Text

Purdue University Safety Evaluation for Amendment No. 14 to Renewed Operating License No. R-87 for the Purdue University Research Reactor Digital Instrumentation Control Upgrade
	ML18275A109
Person / Time
Site:	Purdue University
Issue date:	04/01/2019
From:	Cindy Montgomery; Research and Test Reactors Licensing Projects Branch
To:	;
	Montgomery C, NRR/DLP, 415-3398
Shared Package
ML18275A090 -Pkg.	List: ML18262A434; ML18275A109; ML18275A124;
References
	EPID L-2017-LLA-0251
	Download: ML18275A109 (96)
	v • d • e

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 14 TO RENEWED FACILITY OPERATING LICENSE NO. R-87 PURDUE UNIVERSITY DOCKET NO. 50-182

1. INTRODUCTION By application dated February 27, 2017 (Ref. 1), as supplemented by letters dated June 21, 2017 (Ref. 2), December 18, 2017 (Ref. 7), March 2, 2018 (Ref. 12),

September 20, 2018 (Ref. 3), October 5, 2018 (Ref. 8) and March 19, 2019 (Ref. 22),

Purdue University (the licensee or Purdue), submitted a request to upgrade the instrumentation and control (I&C) systems for the Purdue University Reactor (PUR-1) by replacing it with new digital instrumentation and control (DI&C) systems. Additionally, the licensee requested editorial changes to the technical specifications (TSs) for the PUR-1, for surveillance requirements 4.2, 4.4, and 4.6 to make them consistent with the corresponding limiting conditions for operation (LCOs) in the approved PUR-1 TSs.

The proposed digital upgrade of the I&C systems replaces the Neutron Flux Monitoring System (NFMS), Reactor Control System (RCS) (except for the rod/source/detector drive systems), the Reactor Protection System (RPS), the control console and display instruments, and the Radiation Monitoring System (RMS). These major systems interface with subsystems such as the Rod Drive System (RDS), the Reactor Room Pressure Differential Monitoring System (RRPDMS), the Reactor Water Makeup System (RWMU), the Heating Ventilation and Air Conditioning (HVAC) System, and the Power Conditioning System (PCS). Section 3 of this safety evaluation (SE) provides the U.S. Nuclear Regulatory Commission (NRC) staffs technical evaluation of these systems. However, the RDS, HVAC, and RRPDMS subsystems, which were not changed or were replaced by the licensee without prior NRC approval, are not discussed in detail in this SE.

In addition to changes to TS 1.32, 3.2, 3.3, and 4.2 proposed by the licensee to provide a definition, two LCOs, and a surveillance requirement (SR) related to the replacement DI&C systems, the licensee proposed other TS changes to: (1) correct TS 4.2 wording for inconsistent reference in the SR to the corresponding table in the LCO, (2) delete an improper reference to fuel clad in SR 4.4 for the corresponding LCO on building confinement, and (3) clarify that SR 4.6 is by visual inspection to better align with the LCO wording.

The NRC staff performed a regulatory audit (Audit) for the DI&C upgrade license amendment request (LAR) at the PUR-1 facility in West Lafayette, IN, during the week of August 22 - 24, 2017. Performance of this Audit was in accordance with the audit plan (Ref. 4) and the NRC staff issued the audit report on December 20, 2017 (Ref. 5). The audit report resulted in a request for additional Information (RAI) dated November 13, 2017 (Ref. 6). The licensee provided its responses to the RAI on December 18, 2017 (Ref. 7) and March 2, 2018 (Ref. 12).

Enclosure 2

2. REGULATORY EVALUATION The NRC staff reviewed the LAR, as supplemented, to ensure that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) activities proposed will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. The NRC staff considered the following regulations during its review of the proposed changes:

PART 20, Standards for Protection Against Radiation of Title 10 of the Code of Federal Regulations (10 CFR), which provides the regulatory requirements for protection against ionizing radiation resulting from activities conducted under licenses issued by the Nuclear Regulatory Commission.

Part 50, Domestic Licensing of Production and Utilization Facilities, of 10 CFR, which provides the regulatory requirements for licensing of non-power reactors.

Section 50.34(a)(7) of 10 CFR, which requires the applicant to describe the quality assurance (QA) program for design, fabrication, construction, and testing of the structures, systems, and components of the facility and 50.34 (b)(6)(ii), which requires that a final safety analysis report include the managerial and administrative controls to be used to assure safe operation.

Section 50.34(a)(3)(i) of 10 CFR, which requires the applicant to describe the principal design criteria for the facility.

Section 50.34(a)(3)(ii) of 10 CFR, which requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria.

Section 50.34(a)(4) of 10 CFR, which requires a preliminary analysis and evaluation of the design and performance of structures, systems, and components of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of structures, systems, and components provided for the prevention of accidents and the mitigation of the consequences of accidents.

Section 50.34(b)(2) of 10 CFR, which requires a description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.

Section 50.34(b)(2)(i) of 10 CFR, which requires such items as the instrumentation and control systems and electrical systems be discussed insofar as they are pertinent.

Section 50.34(b)(4) of 10 CFR, which requires a final analysis and evaluation of the design and performance of structures, systems, and components with the objective stated in 10 CFR 50.34(a)(4) and taking into account any pertinent information developed since the submittal of the preliminary safety analysis report.

Section 50.36(a)(1) of 10 CFR, which requires that each applicant for a license authorizing operation of a production or utilization facility include in this application proposed technical specifications and a summary statement of the bases or reasons for such specifications, other than those covering administrative controls, shall also be included in the application, but shall not become part of the technical specifications.

Section 50.36(b) of 10 CFR, which requires that the TSs be derived from the analyses and evaluation included in the safety analysis report.

Section 50.36(c) of 10 CFR, which requires the TSs to include:

Safety limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity (50.36(c)(1)(i)(A));

Limiting safety system settings for automatic protective devices related to those variables having significant safety functions (50.36(c)(1)(ii)(A));

Limiting conditions for operation, which are the lowest functional capability or performance levels of equipment required for safe operation of the facility (50.36(c)(2));

Surveillance requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met (50.36(c)(3));

Design features of the facility such as materials of construction and geometric arrangements, which, if altered or modified, would have a significant effect on safety and are not covered in categories described in 10 CFR 50.36(c)(1), (2),

and (3) (50.36(c)(4)); and, Administrative controls relating to organization and management, procedures, recordkeeping, review and audit, and reporting necessary to assure operation of the facility in a safe manner (50.36(c)(5)).

NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, (Ref. 9.2) provides guidance to the NRC staff for performing safety reviews of applications to construct, modify, or operate a nuclear non-power reactor. The NRC staff used NUREG-1537, Part 2 as guidance and acceptance criteria to review the Purdue application for upgrading its I&C systems in order to verify compliance with the applicable regulatory requirements listed above. Part 1 and Part 2 of NUREG-1537 reference additional guidance, as applicable, including:

Regulatory Guide 1.152-1996, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants (Ref. 21), which, to the extent applicable to research reactors, provides guidance for the use of digital computers in nuclear safety systems including computer hardware, software, firmware, and interfaces and in which the NRC staff endorses use of Institute of Electrical and Electronics Engineers (IEEE) standard IEEE 7-4.3.2-1993 (Ref. 19).

Regulatory Guide 2.5-1977, Quality Assurance Program Requirements for Research and Test Reactors (Ref. 20), which describes a method acceptable to the NRC staff of complying with the regulations for quality assurance program requirements for research and test reactors and in which the NRC staff endorses use of American National Standards Institute/American Nuclear Society (ANSI/ANS) standard ANSI/ANS-15.8-1976.

ANSI/ANS-15.1-1990, The Development of Technical Specifications for Research Reactors (Ref. 15), which provides guidance that identifies and establishes the content of TSs for research and test reactors.

ANSI/ANS-15.8-1995, Quality Assurance Program Requirements for Research Reactors (Ref. 16), which provides the general requirements for establishing and executing a quality assurance program for the design, construction, testing, modification, and maintenance of research and test reactors.

ANSI/ANS-15.15-1978, "Criteria for the Reactor Safety Systems of Research Reactors" (Ref. 17), which provides the criteria for establishing appropriate specific design requirements for the reactor safety system of an individual research reactor.

ANSI/ANS-10.4-1987, Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry (Ref. 18), which provides guidelines for the verification and validation (V&V) of scientific and engineering computer programs developed for use by the nuclear industry.

IEEE 7-4.3.2-1993, "IEEE Standard Criteria for Digital Computers Systems in Safety Systems of Nuclear Power Generating Stations" (Ref. 19), which, to the extent applicable to research reactors, provides guidance to establish minimum functional and design requirements for computers used as components of a nuclear safety system.

3. TECHNICAL EVALUATION PUR-1 is a Lockheed Nuclear Products Materials Testing Reactor licensed for operation at a thermal power level of 12 kilowatts (kWt). Construction on PUR-1 began in 1961 and in 1962, the Atomic Energy Commission issued a license, authorizing the facility to operate at a power level of one kWt. Purdue University School of Nuclear Engineering manages and operates PUR-1. The primary mission of PUR-1 is training and educating Purdue University nuclear engineering students and students from neighboring universities without reactors, such as the University of Illinois.

The initial license, granted in 1962, was renewed in 1968, 1988, and 2016. The license renewal approved by the NRC in 2016 (Ref. 11) authorized the licensee to operate the facility at steady state power levels not in excess of 12 kilowatts (thermal) until October 30, 2036. The current TSs identify the PUR-1 Safety Limit (SL) and Limiting Safety System Settings (LSSSs); and the licensee did not request any changes to these values in this LAR.

The majority of the current I&C systems and subsystems use vacuum tube technology from the 1960s. Because of the difficulty in obtaining replacement parts, PUR-1 has experienced significant periods of downtime in recent years due to failures in these I&C systems and subsystems. The proposed replacement digital I&C systems and subsystems are designed to replicate the existing PUR-1 control console and nuclear instrumentation channels in order to minimize changes to the facility operating license and TSs. The new I&C systems and subsystems for the operator console are installed in the existing console metal frame within the PUR-1 reactor room.

This SE is divided into sections addressing each of the major systems the licensee is replacing within the I&C systems for PUR-1, including the NFMS (SE Section 3.1), the RCS (SE Section 3.2), the RPS (SE Section 3.3), the RMS (SE Section 3.4), and the control console and display instruments (SE Section 3.5). The RCS section (SE Section 3.2) also discusses the interfaces with auxiliary systems such as the RDS, the RWMU, the RRPDMS, the HVAC system and the PCS. The RDS, RRPDMS, and HVAC are not discussed in detail in this SE because they were not changed or were replaced previously as allowed without prior NRC approval.

Section 3.6 of this SE discusses access controls.

The technical evaluations in SE Sections 3.1 through 3.6 include subsections providing a system description, the NRC staffs system performance analysis of the proposed I&C system and subsystems to ensure the design basis and design criteria for the PUR-1 I&C systems and subsystems are met and license requirements for the performance of the system are specified.

SE Section 3.7 describes the NRC staffs evaluation of the process followed by the licensee to perform the proposed digital upgrade of the I&C systems for PUR-1, including its QA program and procedures, which are discussed in Section 3.7.1 of this SE. SE Section 3.8 describes the evaluation of the licensees proposed changes to the PUR-1 TSs. A conclusion for each NRC staff evaluation is included at the end of SE Sections 3.2 through 3.8. SE Section 3.9 discusses the licensees commitment to perform V&V testing of the entire RPCS after installation, and SE Section 3.10 includes an overall conclusion for the technical evaluation. SE Section 4 is the NRC staff evaluation of environmental considerations for this amendment request and SE Section 5 provides the NRC staffs overall conclusion for issuance of the amendment. Finally, SE Section 6 contains a list of acronyms and their definitions and SE Section 7 is the list of references.

3.1. Neutron Flux Monitoring System System Description of the Neutron Flux Monitoring System Purdue proposes to replace its existing neutron monitoring system for PUR-1 with Mirion Technologies, Inc. (Mirion) measurement channels. The new NFMS consists of four channels, with each channel having a sensing element, an amplifier or converter, and signal processing boards that process the signals (Ref. 1). When any neutron channel reaches its defined setpoint for scram, an output signal will initiate a scram through interruption of the magnet circuit. The PUR-1 NFMS includes three high-power level trip points as well as a trip on high, positive change rate. Change rate is a measure of the rate of change of power in percent per second (%/s). As discussed in SE Section 3.8.2.2, change rate is equivalent to reactor period of the original system. Table 5 in Section 3.8.2.2 of this SE provides the NRC staffs analysis of the proposed setpoint conversions. The Mirion neutron measurement channels also send signals to the RCS, for various control and protective functions. SE Section 3.2 provides further detail on the RCS.

The Functional Requirements Specification (FRS) for the Reactor Protection/Control System (RPCS) Replacement Project (Ref. 2.1) indicates that the new detectors will be in the same location in relation to the reactor core as the existing detectors. The NRC staff did not review the location of the detectors as part of this SE because the existing detector locations were found acceptable when the license was renewed (Ref. 11).

The Mirion channels are a modular system with a microprocessor to process the signal depending on the channel type. Table 1, below, is compiled from information in the LAR and in the FRS (Refs. 1 and 2.1, respectively) and provides the components, descriptions, measurements, ranges, and scram setpoints of the four Mirion neutron channels.

Table 1 - Mirion Technologies Neutron Measurement Channels Channel Components Description Measurement Range Setpoint for scram 1 - Startup wide Detector Pre-amplifier TKV DWK-250 Wide range Power level 1 - 1e10 15%/s or less range channel WL6367A, 23.21 Signal monitor Change rate cps fission chamber processor -3%/s -

33% /s 2 - Log N and Detector Current/ DAK-250g Source and Power level 0.00001 - 15%/s or less change rate WL23084, frequency Signal intermediate Change rate 300%

channel compensated converter processor range power 12 kWt, 120%

ionization NV 102.00H monitor -3%/s - operating chamber 33% /s power level, or less 3 - Linear power Detector Current/ DAK-250g Source and Power level 0 - 300% 120%

channel WL8075, frequency Signal intermediate (linear) power Selected uncompensated converter processor range Range or less ionization NV 102.00H monitor chamber 4 - Safety Detector - DGK-250 Power Power level 0 - 300% 12kWt, 120%

channel WL8075, Signal range (linear) power operating uncompensated processor monitor power level, ionization or less chamber The FRS (Ref. 2.1) and LAR (Ref. 1) describe how the Mirion neutron monitoring channels operate. The following descriptions of NFMS Channel #1 through Channel #4 summarize the relevant information from these references.

Channel #1 Channel #1 is the Log count rate and change rate channel. The channel uses a Mirion DWK-250 digital wide range channel to monitor neutron flux and includes a fission chamber to detect thermal neutrons, a pulse pre-amplifier, and a channel providing logarithmic count rate and a change rate signal. The DWK-250 will provide counts per second (cps) and change rate, as well as alarms, status, and tests, on its local display. This channel will also send an analog signal to the RCS to indicate neutron flux.

Channel #1 is the channel used during approach to criticality and very low power operations.

During startup, the fission chamber for Channel #1 is placed near the reactor core (lower limit).

Neutron-produced pulses from the fission chamber are amplified and counted. Smaller pulses produced by any means other than neutrons, such as gamma radiation or alphas, are rejected by a discriminator. The reactor change rate is displayed on the Yokogawa Electric Corporation (Yokogawa) recorder, the front of the DWK-250 channel, and on the operator console.

Per footnote (a) in Table 1 of the proposed PUR-1 TS 3.2, Channel #1 is not required after the neutron flux is sufficient to indicate on scale for the Log-N and Change Rate channel (Channel #2). When Channel #1 is near the upper limit of its counting range, Channel #2 and Channel #3 become the principal means of monitoring and controlling the reactor, and the Channel #1 fission chamber may be withdrawn to a region of lower neutron flux by means of the existing fission chamber drive mechanism. However, according to the licensee (Ref. 1), the new fission chamber can provide indications through 1e10 cps. This instrument can monitor the full range of reactor power by repositioning the detector using the associated drive mechanism.

The mechanical part of the drive mechanism will not change as a result of this LAR and is not evaluated in this SE.

Channel #1 covers the range from 1 to 1e10 cps and change rates from -3 %/s to 33 %/s (analogous to reactor period of -30 s to +3 s). Table 1 of this SE lists the channel setpoints including a withdrawal interlock alarm when the count rate is less than 2 cps and a rod withdrawal interlock that engages when the reactor change rate is less than or equal to 6 %/s.

The channel also has a setback, which is the automatic gang lowering of all of the shim-safety rods and the regulating rod into the core until they reach their lower limits, the originating condition clears, or the operator manually stops the setback. The Channel #1 setback occurs when the reactor change rate is less than or equal to 8 %/s. Channel #1 provides the following signals to the RCS:

Channel #1 change rate (4-20 milliampere (mA) analog output)

Flux log count rate (4-20 mA analog output)

Channel #1 Change Rate Trip (digital output)

Channel #1 Change Rate Setback (digital output)

Channel #1 Change Rate Rod Interlock (digital output)

Source Missing Channel #1 count rate (digital output)

Upper limit Channel #1 count rate > 1e5 cps (digital output)

Channel #1 system test (digital output)

Channel #1 system fault (digital output)

Channel #2 The DAK-250g is the Log N and Change Rate channel. It indicates the reactor power level over the range from 0.00001 to 300 percent power. It also indicates change rates from -3 %/s to 33 %/s (analogous to reactor period of -30 s to +3 s). This channel includes an ionization chamber detector, a current to frequency converter, and a digital channel that will process the detector signal. The DAK-250g will provide the log N of the reactor power in percent full power and the change rate in %/s, as well as alarms, status, and tests, on its local display. This channel will provide analog signals to the RCS to indicate log power and change rate.

Footnote (b) in Table 1 of the current PUR-1 TS 3.2 requires that Channel #2 (and Channel #4) be operable at startup, but not on scale (i.e., not indicating on the meter). Footnote (b) did not change as a result of this LAR.

Table 1 of this SE lists the Channel #2 setpoints. A rod withdrawal interlock will occur when the change rate is less than or equal to 6 %/s, a setback will occur when the change rate is less than or equal to 8 %/s, and the reactor will scram when change rate is less than or equal to 15 %/s. Channel #2 provides the following signals to the RCS:

Channel #2 change rate (4-20 mA analog output)

Channel #2 log power (4-20 mA analog output)

Channel #2 log power trip (digital output)

Channel #2 change rate trip (digital output)

Loss of high voltage trip (digital output)

Channel #2 change rate setback (digital output)

Channel #2 change rate rod interlock (digital output)

Channel #2 not on scale (digital output)

Channel #2 system test (digital output)

Channel #2 system fault (digital output)

Channel #3 Channel #3 uses the DAK-250g to measure the reactor power level over the range of 0 - 300 percent. This channel can measure reactor power, by detecting neutron flux, in the reactor operating range from shutdown to greater than 100 kWt. It can detect thermal neutron flux up to 2.5 x 1010 neutrons per square centimeter per second (n/cm2s). This channel includes an uncompensated ion chamber, current to frequency converter, and a digital measurement processor. The channel indicator displays the measured value (percent power).

Table 1 of this SE lists the Channel #3 setpoints. Channel #3 has a setback at 0 percent or greater of the currently selected range, and at 110 percent or less of the currently selected range. Channel #3 sends the following signals to the RCS:

Channel #3 linear power (4-20 mA analog output)

Channel #3 linear power trip (digital output)

Channel #3 not on scale (digital output)

Channel #3 linear power 110% setback (digital output)

Channel #3 range indicator (16 digital output signals)

Channel #3 system test (digital output)

Channel #3 system fault (digital output)

Channel #4 Channel #4 is the Safety Channel and its purpose is to provide a scram at the value listed in Table 1 of this SE. Channel #4 linearly measures from a few percent to at least 150 percent power. This channel provides the power signal for a high power level trip at 12 kWt (120 percent setpoint) and includes a setback at 11 kWt, corresponding to 110 percent operating power, or less. This channel includes an uncompensated ion chamber and a signal processor. The channel indicator displays the calibrated reactor power.

Channel #4 provides the following signals to the RCS:

Channel #4 reactor power (4-20 mA analog signal)

Channel #4 reactor power trip (digital output)

Channel #4 reactor power setback (digital output)

Channel #4 system test (digital output)

Channel #4 system fault (digital output)

Technical Evaluation of the Neutron Flux Monitoring System Design Bases The NFMS provides input for protective functions, such as scram the reactor on high power and inputs control functions, such as servo mode to adjust the regulating rod to maintain a preset power level. Section 3.1 (Design Criteria), Section 7.3 (Reactor Control System) and Section 7.4 (Reactor Protection System) of NUREG-1537, Part 2 (Ref. 9.2) provide guidance for evaluation of the NFMS design bases. The NRC staff used this guidance to review the design bases of the NFMS. SE Section 3.2.3 (RCS Design Bases evaluation) and SE Section 3.3.2 (RPS Design Bases evaluation) document the NRC staff evaluation and conclusions on the NFMS design bases.

Technical Evaluation of the Neutron Flux Monitoring System Design Criteria Guidance for evaluation of the NFMS design criteria is discussed in various sections of NUREG-1537. Section 3.1 (Design Criteria), Section 7.3 (Reactor Control System) and Section 7.4 (Reactor Protection System) of NUREG-1537, Part 2 (Ref. 9.2) apply to the NFMS design criteria. SE Section 3.2.4 (RCS design criteria evaluation) and SE Section 3.3.3 (RPS design criteria evaluation) document the NRC staff evaluation and conclusions on the NFMS design criteria.

3.2. Reactor Control System System Description of the Reactor Control System The licensee describes the RCS in the LAR (Ref. 1), as supplemented by the FRS (Ref. 2.1),

the Reactor Protection/Control System HMI Functions Software (SRS-SDD) and the Reactor Protection/Control System Hardware Design Document (HDD) (Refs. 7.1 and 7.2, respectively).

Figure 1, which is based on Figure 7-2 from the LAR, is a simplified block diagram of the RPCS.

A system description of the RCS (Section 3.2.1) and its subsystems (Sections 3.2.1.1 - 3.2.1.7),

based on these references, follows Figure 1.

Figure 1 - Simplified RCS Block Diagram Operation and control of the reactor is by the RCS. In particular, the RCS performs several functions including: system startup, system shutdown, maintaining a shutdown state, changing power levels, and maintaining operation at a set power level. Per the guidance in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2), non-power reactors, such as PUR-1, can be designed and operated to pose acceptably small or insignificant risk to the public without isolating or separating the RPS from other subsystems. The design of the PUR-1 I&C systems, in which subsystems for normal operation and safety subsystems are intermingled, was previously evaluated and found acceptable by the NRC Staff in Chapter 7 of the SE on license renewal (Ref. 11). Due to the small size and low risk of the PUR-1 reactor, the RCS and RPS have some overlapping and combined functions, which is accepted practice for research reactors.

The licensee refers to the combined project to replace both the RCS and RPS as the RPCS replacement project. Both the RCS and RPS hardware portions of the RPCS interface with the Mirion NFMS.

As discussed in Section 3.4 of this SE, the RCS includes all operator console human machine interface (HMI) equipment and a programmable logic controller (PLC). The PLC includes control algorithms responsible for reactor control and operation. It also includes the R*TIME open source software and the computer functions for the display and data historian. The RCS controls all non-scram control rod movement (e.g., the reactor drive controls and the servo control to perform reactor startup, operation, and shutdown) and all data acquisition and display functions.

The RCS also includes data acquisition system (DAS) hardware to provide interfaces between several external systems and the RCS. The DAS provides input signals the RCS uses to determine the current conditions of the reactor and other components and outputs signals generated by the RCS to control equipment and other auxiliary systems such as the HVAC and RWMU systems. The external systems provide two types of signals to the RCS: 4-20 mA analog input signals and dry contact digital inputs. The RCS provides digital output signals to control power to external systems through control relays. Additionally, the RCS injects voltage signals (10 volts direct current) into the potentiometers used in the drive systems to determine the positions of the control rods, neutron source, and the fission chamber. A voltage divider calculation on the voltage signal received from the potentiometer provides the position determination displayed on the operator console.

The data historian records information for each process parameter that interfaces with the system. The user will be able to configure the data historian to specify the data points to retain, the sampling rate, and the length of data retention. The default sampling interval is 1 s. The archive files, available on the display workstation, can retain at least 5 years of data, consistent with PUR-1 TS 6.8, which requires records of facility operations to be retained for a period of at least 5 years or for the life of the component involved, if less than 5 years. The archive function can also record triggering of setpoints and actuation of components.

The NFMS provides inputs to the RCS that are used to provide input to the RCS scram relay, provides indication of the current core conditions on the display screens, and provides feedback on reactor conditions during movement of the control rods, neutron source, and fission chamber. The RCS interfaces with the NFMS via the data acquisition hardware [RTP Corporation, RTP 3000 TAS (Technologically Advanced System)]. Three control rod drives, one neutron source drive, and one fission chamber drive interface with the new RCS. These drives were not changed as part of this LAR.

Three blade-type control rods (one regulating rod, and two shim-safety rods) provide for control of the reactor. The regulating rod is a hollow stainless steel blade operated with a direct drive and has no scram capability. The regulating rod is a low reactivity worth control rod used primarily to maintain an intended power level. Its position can be adjusted manually by the reactor operator or automatically by a servo-controller. The shim-safety rods are borated stainless steel with a magnetic clutch and screw operated drive mechanism. The shim-safety rods can be disengaged to drop by gravity into the core to scram the reactor.

The RCS allows individual control rod withdrawal and prevents withdrawal of more than one rod at a time. A gang lower function can insert all control rods simultaneously to reduce reactivity.

The rod withdrawal interlock inhibits outward rod motion under certain conditions and setbacks insert the control rods into the reactor to lower power prior to reaching the scram setpoint to reduce the likelihood of a scram. Section 3.2.1.2 of this SE provides more detail on the Reactor Drive Control Systems.

3.2.1.1. Alarms The FRS (Ref. 2.1) provides a description of the RPCS alarms. The system uses four types of alarms to alert operators and other nearby personnel in the event of an abnormal condition:

House, Class 0, Class 1, and Class 2. The House Alarm initiates a site evacuation. A push button switch on the control panel utilizes a control relay or RCS digital output to activate the House Alarm. The Class 0 Alarm initiates a reactor room evacuation. The Alarm Summary display screen displays the Class 1 Alarm that activates the console annunciator. A Class 1 Alarm will sound on all reactor trips (including manual trips) and reactor setbacks. The Class 2 Alarm does not activate the annunciator and only appears in the Alarm Summary display screen. A Class 2 Alarm indicates an abnormal facility condition other than a scram or setback, such as a loss of power to the PCS or an active interlock. The Alarm Summary display screen on the computer provides the capability to filter and sort all of the alarms. The indication of alarms does not distinguish between the types of alarm. Flashing red on the display screen signals that there is at least one unacknowledged alarm, regardless of whether it is a Class 1 or Class 2 Alarm.

An alarm acknowledgement capability allows determination of the sequence of alarms when multiple alarms are present. All digital input alarms are sequence of event type inputs. The system logs the timestamp of each input to the nearest millisecond. The data historian captures all alarms. When an alarm activates, the operator acknowledges it (by pushing the "Alarm Acknowledge" button on the console). The audible alert will stop but the indication will still be present on the annunciator board and the operator screen. If another alarm occurs (or an alarm condition, which was acknowledged, clears and then alarms again), the alarm will audibly sound again and indicate on the console.

3.2.1.2. Reactor Drive Control Systems The FRS (Ref. 2.1) provides a description of the reactor drive control and its subsystems. The RCS contains five control channels to raise or lower the two shim-safety rods, the regulating rod, the fission chamber, and the neutron source. These control channels connect to the existing RDS and are described in more detail below.

All five drive circuits operate a jam indicator on the console in the event of a mechanical jam in the drives. The jam indicator alerts the reactor operator to an abnormal condition in the drives, such as a kinked cable in the source and fission chamber drive units or high mechanical friction in the rod drives. The RCS senses the jam indication and generates a Class 2 alarm, which appears in the Alarm Summary display screen. An indication on the RCS display screens alerts the reactor operator to this alarm condition.

An input to the RCS for each drive assembly provides the current location of the corresponding component except for the source drive, which does not require location indication.

Using the operator control display screen, the reactor operator can control the selected rod by one of the following methods:

The operator enters the numerical value of the desired target position and selects the GO button on the display screen. Upon reaching the target position, the RCS automatically terminates rod movement. Note that moving the joystick or selecting the STOP button on the display screen stops the automatic control rod movement before reaching the target position. The drive system may not move more than 3 centimeters (cm) from the point where the STOP initiation signal was set or the RCS will initiate a setback function.

The operator can adjust the current rod position (up or down) with a coarse or fine adjustment arrow. The adjustment distances are user configurable with coarse adjustments initially set to 2 cm and fine adjustments initially set to 0.2 cm. This is a one-time movement and requires the reactor operator to select the adjustment arrow for each adjustment.

Besides using the operator control display screen, the reactor operator can use the physical raise/lower switch. This switch provides a momentary input to the RCS to initiate movement of the regulating rod, shim-safety rods, neutron source, or fission chamber. Manually holding the raise/lower switch in the raise or lower position is required to achieve continuous rod movement.

The regulating rod may also be controlled by using the automatic servo control. The servo control algorithm provides automatic control to maintain a set power level using input from Channel #3. Once the desired power level is achieved manually, the reactor operator can switch to servo mode. A new power level can be set if it is within 5 percent of the set power level. In servo mode, the RCS automatically adjusts the regulating rod to adjust power level by comparing the input from Channel #3 to the set RCS value. If power deviates from the requested level by more than 5 percent, servo control is terminated, a rod setback occurs, the servo control annunciator is activated, and the Class 1 Alarm sounds. The data historian will capture the servo control activation, deactivation, and power level.

3.2.1.3. Shim-Safety Rod Drive Systems The FRS (Ref. 2.1) provides a description of the signals, connections, components, and terminations between the shim-safety RDS and the RCS. The shim-safety RDS allows selection of the desired shim-safety rod drive using the operator console display screen. This connects the drive system for that rod and clears any other drive circuit that is energized.

Electrical interlocks prevent the raising of more than one control rod or fission chamber simultaneously.

The shim rod safety RDS display screen(s) provide the following indications:

Upper Limit - the drive unit is at the upper limit of its travel

2/3 Limit - the drive unit is two-thirds out

Engage - The shim-safety rod is attached to the drive electromagnet

Lower Limit - The drive unit is at the lower limit of its travel

Drive - The drive unit is connected to the raise-lower switch

Rod Location - The numerical location of the rod within the core Each shim-safety RDS has 12 connections to the RCS. The inputs are to the drive motor and a supply to a positioning potentiometer. The outputs are dry contact connections to the RCS for the jam switch, upper limit, 2/3 upper limit, lower limit, engage switch, and bottom. Readings of the dry contact outputs from both the normally open and normally closed contacts provide redundancy. Similarly, voltage readings between the slider and the up terminal and between the slider and the down terminal provide positioning.

