Response to Follow-Up Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System at the Mit Reactor

ML18120A115
Person / Time
Site:	MIT Nuclear Research Reactor
Issue date:	04/20/2018
From:	Lau E, Queirolo A Massachusetts Institute of Technology (MIT)
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
CAC MF5003
Download: ML18120A115 (16)
v • d • e

Text

NUCLEAR REACTOR LABORATORY AN INTERDEPARTMENTAL CENTER OF MASSACHUSETTS INSTITUTE OF TECHNOLOGY EDWARD S. LAU 138 Albany Street, Cambridge, MA 02139-4296 Facility Tours Assistant Director of Telefax No. (617) 324-0042 Education & Training Reactor Operations Tel. No. (617) 253-4211 Activation Analysis Coolant Chemistry Nuclear Medicine 20 April 2018 U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Attn.: Document Control Desk

Subject:

Response to Follow-Up Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System at the MIT Reactor, License R-37, Docket No. 50-20 (CAC No. MF5003)

The Massachusetts Institute of Technology (MIT) hereby submits a response to the 6 March 2018 follow-up questions to the Request for Additional Information (RAI) on the License Amendment Request (LAR) to upgrade the Nuclear Safety System at the MIT Reactor (MITR). The original RAI was created on 12 October 2017 subsequent to a regulatory audit that was performed by Nuclear Regulatory Commission (NRC) staff at the MIT Reactor on 24-26 July 2017. This audit identified additional information that would be required to be docketed in order to support a licensing decision by NRC. On 14 December 2017, MIT submitted responses to the RAI.

On 6 March 2018, MIT received a set of eleven follow-up questions related to several of the original RAI questions and MIT's answers. To the eleven follow-up questions, MIT hereby provides responses in the following format: the NRC question in italics, followed by the MIT answer in normal font. Wherever necessary, MIT's responses will reference updates to supporting documents of various previous Enclosures.

Follow up question 1 (for RAI #1): MIT response included examples of its QA Requirements Checklist in Enclosures A and B. The dates identified in these examples are not in chronological order or consistent with the development activities.

1- Please explain what the dates identified in the checklist represent and why they are not in chronological order.

Response to follow up question 1 (for RAI #1):

Dates identified in the QA Checklist (PM 1.13 Quality Assurance Requirements Checklist) indicate when the item was signed off as completed. While the items are generally performed in chronological order, consistent with the development activities, the dates of completion are not necessarily expected to be in a chronological sequence, because of documentation, editing, and O administrative needs. ;ro 2

/Vt!<

RAJ Responses for Upgrade ofNSS Page 2 For instance, the relevant items in Enclosure A (NSS Scram Logic Card Modules) are listed in the following order: Safety Review, Specifications, Procurement, Drawings & Schematics, Fabrication, Bench Testing, and Handling & Installation Instructions. The Safety Review item and the Specifications item were actually started in 2013; Handling & Installation Instructions started in 2017. However, the Safety Review signoff date was 4 November 2017, because naming of the individual modules had changed over time, and in the latter part of 2017 we revisited the Safety Review document to standardize the terminology. We also added further details to the original text, but there were no substantive changes in the Safety Evaluation.

Similarly, the Procurement was started in 2014, but the signoff date was 29 July 2016, when the iterative process for designing the Scram Logic Cards was finally completed and accepted as satisfactory. Drawings & Schematics were started in 2014 but were signed off as completed 31 May 201 7 when they were revised and finally approved by internal reviewers outside the Instrumentation group. Fabrication started in 2015 but was signed off 31 January 2017 after the iterative process for prototyping and production of the Scram Logic Cards was completed and accepted as satisfactory. Bench Testing started in early 2017 and was signed off on 2 July 2017.

Handling & Installation Instructions were finalized and signed off on 11 September 201 7.

Enclosure B (NSS Signal Distribution Module) has a similar list of relevant items, except that it does not require Handling & Installation Instructions. The Safety Review was started in December 2015. It was signed off as completed on 1 November 2017 when we revisited the Safety Review document to standardize the terminology. Specifications, Procurement, Drawings

& Schematics, and Fabrication were all started in 2016; Bench Testing was started in mid-2017.

All were signed off as completed on 28 October 2017 when the documentation was reviewed and approved as satisfactory.

Enclosure Bl (NSS Magnet Power Supply Modules) follows a similar pattern to Enclosure A, but again does not require Handling & Installation Instructions.

Follow up questions for RAJ #2:

2- MIT responses included in Appendices A-M describe the MIT-developed components.

However, in several instances these documents refer to bench testing and/or pre-operational testing, without providing clear references to test procedures and results. Further, sometimes it is not clear if when talking about test, if MIT is referring to bench testing or to pre-operational testing. Lastly, some description use the future tense to refer to tests that will be performed, even though Enclosure Q identified these tests as completed.

Please clarify if bench testing and pre-operational testing has been performed and completed for NSS components. Also, please clarify if the NSS components are currently installed and operating in parallel with the existing system.

Response to follow up question 2 (for RAJ #2):

Bench testing for all MIT-developed components/modules has been completed. Bench testing refers to tests of individual modules in a stand-alone manner, without connection to designated components upstream and downstream. Each different modules/component had its own written procedure or steps for the bench testing. Where necessary, signal input to the module from designated upstream components will use a simulated test signal when performing bench tests.

RAI Responses for Upgrade of NSS Page 3 Likewise, the module's signal output to downstream components will only be measured on the bench to confirm the signals are compatible with designated downstream components.

Pre-operational testing for all MIT-developed components/modules has been completed to the point where scram signals were successfully confirmed as output. These scram signals cannot be routed to the existing reactor scram circuits until there is NRC approval of the LAR. Pre-operational testing is performed with all Nuclear Safety System components/modules connected in their designated configuration, with fission chamber detectors in their final reactor locations sending signals to the Mirion DWK 250 neutron flux monitors, which in turn are connected to all downstream, MIT-developed components/modules. For these tests of the integrated system, no simulated signals are needed.

The pre-operational testing was performed as per written procedure "New Nuclear Safety System Global Test Special Procedure". Reactor staff performed this procedure several times in the course of developing the procedure, and also after receiving comments by the MIT Reactor Safeguards Committee on 16 November 2017. The final version of the procedure was performed and signed off on 13 December 201 7, and was provided as Enclosure Q in the RAI Response submitted on 15 December 2017. In Enclosure Q, one can see that some steps cannot be completed until scram signals are routed to the existing reactor scram circuits after there is NRC approval of the LAR. These steps were marked "N/A" to indicate such. Once NRC approves the LAR, this procedure will be performed again, this time in its entirety. At that point, pre-operational testing will be complete.

Currently, the new Nuclear Safety System, with all of its components/modules integrated in their designated configuration, is operating in parallel with the existing system. It is not connected to the existing scram circuits, and therefore will not interrupt magnet current and scram the reactor.

Its performance is being monitored with the console operator reading and recording hourly data.

3- The descriptions provided in the enclosures were accompanied by drawings or logic schematics. These drawings did not include revision numbers. Please explain how one determine that is the latest available revision and why revision numbers are not being used.

Response to follow up question 3 (for RAI #2):

The drawings submitted to NRC on 15 December 2017 do not include revision numbers. At the time of the July 2017 site audit visit, our revision numbers appearing on all of our drawings gave an impression that the design process had not yet been completed, suggested by the fact that there was a revision number other than zero. However, the design process was complete, and to the extent possible, the drawings reflect the as-built condition, and contain review and approval initials. As a result, MIT removed revision references from all final drawings just prior to the December 2017 submittal. Subsequent changes will contain revision letters beginning with "A",

and new review and approval initials.

