ML17321B066
ML17321B066 | |
Person / Time | |
---|---|
Site: | Purdue University |
Issue date: | 12/20/2017 |
From: | Cindy Montgomery Research and Test Reactors Licensing Projects Branch |
To: | Bean R Purdue University Research Reactor, Indiana |
Montgomery C, NRR/DLP, 415-3398 | |
References | |
Download: ML17321B066 (36) | |
Text
December 20, 2017 Dr. Robert Bean, Director Purdue University Radiation Laboratory School of Nuclear Engineering 400 Central Drive West Lafayette, IN 47904-2017
SUBJECT:
PURDUE UNIVERSITY - REGULATORY AUDIT REPORT FOR DIGITAL CONTROL AND INSTRUMENTATION UPGRADE LICENSE AMENDMENT REQUEST
Dear Dr. Bean:
The U.S. Nuclear Regulatory Commission (NRC) is continuing its review of the Purdue University license amendment request dated February 27 and 28, and June 21, 2017 (Agencywide Documents Access and Management System Accession Package Nos. ML17061A257 and ML17220A077), for upgrading the instrumentation and control (I&C) systems for the Purdue University Reactor (PUR-1).
The NRC staff conducted an onsite regulatory audit to review the PUR-1 upgrade application on August 22-24, 2017. The intent of the audit was to gain understanding of your application and status of your facility. In addition, the regulatory audit identified information that will be required to be docketed in order to support the basis of the licensing decision and will allow the NRC staff to more efficiently gain insights on the PUR-1 digital I&C upgrade. The request for additional information related to this audit report is in ADAMS under accession number ML17300B451.
The NRC staff has provided a copy of the audit report as an enclosure to this letter. We appreciate your support in providing space, the requested documentation and access to the necessary personnel and other materials that assisted in an efficiently conducted audit.
R. Bean If you have any questions regarding this review, please contact me at 301-415-3398, or by electronic mail at Cindy.Montgomery@nrc.gov.
Sincerely,
/RA/
Cindy K. Montgomery, Project Manager Research and Test Reactors Licensing Branch Division of Licensing Projects Office of Nuclear Reactor Regulation Docket No. 50-182 License No. R-87
Enclosure:
As stated cc: See next page
ML17321B066 *concurrence via e-mail NRR-106 OFFICE NRR/DLP/PM NRR/DE/EICB NRR/DLP/LA* NRR/DLP/BC NRR/DLP/PM NAME CMontgomery MWaters NParker AAdams CMontgomery DATE 11/15/2017 12/12/2017 12/7/2017 12/20/2017 12/20/2017 Purdue University Docket No. 50-182 cc:
Leah Jamieson, Dean of Engineering Purdue University School of Nuclear Engineering 400 Central Drive West Lafayette, IN 47907 Mayor City of West Lafayette 609 W. Navajo West Lafayette, IN 47906 John H. Ruyack, Manager Epidemiology Res Center/Indoor & Radiological Health Indiana Department of Health 2525 N. Shadeland Avenue, Suite E3 Indianapolis, IN 46219 Howard W. Cundiff, P.E., Director Consumer Protection Indiana State Department of Health 2 North Meridian Street, 5D Indianapolis, IN 46204 Clive Townsend, Reactor Supervisor Purdue University School of Nuclear Engineering 400 Central Drive West Lafayette, IN 47907 Test, Research and Training Reactor Newsletter P.O. Box 118300 University of Florida Gainesville, FL 32611
OFFICE OF NUCLEAR REACTOR REGULATION REGULATORY AUDIT REPORT REGARDING LICENSE AMENDMENT REQUEST TO UPGRADE THE INSTRUMENTATION AND CONTROL SYSTEMS AT THE PURDUE UNIVERSITY REACTOR AUGUST 22-24, 2017 LICENSE NO. R-87; DOCKET NO. 50-182
Background
The U.S. Nuclear Regulatory Commission (NRC) staff is currently engaged in a review of the Purdue University request to upgrade the instrumentation and control (I&C) systems for Purdue University Reactor Number One (PUR-1), submitted by letters dated February 27 and 28, and June 21, 2017 (Agencywide Documents Access and Management System Accession Package Nos. ML17061A257 and ML17220A077, respectively).
The proposed upgrade of the I&C systems will replace the current neutron flux detector equipment, reactor operator console (ROC), reactor protection system (RPS) and the reactor control system (RCS) for PUR-1 with new digital systems. This regulatory audit was intended to assist NRC staff in gaining understanding, verifying information, and/or identifying information that will require docketing to support the basis of the license amendment request (LAR). During the review of the LAR, several open items were identified and provided to Purdue in advance; these are discussed in this audit report.
Regulatory Audit Basis The NRC staff reviewed the licensees amendment application, as supplemented, to ensure that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) activities proposed will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. The NRC staff considered the following during its review of the proposed changes.
Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Domestic Licensing of Production and Utilization Facilities, provides the regulatory requirements for licensing of non-power reactors.
Section 50.34(a)(7), requires each applicant for a construction permit to build a production or utilization facility to include, in its preliminary safety analysis report (SAR),
a description of the quality assurance program (QAP) to be applied to the design and construction of the structures, systems, and components of the facility.
Enclosure
Section 50.34(b)(6)(ii) requires that each applicant for a license to operate a facility include, in the final SAR, a description of the managerial and administrative controls to be used to ensure safe operation.
Section 50.36, Technical specifications, requires that each applicant for a license authorizing operation of a production or utilization facility include in this application proposed technical specifications (TSs).
On November 6, 2015, the NRC published in the Federal Register (FR 70850) Draft interim staff guidance (ISG) to Chapter 7, Instrumentation and Control, of NUREG-1537 Part 1 and Part 2 (ADAMS Accession Nos ML15134A484 and ML15134A486, respectively). The draft ISG updates and expands the content of Chapter 7 of NUREG-1537, Part 1 and Part 2, respectively, provides revised guidance to the licensee for preparing applications and to the NRC staff for reviewing applications for the I&C. This guidance was used for evaluating this LAR.
Audit Activities The NRC audit team, consisting of Daniel Warner, Rossnyev Alvarado, and Huda Akhavannik from the Instrumentation and Control Branch (EICB), Duane Hardesty from the Research and Test Reactors Licensing Branch (PRLB), Elizabeth Reed from the Research and Test Reactor Oversight Branch (PROB), and Casey Priester and Daphne Collins from the Office of Nuclear Security and Incident Response (NSIR), visited the PUR-1 on August 22-24, 2017, to perform the regulatory audit. NRC staff performed the regulatory audit in accordance with the audit plan (ADAMS Accession No. ML17220A243).
The following activities were performed during this audit:
- 1. ENTRANCE MEETING At the entrance meeting, NRC staff explained the goals and objectives for the audit, as well as the process to be followed to conduct it. Facility logistics and a detailed audit schedule were discussed. The Purdue team introduced a number of PUR-1 staff and vendors including reactor operators, engineers, and representatives from Mirion and Scientech. As part of the meeting, Purdue and NRC staff discussed the schedule for completion of the safety evaluation (SE) and license amendment.
- 2. PUR-1 TOUR AND DEMONSTRATIONS After the entrance meeting, Purdue staff gave a tour of their nuclear reactor, which included the control console, and lab facilities. In the reactor room, Purdue simulated operation of the reactor and the new control systems, which are operating in parallel in a monitoring mode.
- 3. TECHNICAL EVALUATION
System Description
The proposed replacement I&C systems have been designed to replicate the existing PUR-1 control console and nuclear instrumentation channels in order to minimize the
changes to the facilitys license and TS. The new console systems will be installed in the existing reactor room into the existing console frame.
The PUR-1 I&C system contains major systems including the RCS, the RPS (due to the interactions between systems, they are sometimes referred to together as the reactor protection and control system (RPCS)), the control console and display instruments, and the radiation monitoring system (RMS); these major systems interface with subsystems such as the neutron flux monitoring system (NFMS), the rod drive system, the heating, ventilation, and air conditioning (HVAC) system, and the power conditioning system.
Reactor Protection System The proposed RPS consists of an Acopian current source routed through a series of relays associated with the primary scram parameters to the magnets connecting the shim-safety rods to the control rod drives. These scram parameters include outputs from the four main neutron flux channels of the NFMS, the radiation monitors, the RCS programmable logic controller (PLC), the control console keyswitch and the two scram buttons (one is located on the control console and the other is located in the hallway outside the reactor room). If any of these parameters is offscale, if there is a power failure, if the operator workstation or another key component is not operational, if a scram button is pressed, or if the keyswitch is not positioned correctly, the associated relay contact is opened, magnet power is interrupted, and the shim-safety rods drop into the core to shut down the reactor.
Scientech prepared wiring schematic, PUR1-HDD-001-16, Rev. 3, Sheets 1 and 2.
These drawings showed all signals that generate a scram signal, which are listed in the supplement letter submitted in June, 2017. Sheet 1 of this drawing was docketed.
NRC staff requested Sheet 2 be submitted for docketing. Open Item #27 was created to request that this two other documents be docketed.
Neutron Flux Monitoring System The NFMS consists of four channels: Channel 1 - Startup Channel, Channel 2 - Log N and Period Channel, Channel 3 - Linear Power Channel, and Channel 4 - Safety Channel. As part of the amendment, these four channels have been updated to use Mirion instruments, a Yokogowa recorder, a PLC, and a display workstation. The neutron detectors inputting to each of the channels are: the fission counter chamber (WL-6376A) providing input to Channel 1, uncompensated ionization chambers (WL-8075) providing input to Channels 3 and 4, and the compensated ion chamber (WL-23084) providing input to Channel 2.