3.2.1.4. Regulating Rod Drive System The FRS (Ref. 2.1) provides a description of the signals, connections, components, and terminations between the regulating RDS and the RCS. Selecting the regulating rod drive on the appropriate operator console display screen activates the regulating RDS. This connects the regulating RDS to the raise/lower switch and clears any other energized drive circuit. The regulating RDS operation is identical to the shim-safety RDS described in SE Section 3.2.1.3 above, with the exception that it can also be controlled using the automatic servo control. The automatic servo control setting maintains current power level percent within 5 percent by adjusting the height of the regulating rod using input from Channel #3 and can be activated and deactivated by the reactor operator using the appropriate operator console display screen.

The regulating RDS display screen(s) provide the following indications:

Upper Limit - the drive unit is at the upper limit of its travel

Servo - displays whether the servo control is enabled or disabled

Lower Limit - The drive unit is at the lower limit of its travel

Drive - The drive unit is connected to the raise-lower switch

Rod Location - The numerical location of the rod within the core The regulating RDS has nine connections to the RCS. The inputs are to the drive motor and a supply for the positioning potentiometer. The outputs are dry contact connections to the RCS for the jam switch, upper limit, 2/3 upper limit, and lower limit. Readings of the dry contact outputs from both the normally open and normally closed contacts provides redundancy.

Similarly, voltage readings between the slider and the up terminal and between the slider and the down terminal provide positioning.

3.2.1.5. Fission Chamber Drive System The FRS (Ref. 2.1) provides a description of the signals, connections, components, and terminations between the fission chamber drive system and the RCS. The fission chamber drive system allows selection of the fission chamber drive by using the operator console display screen. The fission chamber drive connects to the raise/lower switch and clears any other energized drive circuit. Interlocks prohibit raising the fission chamber while the control rods are driven. The fission chamber drive operates the same as the shim-safety RDS described in Section 3.2.1.3 above.

The fission chamber drive system display screen(s) provide the following indications:

Upper Limit - the drive unit is at the upper limit of its travel

Lower Limit - The drive unit is at the lower limit of its travel

Drive - The drive unit is connected to the raise-lower switch

Location - The numerical location of the fission chamber within the core The fission chamber drive system has eight connections to the RCS system. The input connections are to the drive motor and a supply for positioning the potentiometer. The outputs are dry contact connections to the RCS for the safety switch and upper and lower limits.

Readings of the dry contact outputs from both the normally open and normally closed contacts provide redundancy. Similarly, voltage readings between the slider and the up terminal and between the slider and the down terminal provide positioning.

3.2.1.6. Neutron Source Drive System The FRS (Ref. 2.1) provides a description of the signals, connections, components, and terminations between the neutron source drive system and the RCS. The neutron source drive system is activated by selecting the source drive on the operator console display screen. This connects the source drive system to its raise/lower switch. The source drive system has a more simplified operation that the previous systems. The reactor operator controls the source drive by using the operator console display screen to:

Adjust the current position with the up adjustment arrow where upward movement continues until either the up arrow, down arrow, or stop button is pressed.

Adjust the current position with the down adjustment arrow. Because this adjustment adds positive reactivity to the reactor core, continuous manual depression of the down adjustment arrow is required as a safety feature.

The neutron source drive system display screen(s) provide the following indications:

Upper Limit - The drive unit is at the upper limit of its travel

Source Raise - Indicates the source is being raised

Source Lower - Indicates the source is being lowered

Lower Limit - The drive unit is at the lower limit of its travel The source drive system has five connections to the RCS. The inputs are to the drive motors and the outputs are to dry contact connections to the RCS for the safety switch and upper and lower limits. Readings of the dry contact outputs from both the normally open and normally closed contacts provide redundancy.

3.2.1.7. RCS Scram Input As part of the combined RPCS, the RCS portion has an interposing relay within the RPS magnet circuitry. The RCS controls this relay and can open the relay contact to remove power from the shim-safety rod magnets and scram the reactor. The RCS includes the RMS, NFMS, manual scram buttons, and key switch scram functions, using separate relay contacts connected by independent communication channels from the RPS scram circuits. The RCS scram also uses self-monitoring, which identifies failures in the data acquisition hardware, computer, and power supply. These RCS scram inputs include:

Area Radiation Monitor (RAM) #1, #2, #3 - High dose rate alarm or failed input from each monitor (See Section 3.5 of this SE)

Continuous Air Monitor (CAM) - High count rate alarm or failed input (See Section 3.5 of this SE)

NFMS Channel #1 - High Change Rate alarm or failed input (See Section 3.3 of this SE)

NFMS Channel #2 - High Change Rate alarm, high power alarm, loss of high voltage, or failed input (See Section 3.3 of this SE)

NFMS Channel #3 - High power alarm or failed input (See Section 3.3 of this SE)

NFMS Channel #4 - High power alarm or failed input (See Section 3.3 of this SE)

NFMS Channel #1, #2, #3, #4 - Channel fault or test mode (See Section 3.3 of this SE)

RCS - Input/Output (I/O) Equipment Failure

RCS - Computer Failure

RCS - Power Supply Failure

Manual Scram (two different buttons - one on the control console, one in the hallway) (See Section 3.3 of this SE)

Key switch on the control console (See Section 3.3 of this SE)

Magnet power fault (See Section 3.3 of this SE)

The NRC staff reviewed the RCS scram logic as part of the review of the RCS Control Algorithm Software during the Audit (Ref. 5) to gain a better understanding of the detailed information submitted by the licensee in the LAR (Ref. 1). The review identified that all of these inputs are compared internally to the same setpoints used for the RPS scram relays and the results are logically ORd1 together within the RCS Control Algorithm Software. If any input is set to 1, the RCS scram output is set, which activates an interposing relay within the RPS scram circuit. The RCS scram output is latched into the system. By design, the reset logic for the RCS scram checks all scram conditions a final time before the RCS scram will reset, ensuring all scram conditions have cleared. If the condition has cleared, the operator presses and briefly holds the annunciator acknowledge button located on the operator console to reset the scram. The RCS scram output provides a diverse and redundant method to scram the reactor. Since the relays for the scram circuit are in series, any relay that opens will remove power to the control rod magnets and result in a scram. Therefore, operation or malfunction of the RCS scram relay will not adversely affect operation of the RPS safety functions.

In addition to the input into the RPS scram system, the RCS also has interlocks and setbacks configured in the RCS control algorithm software. The reactor drive control system contains interlock permissive circuits in the raise circuits to prevent withdrawal of the shim-safety rods, the regulating rod, or the fission chamber under specific conditions.

The interlocks for the RDS are located within the RCS control logic and they prevent the regulating rod and shim-safety rods from being withdrawn under the following conditions:

Source missing - Channel #1 must indicate neutron source presence with count rate of at least 2 cps. When this condition is not satisfied, a Source Missing indicator shows and rod withdrawal is inhibited.

Change rate > 6 %/s - Channel #1 and #2 change rate must be below 6 %/s. If 6 %/s or above, the WITHDRAWAL INLK indicator illuminates and rod withdrawal is inhibited.

DAS Hardware Trouble - If the DAS hardware is not operational, an indicator illuminates on the annunciator panel and rod withdrawal is inhibited.

Workstation on - if the workstation driving the control panel displays is down for any reason, the RCS will not allow the rods to be withdrawn.

Source Drive in Operation - Interlock logic on the source drive prevents raising the control rods or fission chamber while raising or lowering the source.

Drives Selected >1 - If more than one drive system is selected for movement the withdraw interlock will be set. Insertion of more than one drive is possible, but withdrawal of more than one drive is inhibited.

Lowering the control rods individually or as a gang is always possible.

The setback function controls the shim-safety rods and regulating rod to prevent a condition that, if allowed to continue, would result in a reactor scram. Setback conditions include a change rate setback, power setback, or a servo setback. Any of these conditions will automatically cause the gang lower system to simultaneously lower the control rods to a set target below rod bottom to ensure they fully insert. If the setback conditions clear and no active scram condition exists, the setback conditions reset and the reactor operator can move the 1

OR is a Boolean operator that gives the value one if at least one operand (or input) has a value of one, and otherwise has a value of zero.

joystick to stop rod movement. The annunciator panel on the RCS operator console indicates setback conditions.

System Description of External Systems The RCS takes input from, and provides specific outputs to, other external systems within the reactor control room. The licensee describes the external systems in the LAR (Ref. 1), as supplemented by the FRS (Ref. 2.1). The interface and systems descriptions in this section of the SE are based on the information in the FRS.

3.2.2.1. Heating and Ventilation and Air Conditioning System The HVAC maintains the environmental conditions within the reactor room to ensure temperature and humidity remain at the required levels to allow for safe operation of the reactor.

Section 3.3.2 of this SE discusses environmental considerations in more detail. The HVAC is a separate system that operates independently; however, switches on the operator console can activate or disable the HVAC system. A switch on the operator console can isolate confinement for the reactor room and actuate the corresponding Class 1 Alarm. The flow of air into and out of the reactor room is through high-efficiency particulate air filters on both inlet and outlet.

Recirculation of the air in the reactor room is also possible.

The licensee did not propose any changes to the HVAC system in its LAR; instead, the LAR describes the HVAC interfaces with the new digital components of the RCS. The HVAC system has two connections to the RCS system: one digital output to indicate the state of the system and one digital output from the RCS to control the input power connection. The RCS uses several internal connections and components to control and monitor the HVAC system. The RCS indicates and logs the HVAC system on/off status. The HVAC system receives power from a circuit separate from building power to the reactor room.

3.2.2.2. Reactor Room Pressure Differential Monitoring System The RRPDMS maintains the reactor room at a negative pressure differential compared to areas outside of the confinement per PUR-1 TS 3.4.a.1. This helps to ensure that in the case of a radioactive release, the release is via a controlled pathway consistent with the facility accident analyses (Ref. 10).

The LAR describes the interfaces between the RRPDMS and the new digital components of the RCS. The negative air pressure monitor has one connection to the RCS system. This is a digital output from the RRPDMS to the RCS that indicates the state of the system. The RCS receives an input from RRPDMS and displays the readout of the air pressure differential between the reactor room and atmosphere. A dry contact digital input initiates a Class 2 Alarm if the air pressure differential reaches its lower limit. The licensee did not propose any changes to the RRPDMS in this LAR.

3.2.2.3. Reactor Water & Makeup System The RWMU monitors the water quality, temperature, and level of the reactor pool water to ensure it is within the limits defined in PUR-1 TS 3.3 (Ref. 10). The water process system uses two separate probes for monitoring these parameters: one in the pool and one downstream of the demineralizer. The system provides the controls for the operator to turn the water process pump and water chiller on or off to adjust water quality and temperature, as necessary.

The licensee did not propose any changes to the RWMU in its LAR. Instead, the LAR describes the interfaces between the RWMU and the new digital components of the RCS. The RWMU has nine connections to the RCS system. The probes each supply readings of temperature and conductivity providing four total connections to the RCS. Three digital outputs, one from the water pump and two from the water chiller, provide information to the RCS to track the state of the water pump, the chiller ready state, and the chiller on/off state. The two remaining connections provide the ability to control the power for the water pump and chiller at the control panel.

The RCS will display a Class 2 Alarm if either sensor indicates the water temperature rises above 30 degrees Celsius (C) or if the water conductivity rises above 3 microSiemens per centimeter (S/cm).

3.2.2.4. Power Conditioning System/Uninterruptable Power Supply The licensee proposed to add a new PCS that is common to all RPCS components. The PCS would condition the power to operate the RPCS components and provide a battery backup to allow adequate time for controlled shutdown of the reactor in the event of a loss of power. The PCS consists of two Uninterruptable Power Supply (UPS) units installed to power the RCS and RPS. The HDD (Ref. 7.2) identifies UPS-1 as intended for use for powering non-RPS components including the workstation computer, workstation monitor, Ethernet switch, PLC

[RTP 3000 TAS], the recorders, and one of the power distribution units. UPS-2 provides power to the RPS-related components including the NFMS channels, the constant current source (to supply current to the electromagnets), the rod drives, and the remaining power distribution unit. The Purdue house power supply is the source of power to both UPSs. The PCS has two network connections to the RCS system. The RCS monitors the status of the each UPS through a network connection from the RCS display workstation.

The licensee did not initially propose changes to the accident analysis for the loss of normal electric power, which states loss of normal electric power at PUR-1 will shut down the reactor in its original LAR. The NRC staff asked how the UPS units impact this scenario in an RAI (Ref. 6). In the response to the RAI (Ref. 7), the licensee stated the capacity of the UPS units allows the RCS and RPS to operate for 30 minutes in the event of a loss of house power and allows for a controlled shutdown of the reactor. The response also states that the typical time for a normal shutdown is 15 minutes. The licensee stated there are two distinct loss of power scenarios with the incorporation of the proposed UPS systems: a loss of house power, and a loss of power from the UPS to the RPS. In the response to the RAI, the licensee stated that operators will be aware of any loss of house power due to loss of lighting, which is located on the same circuit as the UPS units, and a Class 2 Alarm initiated by the RCS to alert the operator to loss of power to the UPS units. The licensee further stated that this would require a controlled shutdown of the reactor. Alternatively, a loss of UPS power to the RPS, for any reason, removes power to the constant current source for the RPS. As a result, the magnets holding the shim-safety rods lose power, resulting in a reactor scram.

In its RAI response (Ref. 7), the licensee proposed changes to Chapter 13 of the PUR-1 safety analysis report (SAR) to analyze the conditions for Loss of Normal Electrical Power and Failure of UPS Unit Power Supply. Additionally, the licensee proposed PUR-1 TS 3.2.e to require the operator to initiate a reactor shutdown upon a loss of normal electric power.

Section 3.8.2 of this SE discusses the NRC staff review of proposed TS 3.2.

Technical Evaluation of the RCS Design Basis This section of the SE documents the NRC staff review and evaluation of the design basis of the PUR-1 DI&C upgrade of the RCS against the design bases acceptance criteria in Sections 3.1 and 7.3 of NUREG-1537, Part 2 (Ref. 9.2).

In its LAR (Ref. 1), the licensee proposed a revised Chapter 7 of the PUR-1 SAR. Sections 7.2 and 7.3 of the proposed SAR identifies the design bases and criteria used for PUR-1 RCS. The principal design criteria of PUR-1 establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety that provide reasonable assurance that PUR-1 can be operated without undue risk to the health and safety of the public. Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR.

The NRC staff reviewed and evaluated the RCS design basis to determine the adequacy of the control systems to maintain the required variables within operational limits during facility operation and to verify that the impact of control system failures is appropriately included in the SAR accident analyses. Based on the system description, confirmed in part by the NRC staff observations of the equipment during the Audit (Ref. 5), the NRC staff finds that the RCS design meets the design acceptance criteria in the guidance in Section 7.3 of NUREG-1537, Part 2 (Ref. 9.2) that the instrumentation provide continuous indication of the neutron flux over the licensed maximum power range and entire expected range of the monitored process variables, as defined in PUR-1 TS 2.2, TS 3.2, TS 3.3, and TS 3.4, and that suitable alarms and/or indications are provided. The NRC staff finds that the detector channels in the RCS directly monitor neutron flux for reactor power level and power rate-of-change, and interlocks are in place to prevent reactor startup without a sufficient neutron count rate in the core or other unsafe conditions.

As described previously in this SE, the proposed NFMS channels monitor the neutron flux and reactor power either at the same or over a larger range than the previously approved channels.

Therefore, the NRC staff finds the update to the sensor channels requested in the LAR to be more conservative than the previously approved system. The NFMS channels provide information to both the RCS and the RPS portions of the system to allow the RPCS to monitor reactor conditions during normal and accident conditions. This information also provides the capability for periodic testing, channel checking and calibration of the I&C system. In addition, the NFMS provides an independent, diverse and redundant method to initiate a reactor scram.

The scram signals generated by the NFMS will interrupt power to the relay in the RPS magnet circuitry. During the Audit (Ref. 5), the NRC staff observed that the four NFMS channels have sufficient range to cover the expected ranges of the monitored variables during normal operation and reactor transients, as stated by the licensee in the LAR. Due to the cross-functional and interrelated implementation of the NFMS within the RPCS, Section 3.3.2 of this SE discusses additional evaluation of the NFMS under the RPS design basis.

During the Audit (Ref. 5), the NRC staff reviewed the RCS scram control algorithm in the RCS Control Algorithm Software to gain a better understanding of the detailed bases underlying the information submitted by the licensee in the LAR (Ref. 1). All inputs that can scram the reactor are logically ORd together within the RCS. If any input is set, the scram digital output is set, which triggers the interposing relay to open, removing power from the shim-safety magnets and dropping the shim-safety rods into the core. The RCS scram provides the ability to scram on RCS failures as well as providing a diverse and redundant backup to the other RPS scram relays discussed in Section 3.3 of this SE. During the Audit (Ref. 5), the NRC staff discussed the RCS scram signal with the licensees vendor supporting the upgrade to establish an understanding of the information docketed in the LAR. The Scientech, Inc. (Scientech) representative demonstrated the RCS scram function latches in and will only reset once the original condition clears and the operator presses and briefly holds the annunciator acknowledge button. This confirmed information in the LAR that the reset logic for the RCS scram is designed so that all scram conditions are checked a final time before the RCS scram resets, ensuring all scram conditions have cleared. Also during the Audit (Ref. 5), the NRC staff reviewed the results from the factory acceptance testing (FAT) and site acceptance testing (SAT) and confirmed that functionality of the RCS scram function was successfully tested and demonstrated per the design bases requirements stated in the LAR.

ANSI/ANS-10.4-1987 (Ref. 18) provides guidance for the verification and validation of scientific and engineering computer programs for the nuclear industry. Section 9 of the standard recommends that the test results for the V&V activities during the installation phase be documented and reported as specified in the V&V Plan and, if the findings necessitate any retesting or revision of the test report, the updated test results should be verified again before final program acceptance. In its RAI responses (Refs. 7 and 12), the licensee committed to reperform the entire FAT and SAT prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including the RCS scram functionality (see SE Section 3.7.4).

During the review of the RCS Control Algorithm Software, the NRC staff also examined the setback and interlock logic functions. The RCS incorporates a series of setbacks and interlocks to help ensure continued safe operation of the reactor. Four conditions can cause a setback, which results in simultaneous insertion of the shim-safety rods and regulating rod into the core until they reach their lower limits. If the condition that caused the setback clears and the operator resets the setback, the operator can stop the insertion of the control rods by moving the joystick. Otherwise, the rods will fully insert. Any setback that occurs will illuminate a Setback indicator on the annunciator panel and a Class 1 Alarm will occur. The four setback conditions are:

Low-Power Change Rate - Log count rate meter indicates a high change rate

High-Power Change Rate - Log-N change rate amplifier indicates a high change rate

Over Power - Linear level channel indicates high power level

Safety Over Power - Safety amplifier indicates a high power level.

The NRC staff reviewed the setback control algorithm in the RCS Control Algorithm Software as part of the Audit (Ref. 5) and confirmed that the software algorithm for the setback function will act as the licensee described in the LAR (Ref. 1). This will reduce the likelihood that a condition such as a high reactor change rate or high power level, will result in a reactor scram. The NRC staff also reviewed the FAT and SAT results and confirmed that the tests successfully demonstrated RCS setback functionality. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including the setbacks (See SE Section 3.7.4).

Regarding the interlocks control algorithm in the RCS Control Algorithm Software, the NRC staff observed that the interlock inputs are all logically ORd together in the RCS software and if any condition is met, the RCS interlock will engage. Each of these conditions is sensed by the RCS and the RCS generates a Class 2 Alarm. This information facilitates detection of a system malfunction. An indication on the RCS display screens alerts the reactor operator to this alarm.

Before the interlock can reset, all the inhibit conditions are checked and must be cleared. Once the interlock has reset, the system allows normal rod withdrawal. The NRC staff reviewed the FAT and SAT results during the Audit (Ref. 5) and confirmed that the tests demonstrated proper functionality of the RCS interlock. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including the RCS interlock functions (see SE Section 3.7.4).

During the Audit (Ref. 5), the NRC staff reviewed the software algorithm for the watchdog timer and discussed the function with the licensee and Scientech representatives. For the watchdog timer function, the RCS workstation software sets an integer internally to a value of 30. If the RCS R*Time software is not operational, this integer will decrease by 1 every second. When the value reaches 0, the workstation trouble indication will be set, which identifies an RCS Computer Failure and generates an RCS initiated scram. Additionally, the NRC staff reviewed the FAT and SAT results and confirmed the tests demonstrated functionality of the RCS watchdog. In an RAI (Ref. 6), the NRC staff questioned the lack of a SR associated with the PLC/RCS because it has input into the RPS. In the RAI response (Ref. 7), the licensee stated that an SR is not warranted for the PLC/RCS because any failures would not prevent the RPS from performing its safety function. Section 3.3.3.7 of this SE provides more detail on why an SR for the RCS/PLC is not required. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including the watchdog timer (see SE Section 3.7.4).

The NRC staff observed operation of the RCS during the Audit (Ref. 5), which confirmed the NRC staffs understanding of the description of operation presented in the LAR (Ref. 1). The Reactor Drive Control screen shows drive status for the Neutron Source, Fission Chamber, Shim-Safety Rod 1 and 2, and the Regulating Rod. The RCS displays the position (both graphically and numerically) of the selected rod and indicates if the rod drive is at the lower limit, 2/3 height, or the upper limit. All drives have jam indication and the shim-safety rods have indication if magnet power is engaged and if the rod is fully inserted in the core. There is also an indication at the bottom of the rod control screen if Automatic Startup or Servo Control is enabled.

The right screen can be changed to a variety of displays, depending on the operators preference. An annunciator screen will automatically pop up on the operator console in response to any condition that causes a scram or setback condition (Class 1 Alarm). The reactor operator can click the annunciator screen to navigate to a screen with more information.

These design features and the information available to the operator provide the capability for periodic testing, channel checking and calibration of the I&C systems.

To ensure continuous monitoring and control by the RCS, the licensee selected components suitable for the environmental operating conditions in the reactor room. In addition, a new dedicated HVAC system was previously installed for the PUR-1 reactor room to ensure acceptable environmental limits are maintained. Environmental and Electromagnetic Interference/Radio Frequency Interference (EMI/RFI) considerations are discussed in more detail in Section 3.3.2 of this SE.

The PUR-1 RPS has been designed to scram the reactor on several conditions, which are detailed in Section 3.3 of this SE. These scram relays are independent of the RCS and any failure or operation of the RCS is overridden by the RPS relays opening, which results in a scram by removing magnet power and dropping the control rods into the core. Chapter 7 of the PUR-1 SAR is included in the LAR (Ref. 1) and identifies the maximum hypothetical accident as a fuel handling accident, which is independent of any action the RCS can take. In addition, the PUR-1 SAR includes analysis of the impacts of accidents such as insertion of excess reactivity, loss of coolant, loss of coolant flow, mishandling of malfunction of fuel, experimental malfunctions, loss of normal electric power, and external events such as fire and explosion.

Even though the RCS is not credited for addressing these accidents, failure of the RCS would automatically open its associated scram relay in the RPS system to remove rod magnet power and scram the reactor. If the RCS scram relay did not operate as intended, the remaining RPS scram relays would independently scram the reactor.

The NRC staff evaluated the RCS design using the design basis acceptance criteria identified in Section 3.1 Design Criteria, and Section 7.3, Reactor Control System, of NUREG-1537, Part 2 (Ref. 9.2). Based on the information provided by the licensee and reviewed by the NRC staff, the NRC staff finds that the RCS design basis results in a reliable, redundant and fail-safe system that helps ensure continued operation of the reactor within the SL and LSSS established in the PUR 1 TSs.

Based on the NRC staffs review of the information provided in the LAR, as supplemented, and supported by the observations during the Audit, the NRC staff concludes:

RCS design criteria supporting the design bases are specified for the portions of the RCS that are assumed in the SAR to perform an operational or safety function.

The design bases functions of the RCS and components are designed to permit and support normal reactor operations, and the RCS and its subsystems and components will give all necessary information to the operator or to automatic devices to maintain planned control for the full range of normal reactor operations.

The licensee included RCS design criteria and provided references to relevant up-to-date standards, guides, and codes, which includes information on the design:

for the complete range of normal reactor operating conditions, to cope with anticipated transients and potential accidents, redundancy to protect against unsafe conditions in case of single failures of reactor protective and safety systems, to facilitate inspection, testing, and maintenance and, quality standards commensurate with the safety function and potential risks of the PUR-1.

RCS design criteria supporting the design bases are derived from applicable standards, guides, codes, and criteria and provide reasonable assurance that:

the structures, systems, and components of the PUR-1 RCS will function as designed and required by the analyses in the SAR and, the public will be protected from potential radiological risks resulting from operation of the PUR-1 RCS system and subsystems.

Technical Evaluation of the RCS Design Criteria This section of the SE documents the NRC staffs review and evaluation of the proposed RCS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and (b) requirements. The NRC staffs evaluation of the design of the proposed RCS I&C systems is based on acceptance criteria in Section 7.3 and 7.4 of NUREG-1537, Part 2, including guidance in industry standards referenced by both Section 7.3 and Section 7.4 of NUREG-1537, as listed in Section 2 of this SE.

3.2.4.1. Independence Section 7.4 of NUREG-1537, Part 2 (Ref. 9.2), states that the SAR should address the separation and independence of the RCS and RPS and show independence of detector channels and trip circuits. However, given the acceptable small or insignificant radiological risk to the public or to the environment, NUREG-1537 further states:

If the safety analysis in the SAR shows that safe reactor operation and safe shutdown would not be compromised by combination of the [RCS and RPS], they need not be separate, independent, or isolated from each other.

NUREG-1537, Part 2 (Ref. 9.2) also states that hardware and software for computerized systems should meet the guidelines of IEEE 7-4.3.2-1993 (Ref. 19). IEEE 7-4.3.2 states that safety functions be separated from non-safety functions such that the non-safety functions cannot prevent the safety system from performing its intended functions. Appendix E of IEEE 7-4.3.2 further states that [f]or proper independence of the safety computer from non-safety equipment, both electrical and communication isolation should be ensured.

The NRC staff reviewed the PUR-1 LAR (Ref. 1) and observed the RPCS during the Audit (Ref. 5) to confirm the physical, electrical, and communication independence between the RCS and the RPS shows they are sufficiently independent to preclude any interactions which would result in compromising the function of the safety system. The staff confirmed that the NFMS Mirion channels provide input to both the RCS and the RPS. However, separate relays on the NFMS channels handle this communication. Although the cabling is located in the same cabinet and routed together, separate cables carry the signals to the RCS and RPS.

The RCS and RPS are not completely independent because the RPS magnet power circuitry contains a relay that is actuated by the RCS. However, the configuration for interactions between the systems ensures any malfunction in the RCS scram relay will not prohibit the protection functions of the RPS. Since the relays are in series, a failure of the RCS relay will not prevent any of the remaining RPS relays from opening and causing the reactor to scram. The licensee does not credit the RCS relay for safe shut down of the reactor. However, it provides a diverse and independent method to scram the reactor. Finally, as discussed in Section 3.2.2.4 of this SE, two UPS units provide power for all the RPCS components. One UPS unit is dedicated to the RCS related components and the other to RPS related components.

Due to the interconnected nature of the RPCS, the RPS technical evaluation in SE Section 3.3.3.2 of this SE discusses the independence criteria in more detail.

Based on the information provided above and the discussion in Section 3.3.3.2 of this SE, the NRC staff finds that even though the RCS is not completely independent from the RPS, the design includes independent means to protect the reactor if any single component or channel fails. Therefore, the NRC staff finds that the proposed PUR-1 I&C systems meet the intent of the design acceptance criteria applicable to research reactors for independence identified in IEEE 7-4.3.2-1993 and the guidance in Section 7.3 of NUREG-1537.

3.2.4.2. Fail-safe on Power Loss The fail-safe design acceptance criteria of NUREG-1537 help to ensure that, on loss of power, the RCS and associated equipment are designed to assume a safe state and will enable safe reactor shutdown. As discussed in Section 3.2.2.4 of this SE, PUR-1 has two UPS units that are house-powered. If there is a loss of house power, each UPS is designed to power the attached equipment for 30 minutes to allow the operator sufficient time to perform a controlled shutdown. Loss of power from the UPS units generates multiple scram signals that initiate an immediate shutdown of the reactor.

The NRC staff observed the RPS scram circuit schematic diagram during the Audit (Ref. 5) to establish a better understanding of proposed modifications described in the LAR (Ref. 1). The NRC staff verified that the RCS relay has multiple inputs and controls a single relay contact within the RPS scram circuit. The NRC staffs observations also verified the RCS relay opens the relay contact in the event of a loss of UPS power, as discussed in Section 3.2.2.4 of this SE.

The RCS - Power Supply Failure signal, received from the UPS via Ethernet, causes the contact to open if the UPS unit supplying power to the RCS fails. In addition, the LAR (Ref. 1) and the FRS (Ref. 2.1) show that Channel 2s Mirion box has a loss of high voltage signal, and all of the Mirion channels have a signal for a failed input to the RCS scram input logic. The NRC staff review of the wiring diagrams for the Mirion Channels, found in the FRS (Ref. 2.1),

confirmed (1) the outputs for the loss of high voltage and failed input signals are sent to the RCS scram input logic, and (2) the signals will result in the RCS scram relay opening. This RCS scram is redundant to the automatic opening of the RPS relays for the RPS components that lose power. Therefore, in the event of a loss of power, the RCS is designed to fail-safe.

During the Audit (Ref. 5), the NRC staff reviewed the RPCS Control Algorithm FAT for the RCS scram and confirmed the licensee sufficiently tested the functionality of the RCS scram, as described in the LAR. The FAT included functional tests of all the digital output points and other inputs for the scram identified above, and all tests were documented and passed. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including the RCS scram input logic functions (See SE Section 3.7.4).

Based on the information provided in the LAR and its Audit observations, the NRC staff finds that the licensees implementation of fail-safe acceptance criteria for the RCS is acceptable.

The NRC staff finds the PUR-1 RCS design includes redundant methods to help ensure the reactor assumes a safe state on loss of electrical power or any of the other RCS scram inputs discussed in Section 3.2 of this SE. Therefore, the NRC staff concludes that the design of the RCS I&C systems for PUR-1 meets the fail-safe acceptance criteria in Section 7.3 of NUREG-1537 (Ref. 9.2), which are that the systems assume a safe state, enable safe reactor shutdown, and not prevent the RPS from performing its designed safety function.

3.2.4.3. Effects of Control System Operation/Failures The proposed RPS is designed to scram the reactor on a number of conditions, which are detailed in Section 3.3 of this SE. These scram relays are independent of the RCS and any failure or operation of the RCS is overridden by the RPS relays opening resulting in a scram, which will remove magnet power and drop the control rods into the core. As discussed in Section 3.2.4.2 of this SE, RCS failures would automatically open its associated scram relay in the RPS system to remove power to the rods and scram the reactor. Even if the RCS scram relay did not operate as intended, the remaining RPS scram relays independently scram the reactor.