The pair of drawings for the Withdraw Permit Circuit in Enclosure I are an exception to the above. These are R3W-203-4 Rev. C and R3W-203-4 Rev. D. Revision C is the existing Withdraw Permit Circuit under license R-37. For the new NSS, the necessary update to the circuit is provided in Revision D. Implementation of the change as per Revision D will happen only after NRC approves the LAR for the new NSS.

RAJ Responses for Upgrade ofNSS Page4 4- In Enclosure D, MIT described the Signal Distribution Module (SDM). This description states that the < l 00 kW key switch module (KSM) is in NIM BIN 1 and receives power through the XI 4 connector. However, Enclosure DJ provided the Global Connection Diagram for the NSS, and this drawing does not show the KSM in NIM BIN 1, but instead installed in NIM BIN 2. Please confirm the location of the KSM and the components installed in each NIM BIN Response to follow up question 4 (for RAJ #2):

It is the drawing [Enclosure D drawing R3W-268-2 "NSS Global Connection Diagram"] that is correct. - As shown in Photo 1 below, the KSM is in NIM Bin 2, along with the three Magnet Power Supply Modules and the Blade Drop Timer Interface. It receives power through the Xl 7 connector. The description in Enclosure D [Q/A File document #2017-34 "Signal Distribution Module"] was incorrect in item 5 on page 2. The updated document, now dated 15 March 2018, is enclosed. The correction reads as:

The X14 connector then passes the 24-volt DC power as output to the "NIM Bin 1" instrument rack which contains three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the LED Scram Display Module.

LOOP A

~

Photo 1 - NIM Bin 2

RAI Responses for Upgrade ofNSS Page 5 5- In Enclosure E, MIT described operation of the scram logic card (SLC). However, this description does not describe the use of test switch necessary for surveillance testing. Please describe the operation of the test switch that will be used for surveillance testing and calibration.

Response to follow up question 5 (for RAI #2):

For surveillance testing and calibration, the Test-Condition Bypass (TCB), shown in Photo 2 below, will be used. A detailed description of the TCB was provided in Enclosure J [Q/A File

1. 2017-28 document "DWK 250 'Test' Condition Scram Bypass Assembly", and schematic R3W-264-3 "DWK 250 'Test' Condition Scram Bypass Assembly"]. It was fabricated to facilitate test procedures to demonstrate that a specific trip condition from a DWK 250 nuclear safety channel will result in a scram of the reactor.

The TCB is depicted in the Enclosure U block diagram, on the left-hand side amongst the four DWK 250 nuclear safety channels. It also appears in the Enclosure D drawing R3W-268-2 "NSS Global Connection Diagram" in grid location C-1. Its use is illustrated in Enclosure Q written procedure "New Nuclear Safety System Global Test Special Procedure" pages 15 through 17 (steps 1 through 50).

DWK 250 "TEST" CONDITION SCRAM BYPASS Photo 2 - Front Face of TCB Panel with Caution Posting

RAI Responses for Upgrade ofNSS Page 6 6- In Enclosure E, MIT described the logic to generate a scram signal. In the description for sub-circuit card (SC) 10, MIT stated that there are two independent outputs that go to the withdraw permit circuit (WPC) and the KSM However, the Global connection Diagram provided in Enclosure DJ does not show a connection from the SLC to the WPC. Please describe how the WPC receives the scram signal from the SLC. Also, please explain if the WPC connect to the programmable logic controller (PLC) .

Response to follow up question 6 (for RAI #2):

The two 24-volt DC outputs from sub-circuit SCIO go independently to the Magnet Power Supplies and the Withdraw Permit Circuit. This is stated in Enclosure E [Q/A File #2017-35 document "Scram Logic Card Modules", Item #10 on page 6]. Also, Enclosure E's main schematic for the SLC shows the two independent outputs as going from relays U4 and U7 to the

. WPC and the magnet power supplies ("MPS" on the drawing).

Enclosure D drawing R3W-268-2 "NSS Global Connection Diagram" depicts the SCIO output that goes to the WPC as doing so by way of the KSM. This path is similarly depicted on the block diagram in Enclosure U. The KSM drawing R3W-259-4 in Enclosure G also shows this pathway, in greater detail: the SLC outputs are shown entering the KSM and directly affecting relays RYS, RY6, RY7, and RY8 there, which then interrupt the WPC. This is described in Enclosure G [Q/A File #2017-37 document "<100 kW Key-Switch Module", page 4 and the third paragraph of page 5].

The WPC does not connect to the programmable logic controller (PLC) directly. Instead, when the WPC is open, a signal goes to the PLC via relay RY4, which is physically located in the KSM. The coil for relay RY4 is shown in grid location A-4 of WPC drawing R3W-203-4 Rev.Din Enclosure I, and in grid location C-5 ofKSM drawing R3W-259-4 in Enclosure G.

Figure 3 in Enclosure L [Q/A File #2017-40 "Safety System Monitoring & Status Display PLC"]

shows this input to the PLC as "WPC Energized Signal". Therefore, it is important to clarify that this input signal is not fed directly from the circuitry of the WPC.

7- In Enclosure Gl, MIT provided the logic schematic for the KSM This schematic shows an output signal with the following label: "To safety system monitoring and status display PLC input (WPC status). " Please explain what this signal refers to.

Response to follow up question 7 (for RAI #2):

This is the signal described in the last two paragraphs of the Response to follow up question 6 above. This output signal happens when the contact for relay RY4 in the KSM is open. RY4 is open whenever the WPC is open. This signal to the PLC allows data logging showing when the WPC is de-energized, for the purpose of determining the time sequence of alarms for system troubleshooting.

RAI Responses for Upgrade ofNSS Page 7 8- In Enclosure H, MIT described operation of the magnet power supplies module. This description includes a photo of the frontal view of the module. This photo shows two pairs of LEDs that were not described nor included in the logic diagram provided in Enclosure HJ.

Please describe operation and logic for these LEDs.

Response to follow up question 8 (for RAI #2):

Each magnet power supply module contains power supply circuit boards for two reactor shim blades, for instance shim blade #1 and shim blade #2. Two sets of indicator lights are on the front of each magnet power supply module, one set for each shim blade's magnet. Each set contains a green "Available" light in the upper position and a yellow "On" light below it. Power to the magnet power supply module is provided by a dedicated 24-volt DC power supply built into the module. If the 24-volt DC power, as adjusted via the magnet power supply circuit board's adjustable regulator, is adequate, then the green light illuminates. If the circuit board is sending adequate current to the shim blade magnet, then the yellow light illuminates.

Drawing R3W-266-4 "Magnet Power Supplies" shows these indicator lights. This detailed circuit diagram was included in the Drawings and Schematics section of Enclosure B 1, which is the QIA file for the magnet power supply modules. (It was not referenced in the Enclosure H document on these modules, and so was not included in Enclosure H.)

Enclosure B 1 contains "Special Procedure for Bench Testing of the Magnet Power Supply Modules", which provides for testing of these indicator lights in steps 6 through 9 and steps 12 through 15. (These steps also mention an "Energized" indicator light; note that it is on the Test Box depicted in Figure 1 on page 5 of the procedure, not on the magnet power supply module.)

9- In Enclosure Kl, MIT provided the logic schematic for the blade drop timer interface. This schematic shows an input for the "Minor Scram Switch. " Please describe how this signal is used in the logic for the blade drop timer.

Response to follow up question 9 (for RAI #2):

The Blade Drop Timer Interface Module has a two-position "Start Signal Source" selector switch on the front. When the switch is toggled to the "Minor Scram Switch" position, the two-out-of-four coincidence logic in the Blade Drop Timer Interface circuit is not used. The operator needs only to press the console Minor Scram pushbutton to have the Interface module start the Blade Drop Timer. This is described in Enclosure K [Q/A File #2017-30 document "Blade Drop Timer Interface Module" page 2].