NRC staff reviewed the data sheets for each neutron detector. The data sheets were included in the Document No. MGPI PJ0000396, Part ETD, dated March 2016. The detectors specifications included the following:
- Fission counter chamber (WL-6376A), Channel 1 Meets: MIL-S-901 and MIL-STD-167 (type 1)
Maximum rating: 300 degrees Fahrenheit (°F) (150 degrees Celsius (°C))
Counter range: 1.4 - 1.4x105 nv Chamber range: 6x105 - 1.4x1010 nv
- Compensated ion chamber (WL-23084-CIC), Channel 2 Maximum rating: 300°F (150°C)
Thermal neutrons: 1.3x102 - 5.0x1010 nv
- Uncompensated ionization chambers (WL-8075), Channels 3 and 4 Maximum rating: 400°F (204.44°C)
Thermal neutrons: 2.5x103 - 2.5x1010 nv Next, the neutron detectors input to a TKV 23 preamplifier for Channel 1 and a NV 102 current to frequency converter for Channels 2 and 3. In Channel 4, the neutron detector inputs directly to the Mirion channel. NRC staff reviewed the operation limits for the converters and preamplifiers and verified that they can operate in the lab environment.
The Mirion channels are the DWK-250 (used in Channel 1), DAK-250 (used in Channels 2 and 3), and DGK 250 (used in Channel 4). During the audit, NRC staff reviewed, Documentation No. Mirion MGPI PJ0000396, Part ETD, Binders 1 of 2 and 2 of 2. NRC staff reviewed the thermal operation limits of the neutron detectors and confirmed the neutron sensitivity ranges are consistent with the safety analysis. NRC staff reviewed the ambient conditions listed for the DWK-250, DAK-250, and DGK-250:
- DGK-250, DWK-250, and DAK-250 Ambient temperature for operation, open rack: 0-70°C (32 - 158°F)
Relative humidity: 90% for up to 30 days; 75% annual average, non-condensing EMV requirements: KTA 3505-11/05 Testing of the Neutron Detectors Mirion provided factory acceptance test (FAT) results and certificate of testing for the neutron detectors. The certificate was dated March 2016. NRC staff reviewed the final acceptance test data for each of the neutron detectors. Mirion performed these tests with its QAP and inspection and test procedures.
- Fission counter chamber (WL-6376A), Channel 1, S/N 164310 This detector was inspected in accordance with 212-190-40, Acceptance Test Procedure, Rev. H, and quality assurance (QA) 150-6376A, Final Inspection, Rev. C.
The acceptance testing was completed in accordance with specifications provided in 212-190-40, Rev. H. The final acceptance test data was completed in December 2016 with P.O. number PO0002533-6. All results were acceptable.
- Compensated ion chamber (WL-23084-CIC), Channel 2, S/N 153516 This detector was inspected in accordance with 150-23084, Final Inspection, Rev. C, and QA 150-23084, Final Inspection, Rev. A, with no deviations noted. The acceptance testing was completed in accordance with specification 212-190-14, Acceptance Test Procedure, Rev. J, with results in an acceptable range. The final acceptance test data was completed in November 2016 with P.O. number PO0002533-6.
- Uncompensated ionization chambers (WL-8075), Channels 3 and 4, S/N 165203 and 161343, respectively This detector was inspected in accordance with 150-8075, Final Inspection, Rev. F, and QA150-8075, Final Inspection, Rev. F with no deviations noted. The acceptance testing was completed in accordance with specification 212-190-105, Acceptance Test Procedure, Rev. A. The final acceptance test data was completed in December 2016 with P.O. number PO0002533-6.
Testing of the Mirion Channels The Mirion channels were type tested in accordance with the stipulations found in KTA 3501/3505. DWK-250 testing was completed by testing the preamplifier by TUV-Rheinland in November 1987, the software by TUV-Nord in August 1990, and the entire channel by TUV-Rheinland in January 1991. DAK-250 testing was completed by testing the software and entire channel in June 1995 by TUV-Nord and TUV-Rheinland, respectively. The pre-amplifier was tested in May 1996 by H&B (Institute of Electrical and Electronics Engineers (IEEE) 323) and the I/F converter was tested in June 2009 by TUV-Nord. DGK-250 testing was completed by testing the electronic channel including software by TUV-Nord in July 1996 and the input board by TUV-Sudwest in June 1996.
Mirion performed three different tests of the neutron channels. The first test was performed in Germany, and the results were documented in the MGPI H&B test record, Document No. 5-1061 F10E. NRC staff reviewed this document and noted the following from the performance and functional tests for the neutron channels.
- DWK-250, Channel 1, S/N 16.01.03236, completed in June 2016
- DAK-250, Channel 2, S/N 16.013262, completed in June 2016
- DAK-250, Channel 3, S/N 16.01.03238, completed in June 2016
- DGK 250, Channel 4, S/N 16.01.3264, completed in June 2016 The test procedures completed include: the safely relevant test, high voltage test, wiring test, functional test, power consumption, and visual test. The test record also provided the test report of the factory tests which include: general tests, shock-protection, air and leaking path, assembly distance, insulation and voltage, protective connection, voltage limiter, failure current, mechanical design, heat dissipation, etc.
Then, as part of the FAT, Mirion tested the neutron channels after they were integrated with the RPCS. Mirion provided a certificate of completion of this FAT, Document No. PJA0000433A21E, for the Mirion channels. NRC staff reviewed the following regarding these tests:
- FAT for DWK-250, Channel 1, start up wide range channel/configuration of DWK-250 and pre-amplifier TKV 23.21, Document No. PJ0000396A21, completed on August 29, 2016.
- FAT for DAK-250, Channel 2, Log N and period channel/configuration of DAK-250 and NV 102.00H, Document No. PJ0000396A22, completed on August 30, 2016.
- FAT for DAK-250, Channel 3, linear power channel/configuration DAK-250 and current-frequency converter NV 102.00H, Document No. PJ0000396A23, completed on August 30, 2016.
- FAT for DGK-250, Channel 4, safety channel, Document No. PJ0000396A24, completed on August 31, 2016. Note that during this test, Mirion tested the use of the keyswitch for simulation and calibration. Mirion also performed an informal determination of the system response time, and found that the total response time was less than 500 milliseconds.
These tests were successfully completed.
Mirion also provided the final test report for the software installed in each neutron channel. This test report includes: technical test report, test certificate, and assessment report. All tests were successfully completed. Copies of these documents were provided to Purdue. NRC staff reviewed the following test documents:
- DWK 250,Test Certificate No. 1225068496/01, dated June 1990
- DAK 250, Test Certificate No. 01225286853/001, dated June 1995
- DGK 250, Test Certificate No. 01225292163/001, dated June 2010 As part of the FAT, Mirion verified software identification and checksums for each channel. NRC reviewed the information recorded in the completed FAT. These tests were successfully completed. Also, NRC staff confirmed these values were the current values in each of the neutron channels temporarily installed in the control room, and that they will be used with the reactor after NRC approval.
To verify these variables, Purdue staff used NS01 (red key) in the Mirion channel. This allows the operator to view the parameter settings and make necessary modifications for those variables that can be changed. Mirion also performed a demonstration on how to perform a channel test. In this case, Mirion used S1 (back key) in the front panel of the Mirion channel. The display shows a list of available testing. For this demonstration, Purdue staff performed a watch-dog test. This test was satisfactorily performed.
Then Mirion performed site acceptance test (SAT) for the neutron channels when the equipment was installed at Purdue. Mirion provided a certificate of completion of SAT, Document No. PJA0000433A31E, for the Mirion channels. This document was dated December 20, 2016. Specifically, the following devices were successfully tested.
Channel 1
- DWK 250, Drawing No. P-1680001 G11/P11-12, S/N 16.01.03236
- TKV 23.21, wide range pre-amplifier, F-No. 15.01.01086
- Detector WL6367A, fission chamber, S/N 164316 Channel 2
- DAK 250, Drawing no. P-1680002 G11/P11-12, S/N 16.01.03262
- NV 102.20H, currency-frequency converter, F-No. 15.01.02980
- Detector WL23084, compensated ion chamber, S/N 153516
Channel 3
- DAK 250, Drawing No. P-1680003 G11/P11-12, S/N 16.01.03238
- NV 102.20H, currency-frequency converter, F-No. F-1361437
- Detector WL8075, uncompensated ion chamber, S/N 165203 Channel 4
- DAK 250, Drawing No. P-1680004 G11/P11-12, S/N 16.01.03264
- Detector WL8075, uncompensated ion chamber, S/N 161343 NFMS Keyswitch Testing Capabilities Each NFMS includes two key switches. The key switch enables built-in testing and simulation procedures to be activated using the front-panel of the Mirion channels.
When the key switch is enabled, a test status message is communicated on the display and on the external computer. In test mode, binary outputs may be set or reset using the NZ 12 central processor. Test signals can be generated using the different channel processors or values can be manually entered. It is also possible to use external testing equipment.
A watchdog test monitors the NZ 12 central processor by artificially interrupting execution of a program to reset the signal channel. Any test procedures that may have been activated will be reset. The watchdog functionality can be tested. The NZ 12 central processor halts signal processing to interrupt the signal for the watchdog timer.
The NZ 21 input/output (I/O) processor will also generate an error message because its link to the central processor is interrupted. When the response time of 10 seconds is elapsed, the NZ 12 central processor will be reset and restarted. The existing (in steady state) measured values will not be stored in memory.
Self-monitoring is performed when the NZ 21 I/O processor or the NZ 12 central processor detects a malfunction. Depending on the type of the malfunction detected, the signal channel will remain in operation as long as possible and as long as a fault message is generated. The cause of the malfunction may be displayed either on the front panel or on the computer interface. Fault messages remain in memory until the system is restarted via the watchdog test. Fault acknowledgement is used to reset a series of stored error messages provided that the causes have been eliminated.
