ML20044D731
| ML20044D731 | |
| Person / Time | |
|---|---|
| Site: | University of Virginia |
| Issue date: | 05/12/1993 |
| From: | Mulder R VIRGINIA, UNIV. OF, CHARLOTTESVILLE, VA |
| To: | |
| Shared Package | |
| ML20044D729 | List: |
| References | |
| NUDOCS 9305200202 | |
| Download: ML20044D731 (39) | |
Text
14-DAY REPORT OF A "REPORTABLE EVENT" CONCERNING AN INADVERTENT MODIFICATION OF THE UNIVERSITY OF VIRGINIA REACTOR CONSOLE

Submitted by:
Robert U. Mulder, Director
U.Va. Reactor Facility
May 12, 1993

9305200202 930512 PDR ADOCK 05000062 S

Table of Contents
I. Summary
II. Discovery of the Console Problem
III. Source of the Console Problem
IV. Initial Actions
V. Consequences of the Change to the Scram Logic
VI. Root Cause Analysis
VII. Self-Identified Violations
VIII. Actions Required by UVAR Technical Specifications
IX. Safety Significance
  A. Loss of Off-site Electrical Power
  B. Reactor Period (startup and power operation)
  C. Complete Loss of Primary Coolant Flow
  D. Partial Loss of Primary Coolant Flow
  E. High Power
  F. Key Switch
  G. Range Switch
X. Corrective Actions
XI. Regulatory Enforcement Considerations
Appendices
A. Spurious reactor trips and their significance
B. Mixer drivers: Hardware Considerations
C. Scram logic
D.

14-DAY REPORT OF A "REPORTABLE EVENT" CONCERNING AN INADVERTENT MODIFICATION OF THE UVAR CONSOLE
I. SUMMARY
At 6:30 PM on April 28, 1993 the Reactor Director was notified by members of his reactor staff of the discovery of a problem with the reactor console instrumentation. The investigation conducted later that evening by the Reactor Director, the Reactor Supervisor and a reactor operator (RO) revealed that the reactor had been operated that afternoon at full power for 5.5 hours with five major automatic trips required by Technical Specifications (TS) not operable. The inoperable trips were: two power range, low flow, primary pump off, and reactor period. However, other automatic shutdown capability associated with in-core parameters was available, partially offsetting those not available. In addition, the NRC licensed reactor operator at the console had all the usual alarms, reactor instrumentation readings and manual shutdown capability available to him. The reactor was operated in this condition because the operators had no indication that some of the required trip functions were not available until the period trip capability happened to be tested later that evening at reactor shutdown.
This situation developed as a result of an unintentional and inadvertent modification of the automatic shutdown logic circuitry in the console, made by another senior reactor operator following an automatic reactor shutdown near mid-day.
That senior operator (SRO), who has been the primary person responsible for electronic maintenance of the console during the past decade, interchanged what had appeared to him to be two identical mixer driver (MD) modules in the scram logic drawer. Contrary to his belief, these modules were not exactly alike in that they had been altered internally prior to their installation in the console in the early 1970's, at the time of UVAR console upgrade from tube technology. The modifications introduced into the MDs more than 20 years ago were to tie together the unused inputs inside the MDs. With the MDs in their assigned positions the tie-offs did not affect scram logic, and thus the modifications were not documented in the detailed schematics kept of the MDs. Since the unused inputs have different numbers and positions in the two MDs, when the MDs were interchanged several trip functions were tied together in parallel. Had the tie-offs not been made, the interchange would not have compromised the trip functions.
The reactor was operated at a power level of two megawatts without incident for 5.5 hours during the afternoon of April 28 following the exchange of the MDs. The operators that afternoon had no way of knowing that key trip functions were unavailable, since everything appeared normal with all visual reactor information available. Only a test of the scram system with the reactor shutdown would have permitted knowledge of the lack of certain trips.
A test of the trip system had been performed successfully that morning, as required by standard operating procedures (SOPs). A test was not performed after the interchange of the MDs because the operator, and then his direct supervisor for reactor operations, judged (at the time) that the simple exchange of modules did not require this.
During the period that the reactor was operated in violation of some license requirements, no operational parameters for the reactor were exceeded, no safety limits were violated and no damage was caused to the reactor or the console. The switching of the MDs did not damage other electronic components in the console. Following discovery of the problem and its cause, the console was quickly and easily returned to its original functional condition with the return of the MDs to their initial configuration.
The UVAR is currently shutdown with all systems back in normal working order. While operable, the reactor remains shutdown until we discuss the results of our evaluation and implemented corrective actions with the NRC Region II Regional Administrator, or his designee, in conformance with the NRC Confirmation of Action Letter of April 30, 1993.
II. DISCOVERY OF THE CONSOLE PROBLEM
During shutdown of the University of Virginia Reactor (UVAR) at 5:46 PM on Thursday, April 28, 1993, the Reactor Supervisor (who has a Senior Reactor Operator "SRO" NRC license) was determining the integrated reactor power for the day. As shutdown was nearing completion with the reactor already subcritical, the Supervisor began to demonstrate to the reactor operator at the console a technique used to "round number" the power integration reading on the integration display.
In the power integration reading round-off process, sometimes performed following reactor shutdown, the intermediate range channel drawer mode selector switch is taken out of "operate," and the selector switch run through test positions. With the switch in the 3 sec. / IO position and if the delta-temperature reading (from either decay heat or a test signal) is greater than zero, then one or two additional clicks (equal to 0.01 MW-hours each) can be added to the integrated power meters. This has the effect of advancing the power integrator numeral to its next whole number.
The selector switch can be advanced up to a position that causes a test of the period - 5 position for the purpose of inducing an intentional automatic shutdown, that the reactor should trip through activation of the reactor safety system (RSS) because the intermediate period indication would be made to go below 3.3 seconds. In other words, the remaining control rod should drop the remaining short distance into the core. The reactor did not trip as expected. Instead, the remaining rod was driven into the core.
III. SOURCE OF THE CONSOLE PROBLEM
In the process of investigating the failure of the UVAR to be tripped by the injection of a false period trip signal, afternoon entries made in the reactor logbook were reviewed by the RO and the Supervisor. The entries show that at mid-day on April 28, a spurious automatic reactor shutdown (trip) occurred during the shift of the SRO most experienced in electronics and the reactor console systems. (Please refer to Appendix A for a discussion of spurious scrams).
UVAR logbook entries of April 28 indicate that this Senior Reactor Operator assessed and noted in the logbook possible causes for this scram. To explain his assessment, it must be pointed out first that there are two parallel pathways in the scram circuitry (please refer to the copy of Fig. 3.15 Scram Logic Drawer, taken from the UVAR Design and Analysis Handbook, an updated Safety Analysis Report for the UVAR).
[Figure 3.15 Scram Logic Drawer. Labels recoverable from the figure: scram inputs (Power 1, Power 2, Period, Pump on/Header down, Pump off, Pump on, low flow, Pool level 1, Pool level 2, Pool temp, Range switch, key switch, Manual, Reactor door, Ground floor, Escape hatch, Truck door, Face rad., Bridge rad., Fire/Evacuation, Air to header), Scram ON, Annunciators, MD, 2 cps from NI, Test, Reset, Solid State Relays K1 and K2, Console, magnets, scram Relay.]
One side of the circuitry controls the shutdown functions of two of the control rods and the second side controls the third rod. The fourth rod, a regulating rod, is not scrammable. Each side of the circuitry contains a component called a solid-state relay (SSR) and a mixer/driver (MD) module. The SSR plug-in modules are identical units. As regards the MDs, in Figure 3.15 they are shown as single blocks with identifiers MD#1 and MD#2. These SSR and MD modules have been in use since the early 1970's and outwardly appear identical, with the exception of the identifying serial numbers on the labels.
In the accompanying text on page 3-31 of the Handbook, both the MD modules are described as "being essentially 28 input OR gates." There is no mention of any difference between them. (Please refer to Appendix B for a discussion of the Mixer Driver Characteristics).
The SRO with electronic background and familiarity with the console interior noted in the logbook that he could isolate the side down which the signal causing the spurious trip had come, by holding the reset button in and observing which rods had magnet current. It occurred to him that by a simple exchange of the SSR modules he might trace which SSR module the spurious signal could be coming from.
With the reactor shutdown, the SSRs were switched. The SRO waited for a time with the console instrumentation on and the reactor shutdown, and observed that the spurious scram signals were still coming on the original side of the system. The SRO then recorded in the logbook that he had eliminated the SSR modules as a source of the spurious scram signals.
The MD modules were identified as the next potential source of the spurious signal. These MDs were also interchanged in the belief that they, like the SSRs, were identical.
With the reactor still shutdown, the MD modules in the interchanged position and the console turned on, the SRO waited for another spurious scram signal to occur. When after about 30 minutes no further spurious shutdown signals were received, the SRO discussed the possibility of restarting the reactor with the Reactor Administrator. There being no discernible cause for the original scram (no scram annunciators had lit), a reactor restart was authorized by the Reactor Administrator without a recheck of the automatic trips.
Unfortunately, the modules were intentionally left in the exchanged position, 1) because they were believed identical, and 2) it was hoped that information would be obtained as to the source of future spurious scrams while the reactor was operating. The reactor was restarted and operated without incident for the rest of the afternoon. Two other operators took their scheduled turns at the console (the shifts are two hours in duration) until the programmed shutdown in the early evening. Without the performance of a test of the scram system, and all other indicators functioning, these operators had no indication that anything was amiss.
Had the problem not been identified by chance at shutdown on Wednesday evening, with the purposeful actuation of the period trip, the problem would have been uncovered Thursday morning with the performance of the Daily Checklist prior to reactor startup. Thus, the actual moment of discovery is not a critical issue.
IV. INITIAL ACTIONS
Returning to the events during the early evening of April 28, after the console problem was uncovered notifications were made by the Reactor Supervisor to the Reactor Administrator, the Reactor Director and the SRO on duty at mid-day. These actions were appropriate and in accordance with our procedures.
Upon receiving the report of the problem with the console electronic logic system, the Reactor Director requested the Supervisor verify which scram channels had been temporarily inoperable during the afternoon. [Note: This verification did not involve starting up the reactor, completing the part of the Daily Checklist dealing with the test of the scrams.] Next, the Director returned to the Reactor Facility to begin his personal assessment, and prepare a preliminary report for the Reactor Safety Committee, the University of Virginia administration and the NRC.
Following the request by the Reactor Director to fully identify the problem discovered, the Reactor Supervisor switched the two mixer drivers back to their original location in the drawer with the UVAR shutdown and proceeded to test the reactor safety system with the help of the RO. They found that all trips functioned properly. Thus, the problem with the console appeared connected only with the interchange of the mixer/driver modules.
The covers to the modules were removed and it was determined by visual inspection that the modules were wired somewhat differently, although the components were the same.
Thus, it was concluded that the modules were not interchangeable, as had been believed and suggested by the schematic in Figure 3-15. Indeed, with the modules returned to the original position in the drawer, the portion of the reactor Daily Checklist pertaining to the scram logic was successfully completed several times. The test failed for some of the scrams (indicated below) with the modules in the position occupied during the afternoon operation.
Next, the UVAR was tagged out-of-service, appropriate entries were completed in the logbook, and the processes of identifying the violations and making local notifications of a reportable event were begun. The next day, meetings were held among University officials, a local press release was prepared, and made, and the NRC was called within the required 24-hour notification period and sent a special report by facsimile. On its own accord, the university decided to take the reactor out of operation until, 1) full corrective actions satisfactory to its Reactor Safety Committee are completed and, 2) we have discussed the results of our evaluation and implemented corrective actions with the NRC Region II Regional Administrator, or his designee, in conformance with the NRC Confirmation of Action Letter.
V. CONSEQUENCES OF THE CHANGE TO THE SCRAM LOGIC
Operation with the modules in the interchanged position resulted in key reactor protective automatic trips required by the Technical Specifications to become inoperable. The reactor system trips not operable were:
  Two power-level scrams
  Intermediate-range period scram
  (Low) Primary coolant flow scram
  (Loss of) Power to primary pump scram
  Range switch scram
  Key switch scram
The first five are required by UVAR Technical Specifications (i.e. license).
The reactor system trips operable with the MDs interchanged were:
  Pool water temperature scram
  All three manual scrams
  Two pool water level scrams
  Bridge radiation monitor scram
  Air pressure to header scram
  Face radiation monitor scram
  Evacuation alarm scram
  Truck door open, escape hatch open, and Mineral Irradiation Facility scram (tied into one input)
  Primary coolant pump-on scram
  Header-down with pump-on scram
The start-up count rate interlock (not a trip) was available.
Interested readers are referred to Appendix C for a technical discussion of the trip channel circuit.
Note: All the trips in both lists are again operable with the MDs put back in their original configuration. However, although operational, the UVAR has been taken out of service.
It is noted also that in this report the terms trip and scram are used interchangeably.
VI. ROOT CAUSE ANALYSIS
Discussion
The senior operator who interchanged the SSR and MD modules is experienced in electronics, having had training in electronics in the U.S. Navy's nuclear program. He has 13 years of experience on the U.Va. reactor staff and is the person most familiar with the reactor console instrumentation. At the time of hire, he contributed heavily to a 1982 UVAR console upgrade. On the afternoon of April 28, his actions appeared logical and appropriate to him and the Reactor Administrator (an individual who has held an SRO license for over 30 years and presently occupies one of the two reactor supervisor positions on the reactor staff). Unfortunately, the SRO (and the RA) relied too much on an inaccurate and imperfect memory of work done on the scram logic drawer more than a decade previously.
Knowledge that a difference existed between the modules and/or additional procedural requirements in the SOPs would have prevented this particular situation. The SRO who made the interchange had performed an upgrade to the scram logic drawer in 1982, but did not immediately recall some of his knowledge from that time. The detailed schematic of the scram system is available, but the generic drawing in the updated Safety Analysis Report (SAR) was looked at since the SAR is easier to find. The detailed drawings of the interconnections between modules in the scram logic drawer show that different inputs were used between the two MD modules. While the MD modules were "modified" from the off-the-shelf state to disable the (different) unused inputs in each one, this was not shown in the MD reference book at the Reactor Facility. Still, a consultation of the detailed drawings alone would have alerted the troubleshooter to the potential problem with an interchange of the MDs.
It is accurate to state that no other operator would have had the confidence to take the initiative to exchange the MDs without prior consultation of detailed schematics, colleagues, and obtaining prior management approval. In hindsight, errors of judgement by the SRO, and then the Reactor Administrator, resulted in the loss of some automatic trips. The manipulations on the console should have been characterized as maintenance. Also, the modules should not have been assumed identical. Instead, detailed drawings should have been consulted, the modules opened and compared, the proposed change documented and duly authorized by higher management. A specific written procedure for this type of change did not exist but is now being proposed and will be implemented. Finally, the trip system should have been tested for proper performance after the change had been completed.
It was uncharacteristic for this SRO not to have at the very least "tested the circuit" following the interchange of the MDs. The performance of a second Daily Checklist should have been called for following manipulation of the console electronics to verify operability of the protective systems prior to the reactor restart in the afternoon. In so doing, the inoperable scrams would have been detected. It is noted that a Daily Checklist is done once every day [usually in the morning, prior to reactor startup as per standard operating procedures (SOPs)] to verify that the required systems are functional. The Daily Checklist was not repeated because the interchange of the modules did not appear to constitute a modification to the console to the operator and administrator.
The Reactor Director can vouch that this SRO has shown a high level of safety consciousness in the past. The general high opinion and esteem for this SRO extends to the departmental faculty and the Reactor Safety Committee. In keeping with his character, the SRO immediately stepped forward and took entire responsibility for the event. In truth, the responsibility is shared between him, the Reactor Administrator, and management, and could have been influenced positively by the availability of additional procedures covering troubleshooting of the console and response following spurious trips.
It is noted that personnel disciplinary action is a consideration in such a circumstance. However, disciplinary actions are an internal matter to the University and will not be discussed in this report.
At the time of the 1982 reactor console upgrade, performed subsequent to Reactor Safety Committee approval, our electronics-expert SRO had proposed that the inputs to the scram logic drawer be re-arranged and fed to both mixer drivers (Memo to ReSC of February 12, 1982). The ReSC minutes (March 8, 1982) indicate that the ReSC approved the proposed new annunciator system and the addition of a pump-on/header-down scram but decided that the location of signals going into the scram logic system should remain unchanged. Had the inputs been rearranged to occupy separate and consistent input numbers between the two MDs, their interchange would not have caused a change in the scram logic. Also, if the unused inputs to the MDs had not been tied together, their interchange would not have caused a change in the scram logic. [Note: With the reactor shutdown, the UVAR console was tested with unmodified MDs taken from the shutdown CAVALIER reactor console and found to work as intended.]
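The dependence described above, that the interchange altered the scram logic only because each MD's internal tie-off sat on different input numbers, can be checked with a small model. This is an added example, not part of the original report: the pin numbers, the channel-to-pin assignment and the rule that an input landing on a tied pin cannot trip on its own are assumptions, since this section does not give the actual wiring.

```python
from dataclasses import dataclass

N_INPUTS = 28  # the Handbook describes each MD as "essentially 28 input OR gates"


@dataclass(frozen=True)
class MixerDriver:
    serial: str
    tied_inputs: frozenset  # input numbers strapped together inside the module


@dataclass(frozen=True)
class Slot:
    name: str
    wiring: dict  # input number -> trip channel wired to it in the drawer


def unused_inputs(slot):
    """Input numbers that carry no trip signal in this drawer position."""
    return frozenset(range(1, N_INPUTS + 1)) - frozenset(slot.wiring)


def masked_channels(slot, module):
    """Trip channels whose live input lands on one of the module's tied pins."""
    return sorted(ch for pin, ch in slot.wiring.items() if pin in module.tied_inputs)


def scram_check(slot, module):
    """Inject each trip alone, as a scram test does; map channel -> tripped?

    Assumed rule (not from the report): an input strapped to the tie-off
    cannot assert the OR gate on its own; every other wired input can.
    """
    masked = set(masked_channels(slot, module))
    return {ch: ch not in masked for ch in slot.wiring.values()}


def failed_trips(slot, module):
    """Channels that a post-change scram test would find inoperable."""
    return sorted(ch for ch, ok in scram_check(slot, module).items() if not ok)


def swap_is_safe(slot_a, mod_a, slot_b, mod_b):
    """True if interchanging the two modules masks no channel on either side."""
    return not masked_channels(slot_a, mod_b) and not masked_channels(slot_b, mod_a)


# Constructed drawer wiring; pin numbers are illustrative only.
SLOT_1 = Slot("MD#1 position", {1: "manual", 2: "pool level 1", 3: "pool temp",
                                4: "power 1", 5: "period", 6: "low flow"})
SLOT_2 = Slot("MD#2 position", {1: "manual", 2: "pool level 2", 3: "bridge rad",
                                9: "power 2", 10: "pump off",
                                11: "range switch", 12: "key switch"})

# Each module was modified to tie off the inputs unused in its own position.
MD_1 = MixerDriver("MD#1", unused_inputs(SLOT_1))
MD_2 = MixerDriver("MD#2", unused_inputs(SLOT_2))
# Off-the-shelf module with no internal tie-off.
MD_STOCK = MixerDriver("unmodified", frozenset())

if __name__ == "__main__":
    for slot, module in [(SLOT_1, MD_1), (SLOT_2, MD_2),
                         (SLOT_1, MD_2), (SLOT_2, MD_1)]:
        print(f"{module.serial} in {slot.name}: "
              f"failed trips = {failed_trips(slot, module)}")
    print("interchange safe as modified:",
          swap_is_safe(SLOT_1, MD_1, SLOT_2, MD_2))
    print("interchange safe with unmodified modules:",
          swap_is_safe(SLOT_1, MD_STOCK, SLOT_2, MD_STOCK))
```

In the assigned positions no channel is masked, so the undocumented modification stays invisible until the modules move; only a test run after the change exposes it.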
The occurrence of spurious trips has heretofore not been seen as a cause for safety concern. However, their occurrence and the informal response (troubleshooting) elicited to trace them did initiate this event. Spurious trips may be due to ground loops and old electronic components. Unplanned trip frequency will likely reduce with time simply as a consequence of the replacement of old console components, already beginning with funding from the DOE Reactor Instrumentation Program. It is clear that the search for the elimination of unwanted spurious trips should be attempted only in a careful, considered fashion using pre-approved procedures.
UVAR Technical Specification 4.5 addresses the topic of reactor maintenance. Central to the non-performance of a test of the scram system was the (improper) understanding by the SRO and the Reactor Administrator of the definition for "maintenance." The SRO and Administrator believed that maintenance had not been attempted, since the console had (presumably) not been changed, although the modules had been lifted and replaced on the contact bus. [Note: Maintenance is not a term defined in the UVAR TS. Neither is this term defined in the ANS-15 "Operations of Research Reactors Glossary of Definitions and Terminology." Definitions for "troubleshooting" and "maintenance" are found in INPO's Guideline for Conduct of Maintenance at Nuclear Power Stations, April 1992.]
Whenever a mistake is made, consideration is usually given to time pressures. It appears that in this case some time was taken by the SRO to discuss the situation with the Administrator, and the necessary conclusions should have been reachable within this period.
Of a lesser magnitude in this search for root causes is the lack of redundancy of expertise. Lack of personnel redundancy is unavoidable, due to the small staff size at research reactors. The SRO who switched the MDs has been relied on by the entire staff for his electronic expertise. Another individual, who has a degree in electrical engineering, has recently obtained his reactor operator's license. His expertise will assist the reactor staff in the area of electronics and instrumentation.
The lack of a "devil's advocate" was felt in this case. Some simple questions from the Reactor Administrator as to the proof for the assumption that the MDs were alike would have set the SRO to thinking and have changed the sequence of events for the better.
The event was a product of unlikely circumstances, and is not reflective of a generalized breakdown in operating procedures. Nevertheless, it is useful to search for underlying root causes, search for similar problems and seek the improvement of the standard operating procedures which are intended to help humans to overcome their propensity for mistakes. Such is the case here, and a number of SOP changes have been made or proposed.
Summary
The identified root causes for this event were: a recent history of "spurious" automatic scrams; judgement error on the part of the SRO as to what should have been regarded as maintenance of a safety-critical reactor console system; error on the part of the Reactor Administrator to rely on the greater electronic expertise of the SRO without testing the SRO's assumptions involved in making the MD interchange; lack of definitions in the SOPs for the terms "troubleshooting" and "maintenance;" the non-performance of a scram operability test prior to restart of the reactor following the exchange of the modules.
VII. SELF-IDENTIFIED VIOLATIONS
The regulations from the UVAR SOPs and TS which were violated are reproduced below. They are quoted individually and then followed by explanatory comments.
Violations of UVAR Standard Operating Procedures (SOPs)
"2. General Regulations
A. The reactor and operations must at all times meet the license requirements and the operational limitations as set forth in License R-66."
Contrary to the above, the reactor did not meet license requirements during the 5.5 hours it operated with some TS-required automatic trips unavailable.
"2. General Regulations
D. No jumpers or by-passes shall be installed or removed in the control console unless the following conditions are met:
  1. No safety system is compromised
  2. A record is made in the logbook
  3. Specific approval is obtained from the Reactor Supervisor or Facility Director."
Contrary to the above, the exchange of the MD modules resulted in an inadvertent and unintentional by-passing of protective systems. While this action was recorded in the logbook, the by-passes were made without specific approval.
"2. General Regulations
K. The reactor shall not be operated if any instrumentation required by the Technical Specifications is not fully operable."
Contrary to the above, the UVAR was operated for a short period of time (5.5 hours) with certain required instrumentation (already described previously) not fully
Violations of UVAR Technical Specifications
1. Technical Specification 3.2, Reactor Safety System
Specification: The reactor shall not be operated unless the safety system channels described in the following table are operable:
Applicable Channels from Technical Specifications Table 3.1, Safety System Channels
| Channel | Min. # Operable | Set Point | Function | Mode Required |
|---|---|---|---|---|
| power to primary pump | 1 | loss of power | scram | forced convection |
| primary coolant flow | 1 | min. of 800 gpm | scram | forced convection |
| reactor power level | 2 | max. of 3 MWt | scram | forced convection |
| | | max. of 0.3 MWt | scram | natural convection |
| reactor period | 1 | min. of 3 sec. | scram | all modes |
Contrary to the above, the automatic safety system trip settings indicated above were inadvertently disabled during 5.5 hours of reactor operation on April 28, 1993.
2. Technical Specification 3.3, Reactor Instrumentation
Specification: The reactor shall not be operated unless the measuring channels described in Section 3.2 "Reactor Safety Systems" and in the following table are operable:
Applicable Channels from Technical Specifications Table 3.2, Measuring Channels
| Channel | Min. # Operable | Mode Required |
|---|---|---|
| Intermediate & period | 1 | all modes |
Contrary to the above, the automatic safety trips listed on the previous page in this report (from UVAR TS Table 3.1) were inadvertently disabled during 5.5 hours of reactor operation on April 28, 1993. Also, the measuring channel listed above (from UVAR TS Table 3.2) was placed into test position (one which should have caused a scram) while the reactor was being shutdown and was subcritical but did not meet the definition of shutdown in that all three shim rods were not fully inserted.
3. Technical Specification 4.5, Maintenance
Specification: Following maintenance or modification of a control or safety system component, it shall be verified that the system is operable before it is returned to service or during its initial operation.
Contrary to the above, an action which was not considered to be maintenance or a modification, at the time it was done, did in fact inadvertently modify a component of the safety system. The operation of the system was not verified to check its operability before being returned to service because it was not believed that a modification had taken place.
4. Technical Specification 6.3, Operating Procedures
Specification: Written procedures, reviewed and approved by the Reactor Safety Committee, shall be in effect and followed for the items listed below. These procedures shall be adequate to ensure the safe operation of the reactor, but should not preclude the use of independent judgment and action should the situation require such.
(the two applicable sections are:)
  (3) actions to be taken to correct specific and unforeseen potential malfunctions of systems or components, including responses to alarms, suspected primary coolant system leaks, abnormal reactivity changes
  (5) preventative and corrective maintenance operations that could have an effect on reactor safety.
Contrary to the above, no specific procedures existed for trouble-shooting problems with the reactor instrumentation as may be interpreted to be required by the wording in (3) above. Nor is there a Technical Specification definition for, or a good understanding of, all the actions that might be considered to be maintenance. Therefore, for some actions such as the switching of the modules in the scram logic drawer there were no specific or general procedures.
VIII. ACTIONS REQUIRED BY UVAR TECHNICAL SPECIFICATIONS The inadvertent change to the UVAR console was a reportable occurrence as per Technical Specification 6.4.2., " Action to be Taken in the Event of a Reportable j
Occurrence;"
(Note: only the applicable items are listed below:)
l I
A reportable occurrence is any of thefollowing conditions:
l (1) any safety system setting less conservative than specified in Section 2.2 of these specifications (3) safety system component malfunction or other component or system malfunctions during reactor operation that could, or threaten to, render the safety system incapable ofperforming its intended safetyfunction, unless immediate shutdown of the reactor is initiated (5) an observed inadequacy in the implementation of either administrative or procedural controls, such that the inadequacy could have caused the existence or development of an unsafe condition in connection uith the operation of the reactor Item (1) is applicable because certain safety system settings were set less conservative than specified in section 2.2 in that they were inadvertently disabled.
Item (3) is applicable in that a safety system component was made to be malfunctioning during reactor operation by the switching of two electronics modules prior to reactor start-up (even though this switch was mistakenly believed to have produced no change what-so-ever).
Item (5) is applicable because either the administrative and procedural controls to prevent the incident which occurred did not exist or they were not effectively implemented.
IX. SAFETY SIGNIFICANCE
For a 5.5 hour period, important automatic trips required by the reactor license were not available during the afternoon of April 28, 1993. The fact that certain scram functions were not available could only have been determined had an operational check of the scrams been performed prior to the afternoon restart of the reactor. This operational check was not performed because it was not recognized that the interchange of the modules constituted maintenance, requiring operability checks. Scram unavailability can't be determined during reactor operation.
The reactor is normally operated four days per week for about 10 hours per day. Thus, the longest period the reactor could have been operated in this mode was about 10 hours.
The Daily Checklist is always done before start of reactor operation each morning and would have determined the problem with the scram drawer logic. Had the modules been interchanged at the end or at the beginning of the workday, the problem would have been discovered with the Daily Checklist prior to reactor operation.
Reactor operation was normal that afternoon. The strip-chart recorders indicate both smooth N-16 and reactor neutron flux level traces. The values recorded on the Hourly Console Data Sheet for that afternoon were all within normal operational parameters. No out-of-the-ordinary conditions were noted in the reactor logbook until the discovery of the problem as shutdown was being completed.
Considerations are presented below showing that if the reactor had been challenged by equipment degradation or failure, with a very high likelihood automatic trips associated with in-core experimental facilities and/or a reactor operator manual trip would have kept the reactor from exceeding safety limits. The automatic scrams associated with in-core experimental facilities were checked that morning and would not have been affected by the interchange of the MDs because they were on terminals that were symmetrically located.
Reference is made to Table A (on the following pages), where the UVAR operational indicators which were available to the reactor operators that afternoon are listed. It is observed that functional alarms and automatic trips associated with in-core experimental irradiation facilities were available that roughly compensated for the lack of some license required automatic trips. These are the core differential temperature ("delta-T") visual and audible alarms, the core gamma-level monitor visual and audible alarms, the reactor bridge radiation level audible and visual alarms and automatic trip, the mineral irradiation facility visual alarm and automatic trip, the four Hot-thimble Facility visual and audible alarms, the primary pump-switch-on/header-down light and automatic trip, the (3) manual trips, and the automatic control (servo deviation) visual and audible alarms associated with the regulating rod. In addition to the audible and/or visual alarms, the operator had reactor power indicators in clear line of sight, of which the most important are also presented in Table A. The rows shaded in Table A highlight the systems that offered important alarms or scrams which compensated for the unavailable scrams.
The safety action required in all cases for all scenarios is the dropping of control rods into the reactor core due to an automatic or manual scram. The safety function is accomplished by the control rods falling by gravity a short distance into the reactor core once the magnetic force which keeps them suspended is cut. Such is the case when the electric current supply to the electromagnets ceases. This safety function occurs when a manual scram button is pressed. It also occurs when there is loss of electrical power to the Reactor Facility.
To qualitatively illustrate the compensation which was available, various scenarios are presented below. Each one is possible, however with varying degrees of likelihood. A Probabilistic Risk Assessment (PRA) has not been attempted, for the benefit is small and the time required much exceeds the time available for filing this report. For the same reason, highly unlikely scenarios which would be difficult to model and time-consuming to compute have also not been attempted.
The overall conclusion that is reached is that the operator had the necessary reactor operational information available to him to safely operate the reactor and to manually trip the reactor if conditions had required this. The automatic scrams associated with irradiation experiments in the reactor core roughly compensated for the scrams that were disabled.
TABLE A (page 1 of 3): UVAR OPERATIONAL INDICATORS AVAILABLE TO REACTOR OPERATOR (with mixer drivers switched)
Shaded rows highlight the systems that offered important alarms or scrams which compensated for the unavailable scrams.
Reactor system indication | Nominal (@2 MW) Readings | Indication of Abnormal Condition | Indicator Availability | Visual indication or audible alarm | Scram or Alarm Level | Scram Avail-
[illegible] | [illegible] cps (w/ chamber out) | increasing | available | visual | none
[illegible] | null or infinite | a positive value | available | visual | none
intermediate range level (NV) (local, remote & recorder) | 4x10[illegible] nv | >4x10[illegible] and increasing | available | visual | none
[illegible] | null or infinite | a positive value | available | visual | no
linear power level | 2x10[illegible] amps | >2x10[illegible] amps & increasing | available | visual | none
power range level #1 | about 100% | >100% and increasing | available | visual | no
power range level #2 | about 100% | >100% and increasing | available | visual
core differential temperature | about 12.8°F | >13°F | available | both
reactor pool temperature | varies between 70 and 100°F | [illegible]
primary coolant flow rate | 1030 gpm | <1010 gpm | available | visual | [illegible]
electrical power to primary pump | on at 2 MW | off above 200 kW | light | visual | no
N-16 (heat exchanger room) & recorder | 3.2x10[illegible] amps | >3.5x10[illegible] amps | available | visual | none
core gamma level monitor | [illegible] (7.9x10[illegible] amps) | >8.5x10[illegible] amps | available | both
constant air particulate monitor | 150-200 cpm | >300 cpm | available | both | >400 cpm
TABLE A (page 2 of 3): UVAR OPERATIONAL INDICATORS AVAILABLE TO REACTOR OPERATOR (with mixer drivers switched)
Shaded rows highlight the systems that offered important alarms or scrams which compensated for the unavailable scrams.
Reactor system indication | Nominal (@2 MW) Readings | Indication of Abnormal Condition | Indicator Availability | Visual indication or audible alarm | Scram or Alarm Level | Scram Avail-
reactor bridge radiation level | 1.5 - 2.5 mr/hr | >4 mr/hr | available | both | yes
reactor face radiation monitor | 0.15 - 0.3 mr/hr | >0.5 mr/hr | available | both | yes
Mineral Irradiation Facility lead shield temperature | about 50°F greater than pool temperature | above about 145°F | [illegible] reactor power | available | meter | >155°F
Mineral Irradiation Facility cooling gas temperature | [illegible] | outside control room | [illegible] control room | about 130°F | about 160°F scram | yes
Hot Thimble facilities temperatures | various (270-295°C) | >295°C, alarm | available | both | [illegible] tolerance nominal
automatic control, servo deviation | zero or null | > than a few % deviation | available | both | trip out & alarm at ±7%
primary pump on with header down | header up light, pump on light indicated, normal primary flow | header falls with the pump running | light for header up | light for header up | [illegible] | yes | scram
reactor room argon monitor & recorder | 100-300 cpm | >400 cpm | available | both | [illegible] cpm
vent duct argon monitor & recorder | 100-300 cpm | >400 cpm | available | both
[illegible] | 2600-2800 nano-amps | >3000 nano-amps | available | visual | none
TABLE A (page 3 of 3): UVAR OPERATIONAL INDICATORS AVAILABLE TO REACTOR OPERATOR (with mixer drivers switched)
Shaded rows highlight the systems that offered important alarms or scrams which compensated for the unavailable scrams.
Reactor system indication | Nominal (@2 MW) Readings | Indication of Abnormal Condition | Indicator Availability | Visual indication or audible alarm | Scram or Alarm Level | Scram Avail-
range switch (with [illegible]) | 2 MW position | 200 kW position | none | none | scram on high power by [illegible] to 2[illegible] position when above 250 kW | no
range switch (with [illegible]) | 200 kW position | 2 MW position | none | none | scram by switching to 2 MW position above 200 kW | no
low pool level scram #1 | 19'4"-19'6" pool level | <19'3[illegible]" causes scram | none | scram only | yes
low pool level scram #2 | 19'4"-19'[illegible]" pool level | <19'3[illegible]" causes scram | none | scram only | yes
three manual scrams | reset | no indication | (none) | scram only | yes
truck door open scram | reset, door closed | [illegible] door | none | scram only | yes
escape hatch open scram | reset, hatch closed | hatch open | none | scram only | yes
evacuation & fire alarms | reset | button pushed or sensor [illegible] | none | scram only | yes
key switch | turned on | turned off | position | scram only | [illegible]
A. Loss of Off-site Electrical Power
The loss of electrical power to the Reactor Facility is the most likely challenge to the reactor. Although likely, it is handled routinely by the fail-safe design of the safety system. This system fulfills its purpose quite simply with the insertion of the control rods which fall when the electromagnets are de-energized.
B. Reactor Period (startup and power operation)
There is no mechanism for a large insertion of positive reactivity other than deliberate, malicious action by the operator or a total failure of the control rod drives such that they withdraw without operator action (very highly-improbable). The falling away of all seven experiments with some small negative reactivity worth from the core could have added +1.1% delta-k/k. The falling of even one experiment would be highly unlikely. As explained in the subsequent section, reactor overpower would have resulted in either automatic or manual shutdown, assuming no malicious intent on the part of the reactor operator.
Reactor Initially Operating Below 2 MW
The reactor was started up once following the interchange of the MDs. During startup, the reactor operator had (and was attentive to) reactor period indication at all times. Procedures require that the reactor operator maintain the reactor period at greater than 100 seconds during the initial phase of the startup. The period is maintained at this rather conservative level due to the natural unavailability of period protection during the initial phase. The period protection circuitry is on the intermediate range channel which does not detect a rising neutron flux until the flux level has increased several orders of magnitude. During the second phase of startup, once the intermediate range is on-scale, a 30 second period limitation is procedurally enforced. The margin from the 30 second administrative limitation to the scram setpoint of 3.5 seconds (not available) is substantial. A trip signal would have been processed only had an operator intentionally withdrawn the rods at a sufficiently-high rate to produce a reactor period of less than 3.5 seconds. Given the attention paid to the period indication by the operator on startup, the lack of period protection for the latter phase was not significant due to the high improbability of a positive reactivity insertion great enough to cause a three second period. Consequences from the reactor going over-power would have been prevented by the remaining automatic and manual trips available.
If one postulates a positive period resulting from erroneous operator action (too rapid withdrawal of control rod) or from a negative reactivity-worth experiment falling away from the core, the power would rise at a rate depending on the magnitude of the reactivity insertion. With low-magnitude positive reactivity insertion, reactor power would rise until the delta-T, core gamma and/or the hot-thimble facility temperature alarms are obtained. The delta-T temperature only needs to rise by a few tenths of a degree, the core gamma monitor rise by less than 20% of its 2 MW value and the hot-thimble temperatures rise by about 5°C to produce audible and visual alarms. The operator would thus know that the reactor power level was going up and would then manually trip the reactor. In the likely situation that the reactor is level at 2 MW full power under servo control, the operator would be made aware of the reactivity change by the automatic (servo) control mechanism tripping out at ±7% deviation, resulting in an audible and visual alarm.
Reactor Initially Operating at 2 MW
Protection from reactivity insertion with the reactor at 2 MW is discussed under the high power scenario heading.
C. Complete Loss of Primary Coolant Flow
Loss of primary reactor coolant flow is a possibility that needs to be considered, however, its occurrence is not very likely. This is borne out by the experience of some 33 years of reactor operation. In this time there has never been a loss of coolant flow to levels below the scram set point.
Loss of flow through the core can occur three ways, either by the pump ceasing to work with the pump motor still functional, the pump motor ceasing to work (causing the impeller to stop turning) or the flow header falling away from its normal position beneath the reactor gridplate while the pump is on. [Note: The "header" is a funnel-like structure connecting the bottom of the reactor core with the primary coolant pipe. It must be movable to permit reactor cooling by natural convection. In natural convection mode, it is in the down position. It is held in the up position by the difference in pressure generated through the down-flow of coolant.]
First, assume total pump failure through the loss of the coupling between the impeller and the motor. This would cause the header to fall with the pump still energized, resulting in an automatic shutdown from the header-down/pump-on scram.
In the second case, assume that the motor fails, which would stop the pump. If the electrical breaker on the motor trips before the header falls from the loss of flow, the header-down/pump-on scram would not be initiated. However, when the header falls with the reactor operating at two megawatts there would be an immediate trip out of automatic control due to the insertion of negative reactivity resulting from the increase in the average in-core temperature. The trip out of automatic regulating rod control leads to visual and audible alarms at the console which would alert the operator to the unusual situation. Also, the reactor power level would immediately decrease in response to the negative reactivity insertion. In fact, the reactor power level would have to drop to below 200 kW because the core differential temperature at 200 kW in natural convection mode is greater than the delta-T in forced convection mode at 2 MW. The aggregate rod positions in the full-power mode are therefore lower than in the natural convection mode.
In the third case, with the header falling and the pump remaining on, the reactor trips from the header-down/pump-on scram. This is the situation that this particular scram was designed to handle.
D. Partial Loss of Primary Coolant Flow
The possibility of a reduction in the amount of coolant flow through the core to levels below the scram set point also needs to be investigated. Just as there has never been a complete loss of flow neither has there been a case when there has been a reduction in the coolant flow rate below the scram set point. The observed reduction in flow over many years has been slow and small (a total of less than about 30 gpm, that is 3% of 1030 gpm normal flow). This gradual decrease over time is explained through wear on the impeller and/or the collection of small debris on a protective screen located in the primary piping upstream of the impeller.
A reduction in the flowrate through the core might be caused by either a malfunctioning pump or some type of flow blockage. Degradation of primary flow sufficient to drop the header will scram the reactor. Coolant flow degradation not sufficient to drop the header would be observed no later than the performance of the Console Data Sheet, filled out on an hourly schedule. A small drop in coolant flow would not have a negative impact on the reactor. The rod servo-control drive mechanism would drive the regulating rod a small distance out of the reactor in response to an actual decrease in reactor power caused by the greater average core coolant temperature. The reactor can safely accommodate the larger delta-T applicable to natural convection operation, calculated to be about 19°F.
Next, considering an unlikely instantaneous drop in coolant flow to levels below the low-flow scram setpoint (remembering that the low flow automatic trip was not available), the delta-T would increase suddenly by an amount proportional to the flow change and would audibly alarm. The true delta-T reading, directly visible to the reactor operator, would show a higher than normal differential temperature across the core. The reaction of the operator would be to manually trip the reactor if the delta-T reading is significant (above 13.1°F, compared to the usual 12.85°F) or to look at other instruments to check whether the (apparent) power increase is real. The lower coolant flow rate would be observed. Also, the N-16 level would likely show a decrease, given greater decay due to longer time between core and the detector position. Reactor power readings from the nuclear instrumentation near the core would increase (due to greater neutron leakage from the core due to the lower density, higher water temperature in the core). These power readings would be above the true core power level. The reactor automatic control system would respond with the insertion of the regulating rod, a beneficial outcome. The operator would react by manually tripping the reactor because of disagreement between the instruments.
E. High Power
Slow to Moderate Power Increases
The Mineral Irradiation Facility (MIF) has three scrams associated with it. Two are important to the qualitative analysis being made here. The scrams are the cooling gas flow-temperature and the lead-shield temperature as sensed with thermocouples. They trip the reactor whenever their temperature setpoints are exceeded (see Table A). The gas flow temperature setpoint is 160°F and the lead shield setpoint is 155°F.
The MIF lead-shield temperature response is known to be rapid and fairly linear with reactor power (heating is due to gamma and neutron interaction). On April 28 with the reactor power at 2 MW, the shield temperature was at about 130°F and the pool temperature at 80°F. Thus, the 155°F MIF lead shield setpoint corresponded to (155-80)/(130-80) × 2 MW or about 3 MW. The power level scrams (not available) are set at 2.5 MW. The MIF scrams were checked for operability during the Daily Checklist performed on the morning of April 28, and remained functional after the exchange of the MD modules. Assuming that the operator was inattentive and that the reactor power had increased significantly above 2 MW, an automatic trip would have occurred at about 3 MW (the LSSS), well within the safety limit (defined as a curve based on a combination of coolant flow and reactor power).
Fast Power Increase
Gross over-power would only be possible due to an intentional operator insertion of positive reactivity by control rod motion. The falling away of all seven experiments with negative reactivity worth from the core could have added +1.1% delta-k/k, but this is a very improbable scenario. Postulating that the automatic trip covered above in the slow to moderate power increase scenario did not have time to actuate, the reactor bridge radiation monitor would eventually deliver the automatic trip. It is noted that on such an excursion, vibration produced in the core could be sufficient to cause either the dropping of the header (delivering another automatic trip) or the dropping of one and then the remaining control rods. [The control rods are held up by the barest margin of magnetic force and are therefore susceptible to vibration. On occasion, they drop and trip the reactor when personnel walk onto the reactor bridge.]
Motion of the pool water surface could actuate the automatic pool-level trips. With the pool filled to almost overflowing, a 2.5 inch ripple would accomplish this. Normally, the pool fill is somewhat lower than the point of overflow, so as little as a 0.5 inch ripple could be sufficient to produce an automatic trip.
F. Key Switch
The reactor should be automatically tripped in the event that removal of the console key is attempted (extremely unlikely attempt). It is difficult to conceive of a situation where the operator would want to attempt to shut down the reactor by removal of the key. Upon trying this without success (this would have been the case on the afternoon of April 28), the sensible operator would manually trip the reactor. The key switch scram is not required by Technical Specifications.
G. Range Switch
The purpose of the range switch is to prevent the reactor from being operated above 0.2 MW with the primary pump off. The switch changes the high power scram settings from 0.25 MW to 2.5 MW when it is thrown. To operate the reactor above 0.2 MW without the pump on, the operator would have had to ignore the header position indication light (yellow for down, green for up) and the lack of a pump power indicator light (green), both clearly visible at the console. With natural convection upflow, the core gamma monitor located seven feet above the core would detect thermally rising N-16 and eventually alarm. The automatic trip would be initiated by the reactor bridge radiation level, if the operator had not manually tripped the reactor by then.
It is noted that the UVAR is almost never operated in natural convection mode. It is operated at full power just under 2 MW almost all of the time. To possibly get the reactor to a condition where safety limits would have been violated, the primary pump would have had to have been turned off before the afternoon startup was attempted, and the operator would have had to fail to notice the pump-off condition in addition to the header-down indication. No natural convection operation was scheduled for April 28, 1993.
X. CORRECTIVE ACTIONS
The discovery of the non-availability of some scrams on the evening of April 28, 1993 came as a big shock to everyone on the reactor staff. Never before, in the recollection of the Reactor Administrator, was even a single scram found to be inoperable when a Daily Checklist was conducted. Recognizing the significance of the event, the reactor was shut down for an indeterminate period by the Reactor Director. The University, the community and the NRC were all rapidly notified during the ensuing 24 hours.
The TRTR National Chairman was contacted at the licensee's initiative to request the appointment of an official TRTR inspection team to visit the Reactor Facility at the earliest convenient date. The visit has been set for May 17 and 18, 1993, and the group is composed of Dr. William G. Vernetson, Chair of TRTR and Director of Nuclear Facilities, U. of Florida, Mr. Wade J. Richards, Director Nuclear Operations, McClellan USAF Base, California, and Mr. Tawfik Raby, Chief, Reactor Operations and Engineering, NIST, Washington, D.C.
An immediate examination of the root causes for the event was begun. The hardware explanations were quickly found, and then the implications carefully analyzed. In parallel to researching the console schematics, the SOPs were analyzed by the reactor staff for weaknesses and improvements to existing procedures were developed. In addition to hardware and procedural fixes, which are taking the initial thrust, management will consider the administrative corrective actions that may be required. Administrative actions for serious events may be of interest to the NRC and may be discussed verbally during future meetings, but are internal actions and therefore will not be addressed in this written report.
The Reactor Safety Committee met to discuss the incident within 48 hours, and numerous times thereafter in the following two weeks. By the third meeting, Dr. George T. Gillies had been appointed to the ReSC by the President of the University. Dr. Gillies has a background in electronics. Since the incident and up to the time of the sending of this report, the ReSC had met four times.
The following procedural improvements have been made:
1. Following every unplanned scram the reactor safety systems will be checked. A new checklist, called the Safety Systems Checklist, has been developed for this purpose. Several SOPs have been modified to take into account the use of this new checklist.
2. The SOPs will now contain definitions for "maintenance," and "trouble-shooting." Thus, there will be no doubt in the minds of reactor operators what activities require checks of operability. Additional procedures for maintenance will be developed as needed.
3. The restart authorization following a scram will require the agreement of an SRO not at the console (i.e. otherwise uninvolved in the immediate operation of the reactor) and a Reactor Supervisor or his designee.
4. While abundant examples as to when the operator should manually trip the reactor exist in SOP 11 (it addresses abnormal conditions), a specific recommendation has been placed in SOP 2 under the general regulations. In a succinct fashion, it emphasizes the general conditions requiring an operator to manually trip the reactor, and suggests that a manual trip be initiated whenever there is any question about the safe operation of the reactor.
5. Also in SOP 2, a clause has been added to explicitly require that the reactor be taken out of service immediately upon the discovery of a violation of reactor Technical Specifications, so that the Reactor Director is given the opportunity to review the situation prior to authorizing a restart of the reactor. If the Reactor Director can't be reached within 48 hours, then his superior, the Chair of the Department of Mechanical, Aerospace and Nuclear Engineering, will make the appropriate decisions related to notifications, reviews, and reactor restart, with the advice of the Reactor Safety Committee.
A search was started and will be continued for similar " traps" associated with " modified" reactor console modules when compared to off-the-shelf modules. A small number of these have been identified. The console electronics are being checked against the available schematics for conformity.
A consistent relabelling of modules will be carried out, by applying black writing on light colored paint, at a location where they can be clearly seen. No modules will be switched or exchanged in the future without a check to see that it is identical to the original, and a check of the system operability made following the exchange.
The MD modules will be returned to an unmodified state, that is, the unused inputs will be disconnected from each other. This will permit their interchange in the future.
To assure that the MDs had not been interchanged before, and the reactor run in the mode that it was run on April 28, 1993, the Reactor Director had the Daily Checklists analyzed for indication of non-available scrams. A check was made by the Reactor Supervisor of the Daily Checklists readily available, as far back as January 5, 1987. The search showed no instance of non-availability of scrams during the past six years. Older records exist, but the effort of retrieving them for examination, and the effort involved at this time, make going back further of little use.
The effect of the switching of SSRs and MDs on the reactor console circuitry and the reactor circuitry has been evaluated and checked. No damage was found, and the reactor is operable with the MD's returned to their original location in the scram drawer.
The reactor will remain in a shutdown condition until the Reactor Safety Committee has reviewed the staff evaluation of the event, and corrective actions authorized by the ReSC have been implemented. Restart is also conditioned on a restart authorization from the ReSC and a discussion of our evaluation and implemented corrective action with the NRC Region II Regional Administrator or his designee.
After reviewing the official TRTR report on their inspection of our Facility and reactor program to incorporate useful recommendations. The NRC will be notified in writing when all actions in response to this incident have been completed.
XI.
REGULATORY ENFORCEMENT CONSIDERATIONS
(
Based on a single inadvertent and imprudent action, numerous UVAR SOPS and UVAR TS were unintentionally siolated for a short time period (5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />) on April 28,1993. The licensee is presently back in compliance with license requirements, and is in the process of considering additional actions beyond the initial immediate actions and the corrective actions
.aken during the past two weeks.
The imprudent action which resulted in the violations was isolated to a single individual; however, the ramifications of his actions were recognized by his immediate supervisor when permission for restart was requested. Significant remedial actions commensurate with the seriousness of the event have been taken and more are being considered. Upper-level University administrators are aware of the event. The aggressive actions taken suggest that a strong deterrent effect has been felt by the reactor staff.
The problem was identified by the licensee, who took the initiative of immediately taking the reactor out of service, informing the University community and the public, and contacting the NRC as per regulations. A faculty member experienced in instrumentation systems was added to the Reactor Safety Committee by the University's president. In addition, the National Organization of Test, Research and Training Reactors was asked and is responding by sending a team of three research reactor experts to examine the reactor operations program. The recommendations of this group will be considered and useful suggestions acted upon to supplement the considerable improvements initiated by the licensee on his own.
The unintentional violations could have been avoided by following existing SOPs on maintenance to the letter. However, some "blindspots" existed in the understanding by the SRO and the Reactor Administrator of the procedures, as regards the meaning of the term maintenance. The violations could not have been expected to have been prevented by corrective actions taken by this licensee for a previous violation. The last significant violation in the area of reactor operations occurred nine years ago (in 1984) with a shutdown margin violation.
Broad corrective actions have been achieved or identified as necessary within a reasonable time period. The Reactor Safety Committee, University administrators and the reactor staff have had numerous meetings to thoroughly discuss all aspects of the event.
The safety significance of the event resides in the potential for taking the reactor beyond its safety limits. The licensee is confident that enough automatic shutdown and manual shutdown capability (with all alarms functional) remained for the likelihood of uncontrolled excursion to have been quite small. Of course, had more of the required scrams been available, that potential would have been smaller still.
The overall regulatory performance of this licensee is felt to be reasonably good. Only a few violations at the lower IV and V levels have occurred in all areas of reactor operations during the past two years.
Appendix C to Part 2 of the Code of Federal Regulations contains the Rules of Practice for Domestic Licensing Proceedings. In "Supplement 1 - Reactor Operations" examples are provided as guidance in determining the appropriate severity level for violations in the area of reactor operations (with both power and non-power reactors following the same scheme). Our examination of the examples indicates that the event falls most closely into the Severity Level III category. The specific example listed under this heading that most closely parallels the event is:
"2. A system designed to prevent or mitigate a serious safety event:
(a) Not being able to perform its intended function under certain conditions (e.g. safety system not operable unless off-site power is available; materials or components not environmentally qualified)"
We do not believe that the violations fall under the Severity Level II classification, specifically as it refers to example:
"1. A system designed to prevent or mitigate serious safety events not being able to perform its intended safety function;"
A note appears in Part 2, defining "intended safety function."
"Intended safety function" means the total safety function, and is not directed toward a loss of redundancy. A loss of one subsystem does not defeat the intended safety function as long as the other subsystem is operable.
The physical safety system in our case is the automatic and manual scram system with multiple alarms, acting to back up the NRC licensed reactor operator at the console. This system was not fully functional in that some subsystems were not available; however, a sufficient number of other subsystems existed such that the example cited for a Severity Level II does not appear applicable.
For a Severity Level III violation, the NRC considers the application of fines and the holding of an enforcement conference. The licensee asks that the mitigating factors listed above be considered in the process of reaching a decision on the severity level assigned and the need for an enforcement conference.
Appendix A
Spurious Reactor Trips and their Significance
The term "spurious" is used in this report to indicate that no trip annunciator was associated with the trip. When such trips occur, and cannot be diagnosed after reasonable efforts, they are recorded as "noise" originated scrams or unknown scrams in the reactor logbook and annual reports. Because the unknown signal tripping the reactor lasts for an insignificantly short time and cannot be recreated intentionally for diagnosis, corrective action is very difficult.
As can be seen in the table below, for several months there have been certain weeks during which an average of two, and as many as six, spurious trips would occur with no annunciation. During other weeks, no trips would occur. During the month of March there were no trips whatsoever.
Shutdowns due to "electronic noise" in the console are infrequent, and represent more of a nuisance than a safety concern at research reactors. The nuisance stems from the need to spend about 30 minutes in getting the reactor back to power. There is no safety concern with research reactor trips because the trips do not stress the system, are reliable, and do not require the intricate shutdown procedures necessary at power reactors. With the additional requirement to perform a check of the safety system using the new Safety Systems Checklist, the minimum total time between a scram and return to full power is estimated at 45 minutes.
| Period | Operating Hrs | MW Hours | # of Scrams | Comments |
|---|---|---|---|---|
| 11-02 to 11-06-92 | 36.0 | 64.3 | 4 | 2 with no annunciator |
| 11-09 to 11-13-92 | 28.5 | 55.2 | 0 | |
| 11-16 to 11-20-92 | 17.5 | 30.9 | 5 | 4 with no annunciator |
| 11-23 to 11-27-92 | 28.0 | 0.3 | 0 | |
| 12-01 to 12-04-92 | 0.0 | 0.0 | 0 | |
| 12-07 to 12-11-92 | 13.0 | 12.5 | 0 | |
| 12-14 to 12-18-92 | 58.7 | 109.7 | 3 | |
| 12-21 to 12-25-92 | 42.5 | 78.3 | 3 | |
| 1-04 to 1-08-93 | 33.4 | 58.6 | 2 | |
| 1-11 to 1-15-93 | 42.8 | 76.5 | 0 | |
| 1-18 to 1-22-93 | 34.3 | 61.0 | 0 | |
| 1-25 to 1-29-93 | 31.9 | 59.3 | 2 | |
| 2-01 to 2-05-93 | 29.7 | 53.1 | 0 | |
| 2-08 to 2-12-93 | 44.4 | 79.7 | 0 | |
| 2-15 to 2-19-93 | 36.9 | 61.5 | 2 | |
| 2-22 to 2-26-93 | 37.0 | 67.1 | 6 | 3 with no annunciator |
| 3-01 to 3-05-93 | 42.6 | 81.6 | 0 | |
| 3-08 to 3-12-93 | 28.1 | 47.7 | 0 | |
| 3-15 to 3-19-93 | 23.4 | 43.6 | 0 | |
| 3-22 to 3-26-93 | 42.2 | 78.8 | 0 | |
| 3-29 to 4-2-93 | 41.0 | 77.1 | 1 | |
| 4-05 to 4-09-93 | 40.9 | 78.4 | 1 | |
| 4-12 to 4-16-93 | 34.5 | 17.1 | 6 | 5 with no annunciator |
| 4-19 to 4-23-93 | 27.5 | 51.3 | 0 | |
| 4-26 to 4-28-93 | 21.0 | 37.4 | 1 | 1 with no annunciator |
Appendix B
Mixer Drivers: Hardware Considerations
The mixer drivers are very simple, discrete device modules that have not been manufactured since the 1970's. It is impossible to buy spares but once a fault is identified they are readily repaired. A mixer driver is a 28 input OR gate using negative logic where zero volts represents a logical 1 while ten volts represents a logical zero. Thus for a logical zero (+10 V) to be present at the output, all 28 inputs must also be at a logical zero (+10 V). The mixer drivers use discrete components for doing this as shown in the attached diagram.
When a not-scrammed condition is present, Q1 (a PNP transistor) is cut off by having its emitter tied to 8.2 volts by the zener diode VR1 while its base is at 10 V defined by the input to any one of the 28 diodes. Note that even when a safe signal is present, at least one input must be able to sink a small amount of current to cause a 15 V drop across R1. With Q1 cut off, no current is supplied to the base of Q2 and it is also cut off, causing the output (pin 36) to be held at +10 V by the zener diode VR2. The filter on the output of the module prevents test pulses from being propagated to the Solid State Relays.
When any of the 28 inputs is brought to ground and can sink sufficient current to drop the base of Q1 sufficiently below the 8.2 V at its emitter (typically 0.8 volts below emitter or 7.4 V to ground), Q1 will conduct, passing current to the base of Q2 which will then also conduct. When Q2 conducts, it shorts out VR2 to ground causing the output to go to ground. The sink requirements for both safe and unsafe conditions are on the system as a whole. Once one input draws the necessary current to set the bias on Q1, the other inputs need not draw additional current.
The unused inputs are all tied together and then normally tied to the Range Switch Scram. All of these jumpers are within the black box of the mixer driver. Since the unused inputs are different between the two sides, when the mixer drivers were reversed several scrams were tied together in parallel. Thus, in order to get a scram under those conditions several scrams would have to come in at the same time. One of the scrams that would have to be initiated along with several others was the Key Switch Scram.
After studying the circuit diagram for the mixer drivers, no compelling reason for the original disabling of unused inputs can be inferred. The circuit has such a low input impedance that it requires about two milliamps of sink current to cause a scram. Thus if any inputs are not connected, no current can flow through them so that a scram will neither be inhibited nor disabled. Dr. Thomas Doyle (BSEE) of the Reactor Staff concurs with this assessment.
Why were the unused inputs shorted when originally installed? The technical manual on the mixer drivers makes no mention of what is to be done with unused inputs. The CAVALIER operated successfully for years with unused inputs left open. The staff tested the CAVALIER mixer drivers with open unused inputs on the UVAR on April 29, 1993 (UVAR shutdown) and found them to work fine, i.e., the portion of the Daily Checklist dealing with scrams was completed successfully. The original mixer drivers were reinstalled following the test of the CAVALIER mixer drivers.
When using CMOS logic, which requires five nanoamps of input current, it is necessary to tie all unused inputs because stray capacitance or induction or even dirt can cause a false input. When using TTL logic, which requires one half milliamp of sink current, unused inputs can usually be considered as high but a good design will tie unused inputs to the proper logic state.
There are several options that could be examined if it is decided that the Mixer Drivers be made interchangeable:
1) Remove all jumpers and leave unused inputs disconnected as was the intention of the instrument manufacturer.
2) Move the jumpers out of the modules and install them in the drawer.
3) Rearrange inputs so that they are symmetric between the two mixer drivers.
The reactor staff checked the CAVALIER and found that it uses identical, interchangeable and unmodified mixer drivers with unused inputs floating. These MDs were tried in the UVAR (shutdown) and found to work functionally as expected.
The technical manual for the mixer drivers assumes that there are two identical modules in parallel as a means of mitigating the possibility of a failure in one mixer driver from preventing a scram. In 1982, the Reactor Safety Committee rejected a proposal by SRO B.H. to route all scrams to both mixer drivers on the grounds that having the redundant scrams (power 1 & 2, pool level 1 & 2 and low flow & pump off) go independently to one or the other mixer driver would limit the possibility of an unspecified failure in one mixer driver going over to the other. This is still a valid argument.
It is relevant to discuss whether the interchange of the MDs resulted or could have resulted in damage to other console electronics. It is first recalled that the scrams that were "tied together" during the incident were:
- High Power (1 or 2)
- Key Switch
- Range Switch
- Low Flow or Pump Off
- Intermediate Period
The High Power and Intermediate Period scrams are supplied by bistables while the others are developed by contacts. The bistables can easily tolerate being in parallel with another bistable with essentially no change from its normal load in either the tripped or untripped state as their normal rating is to supply 10 ma while they represent a load of just over 2 ma.
If all of the switches were open and both bistables tripped, then the total resistance to ground seen by the tied-together inputs would be 280 ohms which implies a current of 36 ma. The 10-Volt power supplies are capable of supporting 75 ma, so they would not be damaged by any combination of scrams on the tied-together inputs plus their normal load. For this load to be present on a 10 volt power supply, at least one of the contact scrams must not be tripped. If all of the contact scrams are tripped and one but not the other bistable is tripped, the non-tripped bistable may be overloaded. The output transistors are rated for 25 ma and the output zener is rated for between 20 and 33 ma depending upon the manufacturer. Either of these components (but not both) might fail if all of the other tied-together scrams are tripped for a sustained period of time. Note that if any of the contact scrams were not tripped, there would be no load placed on the bistable. From our test, they did not fail and were probably never put under any load at all since the Key Switch was ON at all times that other scrams were being tested.
It is concluded that the interchange of MDs did not and could not have led to the failure of other console electronic components.
Included as attachments to this appendix are:
- Circuit Diagram of Mixer Driver B
- Memorandum to ReSC dated February 12, 1982
- Page 2 of Minutes of ReSC meeting of March 8, 1982
[Figure: Circuit Diagram of Mixer Driver B (schematic diagram; not legible in this copy).]
DEPARTMENT OF NUCLEAR ENGINEERING AND ENGINEERING PHYSICS
SCHOOL OF ENGINEERING AND APPLIED SCIENCE
UNIVERSITY OF VIRGINIA
Phone: 924-713G
MEMORANDUM
February 12, 1982
TO: Reactor Safety Committee
Via B.L. Shriver
FROM: B. Hosticka
SUBJECT: Scram Logic System and Annunciator Panel
I would like permission to re-arrange the inputs to the scram logic drawer so that each scram input is separate and is fed to both mixer drivers. This will involve eliminating the auxiliary scram bus and splitting dual scrams such as pool level #1 and low flow. The console manual scram will remain undisturbed and continue to be on the output of the system.
In conjunction with the above modification I will install a new scram annunciator system that has a separate placard light for each scram input. The scram input that actually caused the scram (i.e. the first scram received) would be indicated by a flashing light, all subsequent ones would light up solid.
Previous discussions of the staff have brought up the desirability of a "pump on header down" scram that would eliminate the possibility of operating the reactor with this conflicting flow configuration. If such a scram is desired, this would be a convenient time to install it.
Drawings of the old scram system, the proposed scram system and the annunciator system including technical details are attached.
This modification does not require a change in technical specifications nor does it involve an unreviewed safety question.
Attachment to Appendix B page 2 of 8
[Drawing (June 79 Revision): not legible in this copy.]
Attachment to Appendix B page 3 of 8
Scram inputs to mixer drivers
Switch developed scrams:
- Pool level #1
- Truck Door
- Escape Hatch
- Manual in Rx Room
- Manual on ground floor
- Pump On
- Range switch
Relay developed scrams:
- Evacuation
- Key switch
- Air to Header
- Pool temperature
- Face radiation
- Bridge radiation
- Pump Off
- Pool level #2
- Low flow (pump on - header down)
Bistable developed scrams:
- Power range #1
- Power range #2
- Intermediate period
Note: This page was retyped from the original for the purpose of producing a more legible copy in the 14-day reportable occurrence event report.
Attachment to Appendix B page 4 of 8
[Drawing: not legible in this copy.]
Attachment to Appendix B page 5a of 8 (see 5b)
[Drawing: not legible in this copy.]
Attachment to Appendix B page 5b of 8 (improved 5a)
[Figure III-16, Auxiliary Scram System (FSAR drawing; page reference not legible). Labels recoverable from the scan: 110 V AC, key switch, reset switch, relay coil, relay contacts, "REACTOR ON" light, +10 V power supply; dual primary scrams (primary pump off, pool level #1, low primary flow, pool level #2) to mixer-driver.]
Attachment to Appendix B page 6 of 8
[Drawing (June 79 Revision 1, marked Page 51): not legible in this copy.]
Attachment to Appendix B page 7 of 8
Reactor Safety Committee
Page 2
March 8, 1982
Page 10 add statement as follows:
The excess reactivity will vary somewhat depending on the core configuration. The limiting factor is the specification on the shutdown margin.
Page 11, under start-up count rate - function
change two shim rods to three shim rods.
under air pressure to header add setpoint of 5 psig
Page 30 a correct typographical errors
Page 33 change approximately 100 C to the boiling point of water
5.0 The proposed change to the scram logic system and annunciator panel was reviewed by the committee. It was decided that the signals going into the scram logic system should remain unchanged. The committee approved the new annunciator system and the addition of a pump on - header down scram.
6.0 The committee reviewed the proposed changes to UVAR SOP, Section 11, abnormal procedures and approved with the following changes:
Introduction:
add following sentence after first paragraph.
eg b If an abnor gm evaluate the asc =... e{t g y ar4_a Senior Operator shall be p n d
. mt to a possible reportable occurrence-
Add: Section m) Pool Temperature
Page 11 1.0 change to read as follows:
With the reactor operating at power, the indication(s) on the power range channel(s) is reading five % (100 kw) below the power level as indicated by the differential temperature across the core.
b. add following sentence:
If instrument is not required notify Senior Reactor Operator.
c. change last sentence to read:
There must be two people at the bridge to adjust wells and the adjustment shall be supervised by a Senior Reactor Operator.
Page 11 b.1 change as follows:
If the unexplained reactivity change results in a stable period of 30 seconds or less the reactor shall be shutdown.
If any reactor safety system exceeds its scram setpoint and the reactor does not scram, the operator shall scram the reactor manually.
add page 11-14 Section m:
A. Pool Temperature
The reactor pool temperature should rise approximately 10 F per hour when the reactor is first brought to power but the rate should decrease as time passes.
a) Symptoms
1. Pool temperature continues to rise after system has stabilized.
Attachment to Appendix B page 8 of 8
Appendix C
Scram Logic
A review of the scram-logic drawer drawing that has been kept up to date yields the following observations. It is assumed that during the original installation of this drawer circa 1971 all of the unused inputs of the 28 input mixer driver were bypassed by shorting out the input diodes within the Mixer-Driver-B modules. There were only a few inputs used at that time as listed below.
ORIGINAL
| Mixer Driver Input | Function |
|---|---|
| MD1-27 | Low Flow & Pool Level #1 |
| MD1-28 | Intermediate Period |
| MD1-29 | Range Switch |
| MD1-30 | Auxiliary Scrams |
| MD1-31 | Power Range #1 |
| MD2-8 | Pump Off & Pool Level #2 |
| MD2-9 | Intermediate Period |
| MD2-10 | Range Switch |
| MD2-11 | Auxiliary Scrams |
| MD2-12 | Power Range #2 |
When comparing this list with the list of disabled scrams, there is a striking similarity. (Note: The key switch now occupies the location of the old Auxiliary Scram and the pool levels now have independent inputs.)
In 1982, when the Auxiliary Scram bus was divided into its component scrams and the pool levels were separated from their shared locations to facilitate the installation of individual scram annunciators, the new scrams were given identical locations on both mixer drivers as tabulated below, while the old scrams retained their original positions.
1982 MODIFICATION
| Mixer Driver Input | Function |
|---|---|
| MD1-1 & MD2-1 | Pool Temperature |
| MD1-2 & MD2-2 | Manual Ground Floor |
| MD1-3 | Pool Level #2 |
| MD2-3 | Pool Level #1 |
| MD1-4 & MD2-4 | Manual Reactor Room |
| MD1-5 & MD2-5 | Air To Header |
| MD1-6 & MD2-6 | Pump ON |
| MD1-7 & MD2-7 | Bridge Radiation |
| MD1-13 & MD2-13 | Face Radiation |
| MD1-14 & MD2-14 | Truck Door |
| MD1-20 & MD2-20 | Escape Hatch |
| MD1-21 & MD2-21 | Pump On Header |
| MD1-25 & MD2-25 | Evacuation / Fire |
| MD1-27 | Low Flow |
| MD1-28 | Intermediate Period |
| MD1-29 | Range Switch |
| MD1-30 | Key Switch |
| MD1-31 | Power Range #1 |
| MD2-8 | Pump Off |
| MD2-9 | Intermediate Period |
| MD2-10 | Range Switch |
| MD2-11 | Key Switch |
| MD2-12 | Power Range #2 |
The "new" scrams are also the ones that continued to be operational during this event, in which the original scrams were non-operational. The up-to-date drawing of the Scram Logic Drawer does not show the internals of the modules and the manual for the modules does not indicate that any inputs in the system have been disabled. As part of the modification in 1982, the above listed inputs were re-enabled in the mixer drivers.
No explanation has been found as to why the original installation did not use interchangeable inputs for the scrams. When SRO B.H. schemed out the modification of 1982, he saw no hindrance to using the same inputs on both channels. His notes from the 1982 modification clearly indicate that at that time he was aware of the asymmetry in the mixer drivers but assigned no undue importance to this. (It is a pity that he did not have a recollection of his work on this part of the console more than a decade ago.)
The permanently shutdown CAVALIER also does not use symmetric input to its Mixer Drivers.
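The masking effect described in Appendix B and the input tables above can be checked with a small logical model. This is an added example, not part of the licensee's report: the slot wiring is copied from the 1982 table, while the contents of each module's internal jumper bus (the other slot's five original pins, tied to the module's own Range Switch pin) and the reduction of the circuit to "a jumpered bus goes to ground only when every source wired to it is tripped" are assumptions made for illustration.

```python
"""Logical model of two mixer drivers with internal jumper buses (added example)."""

# Slot wiring after the 1982 modification, from the Appendix C table:
# pin number -> scram signal. SHARED pins are identical in both slots.
SHARED = {
    1: "Pool Temperature", 2: "Manual Ground Floor", 4: "Manual Reactor Room",
    5: "Air To Header", 6: "Pump ON", 7: "Bridge Radiation",
    13: "Face Radiation", 14: "Truck Door", 20: "Escape Hatch",
    21: "Pump On Header", 25: "Evacuation / Fire",
}
SLOT_MD1 = {**SHARED, 3: "Pool Level #2", 27: "Low Flow",
            28: "Intermediate Period", 29: "Range Switch",
            30: "Key Switch", 31: "Power Range #1"}
SLOT_MD2 = {**SHARED, 3: "Pool Level #1", 8: "Pump Off",
            9: "Intermediate Period", 10: "Range Switch",
            11: "Key Switch", 12: "Power Range #2"}

# ASSUMPTION: pins jumpered together inside each module. The report only says
# the unused inputs are tied together and to the Range Switch scram, and that
# the unused inputs differ between the two sides.
MODULE_A_BUS = frozenset({8, 9, 10, 11, 12, 29})    # module built for slot MD1
MODULE_B_BUS = frozenset({27, 28, 29, 30, 31, 10})  # module built for slot MD2


def module_scrams(slot, bus, tripped):
    """True if this mixer driver's output goes to ground (scram)."""
    # Individually wired pins behave as a plain OR gate.
    for pin, signal in slot.items():
        if pin not in bus and signal in tripped:
            return True
    # Jumpered pins share one node: any untripped source holds it at +10 V,
    # and a pin with nothing connected neither causes nor inhibits a scram.
    sources = {slot[pin] for pin in bus if pin in slot}
    return bool(sources) and sources <= tripped


def console_scrams(installation, tripped):
    """The console scrams if either mixer driver scrams."""
    tripped = set(tripped)
    return any(module_scrams(slot, bus, tripped) for slot, bus in installation)


CORRECT = [(SLOT_MD1, MODULE_A_BUS), (SLOT_MD2, MODULE_B_BUS)]
SWAPPED = [(SLOT_MD1, MODULE_B_BUS), (SLOT_MD2, MODULE_A_BUS)]


def masked_single_scrams(installation):
    """Scram signals that cannot trip the console when they occur alone."""
    signals = set(SLOT_MD1.values()) | set(SLOT_MD2.values())
    return sorted(s for s in signals if not console_scrams(installation, {s}))


if __name__ == "__main__":
    print("correct:", masked_single_scrams(CORRECT))
    print("swapped:", masked_single_scrams(SWAPPED))
```

With the modules in their own slots every signal scrams on its own; with the modules interchanged the model reproduces the tied-together set listed in Appendix B, and the 1982 scrams keep working.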
Appendix D
UVAR Scrams and Alarms
Complete List Of UVAR SCRAMS
The first logic scram is indicated by flashing light, subsequent ones by solid light. All scrams are accompanied by Scram Alarm both visual (on the Combined Alarm Panel) and constant audible tone. Manual Scram on Console is mechanical switch downstream of Scram Logic.
1. Power Range #1 (250 kW or 2.5 MW, UIC)
2. Power Range #2 (250 kW or 2.5 MW, UIC)
3. Pool Level #1 (19'3", mechanical switch)
4. Pool Level #2 (19'3", electrical conductivity switch)
5. Primary Pump Off (transition, senses voltage to motor)
6. Primary Pump On (transition, pump "ON" switch)
7. Bridge Radiation (30 mR/hr, ion chamber above pool)
8. Face Radiation (2 mR/hr, ion chamber at ground floor)
9. Range Switch (2 MW mode with flow header down)
10. Pump On, Header Down (primary pump on with flow header down)
11. Air to Header (>2 psi air to floats that raise flow header)
12. Truck Door Open (confinement is lost, mechanical switch)
13. Escape Hatch Open (mechanical switch)
13a. Mineral Irradiation Scram (high gamma shield temperature or low stone bed cooling gas flow)
14. Manual by Room Door (mechanical switch)
15. Manual by Back Door (mechanical switch)
15a. Neutron Beam Port Scram (entrance into block house with beam port drained)
16. Evacuation Alarm (four mechanical switches and alarms)
16a. Fire Alarm (five pull boxes and six heat sensors)
17. Pool Temperature (105°F, RTD sensor)
18. Intermediate Period (3.5 sec, CIC)
19. Low Flow (960 gpm, differential pressure across orifice)
20. Key Switch (mechanical switch)
21. Manual Scram on Console (hard contact mechanical switch)
UVAR Interlocks
Shim Safety Rod Withdrawal prevented unless:
1) Source Counts indication greater than 2 CPS
2) Instruments NOT in test
a. Power Range #1 and #2
b. Intermediate Range
c. Source Range
d. Pool Temperature
UVAR Alarms
Alarms have a red lamp to indicate current status and a yellow lamp that locks on until cleared by operator. Scram alarm has continuous tone silenced by operator. Other alarms have intermittent tone silenced by the operator or automatically after two minutes.
1. Servo Rod Control Lost (any reason to lose automatic rod control)
3. Area or Argon Monitor High Level (particular instrument has red light)
4. Core Gamma High Radiation (gamma ion chamber 10 ft. above core)
5. Constant Air Monitor (particulates in reactor room from fission gasses)
6. Heat Exchanger Room Door (entrance to high radiation area)
7. Demin. Room Door (entrance to high radiation area)
8. Core Differential Temperature High (over power)
9. Demin. Conductivity High (> 2 micro siemens, demin. sending bad water)
10. Secondary Pump OFF (any time secondary pump is off)
11. Hot-Thimble Temperature (any temperature either high or low)