On the Enclosure K schematic R3W-267-3, in grid location B-4, the Guarded Toggle Switch S2 can select either "DWK 250" or "Minor Scram Switch". When "Minor Scram Switch" is selected, the operator's action of pressing the Minor Scram pushbutton (connected at P8) will open the circuit, resulting in a 12-volt signal passing straight through P9 tostart the Blade Drop Timer.

RAJ Responses for Upgrade ofNSS Page 8 I 0- Enclosure L described operation of the Safety System Monitoring & Status Display PLC.

This enclosure includes the internal logic, which shows the following inputs: "Timer Reset Push Button " and "Enable/Disable Hourly Reminder. " Please describe what these inputs are. Also, please explain how the operator acknowledges and resets alarms/events in the PLC.

Response to follow up question 10 (for RAJ #2):

The "Timer Reset Pushbutton" and the "Enable/Disable Hourly Reminder" in Enclosure L

[Q/A File #2017-40 document "Safety System Monitoring & Status Display PLC" Figure 3 logic flow diagram] are user-input functions programmed in the PLC, as described in the page 5 text and depicted in Figure 4 of that document as "acoustic reminder". From time to time, the console operator is required to perform procedures or actions at precise time intervals. This timer function can provide a sound to alert the operator, and can be enabled and disabled using' the "Enable/Disable Hourly Reminder" input via a button on the PLC's touch-screen. These functions cannot interfere with the Nuclear Safety System.

The operator can acknowledge and reset alarms or events in the PLC by a reset button built into the software on the PLC touch-screen.

Follow up question 11 (for RAJ #10):

I I - In Enclosure V, MIT described the console layout and the human factors considered for the NSS. This description states that if the DWK 250 neutron channels are not installed in the correct location, an alarm will be generated. However, this is inconsistent with the information provided in the response for RAJ #2, item c, in which MIT stated that this is not part of the proposed NSS. Please clarify if the PLC will receive an alarm when a neutron channel is not placed in the correct location.

Response to follow up question 11 (for RAJ #10):

The memo in Enclosure V has been corrected, with the last sentence of item 1 deleted. (This sentence was left in the memo inadvertently in the 14 December 2017 submittal.) If the DWK 250 neutron flux channels are not installed in the correct location, it will be readily apparent as the operator performs startup checklists or other test procedures. No alarm is needed.

The revised Enclosure V memo is enclosed. Figures 1 through 8 remain unchanged, and are not included in this response.

RAI Responses for Upgrade ofNSS Page 9 The RAI follow-up question responses and enclosures submitted herewith do not contain any proprietary information.

This RAI follow-up question response submittal contains the following two

Enclosures:

Enclosure D. Q/A File #2017-34 document "Signal Distribution Module" dated 15 March 2018. (No drawings enclosed, as there is no change to Drawing R3W-268-2 "NSS Global Connection Diagram" or Drawing R3W-274-3 "Signal Distribution Module Board Wiring Diagram".)

Enclosure V. Memo "Human Factors Considerations for Design and Implementation of the New Nuclear Safety System" dated 11 April 2018. (No figures enclosed, as there is no change to the memo's eight appended figures.)

Sincerely, Edward S. Lau, NE Alberto Queirolo Assistant Director of Reactor Operations Director of Reactor Operations MIT Research Reactor MIT Research Reactor I declare under penalty of perjury that the forego* ect.

Executedon ~;lDate:)5 <+/-9\ 81

Enclosures:

As stated.

cc: USNRC - Senior Project Manager Research and Test Reactors Licensing Branch Division of Policy and Rulemaking Office of Nuclear Reactor Regulation USNRC - Senior Reactor Inspector Research and Test Reactors Oversight Branch Division of Policy and Rulemaking Office of Nuclear Reactor Regulation

Page 1 of 5 0/A File #E-2012-1 Digital Upgrade for Nuclear Safety System Q/A File #2017-34 "Signal Distribution Module" Description of the Signal Distribution Module The Signal Distribution Module (SDM) is an interface circuit between the DWK 250 digital neutron flux monitors and all components downstream. Because any trip signal generated from a nuclear safety channel must pass through the SDM on its way to the modules that effect a reactor shutdown, the SDM is considered a safety-related component of the Nuclear Safety System.

Additionally, the SDM contains the auctioneering diodes for the two 24-volt DC power supplies. There are two analog meters mounted on the SDM's protective casing, one showing the electric current from the power supplies, and the other showing voltage. (See Figure 1.) By selection via a rotary switch (also mounted on the case), the voltage meter shows the instantaneous voltage on the SDM, from the first power supply, or from the second power supply.

Figure 1 - Exterior of Signal Distribution Module, showing its two Analog Meters at top QA#-2017-34 15 MAR2018

Page 2 of 5 As can be seen in schematic diagram R3W-268-2 "Nuclear Safety System Global Connection Diagram" and circuit board diagram R3W-274-3 "Signal Distribution Module Board Wiring Diagram" the SDM has a total of thirteen connections. In terms of signal flow, four of those connections are strictly input (signal coming from each of the four DWK 250 units), six are input/output bidirectional, two are strictly output, and one is not in use. The following lists the roles of the connectors as they are labeled:

1. XlO: Receives signal from DWK 250 channel #1.

2. Xl 1: Receives signal from DWK 250 channel #2.

3. X12: Receives signal from DWK 250 channel #3.

4. X13: Receives signal from DWK 250 channel #4.

5. X14: Receives power from two 24-volt DC power supplies that are set up in parallel, but connected via auctioneering diodes on the SDM, so that if one fails, the other will take over without interruption. The X14 connector then passes the 24-volt DC power as output to the "NIM Bin 1" instrument rack which contains three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the LED Scram Display Module. The X14 connector also passes the 24-volt DC power via connectors XlO through X13 to energize the output (scram/alarm) relays of the four DWK 250 channels. (The DWK 250 output relays are electrically isolated from the internal circuitry of the DWK 250, and rely on an external power source for their operation.)

6. Xl5: Passes signals from the four DWK 250 channels to Scram Logic Card 1.

The Xl 5 connector receives signals back from Scram Logic Card 1 and routes them to the LED Scram Display and several non-safety-related monitoring and display devices.

7. X16: Passes signals from the four DWK 250 channels to Scram Logic Card 2.

The Xl 6 connector receives signals back from Scram Logic Card 2 and routes them to the LED Scram Display and several non-safety-related monitoring and display devices.

8. XI 7: Passes signals to and from the <100 kW Key-Switch Module.

9. X18: Passes signals to and from an LED Scram Display module, which captures scram signals from any of the four DWK 250 channels via the Scram Logic Cards, and keeps them latched in until the LED Scram Display module is used to reset the two Scram Logic Cards. (Once the scram condition no longer exists, the DWK 250 will not show what the trip condition was.)

10. Xl 9: Passes analog signals from the four DWK 250 channels to existing console chart recorders and meters.

11. X20: Not in use.

QA#-2017-34 15 MAR2018

Page 3 of 5

12. X21: Passes signals from all inputs of the SDM to a non-safety-related programmable logic controller (PLC) for monitoring and status display.

13. X41: Passes the "Test" trip signal from each of the four DWK 250 channels through a Signal Junction Box to a Blade Drop Timer Interface Module, which in turn passes a signal to activate the existing Blade Drop Timer. This setup will measure the scram time from initiation of a scram signal to 80% insertion of a shim blade. The Blade Drop Timer Interface Module conditions a binary signal for compatibility with the existing Blade Drop Timer, and includes optical isolation of the SDM from the Blade Drop Timer. The Blade Drop Timer Interface Module and the Blade Drop Timer are mounted in separate NIM bins. The Blade Drop Timer in its own NIM bin receives 12 volts DC from its existing, independent power source. Connector X41 also passes low-voltage and fault signals from each of the two 24-volt DC power supplies to the PLC, by way of the SDM and the Signal Junction Box, via connector PIO on the Box and cable K-45 .