Examples of fault messages are NZ 21: RAM fault, S-Bus fault, High voltage out of range, S-Bus Timeout, etc.
The NZ 21 I/O processor and NZ 12 central processor cyclically test their parameter and data memories and cyclically calculate the checksum (calculated while checking the erasable programmable read-only memory (EPROMS)) to compare with a setpoint. A fault message will be generated by the NZ 12 central processor if necessary. The NZ 12 central processor also monitors the measured values of voltages to determine if they are within preset limits and monitors recursive filters.
In the DWK 250, the TKV 23 preamplifier, NI 21 and NA33 activate test generators in the input modules. These are used to check RPS signal paths. Periodical testing and simulation routines are incorporated into the DWK 250 and supported by operator dialog.
Periodic testing can be performed without using external test generators and without interference in wiring. A test status message is set at the beginning of the test
procedure by enabling the key switch. Open Item #19 was generated to address a question with the control of the keys for the test switches.
Technical Specification Review During the audit, NRC staff reviewed the Purdue TSs, both the existing TSs and the proposed changes. As detailed below, Open Items #7, 9, and 11 were generated to address questions that arose during this review.
Purdue submitted proposed TSs as part of the LAR. During the audit, the NRC staff reviewed the available operating procedures, TSs, and surveillance procedures for the new system, and how they are related. However, NRC staff noted that, at the time of the audit, Purdue had not finalized the proposed changes to the PUR-1 TSs. The proposed TSs did not provide complete information for changes (additions and deletions). Also, surveillance test procedures and the operating procedures were not complete as of the audit.
Purdue proposed changes to the PUR-1 TS definition 1.32, Reactor Secured.
Specifically, a new condition for the PUR-1 reactor to be secured states the control console is placed in a permissions status where the controls are not operable. During the regulatory audit, the NRC staff observed that this added condition is related to the password control for the RPCS operator workstation. However, the NRC staff does not fully understand how the permission status is used to render the controls inoperable and explain the basis for adding this new reactor secured condition. This resulted in audit Open item #7.
Purdue TS 3.2 is used to specify the lowest acceptable level of performance or the minimum number of acceptable components for the reactor safety system. Proposed TS 3.2a requires that the safety-related instrumentation shall be operable in accordance with Table I Safety Channels Required for Operation, and Table II Safety-Related Channels (Area Radiation Monitors). Purdue provided proposed TS 3.2, but the application did not provide additional description or justification needed to assess the acceptability of the proposed TS 3.2, editorial changes to Table I for Channel, Setpoint, and Function. Further, the surveillance requirements (SRs) under TS 4.2a requires a channel calibration (1. annual electronic calibration and 2. annual power calibration). However, nothing is proposed for daily/pre-start checks to ...assure that the reactor safety system is operable as required by Specification 3.2. Open item #9 was generated for Purdue to provide a proposed SR that will establish the operability of the safety channels required for operation and explain how the SR will be performed.
Additionally, the NRC audit teams review of the SAR and TSs noted that the setpoints provided in Chapter 7, Section 7.4.a, Table 7-6 of the PUR-1 SAR, and the PUR-1 TS Table I for safety channels required for operation are not the same. Purdue will need to update the affected documentation to ensure consistency between the SAR and TS.
Based on the audit of the proposed TSs, it appears that the SRs for the new system remain unchanged in the LAR submittal including no changes to the frequency of performing SRs. As such, the NRC staff is uncertain how the periodicity of the surveillance frequency will be established for the new system. The audit team noted that Purdue should clarify if the installation of the proposed system will require changes to the surveillance frequency identified in the proposed TSs. Additionally, the NRC audit
team noted that TS 4.2.d describes a channel check of each of the scram capabilities specified in Table I prior to each startup. However, consistent with the NRC endorsed guidance in American National Standard Institute/American Nuclear Society (ANSI/ANS)-15.1-2007, [a]ppropriate surveillance testing on any technical specification required system shall be conducted after replacement, repair, or modification before the system is considered operable and returned to service. The NRC staff noted that the proposed TS and SR need to incorporate the guidance for retest following replacement, repair, or modification.
The NRC audit team also observed that the Purdue standard operating procedures (SOPs) have not been updated yet. The NRC staff need to review the pre-start checklist (SOP-1) that will be proposed to incorporate the pre-start checks that verify the reactor is operational per the PUR-1 TS. This is especially significant since the current pre-start checklist (Purdue SOP-1) contains several inconsistencies with both the current and the proposed TS. Open Item #11 was generated for the development of updated SOPs for the proposed equipment upgrade.
Based on the audit open items, the NRC staff has identified a request for additional information (RAI) for Open Items #7, 9 and #11 to request Purdue provide the information necessary to close the audit open items.
Radiation Monitoring System The RMS consists of three area radiation monitors (RAMs) and one continuous air monitor (CAM). Both the RAMs and the CAM have been updated as part of the license amendment. The RAMs and CAM will output to both the RCS and the RPS. The RCS will monitor the RAM and CAM dose or count rate signal and provide a scram signal to the RPS if high level setpoints are exceeded. There is also a digital contact directly to the RPS from each RAM and CAM that will initiate a scram when the high level contact is set.
During the audit, staff reviewed Curtiss-Wright Document No. PUR1-HDD-001, Rev. 3, November 2016, Hardware Design Document. The manufacturer of the RAMs and CAM is ThermoScientific.
RAM Algorithm Overview Each RAM provides one analog output (dose rate) of the current dose rate and three digital outputs (high alarm, fail, and alert). The high alarm output controls a double-pole double-throw (DPDT) (magnet power current loop) relay where one relay output is in-line with the magnet power current loop and the other is monitored by the RCS. The fail and alert outputs are digital inputs to the RTP. The dose rate is a 4-20 mA analog input to the RTP.
NRC staff reviewed the RAM Algorithm found in Curtiss-Wright Document No. PUR1-SRS-SDD-001, Reactor Control System Control Algorithm Software, Rev. 3, dated January 2017. Each RAM provides one digital input to the RPS and three digital and one analog input to the RCS. The analog input measures the dose rate and the digital inputs measure the health status of the RAM, indicate the high dose rate alarm, and indicate the high dose rate alert. A digital variable in the I/O card in the RCS monitors the signal quality. A poor signal quality, bad RAM health status, or high dose
rate alarm (value above the alarm setpoint for each RAM) are ORd (logical OR) together and result in a scram. A poor signal quality, bad health status, or high dose rate alert (value above the alert setpoint for each RAM) are ORd together and result in a positive output to the environmental health control algorithm, but does not result in a scram. The setpoints for each RAM differ for the alert and the alarm. Both alert and alarm result in a Class 2 R*TIME alarm message on the alarm summary display.
Staff also reviewed the factory acceptance testing for the RAM algorithm completed in Curtiss-Wright Document No. PUR1-FAT-001, Rev. 1, Factory Acceptance Test for Control Algorithm, dated August 2016. This document provided the testing completed for each RAM where input and output values were verified. NRC staff reviewed the testing completed and results and verified they were all completed satisfactorily.
CAM Algorithm Overview The CAM provides one analog output (dose rate) of the current dose rate and two digital outputs (high alarm and fail). The high alarm output controls a DPDT relay where one relay output is in line with the magnet power current loop and the other output is monitored by the RCS. The fail output is a digital input to the RTP.
NRC staff reviewed the CAM Algorithm found in Curtiss-Wright Document No. PUR1-SRS-SDD-001, Reactor Control System Control Algorithm Software, Rev. 3, dated January 2017. The CAM provides one digital input to the RPS and two digital and one analog input to the RCS. The analog input measures the count rate and the digital inputs measure the health status of the CAM and indicate the high dose rate alarm. A digital variable in the I/O card in the RCS monitors the signal quality. A poor signal quality, bad CAM health status, or high dose rate alarm (value above setpoint) are ORd together and result in a scram, RCS system alarm, and a Class 2 R*TIME alarm message on the alarm summary display.
Staff also reviewed the factory acceptance testing for the CAM algorithm completed in Curtiss-Wright Document No. PUR1-FAT-001, Rev. 1, Factory Acceptance Test for Control Algorithm, dated August 2016. This document provided the testing completed for each RAM where input and output values were verified. Staff reviewed the testing completed and results and verified they were all completed satisfactorily.
Keyswitch The control console includes a keyswitch that provides a digital input to the RPS and RCS via an interposing relay. When the key is engaged, the RCS will apply power to the operator console reactor runtime odometer, which tracks the number of hours the shim rod magnets are powered. It will start logging time when the keyswitch is enabled and will stop logging time when the keyswitch is disabled.
Scientech Document No. PUR1-SRS-SDD-001 describes the logic for this function.
NRC staff reviewed this logic. NRC staff also reviewed the factory acceptance testing for the keyswitch algorithm completed in Curtiss-Wright Document No. PUR1-FAT-001, Rev. 1, Factory Acceptance Test for Control Algorithm, dated August 2016. This document provided the testing completed for the key switch where input and output values were verified. NRC staff reviewed the testing completed and results and verified they were all completed satisfactorily.
Manual Scram PUR-1 includes a manual scram button on the ROC, and another in the hallway.
Document No. PUR1-SRS-SDD-001 describes the logic implemented for these manual scram buttons, which will send a trip signal to the RPS via interposing relays. NRC staff reviewed this logic and observed the location of the relays in the temporary rack.
Magnet Power Control The magnet power control sets the magnet power to 30 milliamps (mA) when enabled.
A magnet power switch on the operator console sends a digital input signal to the RCS to enable magnet power and the RCS Scram relay when the operating conditions are met. The RCS Scram relay energizes a 24 volts direct current (VDC) control signal to the RPS magnet power relay. A 0-10 VDC analog input to the RCS verifies the magnet power current level and the signal quality. A poor digital or analog signal initiates a RCS scram output and an R*TIME Class 2 alarm message.
