| ML17283A142 | |
|---|---|
| Site: | MIT Nuclear Research Reactor |
| Issue date: | 10/30/2017 |
| From: | Patrick Boyle Research and Test Reactors Licensing Projects Branch |
| To: | Queirolo A Massachusetts Institute of Technology (MIT) |
| Boyle P, NRR/DLP, 415-3639 | |
October 30, 2017

Mr. Alberto Queirolo
Director of Reactor Operations
Massachusetts Institute of Technology
Nuclear Reactor Laboratory Research Reactor
138 Albany Street, MS NW12-116A
Cambridge, MA 02139

SUBJECT: MASSACHUSETTS INSTITUTE OF TECHNOLOGY - REGULATORY AUDIT REPORT FOR NUCLEAR SAFETY SYSTEM UPGRADE LICENSE AMENDMENT REQUEST

Dear Mr. Queirolo:
By letter dated September 30, 2014, as supplemented by letter dated May 12, 2016 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML14282A039 and ML16139A786, respectively), the Massachusetts Institute of Technology (MIT) submitted an application to amend the MIT license (application) as part of the upgrade of the Nuclear Safety System (NSS) for the MIT Reactor (MITR).
The U.S. Nuclear Regulatory Commission (NRC) staff conducted an onsite regulatory audit to review the MITR NSS upgrade application on July 24-26, 2017. The intent of the audit was to gain understanding of your application and status of your facility. In addition, the regulatory audit identified information that will be required to be docketed in order to support the basis of the licensing decision and will allow the NRC staff to more efficiently gain insights on the MITR NSS custom built components. The request for additional information related to this audit report is in ADAMS under accession number ML17237B992 and will become publicly available after it is sent to you as an official agency record.
The NRC staff has provided a copy of the audit report as an enclosure to this letter. We appreciate your support in providing space, the requested documentation and access to the necessary personnel and other materials that assisted in an efficiently conducted audit.
Should you have any questions on this matter, please contact me at 301-415-3936 or by e-mail at Patrick.Boyle@nrc.gov.
Sincerely,
/RA/
Patrick G. Boyle, Project Manager
Research and Test Reactors Licensing Branch
Division of Licensing Projects
Office of Nuclear Reactor Regulation

Docket No. 50-20
License No. R-37

Enclosure:
As stated

cc: w/enclosure: See next page
Massachusetts Institute of Technology
Docket No. 50-83

cc:

City Manager
City Hall
Cambridge, MA 02139

Department of Environmental Protection
One Winter Street
Boston, MA 02108

Mr. Jack Priest, Director
Radiation Control Program
Department of Public Health
529 Main Street
Schrafft Center, Suite 1M2A
Charlestown, MA 02129

Mr. John Giarrusso, Chief
Planning and Preparedness Division
Massachusetts Emergency Management Agency
400 Worcester Road
Framingham, MA 01702-5399

Test, Research and Training Reactor Newsletter
P.O. Box 118300
University of Florida
Gainesville, FL 32611-8300

Ms. Sarah M. Don, Reactor Superintendent
Massachusetts Institute of Technology
Nuclear Reactor Laboratory Research Reactor
138 Albany Street, MS NW12-116B
Cambridge, MA 02139
ML17283A142; *concurred via e-mail NRR-106

| OFFICE | NRR/PRLB/PM | NRR/PRLB/LA | NRR/EICB/BC | NRR/PRLB/BC | NRR/PRLB/PM |
|---|---|---|---|---|---|
| NAME | PBoyle | NParker | MWaters | AAdams | PBoyle |
| DATE | 10/12/2017 | 10/12/2017 | 10/18/2017 | 10/26/2017 | 10/30/2017 |
Enclosure

NUCLEAR REGULATORY COMMISSION
INSTRUMENTATION AND CONTROL BRANCH
REGULATORY AUDIT REPORT FOR MASSACHUSETTS INSTITUTE OF TECHNOLOGY NUCLEAR SAFETY SYSTEM REPLACEMENT
JULY 24-26, 2017, CAMBRIDGE, MA

Background
The U.S. Nuclear Regulatory Commission (NRC) staff is currently engaged in a review of the Massachusetts Institute of Technology (MIT, the licensee) request to upgrade the reactor's nuclear safety system (NSS) portion of the Reactor Protection System (RPS). By letter dated September 30, 2014, as supplemented by letters dated May 12, 2016 and July 6, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML14282A039, ML16139A786, and ML17193A188, respectively), MIT submitted this request. MIT also incorporated by reference letters dated November 18, 2013, and June 6, 2014 (ADAMS Accession Nos. ML13339A343 and ML14161A035, respectively).
The proposed upgrade of the NSS will replace the current six channels (three for reactor period and three for reactor power level, any one of which will trip the reactor). The new system will contain four channels, each of which monitors both the reactor period and the reactor power level. The new system will trip the reactor when a scram input from two separate channels occurs at the same time (concurrently). Requiring two channels for a reactor trip is also called two-out-of-four scram logic, which is different from the existing one-out-of-three scram logic utilized by the RPS. This regulatory audit was intended to assist NRC staff in confirming information submitted as part of the license amendment request (LAR).
During the review of the LAR, several open items were identified (ADAMS Accession No. ML17170A271). These open items were transmitted to MIT prior to the audit, and were included as part of the audit plan (ADAMS Accession No. ML17177A189).
Regulatory Audit Basis
The NRC staff reviewed the licensee's amendment application, as supplemented, to ensure that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) activities proposed will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. The NRC staff considered the following during its review of the proposed changes.
Title 10 of the Code of Federal Regulations (10 CFR), Part 50, "Domestic Licensing of Production and Utilization Facilities," provides the regulatory requirements for licensing of non-power reactors.
Section 50.34(a)(7), requires each applicant for a construction permit to build a production or utilization facility to include, in its preliminary safety analysis report, a description of the quality assurance (QA) program to be applied to the design and construction of the structures, systems, and components of the facility. Furthermore, Section 50.34(b)(6)(ii) requires that each applicant for a license to operate a facility include, in the final safety analysis report, a description of the managerial and administrative controls to be used to ensure safe operation.
Section 50.36, "Technical specifications," requires that each applicant for a license authorizing operation of a production or utilization facility include in his application proposed technical specifications (TSs).
On November 6, 2015, the NRC published in the Federal Register (80 FR 70850) draft interim staff guidance (ISG) to Chapter 7, "Instrumentation and Control," of NUREG-1537 Part 1 and Part 2 (ADAMS Accession Nos. ML17248A545 and ML17248A546, respectively). The draft ISG updates and expands the content of Chapter 7 of NUREG-1537, Part 1 and Part 2, respectively, and provides revised guidance to the licensee for preparing applications and to the NRC staff for reviewing applications for instrumentation and control systems. This guidance was used for evaluating this LAR.
Audit Activities
The NRC audit team, consisting of Rossnyev Alvarado and Norbert Carte from the Office of Nuclear Reactor Regulation (NRR) Instrumentation and Control Branch, Duane Hardesty from the NRR Research and Test Reactors Licensing Branch (PRLB), Michael Shinn and Timothy Marshall from the Office of Nuclear Security and Incident Response (NSIR), and Michael Muhlheim, a Department of Energy contractor from Oak Ridge National Laboratory, visited the MIT Nuclear Reactor Laboratory, which includes the MIT reactor (MITR-II), on July 24-26, 2017, to perform the regulatory audit. The NRC staff performed the regulatory audit in accordance with the audit plan.
The following activities were performed during this audit:
1. Entrance Meeting
At the entrance meeting, NRC staff explained the goals and objectives for the audit, as well as the process to be followed to conduct it. NRC staff noted that the design of the Mirion channels was not part of the scope of this audit, since this information was docketed. Facility logistics and a detailed audit schedule were discussed. In addition to the audit team, Alexander Adams Jr., Chief of PRLB, and Ed Helvenston, PRLB project manager, also attended the entrance meeting.
The MIT Assistant Director of Reactor Operations introduced a number of MIT Nuclear Reactor Lab staff, including design engineers, reactor operators, and QA manager, among others.
As part of the meeting, MIT and NRC staff discussed the schedule for completion of the safety evaluation and license amendment. In particular, the MITR-II Director asked NRC staff for a more realistic schedule for this review; he stated that it has taken a long time to get the amendment approved. NRC staff explained that if all open items identified could be successfully closed during the audit, and no conflicts with higher priorities arise, NRC staff would finalize its review and issue a license amendment by the end of the year.
2. MIT Nuclear Reactor Lab Tour and Demonstrations
After the entrance meeting, MIT staff gave a tour of their nuclear reactor lab, including a tour of the control room. In the control room, MIT staff showed the proposed system, simulation system for testing, and future location of the NSS components, with the exception of the Mirion DWK 250 neutron channels, which were already installed in their final location.
Technical Evaluation
Quality Assurance
Section 50.34(a)(7), requires each applicant for a construction permit to build a production or utilization facility to include, in its preliminary safety analysis report, a description of the QA program to be applied to the design and construction of the structures, systems, and components of the facility. It is expected that new (e.g., replacement) systems and components meet these same criteria.
Furthermore, Section 50.34(b)(6)(ii) requires that each applicant for a license to operate a facility include, in the final safety analysis report, a description of the managerial and administrative controls to be used to ensure safe operation.
Furthermore, by letter dated September 30, 2014, MIT stated, "The MITR Quality Assurance program applies to all equipment used for the RPS and for its upgrade."
The MITR-II, Administrative Procedures, Chapter 1, describes the QA program in Section 1.13.
This QA program ensures managerial verification on each stage of the design, fabrication, installation, operations and maintenance, including the writing of related procedures for all reactor systems or equipment, as well as a complete and accurate record of each step in the program.
To perform equipment changes, the QA program refers to Section 1.4, which describes the procedure for changes to plans, procedure, and equipment. This procedure requires that MIT staff create a QA Approval Requirements Checklist for any change. This checklist identifies the documents that need to be created or modified for the change (e.g., system requirements).
For the NSS, MIT staff created a checklist to identify all documents associated with the modification and replacement of the NSS system. However, it was not clear how the documents listed in the checklist could be traced to the documents created for the NSS system.
For example, the checklist lists the system specification. This item was signed as complete.
When NRC staff asked MIT staff which document is the system specification, MIT staff noted that it probably refers to the modified Chapter 7 of the MITR-II safety analysis report, which was submitted with the license amendment. Therefore, the NRC staff finds the link between the documents listed in the checklist and project documents is not clearly identified. Also, it was not clear to the NRC staff how design modifications to the system were recorded in the checklist since the date for the document represents the initial issue of Chapter 7, when the initial amendment was submitted to the NRC, and when additional changes to Chapter 7 were made, these were not recorded on the checklist.
During this discussion, the QA manager noted that the QA program was revised, but the checklist was not modified to match the changes to the QA program. So for the NSS replacement, MIT staff is using a checklist that is inconsistent with the requirements identified in the revised QA program. For example, the checklist identifies test procedures and then test results as documents to be created. For the NSS replacement, the checklist showed the test results completed (signed and dated), but the prerequisite item for the test procedure was not completed. The description in the revised MIT QA program, regarding the test results, states that MIT should reflect the results from performing the approved test procedure. Therefore, the NRC staff finds that MIT staff are not following their revised QA program to complete this checklist.
Based on these observations, the MIT QA program is not being followed for the NSS components developed by the MIT staff. Furthermore, it is not clear how certain aspects of the MIT QA program were being followed. Therefore, NRC staff could not determine if these NSS components were uniformly developed by the MIT staff consistent with the MIT QA program specified in the LAR. Note that the neutron channels were developed in accordance with the Mirion QA program and procedures. The Mirion neutron channels were not reviewed during the audit, since MIT docketed all their information as supplemental material to the license amendment.
The NRC staff has identified Open Item #1 to request MIT to provide a summary description of its QA program as applied to the NSS design modification and how the MIT staff has implemented its QA program for this project. In addition, MIT should provide examples (e.g., records) that demonstrate adherence to its QA program.
Neutron Detectors
The NSS upgrade includes installation of four new Mirion fission chamber detectors placed in existing ports around the reactor. Also, all four Mirion DWK 250 neutron channels are installed in the control room. MIT staff explained that two of the four channels are already being used with the current system. MIT staff performed an evaluation under 10 CFR 50.59, "Changes, tests and experiments," to make use of two of the four detectors. MIT is using the unbiased values from these two channels. The unbiased value provides a pass through of the detector signal without any conditioning by the DWK-250 channel. The NRC staff reviewed the 10 CFR 50.59 evaluation for the new neutron detectors and monitors, and did not identify any discrepancies.
The Mirion DWK 250 includes an RS-232 communication port to adjust parameters, such as calibration settings. MIT staff stated this port is currently physically disabled. However, MIT staff expressed the need to use this communication and a dedicated data acquisition computer to adjust parameters. NRC staff identified Open Item #17 to request this information.
In the license amendment, MIT describes the use of a dummy cable plug that will take the place of a DWK 250 chassis during channel maintenance or repair. MIT staff explained that the purpose of the dummy cable plug is merely to allow the continuity circuit to continue to verify that the three remaining chassis are connected to their correct connectors. During operation, the dummy plug will force a trip signal on the Scram Logic Cards (SLCs). If any one of the remaining three chassis should output a trip signal, then the SLCs will produce a scram signal.
To review and approve the use of the dummy cable, NRC staff requires additional information.
Therefore, NRC staff has identified Open Item #5 to request MIT explain how the RS-232 port is going to be used and controlled and to identify the test procedures that will include it.
Testing of Mirion DWK 250 Neutron Channels
During the audit, MIT staff provided the test procedures and test results for the factory acceptance testing (FAT) of the Mirion DWK 250 neutron channels. This FAT testing was based on a simulated input of the detectors (i.e., testing that included detectors in a radiation field was not performed). The DWK 250s were successfully tested. Subsequently, the Mirion DWK 250s were delivered, tested with the associated detectors in the target radiation environment, and associated adjustable parameters were set appropriately; these test procedures and results were reviewed as part of the audit.
System Descriptions and Operations - MIT Developed Components
For the NSS system, MIT developed or modified the following components in-house:
- Signal Distribution Module (SDM),
- Scram Logic Cards,
- <100 [kilowatt] (kW) Key Switch Module (KSM),
- Safety System Monitoring and Status Display (Programmable Logic Controller (PLC)),
- Light Emitting Diode (LED) Scram Display Panel,
- Drop Timer Interface Module,
- Magnet Power Supplies,
- Rundown Relay Circuit, and
- Withdraw Permit Circuit (WPC).
As part of the review, NRC staff reviewed the system description, logic diagrams, and testing results to verify that the system requirements were properly implemented to determine if the NSS will perform its safety functions as defined in the MIT TSs.
MIT docketed a description and operation of the components developed in-house. However, during the audit, NRC staff noted that the information docketed (e.g., system description and logic schematics) was not the latest revision that describes these components as reviewed at the audit. For example, MIT docketed R3W-256-2, DWK Safety System Global Connection Diagram, Revision 1.4, but MIT staff was using Revision 1.6. Furthermore, the NRC staff found there were modifications made to the physical system that were not reflected in the audited documents. Below are brief descriptions of the information reviewed by the NRC staff for the components developed by MIT.
In addition, NRC staff identified Open Item #2 to request MIT to provide the final and complete system descriptions and logic diagrams of all NSS components developed by MIT.
Signal Distribution Module
For the discussion of the SDM, MIT staff used Drawing R3W-256-2, DWK Safety System Global Connection Diagram. However, during the audit, NRC staff noted that the version docketed (1.4) was different than the version available for the audit (1.6). Using the new version, MIT staff described operation of the SDM and input/output (I/O) signals. During this discussion, it became apparent to the NRC staff that Revision 1.6 did not include all I/O signals or show all connections to the NSS components. For example, the connections: (1) between SDM and the PLC and (2) KSM to PLC were not included in the drawing because they resulted from the latest modification to the system, which, at the time of the audit, had not been recorded by MIT staff in the system description or signal diagram.
The docketed SDM description states that signals from the four DWK 250 channels to and from the RS-232 breakout box allow access to each of the four DWK 250 channels to set adjustable parameters by a computer. However, during the audit, MIT staff noted that a final decision has not been made about using the RS-232 port in the DWK 250s and they were not certain if the RS-232 breakout box will be used. To complete the SDM review, the NRC staff requires additional information on the use of the dummy cable and the breakout box. Therefore, NRC staff identified Open Item #11 to request information about the breakout box and Open Item #17 to request information about the dummy cable. During the audit, MIT staff demonstrated how the SDM works.
Scram Logic Card
For the SLC discussion, MIT staff used the supplemental information provided on July 6, 2017. MIT staff described the logic diagram and operation of the SLC to the NRC auditors. In addition, MIT staff described the operation of the SLC for the KSM's operating mode.
After this discussion, MIT staff demonstrated operation of a spare SLC, including operation during the selection of the two different KSM modes. MIT staff also simulated operation of the SLC in the control room. During this demonstration, MIT staff used the DWK 250 test condition scram bypass key switch. This switch was installed after MIT staff performed integration of the NSS components. MIT staff stated this key switch is necessary to test the DWK 250s.
Specifically, when the key switch is not used, and a test signal is generated from a DWK 250, a trip signal is generated. So if a second DWK 250 generates another test signal, this will generate a scram signal (i.e., completing the two-out-of-four logic in the SLC for the scram). By using the key switch, MIT staff can bypass the test signal from the first DWK 250 tested.
However, MIT staff explained and demonstrated that if a fault is generated (while the test signal is bypassed), the DWK 250's failure signal will not be bypassed; instead, it will be indicated in the LED Scram Display Panel and a trip signal for that DWK 250 will be generated and input to the SLC.
Since the addition of the DWK 250 test condition scram bypass resulted from testing, the docketed documents do not include information about this key switch. To review and approve the use of the key switch, NRC staff requires additional information. Therefore, NRC staff has identified Open Item #10 to request this information.
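The voting behaviour described in this section, together with the dummy cable plug case described under Neutron Detectors, can be followed in a small model. This is an added illustration, not MIT's or the NRC's design: the SLCs are hardware, all names below are hypothetical, and it assumes that the key switch masks the test signal of one selected channel and that a genuine period or power trip on that channel is not masked.

```python
"""Simplified model of the two-out-of-four scram voting described in the report.

Added illustration only: names are hypothetical and the real Scram Logic
Cards (SLCs) are hardware, not software.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NUM_CHANNELS = 4
VOTES_TO_SCRAM = 2  # two concurrent channel trips produce a scram


@dataclass
class Channel:
    """Inputs one DWK 250 channel presents to an SLC."""
    trip: bool = False         # period or power level trip condition
    test_signal: bool = False  # test signal generated while the channel is tested
    fault: bool = False        # channel failure signal
    dummy_plug: bool = False   # chassis removed, dummy cable plug fitted


def channel_trip(ch: Channel, test_bypassed: bool) -> bool:
    """Return True if this channel contributes a trip vote."""
    if ch.dummy_plug:
        return True   # the dummy plug forces a trip signal on the SLCs
    if ch.fault:
        return True   # the failure signal is not masked by the test bypass
    if ch.trip:
        return True   # assumption: a genuine trip is not masked either
    return ch.test_signal and not test_bypassed


def slc_vote(channels: List[Channel],
             bypassed: Optional[int] = None) -> Tuple[bool, List[bool]]:
    """Return (scram, per-channel votes).

    `bypassed` is the index of the channel whose test signal the key switch
    masks (assumption: one channel at a time).
    """
    if len(channels) != NUM_CHANNELS:
        raise ValueError("model expects exactly four channels")
    if bypassed is not None and not 0 <= bypassed < NUM_CHANNELS:
        raise ValueError("bypassed channel index out of range")
    votes = [channel_trip(ch, i == bypassed) for i, ch in enumerate(channels)]
    return sum(votes) >= VOTES_TO_SCRAM, votes


def build(overrides: Dict[int, Channel]) -> List[Channel]:
    """Four healthy channels with the given indices replaced."""
    chans = [Channel() for _ in range(NUM_CHANNELS)]
    for idx, ch in overrides.items():
        chans[idx] = ch
    return chans


def scenarios() -> Dict[str, bool]:
    """Constructed cases mirroring those walked through in the report."""
    test = Channel(test_signal=True)
    cases = {
        # One channel tripping alone is not enough under two-out-of-four.
        "single_trip": (build({0: Channel(trip=True)}), None),
        "two_trips": (build({0: Channel(trip=True), 3: Channel(trip=True)}), None),
        # Dummy plug: one vote is permanently present, so the remaining
        # three channels behave as one-out-of-three.
        "dummy_plug_only": (build({1: Channel(dummy_plug=True)}), None),
        "dummy_plug_plus_one_trip": (
            build({1: Channel(dummy_plug=True), 2: Channel(trip=True)}), None),
        # Testing two channels without the key switch completes the vote.
        "two_tests_no_bypass": (build({0: test, 1: test}), None),
        # With the first tested channel bypassed, the second test is one vote.
        "two_tests_first_bypassed": (build({0: test, 1: test}), 0),
        # A fault on the bypassed channel still counts as a trip.
        "bypassed_channel_faults": (
            build({0: Channel(test_signal=True, fault=True), 1: test}), 0),
    }
    return {name: slc_vote(chans, byp)[0] for name, (chans, byp) in cases.items()}


if __name__ == "__main__":
    for name, scram in scenarios().items():
        print(f"{name:28s} scram={scram}")
```

The dummy plug and the test bypass move the vote in opposite directions: the plug leaves the system one trip away from a scram, while the bypass removes a vote that would otherwise be present.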
<100 kW Key Switch Module
In the supplement provided on May 12, 2016, MIT described operation of the KSM. During the audit, MIT staff demonstrated operation of the KSM. MIT staff also described the design and operation of the KSM. In particular, MIT staff explained operation of the key switch contacts (poles). The KSM has two possible positions, Full Power and <100 kW Operation. The selected position of the KSM is determined by four pairs of internal poles, KS1A, KS1B, KS1C, and KS1D. MIT is not using pole KS1A for operation of the key switch. When the key switch is turned to <100 kW Operation, poles KS1B, KS1C, and KS1D activate. KS1B sends a signal to the control room Annunciator Alarm and provides local indication in the KSM. KS1C sends a signal to the PLC. KS1D sends a signal to the SLC to bypass any scrams from Low Primary Flow, Low Pressure (MP-6), or Low Pressure (MP-6A). During this mode of operation, if reactor power reaches the trip set point for <100 kW operation, the DWK 250s will output their 100 kW High Power Trips, and SLC 1 and 2 will independently interpret those trips to produce a scram signal. During the audit, NRC staff noted that the setting for the KSM was actually 80 kW, instead of 100 kW. It was not clear why this modification was made. NRC staff has identified Open Item #9 to request this information. When the key switch is turned to Full Power, pole KS1C sends a signal to the SLCs to nullify the bypass activated during the <100 kW Operation.
NRC staff asked about relays RY-4, RY-5, RY-6, RY-7 and RY-8, which are associated with the WPC, but physically located within the KSM. MIT staff showed that the RY-4 relay is deactivated when 120 volts alternating current (VAC) from the WPC is cut, and subsequently it will cut power to the blade magnet circuit and an indication will be provided in the PLC. The RY-4 relay also will open a relay contact in the magnet power supplies, therefore interrupting the current. RY-5, RY-6, RY-7 and RY-8 relays are activated when a trip function is generated in the SLC, and associated with the WPC to generate a scram.
Safety System Monitoring and Status Display
MIT staff explained that the PLC is only used for monitoring and recording (time and date) of alarms. MIT is using a CLICK Micro PLC, from Automation Direct, for its Safety System Monitoring and Status Display. The PLC includes the following components: central processing unit, power supply, digital I/O, and analog outputs.
MIT staff demonstrated how the PLC receives and displays alarms. MIT staff explained that the PLC uses Secure Digital (SD) memory cards to store data. MIT staff also clarified that the SD cards do not include the PLC logic. Further, MIT showed that the card reader is not accessible from the front, only from the back. So, to remove the SD cards, MIT requires submitting a wire removal form.
During the audit, NRC staff noted that the system description for the PLC was revised to include new features not described in the material docketed. Specifically, the PLC has a reset and acknowledge pushbutton for the operator to acknowledge the alarm indications in the PLC display. However, in the docketed description, the logic for the PLC does not include the acknowledge and reset pushbutton, so it was not clear how this pushbutton was implemented.
NRC staff has identified Open Item #4 to request the updated description of the PLC and include updated logic diagrams.
The PLC receives signals from the SDM, KSM, and WPC. As mentioned before, the current Drawing R3W-256-2 does not show all these connections, and Open Item #6 has been identified to request an updated drawing.
MIT staff explained that the PLC sends signals to the control room's main annunciator panel. These signals are optically isolated by photocouplers. During the audit, NRC staff reviewed the manufacturer's data sheet for the photocoupler, PS-2832-1, which shows the configuration for one way. MIT staff also noted that the WPC status signal is not annunciated in the annunciator panel; it is just shown and recorded in the PLC.
MIT staff also explained that the DWK 250s send a signal to the PLC to indicate that the channels are connected in the correct location. This information was not described in the information docketed, and it was not very clear how this interlock signal is programmed in the PLC. As mentioned before, NRC staff has identified Open Item #4 to request the updated description of the PLC.
LED Scram Display Panel
This display panel provides a visual indication of the status of the SLCs for the console operator. During the audit, NRC staff noted that the figure of the LED scram display panel in the documentation did not match the actual component. Specifically, MIT staff added a lamp test button to test all LEDs in the panel. The lamp test button was added after the system description was docketed. NRC staff has identified Open Item #10 to request the updated description of the LED Scram Display Panel.
MIT staff described and simulated operation of the LED Scram Display Panel, including reset of each channel after a trip signal was generated by each SLC. Therefore, to (re)start the reactor, all four channels should not have trip conditions and be reset. During the audit, NRC staff noted that it was not clear why the LED Scram Display Panel was not considered safety-related.
NRC staff has identified Open Item #18 to request justification of the safety classification given to the LED Scram Display Panel.
Drop Timer Interface Module
The NSS includes a drop timer interface module. This module measures the time from initiation of a trip signal to 80 percent insertion of a shim blade. However, NRC staff found that the LAR and its supplement do not include a sufficient description of the drop timer interface module.
During the audit, MIT staff explained that in addition to measuring this time, it works as the interface between the blade drop timer and the SDM, so the drop timer, which is an existing component (not being replaced), can receive the signals from the SDM.
MIT staff described that the drop timer requires two signals from the SDM to start the timer.
NRC staff observed the two-out-of-four logic implemented in the drop timer interface. NRC staff also noted that the module includes a power switch to operate. MIT staff explained that this was added because this module is only used when calculating the initiation of a trip signal, in accordance with the TSs. The module also includes a guarded toggle switch, called minor scram switch, to start insertion of the shim blade and perform a timer test. In this manner, the operator can measure blade drop time from forcing signals in the DWK 250s or from using the minor scram switch.
NRC staff has identified Open Item #8 for the description of the drop timer interface, including logic diagrams. In addition, MIT was asked to describe how the guarded toggle switch will be used during testing and surveillance.
Magnet Power Supplies
The magnet power supplies provide electrical current to the magnets for all six shim blades in the reactor core. The supplement provided on May 12, 2016, describes operation of the magnet power supplies and Drawing R3W-253-4 shows the logic implemented. MIT staff used this information to describe operation of the magnet power supplies during the audit. NRC staff asked about the adjust knobs that can modify the magnet power supply and about the meters in the console that show magnet current for the shim blades. MIT staff explained that the knobs are used to adjust magnet power to maintain the currents at 80 milliamps. If the current is set above 80 milliamps, this could cause slower drop times of the shim blades.
MIT staff explained that the magnet power supplies consist of three modules, each providing magnet current to two shim blades. Each module interfaces with its corresponding rundown relay circuit, with magnet current passing through the rundown relay panel on its way to the magnet. The interface with the rundown relay panel is via indicator lights and reset pushbuttons. The indicator light is not illuminated when power is available and the rundown relay is energized.
During the demonstration of the SLC, MIT staff showed how the magnet power supplies function. NRC staff did not identify any discrepancies with the information docketed.
Rundown Relay Circuit
As mentioned previously, the magnet current passes through the rundown relay panel on its way to the magnet. The function of this circuit is to move the blade drives to the full-in position when power to the magnet power supplies is removed.
Drawing R3W-253-4 shows the logic for this circuit. MIT staff explained how the rundown relay circuit works. Specifically, MIT staff described (and walked through the logic) the different ways to interrupt power, which are by de-energizing or opening: two relays from the SLC, two relays from the WPC in the blade's rundown relay circuit, one relay in the blade's rundown relay circuit that opens upon low current, and one relay from the WPC in the line power supply. If any one of those is open, magnet power to that shim blade is interrupted.
MIT staff also explained how the rundown relay circuit is reset, which was a new functionality added to the operation of the reactor. Specifically, each shim blade can be individually reset once the blade drive has reached the full-in position and the WPC has been reset and re-energized. MIT staff also explained that there was a master reset (pushbutton PB7), which can be used to reset all six rundown relay circuits simultaneously. MIT noted that this reset will not reset the nuclear channels.
During the system simulation, MIT staff only indicated the location of the reset buttons, since it is not possible to observe operation of this circuit. NRC staff did not identify any discrepancies with the information docketed.
Withdraw Permit Circuit
The WPC is a series of relays associated with startup requirements or a reactor scram. The WPC interrupts magnet current via relays in the rundown relay panel. MIT modified the existing withdraw permit circuit to remove the relays associated with the existing period channels since period and power are combined in the NSS upgrade. MIT also made the following additions to the circuit:
- With the addition of the KSM, MIT added relays RY1 (for the Core Inlet Pressure, MP-6A scram), RY2 (for the Low Flow Primary Coolant scram), and RY3 (for the Core Inlet Pressure, MP-6 scram). These relays will bypass the primary flow scrams when the KSM is selected to be in <100 kW mode.
- A redundant contact to open the WPC when a scram is issued by either SLC. Currently there is a safety system scram contact in the circuit. This relay will be identified as safety system scram (loop A). The added contact will be safety system scram (loop B), and will be redundant to loop A. A scram signal from either SLC will open both contacts for loop A and B.
- Three redundant relays to operate through the rundown relay panel to interrupt magnet current to the shim blades.
- Relay RY4 to interrupt electrical current from all three 24 volts direct current (VDC) magnet power supplies when the WPC is open.
NRC staff did not identify any discrepancies with the information docketed. During the system simulation, it was not possible to observe operation of this circuit.
System Power Supply
NRC staff asked how power was provided to each NSS component. MIT staff explained that a common 120 VAC source feeds two 24 VDC power supplies. The 24 VDC power supplies are set up in parallel and connected via an auctioneering diode array inside the SDM. If one 24 VDC power supply fails, the other will provide power without interruption. From there power is transmitted to the SLCs and the KSM. The SDM also passes the 24 VDC power to energize the output relays of the four DWK 250 channels.
The WPC uses 120 VAC. The three magnet power supply modules have their own independent 24 VDC power supplies. Likewise, the rundown relay panel has its own 24 VDC power supply.
In the LAR, MIT noted that the renumbered neutron channel 6 (current channel 8) is battery operated for power indication on loss of electricity, both off-site and emergency. During the site visit MIT staff explained that the uninterruptible power supply (UPS)/battery voltage for the emergency power channel will continue to be checked on the reactor startup checklist prior to each operating period. The UPS has the capability to provide uninterrupted power for >15 seconds, which is the transfer time from normal off-site power to on-site emergency battery power. If the on-site emergency battery power fails, the UPS will provide backup power for at least one hour.
System Testing - MIT Developed Components
By LAR supplement dated May 12, 2016, MIT stated:
The new Nuclear Safety System will receive pre-operational and operational testing under a Test Plan. Individual modules will be bench-tested. Global system testing will be performed both on the bench and after installation in the control room.
Once it is operational, the functions of the Nuclear Safety System will be tested periodically as per the Technical Specifications.
The new SDM board will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system.
The new KSM assembly will be tested for wiring verification using a written procedure prior to first use, and periodically as part of operational checks of the nuclear safety system.
The new WPC will be tested with a written procedure prior to first use, and periodically as per the Technical Specifications for the nuclear safety system and process system scrams.
The LED Scram Display module and the PLC module will be tested for wiring verification, including the proper level of illumination of LED lights and PLC display screen, using a written procedure prior to first use. There will also be periodic operational checks.
During the audit, the NRC staff asked to examine this Test Plan. MIT staff noted that the Test Plan had not yet been drafted. Furthermore, the NRC staff noted that most of the testing on the MIT developed modules was conducted in an informal manner (i.e., not in accordance with an approved procedure). The NRC staff reviewed some results associated with this informal testing during the audit. In addition, MIT staff described how the informal testing was conducted. MIT staff stated that formal testing of these components and integrated system testing still needs to be performed. After the system is approved for use, MIT staff stated it will be integrated into the MITR-II and tested, including interfaces to MITR-II systems (prior testing included simulated interfaces). Subsequently, surveillances will be performed to assure continued operability of the system, in accordance with the TSs. Drafts of some of these surveillance tests were reviewed by the NRC staff and were found to generally include a subset of the design verification tests.
NRC staff has identified Open Items #13 and #14 for MIT to provide the description of the test approach, test procedures used to test and validate the final design of the NSS system, and the test summary report(s).
Response Time
The SLC write-up provided on July 6, 2017, states that the longest transition time through the SLC is 0.19 milliseconds (mS), as evaluated from the manufacturer's component-level data sheet. This value is derived from the input and output opto-couplers. Specifically, the measured value is 0.038 mS. Then the time to open the relays that interrupt power to the magnet current is about 15 mS. The integrated system response time was measured at no more than 500 mS.
During the audit, MIT staff described the system response event tree. A diagram was provided to illustrate the process. It showed the timeline as: DWK 250, SLC, magnet power supply, rod-in proximity switch. MIT staff also showed the result from the initial testing for the system response test. Based on this result, MIT staff explained that the longest scram condition path through the SLC is approximately 0.19 mS. In addition, the magnet power supply includes a relay to remove drive current to the corresponding magnet. The response time for this relay limits the response to the scram condition. The value listed by the manufacturer is 10 mS. MIT staff showed an oscilloscope capture indicating 2.67 mS between scram condition and removal of magnet power. MIT staff also performed a demonstration of this response time, and the time captured was 2.67 mS.
To measure system response time, the completion of a scram condition occurs when a proximity switch is tripped at 80 percent insertion of a shim blade. MIT has recorded 600 mS as the integrated system response time.
Based on the results from the initial testing, MIT calculated the response time using the worst case response from each component and determined the value to be 610.19 mS. NRC staff noted that the document was not dated and revision markings were not evident. The NRC staff was unable to determine when this test was performed and whether it accurately represented the response time for the system. NRC staff has identified Open Item #1 to request clarification on how documents and records were created and maintained for the initial testing in accordance with the MIT QA program.
In addition, MIT staff showed the results obtained after performing an informal system response time test, in which MIT obtained a value equal to 500 mS. This test result has not been formally documented, even though this is the value identified in the document docketed on July 6, 2017.
NRC staff has identified Open Item #12 to request the system response time calculation that confirms the values docketed in the supplement provided on July 6, 2017.
Technical Specifications
MIT submitted proposed TSs as part of the LAR. However, NRC staff noted that, at the time of the audit, MIT had not finalized the proposed changes to the MITR-II TSs, and the ones submitted were not complete. Also, surveillance test procedures were not available for audit.
MIT's proposed changes to the MITR-II TSs modified Table 3.2.3-1 of TS 3.2.3, TS 3.2.7, and Table 4.2-1 of TS 4.2.1. Similar changes are also reflected in the LAR Section 7.2.6. However, NRC staff noted that the LAR and the proposed TSs are not consistent. For example, modified TS 3.2.3, Table 3.2.3-1, identifies two operable channels for period, but the description in Section 7.2.6 in Chapter 7 of the LAR identifies 3 operable channels. Additionally, the NSS functionality, as described to the NRC staff during the audit, precludes operation at a minimum of 2 channels since the new NSS 2-out-of-4 logic would result in a scram if more than one channel were off-scale, in channel fault or placed in test. Therefore, the NRC staff does not fully understand the requirement for only 2 operable channels related to period or neutron flux level.
Similarly, the NRC staff noted that channel/parameter No. 13 in TS Table 3.2.3-1 was renamed from "Period channel level signal off-scale" to "Nuclear safety channel trips for low count rate, channel in test, or channel fault," with the number of required channels remaining 1. The purpose of this parameter, in terms of the minimum number of required channels, is not clear to the NRC staff since TS 3.2.3.1 requires the operability of the RPS per Table 3.2.3-1. Thus, the NRC staff is unclear whether the minimum required channel refers to the number of trip channels or operable channels.
MIT provided redlines to the TSs, but did not provide justification for the proposed changes to the TSs during the audit or previously in the LAR. Neither did MIT clarify if the installation of the proposed NSS system will require changes to the surveillance frequency identified in the TSs.
In the LAR, MIT stated that they used MITR operating experience and industrial practices to determine the surveillance frequency for the nuclear safety channel. However, surveillance requirements for the NSS remain unchanged in the LAR submittal. As such, the NRC staff is uncertain how the periodicity of the surveillance frequency should be established for the new system.
Based on the audit, NRC staff has identified Open Items #15 and #16 to request that MIT provide the following:
a) Revised TS 3.2.3 and TS 4.2.1 with justification and bases for the changes proposed.
b) Clarify if the installation of the proposed NSS system will require changes to the surveillance frequency identified in the TSs. If so, describe how the periodicity of the surveillance frequency was determined.
c) Provide the surveillance requirements to be performed associated with these TSs.
d) Revise Section 7.2.6 of Chapter 7 for consistency with the changes proposed for the MITR-II TSs.
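The channel-count concern raised above for Table 3.2.3-1 can be checked with a small model of 2-out-of-4 coincidence voting. This is an added example, not MIT's or Mirion's logic: it assumes, per the audit description, that a channel that is off-scale, in channel fault, or in test asserts a trip vote, and all state and function names are hypothetical.

```python
"""Illustrative model of 2-out-of-4 scram voting (not the NSS design itself).

Assumption taken from the audit text: a channel that is off-scale, in
channel fault, or placed in test contributes a trip vote, the same as an
operable channel whose measured parameter exceeds its setpoint.
"""
from enum import Enum
from itertools import product


class Ch(Enum):                 # hypothetical channel state names
    OK = "ok"                   # operable, below setpoint
    TRIP = "trip"               # operable, setpoint exceeded
    OFF_SCALE = "off_scale"
    FAULT = "fault"
    TEST = "test"


NOT_OPERABLE = {Ch.OFF_SCALE, Ch.FAULT, Ch.TEST}
VOTES_REQUIRED = 2              # the "2" in 2-out-of-4


def trip_votes(channels):
    """Every state other than OK asserts one vote."""
    return sum(1 for c in channels if c is not Ch.OK)


def scram(channels):
    return trip_votes(channels) >= VOTES_REQUIRED


def operable(channels):
    return sum(1 for c in channels if c not in NOT_OPERABLE)


def min_operable_without_standing_scram(n_channels=4):
    """Smallest operable-channel count over all states that do not scram."""
    return min(operable(s) for s in product(Ch, repeat=n_channels)
               if not scram(s))


def effective_logic(n_inoperable, n_channels=4):
    """Return (genuine trips needed to scram, operable channels left).

    (1, 3) means the voting has degraded to 1-out-of-3; a first element
    of 0 means the logic is already in a standing scram.
    """
    remaining = n_channels - n_inoperable
    base = (Ch.TEST,) * n_inoperable
    for k in range(remaining + 1):
        state = base + (Ch.TRIP,) * k + (Ch.OK,) * (remaining - k)
        if scram(state):
            return k, remaining
    return None


if __name__ == "__main__":
    print("minimum operable channels without a standing scram:",
          min_operable_without_standing_scram())
    for n in range(3):
        print(f"{n} channel(s) inoperable ->", effective_logic(n))
```

Under this model at least three channels must be operable for the reactor to run at all, and one channel in test leaves a 1-out-of-3 vote on the remaining channels.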
Environmental Qualifications
In the LAR and its supplements, MIT staff stated that the components built and developed by MIT used material that met either medical qualifications or automotive standards. During the audit, MIT staff showed the bill of materials for the parts purchased. MIT staff explained that the printed boards were manufactured by Advanced Circuits. They performed advanced optical inspection (AOI) to guarantee that the parts purchased were correctly installed. Then MIT staff reviewed AOIs from Advanced Circuits. MIT staff noted that the parts used met Automotive Electronics Council (AEC) standards; in particular AEC-Q200 for active components and AEC-Q100 for passive components. Also, the cards were manufactured to certification Institute of Printed Circuits (IPCs) Class 2-A600, for dedicated-service electronic products requiring continued performance and extended life (IPC was formerly called Institute of Printed Circuits).
MIT had a certificate showing that Advanced Circuits, Inc. is ISO-9001-2008 compliant. The certificate expires in June 2018. MIT staff explained that only the 24 to 5 VDC converter used in the SLC boards is International Medical Approvals quality. MIT staff showed the data sheet for this voltage converter, showing its qualification and certification.
MIT did not perform environmental qualifications for the components developed in-house. Instead, MIT confirmed (through the vendor data sheets) that these components will work under the environmental conditions measured in the control room. MIT staff noted that they used an over coating on the printed circuit board to guarantee that the components can work in high temperatures, values above temperatures registered and expected in the control room.
In addition, MIT staff explained that there is a dedicated air conditioning (AC) system to maintain the control room air temperature within a setting of 68 degrees Fahrenheit (°F). From the control room the operator can hear an audio alarm from the AC system when it fails. MIT staff noted that there is an external backup AC system that can be connected to the control room in case of failure of the main AC system.
The control room has an alarm to indicate if temperature reaches 78 °F. In this situation, the operator will follow a procedure for high temperature in the control room.
When in operation, the operator records cabinet temperature in an hourly log. However, humidity in the control room is not recorded. Also, the operator records the temperature of the building exhaust daily to measure outside atmospheric conditions.
System Identification and Labeling
The LAR and its supplement do not identify the safety classification for the NSS components. MIT staff explained that the Diagram R3W-263-2, DWK Safety System Global Connection Diagram, identifies the classification for the system components. The classification is indicated by darker or bold connection lines along the main trip and scram signal path and by the inability to restart the reactor without them. However, no clear text is included in this drawing or in the amendment. During the audit, NRC staff asked why the LED Scram Display was considered non-safety related since it includes the pushbuttons to reset the neutron channels, which are necessary to restart the reactor. NRC staff has identified Open Item #18 to request justification for not considering the LED Scram Display a safety-related component.
MIT staff noted that when components or systems are installed in the control room's panel, the non-safety related ones are labelled "unofficial instrument," but safety related components do not have any special markings. At the time of the audit, MIT had installed the new NSS in the control room in a temporary rack. NRC staff has identified Open Item #19 to request a console layout indicating where the NSS components will be located.
In addition, NRC staff and MIT staff discussed identification and markings of the NSS components and their parts. MIT staff explained that there is no QA procedure that explicitly describes how to mark components and parts. Instead MIT uses common engineering practices to label the parts. The part names and their identification are then entered in the binder for wire removal cable, which lists all wires, parts and components installed in the MITR. MIT staff also explained that the labels used were system specific, which meant that the drawings, wiring and logic schematics, and system descriptions were used to identify the labels used in each part.
At the time of the audit, the NSS equipment was installed in a temporary rack. At the time, MIT had not prepared the drawings to show the final location of the NSS equipment. NRC staff identified Open Item #20 to request this information.
3. Access Control and Cyber Security
As part of the audit, NSIR staff reviewed access control and cyber security for the replacement NSS. In particular, NSIR staff reviewed MIT measures to prevent unauthorized access and use of the NSS.
NRC staff observed that MIT implemented measures to prevent unauthorized access to the control room, in which the NSS is installed. Use of the NSS is limited to authorized personnel. Also, access to keys is controlled and limited to authorized personnel.
NSIR staff reviewed MIT measures followed during the design, development, and operation of the NSS. NSIR staff observed that these components are adequately protected from cyber-attack. Specifically, the design of these components does not include any network connectivity (wired or wireless).
At the time of the audit, MIT staff explained that the NSS does not use any maintenance equipment that can compromise safety and could adversely impact operation of the reactor. However, as discussed previously, MIT has not made a final decision about the RS-232 ports in the Mirion DWK 250 channels for calibration and testing.
NRC staff noted that the controls and measures discussed during the audit are not currently documented. Open Item #21 was identified to request additional information.
4. Exit Meeting
At the conclusion of the audit, NRC staff met with MIT staff and discussed the activities performed during the audit. The NRC staff addressed each of the planned audit activities outlined in the audit plan. In addition, MIT was provided with a summary of the open items identified during the audit, which would be developed into draft requests for additional information (RAIs).
At the end of the meeting, MIT and NRC staff discussed the schedule for completion of the approval of the LAR. NRC staff explained that there are many aspects of the NSS components being developed by MIT that are in flux and need to be completed and documented before the review of the LAR can be resumed.
5. Open Items
As a result of this audit, NRC staff identified the following open items. NRC staff provided a draft copy of this list to MIT on August 1, 2017. These open items were reorganized and summarized in RAIs. RAIs were transmitted in a separate letter. Below, each open item identifies its corresponding RAI. Responses to these RAIs are necessary to support NRC review.
- 1. During the audit, it was not clear how certain aspects of the MIT QA program were being followed. Provide a summary description of the MIT QA program as applied to the NSS design modification and how the MIT staff has implemented its QA program for this project. That is, describe the QA programmatic elements related to the design control and testing of the MIT-developed components of the NSS (e.g., independent QA approval of the design and testing procedures, and traceability of design changes and approvals during final development and testing). In addition, MIT should provide examples (e.g., records) that illustrate how its QA program was implemented. This open item corresponds to RAI #1.
- 2. The logic schematics and system descriptions are not consistent with the information available, reviewed and discussed during the audit. Provide NSS system description, logic diagrams, schematics, test procedures, test results and operating procedures for the designed and tested NSS system. This open item corresponds to RAI #2.
- 3. The amendment and supplemental information do not describe the DWK 250 test condition scram bypass key switch. In addition, this key switch is not included in the logic schematics provided for the NSS system. Provide a description, operation, and logic schematics of the DWK 250 test condition scram bypass key switch. This description should include a summary description of how this switch is used to perform surveillance or pre-startup testing. Include a summary description of any other features included for maintenance, surveillance, or calibration purposes. This open item corresponds to RAI #2, item a.
- 4. During the audit, MIT used a description for the PLC that was not docketed to the NRC. This open item corresponds to RAI #2, item c) 1).
- 5. In the amendment and its supplements, MIT described the use of a cable plug for when a DWK 250 module is removed for maintenance or troubleshooting. However, the information provided does not describe how the cable plug will be used, and test procedures have not been created yet. Describe if the cable plug will be used, how it will be used during maintenance and the test procedures including it. This open item corresponds to RAI #2, item b.
- 6. Drawing R3W-256-2, DWK Safety System Global Connection Diagram, does not show all connections to the NSS components. For example, Revision 1.6 does not include the following connections: (1) between SDM and the PLC and (2) KSM to PLC. This open item corresponds to RAI #2, item c) 1).
- 7. The DWK 250s have an interlock signal to tell the PLC if the channels are connected in the correct location. However, this information was not provided in the amendment and supplemental information. Explain how this interlock signal works and its configuration in the PLC. This open item corresponds to RAI #2, item c) 2).
- 8. The amendment and supplemental information do not describe the drop timer interface. Describe how this interface operates, how it is going to be used, and the test procedures including it. This open item corresponds to RAI #2, item d.
- 9. During the audit, MIT did not provide documentation supporting the fact that the nominal trip setting for the <100 kW operating mode was set at 80 kW. Describe how the uncertainty and drift were established for the system while operating in the <100 kW operating mode. This open item corresponds to RAI #2, item e.
- 10. The description of the LED Scram Display was modified to include the use of the lamp test and the DWK 250 test condition scram bypass key switch. Provide an updated description for the final design of the LED Scram Display. This open item corresponds to RAI #2, item f.
- 11. The SDM provides access to each of the four DWK 250 channels through the breakout box to set adjustable parameters by a dedicated computer. Clarify if the breakout box will be used in the final NSS design, and if so, how it will be used and its access controlled. This open item corresponds to RAI #2, item g.
- 12. The supplemental information docketed on July 6, 2017, in which MIT described the system response time is not consistent with the system response time memo reviewed during the audit. Provide the system response time calculation to confirm the actual value for the final NSS design. This open item corresponds to RAI #3.
- 13. The amendment and supplemental information refer to a Test Plan and Global System Testing that were used to test and validate the NSS system. However, these documents were not prepared nor used for factory acceptance testing of the NSS. Describe the test approach and test procedures used to test and validate the final design of the NSS system. Additionally, provide the Test Plan and test summary report(s) that describe the results observed during testing in accordance with the test procedures for the MIT-developed components and the integrated system tests for the final NSS design. This open item corresponds to RAI #4.
- 14. Describe the test approach and provide the test procedure(s) that will be used to integrate the final NSS design into the MITR-II if the NSS upgrades are approved by the NRC. This open item corresponds to RAI #5.
- 15. MIT modified TSs 3.2.3 and 4.2.1. Provide marked up TSs and justification of the changes. Also, Section 7.2.6 of Chapter 7 should be revised or amended for consistency with the changes proposed for TSs. This open item corresponds to RAI #6, item a.
- 16. Clarify if the installation of the proposed NSS system will require changes to the surveillance frequency identified in the TSs. Also, provide the surveillance requirements to be performed associated with these TSs, and revise Section 7.2.6 of Chapter 7 for consistency with the changes proposed for the MITR-II TSs. This open item corresponds to RAI #6, items b, c and d.
- 17. The Mirion DWK 250 includes an RS-232 port in the front panel. Currently MIT is not using this port to change parameters. However, MIT expressed interest in using this feature in the near future. Explain if the RS-232 port is going to be used, how it is going to be used and the test procedures that will include it. This open item corresponds to RAI #7.
- 18. The LED scram display is marked non-safety related in the amendment and its supplemental information. However, the LED scram display includes the reset switch for each nuclear channel, which should be reset after alarms and failures are cleared before restarting the reactor. Therefore it is not clear how this panel can be classified as non-safety related. Explain why the LED scram display is non-safety related. This open item corresponds to RAI #9.
- 19. Provide a clear description of the classification for each component of the NSS. This open item corresponds to RAI #8.
- 20. MIT has installed the new NSS in the control room in a temporary rack. Provide a console layout indicating where the NSS components will be located. This open item corresponds to RAI #10.
- 21. Document cyber security measures for how the neutron flux sensors will be configured and how these settings will be protected from unauthorized modification. This open item corresponds to RAI #11.