ML17130A898

Draft Open Items MIT NSS LAR
ML17130A898
Person / Time
Site: MIT Nuclear Research Reactor
Issue date: 05/10/2017
From: Patrick Boyle
NRC/NRR/DPR/PRLB
To: Lau E
Massachusetts Institute of Technology (MIT)
Boyle P


Text

Open Items No. Description Status Resolution

1. 7.4-3 Verify that information about the RPS detector or sensor devices is sufficient to verify that individual safety limits are protected by independent channels, and that LSSS and LCO settings can be established through analyses and verified experimentally.

7.4-4 Verify that the system requirements for the RPS (such as required scram times) are clearly identified and are consistent with the system requirements in the accident analyses and technical specifications (Sections 13 and 14).

TS Table 3.2.3-1 identifies the minimum number of channels required for period and power scram as 2 and the minimum number of channels for Nuclear safety channel trips for low count rate, channel in test, or channel fault as 1. Address the following:

a) In the LAR, section 7.2.6b, MIT changed the number of required operable channels from two to three. However, MIT did not update Table 3.2.3-1 when the LAR was submitted. A revised and consistent Table 3.2.3-1 is required.

b) The channel/parameter No. 13 in Table 3.2.3-1 was renamed from "Period channel level signal off-scale" to "Nuclear safety channel trips for low count rate, channel in test, or channel fault". The number of required channels remains 1. However, it is not clear if the minimum required channel refers to the number of trip channels or operable channels.

2. 7.4-1 Verify that the reactor has operable protection capability in all operating modes and conditions (e.g., refueling, shutdown, low power, square wave, pulsing and power operation), as analyzed in the SAR. For example, at low reactor power, a reactor period scram may be needed to ensure that inadvertent transients could not propagate risks to personnel or the reactor.

The LAR described how the signal distribution module and the scram logic card operate and their safety evaluations. However, to satisfy this design criterion MIT should provide final design verification, testing and logic schematics to establish proper protection of the reactor.

3. 7.4-1 requires that consideration be given to failures that cause actions as well as prevent actions.

Normally, a failure mode and effect analysis is performed to identify failure modes for the components or the safety system. Mirion identified the failures for the DWK 250. However, the amendment and its supplements do not provide this information for the other components.

Describe the failure modes and effects for the key switch module, scram logic card, signal distribution module, etc.

File Name: Draft Open Items MIT NSS LAR 10May2017.docx Date Printed: 05/10/2017 2:40:06 PM

4. 7.4-3 Verify that information about the RPS detector or sensor devices is sufficient to verify that individual safety limits are protected by independent channels, and that LSSS and LCO settings can be established through analyses and verified experimentally.

The LAR described how the signal distribution module and the scram logic card operate and their safety evaluations. However, to satisfy this design criterion MIT should provide final design verification, testing and logic schematics to verify that the safety limits are protected (e.g., logic to verify that the new NSS will scram logic when a setpoint is exceeded).

5. 7.4-4 Verify that the system requirements for the RPS (such as required scram times) are clearly identified and are consistent with the system requirements in the accident analyses and technical specifications (Sections 13 and 14).

The accident analysis in the MIT USAR states that a 1.0 second scram time is used to determine the setpoints that will not result in any damage to the fuel. The LAR did not change this time requirement.

The Mirion documents identified the system response time requirement, as well as the system response time obtained during testing. However, the LAR and its supplement do not identify the response time of the system when all components are integrated.

Provide an analysis showing that the system response time (i.e., real time) meets the requirements in the USAR when all components are integrated (e.g., signal processing time with the Mirion system and the logic cards).

6. 7.4-5 Verify that the automatic reactor runback or shutdown (scram) subsystem is fail-safe against malfunction. Electrical power failure should be as close to passive as can be reasonably achieved, should go to completion once initiated, and should go to completion within the time scale derived from applicable analyses in the SAR.

Section 2, item 12 of the supplemental information provided on 5/12/2016 states that each logic circuit in the Scram Logic System must be designed to be fail-safe, that is, it scrams the reactor if it fails.

Describe how this design criterion was designed, implemented, and verified.

7. 7.4-9 Verify that the RPS is designed for reliable operation in the normal range of environmental conditions anticipated within the facility.

7.4-17 Verify that the effects of electromagnetic interference/radio-frequency interference (EMI/RFI) and power surges on safety-related I&C systems, including computer-based digital systems, are adequately addressed.

The LAR states that the reactor protection system is designed for reliable operation in the normal range of environmental conditions anticipated within the facility.

Section 7.4.1.5 of the LAR described how the Mirion components meet this requirement. However, the LAR does not explain how the components being designed by MIT (e.g., scram logic card) meet these design requirements.

The supplemental information dated 5/12/2016 states that the temperature and humidity of the control room is controlled and maintained by HVAC. However, this document does not explain if the equipment is capable of operating at environmental conditions created when the HVAC is not working.

Describe how MIT components meet the design basis 7.4-9 and 7.4-17.

8. 7.4-10 Verify that the RPS function and time scale can be readily tested to ensure the operability of at least minimum protection for all reactor operations.