Purdue explained that they redesigned the magnet circuit, and only maintained the electromagnets. Also, Purdue noted that the functionality of the reset pushbutton would be maintained.
Quality Assurance ISG Design Criteria 7.4-34 discusses NRC staff review of the QAP to ensure the components and equipment of the new digital systems are commensurate with their safety importance; managerial and administrative controls can be used to assure safety design and operation of the design. 10 CFR 50.34, subsection (b)(6)(ii), requires a description in the SAR of managerial and administrative controls to be used to ensure safe operation.
Purdue has not established a QAP for modifications or replacements of the I&C system, nor has it defined managerial and administrative controls of the safety design and operation of the I&C system. Purdues SAR explains that the Laboratory Director and the Reactor Supervisor are responsible for QA activities at the PUR-1, but the SAR does not specifically describe what these activities are and how they are documented.
Consequently, at the time of the audit, QA records for the upgraded RPCS have not been created. Purdue staff recognized that this was an open item. NRC staff identified an open item to provide a description of the Purdue QAP established in accordance with the PUR-1 SAR and provide the QAP documentation for the replacement of the RPCS.
Open Item #21 was generated to address this open item.
Scientech prepared PUR1-QA-001, Quality Assurance Plan for Purdue, Rev. 0 to define the process to be followed for the design, development and testing of the RPCS.
This document defines the scope of work, roles and responsibilities, scope management, risk management, and quality management for Mirion and Scientech.
The QAP states that the RPCS is considered a non-safety related system, and therefore 10 CFR 50, Appendix B, quality requirements and codes and standards for safety systems were not applicable for this project. Nonetheless, Scientech identified QA sections applicable from its QA manual, as well as QA procedures to be used, such as QAP 22.1, Project Plans, and SOP 20.1, Software Development and Control.
The Scientech QAP defines the documents to be prepared for the Purdue RPCS, and the review and approval process. The QAP did not require the creation of formal QA records, but Scientech maintained copies of the project documents, and provided copies to Purdue.
Mirion followed its QAP. During the audit, NRC staff reviewed Mirion certificates of compliance with ISO 9001 and other Europeans standards. NRC staff reviewed the safety standards and qualification completed for each Mirion channel. All Mirion channels meet the electrical safety standard DIN-EN (IEC) 61010-1 2001 (VDE 0411-1),
Safety Regulations for Electrical Measurement and Control Equipment. Additionally, all the channels were in compliance with several German regulations: KTA 3501, Reactor Protection System and Monitoring Equipment of the Safety System; KTA 3502, Accident Measuring Systems; KTA 3505, Type-testing of Measuring Sensors and Transducers of the Safety-related Instrumentation and Control System; KTA 3507, Factory Tests, Post-Repair Tests, and Demonstration of Successful Service for the Instrumentation and Controls of the Safety System; KTA 1401, General Requirements Regarding Quality Assurance; and followed Mirion Technologies quality management manual. The DGK-250 and DAK-250 follow additional German regulations, IEC 60880-2006, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety, and Software Aspects for Computer-based Systems Performing Category A Functions IEC 60880:2006.
This documentation contained several certificates. An RTP Certificate of Conformance dated January 29, 2016, states that the equipment is in conformance with contract requirements including form, fit, and function compatibility. An additional certificate is the Allied Wire and Cable Certificate of Compliance. IQNet and DQS GmbH certified that Mirion Technologies maintains a quality management system in accordance with standard ISO 9001:2015 and is valid until March 28, 2019.
Configuration Management Section 7.6.i of the SAR describes Configuration Management for PUR-1. Specifically, this section requires that any change to the facility be documented. Further it requires that configuration of the software be maintained and documented as Appendix II to the Reactor Characteristics and Operation manual. This document was not updated at the time of the audit. NRC staff identified an open item to provide an excerpt for Appendix II to the reactor characteristics and operations manual (RCOM) that demonstrates how configuration management for the software will be maintained and controlled in accordance with the PUR-1 SAR.
NRC staff reviewed PUR-1 Operating Principles and Core Characteristics Manual, Revision 0, which describes the reactor, operation, and control and system descriptions.
Purdue staff noted that they are considering updating this document to describe how to control and operate the new RPCS system. Also, they are considering using Scientech PUR1-OPS-001, Operator Manual, Rev. 1, which describes how to use the RPCS, human machine interface (HMI) display, and physical controls from the operator console.
NRC staff identified an open item to address this and it is Open Item #28.
For the RPCS, Scientech prepared PUR1-CMP-001, Configuration Management Plan, Revision 0. This plan defines the requirements for configuration management and
control of hardware, software, and documents configuration items for the RPCS. In particular, this plan describes organization, roles and responsibilities and how to control third party software and the R*Time system. This includes data files prepared for PUR-1. However, during development, Scientech noted that files backup were maintained on an external system, and Scientech provided the final versions.
The plan states that all documents and hardware components are described in the PUR-1 Hardware Design Description (PUR1-HDD-001) and the configuration and settings of the hardware components are documented in the PUR-1 system configuration manual (SCM) (PUR1-SCM-001). Also, this plan described how to manage documents created for PUR-1. Scientech maintained a project document log listing all documents. Open Item #20 was generated to address a question with configuration management.
Software Configuration Manual Scientech prepared a SCM, PUR1-SCM-001, Rev. 0, which describes the procedures and information necessary for configuration of the hardware and third party software, including R*Time software. The SCM identifies the exact version of the software delivered to Purdue.
The SCM also describes the process to create login access to the RPCS and the HMI.
In addition, Scientech provided PUR1-SMM-001, System Maintenance Manual, Rev. 2.
This manual provides information and instruction to maintain RPCS software application and hardware. This manual includes a section that describes the procedure for configuration management of the RCS files. Specifically, the system files for the RCS were saved in the external hard-drive of the ROC workstation (O2-WKS), configuration management system using SubVersion Server. The SubVersion Server can be used to perform configuration management activities (e.g., checking files after modifications) of the R*Time source, configuration files, and NetArrays project. The manual also describes how to configure and modify the RCS using the files saved in the SubVersion Server, as well as how to perform system disaster recovery.
The PUR1-SMM-001 also defines the following operation procedures: RPCS system power up, RCS system power down, RCS component replacement, and drive system configuration (settings to operate with RCS).
Software Quality Assurance Plan Scientech developed PUR1-QA-002, Software Quality Assurance Plan, Rev. 0 to define software QA requirements for the RPCS replacement, including software development and configuration. Scientech derived and adapted the requirements in IEEE Std. 1012.
The software quality assurance program (SQAP) described the organization and roles and responsibilities to perform software quality assurance (SQA) activities. In addition, this plan describes the use of peer reviewers for review of certain documents, depending on their safety integrity level (SIL). Specifically, documents would be reviewed in accordance with SOP 20.1, and described in the SQAP. The SQAP defines who was responsible for development and verification of each document. For example, the
software verification and validation plan (SVVP) was developed by the Project Engineer and verified by the Project Manager.
The SQAP describes the tasks to be performed during the development and testing of the RPCS. These tasks are: staging and configuration of RPS and RCS hardware, configuration of R*Time system, control algorithms, and HMI displays. In addition, this document describe SQA requirements for verification and validation (V&V) activities and configuration management, as well as the content of the documents developed for these activities.
The SQAP describes defect reporting and corrective actions for the R*Time system and when developed application specific software.
Verification and Validation Plan Scientech developed PUR1-VV-001, Software Verification and Validation Plan (SVVP) for PUR-1, Rev. 0. This document describes V&V activities to be performed during the design, development and testing of the RPCS, which were adapted from Scientech QAP 20.1. (This QAP addresses SQA and SVVP for safety related projects.) Scientech also considered its SOP 20.1 for software development and control, which describes configuration and software development activities for the project.
The SVVP described procedures, documents, reviews and testing for the RPCS, including the HMI. This document also describes how V&V activities would be performed throughout the life cycle of the RPCS. This document describes the following life cycle phases for the RPCS: concept, requirement, design, implementation, test, and installation/checkout. The VVP describes the activities to be performed during each phase, as well as the documents created. For example, during the requirements phase, Scientech created software requirement specification, software configuration management, test plan, and a requirements traceability matrix (RTM). Note that even though a RTM was required, Scientech did not prepare one for this project. Instead, Scientech used the FAT to verify that all RPCS requirements were verified. For this to be accomplished Scientech used the functional requirements specification (FRS) and Software Requirements Specification/Software Design Document (SRS/SDD) documents, and mirror the requirements identified in the SRS/SDD.
Because the RPCS is a non-safety related system, Scientech did not use an independent V&V team, instead performed peer review in accordance with its QAP and SOP.
In the SVVP, Scientech identified the SIL for each system component or configuration item (e.g., FAT) in the RPCS. A map of the SIL levels was included in Exhibit 1.
The SVVP includes Appendix A, which provides all software V&V forms required by SOP 20.1 and QAP 20.1. In particular, these forms provided templates for certain documents and review checklists. The forms provided are:
- RTM review checklist
- Software design review checklist
- Test plan
- RTM (design) review checklist
- FAT procedure
- RTM (implementation) review checklist
- Test exception report
- Unit testing checklist
- Unit test spreadsheet Note, according to this plan, during the installation and checkout phase, Scientech needed to prepare a configuration audit checklist, installation checkout checklist and operability verification. These forms were not prepared for PUR-1, and their scope was part of the FAT and SAT.
The SVVP describes how anomalies observed should be handled and documented.
Specifically, anomalies identified during all phases up to implementation will be resolved in accordance with the process described in SOP 20.1. For anomalies identified during testing, anomalies should be tracked by a test exception report (TER). The SVVP requires these anomalies should be resolved before performing the SAT.