During the Audit (Ref. 5), the NRC staff reviewed the RCS scram control algorithm in the RCS Control Algorithm Software to gain a better understanding of the detailed bases underlying the information submitted by the licensee in the LAR (Ref. 1). All of the RCS scram inputs identified in Section 3.2.1.7 are logically ORd together within the RCS hardware. If any input is set, the scram digital output is set, which triggers the interposing relay to open, removing power from the shim-safety magnets and dropping the shim-safety rods into the core. The RCS scram provides the ability to scram on RCS failures as well as providing a diverse and redundant backup to the other RPS scram relays discussed in Section 3.3 of this SE. The NRC staff discussed the RCS scram logic with the licensees vendor during the Audit (Ref. 5) to confirm the licensees implementation, as described in the LAR (Ref. 1). The Scientech representative demonstrated the RCS scram function latches in and will only reset once the original condition clears and the operator pushes and briefly holds the annunciator acknowledge button. Before it resets, the reset logic scans the RCS scram input function blocks so if the condition still exists the RCS scram will not reset. In order to verify these algorithms functioned as intended, the licensee and Scientech staff performed extensive FAT and SAT with the equipment installed in its temporary location at Purdue. During the Audit (Ref. 5), the NRC staff reviewed the FAT and SAT results and confirmed the tests successfully demonstrated functionality of the RCS scram algorithm.

The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including the RCS scram control functions (See SE Section 3.7.4).

Based on the information provided, the NRC staff finds that the design of the PUR-1 I&C systems help ensure the reactor assumes a safe state even if the RCS were to fail completely.

Therefore, the NRC staff concludes that the proposed RCS I&C systems for PUR-1 meet the fail-safe acceptance criteria in Section 7.3 of NUREG-1537, Part 2 (Ref. 9.2), which are that the systems assume a safe state, enable safe reactor shutdown, and not prevent the RPS from performing its designed safety function in the case of control system action or inaction.

3.2.4.4. Operational Bypass In the LAR (Ref. 1), Section 7.4, the licensee stated there is no bypass capability for interlocks.

Therefore, the guidance in Section 7.3 and 7.4 of NUREG-1537, Part 2 is not applicable.

Section 3.2.1 of this SE discusses the use of interlocks in more detail. In order to verify these interlocks functioned as intended, the licensee and Scientech staff performed extensive FAT and SAT once the equipment was installed in its temporary location. During the Audit (Ref. 5),

the NRC staff reviewed the FAT and SAT results and confirmed that interlock functionality was successfully tested. Also during the Audit, the NRC staff confirmed with the licensee there are no experimental facilities that interact with control or protection functions. The licensee demonstrated during the Audit how experiments are inserted into the core attached to a line inserted through a tube. As stated previously, the licensee committed to perform the entire FAT and SAT (Ref. 22) again, if the LAR is approved, and prior to resuming reactor operations, to verify the functionality of the entire RPCS, including verifying that the interlocks function as intended (See SE Section 3.7.4).

3.2.4.5. Surveillance The guidance in Section 7.3 of NUREG-1537, Part 2 (Ref. 9.2) recommends application of the functional design and analyses to the development of bases of technical specifications, including surveillance tests and intervals. Additionally, ANSI/ANS-15.15 (Ref. 17) recommends the system design include capability for periodic checks, tests and calibrations. The standard also recommends that, if on-line periodic testing is necessary, such testing should not reduce the capability of the system to perform its safety function.

The RPCS FRS (Ref. 2.1), includes the following system design requirements for testing:

The design provides the capability for periodic testing that simulates, as closely as practicable, the required functional performance of the supplied system.

Where practical, test devices, such as test blocks, are utilized to eliminate the application and removal of wires in order to perform periodic surveillance testing.

Test devices shall not interfere with the operability or safety function of the component or system under test and existing test points/jacks/switches are utilized where practicable.

The supplied equipment shall have a mechanism to verify functionality of inputs and digital outputs. This can be accomplished during self-test intervals or during a periodic manual test.

The licensee also states (Ref. 2.1) that it requires a FAT to be performed to demonstrate the functionality of the RPCS and to demonstrate conformance of the system equipment to the design performance requirements specified in the FRS, including the system design requirements for testing. The NRC staff reviewed the RCS logic to initiate a reactor scram, indication of parameters on the control console and RCS display, and the alarm configuration at the operator console in Section 3.2.3 of this SE. The staff found that the RPCS design includes the features necessary to perform periodic testing of the system, including the display of any necessary parameters or alarms to the operator. Further, during the Audit (Ref. 5), the staff confirmed that the licensee properly implemented the RCS logic in the RPCS and observed operation of the RPCS and control console. The staff also reviewed the FAT and SAT results and confirmed that functionality of the RPCS, including RCS testing provisions, was successfully demonstrated. Based on this information, the NRC staff finds that the design of the PUR-1 I&C systems includes the necessary features to facilitate the performance of the required surveillance checks, calibrations, and inspections required by the TS and these design features provide acceptable provisions to demonstrate operability of the RPCS.

Section 4 of the PUR-1 TS (Ref. 3) documents the SRs that are required to demonstrate operability of the RPCS. As discussed in Sections 3.3.3.7 and 3.8 of this SE, the NRC staff reviewed the SRs and their intervals using the acceptance criteria identified in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2), and found them acceptable. Due to the interconnected nature of the PUR-1 I&C systems, the application of the functional design and analyses to the SRs and details for the PUR-1 digital I&C new systems SRs and intervals are reviewed and found acceptable in the RPS surveillance section. Section 3.3.3.7 and Section 3.8 of this SE discuss the evaluation of the PUR-1 digital I&C systems surveillance requirements using the acceptance criteria identified in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2).

Based on its review of the information provided above and the discussion in Sections 3.3.3.7 and 3.8 of this SE, the NRC staff concludes the design of the PUR-1 I&C systems meet the design acceptance criteria in Section 7.3 of NUREG-1537, Part 2 (Ref. 9.2) to include the capability for periodic checks, tests and calibrations to facilitate the performance of the required testing to ensure RCS operability without affecting the ability of the RCS to perform its intended function, and that the RCS testing provisions, and the bases for technical specifications including surveillance tests and intervals provide reasonable assurance of the continued reliable operation of the RCS. Based on its review of the information provided above and the discussion in Sections 3.3.3.7 and 3.8 of this SE, the NRC staff concludes the design of the PUR-1 I&C systems meet these criteria and is acceptable.

3.2.4.6. Quality Due to the interconnected nature of the PUR-1 I&C systems, quality for the new systems is reviewed under the section on evaluation of Purdues digital upgrade process. This section describes the licensees overall quality assurance program (QAP) for the upgrade of the PUR-1 I&C systems. See SE Section 3.7.1 for the evaluation of the PUR-1 digital I&C systems using the acceptance criteria identified in in ANSI/ANS-15-8 (Ref. 16).

Conclusion of RCS Technical Evaluation On the basis of its evaluation of the information presented in this SE, the NRC staff concludes as follows:

The licensee has considered the normal operating characteristics of the reactor facility, including thermal steady-state power levels, and the planned reactor utilization when proposing the RCS I&C upgrades. The proposed PUR-1 RCS design continues to provide the necessary functions of the RCS and components to permit and support normal reactor operations, and provides all necessary information to the operator or to automatic devices to maintain planned control for the full range of normal reactor operations.

The components and devices of the RCS are designed to sense all parameters necessary for facility operation with acceptable accuracy and reliability, to transmit the information with high accuracy in a timely fashion, and control devices are designed for compatibility with the analyzed dynamic characteristics of the reactor.

The proposed design preserves the PUR-1 TS required interlocks, and provides suitable redundancy, and diversity to avoid a total loss of operating information and control, to continue to help limit hazards to personnel, and to help ensure compatibility among operating subsystems and components in the event of single isolated malfunctions of equipment.

The design of the replacement RCS is such that any single malfunction in its components would not prevent the RPS from performing necessary functions, nor prevent achieving a safe shutdown condition of the reactor.

The provisions for channel tests, checks, and calibrations, and the bases for surveillance tests and intervals provide reasonable assurance that the RCS will function as designed.

3.3. Reactor Protection System System Description of the Reactor Protection System The licensee describes the RPS in the LAR (Ref. 1), as supplemented by the FRS (Ref. 2.1),

the SRS-SDD and the HDD (Refs. 7.1 and 7.2). Figure 2, which is Figure 7-1 from the LAR, is a simplified block diagram of the RPS magnet circuit interrupts. A system description of the RPS, based on these references, is provided in this section.

Figure 2 - Simplified Block Diagram of RPS Magnet Circuit Interrupts The RPS consists of a constant current power source that is wired through several relays connected in series to the shim-safety rod magnets. These relays receive scram signals from the RMS, the NFMS, the RCS and manual scram inputs. If any scram signal is received, the associated relay contacts open, removing power to the shim-safety rods magnets, and cause the shim-safety rods to drop into the core, shutting down the reactor. The scram signals connected to the relays in the magnet power circuitry are:

Channel # 1 (Start-up Channel) Change Rate Trip

Channel # 2 (Log Power Channel) Power Level Trip

Channel # 2 (Log Power Channel) Change Rate Trip

Channel # 2 (Log Power Channel) Loss of Detector High Voltage Loss Trip

Channel # 3 (Linear Power Channel) High Power Trip

Channel # 4 (Safety Channel) High Power Trip

Pool top radiation area monitor

Reactor Operator Console Radiation Area Monitor

Water Make-up Radiation Area Monitor

Continuous Air Monitor

Reactor Control System

Console Key switch

Manual Scram (Operator Console & Hallway)

A Class 1 Alarm will sound on all reactor trips (including manual trips). The data historian captures all reactor trips and the trips are indicated on the annunciator panel and the control console, as previously described in Section 3.2.1.1 of this SE.

As described in Section 3.2.1.7 of this SE, the RCS provides a scram signal that is redundant to scram signal actuation by the RPS. Specifically, the RCS will generate a scram signal, which will open the associated relay in the magnet power circuitry, for a scram input signal from the NFMS or RMS and for input signals indicating failure of either the NFMS or RCS. In this manner, either the RCS or RPS can independently initiate a scram.

Sections 3.1 and 3.2 of this SE describe operation of the NFMS and RCS, respectively, and Section 3.5 covers operation of the RMS.

Technical Evaluation of the RPS Design Basis This section of the SE describes the NRC staff review and evaluation of the design basis of the PUR-1 DI&C upgrade of the RPS using the design bases acceptance criteria of Section 3.1 and 7.4 of NUREG-1537, Part 2 (Ref. 9.2).

In its LAR (Ref. 1), the licensee proposed a revised Chapter 7 of the PUR-1 SAR. Sections 7.2 and 7.4 of the proposed SAR identify the design bases and criteria used for the upgraded PUR-1 RPS. The principal design criteria of PUR-1 establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety that provide reasonable assurance that PUR-1 can be operated without undue risk to the health and safety of the public. The regulations in 10 CFR 50.34(a)(3)(ii) require the applicant to describe the design bases and the relation of the design bases to the principal design criteria. Section 50.34(b) of 10 CFR requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR.

The NRC staffs RPS design basis evaluation reviews the adequacy of the protective system design to monitor the parameters that detect the need for protective action and perform its protective function. The principal design action of the RPS is to rapidly place the reactor in a subcritical condition by automatically inserting the control and safety rods whenever any of the selected parameters exceeds predetermined limits.

The current system includes three operational channels and one safety channel. The operational channels include a startup channel, a Log N and reactor change rate channel, and a linear power channel. The fourth channel is the safety channel, which in conjunction with the safety circuit of the Log N and change rate channel, initiates an automatic reactor trip if the reactor power exceeds the high power setpoint of 12 kWt or the reactor change rate is greater than 15 %/s. The licensee is replacing the current system with four Mirion neutron channels:

startup channel, log power channel, a linear power channel, and the safety channel, which is a linear power channel to monitor high power values of the reactor. The FRS (Ref. 2.1) lists the requirements for the new channels. Table 1 in Section 3.1 of this SE summarizes the Mirion channel ranges and their scram setpoints.

The proposed Mirion neutron channels measure and display reactor power to allow the operator to monitor and control reactor power within the LCOs. As described in Section 7.1 of the PUR-1 LAR (Ref. 1), in the event that power reaches the LSSS of 12 kWt, the RPS is designed to initiate automatic protective action to correct the abnormal situation before the SL is exceeded.

The licensee did not propose to modify the LSSS or SL in this LAR, and the NRC staff did not evaluate the licensees methods to determine these limits in this SE. These settings were previously found acceptable in the NRC safety evaluation report issued with the license renewal in 2016 (Ref. 11). The response time and instrument error of the new safety channels are also important for evaluating the suitability of the proposed I&C systems. These conservative factors (50 percent uncertainty and 600 millisecond delay in response time) are also unchanged from prior analyses (Ref. 10) and used by the licensee to evaluate performance of the proposed I&C systems as discussed throughout this SE.

In addition, excess reactivity, reactivity worth of experiments, and other reactivity parameters are calculated through various measurements using readouts from these channels to help ensure operation within the PUR-1 LCOs. The maximum excess reactivity, as allowed by PUR-1 TS 3.1.d (Ref. 1), is 0.6% k/k. In Chapter 7 of the PUR-1 license renewal SAR (Ref. 10), the licensee stated that analysis has shown that this amount of reactivity will result in a reactor period of 1 s. In the LAR (Ref. 1), the licensee provided an analysis showing that, if the reactor were at its maximum allowable operating power with a 50 percent uncertainty added, the one second period would result in a reactor power of 48.9 kWt. Further, if the protective action was delayed by 600 milliseconds, peak power would be 89.2 kWt. Under these conditions, the RPS would prevent the onset of nucleate boiling, and prevent the reactor from reaching its SL, even if the control system did not properly function.

As described in Section 3.1 of this SE, the neutron channels will cover the entire range of normal reactor operation. In particular, these channels will monitor neutron flux during normal operation and accident transients up to and exceeding 300 percent. Therefore, the neutron detectors cover the expected range of variation of the monitored power during normal operation.

In this manner, the new system ensures redundancy in the important ranges of power measurements by overlapping ranges of the log and linear power channel and the safety channels. Note that PUR-1 does not operate in square-wave or pulse mode. Further, as stated in the LAR (Ref. 1), there are no experimental facilities or experiments that contain interlocks and the system does not include the ability to bypass any RPCS interlocks.

In the LAR (Ref. 1), the licensee indicated that the new NFMS can measure neutrons, even in the presence of gamma radiation. Specifically, Channel #2 (power channel) has one chamber sensitive to both neutrons and gamma rays, and another sensitive to only gamma rays. The current in both of these chambers is sent in opposite directions, thereby compensating for the gamma induced current and yielding the measurement of only neutrons. This allows for sensitivity to neutrons even in the presence of intense high gamma radiation. Operator indication of neutron flux is primarily on the operator console. Operators are also able to view any parameter that is capable of initiating a trip in the system on the front of the Mirion Channels. Additionally, a 4 20 mA current from the neutron channels is sent to the two Yokogawa digital recorders. One recorder is traditionally dedicated to displaying reactor power values (Channels #1, #2, and #3) while the other indicates reactor change rate (Channels #1,

2, and #4). During the Audit (Ref. 5), the NRC staff observed the indicators for power on the operator console and on each individual channels indicator with the RPCS installed in parallel with the existing system.

The PUR-1 is designed such that if the power or change rate are determined to be at unsafe levels, the NFMS will generate a scram signal so the RPS can perform its protective scram action by removing current to the shim-safety rod magnets, scramming the reactor. Each channel is capable of individually scramming the reactor based on each parameter measured (i.e., change rate and power level). In addition, the NFMS will also transmit signals to the RCS to generate a scram signal. In this manner, the new system includes diverse means to scram the reactor.

The NRC staff reviewed the RPS wiring diagrams for the PUR-1 reactor the licensee submitted in LAR supplements (Refs. 2.2 and 7.3)2. These diagrams show the electrical connection of the 2

These references contain security-related information and are withheld from public disclosure under 10 CFR 2.390.

scram signals in the magnet circuitry, which will scram the reactor. During the Audit (Ref. 5),

the NRC staff also reviewed the related FAT reports that show the tests performed to validate the RPS wiring and magnet circuitry. The licensee successfully tested the RPS and confirmed that it can scram the reactor. In addition, the NRC staff also reviewed the SAT results for the testing performed with the RPCS installed in parallel with the existing system. These tests were also successful, and showed that the RPS and magnet circuitry work as designed. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including verifying the functionality of the RPS wiring and magnet circuitry (see SE Section 3.7.4).

NUREG-1537 (Ref. 9) defines the LSSS as the calculated setpoint for a protective action which provides the minimum acceptable safety margin and includes measurement uncertainty. The licensee indicated that all safety analysis described in the LAR (Ref. 1) were performed using a 50 percent uncertainty for the instrument setpoints. In Section 7.4.b of the LAR (Ref. 1), the licensee stated that this large margin for analyzing safety setpoints was used to help ensure reactor integrity and protect public health and safety. The PUR-1 protective system setpoints and the licensees assumptions for uncertainty were previously approved by the NRC staff (Ref. 11) and are unchanged for this LAR.

Any scram signal is capable of interrupting the circuit and thereby initiate the protective action of scramming the reactor. Once magnet power is lost, there is no mechanism to prevent the rods from falling all the way into the core and the scram fully shuts down the reactor. In order to restart the reactor after a scram, the rod drives must be driven to their lower limits (i.e., fully inserted), the magnets re-engaged, and the rods lifted again. Without manually moving the drives to their lower limits, there is no way to engage the control rods for reactor restart and the fully inserted rods will maintain reactor shutdown without operator action. Therefore, the RPS is always capable of going to completion in shutting down the reactor once a scram is initiated.

As previously described in this section of the SE, the RPS performs its protective action through interruption of the magnet power circuit which runs from the constant current power supply through each of the relay contacts for the measurement channels, radiation monitors, manual scrams, RCS PLC and the key switch in series. The two manual scram buttons in the PUR-1 are readily available to an operator on the console, as well as, at the exit during an evacuation scenario. These scram buttons directly interrupt the magnet circuit and have no other function.

The NRC staff reviewed the wiring diagram and confirmed that the two manual scrams are part of the magnet circuitry. During the FAT, the licensee successfully tested operation of these scrams.

The analog I&C system included two type of scrams. A fast scram occurred when a short period signal or a high power level signal generated the scram and a slow scram occurred when other signals generated the scram. Fast and slow scrams had different circuit response times.

The fast scram circuits were used on parameters whose accident sequences were sensitive to scram response time. In the LAR (Ref. 1) and the RAI response (Ref. 7), the licensee stated that these functionalities were not included in the new system because the RPCS can provide faster scram initiation upon receiving any scram signal (in the magnet circuitry). The NRC staff reviewed the wiring diagrams and logic to confirm that any signal in the magnet circuitry can scram the reactor, and finds that no differentiation for scram signals is included or needed in the new system.

In the LAR (Ref. 1), the licensee noted that the shutdown margin and the methodology for its calculation were not modified. This margin is calculated with the most reactive shim-safety rod and the non-scrammable rod stuck in the most reactive position (Ref. 10). The NRC staff did not evaluate how the shutdown margin was calculated in this SE. Shutdown margin was evaluated and previously found acceptable by the NRC staff (Ref. 11).

In the LAR (Ref. 1), the licensee indicated that current scram times (move the rods from full removal to full insertion) at PUR-1 are typically in the 500-600 millisecond range, and that the new system can scram the reactor faster than the current system. This is well within the not exceed one second required in the PUR-1 TS 3.2c. Section 7.2.g of the LAR (Ref. 1), stated that this is the time from signal initiation (via manual scram, reactor over power, high change rate or high radiation levels) until the rod bottom switch is activated. Per the LAR analysis, a one second drop time is sufficient to protect the reactor from a 1 second period (approximately 171 %/s change rate). During the Audit (Ref. 5), the NRC staff reviewed the tests performed during FAT to measure rod drop time. These tests were successfully completed and met the time requirement specified in the PUR-1 TS. The licensee committed to repeat the entire FAT and SAT (Ref. 22), if the LAR is approved by the NRC, including verifying rod drop times, prior to resuming reactor operation (See SE Section 3.7.4). Rod drop timing tests are also performed annually, as required by TS 4.2.c.

With the new system, the licensee can measure scram time after every scram and the system will alert the operators if the value recorded is greater than one second. In the event of a scram, the time from the initiation of the scram condition in the scram circuit until the shim-safety rod reaches the rod lower limit switch is measured and recorded. Whenever there is a reactor scram, the RCS will calculate the scram time for each shim-safety rod. This time will be saved as part of the computed scram time within the RCS historical data along with the height from which the rod was dropped. Software is included in the PLC to monitor the scram time from scram initiation until the rod bottom light is illuminated for both shim-safety rods. If either of these take longer than 1 second, a local RCS computer alarm (Class 2 Alarm) is activated.

In the LAR (Ref. 1), the licensee indicated the RPCS is installed in the reactor room in the Duncan Annex of the Electrical Engineering Building at Purdue University. The licensee identified that the conditions in the reactor room are 5 to 35 degrees C (41 to 95 degrees Fahrenheit (F)) and humidity 20 to 80 percent (non-condensing). The licensee determined this operating range using historical data of the reactor room, which the NRC staff reviewed during the Audit and summarized in the audit report (Ref. 5). During the review of the data sheets and manuals for the proposed I&C systems, the NRC staff determined the allowable operating ranges for the RPCS equipment being installed is well within the environmental range maintained in the reactor room by the HVAC and is acceptable. In its RAI response (Ref. 7), the licensee noted that there is no direct readout for reactor room environmental conditions, but the building includes a recently replaced HVAC system to maintain these conditions (temperature and humidity sensors mounted on the unit automatically activate operation). A discussion of the HVAC interfaces with the RCS is in Section 3.2.2.1 of this SE.

During the Audit (Ref. 5), the NRC staff determined there are no direct means to measure the cabinet temperatures, which the licensee and Scientech staff confirmed. In the RAI (Ref. 6), the NRC staff questioned how the design of the electronic cabinets ensures the RPCS components will not overheat. In its RAI response (Ref. 7), the licensee stated the room environmental conditions and the venting in the cabinets limit the expected cabinet heat rise to within the design tolerances of the equipment. In addition, following final installation and prior to first startup, the licensee intends to monitor temperature conditions by hand to ensure temperatures are within acceptable ranges. The cards used in the RCS also include internal temperature sensors that will actuate the RCS DAS Trouble indication to notify the operator of temperature problems within the equipment.

In the FRS (Ref. 2.1), the licensee stated that there are no special equipment EMI/RFI ratings or test requirements, and that the vendor only needed to confirm operability of the equipment during testing. In its RAI response (Ref. 7), the licensee explained that the vendor did not perform an EMI/RFI test of the RPCS, but that electromagnetic compatibility was verified by the FAT and SAT. These tests included a piecewise verification of every expected system functionality. In addition the vendors design is rated for EMI resistance through manufacturer testing, such as immunity to a pulsed magnetic field (per International Electrotechnical Commission [IEC ] 61000-4-9). During the Audit (Ref. 5), the NRC staff reviewed the FAT and SAT results and confirmed that functionality of the RPCS was successfully demonstrated. The licensee committed to reperform the entire FAT and SAT prior to resuming reactor operations, if the LAR is approved by the NRC, to verify the functionality of the entire RPCS, including confirming electromagnetic compatibility (See SE Section 3.7.4).

The NRC staff evaluated the RPS design using the design basis acceptance criteria identified in Section 3.1 and Section 7.4, of NUREG-1537, Part 2 (Ref. 9.2). Based on the NRC staffs review of the information provided in the LAR and supported by NRC staff observations during the Audit, the NRC staff concludes:

The RPS design basis resulted in a reliable, redundant, and fail-safe system that helps ensure continued operation of the reactor within the SL and LSSS established in the PUR-1 TSs.

Design criteria supporting the design bases are specified for the portions of the RPS that are assumed in the SAR to perform an operational or safety function.

The licensee included design criteria and provided references to relevant up-to-date standards, guides, and codes, which includes information on the design.

The reactor has operable protection capability in all operating modes and conditions, as analyzed in the SAR for the complete range of normal reactor operating conditions and to cope with anticipated transients and potential accidents.

The range of operation of sensor (detector) channels is sufficient to cover the expected range of variation of monitored variables required during normal reactor operating conditions and to cope with anticipated transients and potential accidents.

The system requirements for the RPS (such as required scram times) are clearly identified and are consistent with the system requirements in the SAR accident analyses and TS.

The scram system is designed to maintain reactor shutdown without operator action to at least the shutdown margin of the PUR-1 TS.

The count rate interlock functions properly in a high-gamma field and that all reactivity changes can be properly monitored until the startup channel indication overlaps the log or linear channel power indication.

The RPS is designed for reliable operation in the normal range of environmental conditions anticipated within the facility.

The RPS includes the necessary means to trip the reactor when a scram condition exists.

The RPS design provides sufficient redundancy to protect against unsafe conditions in case of single failures within the reactor protection/control system.

The RPS is designed to facilitate inspection, testing, and maintenance.

Technical Evaluation of the RPS Design Criteria This section of the SE documents the NRC staffs review and evaluation of the proposed RPS system design to perform its safety functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The NRC staffs evaluation of the design of the proposed RPS is based on acceptance criteria in Sections 7.3 and 7.4 of NUREG-1537 (Ref. 9.2), including acceptance criteria from the guidance and industry standards referenced by both Section 7.3 and Section 7.4 of NUREG-1537, as listed in Section 2 of this SE.

The licensee identified the design criteria for the PUR-1 I&C systems in Sections 7.2 and 7.4 of the LAR.

3.3.3.1. Single Failure The new system includes four neutron channels to cover the entire range of normal reactor operation and up to 300 percent power. These channels have been configured to provide redundancy when measuring power to ensure that a single failure of the RPCS will not place the reactor in an unsafe condition. In addition, these channels provide redundant indication of power and change rate. In the event that all facility parameter indication are not available on the operator console, the measured values are still accessible on the face of the neutron flux channels.

The new system is designed to fail-safe. As described in Sections 3.2.1.7 (RCS) and 3.3.1 (RPS) of this SE, the magnet circuitry consists of relays in series, receiving scram signals from the neutron channels, radiation monitors, manual scrams, RCS PLC and the control console key switch. Therefore, any signal received from these systems to interrupt power to the magnet circuitry, or loss of the magnet constant current power supply, will scram the reactor.

When the magnet current is removed, the shim-safety rods fall back into the core under the force of gravity. There is no mechanism to prevent the rods from falling all the way into the core and the scram goes to completion once initiated. In addition, per the licensee, reactor core design is such that any one shim-safety rod inserted into the core by one third of its full travel distance is capable of putting the reactor at a negative period and beginning shutdown. The licensee also stated that it is a fail-safe design (Ref. 1).

In addition, the Mirion channels include self-testing to detect any subsystem anomaly. If a failure is detected, the channel will issue a signal to the RPCS, which will shutdown the reactor (by opening the relay in the magnet circuitry). The RCS PLC also monitors failure signals or invalid indication from the other systems (e.g., radiation monitor), which will cause a scram signal from the RPCS. Furthermore, the RCS PLC includes logic to detect I/O equipment failure, computer failure, and power supply failure. The RCS PLC also includes a watchdog timer to ensure the operator workstation remains responsive. Any of these failures will generate a RCS signal to scram the reactor. In this manner, the RCS PLC will provide a higher level of safe operation. As previously described, all scram capability is built in series allowing for any single subsystem to initiate reactor shutdown. This eliminates the possibility of systematic, non-random, concurrent failures of redundant elements in the protection systems and reactivity control systems.

If all automatic protective means were to fail to scram the reactor, the operator can depress the manual scram buttons or remove the key switch on the control console, which will interrupt power to the magnet circuitry and scram the reactor. This is consistent with the guidance in Section 7.4 of NUREG-1537, Part 2, which states that the insertion of the safety rods may also be initiated manually by the operator.

During the Audit (Ref. 5), the NRC staff reviewed the magnet power circuitry and confirmed that signals from the neutron channels, radiation monitors, manual scrams, RCS PLC and the control console key switch will interrupt power to the magnet circuitry, causing the reactor to scram. The licensee demonstrated several scenarios that will shut down the reactor if a scram signal is generated by any of those systems. In addition, during the Audit, the NRC staff reviewed the results of FAT functional tests performed that confirmed the proper function of the magnet circuit. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operations, if the LAR is approved, to verify the functionality of the entire RPCS, including verifying proper operation of the magnet power circuitry (see SE Section 3.7.4).

Based on this information provided and reviewed, the NRC staff finds that the RPS will perform its protective action by interrupting power to the magnet circuitry. In addition, the NRC staff finds that the design of the RPS includes multiple, diverse ways to initiate a reactor scram when the failure of any single component or channel occurs. Therefore, the NRC staff concludes that the proposed PUR-1 RPS will perform the required protective actions in the presence of any single failure or malfunction and meets the design acceptance criterion in NUREG-1537, Part 2 (Ref. 9.2) for single failure and the design acceptance criteria in Sections 5.1 and 5.4 of ANSI/ANS-15.15-1978 for single failure and fail-safe.

In addition, because the RPCS design includes diverse ways to initiate a reactor scram and perform its safety function, the RPCS meets the design acceptance criteria in NUREG-1537, Part 2, which establish that the systems design features should be sufficient to protect the health and safety of the public.

3.3.3.2. Independence The I&C systems proposed for PUR-1 are independent from one another. In particular, the RPS does not require information from the RCS to perform its safety functions. Each of the neutron channels will operate completely independently. In addition, each neutron channel has dedicated cabling to and from the measurement detector to the Mirion channel and there is no connection between channels. Therefore, scram capability by each channel is accomplished by each channel individually and for each parameter (change rate and power level) measured.

The control console is not credited in the RPS and does not have any prioritization of safety functions or communication isolation between modules. The parameters from the RPS may be read by the RCS but may not be transmitted from the RCS to the RPS. A control console instrument system failure or malfunction does not prevent the RPS from performing its safety function, and does not prevent the reactor from performing a safe shutdown. According to the licensees calculations, if all indications are incorrectly shown, and the operator were to instantaneously move all rods to their most reactive positions, the scram capability still initiates a shutdown before the onset of nucleate boiling (Ref. 2). Diverse indications of reactor power and change rate are available to the operator, and the indications are monitored by the RCS PLC system to ensure they remain in the expected range. The Yokogawa recorders also provide indications to the operator without processing by the RCS PLC.

The LAR describes commonalities between the RPS and RCS. As described in Section 3.2.1.7 of this SE, the RCS receives signals from neutron channels, radiation monitors, manual scrams, and the control console key switch. These signals are part of the RCS PLC logic to generate a scram signal, and consequently interrupt power to the magnet circuitry causing the reactor to scram. In addition, the RCS PLC monitors signal qualities, in case that a bad quality signal or unexpected reading is detected, the RCS PLC will set the parameters value to the most conservative or high point of the range and generate a scram signal. All of the relays are in series allowing for any single system to perform a complete system scram so the RPS and the RCS can both issue a scram signal.