The supplemental information dated 5/12/2016 refers to global system testing to be used to test the system after its integration. Does this include verification and validation of operation of the key switch module, scram logic card, signal distribution module and magnet power supplies, as well as system integration testing?

Provide the global system testing and the test plan to be used. This information can be reviewed during the audit.

Provide test results to verify operation of the system, including system integration testing and results.

Also, provide information that shows the system response time and performance.

9. 7.4-10 Verify that the RPS function and time scale can be readily tested to ensure the operability of at least minimum protection for all reactor operations.

The supplemental information provided on 5/12/16 states that the NSS will receive pre-operational and operational testing under the Test Plan.

Please provide the Test Plan and Test Summary Report. This information can be reviewed during the audit.

10. 7.4-11 Verify that the RPS is designed to perform its protective function after experiencing a single random active failure in the RCS or RPS, and such failure will not prevent the RPS from performing its intended function, or prevent safe reactor shutdown. For a digital computer-based RPS, the applicant/licensee should have performed a defense-in-depth and diversity analysis.

The LAR and its supplements describe that the system is required to include redundancy and diversity. However, a D3 analysis was not performed to identify how the reactor can be scrammed if the system fails (e.g., due to common cause failure). If MIT is taking credit for manual scram, then an analysis should show that the operator has sufficient time to scram the reactor.

11. 7.4-13 Verify the physical, electrical, and communications independence of the RPS both within the RPS channels and between the RPS and non-safety related systems.

a) The LAR describes that the signals from the SDM are sent to the redundant SLC. The SLC is equipped with optical isolators to ensure the signal path is one-way only. Please describe how the optical isolators are configured to be one-way only.

b) The NK 21 serial interface in the DWK 250 includes a link for an RS-232 port for external communication. Explain how this link is not used for affecting the safety functions of the NSS.

12. 7.4-13 Verify the physical, electrical, and communications independence of the RPS both within the RPS channels and between the RPS and non-safety related systems.

a) The LAR does not describe independence of the NSS from other non-safety related systems. Need to provide this information.

b) The SDM includes several signals routed to and from components. For example, connector X15 passes signals from DK channels to scram logic card 1. Need to explain how this transfer of signals does not affect the required safety functions.

The diagram provided in the supplemental info shows the connection, but we need to review the connection inside the SLC.

13. 7.4-18 Verify that devices that receive signals from safety and non-safety sources prioritize the signal from the safety system.

The reactor control system controls the shim blades. Also, actuation of the protection system causes the shim blade to be de-energized. Confirm that the RPS has the highest priority and overrides the reactor control system.

14. 7.4-23 Verify that the design properly documents the permissive conditions for each operating bypass capability that is to be provided.

7.4-24 Verify that appropriate controls are provided for interlock initiation and bypass.

The NSS includes the <100 kW key switch module. When the key is in <100 kW Operation, the supplemental information dated 5/12/2016 states that The 100 kW High Power Trips from the DWK 250s will, if on, be interpreted as channel trip signals by Scram Logic Card 1 and Scram Logic Card 2.

Confirm that by selecting this position in the module, it will force the signals from the DWK 250 to trip signals. Also, explain how this is done if pole KS1A is not used (Drawing R3W-254-4, included in the supplemental information dated 5/12/2016).

15. 7.4-27 Verify that the RPS is designed to allow testing, calibration, and inspection. If safety system testing is required or can be performed as an option during operation, verify that the RPS retains the capability to accomplish its safety function while under test.

The supplemental information dated 5/12/2016 states that regular surveillance will be performed to ensure integrity of the system. However, the LAR does not describe how these tests are going to be performed for the new NSS and if the surveillance requirements will be modified by the digital upgrade. In addition, the surveillance requirements should consider information provided by the manufacturer.

16. 7.4-30 Verify that the RPS equipment is distinctly identified to indicate its safety classification and to associate equipment according to divisional or channel assignments.

7.4-34 Verify that the quality of the components and modules in the RPS is commensurate with their safety importance. Verify that the licensee's QA program provides controls over the design, fabrication, installation, and modification of the RPS and experimental equipment to the extent that these impact safety-related items. For RTRs, the licensee may use the guidance of ANSI/ANS 15.8-1995, as endorsed by RG 2.5, in developing a QA program for complying with the program requirements of 10 CFR 50.34, subsections (a)(7) and (b)(6)(ii).

In the LAR, MIT stated that they followed the MITR Quality Assurance program for design, fabrication, modification and testing of all equipment. Need to review the MITR Quality Assurance program.

Also, need to verify that the equipment has been properly identified. This will be done during the audit.

17. Section 3.1 description of channel 8, proposed channel 6. Specifically, Channel No. 8 is a battery-operated power indication on loss of electricity, both off-site and emergency.

Describe how MIT will confirm that the batteries are fully charged to provide emergency power for emergency channel 6 (currently channel 8).

18. Design basis 7.4-2 The DWK 250 measures the neutron flux and relative change rate in counts per rate. Need to confirm the setpoint and measured values in terms of power.

Also, during testing (or audit) confirm that MIT tested or validated the range of operability of the detectors.