During the audit, NRC staff observed all V&V forms prepared and completed for PUR-1.
However, these forms were not transmitted to PUR-1 and remained with Scientech.
Test Plan Scientech submitted PUR1-TST-001, Test Plan, Rev. 0, to define the requirements for system testing to verify functional requirements of the RPCS and associated subsystem (including new and existing reused equipment). This plan describes unit testing, integration testing, FAT and site acceptance test (SAT). This plan notes that after installation, SAT will be performed using actual signals from the reactor system to demonstrate functionality of the system. The plan clearly states that the SAT should not be a repetition of the FAT, but instead the SAT would verify the interface between the RPCS and the reactor system and demonstrate the system was correctly installed and functioning.
This plan describes the external equipment to be used during testing. In particular, the equipment to simulate reactor operation and simulate inputs signals, as well as the equipment to record outputs from the RPCS.
This plan describes the use and content of test procedures, with step-by-step instructions, for the FATs and SAT. Furthermore, the plan specifically identifies the FAT procedures to be prepared for the replacement neutron detectors (Mirion), neutron channels, and system (including both RCS and RPS). This plan states that these test procedures should be reviewed and approved by Purdue. It also identifies people responsible for performing the different test activities, including completion of test reports.
This plan requires identification of the acceptance criteria, pre-requisites, hardware, and test order in each test procedure.
This plan describes the process and criteria to identify, record and dispose of anomalies observed during testing. Specifically, Scientech would create TERs for each anomaly,
and they will be tracked in TestTrack Pro software. The plan also defines criteria for approval, suspension, and resumption of tests.
Reactor Control System The RCS takes input from the control console and neutron flux levels from the NFMS channels to control 5 drives in the reactor. There are 3 control rod drives, 1 source drive and 1 fission chamber drive. The existing control rod, source and fission chamber drive mechanisms will remain and interface with the new I&C system. The 3 control rods consist of a regulating rod and 2 shim-safety rods. RCS controls allow an individual rod to be controlled when withdrawn and prevents withdrawal of more than one rod at a time via interlocks. All control rods can be inserted simultaneously to reduce reactivity using a gang lower function. Open Items #15, 16, and 17 were generated to address questions with the PLC.
The operator interface consists of a ROC which includes the operator console display workstation. The console maintains use of a key-switch to engage operation of the reactor. Turning the key to the appropriate position engages the control rod magnet current, allowing for manipulation of the control rods. There is a scram button that will allow rapid manual shutdown of the reactor, as well as three other emergency switches.
The emergency switches activate the control room alarm, activate the house alarm, and shut down the HVAC isolating the reactor room.
The operator console display workstation is the main interface with the RCS and RPS.
It uses two display screens mounted in the operator console and the operator uses a keyboard and mouse to operate the workstation. The workstation displays process indication data and provides the ability to control the system. It also allows data to be exported to removable media. The workstation must be online to operate the reactor.
Magnet power will not engage without the workstation in operation. Open Item #8 was generated to address a question with operator training.
Reactor Control System Control Algorithm Review During the audit, NRC staff reviewed the RCS Control Algorithm Software (PUR1-SRS-SDD-001, Rev. 3) to review the logic associated with RCS functions that are related to the RPS. The following items were addressed as part of this review.
RCS SCRAM NRC staff reviewed the logic calculations for the RCS SCRAM inputs. These logical inputs include the following:
- RAM #1, 2, 3 - High dose rate alarm or failed input
- CAM - High count rate alarm or failed input
- NFD 1 (Mirion Channel #1) - Low period alarm or failed input
- NFD 2 (Mirion Channel #2) - Low period alarm, high power alarm, loss of high voltage, or failed input
- NFD 3 (Mirion Channel #3) - High power alarm or failed input
- NFD 4 (Mirion Channel #4) - High power alarm or failed input
- NFD 1, 2, 3, 4 - Channel fault or test mode
- RCS - I/O Equipment Failure
- RCS - Computer Failure
- RCS - Power Supply Failure
- Manual Scram (2 different buttons - one on console, one in hallway)
- Keyswitch on control console
- Magnet power fault All of these inputs are ORd together logically. If any input is set, the SCRAM digital output is set which triggers the interposing relay in the RPS SCRAM circuit, as the RCS SCRAM is an indirect SCRAM.
Note: Discussion with the vendors identified there are direct and indirect SCRAMs in the RPS SCRAM circuit. Direct SCRAMs have the RPS SCRAM circuit directly wired to the device. The direct SCRAMs include the keyswitch, manual SCRAMs, and the Mirion box SCRAMs. Indirect SCRAMs use an interposing relay because the original device cant handle the RPS SCRAM circuit current. These indirect SCRAMs include the RAM, CAM and RCS SCRAM relays.
NRC staff also reviewed how the RCS SCRAMs are latched into the system. The RCS SCRAM function block is the latching block. It can only be reset if the condition has cleared and the annunciator acknowledge button is pushed and held. The reset occurs first in the string of function blocks so if the condition still exists, stepping through the function blocks results in setting the RCS SCRAM flag again. The Scientech representative confirmed that no outputs are set until all the function blocks have all been stepped through.
RCS SCRAM Timing A representative from Scientech stated the RTP3000 records, to the millisecond, when a SCRAM input changes and then documents when the Rod Bottom indication is received.
This time range is the rod drop time. Purdue has confirmed that once the system is installed, the core will be refueled and the rod drop times will be validated before the system is brought fully online.
RCS Setback NRC staff reviewed the logic for the RCS setback function. The following setback conditions are ORd together: period setback, power setback, servo setback, and RCS SCRAM. Any of these conditions will cause the rods to gang insert to a set target below rod bottom to ensure they fully insert. If all setback conditions are clear and theres no active SCRAM condition, the setback conditions are reset to stop the setback. The rods will continue to insert to the target until the joystick is toggled to stop rod movement.
RCS Interlocks NRC staff reviewed how the interlocks logic works. The interlocks will not allow withdrawal of the shim-safety rods, the regulating rod, or the fission chamber if the source is missing, there is a data acquisition system (DAS) trouble alarm, workstation trouble, source drive is in operation, NFD 1 withdrawal interlock flag is set, or if the NFD 2 withdrawal interlock is set. The inputs are all logically ORd together and if any
condition is set, the RCS interlock will engage. The interlock is reset in a similar manner to the RCS SCRAM function. The interlock function blocks are all polled and if all the functions in the string are clear, the interlock will reset and allow normal rod motion.
An output will not occur until all function blocks have been polled.
RCS Workstation Trouble Watchdog Another software algorithm reviewed by NRC staff was the watchdog timer for the RCS.
The RCS workstation software sets an integer to 30. If the R*Time software is not operational, it counts down by 1 every second. When it reaches 0, the workstation trouble indication will be set and the RCS stall function is set which results in an RCS SCRAM.
Servo Control NRC staff reviewed the servo control algorithm. This algorithm is used to provide automatic control to maintain a set power level using input from Channel 3. Once the desired power level is achieved, the reactor operator can switch to servo mode. A new power level can be set if it is within 5 percent of the set power level. In servo mode, the RCS automatically adjusts the regulating rod to adjust power level by comparing channel 3 to the set RCS value. If power deviates from the requested level by more than 5 percent, servo control is terminated, a rod setback occurs, the servo control annunciator is activated, and a class 2 alarm initiates. The FAT test for the servo control was reviewed. There was one TER generated (TER # 8531) because the horn did not sound when the setback occurred. All other results passed and were signed off on September 1, 2016. The code for the setback horn was corrected and the test was performed again with satisfactory results and signed off on September 1, 2016.
HVAC System NRC staff noted the HVAC system has a digital input to indicate status to the RCS. The input drives a digital output which allows the RCS to control input power to the HVAC system via an interposing relay. There are also ties to the Isolate Confinement switch.
The Isolate Confinement switch has two outputs. One connects to the isolate confinement control relay and the other indicates the state of the switch to the RCS. The relay has two outputs. One connects power to the HVAC input power and one indicates relay state to the RCS. Confinement isolation can only be initiated by the control switch.
This interacts with the HVAC system by isolating the input power so the HVAC system is disabled if the isolate confinement is active.
Negative Air Pressure Monitor NRC staff reviewed the negative air pressure monitor as part of the audit. It provides indication of differential air pressure between the control room and outside, as well as control room and adjacent space, via a 4-20 mA signal. Each monitored differential air pressure has a digital alarm. These are both logically ORd in the RCS system and a flag is set if they are out of the setting range. This is part of the environmental health function where they are logically ORd with RAM, CAM and HVAC isolate confinement inputs to set an alarm. Fan power for maintaining negative air pressure is controlled by a control switch or the RCS directly.
Water Conditions NRC staff also reviewed the inputs to the RCS related to water conditions during the audit. The primary coolant pump has a digital input to the RCS to indicate if it is on or off. The water chiller provides two input signals to the RCS. The ready signal indicates power is available and there is also indication if the chiller is on or off. Chiller power is controlled by a dedicated control switch or by the RCS directly. There are also water chemistry sensors providing 4 analog input signals to the RCS. These signals are all 4 -
20 mA and are generated by two separate probes, one at the pool and one downstream of the demineralizer, monitoring water conductivity and water temperature. Alarm messages will indicate on the alarm summary page if the temperature or the water conductivity is too high.
UPS During the audit, NRC staff reviewed the uninterruptable power supply (UPS) interactions with the RCS. The RCS monitors the two UPSs and indicates loss of input power. It also initiates a Class 2 alarm to indicate the system is operating on battery backup. Communication is handled via network connection between both UPSs and the RCS. The RCS screen indicates battery status, power input status, and power output status. This screen was also reviewed in the operations manual (PUR1-OPS-001, Rev.1). Open Items #3, 4, and 5 were generated to address questions with the UPSs.