During the Audit (Ref. 5), the NRC staff reviewed the magnet power circuitry and confirmed that signals from the neutron channels, radiation monitors, manual scrams, RCS PLC and the control console key switch will independently interrupt power to the magnet circuitry, causing the reactor to scram. The NRC staff also observed that the signals are sent to the RCS PLC, and they can independently generate a scram signal. The licensee demonstrated several scenarios that will shutdown the reactor if a scram signal is generated by those systems. In addition, during the Audit, the NRC staff reviewed the functional tests performed during FAT and SAT to verify the magnet circuitry. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operation, if the LAR is approved, to verify the functionality of the entire RPCS, including confirming proper operation of the magnet circuitry (see SE Section 3.7.4).

The RPS was designed such that it is capable of performing its entire functionality without interaction from the operator. Further, the RCS PLC has no means to modify configuration of the RPS, neutron channels, or radiation monitors. Modifications to the neutron channels can only be performed directly in the Mirion channel, as described in Section 3.1 of this SE. Signals, independent from the RPS signals, from the neutron channels analog signals (4-20 mA) are sent to the RCS PLC, and there is no additional data transmission or communication between the RCS and RPS. Failure to receive these analog signals will not affect operation of the RPS.

The UPS includes network connectivity with the RCS to provide power supply status and indicate abnormal conditions. The NRC staff evaluated how the power supply status signal is used in the logic in the RCS to scram the reactor because the UPS is an external, non-safety-related device sending a signal to the RCS, which can shutdown the reactor. During the Audit (Ref. 5), the NRC staff observed that the logic in the RCS to scram the reactor includes a signal associated with power supply failure, which will generate the RCS scram signal. Also, loss of power to the UPS will generate an alarm on the control console to which the operator will respond manually by initiating a shutdown of the reactor in accordance with PUR-1 TS 3.2e. Section 3.8.2 of this SE includes the staff evaluation and conclusion for PUR-1 TS 3.2e.

When a scram occurs, the reactor cannot be restarted until the trip state is cleared, the operator resets the alarm by pressing the annunciator acknowledge, the requirements for operation identified in PUR-1 TS Table I (Ref. 1) are met, the rod drives are manually driven to their lower limits, the magnets reenergized, and the rods re-engaged.

The RCS and RPS are located in the same instrument cabinets and their wiring runs are set side by side. During the Audit (Ref. 5), the NRC staff observed that neutron channels are installed in a separate rack from the RCS and UPS, and even though these were temporary racks, the licensee plans to maintain this physical separation. The NRC staff recognizes that physical independence is not necessary for this type of reactor per the guidance in NUREG-1537. Furthermore, the staff finds that a failure or damage to the cabinets or wires will cause power interruption to the magnet circuitry, which will scram the reactor. Therefore, the NRC staff concludes that the system is designed to trip the reactor through diverse and independent means.

As discussed in more detail in Section 3.2.2.4 of this SE, two UPS units provide power for all the RPCS components. One UPS is dedicated to the RCS related components and the other UPS for RPS related components. The introduction of the proposed UPS systems changes the equipment response for a loss of building electrical power since power can be lost to the system by a loss of power to the UPS units themselves or by a failure of one of the UPS units. In its RAI response (Ref. 7), the licensee stated that the UPS systems could provide power to the RPCS during a loss of building power for up to 30 minutes, which prevents a reactor scram since the UPS is providing power to the scram magnets. However, in the event of a UPS failure, the loss of power to the magnets would cause the shim safety rods to fall into the core under the force of gravity, scramming the reactor.

In its RAI response (Ref. 7), the licensee also proposed to update the PUR-1 SAR to document the proposed functionality of the RPCS with the integral UPS units. The licensee renamed Section 13.2.g of the SAR, Failure of UPS Unit Power Supply, to describe the scram due to loss-of-power to the magnets and added Section 13.2.h, Loss of Normal Electrical Power, to the SAR to describe the holdup function of the UPS units with a controlled shutdown by the operator. Additionally, the licensee proposed TS 3.2.e to require the operator to initiate a reactor shutdown within 15 minutes of the initial loss of building power (see Section 3.8.2 of this SE).

During the Audit (Ref. 5), the NRC staff noted that the UPS units also provided power to two front National Electrical Manufacturer Association [NEMA] 5-15 outlets and ten rear, NEMA 5-15 outlets. In its RAI response (Ref. 7.2), the licensee stated that the rear outlets power various subsystems, but that the front outlets are convenience outlets intended for maintenance and calibration use only. The licensee also stated that use of the convenience outlets will be administratively limited, by PUR-1 procedures, to reactor operators only.

Based on the information provided, the NRC staff finds that even though the RPS is not completely independent from the RCS, the I&C systems design includes sufficient and diverse means to protect the reactor when the failure of any single component or channel occurs.

Therefore, the NRC staff concludes that the proposed PUR-1 I&C systems meet the intent of the acceptance criteria for independence for the failure of any single component or channel in NUREG-1537, Part 2 (Ref. 9.2).

3.3.3.3. Equipment Qualification In the LAR (Ref. 1), the licensee indicated that the proposed I&C systems for PUR-1 have a long history of safe use in industry applications, many of which are nuclear related.

Performance of the integrated system has also been tested through extensive parameter evaluation.

In the LAR (Ref. 1), the licensee also indicated that all instrument cabling is IEEE 383 certified.

As described in Section 3.3.2 of this SE, the RPCS is installed in the reactor room in the Duncan Annex of the Electrical Engineering Building at Purdue University. In that section of this SE, the NRC staff described and evaluated the effects of the environmental conditions, EMI/RFI and power surge on the DI&C systems and concluded the RPS is designed for reliable operation for the conditions anticipated within the facility.

In addition, in the LAR (Ref. 1), the licensee indicated that there is little to no risk of catastrophic earthquake in the West Lafayette area. The licensee also indicated that there are no credible physical or electrical interference scenarios where experimental or other components would interfere with reactor systems.

Based on the information provided and reviewed, the NRC staff finds the proposed DI&C systems are qualified for the intended operating environment and were designed such that, in abnormal conditions, the reactor will fail-safe (i.e., scram) and that the proposed PUR-1 I&C system meets the design acceptance criteria for equipment qualification in Section 7.4 of NUREG-1537, Part 2 (Ref. 9.2) and IEEE 7-4.3.2 (Ref. 19).

3.3.3.4. Prioritization of Functions As described in Sections 3.2.1.7 (RCS) and 3.3.1 (RPS) of this SE, the magnet circuitry consists of relays in series, receiving scram signals from the neutron channels, radiation monitors, manual scrams, RCS, and the control console key switch. Therefore, any signal received from these systems to interrupt power to the magnet circuitry or loss of power itself will independently scram the reactor, and signals were not prioritized.

During the Audit (Ref. 5), the NRC staff reviewed the magnet power circuitry wiring diagrams and confirmed that signals from the neutron channels, radiation monitors, manual scrams, RCS PLC and the control console key switch will independently interrupt power to the magnet circuitry, causing the reactor to scram. The licensee simulated several scenarios that will shutdown the reactor if a scram signal is generated by those systems. In addition, during the Audit, the NRC staff reviewed the functional tests performed during FAT to verify operation of these scram signals. The FAT results confirmed that signals from the I&C systems will scram the reactor as shown in the magnet power circuitry wiring diagrams the licensee submitted in its LAR (Ref. 7.3). The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to resuming reactor operation, if the LAR is approved, to verify the functionality of the entire RPCS, including verifying proper operation of the magnet power circuitry (See SE Section 3.7.4).

In the LAR (Ref. 1), the licensee indicated that the RCS failure modes do not affect the ability of the RPS to perform its safety functions. For example, in the LAR, the licensee indicated that the position of the rod drives holds no bearing on the status of shutdown condition. Even if the RCS were to act in the most unsafe manner, by instantaneously removing the rods to their full travel height, the RPS would intervene and scram the reactor. The licensee tested these capabilities during FAT and the NRC staff reviewed these test results during the Audit. Further, the licensee indicated that because the control console is not credited in the RPS, there was no need for prioritization of safety functions or communication isolation between priority modules.

The NRC staff reviewed the logic in the RCS PLC to confirm that it does not affect the independent operation of the RPS to scram the reactor. The NRC staff finds that, even if all indication of neutron flux and change rate is unavailable on the RCS, the values of these indications are still accessible on the NFMS channels. Based on the information provided and reviewed, the NRC staff finds that the RPS will independently initiate a reactor scram and the RCS will not undermine this capability. The NRC staff concludes that the proposed RPCS for PUR-1 meets the design acceptance criteria of the NUREG-1537, Part 2 (Ref. 9.2) and IEEE 7-4.3.2 (Ref. 19) for the RPS to prioritize signals from safety and non-safety sources.

3.3.3.5. Setpoints As described in Section 3.1 of this SE, the licensee did not modify most of the previously approved TS values for the SL or LSSS in the LAR. Accordingly, the methodology used by the licensee to determine the values of these setpoints was not evaluated by the NRC staff in this SE. Specifically, the LSSS of 12 kWt power level and operating power of 10 kWt were previously reviewed and approved by the NRC staff as part of license renewal (Ref. 11).

However, the licensee proposed TS modifications in the LAR regarding the parameters measured. Specifically, the proposed RPCS measures and displays the Change Rate rather than the Reactor Period. While the purpose of these two parameters are similar, their units are different and therefore the setpoints are numerically different. The proposed change rate setpoints are slightly more conservative because the licensee selected setpoint values lower than the values calculated in the conversion to units of change rate from the units of reactor period. In the LAR (Ref. 1), the licensee described how it calculated change rate from reactor period. Proposed Table I of PUR-1 TS 3.2 lists the new values, as updated by the licensee in a LAR supplement (Ref. 3.2), to identify the setpoints implemented. Table 1 in Section 3.1.1 of this SE also lists the licensees proposed setpoints. The proposed TS setpoints changes are reviewed and found acceptable by the NRC staff in Section 3.8.2 of this SE.

In the LAR (Ref. 1), the licensee indicated that modification of the setpoints in the I&C systems can only performed by the reactor supervisor or a delegated authority. To perform any setpoint changes, the reactor supervisor must use the key switches in the Mirion channels. Operator access to perform modifications to the equipment setpoints, which are set based on the licensee TS and SAR, is described in Section 3.6 of this SE.

In the LAR (Ref. 1), the licensee indicated that the nuclear instruments were required to be of high precision to give a reasonable level of detail as to the true value of measured parameters in the core. The licensee further stated that the instruments will give actual values with an expected error no greater than approximately 1 percent. The safety analysis described in the SAR (Ref. 1), assumed a 50 percent instrument uncertainty3 This is more conservative than using the instrument data to estimate the expected error (which would be less than 50 percent),

and thus provides greater safety margin for analyses (worst-case instrument readings subjected to uncertainty).

In the LAR (Ref. 1), the licensee states that the RCS PLC is programmed such that if any parameter indication falls outside of the predefined range, the signal is deemed invalid and set to the most conservative value, which then causes a reactor trip. Power level is not the TS safety limit for the PUR-1. The safety limit is a fuel temperature of 530 degrees C, but the fuel temperature is not measured directly. Consequently, the LSSS is on power level, which is directly measureable and chosen to assure that the reactor protection system will be actuated automatically to correct the abnormal situation and prevent the fuel temperature from exceeding the safety limit specified by TS 2.1.

Reactor power values are indicated in three locations for the operator. The first location is on the Mirion Channels themselves. Operators are able to view on the front of the channel any 3

Error is difference between the measured value and the true value of object being measured.

Uncertainty is the quantification of the doubt about the measurement result. The lower the accuracy and precision of an instrument, the larger the measurement uncertainty.

parameter which is capable of initiating a trip in the system. Second, analog signals (4-20 mA) are fed to two digital recorders, one that indicates power values and the other that indicates reactor change rate. The RCS is the third location that indicates the power and change rate at the top of the main operator screen.

During the Audit (Ref. 5), the licensee demonstrated the use of the workstation and its screen display that provides the indications for the neutron channels and plant parameters. The NRC staff observed how the licensee can retrieve setpoint values and how authorized personnel could modify these setpoints to validate the information contained in the LAR. In addition, the NRC staff reviewed the results from the FAT, in which the licensee tested the instrument, displays and logic associated with the measured parameters and setpoints, and finds the testing performed confirmed the proper function of the workstation and its screen display for the neutron channels and plant parameters.

Based on the information provided and reviewed, the NRC staff finds that the proposed I&C systems and subsystems will measure the parameters necessary to protect the reactor, and the previously approved setpoints (Ref. 11) will continue to help protect the fuel and help ensure public health and safety. Therefore, the NRC staff finds that the proposed RPCS DI&C systems for PUR-1 meet the acceptance criteria for setpoints, accuracy requirements, and actuated equipment response time in Section 7.4 of NUREG-1537, Part 2 (Ref. 9.2) and Section 5.6 of ANSI/ANS-15.15-1978 to assure that the proper setpoints are automatically made active and the system has features that facilitate administrative controls to verify the proper setpoints.

3.3.3.6. Bypass/Permissives, and Interlocks In the LAR (Ref. 1), the licensee indicated that there are no experimental facilities or experiments that contain interlocks and there is no bypass capability for interlocks in the RCS.

Further, because the RPS is only comprised of the relays and the magnet circuitry, the licensee did not use any bypasses or inhibits. In the event of a system anomaly or instrument failure, no bypass or interlock will preclude the reactor from being safely shutdown. The NRC staff reviewed the FRS (Ref. 2.1) and design documents to verify that maintenance bypasses were not part of the RPS. Also, the NRC staff verified that the number of operable channels required by the PUR-1 TS 3.2 remains one (Ref. 1), meaning that if only one neutron channel reaches its specified setpoint or any malfunction is detected, then the RPS will scram the reactor.

According to the licensee (Ref. 1), the RCS includes permissive circuits for the withdrawal circuits of the control rods and the fission chamber. The software interlocks prevent raising more than one control rod simultaneously or the fission chamber and any control rod simultaneously. These permissives and interlocks are independent and do not affect operation of the RPS. If an interlock is active, the yellow WITHDRAWAL INTERLOCK indicator will illuminate and the associated class 2 Withdraw INLK indicator specific to the system being inhibited is displayed on the digital annunciator screen. The annunciator displays are discussed further in Section 3.4 and shown in Figure 6 of this SE. Additionally, per the licensee (Ref. 1),

PUR-1 operating procedures prohibit the operator from withdrawing the control rods when a warning indicator is showing.

The current I&C systems included permissives associated with the shim-safety rods and slow scram circuit. Since the slow scram circuit was removed in the new system, the permissive to raise the shim-safety rods was removed and replaced with a set of three requirements that are necessary to energize the magnet current: (1) that the NFMS not be in test mode, (2) that the key switch is turned on, and (3) that the annunciator reset pushbutton is depressed. The licensee stated this set of requirements will be part of operational procedures approved by the Committee on Reactor Operations (CORO) for operation with the new I&C systems (Ref. 1).

During the Audit (Ref. 5), the NRC staff reviewed the logic implemented in the RCS and the test results from the FAT to confirm the information provided in the LAR regarding permissives and interlocks. The NRC staff observed that the interlocks and permissives included in the RCS do not interfere with the RPS. Based on its review, the NRC staff finds the design properly documents permissive conditions and appropriate indications are provided for interlocks.

Further, the NRC staff finds that the proposed PUR-1 I&C systems do not contain bypasses or means to deliberately induce inoperability of the RPS safety function. Accordingly, the NRC staff concludes that the proposed I&C systems for PUR-1 meets the design acceptance criteria for bypass/permissives and interlocks identified in NUREG-1537, Part 2 (Ref. 9.2) and Section 5.7 of ANSI/ANS-15.15-1978 (Ref. 17) and is acceptable.

3.3.3.7. Surveillance The guidance in Section 7.4 of NUREG-1537, Part 2 (Ref. 9.2) recommends that the RPS design reasonably ensure that the design bases can be achieved and the system can be readily tested and maintained in the designed operating condition. ANSI/ANS-15.15 (Ref. 17) recommends the system design include capability for periodic checks, tests and calibrations.

Additionally, if on-line periodic testing is necessary, such testing should not reduce the capability of the system to perform its safety function.

Section 4.1 of the FRS (Ref. 2.1) documents the RPCS design, including system design requirements for test and calibration of the RPS, to demonstrate the RPCS can be readily tested and maintained. These design requirements are described and evaluated in Section 3.2.4.5 of this SE. Based on that evaluation, the staff found the design of the PUR-1 I&C systems includes the necessary features, including the display of any necessary parameters or alarms to the operator, to facilitate the performance of the required surveillance checks, calibrations, and inspections required by the TS and these design features provide acceptable provisions to demonstrate operability of the RPCS. Due to the interconnected nature of the PUR-1 I&C systems, the evaluation and conclusion regarding surveillance provided in Section 3.2.4.5 of this SE pertain to all of the RPCS, including the RPS. Therefore, based on the review in Section 3.2.4.5 of this SE, the NRC staff concludes the RPS meets the design criteria in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2). The following paragraphs and Section 3.8 of this SE discuss surveillance testing for the RPCS (including the RPS and RCS).

Section 50.36(c)(3) of 10 CFR requires the surveillance requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met. In addition, the design acceptance criteria for the RPS in Section 7.4 of NUREG-1537, Part 2 (Ref. 9.2) recommends that the RPS be sufficiently distinct in function from the RCS that its unique safety features can be readily tested and verified.

In the LAR (Ref. 1), the licensee identified proposed TS changes and changes to TS SRs. In its response to the RAI (Ref. 7), the licensee added a new surveillance (PUR-1 TS 4.2.f.) to test the new UPS units with a simulated loss of off-site power for 30 minutes. The licensee also proposed to change the SR action time from 30 minutes to 15 minutes in a LAR supplement to the PUR-1 TS (Ref.3.2). See Section 3.8.4 of this SE for additional information.

PUR-1 TS 3.2.c requires that scram times be less that one second, and TS 4.2.c requires an annual measurement of this time. The proposed I&C systems have the capability to measure this time after every scram. During the Audit, the NRC staff reviewed the test results for tests performed to determine scram times. The NRC staff observed that the scram times measured met the requirements in TS 3.2.c.

PUR-1 TS 4.2.a requires calibration of the reactor safety channels annually. TS 4.2.e requires channel checks for each of the scram capabilities identified in Table I of the TS 3.2 before startup. The licensee indicated in the LAR (Ref. 1) that the setpoint values in Table I of PUR-1 TS 3.2 are verified as part of its pre-start checklist. In its RAI response (Ref. 7), the licensee proposed that, as part of the checklist, operators will be required to confirm that the software version in the console matches the version identified in the Reactor Characteristics and Operations Manual to assure that the reactor safety system is operable as required by TS 3.2.

During the Audit (Ref. 5), the licensee demonstrated how this version confirmation is performed.

As described in Section 3.3.1 of this SE, the RPS consists of several relays connected in series, which are connected to the shim-safety rod magnets. The relays are electromechanical components that do not require calibration. TS 4.2.d requires performance of a channel check of each of the RPCS scram capabilities listed in Table I of TS 4.2 prior to each days startup. In its RAI response (Ref. 7), the licensee stated that the prestart checklist requires rods to be raised to 6 cm, so that the operator can visually verify that the rods drop as expected when the scram is induced. Further, the scram cause is verified by various indications on the operator screen, the face of the NFMS channels, the annunciator panel (left of the display screens) and auxiliary panel (located on the right operator screen).

The NRC staff considered whether a surveillance was needed for the watchdog timer or any other inputs to the scram system that are generated within the RCS. Based on the NRC staff review, as documented in Sections 3.2 and 3.3 of this SE, the NRC staff determined the RCS is not credited for safe shutdown of the reactor and the RPS system is the sole credited source for safe shutdown of the reactor. The RCS instead provides a redundant and diverse method of safe shutdown of the reactor in the event of an unsafe condition. Since the RCS is not credited for safe shutdown, the staff determined there is no need for a new SR for any RCS components.

Based on its review of the information provided by the licensee and audit observations discussed above and in Sections 3.2.4.5 and 3.8 of this SE, the NRC staff finds that the RPCS design includes the necessary capabilities for periodic checks, tests and calibrations to help ensure the systems are operable to protect the reactor when necessary. The NRC staff also finds that the checking, and calibration provisions of the existing and new TSs, including surveillance tests and intervals proposed by the licensee for the PUR-1 I&C systems, provide reasonable assurance that the new digital I&C systems of the RPCS will function as designed and include surveillances that assure that operability is restored following maintenance.

Therefore, the NRC staff concludes that the proposed RPCS, including the RPS, follow the guidance in NUREG-1537 (Ref. 9.2) for testing capabilities and related surveillances to verify the availability and reliable operation of the RPCS. Further, the NRC staff concludes that the PUR-1 TSs meet the 10 CFR 50.36(c) requirements that TSs include SRs relating to test, calibration, or inspection assure that the necessary quality of the DI&C systems and components is maintained, and is acceptable.

3.3.3.8. Classification and Identification In the LAR (Ref. 1), the licensee identified the systems that are safety or non-safety related systems. Specifically, the proposed Chapter 7 in the LAR indicates the RPS is safety related and the RCS is non-safety related. The PUR-1 safety-related systems are also clearly identified by the licensee in PUR-1 TS 3.2. The licensee also stated that the reactor and proposed I&C systems are simple, and a trained operator can easily identify safety and non-safety components. Additionally, during the Audit (Ref. 5), the NRC staff observed the proposed I&C systems and noted the I&C vendor applied permanent red tape to identify wires for signals input to the relays in the magnet circuitry.

Based on the LAR descriptions and observation of the RPCS, the NRC staff finds that the proposed I&C systems include sufficient information, indication, and identification for a trained operator to distinguish safety and non-safety systems and components. Therefore, the NRC staff finds that the proposed RPS for PUR-1 meets the design acceptance criteria for classification and identification in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2) and Section 5.11 of ANSI/ANS-15.15-1978 (Ref. 17).

3.3.3.9. Human Factors Section 3.4.3.5 of this SE describes the control console and RCS, including the HMI principles followed to identify reactor and operation parameters. The licensee prepared a SRS-SDD and the HDD (Refs. 7.1 and 7.2) to detail the functional requirements and design for the PUR-1 HMI.

Additionally, in the LAR (Ref. 1), the licensee described the principles followed to design the HMI. Specifically, the licensee required that the reactor operator should be able to view critical reactor parameters at all times and that the operator should be able to find historic information of a facility parameter (as well as its current value) in no more than three screen changes.

Regarding the safety of the reactor and protection of the facility and public, operators will have the following information available:

Reactor change rate as monitored by two of the detector systems: Channel 1 (Low Level) and Channel 2 (High Level).

Reactor power values as indicated by the neutron channels, digital recorders and control console.

Signals from the four detector channels, the radiation levels, and all other facility parameters, including the coolant chemistry, bulk pool temperature, reactor room pressure, and status of the rooms confinement.

This information will allow the operator to view parameters on the main display of the workstation. The workstation is capable of plotting the parameters value as a function of time, as well as plotting multiple parameters on the same screen. This workstation display of the operator console is the primary source for an operator to obtain information on the status of a facility parameter. During the Audit (Ref. 5), the licensee demonstrated the use of the operator console with the proposed I&C systems.

In the LAR (Ref. 1), the licensee explained that, when a scram or setback condition occurs, or when an equipment failure occurs, an alarm sounds and indicators will illuminate the source of the alarm on both the annunciator panel and the operator console. Further, the annunciator screen in the console will automatically generate a pop up on screen when a scram or setback condition is present. Operators use an annunciator acknowledge button to turn off (or acknowledge) the alarm. The audible alarm will remain off until another alarm initiator activates or a parameter value associated with an alarm, which has already been acknowledged, returns to a safe level followed by a return to an unsafe level. If a scram results, the annunciator acknowledge switch must be held in for approximately two seconds to allow re-enabling magnet power as part of the steps for scram recovery (as discussed in Section 3.3.3.2 of this SE). An evacuation alarm horn is also installed in the reactor instrument racks. The horn is activated by pushing the alarm button on the reactor console. The licensee can test the alarms in the control console or alarm horn by pushing the alarm button on the reactor console or by simulating a scram signal in the system. During the Audit (Ref. 5), the NRC staff observed the location of the annunciator panel, operator console, and evacuation alarm. The licensee also demonstrated the operation of the alarm horn.

As discussed in Section 3.3.3.1 of this SE, the RPS includes capability to manually shutdown the reactor. Specifically, the reactor can be manually scrammed by the control console key switch or either of the two manual scram buttons, which are located on the control console and in the hallway outside the control room respectively. During the Audit (Ref. 5), the NRC staff reviewed the magnet power circuitry and confirmed that signals from the control console key switch and manual scram buttons will interrupt power to the magnet circuitry, causing the reactor to scram. The NRC staff reviewed the logic for operation of the key switch and manual scram buttons, labeling, and location in the temporary rack and hallway, respectively. The NRC staff also reviewed the tests results from FAT that tested operation of the key switch and manual scram buttons to scram the reactor. The NRC staff confirmed that the operators will have ready access to the key switch and manual scram buttons and that these will perform their safety function.

In addition to the variables monitored and controlled by the proposed I&C systems, there are process instruments that are necessary for the safe operation of PUR-1. These variables have continuous indication on the control console and are monitored and recorded. The licensee stated that a thermometer is used to ensure that the criteria established for the neutronic analyses and the thermal hydraulic analyses remain valid because the safety limit is based on fuel temperature and not on power. Similarly, the licensee stated that PUR-1 also has differential air pressure sensors to ensure a negative pressure in the reactor room relative to pressure outside the reactor room. The negative pressure is part of the assumptions for the calculated dose to the maximally exposed member of the public during the maximum hypothetical accident (Ref. 1). The RCS will also provide indication of the coolant flow rate, coolant conductivity, and water height. If the operator observes that these parameters are outside their range of operation, the operator can start a controlled shutdown of the reactor from the operator console or using the manual scram buttons.

Based on its review of the information provided in this section and in Section 3.4.3.5, the NRC staff finds that the proposed RPS includes readily available indication of PUR-1 parameters and safety variables. The NRC staffs audit observations confirmed that the indications and locations of these parameters were designed in accordance with Purdues principles for the operator to have continuous view of important reactor parameters and access to historic information of a facility parameter with ease and minimal operator actions. Accordingly, the NRC staff concludes that the proposed RPS for PUR-1 meets the acceptance design criteria for human factors identified in NUREG-1537, Part 2 (Ref. 9.2).

3.3.3.10. Quality Section 3.7.1 of this SE describes the evaluation of the QAP followed by Purdue for the upgrade of the I&C systems, including the RPS, for PUR-1. Section 3.7.1 of this SE provides the NRC staff evaluation of the PUR-1 digital I&C systems using the acceptance criteria identified in ANSI/ANS-15-8 (Ref. 16).

Conclusion on the RPS Design Criteria Evaluation Based on the information provided and reviewed, the NRC staff evaluated the RPS design in accordance with the design acceptance criteria identified in Section 7.4 of NUREG-1537, Part 2.

On the basis of its evaluation of the information presented above, the NRC staff concludes as follows:

The design criteria followed produced a reliable, capable and suitable RPS for operation and protection of the PUR-1 facility. The protection channels and protective responses are sufficient to help ensure that the SL, LSSS, and RPS-related LCOs discussed and analyzed in the SAR will not be exceeded.

The design reasonably ensures that the design bases can be achieved, the RPS is built of high-quality components using accepted engineering and industrial practices, and the RPS can be readily tested and maintained in the designed operating condition.

The RPS design is sufficient to provide for adequate isolation and independence from other reactor subsystems required by SAR analyses to avoid RPS malfunctions or failures caused by the other systems.

The RPS is designed to maintain function or to achieve safe reactor shutdown in the event of a single random malfunction within the system.

The RPS is designed to prevent or mitigate hazards to the reactor or escape of radiation, so that the full range of normal operations poses no undue radiological risk to the health and safety of the public, the facility staff, or the environment.

The RPS design includes provisions for testing and channel checking, and bases for technical specifications, including surveillance tests and intervals, and provides reasonable assurance that the RPS will function as designed.

3.4. Control Console/Display Instruments System Description of the Control Console/Display Instruments The licensee describes the control console/display instruments in the LAR (Ref. 1), as supplemented by the FRS (Ref. 2.1), the SRS-SDD and the HDD (Refs. 7.1 and 7.2). A system description of the control console/display instruments, based on these references, is provided in this section.

The control console and display instrument systems include displays for the reactor operator to view operating information and the status of systems and equipment. Figure 3 (adapted from Figure 7-4 in the LAR (Ref. 1) is a picture of the PUR-1 reactor console and display instruments.

The NRC staff observed this configuration during the Audit (Ref. 5), which is the configuration used as the staging for SAT, but is representative of the planned installation. Not shown is the operators desk that will be integrated into a console with the right three panels.

Figure 3 - PUR-1 Site Acceptance Staging of Reactor Control Console and Display Instruments The operator interface consists of a reactor operator console, which includes the operator console display workstation. The FRS (Ref. 2.1) lists the operator console features. The NRC staff reviewed the following features:

Annunciator panel

Display screens for reactor power, change rate, and rod position

Display screens for the three RAMs and one CAM

Display screens to indicate the status of the HVAC and water makeup systems

Display screen to indicate current time

A timer which can count up or down for a user-defined duration

Reactor runtime odometer

Panel recorders

Panel indicators and indicator switches Operators can use these features to perform surveillance testing, channel check, maintenance and diagnostic of the IC& systems.

The control console provides control functionality through utilization of a key switch for engaging the rod magnetic current. This key switch provides an input into the RPS and RCS via an interposing relay. When the key is engaged, the RCS will apply power to the operator console reactor runtime odometer, which tracks the number of hours the shim rod magnets are powered.

It will start logging time when the key switch is enabled and will stop logging time when the key switch is disabled. This function is emulated in a computer display screen as well.

Colors for the indicator lights on the console show the operator the status of the reactor at a glance. All trip indicators are red and warning indicators yellow. The indicators and controls necessary for startup and shutdown operations are logically grouped in front of the operator. A large, clearly visible scram button that will allow rapid manual shutdown of the reactor, as well as three other emergency switches, are included on the left most panel of the console. The emergency switches activate the control room alarm, activate the house alarm, and shut down the HVAC isolating the reactor room.

The main operator interface to the RCS and RPS is via a display screen mounted in the operator console. The two display screens, which are panel mounted within the center and right-most sections of the operator console, are controlled by a mouse and keyboard. The computer workstation drives the monitors for display of process indication data and provides the operator the ability to control the reactor. In addition to the other TS minimum requirements to operate the reactor, in order to energize the scram magnets, the workstation must be online.

Section 7.6.a of the LAR (Ref. 1) states that one screen is dedicated to reactor drive controls while the other allows the operator to view general facility data and plot any system parameter.

The FRS (Ref. 2.1) lists the information available for display on the workstation:

Reactor status

Startup condition summary

Reactor drive control

Annunciator and Alarm summary

Tabular display

Trend displays

System monitoring displays (HVAC, RAM, RWMS, etc.)