QA#-2017-34 15 MAR2018

Page 4 of 5 Safety Evaluation The Signal Distribution Module (SDM) is a four-layer FR4 printed-circuit board that facilitates passing of signals between various modules of the new Nuclear Safety System.

An ISO 9001-2008 certified electronic hardware manufacturer (Advanced Circuits) fabricated the board.

Failure Analysis If the board fails, such as by physical damage or other disruption to a scram signal path between a DWK 250 and the Scram Logic Cards, there will be a loss of the signal, thereby causing the Scram Logic Cards to produce a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

The connection (X14) to the two 24-volt DC power supplies only passes power to the two Scram Logic Cards and the <100 kW Key-Switch Module. The SDM board does not use the power for its own functions. The two power supplies are fed from an existing, common 120-volt AC source, and have an internal fuse that will protect against overcurrent conditions. They also have an output overload that will trip at no more than 35 volts DC. In the unlikely event of an excessive line voltage surge, both power supplies are designed to trip to protect themselves, interrupting power to the two Scram Logic Cards, scramming the reactor. If the surge affects the SDM board directly, it may create physical damage as described above, again resulting in a reactor scram.

If there is a loss of line voltage or an internal fault on either of the two 24-volt DC power supplies, a relay contact opens on the affected power supply to transmit a signal by way of the SDM and the Signal Junction Box to the PLC, showing on the PLC which power supply is in trouble.

Signals input to the SDM board from the two Scram Logic Cards are passed along to other display and status monitoring devices. If the board should be damaged in these areas, there is no effect on nuclear safety. The console operator may observe a partial loss of indications of reactor power and reactor period, but will not receive false information. There are redundant displays of reactor power and period, such as on the face of each DWK 250 chassis, that will remain operable. There are also four existing independent non-safety-related neutron flux channels or N-16 gamma channels displaying reactor power. Likewise, loss of signal output from the SDM to existing console chart recorders and meters has no effect on nuclear safety. There is redundant recording of reactor power history from the non-safety-related neutron flux channels.

Cybersecurity and Isolation The SDM is assembled on one circuit board. The module is constructed with standard industrially-rated components. It contains no digital components, and is therefore not subject to cybersecurity threats.

QA#-2017-34 15 MAR2018

Page 5 of 5 Transient Voltage Suppressor (TVS) diodes are used on the SDM board to ensure voltages never exceed 35 volts. Because the SDM is mostly a passive circuit board, it does not include any optical isolators. However, there are optical isolators built into Scram Logic Card 1, Scram Logic Card 2, the Blade Drop Timer Interface Module, and the PLC panel.

Access Control and Physical Protection The SDM will be mounted within the protective metal instrumentation cabinets of the control room. The instrumentation cabinets will provide the module with physical protection comparable to that for the current nuclear safety system. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the NRC-approved Physical Security Plan. Therefore, access control and configuration control are assured.

Environmental Conditions The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

This air-conditioning control easily satisfies the operating requirements for all the components on the SDM board.

Human Factors All cables to the SDM and cable connection points on the SDM will be labeled, as will the circuit board. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interface with the SDM board. It will be handled only by or under the supervision of license reactor staff. Therefore, human factors engineering remains adequate.

Verification and Periodic Checks The new SDM board will be tested for wiring verification using a written procedure prior to first use, will be set up in the control room as part of the integrated new Nuclear Safety System to operate in parallel with the existing nuclear safety system for observation, and will receive functional checks periodically as part of the operational checks of the integrated Nuclear Safety System. Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.

QA#-2017-34 15 MAR2018

MIT NUCLEAR REACTOR LABORATORY AN MIT INTERDEPARTMENTAL CENTER John P. Foster Mail Stop: NW12-110 Phone: 617.258.5864 Deputy Director of Reactor Operations 138 Albany Street Fax: 617.324.0042 jpfostermit.edu Cambridge, MA 02139 Web: http://nrl.mit.edu MEMORANDUM To: New Nuclear Safety System QA File E-2012-1 From: John Foster, Deputy Director of Reactor Operations Re: Human Factors Considerations for Design and Implementation of the New Nuclear Safety System.

Date: 11 April 2018 The following list outlines the human factors considered for the Mirion DWK 250 channels and all components downstream in the new Nuclear Safety System.

1. Connections to the four DWK 250 channels are connectorized and remove error associated with point to point wiring. Routing of DWK 250 signaling is accomplished by the use of a 4-layer printed circuit board (Signal Distribution Module) to distribute the signals to the proper locations and modules. This minimizes the possibility of items being wired incorrectly and makes for ease of installation.

2. Back.lighting was activated for an "always on" condition for the DWK 250 channel displays so each display could be easily viewed by the operator at any time.

3. The scram logic card design incorporated the use of 2 out of 4 voting logic to allow for one channel to be in test or out of commission instead of the typical use of a bypass switch or relay. This ensures all equipment remains active and installed regardless of its state thereby mitigating the possibility of improper channel bypassing. If a channel is removed, all trips for that channel become active as seen by the scram logic cards.

4. The method of providing <100 kW high power scram settings on the existing nuclear safety system requires swapping out safety channels 5 & 6 high range amplifiers to low range amplifiers. This creates an opportunity where human errors could occur during the reconnection process. The new system will utilize a key switch that shifts from full power mode to <100 kW mode thereby mitigating the possibility of errors such as cable or card/chassis swapping. The key will be kept in the control room key cabinet, with use controlled by startup checklists that define the mode of operation (Full Power or <100 kW).

An annunciator informational alarm will actuate when in the <100 kW mode. See Figures 1-4 for existing and final annunciator panel layouts.

Page 1 of 2

5. The module layouts in the control room were identified by reactor staff and active reactor operators according to the most efficient use of space and the understanding of how certain modules interfaced with each other and existing equipment. See Figures 5 & 6 for the existing and final control room layout. The rundown relay panel was important to keep in its current location to eliminate the need for additional wiring to interface with the blade drives and magnets. It was important to keep the DWK 250 channels located at an easy-to-view height and in their exact locations utilized during the testing phase including detectors, preamps and cabling. The remaining modules were located in proximity to each other based on how the operator will utilize the equipment during routine surveillances.

6. The remote displays for wide range reactor power and reactor period will remain analog meters, very similar in appearance to the existing system. Additionally, they will be located on console in front of the operator in the same location as those for the existing system. The existing system has dedicated power and period meters for channel 3, while channels 1 and 2 share one set of power and period meters controlled by a selector switch. The new system will have 8 meter displays total (DWK 1-4, each with power and period). Channels 1 & 2 will be on the left hand side of the console and channels 3 & 4 will be on the right hand side of the console. See Figures 7 & 8 for existing and final console meter layouts.

Channel 1 detector is located in 4IH3 ; channel 2 detector is located in 3GV2; channel 3 detector is located in 4IH1 ; and channel 4 detector is located in 3GV5. The 4IH detectors are looking at the lower portion of the reactor core while the 3GV detectors are looking at the higher portion of the reactor core. This arrangement gives the operator two diverse views of the reactor flux regardless of which side of the console they are viewing reactor power/period.

7. Surveillance checklists were developed and tested to ensure all testing evolutions return the systems to their preferred state for reactor operation. Multiple operators performed the draft surveillance checklists in order to ensure sufficient detail and directions were included in the final procedures.

8. Annunciator alarms will be arranged in a method consistent with current NRL practices. The bypass alarm will be added to the left side annunciator panel near all other bypass alarms and will be their characteristic yellow color. The safety system scram alarm will remain in its current location and remain red in color. All other alarms are informational in nature and will be white in color.