RPCS Factory Acceptance Test Review Scientech performed the following tests: FAT for control algorithm, FAT for system generation, FAT for physical inspection, and FAT for rod drop timing.
Mirion provided completed FAT reports, along with testing certificates for the neutron monitors. Description of these FATs is provided with the neutron channels.
Open Items #23, 24, and 25 were generated to address questions with the FATs.
RPCS Control Algorithm Factory Acceptance Test Scientech and Mirion prepared PUR1-FAT-001, Factory Acceptance Test for Control Algorithm, Rev. 1 to perform system integration and to demonstrate conformance with the system requirements defined in the FRS. NRC staff reviewed the completed FAT during the audit.
This FAT describes all tests performed for each component of the RPCS. In particular each section described the test activities, step-by-step, to demonstrate conformance with FRS. Each test identifies the I/O list, functional tests to be performed, and conditions to restore the system after testing.
The FAT for the control algorithm was completed in August 2016. The FAT identifies several TERs identified during the FAT. However, it was not clear if modifications to the system were made to resolve these TERs. NRC staff has identified an open item to request information about how these TERs were resolved and if the system was retested after modifications were made.
The following sections describe the information included in the testing report.
Functional Test of RCS SCRAM The report included the instructions on how the test was setup and how they performed the functional test for all of the digital output points. All tests were documented and were successfully passed. The final section documented the successful completion of testing and was signed off by Purdue and Scientech on August 30, 2016.
Functional Test of RCS Setback The functional test of the RCS setback had similar information to the SCRAM test. It described the test setup, the functional test of the digital output points and the results.
Finally it documented successful completion of all tests and was signed off by Purdue and Scientech on 9/1/16.
Functional Test of RCS Interlocks The functional test of withdrawal interlocks tests the physical inputs and outputs associated with the interlock. The testing documentation described the test setup and provided instructions for performing the test for digital input points and indications. All tests were passed and signed off. There were modifications to the testing that were performed that were also signed off. These typically resulted because they could not actually test rod withdrawal since the control rod drives were not connected to the system. Purdue stated they will perform all the FATs again once the system is fully installed. All tests that could be completed were completed and signed off on August 31, 2016.
Functional Test of Workstation Trouble Watchdog The functional test of the workstation trouble watchdog identified the test setup and how the watchdog was tested. The watchdog is set, R*Time is stopped and the test performer ensures the watchdog countdown occurs. Once the counter reaches 0, the test performer ensures the appropriate flags are set. All tests were passed and signed off by Purdue and Scientech on August 31, 2016.
Functional Test of Indicator Test/Reset The functional test of the indicator test/reset tests all panel indicators to ensure they illuminate and then verifies the indicators are not illuminated once reset. This also includes a functional test of the alarm summary acknowledge and verifies the security levels are appropriately applied. Similar to previous testing, the report documents the test setup and instructions for testing, and then documents successful completion of the testing on August 31, 2016, by Purdue/Scientech.
Functional Test of Temporary Setback Limits During review of the FAT, NRC staff noted the testing of Temporary Setback Limits.
This was discussed with Purdue to determine what these limits are. They are limits set by the superuser to limit percent power and power change rate to allow new operators to learn to operate the reactor with less potential for violating TS limits. This was tested by
SAT on September 2, 2016, by Purdue. In addition, during the audit Purdue personnel demonstrated the operation of the Temporary Setback Limits.
Functional Test of Magnet Power Control NRC staff reviewed the FAT for the magnet power control algorithm. This document provided the testing completed for the magnet power control where input and output values were verified. The tests performed were: magnet power switch, scram condition, alarms, and display setpoint. NRC staff reviewed the testing completed and results and verified they were all completed satisfactorily.
Functional Test of Manual Scram NRC staff reviewed the factory acceptance testing for the manual scram algorithm.
The documentation provided the testing completed for the manual scram buttons.
The functional tests were completed satisfactorily.
Functional Test for RPS NRC staff reviewed the completed FAT. This test identified the scram conditions and their corresponding contacts in the wiring cabinet, which were identified in wiring schematic, PUR1-HDD-0016-16. During the test, each scram condition was generated, and it was confirmed that a scram resulted. The functional test was satisfactorily completed in September 2016.
Functional Test of Neutron Channels This test demonstrated conformance of the Mirion neutron channels to the FRS after being integrated with the RPCS.
Scientech, Purdue and Mirion participated in these tests. They performed functional tests for each channel. Each test identified: I/O list, functional tests, modifications (if applicable), restoration of the system after testing, and completion. The functional tests for all 4 channels were successfully performed.
Rod Drop Timing - FAT This FAT is described in PUR1-FAT-003, Rev. 1, dated August 2016. NRC staff reviewed the completed FAT, which describes the tests performed and the results obtained. This document describes the test procedure for measuring this time. Purdue performed two measurements, one for a scram event, and another for multiple scram events. After the tests were completed a control rod drop timing report in a CVS file was created.
NRC staff observed the results recorded, which showed that the tests were passed.
Note that this test was performed twice because an error was observed. Scientech created TER, issue number 8525. The TER stated that an error was found in test steps 26 and 27. To resolve this issue, Scientech modified the configuration and performed a retest, which was successful.
Purdue noted that calculation of this timing is currently performed once a year. Purdue noted that they will perform this test when the RPCS is connected to the reactor system.
The FAT identifies the requirements to meet and pre-requisites to perform this test.
This FAT also showed that verification of miscellaneous items were performed, such as functionality testing, input verification of the control rod drop timing application, and no report is created when a scram is not present.
The FAT was successfully performed, and the report was signed by Scientech and Purdue.
Factory Acceptance Test for Physical Inspection NRC staff reviewed the FAT for Physical Inspection (PUR1-FAT-101) as part of the audit. The document demonstrates the RPCS system supplied by Scientech satisfies the functional requirements. It also demonstrates the hardware staged for factory acceptance testing matches the cabling, labeling, and configuration as documented in the hardware design description. All items were marked as satisfactory except for the water chemistry analyzer which was not on site at the time. All variations were signed off and cable to/from verifications were performed as part of the testing.
FAT for System Generation Scientech prepared PUR1-FAT-102, Factory Acceptance Test for System Generation, Rev. 1 to define the tests to be executed for the R*Time and application software for PUR-1 system. In addition, this document describes the process to configure or rebuild the RPCS from the source code files.
The FAT for system generation was successfully completed in August 2016.
Site Acceptance Test Scientech prepared PUR1-SAT-001, Site Acceptance Test for Parallel Installation, Rev. 0. This plan was used to demonstrate functionality of the RPCS replacement control algorithms and to show conformance with the FRS after parallel installation with the existing (reactor) system.
This plan describes the use of an external panel to test the interface between the RPCS and external systems. In particular, this panel would simulate signals from RAM, CAM, makeup water system, air pressure, HVAC, water pump, water chiller, water chemistry sensors, manual scram, key switch, house alarm, fission chamber drive control, source drive control, shim safety #1 rod drive control, shim safety #2 rod drive control, regulating rod drive control, and drive position indication.
During the audit, Purdue indicated that they would repeat this test once the RPCS is connected to the reactor system and other external systems (e.g., manual scram, key switch, etc.).
PUR-1 Hardware Design Document Review NRC staff reviewed the Hardware Design Document (HDD) (PUR1-HDD-001) as part of the audit. The HDD defines the design of the hardware for the RPCS. It also describes the overall system design, including hardware and software of the RPCS.
NRC staff has identified Open Item #27 to request this document be docketed along with two other documents.
Power Sources NRC staff questioned the source of power (UPS-1 or UPS-2) to be used for the components being installed. The HDD identified the anticipated source of power for the components procured/installed by Scientech/Mirion. The original intent was to use UPS-1 for the non-RPS components which includes the following: workstation computer; workstation monitor; Ethernet switch; RTP 3000 TAS; the recorders; and one of the power distribution units. UPS-2 was to be used for the RPS-related components including the Mirion boxes (Channels 1, 2, 3, and 4), the Acopian current source, the rod drives, and the remaining power distribution unit. Discussion with Purdue personnel indicated this may not be the end result because it depends on where cables can reach.
This is addressed in Open Item #5.
Component Model Numbers and Operating Ranges NRC staff reviewed the HDD to determine the component model numbers and operating ranges to ensure they will function appropriately in the reactor operating environment.
The following components were identified in the HDD:
- Dell 5810 (Workstation)
- Siriusview LCDR8U19-12 (Monitors)
- N-Tron 1005TX (Ethernet Switches)
- RTP 300D/R2-155 (TAS Chassis)
- Yokogawa DX1004 (Recorders) - (0 - 50°C) Temperature and (20% - 80%)
Relative Humidity
- Thermoscientific RMS-3 (RAMs) - ( 122°F) Temperature
- Thermoscientific AMS-4 (CAM) - ( 122°F) Temperature
- Dwyer Series DH-2 (Negative Air Pressure Monitor)
- Rosemount 56-03-20-30-DP (Water Chemistry Analyzer)
- Rosemount 400VP-11 (Water Chemistry Probe)
- Tripp-Lite Smart 3000CRMXL (UPS)
- Tripp-Lite BP48V48RT4U (UPS Battery)
- RTP 3000/06 (Node Processor)
- RTP 3126 (Analog/Digital Input Cards) - ( 60°C) Temp (10% - 95%) RH
- RTP 3122 (Analog Output Cards) - ( 60°C) Temp (10% - 95%) RH
- RTP 3139 (Digital Output Cards) - ( 60°C) Temp (10% - 95%) RH
- RTP 3000/01 (Chassis Processor) - ( 60°C) Temp (10% - 95%) RH
- Canary GT-10SD Rev. C (Data Diode) - (0 - 50°C) Temp (10% - 80%) RH
Demonstrations and Questions Discussed with Purdue/Scientech/Mirion NRC staff had multiple discussions and requests for demonstrations that were handled by representatives from Purdue, Scientech, and/or Mirion. The following sections discuss these items.