Ability to view, create, manage data historian archive,

Ability to generate reports Figure 4, which is Figure 7-5 of the PUR-1 LAR (Ref. 1), shows the Reactor Drive Control screen, which is the main operator screen. According to the LAR (Ref. 2.1), administrative controls require this screen to be displayed at all times. During the Audit (Ref. 5), the NRC staff asked how the main operator screen (left screen) would be dedicated to the reactor drive controls and how this dedication would be enforced. The representative from Scientech demonstrated that the left screen is dedicated in the software to display the Reactor Drive Control screen and cannot be changed by an operator. However, the information displayed on the right screen can be changed by the operator to display other screens as needed. Purdue personnel also demonstrated that there were no controls to change the Reactor Drive Control screen to any other screen and how to select other screens for display on the right operator screen.

Section 7.6 of the LAR (Ref. 1) states that the reactor drive control screen includes drive status for the neutron source, fission chamber, shim-safety rods 1 and 2, and the regulating rod. The RCS displays the position (both graphically and numerically) of the selected rod and indicates if the rod is at the lower limit, 2/3 height, or the upper limit. All drives have jam indication and the shim-safety rods have indication if magnet power is engaged and if the rod is at rod bottom.

There is also indication at the bottom of the rod control screen if Automatic Startup or Servo Control are enabled. Rod position indication is always on the left hand screen of the operator.

The neon or dull coloring of the labels near the rods indicate if the switch is active or inactive.

Figure 4 - PUR-1 Main Operator screen Figure 5, which is Figure 7-6 of the LAR (Ref. 1) provides a screenshot of one possible menu available on the second display screen. This screen contains a menu select for accessing information on system data, including the HVAC, RAM, annunciator data; and drive system data, such as the rod drive controls and servo controls; and neutron flux data. Pressing any button on the menu will bring up a secondary screen that provides additional details on the parameters for the selected system.

Figure 5 - Console Summary screen Section 3.3.2.2 of the FRS (Ref. 2.1) and Section 7.6 of the LAR (Ref. 1) states that two panel recorders are mounted in the cabinets next to the workstation displays. These panel recorders monitor signals from different channels and display the information as shown in Table 2.

Table 2 - Panel Recorder Signal Definition Recorder 1 Recorder 2 Channel 1 - Counts per Second Channel 1 Change Rate Channel 2 - Power Level Channel 2 Change Rate Channel 4 - Power Level Channel 3 - Power Level User Configurable User Configurable In addition to displaying parameters on the panel recorders, the front panel of each neutron channel will also display parameters for Channels 1-4.

Section 3.3.2.3 of the FRS (Ref. 2.1) and Section 7.6 of the LAR (Ref. 1) describe the annunciator panel. The annunciator panel on the control console has two types of lighted panels. The first panel is display only and the second panel has push button functionality that allows the operator to activate specific functions. Operating procedures, as well as interlocks, keep the operator from withdrawing the control rods when a warning indicator is showing. Table 3 shows the annunciator alarms, including two unused spare positions that are included in the first panel.

Table 3 - Annunciator Panel Alarms Lighted Indicator Only Change Rate Setback Power Setback Withdrawal Interlock Change Rate scram Power scram RAM scram CAM scram RCS DAS Trouble Workstation Trouble Channel Fault Manual Scram Servo Trouble SPARE SPARE Table 4 identifies the LED indicators and pushbutton switches with LED indicators on the second panel.

Table 4 - Panel indicators and Switches Lighted Indicator Only Lighted Indicator with Push Button Switch Environmental Health Control Room Alarm Chiller On House Alarm Isolate Confinement Annunciator Acknowledge Magnet Power Water Process Pump Power Chiller Power During the Audit (Ref. 5), the NRC staff observed the lighted indicators noted in Table 3 above both with and without push button functionality. As mentioned previously, in addition to the annunciator panel, the second workstation display contains an annunciator screen.

In addition to the primary workstation, a secondary workstation is also present in the control room. Section 7.6.j of the LAR (Ref. 1) describes the secondary workstation. This secondary workstation mimics the operator console (with a single screen rather than two). Its primary role is to allow facility or visiting personnel to view reactor data or status without having to interrupt the reactor operator. Additionally, the secondary workstation also serves as a public site server, which may be accessed by any Internet Protocol address on the West Lafayette Campus. This allows for facility personnel not physically located within the reactor room to view current facility status. A data diode restricts data and provides electronic security by ensuring one-way communication between the RCS and secondary workstation. Data will flow from the RCS to the secondary workstation but communication back to the RCS from the secondary workstation is not allowed. During the Audit (Ref. 5), to gain a better understanding of the information in the LAR, the NRC staff asked how the workstations are identified to prevent confusion and how the secondary workstation is protected. The licensee showed the NRC staff the markings that designate the operator workstation as 02-WKS and the secondary workstation as SWKS, as documented in the LAR. The secondary workstation is accessible by anyone in the reactor room and the password is separate from the passwords for the main operator console workstation. This authorization is enforced by an administrative username/password combination that is controlled by the PUR-1 Reactor Supervisor per a procedure approved by the CORO (Ref. 7).

During the Audit (Ref. 5), the NRC staff observed that the control console also provides the ability to export data to removable media without risk to the system, as described in the LAR (Ref. 2.1). This is done using a key for Universal Serial Bus (USB) port blockers that is under similar administrative control to the reactor key. USB ports currently in use by the keyboard and mouse for the control console are located within the cabinet and would be difficult to access without the operator being aware. Section 3.6 of this SE further discusses the access controls for the USB ports.

Technical Evaluation of the Control Console/Display Instruments Design Basis This section of the SE provides the NRC staff review and evaluation of the design basis of the control console and display instruments against the acceptance criteria identified in the guidance of Section 3.1 and Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2).

Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR. In Section 7.6 of the LAR (Ref. 1), the licensee described the design bases for the proposed control console and display instruments.

The main screen of the primary operator workstation, as shown in Figure 4, indicates reactor power and change rate. It also allows for rod position control, as discussed previously in Section 3.2.1.2 of this SE. As described in Section 7.6.b of the LAR (Ref. 1), the operator may move the rods manually, using fine or coarse withdraw, or by inputting a desired height.

Through manual control, the operator may select the drive, which is desired to be moved. A joystick can then be lifted or depressed indicating upward or downward motion of the rod, respectively. When the joystick is lifted or depressed and a rod withdrawal inhibit is not active, the rod will continue to drive in the direction the operator positioned the joystick. The operator may stop rod motion at any time through toggling the joystick or selecting stop on the operator screen. Clicking on the Selected Drive Coarse/Fine Withdraw button requests the control algorithm withdraw the selected drives one course/fine step. The position change for one fine step is unique to each drive and a programmed setting parameter in the control algorithm.

Each press of the selected drive coarse/fine withdraw button withdraws the drives only one-step, the button must be pressed for each step of withdrawal.

The operator may also select a desired height for a given rod. The rod is selected, the desired height entered, and motion starts on operator approval. The rod position indication is always on the left hand screen of the operator. Neon or dull coloring of the labels near the rods show the switch activation, or lack thereof, respectively.

Section 7.6.a of the LAR (Ref. 1) describes the primary operator workstation rod position control and indication. Multiple indications are provided to describe the rod position. When the rod is located at the bottom of its travel path, the Rod Bottom Light is activated. When the rod is at 2/3 of its travel length, the 2/3 limit switch is activated. These indications are the same for each of the drives and switches. Color indications on these lights show whether the switch is activated or not. A dull color shows the switch is not activated while a bright neon color indicates activation. When a drive is activated, text appears that indicates to the operator that the drive is energized and is in motion (provided that it is not jammed). A jam circuit is incorporated in the drive circuits to operate a jam indicator light on the console in the event of a mechanical jam in the drive of both systems. This indication alerts the operator to the possibility of cable kinking in the source and fission chamber drive units, or mechanical friction in the rod drives. During the Audit (Ref. 5), the NRC staff reviewed the SAT associated with the different rod drive controls and rod position indication. Based on its Audit observations and information presented in the LAR, the NRC staff finds that the information displays associated with the manual controls are clearly visible by the operator and provide unambiguous indications to avoid operator confusion. The NRC staff also finds that rod position indications are continuously displayed on the console and are readily accessible and understandable to the reactor operator.

Section 7.6.a of the LAR (Ref. 1) describes the ability of the operator to plot any system parameter or set of parameters on the second screen of the primary workstation. For example, the operator may choose to plot the height of each control rod against the reactor power level as indicated by Channels 1, 2 and 3. The status of any switch, setpoint, parameter value, or bi-stable relay may be seen on the secondary screen. Additionally, the parameters and the system functions with similar functionality have been grouped on the main summary screen of the secondary display. Section 7.6.c of the LAR discusses trends and display graphs. Each of the graphs is auto-scaling (which may be stopped at the operator's discretion) and may access historic facility data. There is no limit on display range with respect to the actual values of the parameters measured. A poor signal quality results in a magenta colored plot line. During the Audit (Ref. 5), the NRC staff observed the capability to view different parameters and system functions on the second screen, as stated by the licensee in the LAR. During the Audit (Ref. 5),

the NRC staff reviewed the SAT that confirmed the functionality of the plotting and trending capability. The licensee committed to reperform SAT prior to resuming reactor operation, if the LAR is approved, when the RPCS is connected to the reactor system and other external systems, in its fully installed configuration, to ensure the display systems function correctly (see SE Section 3.7.4). Per PUR-1 TS 6.1.a.4. and TS 6.2., all of the FAT and SAT test results and action taken to correct any deficiencies that may occur during these tests will be reviewed by the CORO and reviewed and approved by the Facility Director (Ref 7). Based on the above, the NRC staff finds that the display instrumentation demonstrates the capability to provide accurate, complete, and timely information pertinent to safety system status in a readily accessible and understandable manner to the reactor operator.

The control console is installed in the control room, and will operate in the environmental conditions identified in Section 3.3.3.3 of this SE. Further, in the FRS (Ref. 2.1), the licensee stated that, beyond normal industry installation practices, there are no special equipment EMI/RFI concerns and once the equipment is installed in its final configuration, the FAT and SAT will be performed again to verify system operability.

Section 3.3.2 of the FRS (Ref. 2.1) states that the operator initiates a manual scram using the scram button on the leftmost panel of the console or by using an identical button installed in the hallway outside the reactor room. The leftmost panel also contains an annunciator panel. Any annunciator alarm associated with a trip or setback (Class 1 Alarm) will activate an audible alarm in the reactor room and be displayed on the annunciator panel. Additionally, this leftmost panel provides for a locking mechanism (key switch) to ensure that the reactor facility will not be operated by unauthorized personnel. This key switch is not new to the system. It was a part of the previous system and was incorporated into the design to satisfy the existing design bases requirement for secured shutdown defined by PUR-1 TS 1.32.b.3 (Ref. 11). Based on this information, the NRC staff finds that the operator is able to shutdown (via scram) the system by means of readily available switches, and the system is designed to annunciate the operators action.

Section 3.3.2 of the FRS (Ref. 2.1) also states that this annunciator panel includes three other emergency push button switches separated from the other indicators and controls on the panel.

One activates the control room alarm, one activates the house alarm, and one isolates the confinement space.

Section 7.6.a of the LAR (Ref. 1) states that the RCS provides the means for the operator to determine the actual cause of an alarm through the use of the alarm summary and/or system monitoring computer display screens. All alarms on the annunciator panel will be announced using the annunciator alarm. In the event of any alarm, an indication flashes on the main operator screen. During the Audit (Ref. 5), the NRC staff visually verified that the indication flashes on the main operator screen. The secondary screen automatically switches to the digital annunciator board, which gives more detail about the cause of the scram or setback. Trip indicators are displayed in red, whereas warning indicators are displayed in yellow.

Section 7.4 of the LAR (Ref. 1), describes the annunciator acknowledge button used by the reactor operator to turn off (or acknowledge) the alarm. When acknowledged, the audible alarm (horn) will remain off until another alarm initiator is detected or a value, which has already been acknowledged, returns to a safe level and then transitions back to an unsafe level. The visual (alarm button) annunciator on the display will not clear until the relevant parameter has been returned to non-alarm levels. It blinks until acknowledged and is on solid while the alarm condition still exists. An annunciator test functionality is present in the workstation to check the operability of the panel. This testing can be performed in a variety of ways including sending simulated signal to any protective subsystem. An evacuation alarm horn is installed in the instrument system racks and is activated by pushing the alarm button on the reactor console.

Section 3.3.2.2 of the FRS (Ref. 2.1) describes the panel recorders. As shown previously in Table 2, panel recorder No. 1 monitors signals from Channels 1, 2 and 4. Recorder No. 2 monitors signals from Channels 1, 2 and 3. Each recorder also allows for one additional user configurable signal through the display workstation. All signals, except for the configurable signals, are monitored directly from the NFMS interface signals by the trend recorders and do not require operation of the RCS I/O equipment of the reactor operator console workstation.

The display system has no capability of propagating signals back to the RPS systems. Diverse indications of reactor power and change rate are available to the operator and the indications are monitored by the RCS to help ensure they remain in the expected range. The Yokogawa recorders also provide indications to the operator without processing by the RCS.

The control console is not credited in the PUR-1 SAR to perform automatic protection of the reactor and is therefore not considered part of the RPS. According to the licensee (Ref. 1), a control console instrument system failure or malfunction does not prevent the RPS from performing its safety function and does not prevent the reactor from performing a safe shutdown. As stated by the licensee (Ref. 1), even if all indications are incorrectly shown and the operator were to instantaneously move all rods to their most reactive positions, the scram capability still initiates a shutdown before the onset of nucleate boiling.

During the review of accident analyses for license renewal (Ref. 11), the NRC staff performed confirmatory calculations to verify that large margins exist to the core power corresponding to the onset of nucleate boiling and large temperature margins exist to the incipient boiling and the fuel SL for insertion of the maximum excess reactivity without scram. Based on these confirmatory calculations, the NRC staff concluded during license renewal that the licensees assumptions and calculated results provide acceptable margin to the fuel temperature safety limit of 530 degrees C (986 degrees F) specified in PUR-1 TS 2.1. In its LAR (Ref. 1), the licensee used the same underlying assumptions for a ramp reactivity addition accident with the proposed RPCS system and reached the same results. Accordingly, the NRC staff finds that, even in the unlikely scenario of malfunction of the proposed control console/display instruments and improper operator action based on the faulty indication, the fuel temperature will not exceed the safety limit specified in TS 2.1 in the event there is a ramp reactivity addition accident.

As described in Section 7.6.e of the LAR (Ref. 1), all system parameters are updated at a frequency not to exceed one second on the workstation. The system parameters are recorded with resolutions of 10 milliseconds and all control system logic is performed at an interval not to exceed 250 milliseconds. As described in Section 3.2.3 of this SE and in the audit report (Ref. 5), a watchdog timer is implemented as part of the PLC to ensure the operator workstation remains responsive. This function is performed every 30 seconds. Section 7.6.e of the LAR (Ref. 1) states that this speed is consistent with human system interface response expectations to provide operators with the information needed to place and maintain the facility in a shutdown condition and identify any abnormal condition or transient.

Section 7.6.e of the LAR (Ref. 1) states that the NFMS channels provide near instantaneous monitoring and independent protective action with a design display refresh (or update) of facility parameters every five seconds. The LAR further states that this display update rate is 10 to 20 percent of the time an operator takes to interpret a significant facility parameter and take manual action. Section 7.6.g of the LAR (Ref. 1) states that annual calibrations and periodic maintenance will account for drift in certain measurement devices used by the control console.

The NRC staff evaluated the control console and instrumentation design using the design bases acceptance criteria identified in Section 3.1 and Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2).

The NRC staff finds that that the displays and operator control systems reference applicable standards and guidance and are designed and located to promote ease and efficiency in the performance of operations necessary for the safe control of the reactor. The NRC staff also finds that the design meets expected range of operation, contains appropriate manual controls and manual initiations of protective actions, contains readily accessible and understandable control, safety, and rod position indications, and considers the effects of failure modes on display and control instrumentation.

Based on the NRC staffs review of the design bases information provided in the LAR and observations during the Audit, the NRC staff finds that the proposed control console/display instruments are adequate to perform the necessary control and protection actuation and information management, storage, and display functions to help ensure continued safe operation of the reactor. Therefore, the NRC staff concludes the PUR-1 control console and instrumentation design meets the design bases acceptance criteria in Section 3.1 and Section 7.6 of NUREG-1537, Part 2.

Technical Evaluation of the Control Console/Display Instruments Design Criteria This section of the SE documents the NRC staffs review and evaluation of the proposed design of the control console and display instruments to perform their functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The NRC staffs evaluation of the design of the proposed control console and display instruments is based on acceptance criteria in Section 7.6 of NUREG-1537, including acceptance criteria from the guidance and industry standards referenced by Section 7.6 of NUREG-1537, as listed in Section 2 of this SE.

The licensee described the design criteria for the proposed control console and display instruments in Section 7.6 of the LAR (Ref. 1).

3.4.3.1. Independence As previously described in Section 3.3.3.2 of this SE, Section 7.6.a of the LAR (Ref. 1) indicates that a failure or malfunction in the control console/display instruments does not prevent the RPS from performing its safety function and does not prevent the reactor from performing a safe shutdown. The secondary workstation is isolated by hardware from the primary workstation and there is no data communication between safety channels or between safety and non-safety systems. The most significant failure mode of the display and control instrumentation would be a loss of power. In the event of any abnormal system behavior, PUR-1 operators are trained to insert a manual scram on the operator console and visually verify rods drop into the core.

Based on the information provided in Section 7.6.a of the LAR (Ref. 1), the NRC staff finds that the I&C systems design includes diverse means to shutdown the reactor, including two backup manual scram switches, and the operator workstations and displays are isolated and, even if they malfunction, cannot impede execution of the safety function. Therefore, the NRC staff finds that the proposed PUR-1 control console /display instruments meet the acceptance criteria in NUREG-1537, Part 2 for independence (Ref. 9.2) for diverse control console/display instruments so that a single failure or malfunction cannot disable the protective function.

3.4.3.2. Fail-safe In accordance with PUR-1 TS 3.2.e building alternating current (AC) power must be supplied to the reactor I&C systems during normal operation. As described previously in Section 3.2.2.4 of this SE, two UPS units receive power from the building supply and are capable of supporting the RPCS for at least thirty minutes following loss of power. Specifically, UPS-1 is intended for use for non-RPS components including the workstation computer and workstation monitor. As discussed in more detail in Section 3.2.2.4 of this SE, this time is sufficient to sustain the operation of the control console and display systems long enough for the operators to shut down the reactor in a normal manner as required by proposed PUR-1 TS 3.2.e.

In the event of a power supply failure of either of the UPS units, power is lost to the scram magnets and the Shim Safety rods fall into the core under the force of gravity. In its RAI response (Ref. 7), the licensee states that in the event of a loss of magnet power or any abnormal system behavior, the operator is trained to initiate a manual scram on the operator console and visually verify the rods drop into the core.

The performance of the UPS units is checked by the surveillance requirement in TS 4.2, which is discussed and found acceptable in Section 3.8.4 of this SE.

Based on the information reviewed, the NRC staff finds that a control console failure will not prevent the RPS from performing its safety function and will not prevent safe reactor shutdown.

Accordingly, the proposed PUR-1 control console and display instruments meet the fail-safe acceptance criteria in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2).

3.4.3.3. Prioritization of functions In Section 7.6, Control Console and Display Instruments, of the LAR (Ref. 1), the licensee stated that as the control console is not credited in the RPS, there is no necessity for prioritization of safety functions or communication isolation between priority modules. There is also no method to prevent a safety function from the primary display screen.

The NRC staff noted that priority is discussed in the LAR as part of the HMI design of the control console in the HMI Functions Software Design Description (Ref. 7.1). The HMI design indicates the 1st priority alarm in red. Additionally, a Priority button on the control console allows the user to view All Alarms by Time (default) or to filter by priority. The filters are not by a single priority but include all priorities up to the selected priority (e.g. Priority 1-1 Alarms shows only priority 1 alarms, Priority 1-2 Alarms shows priorities 1 and 2, , Priority 1-16 Alarms shows all 16 alarm priorities). The control console contains an Ack Priority button, which allows authorized users to acknowledge a selected priority of alarms.

Based on the provided information contained in the LAR, as supplemented, the NRC staff finds that the PUR-1 does not have multidivisional control and display stations, or operator workstations and the displays are not associated with multiple safety divisions. However, the received alarm signals from both safety and non-safety sources are prioritized for processing and display on the operator console. Accordingly, the NRC staff finds that the proposed control console and display instruments for PUR-1 meet the relevant design acceptance criteria for prioritization of functions in IEEE 7-4.3.2 applicable to a research reactor (Ref. 19).

3.4.3.4. Surveillance The guidance in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2) recommends that the design of the control console, display instruments, and equipment be readily testable and capable of being accurately calibrated and that appropriate surveillance tests and intervals are provided to ensure that the instruments and equipment will perform its design function.

Section 4.1 of the FRS (Ref. 2.1) documents the system design requirements for test and calibration of the RPCS, including the control console/display instruments, to demonstrate operability of the RPCS. These design requirements were described and evaluated in Section 3.2.4.5 of this SE. Based on that evaluation, the staff found the design of the PUR-1 I&C systems includes the necessary features to facilitate the performance of the surveillance checks, calibrations, and inspections required by the TS and these design features provide acceptable provisions to demonstrate operability of the RPCS. Due to the interconnected nature of the PUR-1 I&C systems, the evaluation and conclusion regarding surveillance provided in Section 3.2.4.5 of this SE also pertain to the control console/display instruments.

Therefore, based on its review in Section 3.2.4.5 of this SE, the NRC staff concludes that the design of the control console/display instruments follows the guidance in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2) for instruments and the controls in the control console to provide for checking operability, inserting test signals, performing calibrations, and verifying trip settings.

The following paragraphs and Sections 3.3.3.7 and 3.8 of this SE discuss surveillance testing of the RPCS (including the control console/display instruments).

Section 50.36(c)(3) of 10 CFR requires that TSs include surveillance requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met. In addition, the design acceptance criteria for the RPS in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2) recommend a TS review to verify that appropriate SRs and intervals are specified to ensure that the instruments and equipment will perform their functions, as designed.

Section 7.6.g of the LAR (Ref. 1) states that calibrations and periodic maintenance is required to account for drift in certain measurement devices used by the control console. Section 7.10 of the LAR (Ref. 1) contains a table of surveillances that list and describe the annual electronic calibrations. Additionally, the RAI responses (Ref. 7) state that TS 4.2.d requires a channel check of each of the scram capabilities specified in Table I of TS 3.2 to be performed prior to each days startup. Performance of this SR introduces simulated signals on the face of the neutron flux monitoring channels. These signals then propagate down the signal stream to induce a scram. Various binary contact operations (LED indication) can be seen both on the operator screen and the face of the neutron flux monitoring channels to verify standard performance. Additionally, the licensee proposed adding a new SR to verify operability of any system that is repaired or replaced prior to that system being deemed operable. This TS is reviewed and found acceptable in Section 3.8.4 of this SE.

Based on its review of the information provided, the NRC staff finds the SRs and the intervals applicable to the proposed display instruments and the controls in the control console help ensure the control console and display instruments are operable and will perform their functions as designed. As such, the NRC staff finds the PUR-1 control console/display instruments follow the guidance in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2) and the annunciator and alarm panels on the control console provide adequate indication of the status of the reactor and its systems to support operators in safe operation and shutdown of the reactor.

Therefore, the NRC staff concludes that the proposed RPCS, including the RPS, follow the guidance in NUREG-1537 (Ref. 9.2) for testing capabilities and related surveillances to verify the availability and reliable operation of the RPCS and meets the 10 CFR 50.36(c) requirements that TSs include SRs relating to test, calibration, or inspection to assure that the necessary quality of the DI&C systems and components is maintained and is acceptable.

3.4.3.5. Human Factors Section 7.1 of the LAR (Ref. 1) indicates that human factors was considered in the information displayed and the characteristics of the displays (e.g., location, range, type, and resolution) to support operator awareness of the system and facility status, and the displays support facility operators in making appropriate decisions. HMI principles were used in the location of I&Cs for the control console and displays and in the display screens. Ease of operator access to historic information was also considered to allow the operator to find historic information of a facility parameter (as well as its current value) in no more than three screen changes.

The licensee used the design principles described in Section 3.1.4 of the HMI Functions Software Design Description, General HMI Display Requirements, (Ref. 7.1). These design principles are related to grouping and organization, data flow, navigation, information, control, fonts and readability, use of color, scales and resolution, and charts and graphs. During the Audit (Ref. 5), the NRC staff observed examples of HMI considerations such as color indications to show whether a rod drive switch is active or not or that parameters with similar system functions and functionality are grouped together on the main summary screen of the secondary display. Section 7.6.a of the LAR (Ref. 1) describes that all trip and warning indications are red or yellow, respectively.

Figure 6 provides an example of the color and wording change for a scram. The figure provides the example, Makeup Water RAM SCRAM, which shows the indicator has changed from green to red and the wording changed from NORMAL to SCRAM. The operator can select each annunciator alarm by left-clicking the indicator to display trends and graphs. The trends and graphs allow the operator to display any parameter value. The graphs are auto-scaling (which the operator can control) and bad signal quality is indicated with a magenta colored plot line.

Figure 6 - Digital Annunciator screen showing a Makeup Water RAM Scram The NRC staff finds that the proposed PUR-1 control console and display instruments are sufficiently designed and located to promote ease and efficiency in the performance of operations necessary for the safe control of the reactor. Further, the PUR-1 design provides the necessary outputs and displays of the reactor status and the displays are readily observable by the operator at the reactor controls. Therefore, the NRC staff concludes the PUR-1 I&C systems meet the design acceptance criteria for human factors in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2).

3.4.3.6. Annunciators Section 3.3.2.3 and Section 3.3.3 of the FRS (Ref. 2.1) describe the annunciator panel and alarm design requirements, respectively. During the Audit (Ref. 5), the NRC staff discussed the various alarm types, the indications available when they actuate and how the annunciator works to establish an understanding of the information docketed in the LAR. As described in Section 3.2.1.1 of this SE, a House alarm signals a site evacuation, Class 0 Alarms signal a reactor room evacuation, Class 1 Alarms actuate an annunciator alarm on the console, and Class 2 Alarms appear in the RCS alarm summary display screen, but do not activate an annunciator alarm. The annunciator screen will automatically pop up on the operator console, in addition to a buzzer alarm, in response to any condition that causes a scram or setback condition. An annunciator acknowledge button must be actuated for any annunciator that signaled a reactor scram before magnet power can be reapplied. The annunciator screen shows the subsystem that caused the scram.

Section 7.4, Reactor Protection System, of the LAR (Ref. 1) describes the annunciator alarms.

Annunciator alarms are achieved using three sets of horns. The first horn gives audible indication of a setback or scram and can be turned off using the annunciator acknowledge button. Pressing this button does not prevent the annunciator alarm from re-activating if another event occurs that would normally set off the alarm. The second horn is the Room Alarm, which indicates the need to evacuate the room in the event of a radiological event. An operator or other facility personnel would activate the room alarm manually. The third alarm is the Facility or House Alarm, which is also accessible to the operator and indicates the need to evacuate the entire reactor facility. (Refer to Section 3.2.1.1 of this SE). During the Audit (Ref. 5), the NRC staff reviewed the FAT results for the house alarm and confirmed that annunciator functionality was successfully tested and demonstrated per the design requirements stated in the LAR.

The HMI Functions Software Design Description (Ref. 7.1) provides the input parameters for the annunciator display screen. The software requirements for the annunciator screen are described in the RCS Control Algorithm Software reviewed during the Audit (Ref. 5). The functionality of all annunciators are tested through an annunciator test function. The annunciator tiles are tested using Indicator Test and Reset buttons as described in the HMI Functions Software Design Description. The Indicator Test button lights all operator console indicators, annunciator tiles, and the Class 1 Alarm Horn. The Indicator Reset button will reset any latches set for the annunciator digital output signals and remove any previous test selection.

Additionally, a channel check of each of the scram capabilities in Table 1 of PUR-1 TS 4.2.d (Ref. 1) is required prior to each days startup. In its RAI response (Ref. 7), the licensee confirmed that the scram indication capabilities of the screen, annunciator panel, and auxiliary panel are verified.

The NRC staff finds that the proposed annunciator alarms for PUR-1 clearly show the status of operating systems, interlocks, and confinement, as well as facility conditions such as radiation levels. Additionally, the system/channel surveillance tests include the annunciators and displays and these tests satisfy the TS 4.2, 4.3, and 4.4 requirements for operability of the various annunciator alarms. As a result, the NRC staff concludes the annunciators meet the design acceptance criteria in NUREG-1537, Part 2 (Ref. 9.2).

3.4.3.7. Quality Section 3.7.1 of this SE describes the QAP followed by Purdue for the PUR-1 RPCS DI&C upgrade and evaluates the PUR-1 digital I&C systems using the acceptance criteria identified in ANSI/ANS-15.8 (Ref. 16), which is endorsed by Regulatory Guide (RG) 2.5 (Ref. 20).

Conclusion for Control Console/Display On the basis of its evaluation of the information presented above, the NRC staff concludes that the LAR, as supplemented, contains sufficient control console/display information. Specifically, the NRC staff concludes:

All nuclear and process parameters important to safe and effective operation of the PUR-1 reactor will be displayed at the control console. The display devices for these parameters are easily understood and readily observable by an operator at the reactor controls. The control console design and operator interface are sufficient to promote safe reactor operation.

The design of the output instruments and the controls in the operator console provides appropriate features for checking operability, inserting test signals, performing calibrations, and verifying trip settings. The availability and use of these features will help ensure that the console devices and subsystems will operate as designed.

The annunciator and alarm panels on the control console provide adequate indication of the status of the reactor and its systems to support operators in safe operation and shutdown of the reactor.

The locking key switch on the control console reasonably ensures that the reactor facility will not be operated by unauthorized personnel.

3.5. Radiation Monitoring System System Description of the Radiation Monitoring System The RMS consists of three RAMs and one CAM. The purpose of these monitors is to indicate radiation levels at important locations and provide information to the operator. The RAMs measure the intensity of gamma radiation while the CAM measures the activity of airborne particulates. The units contain screens displaying the radiation levels. Section 7.7 of the LAR (Ref. 1) describes the RAMs as Thermo Electron RMS-3 Radiation Monitors with DA1-X series detectors. The CAM is an AMS-4 Beta Particulate Monitor, which contains a main processing unit to perform signal validity and self-checks on outputs and inputs to the system.

Section 3.5.2 of the FRS (Ref. 2.1) describes the locations of the RAMs. The locations of the RAMs detector heads will be: one at the pool top near the control rod drives, one on the wall next to the water process system, and one near the operators console. The current system uses scintillation radiation area monitors with a range of 0.05 to 60 milliroentgen equivalent man per hour (mR/hr). As described in Section 7.7 of the LAR (Ref. 1), new Geiger-Mueller counters will be used, which cover a broader range of 0.01-100 mR/hr. Each RAM has an operating temperature range of -40 to +50 degrees C, which is well within the PUR-1 environmental conditions identified in Section 3.3.3.3 of this SE.

Section 3.5.2 of the FRS (Ref. 2.1) states that in addition to the local displays on the equipment, the RAM meter readings are replicated on the operator console for each RAM system. Each RAM can initiate an automatic scram using external relays as part of the RPS to remove magnet power followed by a shutdown of the ventilation system through a trip signal or radiation level signal. The LAR (Ref. 1) states that the RCS can provide coincident audible and visible alarms, and cause a reactor scram through the PLC. The three RAMs will have four connections each to the RCS system. Three digital output signals will indicate a system failure, alarm, or alert.