Page 2 of2

NUCLEAR REACTOR LABORATORY AN INTERDEPARTMENTAL CENTER OF MASSACHUSETTS INSTITUTE OF TECHNOLOGY EDWARD S. LAU 138 Albany Street, Cambridge, MA 02139-4296 Facility Tours Assistant Director of Telefax No. (617) 324-0042 Education & Training Reactor Operations Tel. No. (617) 253-4211 Activation Analysis Coolant Chemistry Nuclear Medicine 20 April 2018 U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Attn.: Document Control Desk

Subject:

Response to Follow-Up Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System at the MIT Reactor, License R-37, Docket No. 50-20 (CAC No. MF5003)

The Massachusetts Institute of Technology (MIT) hereby submits a response to the 6 March 2018 follow-up questions to the Request for Additional Information (RAI) on the License Amendment Request (LAR) to upgrade the Nuclear Safety System at the MIT Reactor (MITR). The original RAI was created on 12 October 2017 subsequent to a regulatory audit that was performed by Nuclear Regulatory Commission (NRC) staff at the MIT Reactor on 24-26 July 2017. This audit identified additional information that would be required to be docketed in order to support a licensing decision by NRC. On 14 December 2017, MIT submitted responses to the RAI.

On 6 March 2018, MIT received a set of eleven follow-up questions related to several of the original RAI questions and MIT's answers. To the eleven follow-up questions, MIT hereby provides responses in the following format: the NRC question in italics, followed by the MIT answer in normal font. Wherever necessary, MIT's responses will reference updates to supporting documents of various previous Enclosures.

Follow up question 1 (for RAI #1): MIT response included examples of its QA Requirements Checklist in Enclosures A and B. The dates identified in these examples are not in chronological order or consistent with the development activities.

1- Please explain what the dates identified in the checklist represent and why they are not in chronological order.

Response to follow up question 1 (for RAI #1):

Dates identified in the QA Checklist (PM 1.13 Quality Assurance Requirements Checklist) indicate when the item was signed off as completed. While the items are generally performed in chronological order, consistent with the development activities, the dates of completion are not necessarily expected to be in a chronological sequence, because of documentation, editing, and O administrative needs. ;ro 2

/Vt!<

RAJ Responses for Upgrade ofNSS Page 2 For instance, the relevant items in Enclosure A (NSS Scram Logic Card Modules) are listed in the following order: Safety Review, Specifications, Procurement, Drawings & Schematics, Fabrication, Bench Testing, and Handling & Installation Instructions. The Safety Review item and the Specifications item were actually started in 2013; Handling & Installation Instructions started in 2017. However, the Safety Review signoff date was 4 November 2017, because naming of the individual modules had changed over time, and in the latter part of 2017 we revisited the Safety Review document to standardize the terminology. We also added further details to the original text, but there were no substantive changes in the Safety Evaluation.

Similarly, the Procurement was started in 2014, but the signoff date was 29 July 2016, when the iterative process for designing the Scram Logic Cards was finally completed and accepted as satisfactory. Drawings & Schematics were started in 2014 but were signed off as completed 31 May 201 7 when they were revised and finally approved by internal reviewers outside the Instrumentation group. Fabrication started in 2015 but was signed off 31 January 2017 after the iterative process for prototyping and production of the Scram Logic Cards was completed and accepted as satisfactory. Bench Testing started in early 2017 and was signed off on 2 July 2017.

Handling & Installation Instructions were finalized and signed off on 11 September 201 7.

Enclosure B (NSS Signal Distribution Module) has a similar list of relevant items, except that it does not require Handling & Installation Instructions. The Safety Review was started in December 2015. It was signed off as completed on 1 November 2017 when we revisited the Safety Review document to standardize the terminology. Specifications, Procurement, Drawings

& Schematics, and Fabrication were all started in 2016; Bench Testing was started in mid-2017.

All were signed off as completed on 28 October 2017 when the documentation was reviewed and approved as satisfactory.

Enclosure Bl (NSS Magnet Power Supply Modules) follows a similar pattern to Enclosure A, but again does not require Handling & Installation Instructions.

Follow up questions for RAJ #2:

2- MIT responses included in Appendices A-M describe the MIT-developed components.

However, in several instances these documents refer to bench testing and/or pre-operational testing, without providing clear references to test procedures and results. Further, sometimes it is not clear if when talking about test, if MIT is referring to bench testing or to pre-operational testing. Lastly, some description use the future tense to refer to tests that will be performed, even though Enclosure Q identified these tests as completed.

Please clarify if bench testing and pre-operational testing has been performed and completed for NSS components. Also, please clarify if the NSS components are currently installed and operating in parallel with the existing system.

Response to follow up question 2 (for RAJ #2):

Bench testing for all MIT-developed components/modules has been completed. Bench testing refers to tests of individual modules in a stand-alone manner, without connection to designated components upstream and downstream. Each different modules/component had its own written procedure or steps for the bench testing. Where necessary, signal input to the module from designated upstream components will use a simulated test signal when performing bench tests.

RAI Responses for Upgrade of NSS Page 3 Likewise, the module's signal output to downstream components will only be measured on the bench to confirm the signals are compatible with designated downstream components.

Pre-operational testing for all MIT-developed components/modules has been completed to the point where scram signals were successfully confirmed as output. These scram signals cannot be routed to the existing reactor scram circuits until there is NRC approval of the LAR. Pre-operational testing is performed with all Nuclear Safety System components/modules connected in their designated configuration, with fission chamber detectors in their final reactor locations sending signals to the Mirion DWK 250 neutron flux monitors, which in turn are connected to all downstream, MIT-developed components/modules. For these tests of the integrated system, no simulated signals are needed.

The pre-operational testing was performed as per written procedure "New Nuclear Safety System Global Test Special Procedure". Reactor staff performed this procedure several times in the course of developing the procedure, and also after receiving comments by the MIT Reactor Safeguards Committee on 16 November 2017. The final version of the procedure was performed and signed off on 13 December 201 7, and was provided as Enclosure Q in the RAI Response submitted on 15 December 2017. In Enclosure Q, one can see that some steps cannot be completed until scram signals are routed to the existing reactor scram circuits after there is NRC approval of the LAR. These steps were marked "N/A" to indicate such. Once NRC approves the LAR, this procedure will be performed again, this time in its entirety. At that point, pre-operational testing will be complete.

Currently, the new Nuclear Safety System, with all of its components/modules integrated in their designated configuration, is operating in parallel with the existing system. It is not connected to the existing scram circuits, and therefore will not interrupt magnet current and scram the reactor.

Its performance is being monitored with the console operator reading and recording hourly data.

3- The descriptions provided in the enclosures were accompanied by drawings or logic schematics. These drawings did not include revision numbers. Please explain how one determine that is the latest available revision and why revision numbers are not being used.

Response to follow up question 3 (for RAI #2):

The drawings submitted to NRC on 15 December 2017 do not include revision numbers. At the time of the July 2017 site audit visit, our revision numbers appearing on all of our drawings gave an impression that the design process had not yet been completed, suggested by the fact that there was a revision number other than zero. However, the design process was complete, and to the extent possible, the drawings reflect the as-built condition, and contain review and approval initials. As a result, MIT removed revision references from all final drawings just prior to the December 2017 submittal. Subsequent changes will contain revision letters beginning with "A",

and new review and approval initials.

The pair of drawings for the Withdraw Permit Circuit in Enclosure I are an exception to the above. These are R3W-203-4 Rev. C and R3W-203-4 Rev. D. Revision C is the existing Withdraw Permit Circuit under license R-37. For the new NSS, the necessary update to the circuit is provided in Revision D. Implementation of the change as per Revision D will happen only after NRC approves the LAR for the new NSS.