Dedication of Screen for Reactor Drive Controls NRC staff questioned the assertion in the Functional Requirements Specification that the left screen would be dedicated to the reactor drive controls and how this would be enforced. The representative from Scientech stated the left screen is dedicated to the Reactor Drive Control screen and cannot be changed while the right screen can be used to bring up other screens the user desires. Purdue personnel then demonstrated that you could not change the Reactor Drive Control screen to another screen. The Reactor Drive Control screen shows drive status for the Neutron Source, Fission Chamber, Shim-Safety Rod 1 and 2, and the Regulating Rod. It displays the position (both graphically and numerically) of the selected rod and indicates if the rod is at the lower limit, 2/3 height, or the upper limit. All drives have jam indication and the shim-safety rods have indication if magnet power is engaged and if the rod is at rod bottom. There is also indication at the top of alarms and indication at the bottom if Automatic Startup or Servo Control are enabled.
NRC staff asked during the demonstration if Purdue was able to modify the system software and how this would be controlled. The Scientech representative identified that Purdue has the source code and the tools necessary to modify the system if desired.
Purdue personnel stated that only the highest level user access allows modifying the code and this would only be entered with the express intent of making changes to the code. Normal access level does not allow modifying the code to ensure accidental changes are not made. Purdue also demonstrated the difficulty in accessing live code to modify it which also provided assurance that accidental code changes would not be made. If a value is forced to a set value, a system alarms to identify a value is forced.
NetArrays allows you to identify what values are being forced.
User Accounts NRC staff reviewed the various user accounts used at PUR-1. The Windows login is independent of the login used to access the RCS R*Time software. Windows logins include admin - local admin; rtime - R*Time service account; Scientech - Scientech admin account; and oper - operator workstation user account. In addition, the R*Time software includes the following levels: facility staff + SRP - Highest level including source code access; SRO; RO; and TNR. Finally, in the System Generation FAT (PUR1-FAT-102), there was another set of user levels for the system. These levels are:
view - level 5; maint - level 10; oper - level 15 (Purdue indicated operators probably here); engineer - level 20 (Purdue - SRO mostly here); and admin - level 31 (Purdue - only if needed to adjust R*Time due to concerns about accidental adjustments). Discussion with Purdue personnel indicated that these are the various recommended Scientech settings but the levels to be used at PUR-1 are not defined yet.
Open Items #6 and 7 were generated to address questions with user access.
Pushbutton Indicators NRC staff noted that in the FRS, there is discussion about pushbutton indicators versus just indicators without much description and we needed further clarification. This was discussed with Purdue personnel who identified the indicators on the console. The pushbutton indicators include the Control Room Alarm, House Alarm, Isolate Confinement, Water Process Pump Power, Chiller Power, Magnet Power and Annunciator Acknowledge. These pushbutton indicators light up when they have been pressed to indicate status of the associated system. In addition, there are two other indicators that are not pushbuttons and they are Chiller On and Environmental Health.
Marking of Safety vs. Non-Safety Components During the audit, NRC staff asked if there was any markings or indication used to distinguish between safety and non-safety components. Purdue personnel indicated that there were no such markings however, due to the simplicity of the reactor, a trained operator will be able to know which ones are safety components and which are not.
Geographic Security Requirements NRC staff noted that some documents referred to geographic security requirements and asked the representative from Scientech about them. He responded that these requirements are not used at Purdue. In some applications there are multiple access points such as the EOF, Control Room and TSC at a nuclear utility, and the user may not want certain functions accessible at certain locations. Therefore settings can be implemented to restrict access to certain features to specific locations.
USB Control NRC staff questioned how security controls are in place to restrict USB access to the RCS and RPS components to ensure viruses and other malware cannot be introduced.
Purdue and Scientech personal demonstrated the installation of port locks into unused USB ports and how the system configuration (Identified in the SCM (PUR1-SCM-001))
modifies the workstation on an account level to deny access by any removable storage.
The key for unlocking the USB port locks is under similar administrative control to the reactor key. They also indicated the ports currently in use by the keyboard and mouse for the control console are located within the cabinet and would be difficult to access without the operator being aware.
HVAC Controls NRC staff questioned how the temperature and humidity setpoints for the HVAC system are set and who maintains the setpoints. Purdue personnel identified they determined the setpoints and the vendor programmed them in the HVAC system. The HVAC system operates independently to maintain the humidity and temperature.
Open Items #1 and 2 were generated to gather more information on the HVAC system.
Workstations NRC staff asked about how the workstations are identified to prevent confusion and how the secondary workstation is protected. Purdue indicated the operator workstation is
identified as 02-WKS, the secondary workstation is identified as SWKS. The secondary workstation is accessible by anyone in the room and the password is separate from the passwords for the main operator console workstation.
Alarms and Annunciator NRC staff questioned the various alarm levels, what occurs when they actuate and how the annunciator works. The representatives from Purdue and Scientech identified there are 4 types of alarms. House alarm causes a site evacuation, class 0 alarms cause a reactor room evacuation, class 1 alarms actuate an annunciator alarm from the console, and class 2 alarms do not activate an annunciator and only appear in the RCS alarm summary display screen. The annunciator screen will automatically pop up on the operator console in response to any condition that causes a SCRAM or setback condition.
System Identification and Labelling Purdue does not have a process to identify safety versus non-safety systems in the control room. However, Purdue requested that Scientech identified the wires connected to the relays in the RPS. NRC staff observed that these wires were marked with red tape.
In addition, NRC staff observed that the neutron channels are installed in a separate rack than the RTP and UPS. However, these are temporary racks used for integration and testing. Purdue noted that the final installation will maintain this separation.
- 4. ACCESS CONTROL AND CYBER SECURITY As part of the audit, NSIR staff performed a walkdown of the proposed digital I&C upgrade with Purdue University personnel and interviewed Purdue and Scientech representatives. The intent of the walkdown and interviews was to provide an assessment of the cyber security preventative measures (in place or proposed) in accordance with the ISG for Chapter 7 of NUREG-1537.
Several items for consideration were observed. These items were related to preventing unauthorized use of the reactor controls, potential cyber security vulnerabilities (physical and electronic) in the development phase, controls to prevent unauthorized physical and electronic access, and controls that govern physical and electronic access to safety system software and data during and after installation (includes installation, testing, operations, maintenance, and retirement). Further details are considered Sensitive Unclassified Non-Safeguards Information (SUNSI) and will not be included in this audit report.
- 5. EXIT MEETING At the conclusion of the audit, NRC staff met with Purdue staff and discussed the activities performed during the audit. The NRC staff addressed each of the planned audit activities outlined in the audit plan (ADAMS Accession No. ML17220A243). In addition, Purdue was provided with a summary of how many open items were closed during the audit and the number of new open items identified during the audit. It was
noted that there would be further review to determine which open items would need to be addressed by RAIs.
At the end of the meeting, Purdue and NRC staff discussed the schedule for completion of the approval of the LAR. NRC staff explained that the current schedule for the SE is dependent on a successful audit and prompt and complete RAI responses.
- 6. OPEN ITEMS NRC staff identified the following open items as a result of the audit. These open items were reorganized and summarized in RAIs, which are necessary to support NRC review.
- 1. During the audit, it was not clear how the reactor room HVAC settings were determined and how the HVAC system maintains the environmental conditions. Provide a description of how the operating temperature and humidity range in the FRS was determined (RAI #1). Describe how the HVAC unit will maintain the environmental conditions identified (RAI #2).
- 2. During the audit, NRC staff had questions on how the temperature in the component cabinets are monitored to ensure equipment remains operational.
Describe the means to measure temperature within the cabinets or explain why this information is not necessary (RAI #3).
- 3. The electrical requirements (FRS 3.1.1) state that there are no equipment electromagnetic interference/radio frequency interference (EMI/RFI) requirements except verifying operability (however, no such test has been documented or performed). During the regulatory audit, the NRC staff observed that much of the cabinet wiring is single strand copper or Cat-5 twisted pairs. At the same time, there are major alternating current (AC) sources (240 volts alternating current (VAC) for the UPSs and 120 VAC from UPSs to other loads), as well as, convenience outlets at top of cabinet.
Explain how electromagnetic compatibility is assured and verified or describe why it is not required (RAI #4).
- 4. During the audit, there were some questions on how the UPSs will operate in the new configuration. Chapter 13 of the Purdue SAR, Section 13.1.7, Loss of Normal Electric Power, will shut down the reactor. With the addition of the UPSs, this is no longer the case because the UPSs will continue to provide magnet power. Update the Purdue SAR to describe the role of the UPSs during a loss of normal electric power or explain why this update is not necessary (RAI #5).
In addition, it was stated that the UPSs can provide ride-through for loss of facility power. The UPSs are specified and sized to provide up to 30 minutes of backup power to the RPCS. Further, it was stated that a casualty procedure (CP) would be established for controlled shutdown following the loss of building power. Describe the operator actions (including method of controlled shut down (e.g., ganged drive-in or scram)) and approach to ensuring safe shutdown especially since the reactor room has no emergency lighting (RAI #6).
- 5. PUR-1 SAR, Chapter 7, Section 7.3.f.i.(b) states that each UPS unit supports loading up to 3600 watts when hard wired. During the Purdue site audit, the NRC staff noted that the test bed (as shown in PUR-1 SAR, Figure 7-4) for the RPCS had removable power connectors for the supplied power to the UPSs. If the final install will also have removable power connectors for the UPSs power inputs, provide the loading supported by each UPS and explain if the load rating is sufficient for the intended loads, including any anticipated use of the cabinet mounted Tripp Lite, 120 VAC, convenience outlets (RAI #7).