An analog output signal indicates the current dose rate. Figures 3-6 and 3-7 of the HDD (Ref. 7.2) describe the signals, connections, components, and terminations of the radiation area monitors to the RPS magnet circuit and the RCS PLC.

The LAR (Ref. 1) states that the CAM is required for the reactor room and that, in addition to the local display on the equipment, the CAM meter readings are replicated on the operator console.

The CAM is located within the reactor room. Its range is 0-100,000 cps, the flow rate is 0.4 6to 4 cubic feet per minute (ft3/min), and it has local and remote indicators. The equipment is rated for an operating temperature range from 0 to 50 degrees C, which is well within the PUR-1 environmental conditions identified in Section 3.3.3.3 of this SE.

The CAM initiates an automatic scram using external relays as part of the RPS to remove magnet power followed by a shutdown of the ventilation system through a trip signal or radiation level signal. The RCS can provide coincident audible and visible alarms, and cause a reactor scram through the PLC. The CAM has three connections to the RCS system. One digital output to indicate the state of the system, one digital output to indicate an alarm, and an analog output signal to indicate the current dose rate. Figures 3-8, and 3-9 of the HDD (Ref. 7.2) describe the wiring terminations for connections between the CAM, the RCS PLC, and the RPS magnet circuit.

Section 7.7 of the LAR (Ref. 1) states that the RAMs and CAM can initiate an automatic scram through the RPS by using external relays to remove magnet power followed by a shutdown of the reactor room ventilation system through a trip signal or radiation level signal. In the RCS, the PLC monitors the functionality of the radiation monitoring equipment and will also interrupt magnet power if the radiation level exceeds the setpoint or signal quality becomes unacceptable. There are no real-time effluent radiation monitors, but effluent release is approximated with dosimetry placed near the exhaust of the facility.

Technical Evaluation of the Radiation Monitoring System Design Basis This section of the SE documents the NRC staff review and evaluation of the design basis of the RMS against the design acceptance criteria identified in the guidance of Section 3.1 and Section 7.7 of NUREG-1537, Part 2 (Ref. 9.2).

Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relationship between the design bases and the principal design criteria and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR. In Section 7.7 of the proposed LAR (Ref. 1), the licensee described the design bases and criteria for the RMS.

As discussed in SE Section 3.5.1, the licensee selected the new RAM and CAM instrumentation to ensure a complete range of radiation monitoring and sampling equipment, appropriate to the facility, is employed. During the Audit (Ref. 5), the NRC staff confirmed that the new radiation monitoring equipment has sufficient range to cover the expected variation of the monitored variables during normal reactor operation and potential accident conditions, as stated by the licensee in the LAR (Ref. 1). Based on its documentation review and audit observations, the NRC staff finds that the design specifications of the new RMS meet or exceed the operating ranges and sensitivity requirements of the equipment approved by the NRC during license renewal (Ref. 11) and currently in use at the PUR-1. In addition, the NRC staff finds that the new RMS equipment provides the same inputs to the RPS as the current equipment.

Section 7.7 of the LAR (Ref. 1) states that the RAMs and CAM can initiate an automatic scram through the RPS by using external relays to remove magnet power. Additionally, the reactor room ventilation system is shutdown through a trip signal or radiation level signal. In the RCS, the PLC monitors the functionality of the radiation monitoring equipment and will also interrupt magnet power if the radiation level exceeds the setpoint or the equipment signal quality becomes unacceptable.

Table II, Safety-Related Channels (Area Radiation Monitors), referenced by PUR-1 TS 3.2 (Ref. 12) provides the setpoints for the RAMs and CAM. In the LAR, the licensee proposed minor changes to the table, including the removal of slow scram, but did not change the maximum setpoint values. The licensee also proposed to update Table II to allow that actual trip points can be set less than the TS values. The acceptability of these proposed TS changes is evaluated in Section 3.8.2 of this SE.

The licensee stated that the RMS setpoints are determined with the assumption that the instrumentation was operating with up to 50 percent uncertainty, as assumed in the accident analyses (Chapter 13) of the licensees SAR, and the most conservative values for analyzing safety conditions were used even though expected error is expected to be no greater than approximately one percent (Ref. 1). As stated in Section 3.3.2 of this SE, environmental conditions of the reactor room are measured and controlled and all of the new equipment has been confirmed to operate in the anticipated conditions. Environmental and EMI/RFI considerations are discussed in more detail in Section 3.3.3.3 of this SE. In addition to these systems, portable radiation monitors and personal dosimetry are available to help monitor and assess radiation exposure and prevent overexposure of workers and other personnel.

During the Audit (Ref. 5), the NRC staff reviewed the RAM and CAM algorithms of the RCS found in the SRS-SDD, as well as the results of the FAT performed for both the RAMs and CAM. The NRC staff confirmed that the tests performed were consistent with the guidance for V&V (Ref. 18) of the RAM and the test results verified program installation, verified the final RAM documentation, and validated that the RAM systems operated satisfactorily. The licensee committed to reperform the entire FAT and SAT (Ref. 22) prior to starting up the reactor, if the LAR is approved, to verify the functionality of the entire RPCS, including verifying the functionality of the RMS (see SE Section 3.7.4).

Based on the information provided and reviewed, the NRC staff finds that the design basis meets the expected range of operation and accuracy, describes interfaces with other analog and digital systems, provides adequate descriptions of the equipment its purposes, considers environmental conditions, is sufficiently reliable for operation in the intended environment, contains adequate accident monitoring and response time, and considers the effects of any new failure modes. As such, the NRC staff concludes that the RMS design meets the acceptance criteria in Section 7.7 of NUREG-1537, Part 2 (Ref. 9.2).

Technical Evaluation of the RMS Design Criteria This section of the SE documents the NRC staffs review and evaluation of the proposed design of the RMS to perform its functions based on the appropriate design criteria to satisfy the 10 CFR 50.34(a)(3) and 50.34(b) requirements. The NRC staff evaluated the design of the proposed RMS using acceptance criteria in Section 7.7 of NUREG-1537, including acceptance criteria from the guidance and industry standards referenced by Section 7.7 of NUREG-1537, and listed in Section 2 of this SE.

The licensee described the design bases and criteria for the RMS in Section 7.7 of the LAR (Ref. 1).

3.5.3.1. Single Failure As described in Section 7.7, Radiation Monitoring Systems, of the LAR (Ref. 1), the RAMs and the CAM are connected to the RCS and RPS via separate pathways. As stated in the LAR, the RCS displays dose or counts for the CAM and each RAM. The CAM and RAMs each provide an analog output signal to the RCS for the dose or count rate and a digital contact to the RPS for a scram on high level. The RCS monitors the dose or count rate signal for the CAM and RAMs and independently provides a scram signal to the RPS if any monitored dose or count rate exceeds the high level setpoint. To gain a better understanding of the information submitted by the licensee in the LAR (Ref. 1), the NRC staff reviewed the RMS operation during the Audit (Ref. 5). The NRC staff noted that each RAM and the CAM have a separate contact within the RPS scram circuit. If one of the RAMS or the CAM detects an unsafe condition, it will open its respective contact within the RPS scram circuit to independently scram the reactor.

The licensee does not credit the RCS for safe shutdown of the reactor in the SAR. However, the RCS provides a redundant method to shut down the reactor by interrupting magnet current using the RCS scram relay to initiate a scram. The RCS also provides the ability to scram the reactor if one of the RAMs or CAM has an equipment failure or poor signal quality.

Based on the information provided in the LAR and in the documentation reviewed during the Audit, the NRC staff finds that a failure of the proposed PUR-1 RMS or components connected to the RCS, including new or unique failure modes specific to DI&C, will not impede the RPS circuit from performing its safety function or prevent safe reactor shutdown. Therefore, the NRC staff concludes that the RMS meets the single failure design acceptance criteria in Section 7.7 of NUREG-1537, Part 2 (Ref. 9.2).

3.5.3.2. Independence As discussed in Section 3.5.1 of this SE, each RAM and the CAM have a separate contact within the RPS scram circuit. Any unit detecting an unsafe condition provides a diverse and independent means to scram the reactor. Additionally, the connections of the RAMs and CAM to the RCS allow for the independent ability to scram the reactor if the RAMs or CAM have any equipment failure or poor signal quality. In the RCS, the PLC monitors the functionality of the radiation monitoring equipment and will interrupt magnet power if the radiation level exceeds the setpoint or signal quality becomes unacceptable.

Based on its review of the information provided, the NRC staff concludes that the RMS design includes diverse and independent means to protect the reactor if any single component or channel fails. Additionally, the NRC staff finds the RMS is designed not to fail or operate in a manner that would prevent the RPS from performing its safety function, or prevent safe reactor shutdown. Therefore, the NRC staff finds that the proposed RMS for PUR-1 meets the independence design acceptance criteria in Section 1.2, 7.4, and 7.7 of NUREG-1537, Part 2 (Ref. 9.2) for diverse channels for radiation monitoring so that a single failure or malfunction cannot disable the protective function.

3.5.3.3. Surveillance The guidance in Section 7.7 of NUREG-1537, Part 2 (Ref. 9.2) recommends that the design of the control console, display instruments, and equipment be readily testable and capable of being accurately calibrated and that appropriate surveillance tests and intervals are provided to ensure that the instruments and equipment will be operable and reliably perform their functions.

Section 4.1 of the FRS (Ref. 2.1) documents the system design requirements for test and calibration of the RPCS, including the RMS, to demonstrate operability of the RPCS. These design requirements are described and evaluated in Section 3.2.4.5 of this SE. Based on that evaluation, the staff found the design of the PUR-1 I&C systems includes the necessary features to facilitate the performance of the required surveillance checks, calibrations, and inspections required by the TS, and these design features provide acceptable provisions to demonstrate operability of the RPCS. Due to the interconnected nature of the PUR-1 I&C systems, the evaluation and conclusion regarding surveillance provided in Section 3.2.4.5 of this SE also pertain to the RMS. Therefore, based on its review in Section 3.2.4.5 of this SE, the NRC staff concludes that the design of the RMS follows the guidance in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2) for the RMS to provide for checking operability, inserting test signals, performing calibrations, and verifying trip settings. Surveillance testing of the RPCS (including the RMS) are discussed in the following paragraphs and in SE Sections 3.3.3.7 and 3.8.

Section 50.36(c)(3) of 10 CFR requires that surveillance requirements relating to test, calibration, or inspection assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met. In addition, the design acceptance criteria for the RPS in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2) recommend a TS review to verify that appropriate surveillance tests and intervals are specified to ensure that instruments and equipment will perform their functions, as designed.

The licensee did not propose any changes to the approved TS surveillance requirements for the RMS as part of this LAR (Ref. 1). PUR-1 TS 4.2.b requires completion of a daily channel check on the radiation monitoring system equipment during periods when the reactor is operation.

TS 4.2.b also requires an annual calibration of the RAMs and CAM listed in Table II Safety-Related Channels (Area Radiation Monitors) of TS 3.2. Additionally, PUR-1 TS 4.2.e requires a biannual surveillance of the pool top radiation monitoring equipments offsite alarm.

The NRC staff approved the existing SRs for the RAMs and CAM during license renewal (Ref. 11). Based on review of the information, the NRC staff finds the same SRs are applicable to the new RMS. The RMS SRs, as applied to the proposed system, follow the guidance in Section 7.6 of NUREG-1537, Part 2 (Ref. 9.2) to provide for easy testing and accurate calibration, and the surveillance tests and intervals specified provide assurance that the system and equipment will be operable and reliably perform its functions. Therefore, the NRC staff concludes that the proposed PUR-1 RMS meets the 10 CFR 50.36(c) requirements for surveillances to help ensure the RAMs and CAM are operable to protect the reactor when necessary.

3.5.3.4. Human Factors As discussed previously in Sections 3.3.3.9 and 3.4.3.5 of this SE, the licensee used the vendors human factors engineering guidelines in developing the FRS for the I&C systems. In the LAR (Ref. 1), the licensee described the principles followed to design the HMI. Specifically, Purdue required that the reactor operator should be able to view critical reactor parameters at all times and that the operator should be able to find historic information of a facility parameter (as well as its current value) in no more than three screen changes. During the Audit (Ref. 5),

the NRC staff reviewed the installed RMS equipment and how it interfaces with the RPS and the RCS. The RMS variables can be selected by the summary screen of the RCS which is on the secondary display of the control console. In the event of a failure of the RCS, the radiation level can also be seen on the local displays of the RAMs or CAM. Failure of any of these interfaces with the RCS will not prevent the RMS inputs to the RPS from performing their safety function.

Based on the discussion above, as well as the discussion in Sections 3.3.3.9 and 3.4.3.5 of this SE, the NRC staff finds that the selection, type, location, and display of proposed PUR-1 RMS parameters were determined considering human factors analyses. For these reasons, the NRC staff concludes the RMS meets the acceptance criteria for human factors in Section 7.7 of NUREG-1537, Part 2 (Ref. 9.2).

3.5.3.5. Display and Recording As previously described in Sections 3.4.3.5 and 3.5.3.4 of this SE, the licensee stated that all trends and display graphs on the RCS may display any parameter value, including the RMS variables. Additionally, the operator has the ability to configure the trend displays to enter a Start Time and End Time to allow working with archive data and or real-time data (Ref. 2.1).

During the Audit (Ref. 5), the NRC staff observed operation of the displays and confirmed the graphs are auto scaling (at operators discretion) and that operators may archive data and access previously archived historic facility data. Section 7.6.c of the LAR (Ref. 1) states that there is no limit on the display range with respect to the actual values of the RMS variables measured. Bad signal quality will result in a magenta plot line. In its RAI response (Ref. 7.1),

the licensee stated that navigational controls for the secondary display (right operator console screen) provide the capability to move sequentially between logical pages in a series, or provide an immediate link to a predefined display. Additionally, the licensee stated that the digital annunciator screen is automatically displayed in the event of a scram or setback. During the Audit (Ref. 5), the licensee and Scientech staff demonstrated that in the event of a scram or setback, including those initiated by the RMS components, the secondary RCS display screen automatically switches to the digital annunciator board which gives more detail about the cause of the scram or setback. Based on the above information, the NRC staff finds that variables that pertain to PUR-1 operation, including those for determining the magnitude of radioactive releases, are recorded for future use.

As discussed in Section 3.4.1 of this SE, the PUR-1 DI&C system also includes two operator console mounted trend recorders. These recorders monitor the signals listed previously in Table 2 of this SE. As stated in the LAR (Ref. 1), the value displayed on the operator console may be checked by confirming the same value is being recorded on the Yokogowa Chart Recorders as well as verifying the value on the face of the Neutron Flux Monitoring Channels.

As stated in Section 7.6c of LAR (Ref. 1), the designed range of operation for all trends and display graphs is such that they may display any reactor-related parameter value. Further, the graphs are auto-scaling and there is no limit on display range with respect to the actual values of the parameters measured. Based on the information provided, the NRC staff finds that RAM displays, essential for operator action and the RCS, provide direct or immediate trend or rate information to the operator. Additionally, the NRC staff finds that trend information essential for operator action is continuously available on dedicated trend displays and selectively available on other displays to provide redundancy.

Section 7.1 of the LAR (Ref. 1) addresses NUREG-1537, Part 2 acceptance criteria for determining and continuously assessing that the magnitude of any radioactive release is available to the operator. The primary device for the detection of the release of fission products is the CAM. The CAM has a readout locally and on the operator console to indicate the CAM dose or counts. The CAM provides a scram signal to the RPS if the dose or count rate exceeds the high level setpoint. The licensee stated that, there are no real-time effluent radiation monitors. However, the effluent dose release is approximated with required monitoring by the dose readings obtained through the effluent surveillances of TS 4.7. This monitoring is accomplished via dosimetry placed at the exhaust of the facility and at a location inside the reactor room, which represents the hypothetical minimum distance between a member of the public and the reactor pool (Ref. 10), as approved by the NRC staff for license renewal (Ref. 11). The licensee did not propose changes to monitoring locations or the surveillance requirements for radioactive effluents. The NRC staff finds that the proposed RMS for PUR-1 has sufficient monitoring and indication to help ensure that the doses to members of the public are below those set forth in 10 CFR 20.1101(d) and 10 CFR 20.1301, Dose limits for individual members of the public.

Based on the discussion in Sections 3.4.3.5 and 3.5.3.4 of this SE, the information included in the LAR, as supplemented, and information reviewed during the Audit, the NRC staff finds that the new RAM system meets or exceeds the functionality of the previously approved system and is acceptable. As such, the NRC staff concludes the PUR-1 RMS meets the applicable design acceptance criteria for display and recording specified in Section 7.7 of NUREG-1537, Part 2 (Ref. 9.2).

3.5.3.6. Quality Section 3.7.1 of this SE evaluates the QAP followed by the licensee for the upgrade of the PUR-1 RPCS DI&C systems, including the RMS. The NRC staffs evaluation uses the design acceptance criteria identified in ANSI/ANS-15.8 (Ref. 16), which is endorsed by RG 2.5 (Ref. 20).

Conclusion on the Radiation Monitoring System On the basis of its evaluation of the information presented above, the NRC staff concludes:

The designs and operating principles of the I&C of the radiation detectors and monitors have been described and have been shown to be applicable to the anticipated sources of radiation.

The licensee adequately discusses the RMS capabilities for monitoring radiation and radioactive sources anticipated at the PUR-1 and the design of the RMS equipment provides reasonable assurance that all such sources will be identified and accurately evaluated.

The RMS described in the SAR continues to provide reasonable assurance that dose rates and effluents at the facility will be detected, and that the health and safety of the facility staff, the environment, and the public will be adequately protected.

3.6. Access Controls Description of PUR-1 Access Controls The licensee describes the PUR-1 access controls in the LAR (Ref. 1), as supplemented by the FRS (Ref. 2.1), the SRS-SDD and the HDD (Refs. 7.1 and 7.2). A description of PUR-1 access controls, based on these references, is provided in this section.

The licensee has incorporated measures to ensure access to the reactor controls are limited to authorized personnel. There are two levels of access restrictions to prevent unauthorized access to the reactor controls. The first is a Windows login required to access the RCS computer and the second is login to the R*Time RCS system itself. The Windows login includes four different levels including: admin (local administrator), rtime (R*Time service account),

Scientech (Scientech admin account), and oper (operator workstation user account). Once logged into the RCS computer, the second login for the R*Time software that drives the RCS has a separate user account system that requires login.

The access levels proposed for the R*Time software include: level 5 (viewer), level 10 (maintenance), level 15 (operator), level 20 (engineer), and level 31 (admin). In its RAI response (Ref. 7), the licensee confirmed it will be adopting the suggested Scientech user levels for the R*Time system. The RAI response also provided further details on the capabilities of each level, as follows:

Level 5 access only allows the user to navigate to non-administrative screens to view historic data and will not allow the user to select a rod for movement or access data archive settings.

Level 10 access allows more screens to be accessed than that which a Level 5 can view and also allows magnet power to be activated.

Level 15 allows the operator to manipulate control rods and use the automatic startup systems.

Level 20 allows the user to use the servo control functionality for the rods.

Level 31 is the highest access level and allows for manipulation of the archiving of data points and also the changing of user profile permission levels. A user assigned Level 31 privileges can also restrict access to certain data points for lower level users.

In its RAI response (Ref. 7), the licensee stated that to change user level permissions, approval by the CORO is required, as these changes constitute a system change under TS 6.2.

The licensee noted during the Audit (Ref. 5) that the RPCS is a closed system that does not connect to any external network. As discussed in Section 3.4 of this SE, there is a secondary workstation with a display that can be used by teaching staff to access various RCS displays, but data to this workstation is restricted via a one-way data diode to prevent any unauthorized access to the RCS. During the Audit (Ref. 5), the licensee indicated the secondary workstation also serves as a public site server that may be accessed by any IP address on the West Lafayette Campus if the secondary workstation is in operation. This allows for facility personnel not physically located within the reactor room to view current facility status. The secondary workstation is also secured using a password that is separate and different from the main operator console workstation passwords.

As documented in the LAR (Ref. 2.1) and described in Section 3.4 of this SE, there are USB ports in use on the RCS components and others that are not in use. During the Audit (Ref. 5),

to verify the information in the LAR, the NRC staff asked how USB access to the RCS is prevented. The licensee and Scientech staff demonstrated the use of port blockers installed in any unused USB ports. The ports in use by the keyboard and mouse for the control console are located within the cabinet. The ports cannot be accessed without the operator being aware.

Additionally, the system configuration modifies the RCS workstation on an account level, which will deny access to any removable storage device without proper account authorization. During the Audit (Ref. 5), the licensee indicated the key for unlocking the USB port blocker is under administrative control and locked in a security container to prevent unauthorized access.

The keys are secured in a locked cabinet within the reactor facility and access is restricted to authorized personnel only.

Additionally, the LAR describes two sets of keys for the Mirion Channels. The test key allows for the channel to be placed in test mode. In the LAR, (Ref. 1), the licensee explained that the test key must be under control of a licensed reactor operator or locked in an approved location.

A licensed reactor operator will use the test key to perform the prestart verification of scram capability for each of the channels. The configuration key allows for configuration changes to be made to the channel. The licensee stated that control of the test and configuration keys is maintained by storing them in separate locked cabinets, with access to each key controlled and limited to a specific subset of qualified and trained individuals who have undergone background investigations and have unescorted facility access to the Purdue controlled access areas in accordance with 10 CFR 73.67(d)(4) and 10 CFR 73.57, Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information.

Technical Evaluation of PUR-1 Access Controls This section of the SE details the NRC staff review and evaluation of the design basis of the RPCS using the acceptance criteria guidance in Chapter 7 of NUREG-1537, Part 2, including acceptance criteria from the guidance and industry standards referenced by Chapter 7 of NUREG-1537, as listed in Section 2 of this SE. (Ref. 9.2).

Section 50.34(a)(3)(ii) of 10 CFR requires the applicant to describe the design bases and the relationship between the design bases and the principal design criteria and 10 CFR 50.34(b) requires updating the information to take into account any pertinent information developed since the submittal of the preliminary SAR. Section 7.9 of the proposed SAR, included with the LAR (Ref. 1), describes the design bases and criteria for the proposed I&C systems.

As described in the LAR (Ref. 1) and confirmed by the NRC staff observations during the Audit (Ref. 5), unauthorized reactor operation is prevented through physical barriers, the use of key control measures, and electronic authentication. Access to the room where the reactor controls are located is limited via physical security measures. Access to the RPCS equipment inside the room is limited to personnel authorized by PUR-1 operations staff. Additionally, once someone is able to enter the reactor room, there are three more levels of security to help ensure that only authorized users operate the reactor. As discussed in the LAR, the reactor key, which is required to start the reactor, is secured in a locked cabinet and can only be obtained by an authorized user. In addition to the reactor key, there are two levels of electronic authentication needed in order to access the control console. A user must first be authorized to login to the Windows platform and then must also be authorized to login to the R*Time software. Both of these electronic logins include increasing access levels, which restrict the users ability to operate the controls based on management levels defined in PUR-1 TS 6.1.a.3.

During the Audit (Ref. 5), the NRC staff reviewed PUR-1 access controls and potential security vulnerabilities (physical and electronic) in the developmental phases of the software, as well as the controls to prevent unauthorized physical and electronic access. Additionally, the NRC staff determined that potential security vulnerabilities in the developmental phases of the R*TIME software are limited to those related to configuration management and portable media.

Electronic access through a network-based or wireless-based attack pathway does not exist.

Physical access to the software is protected by physical access control measures. The workstation is configured to provide the ability to export data to removable media without risk to the system. System updates may only be applied following scanning and validation of update media and files, and only by an authorized individual. This authorization is enforced by use of a separate administrative username/password combination that is strictly controlled.

Vulnerabilities related to configuration management are addressed by only allowing official software updates from Scientech to be installed on the workstation (See SE Section 3.7.2).

These updates will be transmitted to the workstation using portable media subject to the above controls.

During the Audit (Ref. 5), the NRC staff confirmed information provided in the LAR (Ref. 1) on controls that govern physical and electronic access to safety system software and data during and after installation - including installation, testing, operations, maintenance, and retirement.

Physical access to the reactor room is restricted, limiting access to the system and software to only authorized personnel. Within the reactor room, there are additional physical access control mechanisms. Electronic access to safety system software is prevented in several ways.

Network-based attacks are prevented by the data diode described above. This one-way deterministic data device eliminates the attack pathway posed by a network connection.

Portable media-based attacks are prevented by the physical protection of ports. Those ports that are easily-accessible are configured to export-only mode, which prevents the introduction of unauthorized data to the system. Wireless-based attacks are prevented by the absence of wireless technology in the system. Other electronic access is controlled by logical access controls within the workstation software and operating system.

Conclusion on Access Controls Based on the information provided and reviewed, the NRC staff evaluated the access control for the PUR-1 DI&C systems in accordance with the design acceptance criteria of Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2), including acceptance criteria from the guidance and industry standards referenced by chapter 7 of NUREG-1537, as listed in Section 2 of this SE. Based on its evaluation of the information presented above, the NRC staff concludes:

The PUR-1 DI&C design adequately incorporates the previous reactor key protection and unauthorized reactor operation continues to be prevented by requiring use of a key at the control console. Additional electronic authentication prevents access to or control of the control console to help ensure operation of the reactor is restricted to authorized personnel.

The hardware design of the PUR-1 DI&C includes physical means to limit access to setpoint and calibration adjustments to the extent necessary to prevent inadvertent or unauthorized adjustments. In addition, the software access authorization of the control console workstation reasonably ensures that the reactor facility will not be accessed or modified by unauthorized personnel.

The licensee has adequately addressed potential access control and security vulnerabilities (physical and electronic) in the developmental phases of the software for the PUR-1 digital safety system.

3.7. Evaluation of Purdue Universitys Digital Upgrade Process This section of the SE documents the NRC staff review and evaluation of the design and development for the digital upgrade of the proposed I&C systems for PUR-1 using the acceptance criteria guidance in Chapter 7 of NUREG-1537 Part 2, including acceptance criteria from the guidance and industry standards referenced by chapter 7 of NUREG-1537, as listed in Section 2 of this SE. (Ref. 9.2).

In the LAR (Ref. 1), the licensee proposed replacing its current I&C systems with digital I&C systems to improve operation and reliability of PUR-1. The previous sections of this SE described and evaluated the I&C systems proposed by the licensee.

For this evaluation, the NRC staff reviewed the design and development process established by the licensee and its I&C systems vendors, Mirion Technologies, Inc., and its subcontractor, Scientech, Inc., who developed the control system and operator console.

Quality Assurance A robust QA program and managerial and administrative controls are necessary to help ensure that the system can perform its required functions. Section 50.34(b)(6)(ii) of 10 CFR, requires a description in the SAR of managerial and administrative controls to be used to help ensure safe operation. Section 7.2.1 of NUREG-1537, Part 1 recommends that all systems and components of the I&C systems should be designed, constructed, and tested to quality standards commensurate with the safety importance of the functions to be performed. Section 12.9 of NUREG-1537, Part 1 states the applicant should consider the guidance in RG 2.5 and ANSI/ANS-15.8-1976 in developing quality assurance programs for non-power reactors. The general requirements for establishing and executing a quality assurance program for the testing, modification, and maintenance of research reactors in ANSI/ANS-15.8 (Ref. 16), which is endorsed by RG 2.5, provide an acceptable method for complying with the quality requirements of 10 CFR 50.34. However, ANSI/ANS 15.8 recognizes that the described controls are integral to the management of a facility and that it is not necessary to establish a separate QA program for a facility upgrade such as an upgrade to the I&C systems. ANSI/ANS-15.1 (Ref. 15) provides guidance on documenting the managerial and administrative controls in the facility TSs.

In Section 7.8 of the LAR (Ref. 1), the licensee stated, [A] QA program will be developed, maintained, and utilized in accordance with the guidance of ANS/ANSI-15.8-1995. During its review of the design documentation (Refs. 2 and 7) and through observations made during the audit (Ref. 5), the NRC staff confirmed that Purdue reviewed and approved the QA documents prepared by the vendor and that the vendors QA program was followed for design and development of the RPCS. The guidance on QA for design development in ANSI/ANS-15.8 recommends that the applicable design inputs, such as design bases, performance requirements, regulatory requirements, codes, and standards, be identified and documented.

ANSI/ANS-15.8 further states that, for purchased items and services, the supplier is responsible for the quality of the product and must provide evidence of that quality. Further, the supplier-generated documents must be controlled, handled, and approved in accordance with established methods. The licensee established these requirements in the Purdue Functional Requirements Specification (Ref. 2.1), Software Requirements Specification and Software Design Description (Ref. 7.1), and Hardware Design Document (Ref. 7.2). The licensee prepared these design specifications to establish the design bases and criteria for the PUR-1 DI&C system and stated, in supplements to the LAR (Ref. 13), that it reviewed and approved all documentation and reports created by Mirion and Scientech. Additionally, the licensee stated it participated in the FAT and SAT conducted by the vendor, and the NRC staff confirmed this during its Audit (Ref. 5).

For the design and development of the replacement RPCS, the following documents were prepared by the PUR-1 vendors:

PUR1-QA-001, Quality Assurance Plan for Purdue, Rev. 0. This plan defines the activities, process, roles and responsibilities regarding quality requirements. This plan also identifies the vendor QA procedures used for the design, development and testing of the RPCS replacement.

PUR1-QA-002 Software Quality Assurance Plan, Rev. 0. This plan covers configuration of the R*TIME software on the Reactor Operator Console display workstation and the development of the site specific Reactor Operator Console display workstation display screens and applications. It also covers the development of the site-specific RTP 3000 control program for the control system functions.

PUR1-VV-001, Software Verification and Validation Plan, Rev. 0. This plan defines the V&V activities to ensure software integrity.

The NRC staff reviewed the vendors QA plans during the Audit (Ref. 5). As described in the audit report, the NRC staff observed that the vendor QA plans described the activities and managerial and administrative controls used to assure safety design and operation of the Purdues I&C systems. Additionally, the NRC staff noted that the PUR-1 Reactor Manager reviewed and approved the QA documents prepared by Scientech. The QA and control activities identified in the licensees design documents (FRS, SRS, HDD) and the vendors QA program included the following: the reactor control and protection system, the control console and display systems, and the radiation monitoring systems as identified in the PUR-1 LCOs.

The Audit Report (Ref. 5) summarizes the information reviewed regarding vendors QA plans and information the NRC staff reviewed in the certificates of conformance and qualifications, and certificate of standards compliance, provided on the neutron channels. During its review of these plan and certificate documents, the NRC staff noted that these documents were prepared, reviewed, and approved by Scientech and the final documents were reviewed and approved by the PUR-1 Reactor Manager.