RAJ Responses for Upgrade ofNSS Page4 4- In Enclosure D, MIT described the Signal Distribution Module (SDM). This description states that the < l 00 kW key switch module (KSM) is in NIM BIN 1 and receives power through the XI 4 connector. However, Enclosure DJ provided the Global Connection Diagram for the NSS, and this drawing does not show the KSM in NIM BIN 1, but instead installed in NIM BIN 2. Please confirm the location of the KSM and the components installed in each NIM BIN Response to follow up question 4 (for RAJ #2):

It is the drawing [Enclosure D drawing R3W-268-2 "NSS Global Connection Diagram"] that is correct. - As shown in Photo 1 below, the KSM is in NIM Bin 2, along with the three Magnet Power Supply Modules and the Blade Drop Timer Interface. It receives power through the Xl 7 connector. The description in Enclosure D [Q/A File document #2017-34 "Signal Distribution Module"] was incorrect in item 5 on page 2. The updated document, now dated 15 March 2018, is enclosed. The correction reads as:

The X14 connector then passes the 24-volt DC power as output to the "NIM Bin 1" instrument rack which contains three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the LED Scram Display Module.

LOOP A

~

Photo 1 - NIM Bin 2

RAI Responses for Upgrade ofNSS Page 5 5- In Enclosure E, MIT described operation of the scram logic card (SLC). However, this description does not describe the use of test switch necessary for surveillance testing. Please describe the operation of the test switch that will be used for surveillance testing and calibration.

Response to follow up question 5 (for RAI #2):

For surveillance testing and calibration, the Test-Condition Bypass (TCB), shown in Photo 2 below, will be used. A detailed description of the TCB was provided in Enclosure J [Q/A File

1. 2017-28 document "DWK 250 'Test' Condition Scram Bypass Assembly", and schematic R3W-264-3 "DWK 250 'Test' Condition Scram Bypass Assembly"]. It was fabricated to facilitate test procedures to demonstrate that a specific trip condition from a DWK 250 nuclear safety channel will result in a scram of the reactor.

The TCB is depicted in the Enclosure U block diagram, on the left-hand side amongst the four DWK 250 nuclear safety channels. It also appears in the Enclosure D drawing R3W-268-2 "NSS Global Connection Diagram" in grid location C-1. Its use is illustrated in Enclosure Q written procedure "New Nuclear Safety System Global Test Special Procedure" pages 15 through 17 (steps 1 through 50).

DWK 250 "TEST" CONDITION SCRAM BYPASS Photo 2 - Front Face of TCB Panel with Caution Posting

RAI Responses for Upgrade ofNSS Page 6 6- In Enclosure E, MIT described the logic to generate a scram signal. In the description for sub-circuit card (SC) 10, MIT stated that there are two independent outputs that go to the withdraw permit circuit (WPC) and the KSM However, the Global connection Diagram provided in Enclosure DJ does not show a connection from the SLC to the WPC. Please describe how the WPC receives the scram signal from the SLC. Also, please explain if the WPC connect to the programmable logic controller (PLC) .

Response to follow up question 6 (for RAI #2):

The two 24-volt DC outputs from sub-circuit SCIO go independently to the Magnet Power Supplies and the Withdraw Permit Circuit. This is stated in Enclosure E [Q/A File #2017-35 document "Scram Logic Card Modules", Item #10 on page 6]. Also, Enclosure E's main schematic for the SLC shows the two independent outputs as going from relays U4 and U7 to the

. WPC and the magnet power supplies ("MPS" on the drawing).

Enclosure D drawing R3W-268-2 "NSS Global Connection Diagram" depicts the SCIO output that goes to the WPC as doing so by way of the KSM. This path is similarly depicted on the block diagram in Enclosure U. The KSM drawing R3W-259-4 in Enclosure G also shows this pathway, in greater detail: the SLC outputs are shown entering the KSM and directly affecting relays RYS, RY6, RY7, and RY8 there, which then interrupt the WPC. This is described in Enclosure G [Q/A File #2017-37 document "<100 kW Key-Switch Module", page 4 and the third paragraph of page 5].

The WPC does not connect to the programmable logic controller (PLC) directly. Instead, when the WPC is open, a signal goes to the PLC via relay RY4, which is physically located in the KSM. The coil for relay RY4 is shown in grid location A-4 of WPC drawing R3W-203-4 Rev.Din Enclosure I, and in grid location C-5 ofKSM drawing R3W-259-4 in Enclosure G.

Figure 3 in Enclosure L [Q/A File #2017-40 "Safety System Monitoring & Status Display PLC"]

shows this input to the PLC as "WPC Energized Signal". Therefore, it is important to clarify that this input signal is not fed directly from the circuitry of the WPC.

7- In Enclosure Gl, MIT provided the logic schematic for the KSM This schematic shows an output signal with the following label: "To safety system monitoring and status display PLC input (WPC status). " Please explain what this signal refers to.

Response to follow up question 7 (for RAI #2):

This is the signal described in the last two paragraphs of the Response to follow up question 6 above. This output signal happens when the contact for relay RY4 in the KSM is open. RY4 is open whenever the WPC is open. This signal to the PLC allows data logging showing when the WPC is de-energized, for the purpose of determining the time sequence of alarms for system troubleshooting.

RAI Responses for Upgrade ofNSS Page 7 8- In Enclosure H, MIT described operation of the magnet power supplies module. This description includes a photo of the frontal view of the module. This photo shows two pairs of LEDs that were not described nor included in the logic diagram provided in Enclosure HJ.

Please describe operation and logic for these LEDs.

Response to follow up question 8 (for RAI #2):

Each magnet power supply module contains power supply circuit boards for two reactor shim blades, for instance shim blade #1 and shim blade #2. Two sets of indicator lights are on the front of each magnet power supply module, one set for each shim blade's magnet. Each set contains a green "Available" light in the upper position and a yellow "On" light below it. Power to the magnet power supply module is provided by a dedicated 24-volt DC power supply built into the module. If the 24-volt DC power, as adjusted via the magnet power supply circuit board's adjustable regulator, is adequate, then the green light illuminates. If the circuit board is sending adequate current to the shim blade magnet, then the yellow light illuminates.

Drawing R3W-266-4 "Magnet Power Supplies" shows these indicator lights. This detailed circuit diagram was included in the Drawings and Schematics section of Enclosure B 1, which is the QIA file for the magnet power supply modules. (It was not referenced in the Enclosure H document on these modules, and so was not included in Enclosure H.)

Enclosure B 1 contains "Special Procedure for Bench Testing of the Magnet Power Supply Modules", which provides for testing of these indicator lights in steps 6 through 9 and steps 12 through 15. (These steps also mention an "Energized" indicator light; note that it is on the Test Box depicted in Figure 1 on page 5 of the procedure, not on the magnet power supply module.)

9- In Enclosure Kl, MIT provided the logic schematic for the blade drop timer interface. This schematic shows an input for the "Minor Scram Switch. " Please describe how this signal is used in the logic for the blade drop timer.

Response to follow up question 9 (for RAI #2):

The Blade Drop Timer Interface Module has a two-position "Start Signal Source" selector switch on the front. When the switch is toggled to the "Minor Scram Switch" position, the two-out-of-four coincidence logic in the Blade Drop Timer Interface circuit is not used. The operator needs only to press the console Minor Scram pushbutton to have the Interface module start the Blade Drop Timer. This is described in Enclosure K [Q/A File #2017-30 document "Blade Drop Timer Interface Module" page 2].

On the Enclosure K schematic R3W-267-3, in grid location B-4, the Guarded Toggle Switch S2 can select either "DWK 250" or "Minor Scram Switch". When "Minor Scram Switch" is selected, the operator's action of pressing the Minor Scram pushbutton (connected at P8) will open the circuit, resulting in a 12-volt signal passing straight through P9 tostart the Blade Drop Timer.

RAJ Responses for Upgrade ofNSS Page 8 I 0- Enclosure L described operation of the Safety System Monitoring & Status Display PLC.