- 6. As described in the PUR-1 SAR, Section 7.9.a.iv, the RPCS operator workstation has multiple login groups for user authentication and establishing access control and privileges, including a super-user login with full privileges to control or modify any aspect of operation, maintenance, and program administration and configuration management. The level of privilege is stated in Table 8-1 in the System Generation, FAT as level 5, 10, 15, 20, and 31, but no description is provided to differentiate the permission associated with these levels. Provide a more detailed description of the permission levels associated with each of the group levels to be used; the criteria for assignment of individuals to the various levels, and how the permission levels (i.e., group assignments) will be administratively assigned and controlled or explain why this information is not needed (RAI #8).
- 7. Proposed TS definition 1.32, Reactor Secured, contains a new condition for the PUR-1 reactor to be secured that states the control console is placed in a permissions status where the controls are not operable. During the regulatory audit, the NRC staff observed that this added condition is related to the password control for the RPCS operator workstation. Describe in detail how the permission status is used to render the controls inoperable and explain the basis for adding this new reactor secured condition or explain why this information is not required (RAI #9).
- 8. The regulations in 10 CFR 55.59, Requalification, subsection (a)(2)(ii) requires an operating test that ensures the operator or senior operator demonstrate an understanding of and the ability to perform the actions necessary to accomplish a comprehensive sample of items specified in 10 CFR 55.45(a)(2) through (13), inclusive, to the extent applicable to the facility. The regulations in 10 CFR 55.45(a)(8) requires the operating test to demonstrate that the operators can [S]afely operate the facility's auxiliary and emergency systems, including operation of those controls associated with plant equipment that could affect reactivity or the release of radioactive materials to the environment. The regulations in 10 CFR 55.59(c)(3)(i)(W),
requires licensed operators to demonstrate that they can manipulate controls in response to a [M]alfunction of an automatic control system that affects reactivity. Provide a description of the operator training applicable for the proposed I&C upgrade implemented with this LAR that will be used to qualify the operators on the new console and equipment before the system is approved for use, or justify why no additional information is needed (RAI #10).
- 9. TS 3.2a requires that the safety-related instrumentation shall be operable in accordance with Table I Safety Channels Required for Operation and Table II Safety-Related Channels (Area Radiation Monitors). The SR under TS 4.2a requires a channel calibration (1. annual electronic calibration and 2.
annual power calibration). However, nothing is proposed for daily/pre-start checks to ...assure that the reactor safety system is operable as required by Specification 3.2. Provide a proposed SR that will establish the operability of the safety channels required for operation and explain how the SR will be performed or explain why this information is not needed (RAI #11).
- 10. Provide additional description or justification needed to assess the acceptability of the proposed TS 3.2, editorial changes to Table I for Channel, Setpoint, and Function or justify why no additional information is needed (RAI #12).
- 11. PUR-1 SAR, Section 7.6.i - Configuration Management states that as part of the pre-start checklist, operators will verify the software version listed at the top of the displays on the console match the current release as listed in the Reactor Characteristics and Operations manual. During the regulatory audit, the NRC staff observed that the Purdue SOPs have not been updated to reflect this yet. Describe the update to the pre-start checklist (SOP-1) that will be proposed to incorporate this pre-start check for configuration management or explain why it is not necessary (RAI #13).
- 12. The current pre-start checklist (Purdue SOP-1) contains several inconsistencies with both the current and the proposed TS. Describe the updates to the SOPs that will be proposed to eliminate references to resolve these inconsistencies, in particular references to non-existent tables and incorrect reference to checks of each reactor safety system measurement channel when TS 3.2b is only for radiation monitors (Table II) or explain why an update is not required (RAI #14).
- 13. The setpoints provided in Chapter 7, Section 7.4.a, Table 7-6 of the PUR-1 SAR, and the PUR-1 TS Table I for safety channels required for operation are not the same. Explain and justify why these setpoints are different, change them such they match, or explain why no changes are necessary (RAI #15).
- 14. PUR-1 TS 4.2.d describes a channel check of each of the scram capabilities specified in Table I prior to each startup. ANS/ANSI-15.1-2007 provides guidance to so perform [a]ppropriate surveillance testing on any technical specification required system shall be conducted after replacement, repair, or modification before the system is considered operable and returned to service. Identify which SR incorporates the guidance for retest following replacement, repair, or modification provided in the ANS/ANSI-15.1-2007 standard or explain why it is not needed (RAI #16).
- 15. If the PLC fails, explain how controls and displays of important parameters that the operator should monitor to keep PUR-1 parameters within a limiting value, and those that can affect the reactivity of the core, are readily accessible and understandable to the reactor operator or justify why no additional information is needed (RAI #17).
- 16. If the PLC fails, explain how displays and controls provided to the operator for manual system-level actuation and control of safety equipment will be functional under conditions that may require manual actions or justify why no additional information is needed (RAI #18).
- 17. Propose a TS and SR associated with the PLC to verify its operability or justify why they are not needed (RAI #19).
- 18. The proposed TS includes a change to the specification wording for TS SR 4.6, Fuel Parameters. The NRC staff does not understand the connection of this proposed change to the requested I&C upgrade. Please explain the relationship, purpose, and basis for this change, including a SE of the acceptability of the proposed change; remove the TS change; or explain why no information or action is necessary (RAI #20).
- 19. Describe the procedural administrative control for access and authorized use of the keys for the test switches for the Mirion neutron channels (i.e., PUR-1 SOP or TS) or explain why these are not needed (RAI #21).
- 20. PUR-1 SAR, Section 7.6.i, Configuration Management, states that, current configuration of the [RPCS] software will be maintained and documented as Appendix II to the Reactor Characteristics and Operations Manual, and internal facility document. During the regulatory audit, the NRC staff observed that this Purdue internal facility document did not exist, yet.
Provide an excerpt for Appendix II to the RCOM that demonstrates how configuration management for the software will be maintained and controlled in accordance with the PUR-1 SAR or explain why software configuration management is not needed (RAI #22).
- 21. PUR-1 SAR, Section 7.8, Quality Assurance, states A Quality Assurance (QA) program shall be developed, maintained, and utilized in accordance with the guidance of ANS/ANSI 15.8-1995. During the regulatory audit, the NRC staff observed that this Purdue QA document did not exist, yet. Provide a description of the Purdue QAP established in accordance with the PUR-1 SAR, provide the QAP document, or explain why a QAP is not needed (including updating the PUR-1 SAR) (RAI #23).
- 22. During the regulatory audit, the NRC staff observed that a number of test procedures for the FAT and SAT were not conducted due to missing hardware or system interfaces. These were documented as cant test.
Explain how and when these previously untested tests will be completed (RAI #24).
- 23. During the regulatory audit, the NRC staff observed that a master list of FAT and SAT tests that were not performed did not exist and no test exception records were generated for the missing tests of the FAT. Explain how the missing tests are tracked and how satisfactory completion of all tests as required by the FRS will be documented (RAI #24).
- 24. For the FAT, TERs are required to be documented, including making permanent changes that are necessary to pass FAT with a retest before the completion of FAT. During the regulatory audit, the NRC staff observed that several TERs were documented during the FAT. However, it is not apparent to the NRC staff that documentation exists for the description of any changes made to the system, that the changes were made permanent (e.g., as evidenced by a change in the software build number), or that the changes were retested since the FAT documentation still indicated out of specification parameters. Provide evidence that the TERs generated included a description of the changes made to the system, that the changes are permanent, and that they were retested or explain why this documentation is not required (RAI #25).
- 25. During the regulatory audit, the NRC staff observed a demonstration that revealed that the control functionality for target rod withdrawal (i.e.,
withdrawal of a rod to a preset height) as related to inhibits for selection and withdrawal of a different rod may have functioned improperly. This apparent error was reported to be corrected and a subsequent demonstration performed satisfactorily. However, it is not apparent to the NRC staff that documentation exists for the description of any changes made to the system, that the changes were made permanent (e.g., as evidenced by a change in the software build number), or that more structured or formalized retesting was to be performed and documented. Provide evidence that a TER or similar document was generated that included a description of the changes made to the system, that the changes are permanent, and that they were retested or explain why this documentation is not required (RAI #26).
- 26. The safety review for PUR-1 provided with the amendment describes operation of Channel 4, Safety Channel. This description talks about fast scram that is performed by this channel, and states that the fast scram capability remains in the new I&C. However, during the audit, it was clear that this feature is not included in the new I&C system. Instead all channels have the same capability to scram the reactor. Explain what was meant by the sentence fast scram capability remains in the new I&C (RAI #27).
- 27. During the regulatory audit, NRC staff identified several documents that need to be docketed for use while preparing the SE. Please docket the following documents (RAI #28):
- PUR1-SRS-SDD-002 - HMI Functions Software
- PUR1-HDD-001 - Hardware Design Document
- PUR1-HDD-001-16 Sh. 2 - Second page of the SCRAM wiring diagram
- 28. During the regulatory audit, NRC staff reviewed PUR-1 Operating Principles and Core Characteristics Manual, Revision 0, which describes the reactor, operation, control and system descriptions. Purdue staff noted that they are considering updating this document to describe how to control and operate the new RPCS system. Also, they are considering using Scientech PUR1-OPS-001, Operator Manual, Rev. 1, which describes how to use the RPCS, HMI display, and physical controls from the operator console. Identify if Purdue will update the Operating Principles and Core Characteristics Manual, adopt the Scientech PUR1-OPS-001 Operator Manual, or explain why they are not necessary (RAI #29).