ML17193A188


License Amendment Request for Upgrade of the Nuclear Safety System in the MIT Reactor Protection System, Docket No. 50-20, License R-37
ML17193A188
Person / Time
Site: MIT Nuclear Research Reactor
Issue date: 07/01/2017
From: Lau E
Massachusetts Institute of Technology (MIT)
To:
Office of Nuclear Reactor Regulation

NUCLEAR REACTOR LABORATORY
AN INTERDEPARTMENTAL CENTER OF MASSACHUSETTS INSTITUTE OF TECHNOLOGY

EDWARD S. LAU
Assistant Director of Reactor Operations
138 Albany Street, Cambridge, MA 02139-4296
Telefax No. (617) 324-0042
Tel. No. (617) 253-4211

In-Core Experiment Loops, Activation Analysis, Nuclear Medicine, NTD Silicon, Facility Tours, Education & Training

6 July 2017

U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Attn.: Document Control Desk

Re: License Amendment Request for upgrade of the Nuclear Safety System in the MIT Reactor Protection System, Docket No. 50-20, License R-37

The Massachusetts Institute of Technology hereby submits additional material to be placed on the docket, in followup to the 30 September 2014 License Amendment Request (LAR) and the 12 May 2016 additional material, for its Facility Operating License No. R-37. The requested amendment is for upgrade of the reactor's nuclear safety system in the Reactor Protection System with new analog instrumentation and digital neutron flux monitors.

This submittal contains the following two documents:

1) Scram Logic Card Modules (SLC)

2) Signal Distribution Module (SDM) (revision of a document submitted on 12 May 2016)

And the eleven drawings referenced by the Scram Logic Card Module document:

a) R3W-263-2 Rev. 0 Sheet 1 of 11, RPS Scram Logic Card Main Schematic
b) R3W-263-2 Rev. 0 Sheet 2 of 11, ESD and Surge Protection (SC2)
c) R3W-263-2 Rev. 0 Sheet 3 of 11, Channel Logic (SC3)
d) R3W-263-2 Rev. 0 Sheet 4 of 11, Channel Logic (SC4)
e) R3W-263-2 Rev. 0 Sheet 5 of 11, Channel Logic (SC5)
f) R3W-263-2 Rev. 0 Sheet 6 of 11, Channel Logic (SC6)
g) R3W-263-2 Rev. 0 Sheet 7 of 11, Alarm Latch (SC7)
h) R3W-263-2 Rev. 0 Sheet 8 of 11, Alarm Indicator (SC8)
i) R3W-263-2 Rev. 0 Sheet 9 of 11, 2 out of 4 (SC9)
j) R3W-263-2 Rev. 0 Sheet 10 of 11, 2 out of 4 (SC10)
k) R3W-263-2 Rev. 0 Sheet 11 of 11, Optocoupled Schmitt Trigger Filter Input (SC1)

None of the drawings or text in this submittal contains any proprietary information. All of it has had previous thorough discussion with the appropriate branch of NRC. This submittal establishes official documentation of the additional material.

Sincerely,

Edward S. Lau, NE
Assistant Director of Reactor Operations
MIT Research Reactor

I declare under penalty of perjury that the foregoing is tru

Executed on ________ (Date) ________ (Signature)

EL/st

Enclosures:

As stated.

cc:
USNRC - Senior Project Manager, Research and Test Reactors Licensing Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation
USNRC - Senior Reactor Inspector, Research and Test Reactors Oversight Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation

Q/A File #E-2012-1
Digital Upgrade for Nuclear Safety System
"Scram Logic Card Modules"

Description of the Scram Logic Card Modules

An identical pair of Scram Logic Cards housed in separate modules within the same NIM bin (NIM Bin #1 in Figure One) process the two-out-of-four scram logic decision independently in parallel. A scram decision and hence a scram signal output from either scram logic printed-circuit card will trigger the reactor's scram function, namely interrupting magnet current, dropping the shim blades by gravity into the reactor core, and thereby shutting down the reactor. The Scram Logic Cards are located downstream from the Signal Distribution Module which passes along DWK 250 trip signals and inputs them into both circuit cards simultaneously.

Figure One: Block Diagram of Nuclear Safety System with Integrated Support Modules

QA#-E-2012-1 6 JUL 2017

Each Scram Logic Card (SLC) is housed in a dedicated protective chassis that is constructed of standard industrial aluminum stock. Figures Two and Three show a spare SLC module that is identical to Scram Logic Cards #1 and #2. The printed-circuit card is constructed using standard industrial FR-4 board (composite material composed of woven fiberglass cloth with an epoxy resin binder), with the logic devices being high quality industrial discrete solid-state components, conforming to industrial quality standards for automotive electronics. The SLC modules do not contain a fan or any other moving parts.

Their operation is entirely analog using discrete solid-state components. The choice of all components on the circuit boards was determined in house; an ISO 9001-2008 certified electronic hardware manufacturer (Advanced Circuits) performed the printed-circuit board fabrication and card assembly. The cards were manufactured to certification IPC Class 2-A600, for dedicated-service electronic products requiring continued performance and extended life.

Figure Two: Scram Logic Circuit Card in a Scram Logic Card Module

The printed circuit board, as shown in Figure Two, has four layers which are electrically insulated from each other except at vertical interconnect access (VIA) points.

Most components are mounted on the top plane of the board, but a few small ones such as capacitors are on the bottom plane. The second plane from the top supplies power to the components, and the third, a ground plane, contains the return paths.


Power for the two SLC modules comes from a pair of 24V DC power supplies via the X14 connector of the Signal Distribution Module. The two 24V DC power supplies are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption.

The top plane of the board has two isolated regions which are distinguishable by their different shades of green. Components in the lighter green near the perimeter of the board are supplied directly by 24V DC power. The darker green inner area operates at 5V DC. All the logic executions take place in the darker area, with signals entering the region from the top and the bottom as seen on Figure Two, and logic output leaving the region on the left and the right.

The two voltage regions are isolated from each other electrically, connecting only via optical isolators (5V DC High Speed CMOS Optocouplers and High Collector-to-Emitter Voltage Optocouplers) and an isolated board-mount 24-volt to 5-volt, medically-qualified DC-DC converter. Throughout the circuit card, Zener diodes were used to convert 24V DC to 5V DC just upstream of the various optical isolators. Where necessary, pull-down resistors and current-limiting resistors are used to ensure binary signal clarity; surge-suppression diodes are used to protect the circuit card from electrostatic discharge (ESD).

Figure Three: Back and Front Views of Scram Logic Card Module

The scram logic was designed in house, as asynchronous sequential binary logic. Therefore, the circuits do not contain or use a clock. If only one of the four DWK 250 chassis outputs a trip signal, while the other three do not, the scram logic will not initiate a scram signal. This will prevent a reactor scram due to a false indication from only one channel, and therefore will improve system stability. It also allows for testing and calibration of a single channel at power without the need for a bypass device. If now another DWK 250 chassis also outputs a trip signal to the scram logic circuit, the coincidence logic will complete a decision and output a scram signal by de-energizing the circuit, thereby removing power from normally-energized relays in the magnet power supplies and the Withdraw Permit Circuit to produce a reactor scram. Therefore, two or more DWK 250 chassis outputting safety trips will result in a scram signal output by the scram logic circuit. Furthermore, if one DWK 250 is under test, powered off, or removed from service, any trip signal from one of the other DWK 250s will result in a scram.

The design process for the scram logic went as follows: A logic diagram for the scram voting logic was first developed on paper. It was then algebraically simplified as a Boolean expression, and converted back to a reduced logic diagram. This diagram was then verified and tested with logic simulator software. The logic diagram was further verified by programming the logic design into a field-programmable gate array (FPGA) development board, the DE0-Nano from Terasic. The FPGA was then tested with an input board built in-house that simulated all possible combinations of inputs from the four DWK 250s plus the 100 kW operation key-switch.

Once the logic diagram was completed, it was entered into circuit design software with integrated circuit (IC) components selected by the in-house design engineer, to produce a simulated logic circuit. This simulated circuit was then tested to verify correct operation.

After the circuit design was completed, printable circuit board (PCB) design software was used to lay out the components and wire traces in a set of two-dimensional areas to be stacked in four layers. The resulting circuit (Figure Four), in a Gerber-format (ASCII vector image) file, was sent to an intermediate manufacturer for fabrication of a prototype board. In-house testing of this prototype allowed adjustment of components, verification of voltage stability, and finalization of circuit design.

Once the final design and components were chosen, the layout was sent to the final manufacturer, Advanced Circuits, for fabrication of another prototype circuit card. This prototype card was tested in house, using the same voltage as the relay contacts from the DWK 250s. Several iterations of the prototyping processes occurred until the prototype satisfied all performance requirements, at which point five assembled copies of the final design were ordered from the manufacturer. One of the five cards received an independent visual inspection to ensure the logic components matched the parts list. When in-house testing and verification were completed satisfactorily on all five circuit cards, the cards were coated with conformal acrylic polymer for surface protection. One card was mounted in each of the two Scram Logic Card chassis, one in a spare SLC chassis, and two remain unmounted as spares.

Figure Four: Part of N.I. Ultiboard layout for compilation to a Gerber file - PCB-with-Components Prototype

Reactor Drawing R3W-263-2 "RPS Scram Logic Card" main schematic and sub-circuits (total of 11 sheets) contains the schematics of the Scram Logic Card. These schematics divide functions of the cards into ten sub-circuits (SCs):

1. SC1 - "Optocoupled Schmitt Trigger Filter Input (SC1)"

This input SC reduces the voltage from the 24V DC signals to 5V DC for the logic circuits, and de-bounces (damps any bouncing of) input signals during voltage/current transients.

2. SC2 - "ESD and Surge Protection (SC2)"

Provides ESD and surge protection to the circuit components on the PCB.

3. SC3 - "Channel Logic (SC3)"

Consolidates the 100 kW key-switch input and trip signals from DWK 250 Channel 1, and forwards the logic result to SC10. Also passes high power trip and channel trouble indications to the SC7 alarm latch.

4. SC4 - "Channel Logic (SC4)"

Consolidates the 100 kW key-switch input and trip signals from DWK 250 Channel 2, and forwards the logic result to SC10. Also passes high power trip and channel trouble indications to the SC7 alarm latch.

5. SC5 - "Channel Logic (SC5)"

Consolidates the 100 kW key-switch input and trip signals from DWK 250 Channel 3, and forwards the logic result to SC10. Also passes high power trip and channel trouble indications to the SC7 alarm latch.

6. SC6 - "Channel Logic (SC6)"

Consolidates the 100 kW key-switch input and trip signals from DWK 250 Channel 4, and forwards the logic result to SC10. Also passes high power trip and channel trouble indications to the SC7 alarm latch.

7. SC7 - "Alarm Latch (SC7)"

Latches the Schmitt-triggered trips from the DWK 250 channels, stores them until the corresponding channel reset pushbutton is depressed, and forwards the latched signals to SC9. Also initiates alarm signals for the LED Scram Display module.

8. SC8 - "Alarm Indicator (SC8)"

This output SC converts signal voltage from the 5V DC logic circuits to 24V DC for alarm indications, using optocouplers. It forwards the alarm signals for the LED Scram Display module.

9. SC9 - "2 out of 4 (SC9)"

Executes 2-out-of-4 coincidence logic based on all latched-in alarms, whether active or not yet reset. The outputs of SC9 and SC10 feed into two independent AND gates outputting to two independent solid state relays that drive the 24-volt relays in the magnet power supplies and the Withdraw Permit Circuit.

10. SC10 - "2 out of 4 (SC10)"

Executes 2-out-of-4 coincidence logic based on the outputs of the four channel logic SCs. Automatically resets once the DWK 250s are restored to normal operating conditions.

The outputs of SC9 and SC10 feed into two independent AND gates outputting to two independent solid state relays that drive the independent 24-volt relays in the magnet power supplies and the Withdraw Permit Circuit.

For logic operation related to scram decision-making, specifically in SC3, SC4, SC5, SC6, SC9, and SC10, five different types of Texas Instruments integrated circuit logic gate chips are used, ranging from 2-input to 4-input AND gates, plus OR-AND gates and AND-OR gates. All are qualified for automotive applications except the AND-OR gate. All have wide operating temperature tolerance (-40 C to 85 C or better). They all meet industrial standards for ESD protection.

There are a total of 29 inputs to each SLC. Each DWK 250 chassis produces eight binary outputs: High Power, Short Period, 100 kW High Power, Low Count Rate, Internal Fault, Test, High Power Warning, and Short Period Warning. The first six of these outputs go to the SLC as channel trip inputs. In total there are 24 trip inputs coming from the four DWK 250 chassis. Another four inputs to the SLC are resets, one for each channel, for the latched alarms coming from each DWK 250. The last input is from the key-operated switch on the <100 kW Key-Switch Module (KSM). A latched-in alarm will not clear until the corresponding channel's reset pushbutton is depressed on the LED Scram Display Module.

Holding down one or more of the reset pushbuttons does not prevent a scram; likewise the LED indicator lights will still illuminate to show the corresponding trip signals.

When the KSM's key switch is turned to <100 kW Operation, a signal indicating the key switch position is sent to the two SLCs. If reactor power reaches 100 kW, the DWK 250s will output 100 kW High Power trips, and the SLCs will interpret these as high power channel trips. So if two or more DWK 250s simultaneously output the trip, the SLC will generate a scram signal. When the KSM's key switch is turned to Full Power Operation, the 100 kW High Power trips will still be generated from the DWK 250s and will all reach the SLCs, but the key switch position will signal the SLCs not to interpret them as high power channel trips. If the KSM's key switch is turned to <100 kW Operation when reactor power is already above the 100 kW scram set point, the system will scram on high power on all four channels simultaneously.

There are a total of 21 outputs from each SLC. Two of the outputs feed the independent relays that de-energize the Withdraw Permit Circuit and the Magnet Power Supply modules in the event of a scram. Sixteen of the outputs feed trip indications to the LED Scram Display. The remaining three outputs feed indicator lights on the front of the SLC module.

The SLC's scram signal outputs are in 24V DC binary form to drive relays in the Withdraw Permit Circuit, in the Magnet Power Supply modules and Rundown Relay panel, and in the <100 kW Key-Switch Module. It is important to point out that the scram signal output is not a signal pulse that travels downstream along a transmission path. Instead, the system is always energized at 24 volts DC in the normal (no scram) operating condition.

When a scram "signal" is output, the system is actually de-energized to 0 volts, ensuring de-activation of all downstream modules and shutting down the reactor. In this way, any system failure that causes loss of signal will have the same result of a reactor scram.

Safety Evaluation

The Scram Logic Card (SLC) is designed with solid-state logic devices that operate at low voltage (5V DC) and with supporting components that operate at 24V DC. It is always in a powered state during normal operation. If a scram decision is made, it de-energizes, dropping power to 0 volts. If the SLC fails, it drops power to 0 volts, which is equivalent to a scram decision.

Failure Analysis

While failure of a qualified printed circuit board is rare, failure of individual components, particularly logic gates, would hamper logic decision-making. Logic gates can fail because of fast voltage transients, excessive heat buildup, oxide buildup, electrical over-stress, or electrostatic discharge. All of these conditions will cause the logic gate to fail open, either directly or in the form of a short circuit which will eventually burn through into an open circuit. This failure mode will resemble a scram decision.

However, it is known that logic components could fail in an energized condition. In this case, multiple logic pathways are used within each SLC to make redundant logic decisions. For instance, there is channel logic handling for trips from each DWK 250 channel. These channel trips are also latched on separate components. The channel logic output and the latched trips are fed to two independent 2-out-of-4 coincidence circuits. The outputs of the two coincidence circuits feed into two independent AND gates outputting to two independent solid state relays that drive the 24-volt relays in the magnet power supplies and the Withdraw Permit Circuit. Deactivation of any one of these coincidence circuits, AND gates, or solid state relays will suffice in producing a reactor scram. Finally, there are two identical Scram Logic Cards that process the trips from the DWK 250 channels.

Deactivation of either SLC will produce a reactor scram.

Redundancy and Independence

The two SLCs are each housed in their own aluminum chassis. Although they are mounted within the same NIM bin, their operations are completely independent, and do not interfere with each other. This multi-level redundancy and independence ensures a high degree of reliability in the operation of the Scram Logic Cards.

Component Isolation and Qualification

All logic operation takes place in a low-voltage environment (5V DC). The logic components are physically mounted in a low-voltage region on the PCB. This region is electrically isolated from the rest of the PCB. Signals input and output across this isolation boundary are handled by the use of optoisolators and optocouplers, and an isolated board-mount 24-volt to 5-volt DC-DC power converter. The optoisolators and optocouplers both make use of high-speed light emitting diodes (LEDs) and photoreceptor receivers, and accordingly act as one-way devices by nature of their construction. Both types have an operating temperature range of at least -40 C to 100 C. The use of these optical and isolation devices satisfies the protection requirement for the low-voltage components.

Each SLC uses two solid-state output relays - one to the Withdraw Permit Circuit and the other to the magnet power supplies. These relays use infrared LEDs to optically isolate their inputs, thereby ensuring the signal path is one-way only, to protect the SLCs. They have a fast switching speed from closed to open (maximum 0.5 milliseconds), and an operating temperature range of -40 C to 85 C.

All key components for logic operation are qualified for automotive applications, meeting industrial standards for electrical over-stress (EOS) and electrostatic discharge (ESD) protections, and allowing a wide range for operating temperature. Where necessary, diodes are used throughout the circuitry for surge suppression, and resistors to limit maximum current.

The SLCs receive their 24-volt power through the Signal Distribution Module (SDM) from two 24V DC power supplies which meet medical qualifications. These two power supplies are fed from a common 120V AC source, and have an internal fuse which will protect against surges that exceed 250V AC on that line. They also have an output overload that will trip at no more than 35V DC. In the unlikely event of an excessive line voltage surge, both power supplies will likely trip, interrupting power to the two SLCs, scramming the reactor.

Similarly, loss of off-site electrical power will shut down the SLCs, which are in a powered state during normal operation and have no internal battery backup. The SLC outputs a scram "signal" by de-energizing itself to 0 volts, thereby de-activating all downstream modules and shutting down the reactor.

Response Time Budget

The operation of the Scram Logic Cards is entirely bistable-based and asynchronous.

The voltage transition from 24V DC to the 5V DC logic is accomplished with analog components, and the scram voting utilizes asynchronous sequential logic. There is no microprocessor in the signal path and thus no scan time or cycle time. As a result, the longest signal transition time through the logic card is 0.19 milliseconds, as evaluated from component-level data sheets. The actual time as measured is only ~0.038 milliseconds.

Most of the time budget is for the isolation optocouplers passing input and output signals across the 24V DC / 5V DC boundary. This time budget is minuscule when compared to the opening times for the mechanical relays that interrupt shim blade magnet current, which are on the order of 15 milliseconds. The integrated system response time, which includes transit time across the SLCs and all other modules, is measured at no more than 500 milliseconds.

This was measured based on time from initiation of the trip signal at the Mirion DWK 250 to movement of each operable blade from its full-out position to its 80% inserted position, which per MITR Technical Specification 3.2.1.1 (b) must be less than one second.

Cybersecurity

Since there are no programmable or re-configurable logic elements in the SLCs, and no connections external to the nuclear safety system, the SLCs are not subject to cybersecurity threats.

Human Factors

Human interface with the SLC modules is minimized, with no switches or adjustable controls, and only three LED indicator lights on the front of each. (See Figure Three.) A green LED indicates that power is on, and two amber LEDs indicate normal (non-scrammed) conditions in Scram Loop A and Scram Loop B in the Withdraw Permit Circuit. During normal operation, all three indicators are lit. All external cable connections to the SLC modules will be labeled and color-coded. There are two external connections for each SLC module - an I/O cable with a DB50 connector, and an output NIM bin connector. It is not physically possible to interchange the input cable and output connector. Swapping of like I/O cables between the two SLC modules could cause incorrect LED displays but would have no impact on the scram functions. The color-coded labels improve human interface for purposes of installation and maintenance. Once the SLC modules are installed, there will be no regular human interface with them. They will be handled only by or under the supervision of licensed reactor staff. Since the maximum voltage in the modules is only 24V DC, electrical hazard to instrumentation personnel is minimal. Therefore, human factors engineering remains adequate.

The SLC modules will be mounted within the protective metal cabinets of the control room console. The console cabinets will provide the modules with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff.

The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

Environmental Conditions

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting of approximately 68 F (20 C). There is a temperature alarm with a setpoint no higher than 78 F (26 C) that is monitored whenever the reactor is operating, or is shut down with the control room attended. This air-conditioning control easily satisfies the operating requirements for all the components in the SLC modules.

If the air conditioning is off for an extended period of time while the reactor is operating, the instrumentation cabinet temperature rise may cause component malfunction. Since all the nuclear safety system support module circuits are normally closed and energized, and they open when there is a scram condition, a component malfunction will open a circuit and induce a scram. The control room containing the instrumentation cabinets is continuously attended by a licensed operator whenever the reactor is operating. There is a portable air conditioner available in the vicinity of the control room as a backup if the main system fails. Written protocols exist for operator response to a room temperature alarm condition, including shutdown should the adverse condition persist.

Pre-Operational Testing and Routine Surveillance

For pre-operational verification, the SLC modules were tested by simulating a trip condition for each combination of High Power, Low Count Rate, Short Period, Fault, and Test, to verify the cards initiated a scram condition for every combination of two parameters from any of the four DWK 250 channels. This test was completed in full power and <100 kW modes on both of the SLCs as well as the spare.

Routine functional verification of the SLC modules will be performed in the reactor startup checklists so that certain tests will be completed prior to every reactor startup. The startup checklists will test the SLCs by verifying the 2-out-of-4 logic for each parameter, but will not test each combination as described above. Example of startup checklist testing for the High Power trips is as follows:

High Power Trip Channels 1 and 2
High Power Trip Channels 1 and 3
High Power Trip Channels 1 and 4
High Power Trip Channels 2 and 3
High Power Trip Channels 2 and 4
High Power Trip Channels 3 and 4.

On the startup checklists, the same testing sequence will also be performed for Low Count Rate, Short Period, Fault, and Test, for a total of 30 such tests. The tests will each be satisfied by observing a scram signal is successfully output from the two SLCs in parallel.

These pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the scram logic circuits.
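The voting behaviour given in the SLC description and the 30-test startup checklist above can be checked against a truth-table model. The Python below is an added example, not MIT's design files or the R3W-263-2 schematic: the gate structure, the per-channel latch with set-dominant reset, and all function and trip names are assumptions reconstructed from the prose.

```python
from itertools import combinations, product

CHANNELS = (1, 2, 3, 4)
# The six DWK 250 outputs that the text routes to the SLC as trip inputs.
TRIPS = ("high_power", "short_period", "hp_100kw",
         "low_count_rate", "internal_fault", "test")


def channel_tripped(active, key_below_100kw):
    """Channel logic (role of SC3..SC6): any asserted trip counts, except that
    the 100 kW High Power trip counts only with the key switch at <100 kW."""
    return any(t != "hp_100kw" or key_below_100kw for t in active)


def two_of_four(votes):
    """Coincidence vote written as a count."""
    return sum(votes) >= 2


def two_of_four_sop(votes):
    """The same vote as a sum of products over the six channel pairs; used as
    an independent oracle for the count form."""
    return any(a and b for a, b in combinations(list(votes), 2))


class ScramLogicCard:
    """One SLC. Output True = 24 V energized (normal), False = 0 V (scram)."""

    def __init__(self, powered=True):
        self.powered = powered
        self.latched = dict.fromkeys(CHANNELS, False)

    def step(self, trips, key_below_100kw=False, reset=()):
        # trips: {channel: iterable of asserted trip names}; absent = no trip.
        live = [channel_tripped(trips.get(ch, ()), key_below_100kw)
                for ch in CHANNELS]
        for ch, hit in zip(CHANNELS, live):
            if hit:
                self.latched[ch] = True    # assumption: set dominates reset
            elif ch in reset:
                self.latched[ch] = False
        live_ok = not two_of_four(live)                       # SC10 role
        latched_ok = not two_of_four(self.latched.values())   # SC9 role
        # Both paths must agree for the output relay to stay energized.
        return self.powered and live_ok and latched_ok


def startup_checklist():
    """The routine tests: 5 parameters x 6 channel pairs."""
    params = ("high_power", "low_count_rate", "short_period",
              "internal_fault", "test")
    return [(p, pair) for p in params for pair in combinations(CHANNELS, 2)]


def run_startup_checklist():
    """Return the checklist entries that failed to de-energize a fresh card."""
    failed = []
    for param, pair in startup_checklist():
        if ScramLogicCard().step({ch: [param] for ch in pair}):
            failed.append((param, pair))
    return failed


def verify_single_trip_space():
    """Every pattern with at most one asserted trip per channel, in both key
    positions (7**4 * 2 cases). Returns (cases checked, mismatches)."""
    options = (None,) + TRIPS
    cases, mismatches = 0, []
    for key in (False, True):
        for combo in product(options, repeat=4):
            trips = {ch: [t] for ch, t in zip(CHANNELS, combo) if t}
            votes = [t is not None and (t != "hp_100kw" or key) for t in combo]
            expect_scram = two_of_four_sop(votes)
            energized = ScramLogicCard().step(trips, key)
            cases += 1
            if energized == expect_scram:   # energized must equal "no scram"
                mismatches.append((key, combo))
    return cases, mismatches


if __name__ == "__main__":
    print("startup tests:", len(startup_checklist()),
          "failed:", run_startup_checklist())
    print("exhaustive single-trip check:", verify_single_trip_space())
    card = ScramLogicCard()
    print("one channel under test, energized:", card.step({1: ["test"]}))
    print("plus a second channel trip, energized:",
          card.step({1: ["test"], 3: ["short_period"]}))
```

The latched path is what makes a stale, un-reset trip on one channel combine with a later trip on another; the live path is what keeps a held reset pushbutton from masking a real coincidence.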


RTN +24V lsolated_lnputs SC3 CH_1 SC7 Latched_Alarms IOI I06 n: I07

!(')  ! JB IOI I--~ ~ re:,

I05 I015 D5 ro 1 0 1016 D4002BM96 Il'.*'?

1011 Dl2 IC17 l'.)18 U1B Latched_2

~~t:=~ I')l5 ~~g !JD 1014 10:4 10:5 1C19 r:i:G

!017 121:* ro:~

IOl 9 10:1 !OJ) ro.:1 ro::  !')) ~

CD4002BM96 IV::J I*J.:J 1035

!C'.25 rc*.:1 SC4 CH 2

- ro:a 10:3 IOJti Latched_3 r0:9 I'::l i:6 IJJO

[j) l  : o: F>'? 1031 IO:D 103 1010 1032

!035 [04

!037 105 IOJ9 106

~~~~~~~~~~~~~~~~~II041 101 IO.t3 CD4002B"'t13tched 4

!045 Logic Alarm_Latch IQ47 U2B -

IO~ 9 I051 I05 3

~=t:~

1055 IC*57 c __ _ ___J scs CH 3 101 !O~

10: IU9 CD4002BM96 103 101(>

104 105 IOI';

IO' sea Logic SC6 CH 4 IO! toe ro: 109

!OJ IOlO

! C*4 105 106

!01 Channe1_L ogic Alarm_ Indicator RTN Binary_ Outputs J4 ESD and Surge Protection

+24V RTN Vee Capacitors C76 to C126 U4 Latched_ 1 are 0.1-µF bypass capacitors J3 SC9 C1 C2 ASSR-1611-001E fo r the logic ICs and are not 105 106 u.i..1o=,......u +24V WPC shown in this schematic H

2_ outof_ 4 HDR1X4 HDR1X6 Front Panel lndiciation Scram Outputs

Title:

RPS Scram Logic Card Main Schematic 105 106 RPS Scram Logic Card Designed by: Shawn W. Hanvy Document N: R3W~ 263*2 Revision :

2_outof_4 Olecked by: Dane Kouttroo Date: 5/3/2017 Size : B GND Approved by: Sheet of 11

l

+24V +24V +24V 107 016 1011 1021 017 1028 1036 018 V+ 16 i~~ IN~;

[Schematic sheets, RPS Scram Logic Card, Document No. R3W-263-2, Revision 0. Designed by: Shawn W. Hanvy. Checked by: Dane Kouttron. Date: 5/3/2017. Only title-block text and legible part labels are listed.]

Sheet 2 of 11: ESD and Surge Protection (SC2). Size A. Legible part labels: SP720ABTG, SP721ABTG.

Sheet 3 of 11: Channel_Logic (SC3). Size A. Legible part label: SN74AHC1G08QDBVRQ1.

Sheet 4 of 11: Channel_Logic (SC4). Size A. Legible part label: SN74AHC1G08QDBVRQ1.

Sheet 5 of 11: Channel_Logic (SC5). Size A. Legible part label: SN74AHC1G08QDBVRQ1.

Sheet 6 of 11: Channel_Logic (SC6). Size A. Legible part label: SN74AHC1G08QDBVRQ1.

Sheet 7 of 11: Alarm_Latch (SC7). Size A. Legible part labels: SN74LVC2G14-Q1, 4043BT.

Sheet 8 of 11: Alarm_Indicator (SC8). Size B. Legible part labels: PS2833-4, 100 kΩ resistors.

Sheet 9 of 11: 2_outof_4 (SC9). Size A. Legible part label: SN74LVC1G0832DBVR.

Sheet 10 of 11: 2_outof_4 (SC10). Size A. Legible part label: SN74LVC1G0832DBVR.


Q/A File #E-2012-1

Digital Upgrade for Nuclear Safety System "Signal Distribution Module"

Description of the Signal Distribution Module

The Signal Distribution Module (SDM) is a passive interface circuit between the DWK 250 digital neutron flux monitors and all components downstream. As can be seen in schematic diagram R3W-256-2 Rev. 1.4, and circuit board diagram R3W-258-3 Rev. 2, the SDM has a total of thirteen connections. In terms of signal flow, four of those connections are strictly input (signal coming from each of the four DWK 250 units), seven are input/output bidirectional, and two are strictly output. The following is a list of the connectors as they are labeled:

1. X10: Receives signal from DWK 250 channel #1.
2. X11: Receives signal from DWK 250 channel #2.
3. X12: Receives signal from DWK 250 channel #3.
4. X13: Receives signal from DWK 250 channel #4.
5. X14: Receives power from two 24-volt DC power supplies which are set up in parallel, connected via an auctioneering diode array, so that if one fails, the other will take over without interruption. The X14 connector then passes 24-volt DC power as output to three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the <100 kW Key-Switch Module. The X14 connector also passes the 24-volt DC power via connectors X10 through X13 to energize the output (scram/alarm) relays of the four DWK 250 channels. (The DWK 250 output relays are electrically isolated from the internal circuitry of the DWK 250, and rely on an external power source for their operation.)
6. X15: Passes signals from the four DWK 250 channels to Scram Logic Card 1. The X15 connector receives signals back from Scram Logic Card 1 and routes them to other non-safety-related monitoring and display devices.
7. X16: Passes signals from the four DWK 250 channels to Scram Logic Card 2. The X16 connector receives signals back from Scram Logic Card 2 and routes them to other non-safety-related monitoring and display devices.
8. X17: Passes signals to and from the <100 kW Key-Switch Module.
9. X18: Passes signals to and from an LED Scram Display module, which captures scram signals from any of the four DWK 250 channels via the Scram Logic Cards, and keeps them latched in until the Scram Display module is used to reset the two Scram Logic Cards. (Once the scram condition no longer exists, the DWK 250 will not show what the scram was.)
10. X19: Passes analog signals from the four DWK 250 channels to existing console chart recorders and meters.
11. X20: Passes signals from the rear input/output terminal blocks of the four DWK 250 channels to and from a breakout module containing four 9-pin RS-232 ports (one per channel), plus a 15-pin RS-232 port that can interact with all four smaller ones. The breakout module will be secured from unauthorized access.
12. X21: Passes signals from all inputs of the SDM to a non-safety-related programmable logic controller (PLC) for monitoring and status display.
13. X41: Passes signals from all four DWK 250 channels to a Drop Timer Interface Module, which in turn passes a signal to activate the Blade Drop Timer. This setup will measure the scram time from initiation of a scram signal to 80% insertion of a shim blade. The Drop Timer Interface Module conditions a binary signal for compatibility with the previously-existing Blade Drop Timer, and includes optical isolation of the SDM from the Blade Drop Timer. The Drop Timer Interface Module and the Blade Drop Timer are mounted in separate "NIM bin" racks. The Blade Drop Timer in its own NIM bin receives 12 volts DC from an independent power source.

Safety Evaluation

The Signal Distribution Module (SDM) is a new passive circuit board which facilitates passing of signals between various components of the new nuclear safety system.

If the board fails, such as by physical damage or other disruption to a scram signal path between a DWK 250 and the Scram Logic Cards, there will be a loss of the signal, thereby causing the Scram Logic Cards to produce a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

Because the SDM is a passive circuit board, it does not include any optical isolators.

However, there are optical isolators built into Scram Logic Card 1, Scram Logic Card 2, the Drop Timer Interface Module, and the PLC panel.

The connection to the two 24-volt DC power supplies only passes power to the two Scram Logic Cards and the <100 kW Key-Switch Module. The SDM board does not use the power for its own functions. The two power supplies are fed from a common 120-volt AC source, and have an internal fuse which will protect against surges that exceed 250 volts AC on that line. They also have an output overload that will trip at no more than 35 volts DC. In the unlikely event of an excessive line voltage surge, both power supplies will likely trip to protect themselves, interrupting power to the two Scram Logic Cards, scramming the reactor.

If the surge affects the SDM board directly, it will create physical damage as described above, again resulting in a reactor scram.


Signals input to the SDM board from the two Scram Logic Cards are passed along to other display and status monitoring devices. If the board should be damaged in these areas, there is no effect on nuclear safety. The console operator may observe a partial loss of indications of reactor power and reactor period, but will not receive false information. There are redundant displays of reactor power and period, such as on the face of each DWK 250 chassis, that will remain operable. There are also four existing independent non-safety-related neutron flux channels or N-16 gamma channels displaying reactor power. Likewise, loss of signal output from the SDM to existing console chart recorders and meters has no effect on nuclear safety. There is redundant recording of reactor power history from the non-safety-related neutron flux channels.

Signals to and from the RS-232 breakout box will be lost should the SDM board be damaged. However, this again has no nuclear safety consequence. The breakout box allows access to each of the four DWK 250 channels to set adjustable parameters by computer.

Such adjustments are done only by authorized individuals, and only when the channel is off line or the reactor is shut down. The box has a cover and is secured when not in use. The computer used for this purpose is a standalone unit and is not connected to the internet. The interface software is provided by the manufacturer of the DWK 250s. Therefore cybersecurity is maintained.

The SDM will be bench-assembled on one circuit board in a controlled environment.

The new board will then be connected to the rest of the new nuclear safety system while everything is de-energized. The module will be constructed with standard industrially-rated components. The two 24-volt DC power supplies meet medical qualifications. The SDM contains no digital components, and is therefore not subject to cybersecurity threats.

The SDM will be mounted within the protective metal cabinets of the control room console. The console cabinets will provide the module with physical defense, including against seismic disturbance. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the Physical Security Plan. Therefore, access control and configuration control are assured.

The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

This air-conditioning control easily satisfies the operating requirements for all the components in the SDM board.

All cables to the SDM and cable connection points on the SDM will be labeled, as will the circuit board. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interface with the SDM board. It will be handled only by or under the supervision of licensed reactor staff. Therefore, human factors engineering remains adequate.


The SDM contains a continuity wiring feature that recognizes when each DWK 250 is connected to its correct connector on the SDM. Specifically, DWK 250 Unit 1 is supposed to connect to X10 via cable K-10, DWK 250 Unit 2 to X11 via cable K-11, DWK 250 Unit 3 to X12 via cable K-12, and DWK 250 Unit 4 to X13 via cable K-13. If a cable is unplugged, or plugged into the wrong connector, the continuity circuit will report the misconfiguration via a fault message on the PLC that handles safety system monitoring and status display.

The same error message will be generated by the PLC if this continuity circuit fails open.

A dummy cable plug will take the place of a DWK 250 chassis in cases where one chassis is physically removed for repair/maintenance. The absent chassis will appear as a trip signal on the Scram Logic Cards. If any one of the remaining three chassis should output a trip signal, then the Scram Logic Cards will produce a scram signal. The purpose of the dummy plug is merely to allow the continuity circuit to continue to verify that the three remaining chassis are connected to their correct connectors.
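The continuity check and the fail-safe treatment of an absent chassis described above can be modelled in a few lines of Python. This is an added illustration, not part of the MIT submittal or its design files: the class and function names and the `DUMMY` label are hypothetical, and the 2-out-of-4 voting threshold is an assumption taken from the SC9/SC10 drawing titles.

```python
from dataclasses import dataclass
from typing import Optional

# Connector -> cable pairing as stated in the text (X10/K-10 ... X13/K-13).
EXPECTED_CABLE = {"X10": "K-10", "X11": "K-11", "X12": "K-12", "X13": "K-13"}
DUMMY = "DUMMY"       # constructed label for the dummy cable plug
VOTE_THRESHOLD = 2    # assumption: 2-out-of-4, from the SC9/SC10 drawing titles


@dataclass
class Channel:
    plugged: Optional[str]   # cable seen at the connector, DUMMY, or None
    healthy_signal: bool     # True only while the DWK 250 asserts "no trip"


def continuity_fault(channels, loop_intact=True):
    """PLC fault message: open loop, unplugged cable, or wrong connector."""
    if not loop_intact:
        return True          # a fail-open continuity circuit raises the same fault
    return any(ch.plugged != DUMMY and ch.plugged != EXPECTED_CABLE[conn]
               for conn, ch in channels.items())


def channel_tripped(ch):
    """Fail-safe input: anything short of a live healthy signal counts as a trip."""
    if ch.plugged is None or ch.plugged == DUMMY:
        return True          # an absent chassis appears as a trip
    return not ch.healthy_signal


def scram(channels):
    """Vote across the four channels."""
    return sum(channel_tripped(ch) for ch in channels.values()) >= VOTE_THRESHOLD


def evaluate(channels, loop_intact=True):
    return {"plc_fault": continuity_fault(channels, loop_intact),
            "scram": scram(channels)}


def normal_lineup():
    """All four chassis on their own cables, none tripped (constructed input)."""
    return {conn: Channel(cable, True) for conn, cable in EXPECTED_CABLE.items()}
```

With one chassis replaced by the dummy plug, the model reports no PLC fault and no scram, but a single further trip is enough to scram, which is the reduced margin the paragraph above describes.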

The new SDM board will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system.

Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.

QA#-E-2012-1 6 JUL 2017