For the neutron systems, Mirion provided quality records of the tests performed to verify design and operation of their components. Mirion designed and qualified the DWK-250, DAK-250g, and DGK-250 in accordance with its QA program and procedures. The NRC staff reviewed results of these qualifications during the Audit (Ref. 5). In the revised Chapter 7 submitted with the LAR (Ref. 1), the licensee identified the standards used to evaluate the performance of the neutron channels. During the Audit (Ref. 5), the NRC staff reviewed these documents and observed that the neutron channels were tested in accordance with the Technischer

Überwachungs-Verein (TÜV) qualifications according to German nuclear safety standards

[Kerntechnischer Ausschu] KTA 3501, Reactor protection system and monitoring equipment of the safety system, KTA 3505, Type-testing of measuring sensors and transducers of the safety-related instrumentation and control system, KTA 3507, Factory tests for the instrumentation and controls of the safety system, and KTA 1401, General requirements regarding quality assurance. These KTA guidelines apply to the type approval tests of safety-related I&C systems that perform measurement and control functions in accordance with Category A of international standard IEC 61226, Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions. Category A is equivalent to IEEE 323, Qualifying Class 1E Equipment for Nuclear Power Generating Stations Classification, and to IEEE 344, Seismic Qualification of Equipment for Nuclear Power Generating Stations. Mirion provided copies of testing certificates to Purdue. These certificates are part of the facility documentation for the neutron channels. NRC regulations do not require the use of Classification 1E equipment at research reactors, such as PUR-1. These vendor qualifications are stricter and exceed the applicable non-power reactor guidance of ANSI/ANS-15.8 and NUREG-1537 with regards to RPS and monitoring equipment.

During the Audit (Ref. 5), the licensee and Scientech staff demonstrated RPCS functionality to the NRC staff. However, the RCS performed unexpectedly during the demonstration. The licensee and Scientech staff subsequently fixed the error in the coding and demonstrated the correct operation of the RCS. A TER was generated by the licensee and Scientech representative in accordance with the vendors QAP to document the error and subsequent correction and retest. This event allowed the NRC staff to observe the process and procedures being used for QA.

Based on the Mirion and Scientech information reviewed onsite, the NRC staff concludes that the RPCS and neutron channels were developed in accordance with the vendors QA plan and procedures and properly documented and certified by the licensee. Additionally, based on its review of the LAR, as supplemented, and review of the design bases and design criteria documented in this SE (see SE Sections 3.1.3, 3.2.5, 3.3.4, 3.44, 3.5.4 and 3.6.3), the NRC staff finds the DI&C replacement systems meet or exceed the requirements of the original I&C systems. The NRC staff also finds that the licensee followed the ANSI/ANS-15.8 (Ref. 16) guidance to identify, follow, and document applicable design inputs, such as design bases, performance requirements, regulatory requirements, codes, and standards. Further, consistent with the guidance of ANS/ANSI-15.1 for the conduct of operations, per TS 6.2.c.2, the CORO is required to review major revisions of procedures and proposed changes in reactor facility equipment or systems which have significant safety impact to reactor operations.

Based on the its review of implementation and test (See Section 3.7.4 of this SE) and supported by its Audit, the NRC staff finds that Purdue used a documented test plan to demonstrate that the RPCS is capable of performing its intended function. The staff also finds that satisfactory completion of the RPCS V&V required by the proposed License Condition C.4 in License R-87 will confirm the RPCS has the capability to perform to its design specfications. In addition, PUR-1 TS 6.8 requires that the results of the test be documented and retained in facility records. Also, TS 6.2.d.2 requires the CORO to audit the results of action taken to correct deficiencies that may occur in the reactor facility equipment systems, structures, or methods of operations that affect reactor safety. Therefore, the NRC staff finds that the PUR-1 QA program follows the ANSI/ANS-15-8 guidance in Section 2.3.3 for design verification by the performance of qualification tests.

ANSI/ANS-15.8 (Ref. 16) recognizes that the QA controls are integral to the management of a project or facility and do not necessitate the establishment of a separate program. Accordingly, the NRC staff concludes that the RPCS QA program, which relied on the vendors QA program for the design and development of the RPCS follows the guidance for quality assurance in ANSI/ANS-15-8 and is acceptable. Additionally, the QA provisions for the design, development and test of the PUR-1 RPCS meet the 50.34(b)(6)(ii) requirement that managerial and administrative controls be used to assure safe operation. Accordingly, the NRC staff finds the RPCS QA program acceptable.

Configuration Management The LAR, as supplemented (Refs. 1 and 2.1) describes the requirements for configuration management for PUR-1. Specifically, the licensee requires that any change to the facility be documented. Further it requires that configuration of the software be maintained and documented as Appendix II to the Reactor Characteristics and Operation Manual. However, during the Audit (Ref. 5), the NRC staff noted that the licensee had not established a separate configuration management plan for modifications or replacements of the upgraded I&C systems.

This observation was the basis for an NRC RAI (Ref. 6) that asked how configuration management for the RCS software will be maintained and controlled. In its RAI response (Ref. 13), the licensee stated that Appendix II to the Reactor Characteristics and Operations Manual will contain a reverse chronological list of changes made to the software following final installation of the system. This list of software changes will include an updated RCS release version identification number as well as an explanation of each set of changes made.

Additionally, old and new values of the calibration parameters will be documented by the licensee. Finally, operators conducting each day's startup will verify the current software version listed on the RPS operator screen matches the version listed at the top of this section of the RCOM. During the Audit (Ref. 5), the licensee demonstrated the method for viewing the software version. The licensee stated that the final procedures to manage configuration changes would be approved by the CORO prior to resuming reactor operations per the requirements of PUR-1 TS 6.2 Review and Audit.

ANSI/ANS 15.8-1995 (Ref. 16) recommends that equipment that requires configuration control be identified and that management be responsible for establishing and maintaining proper configuration and provide written authorization of any changes to safety-related items. The licensee meets the management and administrative criteria through TS 6.2 and TS 6.4, which require the facility management and CORO to:

audit the results of action taken to correct those deficiencies that may occur in the reactor facility equipment systems, structures, or methods of operations that affect reactor safety, which includes the TERs generated against the RPCS testing, and

review and approve written operating procedures to ensure they are adequate to ensure the safe operation of the reactor. This includes the reactor startup procedures, maintenance procedures, surveillance checks, calibrations, and inspections of reactor instrumentation and controls, and administrative controls for operations and maintenance.

Also, PUR-1 TSs 4.2, 4.3, and 4.4 require that before placing equipment into operation, the system must be properly calibrated or checked, as appropriate, and any deficiencies in the equipment or the current configuration of the system documented.

Based on the information reviewed, the NRC staff finds that the design and development of the RPCS digital upgrades uses configuration control that appropriately traces changes to safety system software from point of origin to implementation and that the licensee has a program to ensure installation of the correct version of the RPCS software. The NRC staff also finds that the PUR-1 TSs: 1.) require licensee management to be responsible for establishing and maintaining proper configuration and must authorize any changes to safety-related items and 2.) that all configuration changes to safety-related items are documented. Finally, the NRC staff finds that, before placing equipment into operation, the PUR-1 TSs 6.2 and 6.4 will help ensure that the system is properly calibrated or checked, as appropriate, and any deficiencies in the equipment or the current configuration of the system are documented and corrected. Therefore, the NRC staff concludes that the RPCS configuration management meets the acceptance criteria for configuration management in ANSI/ANS-15.8 (Ref. 16).

Design and Development Process For the digital upgrade, the licensee issued a FRS (Ref. 2.1). This document identified the design requirements for the RPCS and components associated with it, as well as, the design requirements for connections to existing equipment in PUR-1. For replacement of the I&C systems, the licensee acquired new modern digital components but maintained the operability philosophy of the current systems. The licensee stated that the new I&C systems are analogous to the old I&C systems. The proposed upgrade replaces the neutron flux system, reactor operator console, RPS and RCS. Scientech used the FRS to design, develop and test the RPCS, as described in the following sections of this SE.

The NRC staff reviewed the FRS and finds that the document details the system requirements to replace the existing RPCS, as well as the requirements associated with system operation and security. The FRS also defines the requirements for configuration management, testing, and inspection of the RPCS replacement. Based on this information, the NRC staff finds that the FRS accurately identifies the functional characteristics and system requirements for the RPCS.

Therefore, the NRC staff concludes that the proposed RPCS for PUR-1 meets the design acceptance criteria in Chapters 3, 7, 8, 13, and 14 in NUREG-1537, including acceptance criteria for hardware and software for computerized systems applicable to non-power reactor DI&C systems in the guidance and industry standards for digital upgrades referenced in Chapter 7 of NUREG-1537, as listed in Section 2 of this SE. (Ref. 9.2).

Using the licensees FRS (Ref. 2.1), Scientech prepared the Reactor Protection/Control System HMI Functions Software (SRS-SDD) and Reactor Protection/Control System Hardware Design Document (HDD) (Refs. 7.1 and 7.2). The SRS-SDD provides the functional requirements, control functions, algorithms, and displays for operation of the RCS. The HDD defines the overall system design including the type, quantity, and location of all hardware and third-party software in the RPCS replacement system. The licensee and its vendors used these documents to design, develop, test, verify, and validate operation of the RPCS replacement system. The NRC staff reviewed the SRS-SDD and HDD (Refs. 7.1 and 7.2, respectively) and confirmed that the functional requirements defined in the FRS (Ref. 2.1), including potential security vulnerabilities, were acceptably translated in these documents, to further define the design of the PUR-1 I&C systems.

As part of the software development process, the vendor prepared a Software Quality Assurance Plan to define the software QA requirements for the RPCS replacement. The NRC staff reviewed this plan during the Audit (Ref. 5). The plan defined the V&V activities and associated requirements, roles and responsibilities, development activities, defect reporting, and corrective actions followed during the development of the software for the RCS. The NRC staff also reviewed examples of defect reporting created during verification of the RCS. These are described in the audit report (Ref. 5). Based on the information reviewed, The NRC staff finds that this plan established the measures, activities, roles, and responsibilities for the development of a robust software and that the testing program adequately tests all portions of the system design to help ensure that RPCS meets its design requirements and specifications and that it fulfills its intended safety function.

In addition, Scientech prepared a Software Configuration Manual to describe the procedures and information necessary during design, development, and integration for configuration of the hardware and third-party software used in the RCS, as well as, the process to perform configuration management of the RCS files. This document identifies the software version delivered to Purdue. The NRC staff reviewed this document during the Audit (Ref. 5) and observed that the same software version is installed in the RCS. The NRC staff finds that this manual was developed in accordance with the vendors QA plan and that it defines complete and unambiguous procedures followed to design and develop the RCS software. The NRC staff determined that the proposed RPCS for PUR-1 meets design acceptance criteria identified in ANSI/ANS-15.8-1995 (Ref. 16), which is referenced in Section 12.9 of NUREG-1537 (Ref. 9.2) and endorsed by RG 2.5 (Ref. 20).

Based on its review of this information, the NRC staff finds that the design documents for the proposed RPCS for PUR-1 meets the design acceptance criteria for a structured development process for safety and non-safety systems in NUREG-1537, including acceptance criteria that applies to non-power reactor DI&C systems from the guidance and industry standards for digital upgrades referenced in Chapter 7 of NUREG-1537, as listed in Section 2 of this SE. (Ref. 9.2).

Implementation and Testing The design of the RPCS was implemented and tested in accordance with the process described in the Software Verification and Validation Plan (SVVP) for PUR-1. During the Audit (Ref. 5),

the NRC staff observed that this document describes V&V activities performed during the design, development and testing of the RPCS. These activities were mapped to the development lifecycle of the RPCS. The audit report (Ref. 5) summarizes information reviewed in the SVVP. Based on the information reviewed, the NRC staff determined that the vendor established and followed a clear and robust software development process. In addition, Scientech performed the V&V activities described in the SVVP and these tests were witnessed by the licensee. The results of these activities were recorded on V&V forms, which were signed by the licensee. Scientech provided a summary report of the V&V activities and the individual V&V forms are available to the licensee upon request. During the Audit (Ref. 5), NRC staff confirmed the information in the summary report was consistent with all V&V forms prepared and completed for PUR-1.

As part of V&V activities, it is common industry practice to use a requirements traceability matrix (RTM) to verify that all system requirements were met. The SVVP required the creation and use of the RTM. Scientech did not prepare an RTM for this project, but instead used the FAT to verify that all RPCS requirements were properly implemented. Scientech used the requirements identified in the FRS (Ref. 2.1) and SRS/SDD (Ref. 7.1) to develop the FAT and then performed the FAT to confirm that the RPCS performed the required functions. During the Audit (Ref. 5), the NRC staff reviewed the results from the FAT, and observed that the performance of the I&C systems met the design specifications.

For the neutron channels, Mirion used its test procedures. During the Audit (Ref. 5), the NRC staff reviewed Mirions test procedures and results for the neutron channels, including the complete FAT and SAT reports. For testing of the RPCS, Scientech prepared a Test Plan.

The NRC staff reviewed this plan during the Audit (Ref. 5). The NRC staff observed that this plan defined the requirements to verify functional requirements of the RPCS and associated subsystem (including new and existing reused equipment for the PUR-1). This plan included requirements and activities for unit testing, integration testing, FAT and SAT. The audit report (Ref. 5) details the information included in this plan and the information reviewed by the NRC staff.

The licensee and its vendors performed FAT of the control algorithm, system integration, physical inspection and rod drop timing. The audit report (Ref. 5) details the activities and results obtained during these tests. During the Audit, the NRC staff observed that these tests were completed in August and September 2016. The NRC staff confirmed that the majority of the tests were successfully completed. For the tests that were not satisfactorily completed, Scientech prepared TERs that described the problems encountered. Most of the test exceptions were later resolved, as described in the licensees RAI response (Ref. 7). However, in its RAI response, the licensee stated that some TERs generated in the testing phase were due to the inability to fully implement the DI&C system interface with the facility (Ref. 13).

During the Audit (Ref. 5) and in the RAI response (Ref. 7), the licensee noted that it will perform complete testing of the system, including repeating all FAT and SAT tests, to verify that all test exceptions were properly resolved and that the RPCS replacement meets the requirements identified in the FRS (Ref. 2.1) and SRS-SDD (Ref. 7.1). These test results will be approved by the PUR-1 Reactor Supervisor and audited by the CORO prior to resuming reactor operations with the new I&C systems (Ref. 1).

After the FAT was completed, the licensee performed the tests identified in the Site Acceptance Test for Parallel Installation. The SAT was performed to demonstrate functionality of the RPCS replacement control algorithms and to show conformance with the FRS (Ref. 2.1) after parallel installation with the existing (reactor) system. The audit report (Ref. 5) details the activities and results obtained during SAT. During the Audit, the NRC staff reviewed the test report and observed that all tests were passed, except those tests that required connection to existing systems. As mentioned before, the licensee will perform these tests before the RPCS is connected to the reactor.

Based on the information reviewed, the NRC staff finds that the licensee and its vendors defined clear and complete plans to test the replacement RPCS. The NRC staff observed that test reports were prepared to summarize test activities, acceptance criteria, results, and identify test exceptions or pending tests, which will be completed again if the LAR is approved by the NRC.

Therefore, the NRC staff finds that the design implementation of the proposed RPCS for PUR-1 is appropriate and that the design was, or will be, tested in accordance with the vendors QA program and plans. Accordingly, the NRC staff concludes that the design implementation and testing of the replacement RPCS meets the design acceptance criteria associated with digital upgrades in NUREG-1537, including design acceptance criteria that apply to non-power reactor DI&C systems from the guidance and industry standards for digital upgrades referenced in Chapter 7 of NUREG-1537, as listed in Section 2 of this SE. (Ref. 9.2).

Conclusion for Digital Upgrades Based on the information provided and reviewed, the NRC staff evaluated the RPCS design, including the development, implementation and testing process, in accordance with the design acceptance criteria associated with performing digital upgrades in Chapter 3, 7, 8, 12, 13, and 14 in NUREG-1537, including the applicable acceptance criteria for non-power reactor DI&C systems in the guidance and industry standards for digital upgrades referenced in Chapter 7 of NUREG-1537, as listed in Section 2 of this SE (Ref. 9.2).

The NRC staff finds that the development, implementation and testing process for the RPCS design followed by the licensee and its vendors produced a reliable and fail-safe RPCS that is acceptable for use in PUR-1. Specifically, the NRC staff concludes that the replacement RPCS provides reasonable assurance that the PUR-1 can operate safely without exceeding the safety limit established in the PUR-1 TS, based on the following:

The PUR-1 DI&C design adequately documents the design bases and the functional characteristics of the safety system hardware and software and the requirement specifications are properly described for each requirement.

The quality of the software and hardware components follows the established non-power reactor guidance using a graded approach consistent with the degree of the safety importance and reliability goals of the RPCS system and the replacement, modification, or changes to the facility I&C systems meet or exceed the requirements of the original systems or components.

The PUR-1 DI&C design adequately documents the validation and verification of the safety system software development activities and the documentation exists to show that the V&V tasks will be successfully accomplished for the RPCS system to verify conformance of the PUR-1 structures, systems, and components to the specified requirements.

The PUR-1 DI&C design adequately documents that the configuration management program appropriately traces changes to safety system softwarefrom their point of origin to implementationand addresses any impacts on system safety, control console, or display instruments.

The PUR-1 DI&C design provides assurance that the required computer system hardware and software are installed in the appropriate system configuration and the licensee has a management program to ensure that the correct version of the software/firmware is installed in the correct hardware components.

3.8. Evaluation of Proposed Changes to Technical Specifications The PUR-1 TS define specific features, characteristics, and conditions governing the operation of the facility. As part of the LAR (Ref. 1), as supplemented, the licensee proposed changes to the PUR-1 TS primarily to correspond to design and operational changes resulting from the replacement of the PUR-1 I&C systems by the digital RPCS. The licensee also proposed two additional TS changes that corrected terminology references and clarified procedural requirements.

The NRC staff reviewed the format and content of the proposed TSs for consistency with the guidance in NUREG-1537, Part 1, Chapter 14, and Appendix 14.1, and ANSI/ANS-15.1-2007 (Refs. 15 and 9.2). The NRC staff specifically evaluated the content of the TSs to determine if the PUR-1 TSs meet the requirements in 10 CFR 50.36, Technical specifications.

TS 1.32 Reactor Secured In the LAR, as supplemented by responses to RAIs (Refs. 1 and 7), the licensee proposed to add condition b.6 to PUR-1 TS 1.32, the list of conditions to meet the definition of Reactor Secured. The licensee proposed an additional condition that defines when the PUR-1 is secured to ensure the digital control console is placed in a state that will prevent unauthorized access to the digital console and stored parameters.

The current TS 1.32 states:

1.32 Reactor Secured - A reactor is secured when

b. Or the following conditions exist:

1. Both shim-safeties and the regulating rod shall be fully inserted

2. Electrical power to the control rod circuits shall be switched off

3. The reactor key shall be out of the key switch and under control of a licensed operator or locked in an approved location

4. No work shall be in progress involving core fuel, core structure, installed control rods, or control rod drives unless they are physically decoupled from the control rods

5. No experiments shall be moved or serviced that have, on movement, a reactivity worth exceeding the maximum value allowed for a single experiment The proposed TS 1.32 would add the following condition:

6. The control console is placed in a permissions status where the controls are not operable.

The definition of Reactor Secured in PUR-1 TS 1.32 describes the status of the reactor and the equipment requirements to place the facility in a suitable and safe condition to allow the facility to be unattended by reactor operations personnel (e.g. during evenings and weekends).

The licensee stated that, while magnet power for the control rods cannot be enabled while conditions in PUR-1 TS 1.32.b.2 and TS 1.32.b.3 have been met, the additional condition of PUR-1 TS 1.32.b.6 further assures the secured status of the reactor. During the Audit (Ref. 5),

the NRC staff observed that this new condition is related to the control of access to the new RPCS operator workstation computer. In its response to an RAI (Ref. 7), the licensee stated that the new operator workstation computer has multiple levels of access such as viewer, maintenance, operator, engineer, and administrator. Reactor operators and other authorized users are assigned a unique profile and each profile has a unique login and password with one of the aforementioned access levels. When the reactor operator (user) logs out of the system, additional security is provided for the system and its archived data. Further, the addition of the reactor secured requirement for the controls to be inoperable also ensures the control algorithm and archived data is unavailable for modification.

Based on its review of the information provided, as well as information reviewed and activities observed during the Audit, the NRC staff finds that the condition in which the reactor control console is placed into a permissions status where the controls are not operable is necessary to ensure that the reactor is secured and can be left unattended. The NRC staff finds that the definition of "reactor secured" is consistent with the guidance in Appendix 14.1 of NUREG-1537, Part 1 (Ref. 9.1) and the definition in ANSI/ANS 15.1-1990 (Ref. 15) that describes when the reactor is secured. The new definition is important for determining when the TS 6.1 minimum staffing requirements need to be met and under what conditions the reactor may be unattended.

Therefore, the NRC staff concludes that the proposed TS meets the 10 CFR 50.36(c)(5) requirements for administrative controls to assure operation of the facility in a safe manner and is acceptable.

TS 3.2 Reactor Safety System In the LAR and supplements (Refs. 1, 3 and 7), the licensee proposed that PUR-1 TS 3.2, Reactor Safety System, be modified to change the conditions under which the two shim-safety rods are permitted to be moved more than 6 cm from the fully inserted position. The proposed changes are discussed separately below.

3.8.2.1. Proposed Change to Add PUR-1 TS 3.2.e The licensee proposed to add a new condition e. to specify that building power must be available and an action statement providing a time limit to shut down the reactor if building power is lost.

The current TS 3.2 states:

3.2 Reactor Safety System Specification - The two shim-safeties shall not be moved more than 6 cm from the fully inserted position unless the following conditions are met:

a. The reactor safety channels and safety-related instrumentation shall be operable in accordance with Tables I and II including the minimum number of channels and the indicated maximum or minimum set points.

b. Both shim-safety rods and the regulating rod shall be operable.

c. The time from the initiation of a scram condition in the scram circuit until the shim-safety rod reaches the rod lower limit switch shall not exceed one second.

d. The pool top radiation monitor shall be capable of indicating an alarm to off-site reactor staff when a high limit is reached and the reactor has been secured.

The alarm may be out of service up to thirty days. Loss of functionality beyond thirty days shall require a visual pool level inspection in intervals of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , not to exceed 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

The proposed TS 3.2 would add the following condition:

e. Building alternating current power must be supplied to the reactor Instrumentation and Control during normal operation. Loss of power shall require immediate shutdown by the operator to be completed within an interval of 15 minutes.

Historically, non-power reactors are designed for fail-safe passive shutdown by a reactor scram in the event of the loss of offsite electrical services. The proposed PUR-1 TS 3.2.e would add a specific requirement to require building power as a condition for reactor operations and completion of shutdown within a brief period. The licensee stated (Ref. 7) that this condition was not required before the LAR because building power directly supplied the I&C equipment and scram magnets, so it was not possible to operate the reactor. However, with the addition of the proposed UPS units, a scram will not occur since the UPS units will provide backup power automatically to the RPCS. These new UPS units have sufficient capacity to provide power to the RPCS for up to 30 minutes. However, it is not appropriate to operate the reactor under these conditions because other building and reactor support systems, such as room lighting and the HVAC system, have no power. This TS condition will preclude operation of the reactor when there is no building power and if the building loses power during reactor operations, the specification would allow 15 minutes for the operator to perform a controlled shutdown instead of causing an automatic reactor scram.

The guidance in Section 8.1 of NUREG-1537, states that TS should be provided to ensure operability commensurate with power requirements for reactor shutdown and that the design of the electrical power system provides that in the event of the loss or interruption of electrical power the reactor can be safely shut down. Based on its review of the proposed PUR-1 TS 3.2.e requirement to preclude operation of the reactor without building power, the NRC staff finds that PUR-1 TS 3.2.e is consistent with the guidance in Section 8.1, Normal Electrical Power Systems in NUREG-1537 (Ref. 8). The NRC staff also finds that 15 minutes is a reasonable amount of time to conduct an orderly shutdown of the reactor based on the analysis of the capacity and operability of the UPS units because they are designed and rated to provide a minimum of 30 minutes of backup power. Based on the above, the NRC staff concludes that proposed TS 3.2.e establishes the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Therefore, TS 3.2.e meets the 10 CFR 50.36(c)(2) requirement for an LCO and is acceptable.

3.8.2.2. Proposed Changes to Table I, SAFETY CHANNELS REQUIRED FOR OPERATION of PUR-1 TS 3.2 The licensee proposed three types of changes to TS 3.2, Table I, SAFETY CHANNELS REQUIRED FOR OPERATION (Refs. 1, 3, and 7). These changes, which are based on the upgraded DI&C systems, would revise (i) the channel names, (ii) the channel setpoints, and (iii) the description of the channel scram functions.

(i) Channel - The licensee proposed changes to the Channel names to reflect that the new NFMS channels monitor change rate instead of period. In the first row of the first column, Log count rate and period would change to Log count rate and change rate. In the second row of the first column and in note (a) of the table, Log N and period would change to Log N and change rate. Additionally, the licensee proposed to change note (c) from Period and counts per second to Counts per second. The NRC staff finds the licensees proposed changes correctly update the channel description to monitor change rate instead of reactor period consistent with the SAR and meets the 10 CFR 50.36(c)(2) requirement to establish the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Therefore, the changes to the TS 3.2, Table I channel names are acceptable.

(ii) Setpoint - The licensee proposed to change the units of Table I setpoints, from seconds (sec) to units of percent per second (%/s) for the setback, scram, and rod withdrawal interlock, with corresponding changes to the numerical values of the setpoints to the equivalent setpoint in units of %/s for change rate. Specifically, the Setback setpoint would be changed from 12 sec or greater to 8 %/s or less. The scram setpoint would change from 7 sec or greater to 15 %/s or less. The Rod withdrawal interlock setpoint would change from 15 sec or greater to 6 %/s or less.

Reactor period is defined as the time required for reactor power to change by a factor of e, where e is the base of the natural logarithm and is equal to approximately 2.718282. The relationship between reactor power and reactor period is expressed by the equation: P = P0et/,

where is the reactor period.

Table 5 provides the results of calculations the NRC staff performed to confirm the proposed setpoint unit conversion from period to change rate.

Table 5 - Confirmatory calculations for proposed protective setpoints Protective function Legacy Calculated Proposed setpoint change rate setpoint Rod withdrawal interlock 15 sec 6.89 %/s 6 %/s Setback 12 sec 8.69 %/s 8 %/s Scram 7 sec 15.36 %/s 15 %/s Based on its calculations, the NRC staff concludes that the new change rate settings proposed by the licensee are rounded down to the nearest integer value, providing lower setpoints for operation than currently in PUR TS 3.2. The lower proposed change rate setpoints would initiate protective action sooner and provide a greater safety margin than the existing period setpoints. Additionally, the NRC staff finds that changes from or greater to or less are appropriate given the inverse relationship of period in seconds to change rate in percent per second. Based on the above, the NRC staff finds that proposed changes to the setpoints in Table I of TS 3.2 provide for the lowest functional capability required for safe operation of the facility consistent with the SAR. Therefore, the NRC staff concludes that the proposed changes meet 10 CFR 50.36(c)(2) and are acceptable.

(iii) Function - The licensee also proposed changes to the Function column in Table I to eliminate the distinction between slow and fast scram in the TSs. In the existing analog I&C systems, the fast scram circuit cut power to the control rod magnets in less time (a fraction of a second faster) than in a slow scram circuit. Although small, this difference in scram time had a measurable difference in peak power reached during reactivity addition accidents in the prior safety analyses. As discussed in Section 3.3.3.6 of this SE, in the new RPCS there is no slow or fast scram because all scrams occur immediately (at one speed). The licensee stated that the proposed deletion of the word slow and fast where they appear before scram clarifies the scram function. The licensee also proposed to delete the second setpoint entry of 7 sec or greater and the associated Fast scram function to eliminate the duplicate entry that is not necessary given the proposed change to the scram function.

The revised entries that result from the licensees proposed changes to PUR-1 TS 3.2, Table I, discussed above, are noted in bold typeface in TABLE I. SAFETY CHANNELS REQUIRED FOR OPERATION, below.

TABLE I. SAFETY CHANNELS REQUIRED FOR OPERATION Minimum Number Channel Required Setpoint (c)(d) Function 2 cps or greater 2 cps rod withdrawal interlock Log count rate 8 %/s or less Setback 1(a) and change rate 15 %/s or less Scram 6 %/s or less Rod withdrawal interlock 8 %/s or less Setback 15 %/s or less Scram Log N and 1(b) 6 %/s or less Rod withdrawal interlock change Rate 12kW, 120% Operating Scram power level, or less 0% Selected Range, or Setback greater 110% Selected Range Setback Linear 1 or less 120% Selected Range Scram or less 11 kW, 110% Setback Operating power level, or less Safety 1(b) 12 kW, 120% Scram Operating power level, or less Manual Scram (console) 1 Scram (hallway) 1 Scram (a) Not required after Log N-Change Rate channel comes on scale.

(b) Required to be operable but not on scale at startup.

(c) All percentage based setpoints shall be tripped when the measured value is greater than or equal to the specified value. Counts per second (cps) setpoints are at values less than or equal to the specified value.

Exception: Trip point for 0% shall happen as the value goes from the positive to negative value.

(d) Setbacks shall be set such that they will be initiated prior to a Scram Based on the review of the information of the proposed changes to the Table I, SAFETY CHANNELS REQUIRED FOR OPERATION of PUR-1 TS 3.2, the NRC staff finds that the changes accurately reflect the new NFMS channels and the display units for the RPCS equipment and are consistent with the SAR. The proposed changes are consistent with the guidance, in Section 7.4 of NUREG-1537, Part 2, that recommends marking the monitored parameters that detect the need for protective action. The changes also meet the requirement in 10 CFR 50.36(c)(2) that LCOs provide the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Therefore, the NRC staff concludes that the proposed changes to Table I of TS 3.2 are acceptable.

3.8.2.3. Proposed Changes to Table II, SAFETY-RELATED CHANNELS (AREA RADIATION MONITORS) of PUR-1 TS 3.2 In the LAR and supplements (Refs 1 and 3), the licensee proposed changes to Table II of PUR-1 TS 3.2 to reflect changes to the RAM setpoints and to the function column.

The licensee proposed to change the setpoint for the Pool top monitor from 50 mR/hr or 2x full power background to 50 mR/hr, 2x full power background, or less than either and both Water process and Console Monitor setpoints, from 7 1/2 mR/hr to 7 1/2 mR/hr or less. The licensee stated that the fixed monitors will still initiate a scram whenever the preset alarm point is exceeded to warn of high radiation conditions. However, the addition of or less after each setpoint value allows the flexibility to set a lower setpoint value and provides a greater safety margin because the lower setpoints initiate protective action sooner.

The licensee also proposed changes to the Function column of Table II. The revision would change the function listed for the Pool top monitor, Water process, and Console monitor from Slow scram to Scram. As discussed in 3.3.3.6 of this SE, in the new RPCS there is no slow or fast scram because all scrams occur immediately (at one speed). The proposed deletion of the word slow before scram clarifies the scram function consistent with the proposed RPCS.

The revised entries that result from the licensees proposed changes to Table II of TS 3.2, are noted in bold typeface, below.

