM from the Blade Drop Timer. The Drop Timer Interface Module and the Blade Drop Timer are both mounted in a "NIM bin" rack which provides them an independent power source.

Safety Evaluation

The Signal Distribution Module (SDM) is a new passive circuit board which facilitates passing of signals between various components of the new nuclear safety system.

If the board fails, such as by physical damage or other disruption to a scram signal path between a DWK 250 and the Scram Logic Cards, there will be a loss of the signal, thereby causing the Scram Logic Cards to produce a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

Because the SDM is a passive circuit board, it does not include any optical isolators. However, there are optical isolators built into Scram Logic Card 1, Scram Logic Card 2, the Drop Timer Interface Module, and the PLC panel.

The connection to the two 24-volt DC power supplies only passes power to the two Scram Logic Cards and the <100 kW Key-Switch Module. The SDM board does not use the power for its own functions. The two power supplies are fed from a common 120-volt AC source, and have an internal fuse which will protect against surges that exceed 250 volts AC on that line. They also have an output overload that will trip at no more than 35 volts DC. In the unlikely event of an excessive line voltage surge, both power supplies will likely trip to protect themselves, interrupting power to the two Scram Logic Cards, scramming the reactor. If the surge affects the SDM board directly, it will create physical damage as described above, again resulting in a reactor scram.


Signals input to the SDM board from the two Scram Logic Cards are passed along to other display and status monitoring devices. If the board should be damaged in these areas, there is no effect on nuclear safety. The console operator may observe a partial loss of indications of reactor power and reactor period, but will not receive false information. There are redundant displays of reactor power and period, such as on the face of each DWK 250 chassis, that will remain operable. There are also four existing independent non-safety-related neutron flux channels or N-16 gamma channels displaying reactor power. Likewise, loss of signal output from the SDM to existing console chart recorders and meters has no effect on nuclear safety. There is redundant recording of reactor power history from the non-safety-related neutron flux channels.

Signals to and from the RS-232 breakout box will be lost should the SDM board be damaged. However, this again has no nuclear safety consequence. The breakout box allows access to each of the four DWK 250 channels to set adjustable parameters by computer. Such adjustments are done only by authorized individuals, and only when the channel is off line or the reactor is shut down. The box has a cover and is secured when not in use. The computer used for this purpose is a standalone unit and is not connected to the internet. The interface software is provided by the manufacturer of the DWK 250s. Therefore cybersecurity is maintained.

The SDM will be bench-assembled on one circuit board in a controlled environment. The new board will then be connected to the rest of the new nuclear safety system while everything is de-energized. The module will be constructed with standard industrially-rated components. The two 24-volt DC power supplies meet medical qualifications. The SDM contains no digital components, and is therefore not subject to cybersecurity threats.

The SDM will be mounted within the protective metal cabinets of the control room console. The console cabinets will provide the module with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended. This air-conditioning control easily satisfies the operating requirements for all the components in the SDM board.

All cables to the SDM and cable connection points on the SDM will be labeled, as will the circuit board. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interface with the SDM board. It will be handled only by or under the supervision of licensed reactor staff. Therefore, human factors engineering remains adequate.


The SDM contains a continuity wiring feature that recognizes when each DWK 250 is connected to its correct connector on the SDM. Specifically, DWK 250 Unit 1 is supposed to connect to X10 via cable K-10, DWK 250 Unit 2 to X11 via cable K-11, DWK 250 Unit 3 to X12 via cable K-12, and DWK 250 Unit 4 to X13 via cable K-13. If a cable is unplugged, or plugged into the wrong connector, the continuity circuit will report the misconfiguration via a fault message on the PLC that handles safety system monitoring and status display. The same error message will be generated by the PLC if this continuity circuit fails open.

A dummy cable plug will take the place of a DWK 250 chassis in cases where one chassis is physically removed for repair/maintenance. The absent chassis will appear as a trip signal on the Scram Logic Cards. If any one of the remaining three chassis should output a trip signal, then the Scram Logic Cards will produce a scram signal. The purpose of the dummy plug is merely to allow the continuity circuit to continue to verify that the three remaining chassis are connected to their correct connectors.

The new SDM board will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system. Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System
"<100 kW Key-Switch Module"

Description of the <100 kW Key-Switch Module

The <100 kW Key-Switch Module (KSM) provides positive indication to the console operator if the reactor is set up for the <100 kW mode of operation vs. the Full Power mode of operation. The KSM chassis is labeled "Reactor Operating Mode", as shown in Figure 1 and Figure 2.

[Figure 1 and Figure 2 are not reproduced in this text. They show the KSM front panel, labeled "Reactor Operating Mode", with the key switch positions "Full Power" and "<100 kW" and the indicator lights "<100 kW Operation", "Full Power Operation", "Loop A Scram", "Loop B Scram", and "24V D.C. Power".]

There are only two positions for the key switch: Full Power mode, and the <100 kW mode. The switch is mechanically spring-loaded for positive detent, so it will move to rest in one of these two positions, making it extremely difficult to leave the key in a neutral position.

When the key switch is turned to <100 kW Operation, a local <100 kW Operation indicator LED light will illuminate. (See key switch pole KS1C on Reactor Drawing R3W-254-4.) Likewise, also from pole KS1C, a signal will be sent to the Status Display programmable logic controller (PLC), and from pole KS1B, an alarm will illuminate on the control room's main annunciator panel. Furthermore, when the key switch is selected to <100 kW, the KSM transmits signals via pole KS1D to bypass any scram that comes from Low Flow Primary, Low Pressure MP-6, or Low Pressure MP-6A (each of which activates its own indicator on the control room's main annunciator panel). The 100 kW High Power Trips from the DWK 250s will, if on, be interpreted as channel trip signals by Scram Logic Card 1 and Scram Logic Card 2. (Note: As shown in Drawing R3W-254-4, pole KS1A exists but is not used.)

When the key switch is turned to Full Power Operation, the <100 kW local indicator, the <100 kW annunciator alarm light, and the PLC message will all clear, and the three primary flow scram bypasses are automatically removed. A local Full Power Operation indicator LED light will illuminate via key switch pole KS1C. Furthermore, when the key switch is selected to Full Power, the KSM sends a signal via pole KS1C to Scram Logic Card 1 and Scram Logic Card 2 which causes the DWK 250 100 kW High Power Trips to be bypassed.

The front of the KSM chassis has two LED lights that indicate "Loop A Scram" and "Loop B Scram", as seen in Figure 1 and Figure 2. These lights come on only when there is a scram condition in the Withdraw Permit Circuit's (WPC's) Scram Loop A or B, respectively.

Reactor Drawing R3W-254-4 illustrates all the above functions of the KSM. The module receives power from two 24-volt DC power supplies which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. When the KSM chassis is powered, the "24V D.C. Power" indicator LED light will be lit.

The KSM chassis is mounted within the same Nuclear Instrument Module (NIM) bin as the Magnet Power Supply modules. When Scram Logic Card 1 or Card 2 outputs a scram signal, the signal reaches this NIM bin via connector X40, which distributes it to both the KSM and the Magnet Power Supply modules. This scram signal opens all relays downstream of the Scram Logic Cards as indicated on Drawing R3W-254-4. This set of ten 24-volt relays includes GM1A, GM2A, GM3A, GM1B, GM2B, and GM3B in the Magnet Power Supply modules, and RY5, RY6, RY7, and RY8 in the KSM. In fact, any one of the RY5 - RY8 relays opening will open 120-volt relay B3 or B4 in the WPC's Scram Loop A or Scram Loop B (physically located in the WPC), thereby resulting in a scram. Additionally, opening of an RY5 - RY8 relay contact illuminates the "Loop A Scram" or "Loop B Scram" indicator LED light on the KSM chassis, and activates the Safety System Scram annunciator alarm. Opening of the RY4 relay (coil physically located in the KSM), or the GM1 - GM3 relays listed above, will directly interrupt electrical power to shim blade magnets as covered in the Magnet Power Supply System description.

Built into the back of the KSM chassis is one multi-pin connector, which combines the connecting functions of X28, X40, and X43, as they are labeled on schematic diagram R3W-256-2 Rev. 1.4. These connecting functions are as follows:

1. X28: Transmits signals to the Status Display PLC, and to Scram Logic Card 1 and Scram Logic Card 2 via the Signal Distribution Module.
2. X40: Receives 24-volt DC power. Receives signals from Scram Logic Card 1 and Scram Logic Card 2.
3. X43: Transmits signals to the Withdraw Permit Circuit, the Magnet Power Supplies, and the control room's main annunciator panel.


Safety Evaluation

The <100 kW Key-Switch Module (KSM) is constructed entirely of discrete components, uses no digital devices, is not programmable, and is therefore not subject to cybersecurity threats. The KSM is not responsible for originating any scram signals. It uses 24-volt DC power. If power is lost, the 24-volt LED power indicator light and any other LED indicator light on the front of the chassis will all go out. However, when the key switch is in the <100 kW mode, the main annunciator panel will continue to have its "<100 kW Operation" alarm light on, as that alarm is powered from the annunciator panel itself. If the chassis were damaged, the effect would be the same as a loss of power.

Some of the relays associated with the Withdraw Permit Circuit (WPC) have their coils and/or contacts physically located within the KSM. These include relays RY4, RY5, RY6, RY7, and RY8. If this part of the KSM fails, such as by loss of power, physical damage, or other disruption to a circuit path, there will either be a loss of signal in the WPC, thereby causing a scram, or a power cutoff to Scram Loop A or Scram Loop B, equally causing a scram. Likewise, if the 120-volt AC power supply path to the magnet power supplies within the KSM is physically interrupted, the loss of magnet power will cause the shim blades to drop into the core, thereby causing a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

The key switch is mechanically spring-loaded for positive detent, so it will move to rest in one of its two positions, making it extremely difficult to leave the key in a neutral position. However, if the key switch should fail and not be in full contact with either of its two designated positions, neither mode indicator LED light will be illuminated, no respective main annunciator or PLC alarms will be lit, and none of the bypasses associated with either position will be in effect. Accordingly, if the primary pumps are not on, all the associated low flow scrams will be in effect (WPC open) and will prevent a reactor startup or continued operation. If the primary pumps are on, and reactor power exceeds 100 kW, the 100 kW High Power Trips on the DWK 250s will take effect and scram the reactor.

Another failure mode of the KSM is if it no longer transmits a signal because of physical damage or other disruption as discussed above. This would have the same effects as lack of full contact within the key switch, as described in the previous paragraph. All such abnormal effects are either not safety-related, or produce outcomes more conservative than the normal configurations.

The KSM shares use of the 24-volt DC power supplies with the Scram Logic Cards. If the 24-volt power fails, the Scram Logic Cards will produce a scram.

The KSM will be bench-assembled in a controlled environment. The new assembly will then be connected to the rest of the new nuclear safety system while everything is de-energized. The module will be constructed with standard industrially-rated components. The two 24-volt DC power supplies meet medical qualifications.


The KSM will be mounted in the same Nuclear Instrument Module (NIM) bin as the Magnet Power Supply modules. They are all within the protective metal cabinets of the control room console, which will provide the modules with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended. This air-conditioning control easily satisfies the operating requirements for all the components in the KSM.

All cables to, and cable connection points on, the KSM will be labeled, as will the NIM bin. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interaction with the KSM chassis other than the key switch itself. The key switch is a standard industrial component. The LED indicator lights adjacent to it confirm when it is latched in either of its two designated positions. Therefore, human factors engineering remains adequate.

The new KSM assembly will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system. Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System
"Withdraw Permit Circuit Modification"

Description of Withdraw Permit Circuit and Modification

The Withdraw Permit Circuit (WPC) is a startup interlock that consists of a string of relays and contacts in series. Each corresponds to either a startup requirement or to a reactor scram condition. If any of the relays and contacts in this series lineup is open, the circuit interrupts electrical current to the electromagnets that hold the six shim blades, thereby decoupling the shim blades from their drives and effecting a scram. See MIT Reactor Drawing R3W-203-4 (Sheet 3 of 4; Revision C for the existing WPC, and Revision D for the proposed modification).

The WPC will be modified in this upgrade to the digital nuclear safety system in the following areas:

1. Removal of the relays and contacts that produce a two-out-of-three logic for the Period Channel Level Signal Off-Scale scram. These are no longer needed for the new nuclear safety system. (An earlier approach was to bypass all of these relays and contacts, but leave them physically in the circuit. Later we decided to remove them for simplification and maintainability of the circuit.) Twelve contacts will be removed as a result.
2. Addition of three relays that bypass the primary flow scrams when in the <100 kW operating mode, which uses no forced flow, as allowed by Technical Specifications. These relays are designated RY1 (for the Core Inlet Pressure MP-6A scram), RY2 (for the Low Flow Primary Coolant scram), and RY3 (for the Core Inlet Pressure MP-6 scram). These relays will perform bypass functions that are currently implemented manually using individual upstream key-switches. For the upgrade, the relays will be permanently installed into the WPC.

3. Addition of three relays that operate through the rundown relay panel. The first of these relays, designated B2A, interrupts magnet current to shim blades 1 and 2. The second, designated B2B, interrupts magnet current to shim blades 3 and 4. The third, designated B2C, interrupts magnet current to shim blades 5 and 6. Each of these is a redundant addition in series with existing relays B1A, B1B, and B1C respectively.
4. Addition of one contact that opens the WPC redundantly in the case of a scram trip from the nuclear safety system. This new contact, designated B4-1 or "Safety System Scram (Loop B)", will serve a redundant function with existing contact B3-1 "Safety System Scram (Loop A)". A scram signal from Scram Logic Card 1 will open relays B3 and B4 in Loop A and Loop B respectively. Likewise, a scram signal from Scram Logic Card 2 will also open relays B3 and B4 in Loop A and Loop B respectively. In the existing system, the Safety System Scram opens only one contact (B3-1).

QA#-E-2012-1 12MAY2016

Safety Evaluation

The removal of old relays and contacts, instead of bypassing them, helps prevent cluttering the Withdraw Permit Circuit (WPC) with unused components. The removal process will be done with the circuit completely de-energized, and will not exert undue physical stress on the other existing components in the circuit.

The addition of new relays and contacts will be done by building them into several separate circuit modules in a controlled environment. These new modules will then be connected to the rest of the new nuclear safety system while the reactor is shut down and the appropriate circuits are de-energized. All existing and new relays in the WPC are standard industrially-rated mechanical relays, hence minimizing the impact from EMF and radio frequency interference on their function. All are configured to open when de-energized or upon failure. The WPC remains non-programmable and non-digital, consisting only of discrete bi-stable components, and is therefore not subject to cybersecurity threats.

New relays RY1, RY2, and RY3 (mentioned in Item 2 above) bypass three different scrams that all represent the low primary coolant flow condition when operating the reactor in the <100 kW mode. When the <100 kW mode is selected on the <100 kW Key-Switch Module, these three relays will be energized to close and bypass the scrams. A failure of any of these three new relays during a low flow condition will result in a reactor scram. When the Full Power mode is selected on the <100 kW Key-Switch Module, these three relays will remain de-energized and open, and will have no effect on the WPC.

New relays B2A, B2B, and B2C interrupt electrical current to the electromagnets of their respective pairs of shim blades. Their functions are redundant to existing relays. Like those existing relays, if they fail during operation, they will cause their pairs of shim blades to drop into the core, shutting down the reactor.

The WPC will remain mounted in its original location within the protective metal cabinets of the control room console. The console cabinets will continue to provide the circuit with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan.

Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

The air-conditioning control easily satisfies the operating requirements of all the components, which are of standard industrial qualifications. When the reactor is shut down and the building is secured, the WPC is de-energized.

All cable connections to the WPC will be labeled, as will the new circuit modules.

These markings improve the human interface for purposes of installation and maintenance.


Page 3 of3 Human interface with the WPC is via key-switches in plain sight on the front of the console. The existing array of key-switches for individual scram bypasses will now be supplemented by one that switches between <100 kW and Full Power modes of operation.

When this <100 kW key-switch is turned to the <100 kW mode of operation, which automatically bypasses the three primary flow scrams, it provides one indicator light on the <100 kW Key-Switch panel, and an alarm on the main annunciator panel denoting "<100 kW Ops Mode On". Additionally, the main annunciator panel will have the "Withdraw Permit Bypass On" alarm illuminated. These indications reinforce the console operator's awareness of operating the reactor in <100 kW mode. Furthermore, there will be indicator lights turning on at each of the three primary flow scram bypass key-switches, providing visual confirmation to the console operator of the flow scram bypasses. Therefore, human factors engineering remains adequate and more than equivalent to the current system.

The new WPC will be tested with a written procedure prior to first use, and periodically as per the Technical Specifications for the nuclear safety system and process system scrams. Therefore, regular surveillances will ensure the integrity of the circuit, and the WPC will continue to perform its safety function as defined by the SAR.
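The relay interlocks described in Items 2 and 4 above, as an added example that is not part of the MIT submittal: relay and contact names RY1 to RY3, B3-1 and B4-1 are from the document, while the parallel-contact wiring of each bypass, the data model and the sample scenarios are assumptions made here for illustration.

```python
"""Relay-logic model of the modified Withdraw Permit Circuit (WPC).

Added example, not part of the MIT submittal. The wiring assumption is that each
<100 kW bypass relay contact sits in parallel with the flow scram contact it
bypasses, and that B3-1 and B4-1 are in series with everything else.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    FULL_POWER = "Full Power"
    LOW_POWER = "<100 kW"


# Primary-flow scrams and the relay that bypasses each one in <100 kW mode.
FLOW_SCRAMS = {
    "RY1": "Core Inlet Pressure MP-6A",
    "RY2": "Low Flow Primary Coolant",
    "RY3": "Core Inlet Pressure MP-6",
}


@dataclass
class WpcInputs:
    mode: Mode
    # Scram conditions currently present, by name (constructed sample values).
    process_scrams: set = field(default_factory=set)
    # Bypass relays that have failed; a failed relay is open, its fail-safe state.
    failed_bypass_relays: set = field(default_factory=set)
    # Scram signal asserted by Scram Logic Card 1 / Card 2.
    scram_card_1: bool = False
    scram_card_2: bool = False
    # Hypothetical fault injection: a contact welded closed.
    stuck_closed_contacts: set = field(default_factory=set)


def bypass_relay_closed(relay: str, inp: WpcInputs) -> bool:
    """RY1-RY3 are energized (closed) only in <100 kW mode; in Full Power mode
    they stay de-energized and open, so the flow scram contact acts normally."""
    return inp.mode is Mode.LOW_POWER and relay not in inp.failed_bypass_relays


def flow_scram_branch_closed(relay: str, inp: WpcInputs) -> bool:
    """Assumed wiring: bypass contact in parallel with the scram contact, so the
    branch conducts if the scram condition is absent OR the bypass is closed."""
    condition_present = FLOW_SCRAMS[relay] in inp.process_scrams
    return (not condition_present) or bypass_relay_closed(relay, inp)


def safety_system_contacts(inp: WpcInputs) -> dict:
    """B3-1 (Loop A) and B4-1 (Loop B) are both opened by a scram from either
    Scram Logic Card. Returns each contact's state, True = closed."""
    scram = inp.scram_card_1 or inp.scram_card_2
    return {name: (not scram) or name in inp.stuck_closed_contacts
            for name in ("B3-1", "B4-1")}


def non_flow_scram_present(inp: WpcInputs) -> bool:
    """Process scrams other than the three flow scrams (e.g. low pressure city
    water) are never bypassed by RY1-RY3."""
    return bool(inp.process_scrams - set(FLOW_SCRAMS.values()))


def wpc_closed(inp: WpcInputs) -> bool:
    """The withdraw permit exists only if every series element conducts."""
    if not all(safety_system_contacts(inp).values()):
        return False
    if non_flow_scram_present(inp):
        return False
    return all(flow_scram_branch_closed(r, inp) for r in FLOW_SCRAMS)


if __name__ == "__main__":
    low = WpcInputs(Mode.LOW_POWER, process_scrams={"Low Flow Primary Coolant"})
    print("<100 kW, no forced flow, bypass intact:", wpc_closed(low))   # True
    low.failed_bypass_relays.add("RY2")
    print("<100 kW, RY2 failed during low flow:", wpc_closed(low))     # False
    stuck = WpcInputs(Mode.FULL_POWER, scram_card_1=True,
                      stuck_closed_contacts={"B3-1"})
    print("Safety scram with B3-1 stuck, B4-1 opens:", wpc_closed(stuck))  # False
```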


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System
"Magnet Power Supplies and Rundown Relays"

Description of Magnet Power Supply System

The function of the magnet power supplies is to provide current (~80 milliamps DC) to the electromagnets for all six shim blades (i.e., absorber sections of the control devices) in the reactor core. Each magnet holds the weight of its shim blade, attaching it to its drive mechanism via the magnet. When current to the magnet is interrupted, the shim blade will decouple from its magnet and drive, and travel vertically by gravity into the reactor core, scramming or shutting down the reactor in less than one second.

In the existing nuclear safety system, power for the magnets originates in the electronic circuitry of the six nuclear safety amplifiers. These amplifiers provide the necessary trip signals, three on high power and three on short period, and use those signals to interrupt current to the magnets. The interruption is first applied to the magnets for a pre-selected pair of shim blades (blades 1 & 4, or blades 2 & 5, or blades 3 & 6), and then to the remaining four magnets.

The new nuclear safety system will not consist of safety amplifiers. Instead the high power and short period trips all originate from four independent Mirion DWK 250 neutron flux monitors. The new magnet power supply system will consist of three modules, with each module providing magnet current to two shim blades (blades 1 & 2, blades 3 & 4, and blades 5 & 6). Each module interfaces with its corresponding rundown relay circuit, with magnet current passing through the rundown relay panel on its way to the magnet. The function of the rundown relay system will be described in the next section.

Each magnet power supply module is a stand-alone electronic circuit, made of discrete solid-state components, with its own 24-volt DC power supply. (See Drawing R3W-253-4.) Each module has two "current adjust" regulators, one for each associated shim blade. The regulators are semiconductor devices. The adjusted current is displayed on a meter in series with the regulator, one for each shim blade.

Magnet current is interrupted in each magnet power supply module via two relays that are controlled by Scram Loops A and B from the output of the Scram Logic Cards. For instance, relay contacts GM1A-1 and GM1B-1 on Drawing R3W-253-4 for shim blade 1 belong to relays GM1A and GM1B in Scram Loops A and B respectively. If Scram Loop A, or Scram Loop B, or both A and B are open, i.e. in scram condition, these relay contacts will open to interrupt magnet current to shim blade 1. Likewise, contacts GM1A-2 and GM1B-2 for shim blade 2 will open to interrupt magnet current to shim blade 2.

The Withdraw Permit Circuit (WPC) interrupts magnet current via relays in the rundown relay panel, as described in the next section. For redundancy, when the WPC is open, the 120-volt AC line power from reactor electrical circuit L21 itself will be interrupted, thereby simultaneously de-energizing all three 24-volt DC power supplies for the three magnet power supply modules. This can be seen on Drawing R3W-253-4, where relay RY4 from the WPC will open relay contact RY4-1 when the WPC is open, thereby interrupting current from all three 24-volt DC magnet power supplies. The independent interruption of the magnet power supply via the nuclear safety Scram Logic Cards and the WPC provides redundancy and prevents common-mode failure.

Description of Rundown Relay System

The function of the rundown relay system is to move each shim blade's drive mechanism to its "full in" position at its normal speed whenever magnet current to the shim blade's magnet is removed. When the blade's magnet current is interrupted, the blade is intended to drop by gravity into the core. Moving the drive in behind it automatically is to ensure that the blade reaches its bottom position and stays there following a scram, completing the protective action once it is initiated.

The magnet power supply circuits are constructed in three independently-powered modules, each supplying a pair of shim blade magnets. The rundown relay system, however, is all part of one panel, and uses its own 24-volt DC power supply to energize the circuits for all six shim blades.

When the magnet power supply circuit is energized, current goes through the rundown relay system via three relay contacts connected in series (B1A-1, B2A-1, & RR1-1 on Drawing R3W-253-4 for shim blade 1, or B1A-2, B2A-2, & RR2-1 for shim blade 2).

Relays B1A and B2A are controlled by the Withdraw Permit Circuit (WPC). If the WPC is open, i.e. in scram condition, these relays interrupt magnet current to the associated shim blade. Relays RR1 and RR2 also interrupt magnet current, if the magnitude of that current drops below a pre-determined value which is set by an opto-relay (U1 for shim blade 1, U2 for shim blade 2).

The RR1, RR2, etc., relays perform two additional functions: controlling an indicator light that shows the status of the rundown relay circuit for its corresponding shim blade, and overriding normal control of the shim blade's drive motor. The indicator light stays out whenever the magnet current is at normal operating level. It comes on when the magnet current is low or near zero; the corresponding shim blade drive will be moving in, until it reaches its full-in position. Whenever the WPC is open, the indicator lights will stay on, denoting the control overrides which prevent any shim blade drive from being moved outward. Even after the WPC is reset and re-energized, this override condition will remain in effect until the rundown relay circuits themselves are reset by the console operator.

Additionally, the rundown relay circuits cannot be reset if the magnet current is below a pre-determined value. When the circuit is reset, the indicator lights go out.

The rundown relay circuit for each shim blade can be individually reset once the blade drive has reached the full-in position and the WPC has been reset and re-energized. A master reset (pushbutton PB7, acting via relays MR1 and MR2 on Drawing R3W-253-4) is also available to reset all six rundown relay circuits simultaneously.


Safety Evaluation

Both the magnet power supply system and the rundown relay system will continue to perform their safety functions as defined by the SAR. Both systems were rebuilt with standard industrially-rated components. As was the case for their previous forms, they contain no digital components, being constructed only with non-programmable solid-state and discrete passive devices. Therefore, these systems are not subject to cybersecurity threats.

There are six independent ways to interrupt current to any given shim blade magnet: two relays from the Scram Logic system (via scram loops A and B), two relays from the WPC in the blade's rundown relay circuit, one relay in the blade's rundown relay circuit that opens upon low current, and one relay from the WPC in the line power supply. If there is a nuclear safety system scram, all six of these ways will have their relays open, to ensure a reactor scram. If there is a process system scram (e.g. low flow on the primary coolant system, low pressure city water, etc.), then only four of the above ways will apply: two relays from the WPC in the blade's rundown relay circuit, one relay in the blade's rundown relay circuit that opens upon low current, and one relay from the WPC in the line power supply. Most importantly, any one of these ways will cause a magnet current interruption to shut down the reactor, and will activate the rundown relay circuit to drive all the shim blades in. (The regulating rod will also be driven in when the WPC is open, but via the existing rod control circuit.)

Five out of six of the relays mentioned above in the magnet power supply circuit and the rundown relay circuit for each shim blade are wired in series. If any one of those is open, magnet power to that shim blade is interrupted.

The three magnet power supply modules have their own independent 24-volt DC power supplies. Likewise, the rundown relay panel has its own 24-volt DC power supply.

They are independent except that the three units for the magnet power supply modules have a common relay immediately upstream that will open when the WPC is open.

In summary, redundancy of scram relays and independence of scram activation(s) minimizes the risk of common-mode failure of the magnet power supply system and the rundown relay panel. The two relays from Scram Loops A and B, and the three relays from the WPC, are all mechanical relays that fail open, hence minimizing the impact from EMF and radio frequency interference on their function.

Opto-relays, one for each shim blade, are used within the magnet power supply modules. For instance, they are shown as contacts U1-1 and U2-1 in Drawing R3W-253-4 for shim blade 1 and shim blade 2 respectively. The opto-relays were chosen for their sensitivity to low current, i.e., less than 5 milliamps. Upon sensing current dropping to a low value, the optical portion of the relay will then deactivate the solid-state portion to de-energize the coil of relay RR1 for shim blade 1, or RR2 for shim blade 2, etc.
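The six interruption paths and the rundown relay latch described in the two sections above, as an added example that is not part of the MIT submittal: the six contacts and the two thresholds (~80 mA holding current, opto-relay sensitivity below 5 mA) come from the document, while the data model and the reading of the reset interlock (the upstream path must be restored before the rundown relay will reset) are assumptions made here.

```python
"""Model of the magnet current path for one shim blade and its rundown relay.

Added example, not part of the MIT submittal. Contact labels are generic
(the document's per-blade suffixes such as B1A-1 / RR1-1 are omitted).
"""
from dataclasses import dataclass

NORMAL_CURRENT_MA = 80.0   # ~80 mA DC magnet holding current (document)
LOW_CURRENT_MA = 5.0       # opto-relay trips below this (document)

GM_A, GM_B = "GM-A (Scram Loop A)", "GM-B (Scram Loop B)"
B1, B2 = "B1 (WPC, rundown panel)", "B2 (WPC, rundown panel)"
RR = "RR (low-current opto-relay)"
RY4_1 = "RY4-1 (WPC, 120 V line to the 24 V supplies)"


@dataclass
class BladeCircuit:
    blade: int
    scram_loop_a_open: bool = False
    scram_loop_b_open: bool = False
    wpc_open: bool = False
    magnet_current_ma: float = NORMAL_CURRENT_MA
    rundown_latched: bool = False   # RRn de-energized and held until reset
    drive_full_in: bool = False


def contacts(c: BladeCircuit) -> dict:
    """State of the six contacts in the blade's magnet current path (True = closed).
    The first five are wired in series; RY4-1 sits on the common line power."""
    low_current = c.magnet_current_ma < LOW_CURRENT_MA
    return {
        GM_A: not c.scram_loop_a_open,
        GM_B: not c.scram_loop_b_open,
        B1: not c.wpc_open,
        B2: not c.wpc_open,
        RR: not (low_current or c.rundown_latched),
        RY4_1: not c.wpc_open,
    }


def open_paths(c: BladeCircuit) -> list:
    return [name for name, closed in contacts(c).items() if not closed]


def magnet_energized(c: BladeCircuit) -> bool:
    """Any single open contact de-energizes the magnet and drops the blade."""
    return not open_paths(c)


def nuclear_safety_scram(c: BladeCircuit) -> None:
    """Scram Logic Cards open both scram loops and the WPC: all six paths open."""
    c.scram_loop_a_open = c.scram_loop_b_open = c.wpc_open = True


def process_scram(c: BladeCircuit) -> None:
    """Process scram (e.g. low primary flow): only the WPC-driven contacts open."""
    c.wpc_open = True


def settle(c: BladeCircuit) -> BladeCircuit:
    """Propagate the electrical consequence of the current state: an open path
    takes magnet current to zero, the opto-relay senses it and latches RRn, and
    the rundown circuit runs the drive to full-in behind the dropped blade."""
    if not magnet_energized(c):
        c.magnet_current_ma = 0.0
        c.rundown_latched = True
        c.drive_full_in = True
    return c


def indicator_light_on(c: BladeCircuit) -> bool:
    """Rundown indicator: on while current is low or the circuit is latched,
    and held on whenever the WPC is open."""
    return c.wpc_open or c.rundown_latched or c.magnet_current_ma < LOW_CURRENT_MA


def reset_rundown(c: BladeCircuit) -> bool:
    """Individual reset of the blade's rundown relay circuit. Refused while the
    WPC is open, before the drive is full-in, or while any upstream contact is
    still open (holding current could not return). Returns True on success."""
    if c.wpc_open or not c.drive_full_in:
        return False
    if not all(closed for name, closed in contacts(c).items() if name != RR):
        return False
    c.rundown_latched = False
    c.magnet_current_ma = NORMAL_CURRENT_MA
    return True


if __name__ == "__main__":
    blade = BladeCircuit(1)
    process_scram(blade)
    print("open before settle:", open_paths(blade))      # B1, B2, RY4-1
    settle(blade)
    print("open after settle:", len(open_paths(blade)))  # 4
    blade.wpc_open = False
    print("reset accepted:", reset_rundown(blade))       # True
```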

Each 24-volt DC power supply for the three magnet current power supply modules and the rundown relay panel is protected by its own fuse against surges in line voltage on circuit L21. In line with each shim blade magnet, downstream of the magnet power supply and rundown relay circuits, is a fuse that prevents any power surge from damaging the magnet. Each fuse is rated for no more than 0.25 amp. Therefore, the magnet power supply system and the rundown relay circuits are adequately protected from power surges in their operating environment.

The magnet power supplies and the rundown relay panel will be rack-mounted within the protective metal cabinets of the control room console. The console cabinets will continue to provide the equipment with physical defense comparable to that for the current systems, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff.

The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

The air-conditioning control easily satisfies the operating requirements of all the components, which are of standard industrial qualifications. When the reactor is shut down and the building is secured, the magnet power supply system and the rundown relay circuits are de-energized.

Human interface with the magnet power supply system is via current-adjust knobs, and meters on the console showing the instantaneous magnet current for the corresponding shim blades. The interface with the rundown relay panel is via indicator lights and reset pushbuttons, as described in the previous section. These interfaces are in plain sight, and conveniently near the main part of the console for the operator. Therefore, human factors engineering is adequate and equivalent to the current system.

All cable connections to the magnet power supply system and the rundown relay panel will be labeled, and some will be color-coded. Individual modules and panels will also be labeled, as will key electronic components on circuit boards. These markings improve the human interface for purposes of installation and maintenance.

The functions of the magnet power supply system and the rundown relay panel will be tested periodically as per the Technical Specifications for the nuclear safety system.

Therefore, regular surveillances will ensure the integrity of these systems.


QA File #E-2012-1 Digital Upgrade for Nuclear Safety System
"LED Scram Display, and Safety System Monitoring & Status Display PLC"

Description of the LED Scram Display

The LED Scram Display features two 4x4 arrays of light-emitting diode (LED) indicator lights that allow, via the outputs of the two Scram Logic Cards, the console operator to readily identify which DWK 250 chassis has produced a trip signal from its binary outputs, as shown in Figure 1 below. The upper array shows the signals output by Scram Logic Card 1, and the lower array by Scram Logic Card 2.

Figure 1 - Front Face Overlay for the LED Scram Display. [Figure not reproduced in text: panel title SAFETY SYSTEM CONDITION; two 4x4 LED arrays headed SCRAM LOGIC MODULE #1 and SCRAM LOGIC MODULE #2, each with columns CH 1, CH 2, CH 3, CH 4 and rows HIGH POWER, SHORT PERIOD, LOW COUNT RATE, TROUBLE; a row of CHANNEL RESET buttons for CH 1 to CH 4 below.]

The LED Scram Display module receives trip condition signals from Scram Logic Card 1 and Card 2 by way of the Signal Distribution Module (SDM). (See schematic diagram R3W-256-2 Rev. 1.4.) When a DWK 250 outputs a trip signal, the signal is indicated on the DWK 250 chassis itself. If this trip is transitory, such as a momentary high power, the indicator light on the DWK 250 will go out as soon as the trip condition clears.

However, the trip signal will be retained (or "latched") in the Scram Logic Cards, which send it to the LED Scram Display module.

From each of the Scram Logic Cards, the LED Scram Display has four trip indications representing six trip conditions from each of the DWK 250 channels: High Power (full power or 100 kW set point, depending on the position of the <100 kW key-switch), Short Period, Low Count Rate, Test, and Fault / Equipment Malfunction, with the latter two combined as Trouble.

Figure 2 - Rendering of LED Scram Display Module. [Figure not reproduced in text: it shows the SCRAM LOGIC MODULE arrays with columns CH1 to CH4 and rows HIGH POWER, SHORT PERIOD, LOW COUNT RATE and TROUBLE, as in Figure 1.]

The High Power light represents one of two possible high reactor power conditions from the DWK 250 chassis - the [full power] High Power trip or the High Power 100 kW Operation trip - depending on which mode of operation is selected on the <100 kW Key-Switch Module (KSM). For instance, if <100 kW Operation is selected and reactor power reaches the <100 kW operation trip set point, then the DWK 250 chassis will output the High Power 100 kW Operation trip signal. The trip signal first arrives at the Scram Logic Cards, which then output the signal to the LED Scram Display module, illuminating the High Power trip light.

If just one of the four DWK 250 chassis outputs two or more trip signals, the two Scram Logic Cards receive the trip signals for logic comparison, but will not produce a scram signal. This will show up on the LED Scram Display as multiple lights lit up all in a single column, and no scram. However, if two or more of the DWK 250s produce trip signals, then the two-out-of-four voting logic designed into the Scram Logic Cards is satisfied, and the Scram Logic Cards will output a scram signal to shut down the reactor. This will show up on the LED Scram Display as multiple lights lit up in the same row, with a scram.

Therefore, the LED Scram Display provides a visual illustration for the console operator of the status of the Scram Logic Cards. It will be located on the control room console where it is easily visible by the console operator.

The LED Scram Display module contains reset buttons, one corresponding to each DWK 250 channel. The console operator needs to manually push the "Reset" button for the corresponding channel in order to clear the alarm for that channel latched in both of the Scram Logic Cards. The Reset buttons reset the Scram Logic Cards, and thus the lights on the LED Scram Display, particularly prior to restart of the reactor.

The LED Scram Display module and the Scram Logic Cards are composed of bi-stable, discrete components only, and therefore are not programmable and do not have a system clock or other timing function. Signal transmission between the LED Scram Display module and the Scram Logic Cards is via the Signal Distribution Module, which is functionally passive as covered in the Signal Distribution Module description. The Safety System Monitoring & Status Display PLC described below will register separately the date and time of alarms appearing on the LED Scram Display panel.


Description of the Safety System Monitoring & Status Display PLC

The Safety System Monitoring & Status Display PLC (a.k.a. "the PLC") operates independently of the LED Scram Display module. The main function of the PLC is to register and record the date and time when a trip signal is generated by any of the four DWK 250 chassis. In this way, the PLC provides indication of DWK 250 alarms, redundant with the LED Scram Display. The PLC is also equipped with a physical reset button that affects only the PLC itself.

Each DWK 250 chassis outputs to the Signal Distribution Module (SDM), where its trip signals will be routed to the Scram Logic Cards as well as independently to the PLC.

Each DWK 250 chassis can generate up to eight alarm conditions: High Power Trip, Short Period Trip, High Power 100 kW Operation Trip, Low Count Rate Trip, High Power Warning, Short Period Warning, Test Trip, and Fault / Equipment Malfunction Trip. The High Power Warning and the Short Period Warning do not warrant a reactor scram, and are routed to neither the LED Scram Display panel nor the Scram Logic Cards. However, all eight alarm conditions will reach the PLC by way of the SDM. The PLC will then display and record the names of all of these alarms that come in.

When the Withdraw Permit Circuit opens, the PLC will indicate it, based on a signal from the <100 kW Key-Switch Module (KSM). Additionally, the KSM outputs its key-switch position to the PLC. When the key-switch is set to <100 kW Operation, the High Power 100 kW Operation Trip, if generated, will reach the PLC and be displayed there.

However, when the key-switch is on Full Power Operation, the PLC is programmed to ignore High Power 100 kW Operation Trip signals from the DWK 250 channels, and not display them.

The PLC generates three alarms on the control room's main annunciator panel: High Power Warning, Short Period Warning, and Trouble. An annunciator alarm of Trouble may include conditions of Low Count Rate, Test, or Fault / Equipment Malfunction. On the PLC, the console operator can see which one(s) it is. The PLC does not output any scram alarms to the annunciator panel; those come from the Scram Logic Cards via the KSM.

The PLC has a physical, common reset button to acknowledge and reset any alarms it registers. This reset button does not reset the alarms on the LED Scram Display nor the Scram Logic Cards. Furthermore, it does not by itself clear the alarms on the control room's main annunciator panel; to clear those, one must use the annunciator panel's own acknowledge and reset buttons as well.

The PLC has a built-in optical isolator on each of its signal input connections from the Signal Distribution Module. These ensure that the DWK 250 units are isolated from the PLC. Furthermore, the PLC is mechanically isolated by mechanical relays on its three outputs where it connects to the control room's main annunciator panel.

During the initial testing phase, the PLC panel will be installed in the control room but away from the main console. It will be moved near the main console for final installation. The PLC panel uses Secure Digital (SD) memory cards to store data.
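The two-out-of-four voting, the latching and channel reset behaviour of the Scram Logic Cards and LED Scram Display, and the PLC's key-switch-dependent filtering described in the two sections above, as an added example that is not part of the MIT submittal. The alarm names, the four display rows and the folding of Test and Fault / Equipment Malfunction into Trouble are from the document; taking the vote per trip condition (per display row) follows the document's description of the display, and the data structures, timestamps and sample sequence are constructed here.

```python
"""Model of the Scram Logic Cards, the LED Scram Display and the PLC's alarm log.

Added example, not part of the MIT submittal. Both cards receive every DWK 250
trip through the SDM; the PLC receives every alarm, warnings included.
"""
from dataclasses import dataclass, field
from enum import Enum

CHANNELS = (1, 2, 3, 4)
ROWS = ("High Power", "Short Period", "Low Count Rate", "Trouble")

# DWK 250 trip outputs routed to the Scram Logic Cards, and the display row each lights.
TRIP_ROW = {
    "High Power Trip": "High Power",
    "High Power 100 kW Operation Trip": "High Power",
    "Short Period Trip": "Short Period",
    "Low Count Rate Trip": "Low Count Rate",
    "Test Trip": "Trouble",
    "Fault / Equipment Malfunction Trip": "Trouble",
}
# Warnings reach the PLC (and annunciator) only, never the Scram Logic Cards.
WARNINGS = ("High Power Warning", "Short Period Warning")


class Mode(Enum):
    FULL_POWER = "Full Power"
    LOW_POWER = "<100 kW"


@dataclass
class ScramLogicCard:
    """One card: latched trip rows per channel, i.e. one 4x4 array of the display."""
    latched: dict = field(default_factory=lambda: {ch: set() for ch in CHANNELS})

    def receive(self, channel: int, alarm: str) -> None:
        row = TRIP_ROW.get(alarm)
        if row is not None:          # warnings are not trips and are not latched
            self.latched[channel].add(row)

    def voted_rows(self) -> list:
        """Rows on which two or more of the four channels hold a latched trip."""
        return [r for r in ROWS if sum(r in self.latched[ch] for ch in CHANNELS) >= 2]

    def scram(self) -> bool:
        return bool(self.voted_rows())

    def reset_channel(self, channel: int) -> None:
        self.latched[channel].clear()


def plc_accepts(alarm: str, mode: Mode) -> bool:
    """The PLC records every DWK alarm, except that in Full Power mode it is
    programmed to ignore the High Power 100 kW Operation Trip."""
    return not (alarm == "High Power 100 kW Operation Trip" and mode is Mode.FULL_POWER)


@dataclass
class SafetySystem:
    card1: ScramLogicCard = field(default_factory=ScramLogicCard)
    card2: ScramLogicCard = field(default_factory=ScramLogicCard)
    plc_log: list = field(default_factory=list)   # (timestamp, channel, alarm)

    def dwk_alarm(self, stamp: str, channel: int, alarm: str, mode: Mode) -> None:
        """The SDM fans one DWK 250 output out to both cards and, separately, to the PLC."""
        for card in (self.card1, self.card2):
            card.receive(channel, alarm)
        if plc_accepts(alarm, mode):
            self.plc_log.append((stamp, channel, alarm))

    def scram(self) -> bool:
        return self.card1.scram() or self.card2.scram()

    def channel_reset(self, channel: int) -> None:
        """The LED Scram Display reset button clears that channel in both cards."""
        self.card1.reset_channel(channel)
        self.card2.reset_channel(channel)


def render(card: ScramLogicCard) -> str:
    """Text form of one 4x4 LED array of the display: '*' lit, '.' dark."""
    header = f"{'':<16}" + "  ".join(f"CH{ch}" for ch in CHANNELS)
    rows = [f"{r:<16}" + "  ".join(" * " if r in card.latched[ch] else " . " for ch in CHANNELS)
            for r in ROWS]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    # Constructed sequence: one chassis with two trips (no scram), then a second
    # chassis on the same row (scram), then a channel reset.
    s = SafetySystem()
    s.dwk_alarm("2016-05-12 10:00:00", 2, "High Power Trip", Mode.FULL_POWER)
    s.dwk_alarm("2016-05-12 10:00:01", 2, "Short Period Trip", Mode.FULL_POWER)
    print(render(s.card1), "\nscram:", s.scram())   # False: single column
    s.dwk_alarm("2016-05-12 10:00:02", 3, "Short Period Trip", Mode.FULL_POWER)
    print(render(s.card1), "\nscram:", s.scram())   # True: two lights in one row
    s.channel_reset(2)
    print("after reset of CH2, scram:", s.scram())  # False
```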


Safety Evaluation

The LED Scram Display module is composed entirely of discrete components. It is a passive device that is used for visual indication only. Therefore, it is not subject to cybersecurity threats. It does not produce any scram signals, but does have the major secondary function of resetting the Scram Logic Cards. If the module fails, such as by physical damage or other disturbance, the LED indicator lights will not light, and the reset buttons may not function. In this case if the Scram Logic Cards produce a scram, there will be no means to reset the Cards, resulting in a conservative outcome. Furthermore, because the module is a passive device, it will not generate heat or produce interference in the Signal Distribution Module or other neighboring devices.

The PLC is optically isolated at its input from the SDM. It transmits only to the control room's main annunciator panel. Optical isolators built into the PLC's inputs will protect the DWK 250 units from being affected by any potential malware in the PLC's operating software. If this isolation fails, the PLC will be left completely disconnected from the SDM. In that case, none of the trip alarms generated by the DWK 250 units will reach or be registered by the PLC.

Likewise if the PLC itself fails, none of the trip alarms generated by the DWK 250 units will be registered there. Conditions of High Power Warning, Short Period Warning, or Trouble would not be output to the control room's main annunciator panel. In that case, high power warning capability would come from another existing neutron flux monitoring channel that is not part of the nuclear safety system. Furthermore, the DWK 250 chassis have their own indicator lights for these conditions. The existing nuclear safety system does not have any high power warning or short period warning functions. Therefore, the lack of these warning capabilities in the case of PLC failure or failure of its optical isolators will not degrade operational safety. Most importantly, since the PLC is not responsible for generation of any scram signals, its loss will not affect nuclear safety or reactor operation.

If the PLC fails, or one or more of its input optical isolators fail, a DWK 250 Trouble condition (Low Count Rate, Test, or Fault / Equipment Malfunction) will not reach the PLC, but will still light the relevant indicator(s) on the LED Scram Display. Trouble conditions from two or more DWK 250 units will still result in a scram output from the Scram Logic Cards, shutting down the reactor.

If malware corrupts the PLC, the PLC screen may provide or record inaccurate information, including the date and time, and the PLC may fail to output actual alarms, or may output any of its three annunciator alarms when they are not warranted. However, in all cases the console operator has other means in the control room to verify reactor conditions and the status of the nuclear safety channels. This failure mode of the PLC does not interfere with reactor scram functions and therefore has no impact on nuclear safety.

The PLC has network connection capability. However, there is no plan to place it on a public network, where it would have a higher probability of compromise by malware. The PLC writes its recorded data onto a Secure Digital (SD) card that has sufficient memory for the life of the equipment. In the case that the SD card will be removed for download, it will be used with a lab-specific secure computer.


The LED Scram Display module and the PLC module will be bench-assembled in a controlled environment. The new assemblies will then be connected to the rest of the new nuclear safety system while everything is de-energized. After that, the new system will be re-activated for testing. These modules will be constructed with standard industrially-rated components. They will be mounted on the control room console, which will provide them with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. Password protection will be used to secure the PLC logic. The control room is attended whenever the reactor is operating. At all other times, when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

This air-conditioning control easily satisfies the operating requirements for all the components in the modules.

All cables to, and cable connection points on, the LED Scram Display module and the PLC module will be labeled. These markings improve the human interface for purposes of installation and maintenance. The arrangement of the LED Scram Display module's indicator lights and reset buttons is easy to see and use. The PLC's display screen conforms to modern industrial display standards. Therefore, human factors engineering is adequate.

The LED Scram Display module and the PLC module will be tested for wiring verification, including the proper level of illumination of LED lights and PLC display screen, using a written procedure prior to first use. There will also be periodic operational checks.

Therefore, the pre-operational and routine surveillances are sufficient to assure the completeness and integrity of these modules.



[Drawing R3W-256-2 Rev 1.4, "DWK Safety System Global Connection Diagram", Massachusetts Institute of Technology, D. Kouttron, 2.10.2016. Scanned wiring figure; only the block labels are recoverable: Source DWK Unit 1, DWK Unit 2, DWK Unit 3, DWK Unit 4; Existing Console Annunciator; 24V Supply [1] and 24V Supply [2]; Signal Distribution Module with Scram Logic Card 1 and Scram Logic Card 2 and Chassis LED Indication; Breakout Box; Drop-Timer Interface Module; Blade Drop Timer; Safety System Monitoring and Status Display [PLC] with Acknowledge and Reset; LED Scram Display Module [With Reset]; Existing Console Chart Recorders/Meters; <100 KW Key-Switch; X43 20 POS Connector (Withdraw Permit, Magnet Power Supplies). Cables are numbered [K-10] through [K-39]; connectors are DB9, DB15, DB25, DB37 and DB50 types, an RS232 DWK link, and 6-pin XLR pairs.]

[Drawing R3W-258-3 Revision 0, "RPS Signal Distribution Board, Sig Dist Mod V2", designed by S. Hanvy, checked by D. Kouttron, dated 2/12/2016, size A2, sheet 1 of 1. Scanned schematic; only the net and block labels are recoverable: Inputs to Card 1 and Inputs to Card 2; MPS_1 goes to GM(1,2,3)A, MPS_2 goes to GM(1,2,3)B; WPC 1, WPC 2; <100KW Bypass; Drop Timer Interface; Logic Card 1, Logic Card 2; Digital Outputs 1, Digital Outputs 2; DC_SPLY_Good_1, DC_SPLY_Good_2; Status_Display_nonSFTYalarms; Safety Channel Reset Inputs from Scram LED Display (Reset CH1 through CH4); Current Monitoring connection; Meters; Dual +24Vdc supply with 5 A fuse, PMEG45A10EPD and 1N6287AG protection diodes; on-board PWR header; RS232.]

[Drawing "<100 KW Key Switch Module", Massachusetts Institute of Technology Reactor (listed in the cover letter as R3W-254-4); the date field in the scan reads 2/19/18. Scanned schematic; only the labels are recoverable: 2-position key switch KS1 (contacts KS1A, KS1C, KS1D) selecting <100 KW Operation or Full Power Operation; relays RY5, RY6, RY7, RY8 and contact RY4-2; Loop A Scram and Loop B Scram logic cards; 120 VAC Magnet Power Supply Modules from WPC; +24 VDC from Safety System; Annunciator Alarms (<100 kW Operation, Scram); outputs to the Safety System Status Indicator PLC inputs (<100KW Operation, WPC Status), to Scram Logic Cards 1 and 2, and to Magnet Power Supplies; Primary Flow, MP6, MP6A Scram Bypasses; Withdraw Permit Circuit; lines L21, L22.]

[Drawing "Protective System Section A3", Massachusetts Institute of Technology Reactor (the existing Withdraw Permit Circuit, listed in the cover letter as R3W-203-4C Sheet 3-of-4); the date field in the scan reads 8-19-16. Scanned relay-ladder schematic; only the labels are recoverable: 120 VAC Hot L-21/L-23 and 120 VAC Neutral L-22; Inner and Outer Basement Air Lock Gasket Pressure Switches; Building Overpressure Switch; Hold-Down Plate Latch; Isolation Transformer; Dump Valve In Limits Control Switch SW-8; Spring Loaded B-2A/B-2B; Auto Run-On TDC; Maint.; LS-205; KS-9C; Reg Rod Near Base; Air Lock Deviation Meter; Period Channel (1.5%) and Level Signal Off Scale (2 of 3); Reg Rod Shim Sw.; Main Flow Valve; Dump Valve W38; Run-On Reset PB-9; Outlet Temp. Rcdr 130; Core Inlet Pressure (MP-5A); LS 28-1 Dump Valve Position; Minor Scram PB-8 T.D.; Thermal Beam Sub-Crit. 30 Sec.; Reactor Bypass Key Switch; All Rods In; Grid Latch; Test; Manual; Major Scram; Scram Circuit W27 (R3W-251-3); Ready Light; Auto Control. Note 1: W29 found at PB, far left TB.]

[Drawing "Protective System Section A3", Massachusetts Institute of Technology Reactor (the proposed Withdraw Permit Circuit, listed in the cover letter as R3W-203-4D Sheet 3-of-4). Scanned relay-ladder schematic with the same inputs as the existing Section A3 drawing (120 VAC L-21/L-23 and neutral L-22; air lock gasket pressure switches; building overpressure; hold-down plate latch; dump valve limits; auto run-on; period and level channels; minor and major scram; scram circuit W27 R3W-251-3; ready light; auto control), plus the added Safety System Scram (Loop B) contact and W37 (From E3). Note 1: W29 found at PB, far left TB.]

[Drawing "Magnet Power Supplies and Rundown Relay Panel", Massachusetts Institute of Technology Reactor (listed in the cover letter as R3W-253-4). Scanned schematic; only the labels are recoverable: 120 VAC from WPC (W22, W25) via RY4-1, L21/L22; magnet power supplies GM1A/GM1B for shim blade 1 and 2 magnets, GM2A/GM2B for blade 3 and 4 magnets, GM3A/GM3B for blade 5 and 6 magnets, each fed 24 VDC from Scram Loop A and Scram Loop B with current adjust (U1-1 through U6-1); Master Reset; Rundown Relay Panel with rundown relays RR1 through RR6, reset pushbuttons PB1 through PB6, MR1/MR2 contacts and SW1-2; Blade 1 through Blade 6 Motor Control (Out/In). Note 1: capacitor coupled input to circuits for detecting a dropped blade condition. Note 2: Ref. DWG. R3W-204-4A.]