This enclosure includes the internal logic, which shows the following inputs: "Timer Reset Push Button " and "Enable/Disable Hourly Reminder. " Please describe what these inputs are. Also, please explain how the operator acknowledges and resets alarms/events in the PLC.

Response to follow up question 10 (for RAJ #2):

The "Timer Reset Pushbutton" and the "Enable/Disable Hourly Reminder" in Enclosure L

[Q/A File #2017-40 document "Safety System Monitoring & Status Display PLC" Figure 3 logic flow diagram] are user-input functions programmed in the PLC, as described in the page 5 text and depicted in Figure 4 of that document as "acoustic reminder". From time to time, the console operator is required to perform procedures or actions at precise time intervals. This timer function can provide a sound to alert the operator, and can be enabled and disabled using' the "Enable/Disable Hourly Reminder" input via a button on the PLC's touch-screen. These functions cannot interfere with the Nuclear Safety System.

The operator can acknowledge and reset alarms or events in the PLC by a reset button built into the software on the PLC touch-screen.

Follow up question 11 (for RAJ #10):

I I - In Enclosure V, MIT described the console layout and the human factors considered for the NSS. This description states that if the DWK 250 neutron channels are not installed in the correct location, an alarm will be generated. However, this is inconsistent with the information provided in the response for RAJ #2, item c, in which MIT stated that this is not part of the proposed NSS. Please clarify if the PLC will receive an alarm when a neutron channel is not placed in the correct location.

Response to follow up question 11 (for RAJ #10):

The memo in Enclosure V has been corrected, with the last sentence of item 1 deleted. (This sentence was left in the memo inadvertently in the 14 December 2017 submittal.) If the DWK 250 neutron flux channels are not installed in the correct location, it will be readily apparent as the operator performs startup checklists or other test procedures. No alarm is needed.

The revised Enclosure V memo is enclosed. Figures 1 through 8 remain unchanged, and are not included in this response.

RAI Responses for Upgrade ofNSS Page 9 The RAI follow-up question responses and enclosures submitted herewith do not contain any proprietary information.

This RAI follow-up question response submittal contains the following two

Enclosures:

Enclosure D. Q/A File #2017-34 document "Signal Distribution Module" dated 15 March 2018. (No drawings enclosed, as there is no change to Drawing R3W-268-2 "NSS Global Connection Diagram" or Drawing R3W-274-3 "Signal Distribution Module Board Wiring Diagram".)

Enclosure V. Memo "Human Factors Considerations for Design and Implementation of the New Nuclear Safety System" dated 11 April 2018. (No figures enclosed, as there is no change to the memo's eight appended figures.)

Sincerely, Edward S. Lau, NE Alberto Queirolo Assistant Director of Reactor Operations Director of Reactor Operations MIT Research Reactor MIT Research Reactor I declare under penalty of perjury that the forego* ect.

Executedon ~;lDate:)5 <+/-9\ 81

Enclosures:

As stated.

cc: USNRC - Senior Project Manager Research and Test Reactors Licensing Branch Division of Policy and Rulemaking Office of Nuclear Reactor Regulation USNRC - Senior Reactor Inspector Research and Test Reactors Oversight Branch Division of Policy and Rulemaking Office of Nuclear Reactor Regulation

Page 1 of 5 0/A File #E-2012-1 Digital Upgrade for Nuclear Safety System Q/A File #2017-34 "Signal Distribution Module" Description of the Signal Distribution Module The Signal Distribution Module (SDM) is an interface circuit between the DWK 250 digital neutron flux monitors and all components downstream. Because any trip signal generated from a nuclear safety channel must pass through the SDM on its way to the modules that effect a reactor shutdown, the SDM is considered a safety-related component of the Nuclear Safety System.

Additionally, the SDM contains the auctioneering diodes for the two 24-volt DC power supplies. There are two analog meters mounted on the SDM's protective casing, one showing the electric current from the power supplies, and the other showing voltage. (See Figure 1.) By selection via a rotary switch (also mounted on the case), the voltage meter shows the instantaneous voltage on the SDM, from the first power supply, or from the second power supply.

Figure 1 - Exterior of Signal Distribution Module, showing its two Analog Meters at top QA#-2017-34 15 MAR2018

Page 2 of 5 As can be seen in schematic diagram R3W-268-2 "Nuclear Safety System Global Connection Diagram" and circuit board diagram R3W-274-3 "Signal Distribution Module Board Wiring Diagram" the SDM has a total of thirteen connections. In terms of signal flow, four of those connections are strictly input (signal coming from each of the four DWK 250 units), six are input/output bidirectional, two are strictly output, and one is not in use. The following lists the roles of the connectors as they are labeled:

1. XlO: Receives signal from DWK 250 channel #1.

2. Xl 1: Receives signal from DWK 250 channel #2.

3. X12: Receives signal from DWK 250 channel #3.

4. X13: Receives signal from DWK 250 channel #4.

5. X14: Receives power from two 24-volt DC power supplies that are set up in parallel, but connected via auctioneering diodes on the SDM, so that if one fails, the other will take over without interruption. The X14 connector then passes the 24-volt DC power as output to the "NIM Bin 1" instrument rack which contains three downstream components: Scram Logic Card 1, Scram Logic Card 2, and the LED Scram Display Module. The X14 connector also passes the 24-volt DC power via connectors XlO through X13 to energize the output (scram/alarm) relays of the four DWK 250 channels. (The DWK 250 output relays are electrically isolated from the internal circuitry of the DWK 250, and rely on an external power source for their operation.)

6. Xl5: Passes signals from the four DWK 250 channels to Scram Logic Card 1.

The Xl 5 connector receives signals back from Scram Logic Card 1 and routes them to the LED Scram Display and several non-safety-related monitoring and display devices.

7. X16: Passes signals from the four DWK 250 channels to Scram Logic Card 2.

The Xl 6 connector receives signals back from Scram Logic Card 2 and routes them to the LED Scram Display and several non-safety-related monitoring and display devices.

8. XI 7: Passes signals to and from the <100 kW Key-Switch Module.

9. X18: Passes signals to and from an LED Scram Display module, which captures scram signals from any of the four DWK 250 channels via the Scram Logic Cards, and keeps them latched in until the LED Scram Display module is used to reset the two Scram Logic Cards. (Once the scram condition no longer exists, the DWK 250 will not show what the trip condition was.)

10. Xl 9: Passes analog signals from the four DWK 250 channels to existing console chart recorders and meters.

11. X20: Not in use.

QA#-2017-34 15 MAR2018

Page 3 of 5

12. X21: Passes signals from all inputs of the SDM to a non-safety-related programmable logic controller (PLC) for monitoring and status display.

13. X41: Passes the "Test" trip signal from each of the four DWK 250 channels through a Signal Junction Box to a Blade Drop Timer Interface Module, which in turn passes a signal to activate the existing Blade Drop Timer. This setup will measure the scram time from initiation of a scram signal to 80% insertion of a shim blade. The Blade Drop Timer Interface Module conditions a binary signal for compatibility with the existing Blade Drop Timer, and includes optical isolation of the SDM from the Blade Drop Timer. The Blade Drop Timer Interface Module and the Blade Drop Timer are mounted in separate NIM bins. The Blade Drop Timer in its own NIM bin receives 12 volts DC from its existing, independent power source. Connector X41 also passes low-voltage and fault signals from each of the two 24-volt DC power supplies to the PLC, by way of the SDM and the Signal Junction Box, via connector PIO on the Box and cable K-45 .

QA#-2017-34 15 MAR2018

Page 4 of 5 Safety Evaluation The Signal Distribution Module (SDM) is a four-layer FR4 printed-circuit board that facilitates passing of signals between various modules of the new Nuclear Safety System.

An ISO 9001-2008 certified electronic hardware manufacturer (Advanced Circuits) fabricated the board.