TABLE II. SAFETY-RELATED CHANNELS (AREA RADIATION MONITORS)

Minimum Number Channel Required(e) Setpoint Function Pool top monitor 1 50 mR/hr, 2x full power Scram background, or less than either Water process 1 7 1/2 mR/hr or less Scram Console Monitor 1 7 1/2 mR/hr or less Scram Continuous air sampler 1 Stated on sampler Air sampling (e) For periods of one week or for the duration of a reactor run, a radiation monitor may be replaced by a gamma sensitive instrument which has its own alarm and is observable by the reactor operator.

Based on the review of the proposed changes to the Table II, the NRC staff finds that adding or less to the setpoint values for the Pool top monitor, Water process, and Console monitor RAM channels retains the existing maximum setpoint, of the approved TS (Ref. 11), while also allowing the setting to be lower, and thus more conservative. The NRC staff finds that the licensees proposed changes to the Function column correctly reflect the scram function performance of the new RPCS, which is at one speed.

Additionally, the NRC staff finds that the proposed changes are consistent with the Section 7.7 of NUREG-1537, Part 2, guidance that the licensee provide a description of the equipment, systems, and devices that will give reasonable assurance that dose rates and effluents at the facility will be acceptably detected, and that the health and safety of the facility staff, the environment, and the public will be acceptably protected. Additionally, the NRC staff finds the licensees proposed changes meet the 10 CFR 20.1101(b) requirements to use, to the extent practical, procedures and engineering controls based on sound radiation protection principles to achieve occupational doses and doses to members of the public that are as low as reasonably achievable. The NRC staff also finds the licensees proposed changes meet the 10 CFR 50.36(c)(2) requirement that LCOs provide the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Therefore, the NRC staff concludes that proposed changes for Setpoint and Function in Table II of TS 3.2 are acceptable.

TS 3.3 Primary Coolant Conditions The licensee requested that PUR-1 TS 3.3 a, Primary Coolant Conditions be revised to reflect the use the units of electrolytic conductivity (Siemens) rather than the units of resistivity (ohm cm). The licensee proposed that coolant conductivity replace coolant resistivity and that greater than 330,000 ohm-cm be changed to less than 3 Siemens/cm.

The proposed TS 3.3.a (with revised text noted in bold typeface) states:

3.3 Primary Coolant Conditions Specification -

a. The primary coolant conductivity shall be maintained at a value less than 3 Siemens/cm.

In the LAR (Ref. 1), the licensee stated that the current LCO for primary coolant in PUR-1 TS 3.3.a is specified in units of resistivity rather than conductivity. The licensee noted that this is inconsistent with the current PUR-1 surveillance (TS 4.3) for PUR-1 TS 3.3, which requires conductivity to be recorded monthly.

The licensee stated that continuous monitoring of water quality for conductivity is available in the new digital RPCS system. The new digital RPCS system instrumentation indicates the water quality value in units of conductivity (Siemens/cm). The licensee also stated that the change to reference in TS 3.3.a from resistivity to conductivity makes the units of measure for the LCO value and the surveillance value the same and consistent with the indicated value of the new equipment. This also eliminates the need for the operator to convert the indicated water quality value to determine if the indicated water quality is within specification.

Based on its review, the NRC staff finds that the changes are compatible with the new RPCS equipment display, and consistent with the guidance in Section 5.2 of NUREG-1537, Part 2, that the licensee maintain high water quality to limit corrosion of fuel cladding, control and safety rods, the reactor pool and other essential components. Additionally, the NRC staff finds that changing the setpoint from greater than to less than is appropriate given the inverse relationship of resistivity in (ohm-cm) to conductivity in Siemens per cm and is compatible with the new RPCS equipment display. The NRC staff also finds that the licensees proposed changes meet the 10 CFR 50.36(c)(2) requirement that LCOs provide the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Based on the above, the NRC staff finds that proposed changes to TS 3.3.a are acceptable.

TS 4.2 Reactor Safety System The licensee proposed that PUR-1 TS 4.2.b be modified by changing the term Safety Channels to the term Safety-Related Channels. Additionally, the licensee proposed two new surveillance requirements: PUR-1 TS 4.2.f, a SR for the two new UPS units, and TS 4.2.g, a requirement for an electronic calibration after changes are made to components affecting channels in TABLE I. SAFETY CHANNELS REQUIRED FOR OPERATION, of PUR-1 TS 3.2.

3.8.4.1. Proposed Changes to TS 4.2.b.

In a supplement to the LAR (Ref. 3), the licensee stated the TS 4.2.b reference to safety Channels was inadvertently omitted from Purdues license renewal application (Ref. 10). This reference is inconsistent with the title of Table II. SAFETY-RELATED CHANNELS (AREA RADIATION MONITORS) of PUR-1 TS 3.2.

The proposed TS 4.2.b (with revised text noted in bold typeface) states:

b. A channel check on the radiation monitoring equipment shall be completed daily during periods when the reactor is in operation. Calibration of the Safety-Related Channels specified in Table II and hand held radiation survey instruments shall be performed annually, with no interval to exceed 15 months. Calibration may be deferred with CORO approval during periods of reactor shutdown, but shall be performed prior to startup.

Based on its review of the PUR-1 TS, the NRC staff finds that the SR 4.2.b contains an error in the reference to TS 3.2, Table II and should refer to safety-related channels. The licensees proposed revision is appropriate to make the SR text consistent with the title of TS 3.2, Table II.

The NRC staff finds that the licensees proposed change is consistent with the guidance provided in Appendix 14.1 of NUREG-1537, Part 1 (Ref. 9.1) that a TS not be ambiguous and that it clearly identify the parameter or function to be measured or tested. Accordingly, the NRC staff finds that proposed TS 4.2.b meets the 10 CFR 50.36(c)(3) requirement that SRs relating to test, calibration, or inspection assure that the necessary quality of systems and components is maintained and is acceptable.

3.8.4.2. Proposed Changes to TS 4.2 f.

In a response to an RAI (Ref. 7), the licensee proposed the addition of TS 4.2.f to prescribe the frequency and scope of the surveillance to demonstrate the minimum performance level of the UPS units. The new SR would require an annual requirement to verify that the UPS units can provide power for at least 30 minutes corresponding to the LCO of proposed PUR-1 TS 3.2 e discussed in Section 3.8.2.1 of this SE.

The proposed TS 4.2 f. states:

f. A simulated loss of off-site power shall be performed annually with no interval to exceed 15 months to verify the UPS units are capable of providing Instrumentation and Control power for at least 30 minutes.

Based on its review of the information for PUR-1 TS 4.2.f the NRC staff finds that the surveillance interval provided in PUR-1 TS 4.2.f. is consistent with the guidance for surveillance frequencies in ANSI/ANS 15.1 (Ref. 15) and is sufficient to help ensure the continued performance of the UPS units. Accordingly, the NRC staff finds that proposed TS 4.2.f meets the 10 CFR 50.36(c)(3) requirement that TSs include SRs relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that LCOs (here, TS 3.2.e) will be met.

Therefore, the NRC staff finds that the addition of PUR-1 TS 4.2.f. is acceptable.

3.8.4.3. Proposed Changes to TS 4.2.g In a response to an RAI (Ref. 7), the licensee proposed the addition of PUR-1 TS 4.2.g to specify the surveillance required following replacement, repair, or modification of components impacting Channels in Table I of PUR-1 TS 3.2.

The proposed TS 4.2.g states:

g. Appropriate surveillance testing on any technical specification required system shall be conducted after replacement, repair, or modification before the system is considered operable and returned to service.

Based on its review of the LAR, as supplemented, the NRC staff finds that the surveillance is consistent with the ANSI/ANS-15.1-2007 (Ref. 15) guidance that appropriate surveillance testing on any TS required system is conducted after replacement, repair, or modification before the system is considered operable and returned to service for use in the PUR-1. The NRC staff also finds that proposed TS 4.2.g requirement for surveillance following replacement, repair, or modification meets the 10 CFR 50.36(c)(3) requirement that TSs include SRs relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained. Accordingly, the NRC staff finds that the addition of TS 4.2.g. is acceptable.

TS 4.4 Confinement In a supplement to the LAR (Ref. 3), the licensee proposed to delete the reference to fuel clad in PUR-1 TS 4.4 by removing the phrase and fuel clad from the applicability statement and the phrase and the fuel clad from the objective statement. The licensee stated that the reference to fuel clad in the TS 4.4 SR for confinement is inconsistent with the related LCO in PUR-1 TS 3.4.

The proposed applicability and objective statements for PUR-1 TS 4.4 are:

Applicability - This specification applies to the surveillance requirements for maintaining the integrity of the reactor room.

Objective - The objective is to assure that the integrity of the reactor room is maintained, by specifying average surveillance intervals.

The guidance of NUREG-1537, Appendix 14.1 (Ref. 9.1), recommends that surveillance related specifications clearly identify the parameter or function of the corresponding LCO to be measured or tested, the method of test, and the frequency. The NRC staff reviewed the current and proposed TS and noted that PUR-1 TS 3.4 does not include an LCO for the fuel cladding.

Additionally, TS 3.4, which the NRC staff approved during license renewal, only applies to the integrity of the reactor room and not the fuel clad. The licensee inadvertently included these TS phrases when it proposed to consolidate a SR and a design feature related to fuel parameters in response to an RAI (Ref. 23).

The NRC staff finds that the TS 4.4 references to the fuel clad in the applicability and objective statements were requested in error during the license renewal (Ref. 11) and the requested change is necessary to align the SR with the relevant LCO for confinement. The NRC staff finds the change is consistent with the guidance provided in NUREG-1537, Part 1, Appendix 14.1 (Ref. 9.1) to ensure the actual wording of the specifications is not ambiguous and clearly identifies the parameter to be measured or inspected. Accordingly, the NRC staff finds that proposed TS 4.4 meets the 10 CFR 50.36(c)(3) requirement that SRs relating to test, calibration, or inspection assure that the necessary quality of systems and components is maintained. Based on its review of the above information, the NRC staff finds that the proposed changes to TS SR 4.4 are acceptable.

TS 4.6 Fuel Parameters In the LAR and the responses to RAI (Refs. 1 and 7), the licensee requested that PUR-1 TS 4.6, Fuel Parameters, be modified to specify that the fuel plate assemblies be visually inspected, whereas the current TS do not specify the means for inspection. Specifically, the licensee proposed adding through visual inspection of the assembly in reference to fuel plate inspections under PUR-1 TS 4.6.

The proposed TS 4.6 (with the new text in bold typeface) states:

4.6 Fuel Parameters Specification - Representative fuel plates shall be inspected annually, with no interval to exceed 15 months through visual inspection of the assembly. Representative is set forth to mean at least one plate from the assembly expected to have the highest burn as well as a plate from one of the 12 remaining, non-control assemblies.

In response to an RAI (Ref. 7), the licensee explained that the change proposed to PUR-1 TS 4.6 is unrelated to the I&C replacement. The license renewal review (Ref. 11) determined the maximum hypothetical accident involved a fuel handling accident. In an effort to increase the safety margin of the facility, reduce risk to health and safety of the public and conform with ALARA principles, the change would clarify that the SR for fuel integrity is met by visual verification of the assembly integrity on an annual basis. The licensee stated that this change minimizes the required fuel handling by allowing the licensee to perform the surveillance within the confines of the reactor pool.

The NRC staff noted that the NRC SER on license renewal (Ref. 11) found PUR-1 TS 4.6 acceptable because TS 4.6 establishes inspection requirements for the fuel to detect gross failure or visual deterioration by performing periodic visual inspection. The NRC staff finds that the proposed change to PUR-1 TS 4.6 is consistent with the guidance provided in Appendix 14.1 of NUREG-1537, Part 1 (Ref 9.1) to conduct periodic visual inspection of fuel, clarifies the scope of fuel inspection previously found acceptable by the NRC staff and is consistent with the 10 CFR 50.36(c)(3) requirement that a SR assure the necessary quality of the fuel is maintained. Based on the information provided above, the NRC staff finds that PUR-1 TS 4.6 is acceptable.

Changes to PUR-1 TS Bases The regulation at 10 CFR 50.36(a)(1) states that a summary statement of the bases or reasons for such speci"cations, other than those covering administrative controls, shall also be included in the application, but shall not become part of the TSs. Consistent with 10 CFR 50.36(a)(1),

the licensee submitted changes to TS Bases as part of the LAR (Ref. 1) that provide the reasons for the proposed TSs. The proposed Bases also follow the guidance provided in Appendix 14.1 to NUREG-1537, Part 1 (Ref. 9.1) and ANSI/ANS-15.1 (Ref. 15).

Conclusion on TS Changes The NRC staff reviewed the safety analyses and TS submitted with the LAR, which included description of the design, testing, and operation of the proposed DI&C. The NRC staff evaluated the PUR-1 TS changes proposed for upgrade of the reactors I&C systems to new digital components. Based on its evaluation of the information presented above, the NRC staff concludes:

The licensee provided TSs in accordance with 10 CFR 50.36(a) and those TS are derived from SAR analyses in the LAR, as supplemented by RAI responses, to satisfy the requirements of 10 CFR 50.36(b).

The proposed TSs implement the recommendations of NUREG-1537, Part 1, and ANSI/ANS-15.1-1990, by using definitions that are acceptable.

The proposed TSs contain limiting conditions for operation that specify the lowest functional capability or performance levels of equipment required for safe operation of the facility, as required by 10 CFR 50.36(c)(2)(i).

The proposed TS surveillance methods and intervals in the LAR are based on discussions and analyses in the SAR of required safety functions and satisfy the requirements of 10 CFR 50.36(c)(3).

The proposed TSs appropriately define the relevant features, characteristics, and conditions governing the operation of the PUR-1 facility.

Operation within the limits of the proposed TSs will not result in offsite radiation exposures in excess of 10 CFR Part 20 guidelines and will reasonably ensures that the facility will continue to function as analyzed in the PUR-1 SAR.

Adherence to the proposed TSs will limit the likelihood of malfunctions and mitigate the consequences to the public of off-normal or accident events.

Evaluation of testing, checking, and calibration provisions, and the bases of TSs, including surveillance tests and intervals, provide reasonable confidence that the proposed RPCS will function as designed.

Therefore, the NRC staff concludes that the proposed TSs provide reasonable assurance that the PUR-1 will be operated as analyzed in the LAR, as supplemented, and that adherence to the proposed TSs will provide reasonable assurance that the health and safety of the public will not be endangered by PUR-1 operation in the proposed manner.

3.9. License Condition on the Purdue University Research Reactor The PUR-1 testing and inspection requirements for the verification and validation of the design of the RPCS are provided in Section 4 of the FRS (Ref 2.1). The FRS specifies the manner in which the functionality of the new RPCS is demonstrated to document conformance with the RPCS design basis and design criteria for the PUR-1. During its Audit (Ref. 5), the NRC staff noted that several test procedures for the FAT and SAT were not conducted due to missing hardware, system interfaces, or required connection to the reactor and that some tests indicated unsatisfactory results. The NRC staff also noted that a master list of the tests performed did not exist and the licensee did not generate test exception records for the missing and failed tests.

In an RAI (Ref. 6), the NRC staff asked the licensee to explain how these tests are being tracked and when the tests will be completed. In its RAI response (Ref. 7 and 12), Purdue stated that final installation of the RPCS is required to complete all of the testing in the FAT and SAT and that to complete these tests, the core will be defueled to allow for rod movement without the potential for criticality. The licensee further stated that the master list of deficiencies and missing tests is not required because the entire FAT and SAT will be redone following final installation and any anomalies during this final integral testing will be resolved via TERs.

Additionally, the license stated that all TERs generated during testing will be provided to the NRC staff with the proposed PUR-1 Start-Up plan.

The NRC staffs findings of reasonable assurance are based on the licensees commitment to complete V&V testing satisfactorily (Refs. 7 and 12). The NRC staff findings regarding the adequacy of the system includes completion of the additional testing to be done by the licensee to confirm adherence to the design bases, design criteria, and Commissions regulations.

Therefore, the licensee proposed a License Condition which would require performance of V&V testing, FAT, and SAT on the RCPS and that the test results, including any actions to correct deficiencies, be reviewed by the CORO, and reviewed and approved by the reactor facility director, prior to resuming reactor operations. The license condition is as follows:

4. Reactor Protection and Control Systems Purdue University shall perform verification and validation testing, factory acceptance testing, and site acceptance testing described in the application for license amendment dated February 27, 2017, as supplemented by letters dated December 18, 2017, and March 2, 2019, on the reactor protection and control systems.

The test results and any action taken to correct deficiencies shall be reviewed by the Purdue University Committee on Reactor Operations and reviewed and approved by the Facility Director prior to resuming operation of the reactor.

The NRC staff finds that the condition above will ensure that testing is completed as described in the application to verify the capability of the RPCS to perform its design function.

Accordingly, the NRC staff will include a license condition C.4 in License R-87 for the PUR-1 research reactor to ensure the licensees commitments/representations made in the LAR, as supplemented, regarding performing V&V testing on the RPCS digital I&C systems.

3.10. Conclusion of the Safety Evaluation The NRC staff reviewed the LAR, as supplemented, for the modification to upgrade the PUR-1 I&C systems to a new all-digital system. The licensee submitted information for the NRC staff to evaluate the LAR in accordance with the NRCs regulations using the applicable guidance provided in Chapter 7 of NUREG-1537, Part 2 (Ref. 9.2). The NRC staff reviewed the safety analyses submitted, which included descriptions of the design, testing, and operation of the proposed DI&C, and conducted a regulatory audit to gain a better understanding of the information in the LAR, facility status, and the PUR-1 digital I&C upgrade. The staff found the proposed revisions to Chapter 7 of the SAR, as supplemented, are appropriate and the amendment authorizes the licensee to incorporate the revisions in its SAR. The NRC staff finds that the licensees request to upgrade the I&C systems for PUR 1 with new DI&C systems, as discussed in this SE, and the proposed changes to the PUR-1 TSs are acceptable, provided the licensee meets License Condition C.4. On this basis, the NRC staff concludes that the new DI&C systems are acceptable because they are designed in accordance with PUR-1s design basis and design criteria, will allow the PUR-1 to safely operate as analyzed in the LAR, as supplemented, and that adherence to the proposed TSs will limit the likelihood of malfunctions as discussed in this SE.

4. ENVIRONMENTAL CONSIDERATIONS The NRC regulation, 10 CFR 51.22(b), states that no environmental assessment or environmental impact statement is required for any action when the category of action, for which the Commission has declared to be a categorical exclusion by finding that the action does not individually or cumulatively have a significant effect on the human environment, is met.

The issuance of this amendment involves changes in the installation or use of a facility component located within the restricted area, as defined in 10 CFR Part 20 and changes to SRs. Therefore, the issuance of the amendment meets the definition of categorical exclusion in 10 CFR 51.22(c)(9) criteria below:

(i) The amendment or exemption involves no significant hazards consideration;

[10 CFR 51.22(c)(9)(i)]

Pursuant to 10 CFR 50.92(c) the Commission may make a final determination that a license amendment involves no significant hazards consideration if operation of the facility, in accordance with the proposed amendment, would not:

(1) involve a significant increase in the probability or consequences of an accident previously evaluated [10 CFR 50.92(c)(1)]; or The license amendment allows the upgrade of the reactor console and instrumentation to an all DI&C system. As discussed in Section 3 of this SE, which includes the evaluation of the design bases and criteria for the RCS, RPS, display system, and radiation monitors, no substantive changes were made for the SL or LSSS setpoints in the proposed license amendment. The shutdown margin and calculation methodology were not modified and the shutdown margin requirement previously approved by the NRC is maintained. The licensee used the same conservative factors for instrument error and delay time as previously approved by the NRC, even though the new digital upgrade allows for a faster response time and is more accurate. The new system does not include the ability to bypass RCS interlocks. The new system includes diverse means to scram the reactor. The RPS is always capable of shutting down and maintaining safe shutdown of the reactor. Consequently, the proposed amendment does not change the accident analyses previously approved by the NRC for the PUR-1.

For these reasons, there is no significant increase in the probability or consequence of an accident previously evaluated.

(2) Create the possibility of a new of different kind of accident from any accident previously evaluated [10 CFR 50.92(c)(2)]; or The licensee evaluated the credible accident scenarios in the license renewal SAR (Ref. 10) for PUR-1 and the NRC staff previously found the results of these accident analyses to be acceptable when it renewed the license (Ref. 11). The existing TS SL and LSSS are unchanged by this LAR and Purdue remains bounded by the previous accident analyses found to be acceptable by the NRC staff when it renewed the license.

Proposed changes to the LCOs do not change the lowest functional capability or the performance levels of equipment required for safe operation of the facility. Additionally, the proposed DI&C upgrade does not fundamentally change the manner in which the PUR-1 is operated. For these reasons, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.

(3) Involve a significant reduction in a margin of safety [10 CFR 50.92(c)(3)]

The existing and proposed PUR-1 TS will continue to help ensure the ability to safely operate PUR-1. As discussed in Section 3 of this SE, the proposed TS include provisions that would initiate protective action sooner and provide a greater safety margin and no changes adversely affect the safety margins. Because the facility personnel and the public health and safety will continue to be adequately protected, the amendment does not involve a significant reduction in the margin of safety for these reasons.

Based on the above, the NRC staff concludes that this amendment involves no significant hazards consideration.

(ii) There is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite; and [10 CFR 50.92(c)(9)(ii)]

The DI&C upgrade and TS changes do not change the reactor source term, the fission products generated, or amounts of any effluents that may be released offsite because there is no change to the facility design and procedures that control radiation sources and potential effluents. In addition, the amendment does not change the potential release paths from the facility and does not change the PUR-1 radiation protection program or radioactive waste management program. For these reasons, there is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

(iii) There is no significant increase individual or cumulative occupational radiation exposure.

[10 CFR 50.92(c)(9)(iii)]

The amendment does not change the licensed power level or significantly alter reactor operations or requirements. The site perimeter (controlled area) and basic configuration of the facility are unchanged from that approved previously by the NRC staff during license renewal (Ref. 11). The amendment will not change existing administrative controls or the radiation protection program at PUR-1 for limiting individual or cumulative occupational radiation doses. The TSs and SRs will continue to help minimize individual and cumulative occupational radiation exposure. Accordingly, the resultant occupational dose remains unchanged and well within the regulatory limits of 10 CFR Part 20. For these reasons, there is no significant increase in individual or cumulative occupational radiation exposure.

In summary, the NRC staff has determined that the amendment involves no significant hazards consideration. There is no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and no significant increases in individual or cumulative occupational radiation exposure. The amendment also makes editorial, corrective, or other minor revisions to the TSs. Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9) and 10 CFR 51.22(c)(10)(v). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment needs to be prepared in connection with the issuance of the amendment.

5. CONCLUSION The NRC staff has concluded, on the basis of the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors: D. Warner, NRR R. Alvarado, NRR H. Akhavannik, NRR D. Hardesty, NRR A. Adams, NRR W. Schuster, NRR C. Montgomery, NRR Date: April 1, 2019

6. TABLE OF ACRONYMS 10 CFR Title 10 of the Code of Federal Regulations CAM Continuous Air Monitor DAS Data Acquisition System DI&C Digital Instrumentation and Control EMI/RFI Electromagnetic Interference/Radio Frequency Interference FAT Factory Acceptance Test FRS Functional Requirements Specification HDD Hardware Design Document HMI Human Machine Interface HVAC Heating Ventilation and Air Conditioning System I&C Instrumentation and Control ISG Interim Staff Guidance LAR License Amendment Request LCO Limiting Conditions for Operation LSSS Limiting Safety System Setting NFMS Neutron Flux Monitoring System NRC U.S. Nuclear Regulatory Commission PCS Power Conditioning System PLC Programmable Logic Controller PUR-1 Purdue University Reactor QA Quality Assurance QAP Quality Assurance Program RAI Request for Additional Information RAM Area Radiation Monitor RCS Reactor Control System RDS Rod Drive System RMS Radiation Monitoring System RPCS Reactor Protection/Control System RPS Reactor Protection System RRPDMS Reactor Room Pressure Differential Monitoring System RWMU Reactor Water & Makeup System SAR Safety Analysis Report SAT Site Acceptance Testing SE Safety Evaluation SR Surveillance Requirements SRS-SDD Software Requirement Specification - Software Design Document TER Test Evaluation Report UPS Uninterruptable Power Supply

7. REFERENCES

1. Purdue University, Purdue University - Submittal of License Amendment Request, dated February 27, 2017, ADAMS Package No. ML17061A257.

2. Purdue University, Supplemental Documentation - Submission of License Amendment Request, dated June 21, 2017, ADAMS Package No. ML17172A634.

2.1. Purdue University, Purdue University Research Reactor - PUR1-FRS-001, Revision 4, Reactor Protection/Control System Replacement Project, Functional Requirements Specification, dated September 30, 2016, ADAMS Accession No. ML17172A638.

2.2. Drawing Purdue Univ. - Drawing No. PUR1-HDD-001-16, Revision 3, RPS Wiring Sheet 1 of 2, dated November 30, 2016, ADAMS Accession No. ML17142A285. (Security-related information withheld per 10 CFR 2.390)

3. Purdue University, Revisions to Technical Specification Submission Supporting License Amendment Request, PUR-1, Docket 50-182,dated September 20, 2018, ADAMS Package No. ML18263A156.

3.1. Purdue University, Revisions to Technical Specification Submission Supporting License Amendment Request, PUR-1, Docket 50-182, dated September 20, 2018 ADAMS Accession No. ML18263A157.

3.2. Purdue University, Technical Specifications for the Purdue University Reactor, PUR-1, dated September 20, 2018, ADAMS Accession No. ML18263A158.

4. U.S. Nuclear Regulatory Commission, Purdue University Regulatory Audit Plan for Digital Instrumentation and Control Upgrade License Amendment Request, dated August 10, 2017, ADAMS Accession No. ML17220A243.

5. U.S. Nuclear Regulatory Commission, Purdue University Regulatory Audit Report for Digital Control and Instrumentation Upgrade License Amendment Request, dated December 20, 2017, ADAMS Accession No. ML17321B066.

6. U.S. Nuclear Regulatory Commission, Purdue University - Request for Additional Information Regarding the License Amendment of Facility Operating License No. R-87 for Digital Control and Instrumentation Upgrade for the Purdue University Reactor, dated November 13, 2017, ADAMS Accession No. ML17300B451.

7. Purdue University, Purdue University - Request for Additional Information Response for Digital Control and Instrumentation Upgrade License Amendment Request, dated December 18, 2017, ADAMS Accession No. ML18010A895.

7.1. Purdue University, PUR1-SRS-SDD-002 - Purdue University Research Reactor PUR-1 Reactor Protection/Control System HMI Functions Software Design Description, Revision 4, pp. 58 - 224, December 2016, dated December 18, 2017, ADAMS Accession No. ML18010A895.

7.2. Purdue University, PUR1-HDD-001 - Purdue University Research Reactor PUR-1 Reactor Protection/Control System Replacement Project Hardware Design Document, Revision 3, pp. 225 - 352, November 2016, dated December 18, 2017, ADAMS Accession No. ML18010A895.

7.3. Purdue University - Request for Additional Information Response Drawing No. PUR1-HDD-001 Sh. 2 of 2 dated December 18, 2017, ADAMS Accession No. ML18010A897. (Security-related information withheld per 10 CFR 2.390)

8. Purdue University, Interlock Language Retention In Technical Specification Submission Supporting License Amendment Request, PUR-1, Docket 50-182, dated October 5, 2018, ADAMS Accession No. ML18282A191.

9. U.S. Nuclear Regulatory Commission, NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Parts 1 and 2, February 1996, ADAMS Package No. ML12251A353.

9.1. U.S. Nuclear Regulatory Commission, NUREG-1537, Part 1, Format and Content, dated February 28, 1996, ADAMS Accession No. ML042430055.

9.2. U.S. Nuclear Regulatory Commission, NUREG-1537, Part 2, Standard Review Plan and Acceptance Criteria, dated February 28, 1996, ADAMS Accession No. ML042430048.

10. Purdue University, Application for Relicense of License Number R-87 with Power Uprate, Safety Analysis Report, dated July 07, 2008, ADAMS Accession No. ML083040443.

11. U.S. Nuclear Regulatory Commission, Renewal of the Facility Operating License for the Purdue University Research Reactor, PUR-1, dated October 31, 2016, ADAMS Accession No. ML16267A000.

12. Purdue University - Augmented Request For Additional Information Response For Digital Control and Instrumentation Upgrade License Amendment Request, dated March 2, 2018, ADAMS Accession No. ML18061A139.

13. Purdue University, PUR-1 Digital I&C Upgrade, Quality Assurance Program, dated March 2, 2018, ADAMS Accession No. ML18061A140.

14. U.S. Nuclear Regulatory Commission, Summary of March 15, 2018, Public Meeting With Purdue University Regarding License Amendment Application for an All-Digital Instrumentation and Control System, dated April 19, 2018, ADAMS Accession No. ML18082A808.

15. American National Standards Institute/American Nuclear Society, ANSI/ANS-15.1-1990, The Development of Technical Specifications for Research Reactors, ANS, LaGrange, Park, Illinois. December 7, 1990.

16. American National Standards Institute/American Nuclear Society, ANSI/ANS-15.8-1995, Quality Assurance Program Requirements for Research Reactors, ANS, LaGrange, Park, IL, September 12, 1995.

17. American National Standards Institute/American Nuclear Society, ANSI/ANS 15.15-1978, Criteria for the Reactor Safety Systems of Research Reactors, ANS, LaGrange Park, Illinois, 1978.

18. American National Standards Institute/American Nuclear Society, ANSI/ANS 10.4, Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, ANS, LaGrange Park, Illinois, 1987.

19. Institute of Electrical and Electronics Engineers, IEEE Standard 7-4.3.2, IEEE Standard Criteria for Digital Computers Systems in Safety Systems of Nuclear Power Generating Stations, Piscataway, New Jersey, 1993.

20. U.S. Nuclear Regulatory Commission, Regulatory Guide 2.5, Quality Assurance Program Requirements for Research and Test Reactors, dated October 1977, ADAMS Accession No. ML003740135.

21. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152, Criteria for Digital Computers in Safety Systems of Nuclear Power Plants, dated January 1996, ADAMS Accession No. ML003740015.

22. Purdue University, E-mail from Clive Townsend, Purdue University, to Cindy Montgomery, USNRC, Request for Digital Instrumentation and Control License Change on License Condition Statement, Docket 50-182, dated March 19, 2019, ADAMS Accession No. ML19078A382.

23. Purdue University, Response to Request for Additional Information Regarding the Reactor License Renewal Application, Responses to Letter dated July 25, 2016, dated September 19, 2016, ADAMS Accession No. ML16267A465.

v t e Letter Sequence Approval
EPID:L-2017-LLA-0251, Purdue University - Augmented Request for Additional Information Response for Digital Control and Instrumentation Upgrade License Amendment Request (Approved, Closed)
Initiation Request, Request, Request, Request, Request, Request, Request, Request Acceptance Administration Meeting Questions Answers Results Approval, Approval, Approval Other: ML19142A271
MONTHYEAR2018-09-20 [Table View]

ML18275A109

Text

Navigation menu

Search