Failure Analysis If the board fails, such as by physical damage or other disruption to a scram signal path between a DWK 250 and the Scram Logic Cards, there will be a loss of the signal, thereby causing the Scram Logic Cards to produce a scram. The physical damage could include puncture, impact, fire, or high voltage surge, while other types of disruption could include radio frequency interference, overheating, or corrosion. All would result in a scram.

The connection (X14) to the two 24-volt DC power supplies only passes power to the two Scram Logic Cards and the <100 kW Key-Switch Module. The SDM board does not use the power for its own functions. The two power supplies are fed from an existing, common 120-volt AC source, and have an internal fuse that will protect against overcurrent conditions. They also have an output overload that will trip at no more than 35 volts DC. In the unlikely event of an excessive line voltage surge, both power supplies are designed to trip to protect themselves, interrupting power to the two Scram Logic Cards, scramming the reactor. If the surge affects the SDM board directly, it may create physical damage as described above, again resulting in a reactor scram.

If there is a loss of line voltage or an internal fault on either of the two 24-volt DC power supplies, a relay contact opens on the affected power supply to transmit a signal by way of the SDM and the Signal Junction Box to the PLC, showing on the PLC which power supply is in trouble.

Signals input to the SDM board from the two Scram Logic Cards are passed along to other display and status monitoring devices. If the board should be damaged in these areas, there is no effect on nuclear safety. The console operator may observe a partial loss of indications of reactor power and reactor period, but will not receive false information. There are redundant displays of reactor power and period, such as on the face of each DWK 250 chassis, that will remain operable. There are also four existing independent non-safety-related neutron flux channels or N-16 gamma channels displaying reactor power. Likewise, loss of signal output from the SDM to existing console chart recorders and meters has no effect on nuclear safety. There is redundant recording of reactor power history from the non-safety-related neutron flux channels.

Cybersecurity and Isolation The SDM is assembled on one circuit board. The module is constructed with standard industrially-rated components. It contains no digital components, and is therefore not subject to cybersecurity threats.

QA#-2017-34 15 MAR2018

Page 5 of 5 Transient Voltage Suppressor (TVS) diodes are used on the SDM board to ensure voltages never exceed 35 volts. Because the SDM is mostly a passive circuit board, it does not include any optical isolators. However, there are optical isolators built into Scram Logic Card 1, Scram Logic Card 2, the Blade Drop Timer Interface Module, and the PLC panel.

Access Control and Physical Protection The SDM will be mounted within the protective metal instrumentation cabinets of the control room. The instrumentation cabinets will provide the module with physical protection comparable to that for the current nuclear safety system. Routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as per the NRC-approved Physical Security Plan. Therefore, access control and configuration control are assured.

Environmental Conditions The control room and its metal instrumentation cabinets are in an air-conditioned environment. The temperature is continuously maintained within a desirable setting (approximately 68 F). There is a temperature alarm (setpoint no higher than 78 F) that is monitored whenever the reactor is operating, or shut down with the control room attended.

This air-conditioning control easily satisfies the operating requirements for all the components on the SDM board.

Human Factors All cables to the SDM and cable connection points on the SDM will be labeled, as will the circuit board. These markings improve the human interface for purposes of installation and maintenance. Once it is installed, there will be no regular human interface with the SDM board. It will be handled only by or under the supervision of license reactor staff. Therefore, human factors engineering remains adequate.

Verification and Periodic Checks The new SDM board will be tested for wiring verification using a written procedure prior to first use, will be set up in the control room as part of the integrated new Nuclear Safety System to operate in parallel with the existing nuclear safety system for observation, and will receive functional checks periodically as part of the operational checks of the integrated Nuclear Safety System. Therefore, these pre-operational and routine surveillances are sufficient to assure the completeness and integrity of the circuitry.

QA#-2017-34 15 MAR2018

MIT NUCLEAR REACTOR LABORATORY AN MIT INTERDEPARTMENTAL CENTER John P. Foster Mail Stop: NW12-110 Phone: 617.258.5864 Deputy Director of Reactor Operations 138 Albany Street Fax: 617.324.0042 jpfostermit.edu Cambridge, MA 02139 Web: http://nrl.mit.edu MEMORANDUM To: New Nuclear Safety System QA File E-2012-1 From: John Foster, Deputy Director of Reactor Operations Re: Human Factors Considerations for Design and Implementation of the New Nuclear Safety System.

Date: 11 April 2018 The following list outlines the human factors considered for the Mirion DWK 250 channels and all components downstream in the new Nuclear Safety System.

1. Connections to the four DWK 250 channels are connectorized and remove error associated with point to point wiring. Routing of DWK 250 signaling is accomplished by the use of a 4-layer printed circuit board (Signal Distribution Module) to distribute the signals to the proper locations and modules. This minimizes the possibility of items being wired incorrectly and makes for ease of installation.

2. Back.lighting was activated for an "always on" condition for the DWK 250 channel displays so each display could be easily viewed by the operator at any time.

3. The scram logic card design incorporated the use of 2 out of 4 voting logic to allow for one channel to be in test or out of commission instead of the typical use of a bypass switch or relay. This ensures all equipment remains active and installed regardless of its state thereby mitigating the possibility of improper channel bypassing. If a channel is removed, all trips for that channel become active as seen by the scram logic cards.

4. The method of providing <100 kW high power scram settings on the existing nuclear safety system requires swapping out safety channels 5 & 6 high range amplifiers to low range amplifiers. This creates an opportunity where human errors could occur during the reconnection process. The new system will utilize a key switch that shifts from full power mode to <100 kW mode thereby mitigating the possibility of errors such as cable or card/chassis swapping. The key will be kept in the control room key cabinet, with use controlled by startup checklists that define the mode of operation (Full Power or <100 kW).

An annunciator informational alarm will actuate when in the <100 kW mode. See Figures 1-4 for existing and final annunciator panel layouts.

Page 1 of 2

5. The module layouts in the control room were identified by reactor staff and active reactor operators according to the most efficient use of space and the understanding of how certain modules interfaced with each other and existing equipment. See Figures 5 & 6 for the existing and final control room layout. The rundown relay panel was important to keep in its current location to eliminate the need for additional wiring to interface with the blade drives and magnets. It was important to keep the DWK 250 channels located at an easy-to-view height and in their exact locations utilized during the testing phase including detectors, preamps and cabling. The remaining modules were located in proximity to each other based on how the operator will utilize the equipment during routine surveillances.

6. The remote displays for wide range reactor power and reactor period will remain analog meters, very similar in appearance to the existing system. Additionally, they will be located on console in front of the operator in the same location as those for the existing system. The existing system has dedicated power and period meters for channel 3, while channels 1 and 2 share one set of power and period meters controlled by a selector switch. The new system will have 8 meter displays total (DWK 1-4, each with power and period). Channels 1 & 2 will be on the left hand side of the console and channels 3 & 4 will be on the right hand side of the console. See Figures 7 & 8 for existing and final console meter layouts.

Channel 1 detector is located in 4IH3 ; channel 2 detector is located in 3GV2; channel 3 detector is located in 4IH1 ; and channel 4 detector is located in 3GV5. The 4IH detectors are looking at the lower portion of the reactor core while the 3GV detectors are looking at the higher portion of the reactor core. This arrangement gives the operator two diverse views of the reactor flux regardless of which side of the console they are viewing reactor power/period.

7. Surveillance checklists were developed and tested to ensure all testing evolutions return the systems to their preferred state for reactor operation. Multiple operators performed the draft surveillance checklists in order to ensure sufficient detail and directions were included in the final procedures.

8. Annunciator alarms will be arranged in a method consistent with current NRL practices. The bypass alarm will be added to the left side annunciator panel near all other bypass alarms and will be their characteristic yellow color. The safety system scram alarm will remain in its current location and remain red in color. All other alarms are informational in nature and will be white in color.

Page 2 of2