ML20055H019

From kanterella
Safety Evaluation Under 10CFR50.59 Microprocessor-Based Instrumentation & Control Sys for General Atomics Triga Mark I Reactor
ML20055H019
Person / Time
Site: General Atomics
Issue date: 12/31/1988
From:
GENERAL ATOMICS (FORMERLY GA TECHNOLOGIES, INC./GENER
To:
Shared Package
ML20055G996 List:
References
TRF-252, NUDOCS 9007250060
Download: ML20055H019 (135)


Text

TRF-252

TRIGA REACTORS FACILITY

SAFETY EVALUATION UNDER 10CFR50.59

MICROPROCESSOR BASED INSTRUMENTATION AND CONTROL SYSTEM

for the

GENERAL ATOMICS TRIGA MARK I REACTOR

December, 1988

GENERAL ATOMICS

TABLE OF CONTENTS

1. Introduction
2. TRIGA Mark I Instrumentation and Control System Hardware
   2.1 Control System Console (CSC)
   2.2 Data Acquisition and Control Unit (DAC)
   2.3 Power Monitors and Safety Systems
   2.4 Control Rod Drive Switches and Circuits
   2.5 Servo Controller Description
   2.6 SCRAM Circuit
   2.7 Modes of Operation
   2.8 Control Rod Drives
   2.9 Auxiliary Monitoring Channels
3. TRIGA Mark I Instrumentation and Control System Software
   3.1 CSC Processes
   3.2 DAC Processes
4. Safety Evaluation
   4.1 Reactor Safety Systems Description
   4.2 Safety Analysis
   4.3 Summary of Safety Analysis
5. Installation Procedures
   5.1 Final Installation and Checkout
   5.2 Modification of Written Procedures and Checklists
References

Appendix A Glossary of Terms
Appendix B Single Failure Criteria Analysis
Appendix C Scram Circuit Safety Analysis
Appendix D Failure Rate of Typical Interlock Circuitry
Appendix E Analysis of a Five Dollar Ramp Accident
Appendix F Safety Consideration for a Pulse from High Power
Appendix G Reactor Operations Checklists

1. INTRODUCTION

Control of research reactors, including the TRIGA family of reactors (e.g. the General Atomics (GA) TRIGA Mark I reactor), has been accomplished to date using instrumentation and control systems based on solid-state, hardwired, analog circuitry. The logic for this control circuitry has been developed through many years of experience and includes attention to matters such as (1) necessary redundancy in the signal inputs, signal processing and controls, and (2) prevention of single mode failure mechanisms.

A continuing problem with the presently installed console on the Mark I reactor is the progressive obsolescence of many of the solid state, analog components. Many of the electronic console components, as well as the present control rod drive system, are no longer manufactured, hence are expensive if not impossible to replace. A continuing program aimed at redesign, replacement and in general a piece-by-piece upgrade of the existing control system is not necessarily the most cost-effective approach towards reliable operation if a state-of-the-art instrumentation and control system utilizing microprocessor technology coupled with standard industrial signal conditioning equipment can be installed.

Present day developments of personal computers (PC), such as the family of IBM PCs, provide many opportunities to replace the earlier analog circuitry by compact and powerful computer based control systems. The proposed change described in this document is directed toward replacing the standard analog control console for the 250 kW GA TRIGA Mark I pulsing reactor with a microprocessor based instrumentation and control system developed by the GA TRIGA Reactor Division. This system incorporates (i) a digital wide range neutron power monitor, (ii) analog power safety channels, (iii) a variety of state-of-the-art signal conditioners and process controllers, plus (iv) a digital data acquisition and control system incorporating IBM PC/AT or compatible computers in industrial versions.

The design and manufacture of this system complies with the guidance given in the American Nuclear Society and American National Standards Institute guide ANSI/ANS 15.15-1978, "Criteria for the Reactor Safety Systems of Research Reactors" (1). This standard serves the research reactor community in lieu of the ad hoc application of similar standards for power reactors (e.g. IEEE Standard 279-1971). Even if single failure criteria for plant protective actions (not deemed mandatory by ANSI/ANS 15.15 for negligible risk reactors) were applied, the standard allows the use of simple redundancy, i.e., the monitoring of the same reactor parameter using independent, redundant equipment, to satisfy the single failure criteria for the reactor safety system.

It is important for the reviewers of this document to realize that all safety circuits are still hardwired in the system, are of the same type (analog current measuring systems) and function completely independent of the system computers. The system provides for redundancy in that two independent input assemblies provide the operator with duplicate hardwired readout of fuel temperature, log power, period, and percent power. Furthermore, the geometry and construction of these two units provides a means to assure that no common mode failure (except loss of facility AC power) can disable both of these two channels.

There are several added advantages of the system proposed for installation on the Mark I reactor which will enhance system safety, reliability and maintainability:

(i) The use of powerful microcomputers allows data - operator input as well as output - to be more efficiently and systematically processed and recorded than ever before;

(ii) Special data reductions not previously possible (such as on-line calculation of the prompt period during a pulse) will be done in near-real-time;

(iii) On-line self-diagnostics will be performed which determine the state of the system at all times, and

(iv) operational surveillance and operations data are accommodated as never before with all information gathering and processing done routinely and regularly by the console computers.


2. TRIGA MARK I INSTRUMENTATION AND CONTROL SYSTEM HARDWARE

The Instrumentation and Control System (ICS) proposed for use with GA's TRIGA Mark I research reactor is a microcomputer based reactor control system. The basic elements of this system are:

(1) A control system console (CSC);

(2) A data acquisition and control unit (DAC);

(3) Three independent power monitors and associated safety circuits;

(4) Two (or more) independent fuel temperature monitors and associated safety circuits.

Figure 2-1 is a simplified block diagram of the proposed system.

2.1 Control System Console (CSC)

The CSC is a desk-type control console located in the Reactor Control Room (Figure 2-2). Reactor operations from this console are conducted using a set of rod control switches, reactor mode switches and a computer keyboard, and information is presented to the operator through a microcomputer, color CRT, high resolution color monitor, and various indicators and annunciators.

The rod positions are adjusted by issuing commands to the CSC which in turn transmits these commands to the DAC via high speed data communication cables. The DAC reissues these commands to the rod drive mechanisms. During reactor operations, the CSC receives raw data from the DAC, again via the communications network, processes this data, and presents the data in meaningful engineering units and graphic displays on a number of peripheral systems. The CSC also provides data storage and logging capabilities.

[Figure 2-2. TRIGA Mark I Control System Console (drawing). Labels recoverable from the scan: mode and startup switches; workstation cabinet assembly; reactor information monitor; high resolution bargraphs; operations monitor; recorder; control system computer; computer storage drawer; expansion chassis; blank panel; printer drawer; rod position and keyboard; 19 in. rack; abort control; pedestal assembly.]

2.1.1 Control Panels and Indicators

The rod control panel, located directly below the high-resolution color monitor, contains the following:

1. A SCRAM switch

2. A rod magnet ON/OFF/RESET key switch

3. Manual control rod adjustment switches (UP, DOWN, CONTACT/ON)

4. An ALARM ACKNOWLEDGE switch.

To the right of the reactor status CRT are eight vertical LED bar graph displays indicating (i) percent power (safety channels 1 and 2), (ii) log power, (iii) period, (iv) fuel temperature (safety channels 1 and 2), (v) nv (peak power in a pulse), and (vi) nvt (energy released in a pulse). All bargraph displays are hardwired to their respective sensors and signal processors, and thus do not rely on computer generated output. This is part of the hardwired reactor safety system.

To the left of the reactor control CRT is the mode control panel containing (i) the console power-on switch, (ii) the prestart run switch, (iii) reactor mode switches, and (iv) thumb-wheel switches to set percent power demand in the automatic mode.

2.1.2 CRT Displays

The CSC incorporates two color CRT monitors. A high resolution color graphics (reactor control) CRT provides the operator with a real-time graphic display of the reactor status (Fig. 2-3(a)). This CRT displays a number of strategic operating parameters using bar graphs and other digital displays, and alerts the operator to any abnormal or dangerous conditions. A second reactor status CRT displays pertinent diagnostic messages and reactor status and facility status information (Figure 2-3(b)).

[Figure 2-3(a). CSC High Resolution CRT Display of Reactor Operating Parameters (screen image; shows mode "steady state", bargraphs for fuel temperature, linear power, log power and period; values not recoverable from the scan).]

[Figure 2-3(b). CSC Reactor and Facility Status CRT Display (screen image). Status window fields recoverable from the scan: NM1000 Power; NM1000 Log Power; NM1000 Linear Power; NP1000 Linear Power; NPP1000 Linear Power; Cont Air Monitor (CPM); Area Monitor (Low) (mR/h); Area Monitor (High) (mR/h); Air Activity Monitor (CPM); Water Activity Monitor (CPM); Fuel Temp #1, #2, #3 (C); Pit Water Temperature (C); Pit Water Conductivity; CTR Position; Shim Position; Current Pulse Number; Pulse Mode Prohibit; Rod Withdrawal Prohibit.]

2.1.3 Printer

The CSC also interfaces with a near-letter-quality (dot matrix) printer. The printer can be used to print out log information, historical data (such as pulse information), or any files stored in the CSC hard disk or floppy disk files. It also can be used to print the high resolution reactor status CRT, including pulse displays.

2.2 Data Acquisition and Control Unit

The DAC is located in the Mark I reactor room adjacent to the reactor and provides high speed data acquisition and control capability. It monitors the reactor power from the wide range power monitor (NM-1000), the safety channels (NP-1000 and NPP-1000), the fuel temperature safety channels, water temperature, and control rod position. The DAC receives commands from the CSC and reissues these commands to raise and lower the control rods or scram the reactor. It communicates with the CSC via a primary and a secondary serial data trunk; the secondary trunk serves as a backup should the primary trunk fail. These serial data trunks allow a drastic reduction in the wiring requirements between the reactor room and the control console. The various inputs and outputs to and from the DAC are summarized in Figure 2-4.

The DAC is a multi-shelf cabinet which contains, in addition to a variety of signal processors, an industrially hardened microprocessor-based computer. Figure 2-5 shows the basic configuration of the cabinet. The DAC cabinet houses the following equipment, arranged on shelves from top to bottom:

1. Power supplies and power conditioning equipment;

2. Relay boards, optical isolator boards, and input scanner boards;

3. Action Paks, which monitor and condition signals for temperatures, conductivity as well as other parameters;

[Figure 2-4. Summary of DAC Inputs and Outputs (block diagram). Labels recoverable from the scan: control relays and relay drivers; digital outputs (rod drive up, rod drive down, rod magnet power control, AC switched power control, pulse lockouts, transient rod air); digital input multiplexer (rod limit switches, fuel temperature, radiation monitors); temperature inputs (fuel temperatures, pool inlet and outlet temperature); analog inputs (magnet voltage, pool conductivity, demineralizer flow); A/D and D/A sections; Lab Master output; rod control.]

[Figure 2-5. Configuration of DAC Cabinet (photograph). Labels, top to bottom: power conditioning; rod up/down relays and optical isolator modules; digital output relays and digital input scanner (DIS 064); Action Pak modules; NPP-1000 and NP-1000 power safety channels; analog input termination (AI016) and Labmaster boards; DAC computer.]

4. NP-1000 and NPP-1000 power safety channels;

5. Various analog termination and serial communications boards;

6. An IBM 7532 (BC-20) microcomputer.

2.2.1 Shelf One Components

Shelf one consists of power supplies and power conditioning equipment. The magnet power supply supplies magnet power to the control rod electromagnets in the SCRAM circuit. A potentiometer power supply supplies power to the potentiometers that monitor rod positions. The solenoid power supply provides power to the solenoid controlling the air for the transient rod mechanism. The auxiliary power supply furnishes power for control relays (RLY08s), the opto-isolators, and the DIS 064 scanner board. The power conditioner contains a trip breaker and two line filters. It provides output to two 120 V ac strips. One is a direct output from the line filters; the other is switched by a remotely-controlled relay.

2.2.2 Shelf Two Components

The components of shelf two are shown in Fig. 2-6. These are:

1. Two RLY08 relay boards which handle output signals for rod movement. Board 1 controls the UP movement of the transient and standard rods; board 2 controls the DOWN movement of the transient and standard rods.

2. Six optical isolator module boards, each of which contains up to four opto-isolator signal conditioning modules. These boards interface the DAC components with external ac voltages.

2.2.3 Shelf Three Components

The components of shelf three are shown in Fig. 2-7. These are:

[Figure 2-6. Components of Shelf 2 of DAC Cabinet (photograph). Labels: RLY08 No. 2 relay board (rod down); optical isolator modules; RLY08 No. 1 relay board (rod up).]

[Figure 2-7. Components of Shelf Three in DAC (photograph). Labels: DIS 064; RLY08 No. 5; RLY08 No. 4; RLY08 No. 3.]


Table 2.1. Summary of Action Pak Functions in DAC

Location  Action Pak Type    Function                    Comments
1         4440 (-108)        Primary Flow                Not Used
2         4440 (-108)        Secondary Flow              Not Used
3         4157 (-177)        Water Temp In               Not Used
4         4157 (-177)        Water Temp Out              Not Used
5         4157 (-177)        Water Temp Pool
6         4300 (-1205N)      Magnet Voltage Monitor
7         4350 (-A003)       Fuel Temp 1
8         4350 (-A003)       Fuel Temp 2
9         4350 (-A003)       Fuel Temp 3
10        4010 (-144)        Fuel Temp Test              Prestart Time Delay Relay K2
11
12        4001.5
13        1000 (-6016 L,N)   Fuel Temp 1 Limit
14        1000 (-6016 L,N)   Fuel Temp 2 Limit
15        1000 (-6016 L,N)   Fuel Temp 3 Limit
16        1020 (-6074 L)     Ground Fault Detector
17        4800 (-325)        Fuel Temp. Ramp Timer
18        4300 (-122)        NP-1000 High Power Limit
19        4300 (-122)        NPP-1000 High Power Limit
          Scram Check Relay K1
          Scram Check Relay K4
          Scram Check Relay K3

1. Three RLY08 relay boards which provide a variety of digital output signals. These include (i) control of the standard control rod electromagnet current; (ii) transfer of test signal inputs into the Action Pak limit alarms during prestart test mode; (iii) DAC watchdog relay contacts in the SCRAM circuits; (iv) control of switched 120 V ac power; (v) NM-1000 and NP-1000 scram lockouts during pulsing operation; (vi) NPP-1000 amplifier gain change control for pulse mode; and (vii) control of the transient rod air solenoid.

2. A digital input scanner board (DIS 064) which has a capacity of 64 inputs. The module consists of a remote intelligent module (RIM 808), which controls the DIS 064, and a diode matrix/terminator board. The DIS 064 scans up to 64 isolated contacts every 10 ms.

2.2.4 Shelf Four Components

Shelf four of the DAC (Figure 2-8) contains 17 Action Pak modules and 3 trip test relays which are used to monitor or condition reactor sensor signals (Action Paks perform the function of the bistable trips in the old analog TRIGA consoles). A summary of the functions of the various Action Paks is provided in Table 2-1.

2.2.5 Shelf Five Components

Shelf five (Figure 2-9) contains the NPP-1000 and the NP-1000 nuclear instruments that serve as power safety channels 1 and 2.

2.2.6 Shelf Six Components

[Figure 2-9. Components of Shelf Five in DAC (photograph). Labels: NP1000 amplifier and mux; HV power supply.]

1. An analog input termination board (AI016) which receives all inputs to the AI016 board No. 2 in the microcomputer (shelf 7).

2. The Lab Master daughter board, which is an analog-to-digital (A/D) converter for the Lab Master mother board (located in the BC-20 microcomputer). The Lab Master is a high speed module that is required for data collection in the pulsing mode, and also serves as a D/A converter for the translator input for servo (AUTO mode) operations.

2.2.7 Shelf Seven

Shelf seven in the DAC contains the BC-20 (IBM PC/AT-compatible) microcomputer. The computer chassis consists of the following modules:

1. A central processing (CPU) board, consisting of an Intel CPU board with 512 K on-board RAM and a battery backed real-time clock. It is configured to boot up from the hard disk drive when power is turned on.

2. A RAM expansion board which adds 640 K of RAM. The board includes two RS232 serial input/output ports, and one printer port (not used). Serial port 1 connects to the DIS 064 digital input scanner (shelf three) and serial port 2 connects to the NM-1000.

3. A Lab Master high speed analog input/output board, which connects directly to the Lab Master daughter board on shelf six. When the system is in pulse mode, the mother board receives high-speed analog input data from the pulse ion chamber via the NPP-1000 and the daughter board. In the servo configuration, the Lab Master generates a ±5 V analog signal from the digital output of the 7532 servo controller software. This signal is used to drive the stepping motor translators.

4. Two IC/network boards (these are high-speed, token-passing, local area network boards that operate at one megabaud over standard IBM communication cables). The network boards handle communication between the DAC and the CSC. The two boards provide system redundancy: the computer automatically switches to the alternate board if the main board fails.

5. A watchdog board which acts as fail-safe hardware capable of shutting down the reactor in case of a computer malfunction. The board controls relay contacts in the SCRAM circuit such that if the DAC loses power or stops operating, the relay will be deenergized and the reactor SCRAMMED. The board has two individual outputs connected to redundant watchdog relays. The board also acts as a monitor of the DAC software by providing four completely independent outputs which constantly check for proper operation of four separate software modules.

6. The digital output module (DUM32) which provides up to 32 digital outputs. Most of these outputs are used to control the RLY08 boards on shelves two and three.

7. Two AI016 analog input boards, which receive 16 analog inputs per board. These inputs are received from terminal blocks TB1 and TB2 at the bottom of the DAC cabinet. The inputs to AI016#1 consist of rod position indicators, radiation monitors and the two power safety channels; inputs to AI016#2 include the fuel temperature safety channels, pit water temperature and pit water conductivity.
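The watchdog board in item 5 above is an energize-to-run design: the scram relay stays picked up only while the DAC has power and every one of the four monitored software modules keeps refreshing its own output. The following Python simulation, added here as an illustration and not taken from the document or from GA's DAC software, shows why that convention is fail-safe. The refresh deadline, the module names, the kick/refresh interface and the constructed timeline are all assumptions of the example.

```python
"""Simulation of an energize-to-run watchdog modelled on the DAC watchdog
board described above: four software modules must each refresh a dedicated
watchdog output within a deadline, and two redundant relays in the scram path
stay energized only while every output is being refreshed and the board has
power. Added example; timeout, module names and timeline are assumptions."""

from dataclasses import dataclass, field

WATCHDOG_TIMEOUT_S = 0.5  # assumed refresh deadline for each software output

MODULES = ("acquisition", "rod_control", "comms", "display")  # assumed names


@dataclass
class WatchdogBoard:
    timeout_s: float = WATCHDOG_TIMEOUT_S
    # Last refresh time per module. None means "never refreshed", which is the
    # fail-safe default: the relay cannot be energized until every module has
    # proven it is alive at least once.
    last_kick: dict = field(default_factory=lambda: {m: None for m in MODULES})
    powered: bool = True

    def kick(self, module: str, now: float) -> None:
        """A software module refreshes its dedicated watchdog output."""
        if module not in self.last_kick:
            raise KeyError(f"unknown watchdog channel: {module}")
        self.last_kick[module] = now

    def stale_modules(self, now: float) -> list:
        """Modules whose output has not been refreshed within the deadline."""
        return [m for m, t in self.last_kick.items()
                if t is None or now - t > self.timeout_s]

    def relay_energized(self, now: float) -> bool:
        """True only while the board has power and no channel is stale.
        Every other state, including loss of power, drops the relay."""
        return self.powered and not self.stale_modules(now)

    def redundant_outputs(self, now: float) -> tuple:
        # Both watchdog relays are driven from the same decision.
        energized = self.relay_energized(now)
        return (energized, energized)


def scram_demanded(board: WatchdogBoard, now: float) -> bool:
    """A scram is demanded if either redundant relay is de-energized."""
    return not all(board.redundant_outputs(now))


def run_scenario() -> dict:
    """Constructed timeline: all modules healthy, then rod_control stalls,
    then DAC power is lost. Returns the scram state at each checkpoint."""
    wd = WatchdogBoard()
    results = {"before_first_kick": scram_demanded(wd, 0.0)}
    t = 0.0
    # 0.0 .. 2.0 s: every module refreshes every 0.1 s
    while t < 2.0:
        for m in MODULES:
            wd.kick(m, t)
        t = round(t + 0.1, 3)
    results["all_healthy"] = scram_demanded(wd, 2.0)
    # 2.0 .. 3.0 s: rod_control stops refreshing (simulated hang)
    while t < 3.0:
        for m in MODULES:
            if m != "rod_control":
                wd.kick(m, t)
        t = round(t + 0.1, 3)
    results["stalled_module"] = scram_demanded(wd, 3.0)
    results["stale"] = wd.stale_modules(3.0)
    # Loss of DAC power: the relay drops regardless of software state.
    wd.powered = False
    results["power_lost"] = scram_demanded(wd, 3.0)
    return results


if __name__ == "__main__":
    for checkpoint, state in run_scenario().items():
        print(f"{checkpoint}: {state}")
```

The point the simulation makes is that no code path has to "decide" to scram: a module that hangs, a crashed processor or a power loss all stop the refreshes, and the relay dropping out is what the hardware does by default. A design that required the computer to actively assert a scram output would fail silent in exactly those cases.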

2.3 Power Monitors and Safety Systems

The power monitors and safety systems of the Mark I ICS monitor the power from source level to full power (250 kW) and the rate of power change (from -30 to +3 sec period) in the steady state modes. The NM-1000 power monitor and safety channel provides power level and rate of change information, scram and servo control (in automatic mode) functions using an ex-core fission chamber, amplifiers and high voltage power supplies, a dedicated microcomputer, and interfaces with the DAC and CSC. Power is displayed on the high-resolution CRT monitor and is also hard-wired to an LED log power bargraph display.

In addition, two independent power monitor and safety systems are provided to monitor the reactor and shut the reactor down (SCRAM) in the event of an overpower condition. These channels utilize GA's NP-1000 or NPP-1000 nuclear instrumentation system, with uncompensated ion chambers (UCIC), and interface with the CSC and DAC. Power is displayed on the high-resolution CRT monitor and is also hard-wired to the LED percent power bargraph displays.

The pulse channel monitors the power level up to 1200 MW in the pulse mode. The DAC will collect the pulse channel data via the Lab Master module and transmit the data to the CSC for processing. Each of these channels is explained in more detail below.

2.3.1 NM-1000 Monitoring and Safety Channel

The NM-1000 (Figure 2-10) is an industrial neutron monitoring system which is used both in research reactors and in nuclear power plants. It utilizes a fission chamber for the neutron detector, pulse processing electronics and a microcomputer to process instrument readings. Outputs are routed to the DAC and then to the CSC for processing and display. Log power and reactor period are also displayed on hardwired bargraphs. The NM-1000 is contained in two NEMA enclosures, one for the amplifier and pulse processing electronics and the other to house the microprocessor assemblies. The enclosures are mounted on the wall of the reactor room adjacent to the DAC. A functional block diagram of the Mark I NM-1000 is shown in Fig. 2-11. The amplifier assembly contains the following:

1. Modular plug-in type subassemblies for the pulse preamplifier electronics.

[Figure 2-10. NM-1000 enclosures (photograph; labels not recoverable from the scan).]

[Figure 2-11. Operational Power Monitor Functional Block Diagram. Labels recoverable from the scan: fission chamber (core) and preamplifier; amplifier with SCRAM and H.V. loop; processor; DAC; console; outputs to log power and period bargraphs, % power, CRT display and recorder. Drawing I-189(3)A, 9-7-88.]

2. Bypass filter and RMS electronics for the wide range Campbell amplifier.

3. Signal conditioning circuits.

4. Low voltage power supplies.

5. Detector high-voltage supply.

6. Digital diagnostics and communication electronics.

The processor assembly consists of:

1. Modular plug-in subassemblies (for communication electronics between amplifier and processor).

2. Microprocessor.

3. Control/display module.

4. Low voltage power supplies.

5. Isolated 4 to 20 mA outputs.

6. Isolated rod withdrawal prohibit (RWP) outputs.

7. Isolated power/high voltage trip outputs.

8. Period trip contacts.

The NM-1000 as used on the TRIGA Mark I uses a standard 1.3 counts/sec-nv encased fission chamber to provide 10 decades of power indication, from shutdown (source) level to full power, hence it is also referred to as a wide-range power monitor. Both log power and linear power readouts are provided; the linear power indication is autoranging. A count rate circuit is used to monitor power for six decades up from source level; the top four decades are monitored by a Campbelling circuit. When neutron flux levels become high enough that the detector cannot be operated in the count rate mode (power proportional to the pulses from the detector) without excessive pulse pile-up problems, the Campbelling technique is used. This technique consists of electronically deriving a signal which is proportional to the root mean square of the current fluctuations present in the fission chamber signal.

The amplifier/processor circuit employs designs which perform automatic on-line self diagnostics and calibration verification. Detection of unacceptable circuit performance is automatically alarmed. The system is calibrated and checked (including the testing of RWP trip points) prior to operation during the prestart checks. The accuracy of the channels is ±3% of full-scale; RWP and high power trip settings are repeated within 1% of full-scale input.

2.3.2. NP-1000 Safety Channel

The NP-1000 power safety channel is a complete analog linear percent power monitoring system housed within one compact enclosure in the DAC. A functional block diagram of the NP-1000 (safety channel 1) is given in Fig. 2-12. The NP-1000 enclosure contains the following:

1. Current-to-voltage conversion signal conditioning.

2. Power supply trip circuits.

3. Isolation devices.

4. Computer interface circuitry.

The power level trip circuit is hardwired into the SCRAM circuit, and the isolated analog outputs are monitored by the CSC as well as being hardwired to a vertical LED percent power bargraph indicator on the right side of the CSC. The system uses an uncompensated ion chamber to detect neutrons.

2.3.3. NPP-1000 Safety/Pulse Channel

The NPP-1000 system is identical to the NP-1000, except that a pulse integrator circuit and nv peak circuit have been added to measure peak power and total energy in the pulse mode. The CSC automatically selects the proper gain setting for pulse or steady state mode, depending on the mode selected by the reactor operator. A functional block diagram of the NPP-1000 is given in Fig. 2-13.

Figure 2-12. Safety Channel Power Monitor, Functional Block Diagram.

Figure 2-13 (9-7-88). Safety Channel/Pulse Power Monitor, Functional Block Diagram (pulse mode only).

2.3.4. Fuel Temperature Safety Channels

The fuel temperature safety channels are redundant, fail-safe monitors of fuel temperature and will scram the reactor if a trip limit of 500°C is reached. Both sensors are type K thermocouples resident in instrumented TRIGA fuel elements. These voltage inputs are optically isolated and converted to 0 to 20 mA output signals. Each current loop provides three important functions:

1. Input to a trip unit that scrams the reactor if the signal is too high;

2. Input to a vertical LED fuel temperature bargraph located on the reactor control console;

3. Input to the computer via the AI016 No. 2 analog input board.

Figure 2-14 is a block diagram showing the functional aspects of the fuel temperature monitors.

2.4 Control Rod Drive Switches and Circuits

The standard (rack-and-pinion) control rod drive circuit consists of the UP/DOWN switches on the CSC and the UP/DOWN relays in the DAC. Pushbutton switches on the CSC rod control panel are arranged in four vertical columns, one column for each control rod. Each row of switches contains a white DOWN switch, a white UP switch, and a yellow pushbutton MAGNET switch.

Indication of the control rod position on the high resolution CRT is as follows:

Figure 2-14. Fuel Temperature Monitor Functional Block Diagram.

GREY control rod. A GREY colored rod indicates that the control rod is at its lower limit.

MAGENTA control rod. A MAGENTA rod indicates that the control rod and rod drive are at its upper limit.

GREEN control rod. A GREEN control rod indicates that the rod and drive are between the upper and lower limits.

MAGNET box. The YELLOW color in the box between each control rod and rod drive graphic on the high resolution CRT indicates that the electromagnet power is ON. The magnet power circuit is energized by a key switch located on the left side of the control panel. The absence of the yellow color, or a BLACK indication, signifies the absence of magnet current.

When the MAGNET pushbuttons are depressed, magnet current is interrupted and the YELLOW color in the MAGNET box will be eliminated. If a control rod is above the down limit, the rod falls back into the core. Releasing the button closes the magnet circuit and magnet current is reset.

Software interlocks in the UP pushbutton circuit make this circuit inoperative under certain conditions. First, a minimum source interlock relay in the NM-1000 prohibits rod withdrawal in the absence of a set minimum source level count. Also, any time the console is in the transient mode of operation, the standard motor driven rods cannot be raised. Second, withdrawal of more than one rod at a time is prevented. Software interlocks inhibit all rod UP drive relays in the DAC any time two or more rod UP pushbuttons are pressed on the CSC rod control panel. All UP buttons must first be released before any rod withdrawal is permitted.


In automatic (as well as square wave) mode, the regulating rod drive is removed from manual control. Software control is then exercised over rod motion using a PID algorithm (Section 2.5) to drive the rod either up or down based on a comparison of the reactor power with the power demand set by means of the thumbwheel switches on the CSC mode control panel.

2.5. Servo Controller Description

The servo controller, in the automatic mode, controls the reactor power automatically to the demand power level selected by the operator. Thumbwheel switches are provided on the mode control panel for the desired power selection. The servo controller will track and stabilize reactor power through the utilization of a proportional-integral-derivative (PID) algorithm. The servo controller system utilizes the latest digital computer technology coupled with extensively developed software. This is in comparison to previous TRIGA consoles, which used an analog computer to control rod motion in the servo mode.

Reactor power level and changes are measured by an analog/digital input from the NM-1000 channel. The PID algorithm in the DAC then responds to this input by comparing it to the operator-set demand power level on the CSC, by movement of the regulating control rod, which is powered by a precise translator/stepping motor drive. This drive will be driven up or down automatically to control the power level to the demand power level setting. The rate of power increase is limited by a preset, acceptable reactor period (Section 2.7.3).

The drive mechanism for the servo control rod drive is an electric stepping-motor-actuated linear drive equipped with a magnetic coupler and a rod position potentiometer.

2.6. SCRAM Circuit

The SCRAM circuit is shown in Fig. 2-15. Most of the scram circuit components are located in the DAC. The circuit is completely hardwired and


does not in any way depend on the computer in the console (CSC) or in the DAC, nor on any software.

Additionally, watchdog timer circuits in both the CSC and DAC would initiate a scram should there be a failure in any one of four control software modules. If not reset properly by any one of the four software modules, the watchdog relays will deenergize, opening the SCRAM circuit and causing a reactor SCRAM.

2.6.1. Monitoring Components

The SCRAM circuit is monitored for two conditions: power supply output voltage and shorts to ground. The voltage output is monitored by an Action Pak unit (see Table 2-1). Insulation from the chassis ground is monitored by another Action Pak serving as a ground fault detector, which detects and reports shorts to ground (the entire scram circuit is isolated from ground). In each case, a relay contact closure output is provided to the DAC computer. A fault in either case will be indicated on the High Resolution CRT and Reactor Status CRT.

2.6.2. Control Inputs

The following are control inputs to the SCRAM circuit in the DAC:

1. The NP-1000 and NPP-1000 Safety Channels. The reactor power is monitored by these two channels using two independent uncompensated ion chambers (UCIC). If the reactor power exceeds the trip setpoint (275 kW or 110% of licensed power), the unit will open its relay contact in the hardwired scram circuit and close its contact to the DAC computer digital input, scramming the reactor. A SCRAM message will be displayed on the CSC. Also installed in the NP and NPP enclosures are high voltage power supplies for the associated detectors. Trip circuits in each of these devices monitor for a decrease in high voltage. At approximately a 20% decrease this trip will scram the reactor.


2. Fuel Temperature. The reactor fuel temperature is monitored using two type K (chromel/alumel) thermocouple inputs. Each thermocouple input is conditioned by an Action Pak module, which monitors for high level alarm limits. If a temperature channel exceeds the limit setpoint or the thermocouple shorts, the unit will open its scram relay contact in the SCRAM circuit and close its contact to the DAC computer digital input, scramming the reactor. A SCRAM message will be displayed on the CSC.

3. External Scrams. There is one set of external SCRAM contacts in each of the supply and return trains. These contacts are used for any external SCRAMs that may be required, e.g., the high-temperature King furnace operations in the Mark I. Two sets of contacts are required for each external scram wired into the scram circuit, one for the hardwired relays, and a second as a DIS 064 input for scram indication on the CSC. One set of the external scrams will be dedicated to the license-required high-temperature King Furnace operations on the Mark I reactor.

4. CSC Manual SCRAM Switch. The SCRAM circuit is connected to the CSC and the DAC. The RED SCRAM push button on the CSC has three sets of contacts. One set is in the supply train and one set is in the return train. A third set provides digital input to the CSC computer (IBM 7532). Pressing the scram button opens both sets of contacts in the scram circuit and closes the contacts to the CSC computer digital input.

5. CSC Watchdog. The CSC computer includes a watchdog timer board. The watchdog board has four independent timers, all of which must be continuously retriggered at least every 10 seconds by the operating software modules to prevent timeout. If a monitored software module fails or hangs up, the associated timer will time out and both watchdog relays will be deenergized, opening their contacts in the SCRAM circuit. Also, if the CSC computer recognizes a SCRAM condition, either internally or externally, it will command the watchdog to reset and stop all timers. This causes an immediate SCRAM.

6. CSC Magnet Power Key Switch. The key switch on the CSC, plus the requirement for operators to use passwords before rod magnet current can be applied, provides a secure method of preventing inadvertent startup of the reactor. The key switch has three positions: "OFF" interrupts the magnet power and forces a SCRAM condition; "ON" enables magnet power; and "RESET" enables magnet power and signals the CSC to reset from a SCRAM condition. The switch returns to the "ON" position when released. As the switch is moved from one position to another, the switch position is signaled via digital inputs to the CSC. Switching from "ON" to "RESET" will also scram the reactor should the reactor be operating.

7. DAC Watchdog. A watchdog board is included in the DAC computer also. The DAC watchdog is identical to the CSC watchdog and operates in the same manner.

2.6.3. Operating Outputs

Outputs controlled by the SCRAM circuit include the electromagnets for the regulating, shim I, and shim II rods, and the solenoid controlling the air supply to the transient rod. If the voltage from the power supply is adequate and all of the input control conditions are normal, the SCRAM interlock relay in the transient rod solenoid circuit will be energized and the solenoid control enabled.

Voltage is also supplied to the normally open contacts of the magnet control relays. These relays are controlled by the DAC computer as directed by the CSC computer. A closed contact will energize the associated electromagnet. If the rod is in contact with the magnet, it will follow the motion of the drive mechanism.

If, at any time, one or more of the input control conditions become abnormal, its SCRAM contacts will open. This will remove current from all rod electromagnets and deenergize the solenoid, thereby dropping all control rods into the core. The SCRAM condition must be cleared and the computer reset before operations can be resumed.
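The following is a behavioural model of the SCRAM chain described in Sections 2.6.2 and 2.6.3, added here as an example; it is not General Atomics' code. The contact labels, the four module names and the latch that holds the circuit down until a RESET are assumptions; the 110% power, 20% high-voltage, 500°C and 10 s figures are those quoted in the text.

```python
"""Model of the hardwired SCRAM circuit and watchdog timers of Section 2.6.
Illustration only: not General Atomics' code. Contact labels, module names
and the latch/reset behaviour are assumptions; the numeric setpoints are the
ones quoted in the report."""
from dataclasses import dataclass, field

POWER_TRIP_PERCENT = 110.0   # NP-1000 / NPP-1000 % power trip (2.6.2 item 1)
HV_TRIP_FRACTION = 0.20      # trip on ~20% decrease in detector high voltage
FUEL_TEMP_TRIP_C = 500.0     # fuel temperature trip limit (2.3.4, 2.6.2 item 2)
WATCHDOG_TIMEOUT_S = 10.0    # each timer retriggered at least every 10 s (item 5)


def power_trip_open(percent_power):
    """Safety channel relay contact opens at or above the trip setpoint."""
    return percent_power >= POWER_TRIP_PERCENT


def hv_trip_open(hv_volts, hv_nominal):
    """High-voltage trip opens once the supply has dropped ~20% from nominal."""
    return hv_volts <= hv_nominal * (1.0 - HV_TRIP_FRACTION)


def fuel_temp_trip_open(temp_c, thermocouple_shorted):
    """Action Pak contact opens on high temperature or a shorted thermocouple."""
    return thermocouple_shorted or temp_c >= FUEL_TEMP_TRIP_C


@dataclass
class WatchdogBoard:
    """Four independent timers; both relays stay energized only while every
    timer has been retriggered within the timeout. Module names are assumed."""
    timeout: float = WATCHDOG_TIMEOUT_S
    last_retrigger: dict = field(
        default_factory=lambda: {f"module_{i}": 0.0 for i in range(1, 5)})
    stopped: bool = False    # computer commanded "reset and stop all timers"

    def retrigger(self, module, now):
        if module not in self.last_retrigger:
            raise KeyError(f"no watchdog timer for {module}")
        if not self.stopped:
            self.last_retrigger[module] = now

    def stop_all_timers(self):
        """Issued when the computer recognises a SCRAM: immediate SCRAM."""
        self.stopped = True

    def relays_energized(self, now):
        if self.stopped:
            return False
        return all(now - t < self.timeout for t in self.last_retrigger.values())


@dataclass
class ScramCircuit:
    """Series chain of contacts: any open contact removes magnet current.
    Once tripped, the circuit stays down until a RESET (modelled latch)."""
    supply_voltage_ok: bool = True
    open_contacts: set = field(default_factory=set)
    tripped: bool = False

    def set_contact(self, name, is_open):
        if is_open:
            self.open_contacts.add(name)
        else:
            self.open_contacts.discard(name)

    def magnets_energized(self):
        return self.supply_voltage_ok and not self.open_contacts and not self.tripped


def evaluate(circuit, csc_wd, dac_wd, now, *, percent_power, hv_volts, hv_nominal,
             fuel_temps_c, tc_shorted, external_scram, manual_scram, key_position):
    """Refresh every contact from the current inputs and return
    (magnets_energized, sorted names of the open contacts)."""
    circuit.set_contact("NP-1000 %power", power_trip_open(percent_power))
    circuit.set_contact("NPP-1000 %power", power_trip_open(percent_power))
    circuit.set_contact("detector HV", hv_trip_open(hv_volts, hv_nominal))
    for i, temp in enumerate(fuel_temps_c, start=1):
        circuit.set_contact(f"fuel temp {i}", fuel_temp_trip_open(temp, tc_shorted[i - 1]))
    circuit.set_contact("external scram", external_scram)
    circuit.set_contact("manual scram", manual_scram)
    circuit.set_contact("key switch", key_position == "OFF")
    circuit.set_contact("CSC watchdog", not csc_wd.relays_energized(now))
    circuit.set_contact("DAC watchdog", not dac_wd.relays_energized(now))
    if circuit.open_contacts:
        circuit.tripped = True           # SCRAM condition latches
    elif key_position == "RESET":
        circuit.tripped = False          # cleared only by an explicit reset
    return circuit.magnets_energized(), sorted(circuit.open_contacts)
```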

2.7. Modes of Operation

The TRIGA Mark I ICS permits four standard operating modes: prestart, manual, automatic, and pulse.

2.7.1 Prestart Mode. The prestart mode is used to run diagnostic tests on the various system devices which have the ability to cause a reactor SCRAM. Prestart checks are run automatically by the software, and are initiated by the operator using the PRESTART CHECKS RUN switch on the CSC mode control panel. These checks do not require that the keyswitch be ON or an operator logged on to the system prior to entering this mode.

The prestart software comprises a portion of the DCP process which runs in the DAC (Section 3.2). When the prestart checks are initiated at the CSC, the SC process (Section 3.1) redirects the screen outputs to the DAC software across the network, i.e., the prestart software communicates directly with the output devices. The following checks are then made during prestart checks:

1. Fuel Temperature Scram Circuit Test. This test is performed by making the software output a test voltage on the analog output channel to test the fuel temperature limit Action Paks. Two tests are conducted: one, where the output voltage corresponds to 95% of the configured temperature, which is tested to ensure that the alarm is not activated, and second, where the output voltage corresponds to 100% of the configured temperature to ensure that the limit alarm is activated.

2. NM1000 Test. Calibration modes 2 through 5 are sequentially tested for correct power level output, where modes 2 and 3 test the count rate channel output, and modes 4 and 5 test the Campbell output. The power level is deemed acceptable if the measured value falls between 95% and 105% of the configured value. While in mode 5, the NM1000 % Power High trip is also tested. The source level trip is also tested to ensure that rod withdrawal prohibit interlocks are functioning as intended.

3. NPP1000 and NP1000 Tests. The % Power SCRAM and loss of high voltage SCRAM trips are tested sequentially by activating the test inputs in each of these channels using one of the RLY08 pretest relays. Activating the test inputs causes the two analog channels to output a power level of 110%. Following these tests, the pretest relays are turned off to test the trips in their OFF condition.

4. DAC Watchdog Test. While in the prestart mode, the "scanner" process has been halted for some time and therefore the DAC watchdog timers have timed out. This condition is tested by the "timed-out" test. Following this test, the four timers are retriggered and this condition tested.

5. Devices Not Tested Automatically. The following devices are not tested by the prestart software and they must be tested manually: External Scram Circuits; Magnet Power Keyswitch; and Console Manual Scram Button. In addition, the software prestart checks do not provide the required demonstration that a SCRAM will indeed drop a raised control rod. These are also tested manually using hardwired circuitry.
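The sequence in items 1 through 4 above, rendered as software; this is an added example, not General Atomics' prestart code. The channels are stand-in comparators fed constructed readings, and only the 95%/100%, 95% to 105% and 110% acceptance limits come from the text. The point it makes is that every trip is exercised in both its asserted and its cleared state, which is what catches a contact stuck in either position.

```python
"""Prestart check sequence modelled on Section 2.7.1 (illustration only; not
General Atomics' code). Channels are simulated by simple comparators so the
sequence runs offline; all numbers other than the acceptance limits quoted
in the report are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

NM1000_TOLERANCE = 0.05             # reading must lie within 95% .. 105% of configured
FUEL_TEMP_NO_ALARM_FRACTION = 0.95  # first test point must not alarm; 100% must
PRETEST_POWER_PERCENT = 110.0       # level the pretest relay forces on NP/NPP


@dataclass
class TripUnit:
    """Setpoint comparator standing in for an Action Pak or channel trip.
    `stuck` injects a constructed contact fault: "tripped" or "normal"."""
    setpoint: float
    trips_on: str = "high"          # "high": value >= setpoint; "low": value <= setpoint
    stuck: Optional[str] = None

    def tripped(self, value: float) -> bool:
        if self.stuck == "tripped":
            return True
        if self.stuck == "normal":
            return False
        return value >= self.setpoint if self.trips_on == "high" else value <= self.setpoint


def fuel_temp_test(unit: TripUnit, configured_temp_c: float) -> bool:
    """Two-point test: a test voltage at 95% of the configured temperature must
    not alarm, and one at 100% must. Both halves are needed to detect a
    contact stuck in either state."""
    no_alarm_ok = not unit.tripped(FUEL_TEMP_NO_ALARM_FRACTION * configured_temp_c)
    alarm_ok = unit.tripped(configured_temp_c)
    return no_alarm_ok and alarm_ok


def nm1000_test(measured: Dict[int, float], configured: Dict[int, float],
                high_trip: TripUnit, source_rwp_active: bool) -> bool:
    """Calibration modes 2..5 must read within 95%..105% of the configured
    value (2, 3: count-rate output; 4, 5: Campbell output). In mode 5 the
    %Power High trip must assert, and the source-level RWP interlock must work."""
    for mode in (2, 3, 4, 5):
        cfg = configured[mode]
        if not cfg * (1 - NM1000_TOLERANCE) <= measured[mode] <= cfg * (1 + NM1000_TOLERANCE):
            return False
    return high_trip.tripped(measured[5]) and source_rwp_active


def np_npp_test(channel: Callable[[bool], Tuple[float, float]],
                power_trip: TripUnit, hv_trip: TripUnit) -> bool:
    """With the pretest relay energised the channel must report 110% power and
    a tripped HV input; with it released both trips must be clear."""
    pct, hv = channel(True)
    on_ok = pct >= PRETEST_POWER_PERCENT and power_trip.tripped(pct) and hv_trip.tripped(hv)
    pct, hv = channel(False)
    off_ok = not power_trip.tripped(pct) and not hv_trip.tripped(hv)
    return on_ok and off_ok


def dac_watchdog_test(relays_energized_when_timed_out: bool,
                      relays_energized_after_retrigger: bool) -> bool:
    """The timed-out state must have dropped the relays; retriggering must restore them."""
    return (not relays_energized_when_timed_out) and relays_energized_after_retrigger


def constructed_channel(relay_on: bool) -> Tuple[float, float]:
    """Stand-in NP-1000/NPP-1000 channel: (% power, detector HV in volts)."""
    return (110.0, 600.0) if relay_on else (0.0, 800.0)


def run_prestart(fuel_unit: Optional[TripUnit] = None,
                 nm_mode4_reading: float = 10.3) -> Dict[str, bool]:
    """Run the automatic checks against constructed channel data and return a
    pass/fail map. The manual items of 2.7.1(5) are outside this sequence."""
    fuel_unit = fuel_unit or TripUnit(500.0)
    configured = {2: 0.001, 3: 0.1, 4: 10.0, 5: 100.0}       # constructed % power values
    measured = {2: 0.00102, 3: 0.098, 4: nm_mode4_reading, 5: 101.0}
    results = {
        "fuel_temperature_scram": fuel_temp_test(fuel_unit, 500.0),
        "nm1000_calibration": nm1000_test(measured, configured, TripUnit(95.0), True),
        "np_npp_trips": np_npp_test(constructed_channel, TripUnit(110.0), TripUnit(640.0, "low")),
        "dac_watchdog": dac_watchdog_test(False, True),
    }
    results["all_automatic_checks_passed"] = all(results.values())
    return results
```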

2.7.2 Manual Mode. The manual and automatic reactor control modes are used for reactor operations from source level to 100% of licensed power. These two modes are used for manual reactor startup, change in power level, and steady state operation. The pulse mode generates high power levels for very short periods of time.

Manual rod control (Figure 2-16) is accomplished through the use of push buttons on the rod control panel. The top row of push buttons (magnet) is used to interrupt the current to the rod drive magnet. If the rod is above the down limit, the rod will fall back into the core and the magnet will automatically drive to the down limit, where it again contacts the armature.

The middle row of push buttons (UP) and the bottom row (DOWN) are used to position the control rods. Depressing these push buttons causes the control rod to move in the direction indicated. Several interlocks prevent the movement of the rods in the up direction under conditions such as the following:

1. Scrams not reset.

2. Magnet not coupled to armature.

3. Source level below minimum count.

4. Two UP switches depressed at the same time.

5. Mode switch in the pulse position.

6. Magnet current not enabled.

There is no interlock inhibiting the DOWN motion of more than one control rod.

Figure 2-16 (7-27-87). Steady-State Standard and Transient Rod Drive Functional Block Diagram.

2.7.3 Automatic Mode. Automatic (servo) power control can be obtained by switching from manual operation to automatic operation. All the instrumentation, safety, and interlock circuitry described above applies and is in operation in this mode. However, the servoed rod (regulating rod) is controlled automatically in response to the power level and period signal. The reactor power level is compared with the demand level set by the operator and is used to bring the reactor power to the demand level on a fixed preset period no shorter than 6.5 seconds. The purpose of this feature is to automatically maintain the preset power level during long-term power runs. Figure 2-17 is a functional block diagram of the auto-mode operation of the Mark I reactor.

2.7.4 Pulsing Mode. Reactor control in the pulsing mode (Figure 2-18) consists of establishing criticality at a power level below 1 kW in the steady state mode. This is accomplished by the use of the standard motor driven control rods, leaving the transient rod fully inserted. Selection of pulse mode on the CSC mode control panel causes several instrumentation changes in the DAC. First, both the NP-1000 and NM-1000 scrams are bypassed. Second, the gain of the NPP-1000 is changed to 1200 MW full scale. Third, the nvt and nv peak circuits are enabled in the NPP-1000.

2.8. Control Rod Drives

The GA TRIGA Mark I rod drive mechanisms will be updated with electric stepping motor actuated linear drives equipped with a magnetic coupler and a positive feedback potentiometer for rod position indication. The present standard rod drives are two-phase ac motor driven, and do not lend themselves to the digital control necessary for servo control. All rod drives will be updated to stepping motor drive mechanisms.

A stepping motor (Superior Electric M092-FD302) drives a pinion gear and a 10-turn potentiometer via a chain and pulley gear mechanism. The pinion gear engages a rack attached to the magnet draw tube. An

An I

.e 8

I LBJ B

.8 l -

i !=la

's in g 1

t

~

i -

i

=

!i i i

a

.:e i

s

.i.

m x

l t

I u

-l ll -l ll Il.

11 1 11

_1 11 la i

1 a

n=

m 4_

u

/.

g p

I e.a n

l I

lI

!l s_I E

l I g:

=

l l

s I

l l

g w

M l

lls*l+n I

.I ill g

l

B t

I s.

i 41

.B:

I I

B 8

I E<

-l 5 g l=;

5 g

g :I-g a

,; g g Bl

[

m

+

B a

s M
me e

a E

a e.

U 8

i O

4 4

~

CD I

1 r i

3 r "g

55 a

55 8"

Iu!

'g e

e a:

-"I e"

I '8 8

I II I"a 2

s.:c s

a

=B EE a

mE e

n e

a g

sa og sa 53 C

g g

g a

a

,lg g

W 5

ja sh eIElEl5 h

th h

~l C

5gl sE E H E

E

  • Be "=

=

" E R E85588

.g m3 I

4 I

m CL.

'E

l

'I as

=h E5 42

=I

=

,__s..

electromagnet, attached to the lower end of the draw tube, engages an iron armature. The armature is screwed and pinned into the upper end of a connecting rod that terminates at its lower end in the control rod. When the stepping motor is energized (via the rod control UP/DOWN switch on the operator's console), the pinion gear shaft rotates, thus raising the magnet draw tube. If the electromagnet is energized, the armature and the connecting rod will raise with the draw tube so that the control rod is withdrawn from the reactor core. In the event of a reactor scram, the magnet is de-energized and the armature will be released. The connecting rod, the piston, and the control rod will then drop, thus reinserting the control rod.

Stepping motors operate on phase-switched dc power. The motor shaft advances 200 steps per revolution (1.8 deg per step) when in a four-step input sequence (full-step mode). Since current is maintained on the motor windings when the motor is not being stepped, a high holding torque is maintained.

The torque vs speed characteristic of a stepping motor is greatly dependent on the drive circuit used to step the motor. To optimize the torque characteristic vs motor frame size, a translator module was selected to drive the M092-FD302 stepping motor. This combination of stepping motor and translator module produces an optimum torque at the operating speeds of the control rod drives.

In order to provide a control rod banking operation (i.e., all rods in a given group operating at the same speed simultaneously), the built-in pulse generator on each of the translator modules has not been used. A single pulse generating circuit has been provided.

2.9 Auxiliary Monitoring Channels

2.9.1 Pit Water Temperature Monitoring Channel

The TRIGA Mark I coolant temperature is measured with a probe in the reactor tank and indicated on both CRT displays on the CSC. A platinum resistance temperature detector (RTD) is used as the temperature sensing element. The sensor is connected to an Action Pak located in the DAC.

2.9.2 Radioactivity Monitoring

Radioactivity levels in the reactor tank water and reactor room air ventilation system will be measured with G-M probes, as is done presently, but will be monitored and reported to the operator on the CSC status window using inputs to the AI016 No. 1 board (Figure 2-4).

2.9.3 Conductivity Monitoring

The electrical conductivity of the TRIGA Mark I reactor tank water is measured using a platinum-electrode conductivity cell. Specific conductance in µmhos/cm is also indicated on the status window on the CSC via an input to the AI016 No. 2 board (Figure 2-4).


3. TRIGA MARK I INSTRUMENTATION AND CONTROL SYSTEM SOFTWARE

The software for the computer based TRIGA Mark I reactor ICS is divided into fifteen different processes. Each one performs a specific function or functions and is essential for system performance. Eleven of the fifteen processes are associated with the CSC while the remaining four operate on the DAC. When operated as a whole, the software utilizes these processes in such a way as to present the operator with an instrumentation and control system that is essentially real-time.

Each of the 15 processes is described briefly as to its function or functions. In order to better understand the description of each process, flow diagrams (Figures 3-1 and 3-2) for the CSC and DAC respectively show how each software process interacts with essential hardware components as well as with other software processes.

3.1. CSC Processes

1. SC (State Controller)

The SC is a major process in the CSC and performs six functions:

a. Receives input commands from the reactor control console (RCC) keyboard via the KEY process.

b. Receives rod control and mode control panel commands via the ZACK process.

c. Initializes during "power on" via the BOOT process.

d. Accepts system generated commands from the DISP process (see 3.1(3)) and the DAC command processor (DCP) process (see 3.2(3)).

e. Transmits commands to the DCP process.

f. Provides menu screen information to the standard resolution display on the RCC.

2. BOOT

Initialization of the system database when ac power is applied is the sole function of the BOOT process.

3. DISP (display/animator)

Four functions are performed by the DISP process:

a. Provides real-time animation of the reactor rods, rod drive positions, and various bar graphs representing power and period on the high resolution display.

b. Updates the status, warning, and scram displays on the standard resolution screen.

c. Commands the SC to go to the scram state when a scram is detected in the database.

d. Receives new data commands from the SCANNER process (see 3.2(4)) located in the DAC.

4. KEY (Keyboard monitor)

When a key on the keyboard is depressed, the KEY process's sole function is to tell the SC process that a key has been depressed.

5. ZACK (ZACK DIS 064 monitor)

The ZACK process, like the KEY process, indicates to the SC process that a push button on the rod control or mode control panel has been depressed.

6. HST (History data logger and playback)

The HST process has two functions:

a. Write information from the database onto the hard disk.

b. Read information from the hard disk into the database.

In the steady state mode at 2 sec intervals (configurable interval), the information displayed on both the high and standard resolution screens is recorded on hard disk. This process continues to 5 min after the reactor is scrammed. It will also record the current screens at all scrams and warnings. The HST process, in the playback mode, will display this logged information under either automatic or manual control.

7. PULSE (PULSE graphics playback)

The PULSE process has the one function of displaying a pulse selected from the 10 pulses stored on the hard disk. The display is shown on the high resolution screen. Coordinate axis scalings can be changed to enhance resolution. The pulse data on the hard disk comes directly from the DCP process (see 3.2(3)).

8. LP (Line Printer)

The LP process is another single function process. It takes data from the standard resolution screen and formats the data for printer input.

9. HIST BACKUP (history archive BACKUP)

The HIST BACKUP process allows hard disk history archive data to be written onto floppy disks.

10. PULSE BACKUP (PULSE archive BACKUP)

The PULSE BACKUP process allows hard disk pulse archive data to be written onto floppy disks.

11. RECOVER (restore history or pulse archive)

The RECOVER process allows restoration from floppy disk of either history or pulse archive data back onto the hard disk.

3.2. DAC Processes

1. DAC (DAC startup)

The DAC process is needed only to initialize the GENESIS process. It has no other function.

2. GENESIS (real startup and network/scanner monitor)

The GENESIS process performs two important functions:

a. AC power-on initialization of the DAC software.

b. General system diagnostics. For example, before it boots the DCP process, it checks for proper operation of the communication network between the DAC and CSC. During normal operation the GENESIS process periodically checks operation of the network, DAC, and CSC. If improper operation is detected it will scram the reactor and initiate a DAC reboot sequence.

3. DCP (DAC Command Processor)

The DCP process is the major process in the DAC. It performs five functions:

a. The process communicates with the CSC's SC process, through which reactor rods are moved and mode changes are implemented. In short, it is through this process that the control system commands reactor hardware devices by the use of analog and relay contact closure signals.

b. The process keeps track of which mode the system is in.

c. Another function is the high speed acquisition and transfer of pulse data directly to the CSC's hard disk. This method of data gathering uses the DCP process since it is faster than the typical SCANNER process.

d. The DCP sends start/stop commands to the SCANNER process for proper system operations.

e. The DCP process contains the control system pretest mode software.

4. SCANNER (digital, analog, and NM-1000 input scanner)

The SCANNER process handles all control system inputs other than pulse data as mentioned in 3.2(3). These include analog, digital, and RS232. Its functions are:

a. Continually scans these inputs approximately every 200 msec.

b. It transfers this data to the CSC and a local (DAC) database.

c. It performs preconfigured alarm setpoint checks on all incoming data and sends notification of any alarm to the CSC's DISP process.

d. It performs the auto mode PID algorithm. This algorithm calculates rod speed and direction each scan cycle and adjusts the speed and direction of the rod accordingly.
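A sketch of the auto-mode servo described in Sections 2.5, 2.7.3 and 3.2(4)d: one PID pass per scan cycle that returns regulating-rod speed and direction, with the rise in power held to the 6.5 s preset period. This is an added example, not General Atomics' algorithm; the point plant model, the gains, the step units and the withdrawal-inhibit rule are assumptions, and only the 200 ms scan and the 6.5 s period come from the text.

```python
"""Servo (automatic mode) controller sketch after Sections 2.5, 2.7.3 and
3.2(4): one PID pass per scan cycle returning regulating-rod speed and
direction, with the power rise held to a preset period. Illustration only,
not General Atomics' algorithm; plant model, gains, step units and the
withdrawal-inhibit rule are assumptions."""
import math

SCAN_PERIOD_S = 0.2      # SCANNER cycle, approximately 200 ms (Section 3.2(4))
MIN_PERIOD_S = 6.5       # preset period, no shorter than 6.5 s (Section 2.7.3)
MAX_ROD_SPEED = 20.0     # steps per second; assumed drive limit


class ReactorModel:
    """Constructed point model: the log-power rate is proportional to the rod's
    displacement from its critical position. Not a TRIGA kinetics model."""

    def __init__(self, power_pct, critical_pos=0.0, worth_per_step=0.01):
        self.power = power_pct
        self.rod = critical_pos
        self.critical = critical_pos
        self.worth = worth_per_step      # (1/s of log-power rate) per step

    def step(self, rod_speed, dt):
        self.rod += rod_speed * dt
        self.power *= math.exp(self.worth * (self.rod - self.critical) * dt)
        return self.power


class ServoController:
    def __init__(self, kp=25.0, ki=0.05, kd=100.0):
        self.kp, self.ki, self.kd = kp, ki, kd
        self.integral = 0.0
        self.prev_error = 0.0
        self.prev_power = None
        self.setpoint = None     # ramped setpoint, initialised from the first sample

    @staticmethod
    def measured_period(prev_power, power, dt):
        """Reactor period from two successive samples; infinite unless rising."""
        if prev_power is None or power <= prev_power:
            return math.inf
        return dt / math.log(power / prev_power)

    def ramp_setpoint(self, power, demand, dt):
        """Demand ramp: the setpoint rises no faster than an exponential with
        period MIN_PERIOD_S and never above the operator's demand. Decreases
        are not period limited."""
        if self.setpoint is None:
            self.setpoint = power
        self.setpoint = min(demand, self.setpoint * math.exp(dt / MIN_PERIOD_S))
        return self.setpoint

    def scan(self, power, demand, dt=SCAN_PERIOD_S):
        """One scan cycle. Returns (rod_speed, direction) with direction one of
        "UP", "DOWN" or "HOLD", as the SCANNER process computes each cycle."""
        setpoint = self.ramp_setpoint(power, demand, dt)
        error = math.log(setpoint / power)       # log error: gains independent of level
        if setpoint >= demand:                   # integrate only after the ramp (anti-windup)
            self.integral += error * dt
        derivative = (error - self.prev_error) / dt
        speed = self.kp * error + self.ki * self.integral + self.kd * derivative
        # Assumed interlock: if power is already rising faster than the preset
        # period, permit no further withdrawal this cycle.
        if self.measured_period(self.prev_power, power, dt) < MIN_PERIOD_S:
            speed = min(speed, 0.0)
        speed = max(-MAX_ROD_SPEED, min(MAX_ROD_SPEED, speed))
        self.prev_error, self.prev_power = error, power
        direction = "UP" if speed > 0 else "DOWN" if speed < 0 else "HOLD"
        return speed, direction


def run_to_demand(initial_pct=10.0, demand_pct=100.0, seconds=200.0):
    """Drive the constructed plant from initial_pct to demand_pct and return
    (final power %, time to first reach 99% of demand, shortest rising period)."""
    plant = ReactorModel(initial_pct)
    servo = ServoController()
    dt = SCAN_PERIOD_S
    t, t99, min_period = 0.0, None, math.inf
    power = plant.power
    for _ in range(int(round(seconds / dt))):
        speed, _direction = servo.scan(power, demand_pct, dt)
        new_power = plant.step(speed, dt)
        t += dt
        min_period = min(min_period, ServoController.measured_period(power, new_power, dt))
        if t99 is None and new_power >= 0.99 * demand_pct:
            t99 = t
        power = new_power
    return power, t99, min_period
```

Because the inhibit acts on the period measured over the previous scan, the plant can exceed the preset period by at most one cycle's worth of rod motion; the ramp itself is exact.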

[Figure 3-1 (dated 1-21-88): block diagram of the CSC processes and their data flows to and from the DAC; the diagram itself is not recoverable from the scanned text.]


4. SAFETY EVALUATION

The installation of a state-of-the-art microprocessor based instrumentation and control system is expected to provide the TRIGA Reactors Facility with a system that has equal or greater operational capabilities than the present ICS and in addition, provides an equal or higher degree of reliability and maintainability. Of paramount importance are remaining questions dealing with the system's capabilities with regard to providing the necessary safety functions for the TRIGA Mark I reactor.

The material to support this 10CFR50.59 application is based on work done under an earlier application approved by the TRIGA Safety Committee in September 1986 (9) for a multi-phase test program with the new ICS. This test program was conducted starting first with the new system in a "read only" mode and then progressing, in a carefully orchestrated series of more detailed tests (with all results and test plans fully approved by the Safety Committee) until in Phase V, the new console was and continues to be operated in a "stand alone" mode with the old console completely disconnected. In each of these stages, our experience and confidence were increased and the operational features were progressively better understood. In the earlier portion of this two-year period shortcomings and oversights in both the hardware and software were discovered, identified, and corrected. During the past several months, over one hundred "stand-alone" operating hours with the new ICS have been accumulated on the Mark I with the system we have described in Sections 2 and 3, and whose safety is analyzed below.

The reactor safety system which is part of the new ICS is designed to interrupt magnet current (and air supply for the transient rod) resulting in the rapid insertion of all rods, thus shutting down the reactor in the event a safety channel is tripped. The system to perform this function is hardwired into the scram loop and in no way depends on successful operation of the computer software to detect and shut the reactor down in the event of an unsafe condition. Each of the redundant channels which detect unsafe conditions (reactor power and fuel temperatures which exceed license limits) are totally independent, have their own power supplies, own hardwired output displays on the operations console, and connect directly to the scram loop. The control system computer augments the directly wired safety system by monitoring for undesirable operating characteristics, and when a scram condition occurs as a result of a channel trip on any of the directly wired safety channels, it monitors and reports this condition to the operator.

In this analysis we wish to distinguish carefully between genuine safety related issues and those which can perhaps be best summarized as reliability issues; i.e., the ability to operate for long periods of time without component failures that would necessitate shutdown of the system for maintenance and repairs. Safety issues are clearly the purview of a 10CFR50.59 review. On the other hand, neither the Technical Specifications nor the Safety Analysis Report has placed requirements on long-term reliability of operation. We submit, however, that the design and construction of the new ICS is based on and incorporates proven and technically sound techniques and components, including standard industrially hardened equipment.

While we have evidence attesting to the reliability of the new ICS during the various phases of the test program, we are unable to make meaningful claims for the new ICS to be compared with the reliability of the older console, which is based on solid-state, hardwired analog circuitry that has been developed and used with many years of successful experience. Nevertheless, there is every reason to believe that the new ICS will prove to be as reliable over the long term as has been the old, analog console.

The safety evaluation presented herein must necessarily cover several aspects of the features of the ICS to form a basis for the finding that the installation of this system meets the criteria set forth in 10CFR50.59. The review herein will demonstrate that the new ICS (i) will not increase the probability of occurrence or consequence of an accident or malfunction of the reactor system, (ii) will not create the possibility for an accident or malfunction of a type different than previously evaluated for the older control system, and (iii) will not reduce the margin of safety which is the basis of any technical specification.

The questions to be covered include:

1. Does the proposed system meet all specific requirements of the R-38 Technical Specifications, and can it be installed without requiring a change to the applicable Tech Specs?

2. Do the methods used to provide the safety functions in the new system to prevent the occurrence of unsafe conditions, or conditions which may violate the requirements of the reactor license, avoid the use of untried techniques?

3. Is the reactor operator provided at all times with basic performance data in the event of failures in the non-safety related components of the system - e.g., failure of the computer system to function as designed? Under such conditions, is the operator given the ability to monitor reactor conditions and proceed with an orderly shutdown of the reactor?

4. Has on-line testing performed on the system shown that the system reliably provides the licensed required safety systems?

The discussion below attempts to answer the above questions and thus provide a basis for the conclusion that the proposed changes do not constitute an unreviewed safety question, and in fact, may enhance the ability of the TRIGA Facility to operate the Mark I reactor safely and in a trouble-free manner. First, a brief description of the safety features of the hardwired systems is presented.

4.1 Reactor Safety Systems Description

Figure 4-1 is a schematic representation of the Mark I reactor scram conditions which will lead to loss of magnet current and air supply (reactor scram).

Figure 4-1. Schematic representation of conditions leading to a scram on the TRIGA Mark I reactor. [Diagram not reproduced; the scram inputs it shows are: Manual Console Scram; Power Safety Channel No. 1, No. 2 and No. 3 (110%); Loss of HV; Facility AC Power Supply Failure; Manual Individual Rod Scram; Manual Loss of Magnet Current; External Scram No. 1 and No. 2; CSC Watch Dog Timer and DAC Watch Dog Timer (timeout); Fuel Temperature No. 1, No. 2 and No. 3 (500°C). All lead to loss of magnet current and of transient rod air supply.]

4.1.1 Reactor Power Safety Channels. The TRIGA Mark I power safety system is designed to comply with IEEE Standard 379-1977 [2] for single failures and common mode failures. A three-channel system is provided in a one-out-of-three trip logic configuration (the requirement of the applicable Technical Specifications is for two power safety channels (8)).

Two of three power channels use the outputs of independent uncompensated ion chambers which are processed independently by two linear percent power amplifiers (NP1000 and NPP1000). Each is housed in its own independent enclosure with current-to-voltage conversion circuits, high voltage power supply, and associated trip circuits, isolation devices, analog outputs, and computer interface circuitry. When a preset power level (110% of licensed power) is reached, each channel can activate its own bistable trip, causing the scram loop to open. The two channels have independent inputs to the scram circuit, with one input in the supply and the other in the return train of the loop (Figure 2-15). One of the two channels, the NPP-1000, also acts as a pulse monitor to measure pulse peak power, and a pulse integrator circuit in this channel measures total pulse energy. The independent circuitry in both these channels (in steady state the NP1000 and NPP1000 are identical), with independent detectors and independent high voltage power supplies, ensures complete and simple redundancy with regard to the parameter being monitored.

A third power safety channel is provided by the digital wide range power monitor (NM1000). The TRIGA Facility proposes to use the NM1000 as the third safety channel in the one-of-three trip logic. This channel has been designed to satisfy all requirements necessary to operate as a Class 1E system as a nuclear safety channel for the nuclear power industry (2-5). The NM1000 neutron monitor design utilizes high speed counting circuits, shielded signal and data communications cables, high speed digital (microprocessor) processing of the signal, and optically isolated output buffers for processing of power data from the fission chamber. As such, its use as a power safety channel meets the criteria of equipment diversity required for redundancy by ANSI/ANS 15.15 (1). To test its response to rapid power changes, the response time of the NM1000 to a sudden change in power (step changes in reactivity) has been measured and compared to the existing analog safety channels on the Mark I (6). These timing tests showed that the response time of the digital channel fully satisfies the requirements for a scram channel for TRIGA. Similar to the analog channels (NPP and NP1000), the NM1000 trip output is also hardwired into the scram loop; thus any overpower condition in the NM1000 will also interrupt magnet current without any reliance on the DAC or CSC computers. The NM1000, therefore, also provides complete redundancy for operation as a license required safety channel with either or both of the analog channels.

In the pulse mode of operation, relays controlled by the system software are used to (i) bypass the NP1000 and NM1000 steady-state power scrams from the scram loop and (ii) change the NPP1000 amplifier gain for pulse power monitoring. One potential problem could arise if the bypass relays failed and the NP1000 or NM1000 failed to return from their scram bypass mode when the reactor is returned to steady-state mode (it should be noted that for both the steady state channels to fail simultaneously requires failure of two separate relays located on two separate RLY08 cards, a highly unlikely event). If such an unlikely failure were to occur, the inherent redundancy of the system still provides one high power level trip because the NPP1000 would still be able to scram the reactor should the steady-state power exceed the preset limits. Conversely, if the NPP1000 gain change which allows the reactor to be pulsed is not changed back to the steady-state gain when the operator changes back to manual (steady state) mode, then the redundant high power trips from the NP1000 and NM1000 will scram the reactor should the power limit be exceeded in steady state. Even if this condition occurred, the operator at the console would be able to observe the discrepancy immediately in power readings from the redundant channels on the high resolution CRT monitor. Furthermore, the physical separation of these three relays (NP1000 and NM1000 scram bypass; NPP1000 gain change) on three separate RLY08 cards, coupled with the known high reliability of these relays, renders it incredible that as many as three of the relays can fail simultaneously. The only common mode failure that could disable the function of these relays would be a failure in the DOM32 relay driver board, but failure of the DOM32 would also disable the action of all control rods (Figure 2-4). Since this sequence of events is postulated to occur after a pulse and the subsequent automatic scram, a DOM32 failure would make it impossible to approach critical, a safe failure mode. As is pointed out in Section 4.2.3, a DOM32 failure is a scram condition detected and reported to the operator by the computer through one of the many self-diagnostics performed by the system.

We conclude therefore that for the system to remain unmonitored and unprotected in steady-state operations after a pulse, all three power monitors would have to fail, clearly an incredible event since there are three independent channels. It is also useful to note that similar failures were potentially possible but never observed in the hardwired analog console if, for example, one of the relays failed, or if one of the many wafers in the mechanical mode switch were to fail.

4.1.2 Fuel Temperature Safety Channels. Three identical fuel temperature safety channels in a one-out-of-three trip logic provide the ability to shut the reactor down when the fuel temperature reaches 500°C or the thermocouple opens (fails high). Similar to the power safety channels, only two fuel temperature channels are required by the applicable Technical Specifications (8). All three of the channels have independent temperature monitoring circuits (Action Paks), limit sensors (bistable trips), hardwired readouts and scram loop inputs. The fuel temperature channels therefore provide complete and simple redundancy in temperature measurements.

4.1.3 Other Scram Systems. Numerous other components of the system provide the ability of the system to shut down in a safe manner; along with the power and temperature safety channels, they provide a scram logic circuitry that causes a reactor scram. This circuitry, which uses a set of independent open-on-failure logic relay switches wired in series, causes an open in the scram loop upon receipt of a trip signal as described above from power (110% of licensed power), fuel temperature (500°C), or any of the following additional systems (the first three are license required):

1. Manual scram from the console.

2. Loss of facility ac power.

3. Manual magnet current interrupt using the console key switch.

4. Detector high voltage failure on any one of the power channels.

5. Loss of ac power to ICS due to earthquake switch trip.

6. Externally generated scram conditions (two independent channels).

7. Reactor power reaching 1100 MW during a pulse.

8. Computer (hardware or software) failures detected by "watchdog" timers, four for each computer.

The reactor power safety channels, fuel temperature safety channels, detector high voltage power supplies, and the watchdog timers are redundant safety systems; this redundancy in the protection devices provides complete assurance of safety in operation with regard to the parameter being monitored by that device.

4.2 Safety Analysis

4.2.1 Single Failure Criteria Analysis. For components which are non-redundant in the reactor safety system (RSS), a single failure criteria analysis was performed in conformance with ANSI/ANS 15.15-1978 (1). The results of this analysis are presented in Appendix B of this document, and show that except for the magnet current key switch (which does not perform a safety function except to prevent unauthorized startups), the Mean Time Between Failure (MTBF) of any single element of the proposed safety system exceeds the design life of the ICS (the MTBFs range from 23 years to 100 years).

4.2.2 Safety System Fault Tree Analysis. The University of Texas, with input from General Atomics [7], performed a fault tree analysis of the protective actions of the proposed reactor safety system by developing a failure model and analyzing the model to calculate an overall failure probability for the RSS (Appendix C). With conservative assumptions, this analysis gives a failure probability of the RSS of [digit illegible] x 10^-8 failures per hour, giving an overall system MTBF of 4 x 10^[exponent illegible] years. In other words, the inherent redundancy of the system makes it highly improbable that any component or sub-system failure would destroy the integrity of the entire reactor safety system.

4.2.3 Review of Specific Safety Related Issues. The discussion below is aimed at conclusively demonstrating that installation of the new ICS (i) does not require any changes to the Mark I Technical Specifications [8], and (ii) does not pose any unreviewed safety questions as defined in 10CFR50.59(a)(2); and therefore, operation of the Mark I reactor at GA with the new ICS does not constitute a decrease in the margin of safety as defined for this reactor. In doing so, the four questions posed earlier in this section will be answered.

4.2.3.1 Technical Specifications Requirements. Tables 4-1 and 4-2 compare the ability of the ICS presently installed with the ability of the new ICS in meeting the specific requirements of the Mark I Technical Specifications for reactor safety systems and interlocks. The ability of the new RSS to meet and exceed the license requirements is clear from these comparisons. The proposed microprocessor based ICS, in addition to utilizing a scram circuit which in no way depends on proper functioning of the computer hardware and software, nevertheless initiates a reactor scram if a malfunction causes failure of the computers to run the software as designed. Even if the watchdog timers in the CSC and/or DAC should fail to scram the reactor, the operator is at all times provided with the ability to monitor reactor conditions from the hardwired bargraph displays and take appropriate action. While the functional nature of the safety systems in the microprocessor based ICS does not change when compared with the presently used system, the use of state-of-the-art components and circuit design enhances their performance, reliability and maintainability.

Table 4-1
Reactor Safety System Scrams (1)

Originating Channel                  Old ICS                        New ICS
Power Level (2)                      2 or more Independent          2 or more Independent
                                     Channels (2 in steady state)   Channels (2 in steady state)
Fuel Temperature (2)                 2 or more Independent          2 or more Independent
                                     Channels (2 in Pulse)          Channels (2 in Pulse)
Console Scram (2)                    Manual                         Manual
Facility Power (2)                   Supply Failure                 Supply Failure
Magnet Current Keyswitch (2)         Manual                         Manual
Earthquake Sensor                    Loss of Console Power          Loss of Console Power
Loss of High Voltage to              2 Independent Channels         2 Independent Channels
  Power Detectors
External Scram                       2 Independent Channels         2 Independent Channels
Computer Hardware/Software Failure   N/A                            4 Watchdog Timers per Computer

(1) All of the above scrams are hardwired and do not in any way depend on the two microcomputers to originate the scram signal.
(2) Minimum license required safety system scrams (8).

Table 4-2
Reactor Console Interlocks

Operator Action                                        Old ICS     New ICS
Withdrawal of more than one rod in steady state        Prevented   Prevented
  mode (1)
Withdrawal of any standard rod in pulse mode (1)       Prevented   Prevented
Application of air to transient rod in steady state    Prevented   Prevented
  with cylinder not fully down (1)
Rod withdrawal without minimum source level            Prevented   Prevented
Pulse Mode Prohibit                                    P >= 1 kW   P >= 1 kW

(1) Minimum license required interlocks.

Further, the structure of the scram circuit (Figure 2-15) separates the redundant safety systems (e.g. the NP1000 and NPP1000) by separating the trip relays for such channels on the supply and return sides of the magnet power supply in the scram loop. Thus, failures, such as a short along either the supply or return lines in the scram loop which will negate the function of the trip relays between the two points on the line at which the short occurred (it may be noted that shorts to ground are detected by the ground fault detector), do not negate the effectiveness of the redundant safety system required by the Technical Specifications. To do so requires a short to occur simultaneously on both trains. Appendix C further analyzes the probability of such failures in the scram loop.
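The series relay loop of Section 4.1.3 and the supply/return train argument just above, as an added Python model that is not part of the GA document: relay names and train assignments other than NP1000 (supply) and NPP1000 (return) are assumptions, and shorts to ground, which the text says the ground fault detector catches, are not modelled. The search checks the claim that no single short on one train can mask both channels of a redundant pair, while a simultaneous short on both trains can.

```python
"""Model of the Mark I scram loop as two series relay trains (supply and return).

Added illustration, not code from the GA document. Relay names and train
assignments other than NP1000 (supply) and NPP1000 (return) are assumptions.
Only shorts along one train are modelled: a short between two points on a
train bypasses every relay between those points.
"""
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# A train with n relays has nodes 0..n; relay k sits between nodes k and k+1.
# A short between nodes i and j bypasses relays i..j-1 on that train.
Short = Tuple[str, int, int]


class ScramLoop:
    def __init__(self, supply: List[str], ret: List[str]) -> None:
        self.trains: Dict[str, List[str]] = {"supply": supply, "return": ret}
        # Open-on-failure contacts: True = closed (relay energized), False = open.
        self.closed: Dict[str, bool] = {r: True for r in supply + ret}
        self.shorts: List[Short] = []

    def trip(self, relay: str) -> None:
        """A channel trip, or loss of power to the relay, opens its contact."""
        self.closed[relay] = False

    def _train_conducts(self, train: str) -> bool:
        bypassed = set()
        for t, i, j in self.shorts:
            if t == train:
                bypassed.update(range(i, j))
        return all(self.closed[r] for k, r in enumerate(self.trains[train])
                   if k not in bypassed)

    def magnet_current_flows(self) -> bool:
        """Rods are held only while both trains conduct (any open relay scrams)."""
        return self._train_conducts("supply") and self._train_conducts("return")


def mark1_loop() -> ScramLoop:
    """Constructed loop: NP1000 on supply and NPP1000 on return per the text;
    the other relays and their order are assumed."""
    supply = ["MANUAL_SCRAM", "NP1000", "FUEL_TEMP_1", "CSC_WATCHDOG"]
    ret = ["KEY_SWITCH", "NPP1000", "FUEL_TEMP_2", "DAC_WATCHDOG"]
    return ScramLoop(supply, ret)


def all_shorts(loop: ScramLoop, train: str) -> List[Short]:
    n = len(loop.trains[train])
    return [(train, i, j) for i, j in combinations(range(n + 1), 2)]


def pair_effective(loop: ScramLoop, pair: Tuple[str, str]) -> bool:
    """True if at least one channel of a redundant pair can still open the loop
    under the shorts currently applied to it."""
    for relay in pair:
        saved = dict(loop.closed)
        loop.trip(relay)
        scrams = not loop.magnet_current_flows()
        loop.closed = saved
        if scrams:
            return True
    return False


def defeating_single_short(loop: ScramLoop, pair: Tuple[str, str]) -> Optional[Short]:
    """Try every short on either train; return one that masks both channels."""
    for train in ("supply", "return"):
        for s in all_shorts(loop, train):
            loop.shorts = [s]
            effective = pair_effective(loop, pair)
            loop.shorts = []
            if not effective:
                return s
    return None


def defeating_double_short(loop: ScramLoop,
                           pair: Tuple[str, str]) -> Optional[Tuple[Short, Short]]:
    """Try simultaneous shorts on both trains; return the first defeating pair."""
    for s1 in all_shorts(loop, "supply"):
        for s2 in all_shorts(loop, "return"):
            loop.shorts = [s1, s2]
            effective = pair_effective(loop, pair)
            loop.shorts = []
            if not effective:
                return s1, s2
    return None


if __name__ == "__main__":
    pair = ("NP1000", "NPP1000")
    print("single short defeating the pair:", defeating_single_short(mark1_loop(), pair))
    print("double short defeating the pair:", defeating_double_short(mark1_loop(), pair))
```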

In addition to the hardwired scrams listed in Table 4-1, a variety of component failures, when detected as a result of communications between the two system computers or a component failure detected by the computers, will lead to a reactor scram. These conditions are as follows:

Network Communications Failure: A SCRAM condition occurs as a result of loss of communications between the DAC and CSC computers.

Digital Input Scanner Failure: A SCRAM condition occurs upon loss of an "I'm alive" signal that the DIS064 boards send to each of the two computers.

Analog Input Receiver Failure: A SCRAM condition occurs if either of the two AI016 boards receiving analog field inputs stops functioning properly.

Digital Output Module Failure: A SCRAM condition occurs upon loss of, or an error in, communications between the computer and the DOM32. Since the DOM32 controls the outputs from the rod drives among other things, this indicates that computer control of the rod drives has been lost.

Data Base Update Failure: A SCRAM condition occurs if the SCANNER software module, which periodically scans input devices and updates the data base, stops functioning properly. Improper functioning is indicated by failure of the database to be updated for 1 second (5 cycles).

NM1000 Communications Failure: A SCRAM condition occurs upon loss of communications between the NM1000 and DAC computers. A failed condition occurs if no data is received over the serial port for approximately 5 seconds.

NM1000 Data Error: A SCRAM condition occurs if an error is detected in the NM1000 data length and/or checksums transmitted over the NM1000 communications link.
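The computer-detected conditions listed above, with the SCANNER's 200 msec cycle from Section 3.2, as an added Python model that is not the DAC's own software: the NM1000 frame layout (length byte, payload, one-byte modular sum) and the network and DIS064 "I'm alive" timeouts are assumptions, while the 1 second (5 cycle) database limit and the approximately 5 second NM1000 silence limit are the values the text states.

```python
"""Fail-safe supervisory checks of the kind the DAC performs on its inputs.

Added illustration, not code from the GA document. Assumed: the NM1000 frame
layout [len][payload][sum mod 256], NETWORK_TIMEOUT_S and ALIVE_TIMEOUT_S.
From the text: 200 ms scan cycle, 1 s (5 cycles) database limit, ~5 s NM1000
silence limit.
"""
from typing import Dict, List, Tuple

SCAN_PERIOD_S = 0.2                        # SCANNER cycle, about 200 msec
DB_UPDATE_TIMEOUT_S = 5 * SCAN_PERIOD_S    # 1 second = 5 cycles without an update
NM1000_SILENCE_TIMEOUT_S = 5.0             # no NM1000 serial data for ~5 seconds
NETWORK_TIMEOUT_S = 2.0                    # assumed DAC/CSC link silence limit
ALIVE_TIMEOUT_S = 1.0                      # assumed DIS064 "I'm alive" silence limit


def make_frame(payload: bytes) -> bytes:
    """Build a frame in the assumed [len][payload][sum mod 256] layout."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def check_nm1000_frame(frame: bytes) -> Tuple[bool, str]:
    """Validate declared length and checksum; any inconsistency is a data error."""
    if len(frame) < 2:
        return False, "frame too short"
    declared, payload, received = frame[0], frame[1:-1], frame[-1]
    if len(payload) != declared:
        return False, f"length mismatch: declared {declared}, got {len(payload)}"
    if (sum(payload) & 0xFF) != received:
        return False, "checksum mismatch"
    return True, "ok"


class DacSupervisor:
    """Latches reported faults and times out silent sources. Evaluation is
    fail-safe: a source that stops reporting counts as failed, never as healthy."""

    def __init__(self, t0: float) -> None:
        self.last_db_update = t0
        self.last_nm1000_data = t0
        self.last_network_ok = t0
        self.last_alive: Dict[str, float] = {"DIS064-A": t0, "DIS064-B": t0}
        self.latched: Dict[str, str] = {}   # condition name -> detail

    # Inputs observed over time
    def scanner_updated_database(self, t: float) -> None:
        self.last_db_update = t

    def network_message(self, t: float) -> None:
        self.last_network_ok = t

    def dis064_alive(self, board: str, t: float) -> None:
        self.last_alive[board] = t

    def nm1000_frame(self, frame: bytes, t: float) -> None:
        ok, why = check_nm1000_frame(frame)
        if ok:
            self.last_nm1000_data = t
        else:
            self.latched["NM1000 Data Error"] = why   # held until cleared by reset

    def board_fault(self, board: str, why: str) -> None:
        """An AI016 or DOM32 failure reported by the board interface (latched)."""
        self.latched[f"{board} Failure"] = why

    # Evaluation
    def scram_reasons(self, now: float) -> List[str]:
        """Return every condition that calls for a SCRAM at time `now`."""
        reasons = [f"{name}: {why}" for name, why in self.latched.items()]
        if now - self.last_network_ok > NETWORK_TIMEOUT_S:
            reasons.append("Network Communications Failure")
        for board, t in self.last_alive.items():
            if now - t > ALIVE_TIMEOUT_S:
                reasons.append(f"Digital Input Scanner Failure: {board} silent")
        if now - self.last_db_update > DB_UPDATE_TIMEOUT_S:
            reasons.append("Data Base Update Failure")
        if now - self.last_nm1000_data > NM1000_SILENCE_TIMEOUT_S:
            reasons.append("NM1000 Communications Failure")
        return reasons


def replay_constructed_scenario() -> Dict[float, List[str]]:
    """Drive the supervisor with a constructed timeline and sample its verdicts."""
    sup = DacSupervisor(t0=0.0)
    samples: Dict[float, List[str]] = {}
    good = make_frame(b"\x01\x02\x03")
    t = 0.0
    while t <= 8.0:
        t = round(t + SCAN_PERIOD_S, 1)
        sup.network_message(t)
        for board in list(sup.last_alive):
            sup.dis064_alive(board, t)
        if t <= 3.0:                        # SCANNER stops updating after 3.0 s
            sup.scanner_updated_database(t)
        if t in (1.0, 2.0, 3.0):            # NM1000 frames once per second, then silence
            sup.nm1000_frame(good, t)
        if t == 4.0:                        # a corrupted frame (bad checksum) arrives
            sup.nm1000_frame(good[:-1] + b"\x00", t)
        if t in (2.0, 4.2, 8.2):
            samples[t] = sup.scram_reasons(t)
    return samples
```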

4.2.3.2 Techniques used in providing safety and control functions. Of paramount importance in determining whether the safety system will function as intended is a review of the safety system design, as well as methods or techniques used in providing the safety functions. In other words, do such methods utilize untried techniques for performing the required safety functions? Over a thirty year period and with the design of three generations of instrumentation and control systems by General Atomics, safety systems have evolved in console designs as new and improved technologies to provide this function have become available. What has not changed, however, is the fundamental philosophy in safety system designs, which is to provide the operator with redundant, hardwired safety systems that in no way rely on the proper operation of non-safety systems to provide the desired safety function. Further, such designs have provided and will continue to provide the operator with basic performance data (power, fuel temperature and period as a minimum) so that reactor safety parameters can be monitored directly and operations terminated by the operator independent of the performance of non-safety systems - e.g., system computers - if deemed necessary. The applicability of this design philosophy to the microprocessor based ICS is as follows:

1. As has been discussed in several places in this document, all safety systems are hardwired into the scram loop (Figure 2-15), and are independent from the operation of the data processing computers in the DAC and CSC. If the computers fail to operate as designed (i.e., shut the reactor down in case of a computer hardware/software malfunction), then the hardwired safety system provides the operator with direct readouts from the redundant sensors (neutron detectors, fuel temperature thermocouples) so that the operator is at all times presented with the basic operation data. As a minimum, all license required safety systems are hardwired into the scram loop.

2. Although the design and components of the analog power safety channels have changed, both the NPP1000 and NP1000 continue to utilize the same design basis for operation as the present system, i.e. they use hardwired amplifiers and bistable trip circuits to provide the safety function. Further, the circuit design properly separates the safety and non-safety outputs (2) to provide independent, redundant capability of the channels to provide the required safety function.

3. The digital power monitor and safety channel (NM1000) continues to use the standard, well established techniques of wide range power monitoring by the use of count rate and Campbelling techniques to monitor power from source range to full power (10). However, the processing of the data from the amplifiers is performed digitally using state-of-the-art, high-speed data processors. The response time of the digitally processed signal for performance of the required safety function has been shown through direct parallel testing to be equivalent, as regards TRIGA safety, to that from the older analog safety system. Similar to the design of the two new analog channels, circuit design in the NM1000 meets all criteria for independence and redundancy of nuclear safety channels.

4. The fuel temperature safety channels also use the same design basis for operation as the present system - i.e., they use hardwired amplifiers and bistable trip circuits to provide the safety function. Similar to the analog power channels, the components used to provide this function (Action Paks) rely on state-of-the-art designs.

5. The logic used to provide the license required interlocks (Table 4-2) in the old system is maintained in the new ICS. These functions are now performed digitally through the use of EPROM resident software to trip a relay rather than through the use of analog hardwired relay logic. The older analog system provides the necessary functions without any built-in redundancy like that in the reactor safety systems. Therefore, occasional mechanical failures of any of the required interlocks are not backed up by a redundant system; however, in the approximately fifteen years that such interlocks have operated at GA, no failures have ever been experienced in any of the required interlocks. The same reliability can be expected by the use of digitally controlled relays. This reliability has been well demonstrated in the more than two years of testing that has been performed on the Mark I [9], during which no failures of any of the license required interlocks were experienced. Secondly, a quantitative analysis of failure rates has been made for a typical interlock circuit (i.e. air cannot be applied to the transient rod cylinder in steady state operations unless the cylinder is fully down) for the older analog console circuitry and the new ICS discussed herein (Appendix D). This analysis of the interlock circuits shows that the MTBF for the new console is a factor of two greater for the new ICS, and hence it is demonstrably less prone to failure.

Furthermore, neutronic calculations have been performed to show that even if a failure of any of these interlocks occurred, it does not present a threat to reactor safety. First, the ramp accident analysis presented in Appendix E shows that if the first of the required interlocks (which prevents withdrawal of more than one rod simultaneously in steady state) fails, and if all rods are withdrawn at the maximum possible speed, then the consequences of such a failure are negligible for a TRIGA reactor. Second, if the operator is able to pulse inadvertently from power (failure of the interlock prohibiting application of air to the transient rod in steady state with the receiving cylinder not fully down), then a calculation of the consequences shows that the maximum temperature reached when the reactor is pulsed by an insertion of $3.00 from a steady state power of 200 kW - with all scrams functional - is 360°C (with a peak power of ~1.1 MW), well below the maximum allowable fuel limit of $300C [8] (Appendix F). Third, the interlock requiring that no control rod could be moved while in pulse mode assured (on the old analog console) that while in pulse mode no reactivity manipulations could be made during the period that no steady state power monitoring information is available to the operator. Strictly speaking, this interlock is not needed for operations with the new ICS because all power monitoring information continues to be presented to the operator (even though the ICS is in pulse mode) up to the instant that the FIRE button is depressed to initiate the pulse.

The above analyses demonstrate that (i) the failure of any of these interlocks, either in the old or new systems, does not constitute a danger to the reactor or to operations outside the limits established by the license, and (ii) the reliability estimates for the interlock circuits indicate that the new ICS is at least a factor of two more reliable than the older hardwired analog system. We conclude therefore, that the use of the digitally driven interlocks is more reliable than the analog hardwired relay logic, and does not create conditions for an accident or malfunction not previously evaluated for the older analog control system.

I 6.

The three standard control rod drives on the TRIGA Mark I which use two I

phase ac driven motors for movement of the control rods are being re-i

~

placed with stepping motor drives which operate on phase-switched de power.

The stepping motor driver allow digital control and hence allow I

computer manipulation of the control rods'to control reactor power.

An accident, where a malfunction in the computer hardware/software results in all rods being driven out of the core by the computer at maximum speed (2 seconds for full withdrawal), has been analyzed for a 250 kW TRIGA reactor, with the assumption that all redundant hardwired safety systems are functioning as intended. This ramp accident analysis shows that a rapid insertion of all control rods into a core having the maximum excess reactivity ($5.00) allowed by the Technical Specifications (8) in 2 seconds, with the safety system functioning, will not lead to accident conditions. The analysis summary is presented in Appendix E.

For the Mark I, with the safety system scrams set at 275 kW, the peak power would be less than 185 MW, and the peak temperature less than 251°C. The Mark I is routinely pulsed to ~1000 MW with peak temperatures of 360°C and relies, as do all reactors fueled with the TRIGA U-ZrHx fuel moderator elements, on the large prompt negative temperature coefficient of reactivity to provide the ultimate shutdown mechanism for the reactor.

The above analysis demonstrates that the TRIGA Mark I reactor will easily tolerate a ramp insertion of all control rods in 2 seconds.

This has additional very important implications:

a. The reactor system can tolerate the failure of the interlock that prevents upward movement of more than one control rod, as analyzed directly.

b. The movement in a banked array of more than one control rod need not be limited in regular usage by concerns for reactor safety, since the analyzed consequences of serious malfunctions are well within acceptable operating limits.

c. A malfunction in the computer that results in the simultaneous upward motion of all control rods - regardless of operator action - and with a maximum withdrawal time of 2 seconds, cannot endanger the reactor system.

4.2.3.3 Ability of system to monitor reactor conditions in the event of a failure in non-safety components. The reactor operator at the system console (CSC) is provided at all times with power and temperature related data derived from the three power safety channels and two fuel temperature safety channels, using bargraph indicators that are directly wired to the outputs of the respective channels. The systems monitored directly on the CSC, in addition to having their output scanned by the system computers and reported on the console CRT, are:

1. Power Safety Channel No. 1 as Percent Power

2. Power Safety Channel No. 2 as Percent Power

3. Power Safety Channel No. 3 and Wide Range Power Monitor as Log Power and Reactor Period

4. Fuel Temperature Safety Channel No. 1 in degrees C

5. Fuel Temperature Safety Channel No. 2 in degrees C

6. Pulse Peak Power in Megawatts

7. Total Pulse Energy in MW-seconds

These indications are available to the operator at all times, regardless of the operating status of the two system computers or other non-safety related systems. The only common mode failure where these direct indicating circuits will not function is the loss of facility ac power. In such a failure mode, however, magnet power to the control rod magnets would also be lost, thus shutting down the reactor.

As mentioned earlier, the TRIGA Reactors Safety Committee, under a 10CFR50.59 application, approved a program beginning in September, 1986, to test the microprocessor based ICS on the TRIGA Mark I reactor in a multiphase program [9]. This program will culminate with a demonstration of "stand-alone" operation of the reactor, in all licensed modes of operation (steady-state manual, steady-state automatic and pulse), using this instrumentation and control system. This program was carried out in the following phases [11-15]:

Phase I: Setup and evaluate components of ICS in a READ ONLY mode.

Phase IA: Connect control rod drives, one at a time only, to the new system to verify operation using the new console. Magnet control was maintained from the licensed console with its full scram capabilities.

Phase II: Connect all control rod drives and verify operation using the new ICS, and verify/demonstrate full mechanical and electrical operational capabilities. The reactor was in a subcritical condition, and magnet control was retained from the licensed console.

Phase III: Connect all control rod drives and carry out reactor operations in all licensed modes using the new ICS; the licensed control and safety systems remained operational in their entirety, with a signal from the hardwired scram loop in the new ICS being fed into the scram loop of the old console. Magnet current was retained by the old console. In other words, the new ICS was operated in a slave mode.

Phase IV: Phase III was repeated, but with the roles of the two consoles reversed; i.e., the new ICS was placed in complete control of the reactor, but the old console was wired into its hardwired scram loop. This console then played the role of a slave system.

Phase V: All licensed modes of operation were conducted in a dedicated manner from the new ICS, with the old console completely disconnected.

Phase VI: Training and qualification of licensed operators in the use of the new ICS for Mark I operations.

As the testing progressed to more advanced phases, shortcomings, oversights and "bugs" both in hardware and software were identified and corrected. To date, over 200 operating hours have been accumulated in Phases IV and V, where all aspects of operation of the software and hardware have been tested to ensure that they function as designed and are adequate to meet all requirements of reactor operation. Of this total, ~100 hours are in complete stand-alone operations (Phase V). The testing performed to date has covered the testing of all design features necessary for safe operation, with the result that the ICS proposed for installation is an extensively tested system in which earlier problems have been identified and corrected as a result of this test program.

Finally, it should be noted that the training and familiarization of all the licensed RO and SRO personnel is being conducted under Phase VI of the test program. At the present time ten operators have qualified for performing all routine operations in all operating modes. The remaining eight RO and SRO staff have qualified for limited solo operation for the startup and shutdown checklists and low power (< 1 kW) runs for the purpose of making daily core excess measurements. The fully qualified operators constitute a large enough staff to permit the facility at this time to perform all customer and facility operations as needed. The requalification training is continuing with the goal to qualify all personnel for conducting routine operations in all operating modes.

4.3 Summary of Safety Analysis

The safety analysis has resulted in the details set forth in Section 4.2 above. The specific questions to be answered for the new ICS were presented early in this section and are repeated here for the convenience of the reader, together with the answer for each.

1. Does the proposed system meet all specific requirements of the R-38 Technical Specifications, and can it be installed without requiring a change to the applicable Tech Specs? The answer is YES to both of these questions. See Sections 4.2.3.1 and 4.2.3.2 for detailed justification.

2. Do the methods used to provide the safety functions in the new system, to prevent the occurrence of unsafe conditions or conditions which may violate the requirements of the reactor license, avoid the use of untried techniques? The answer is YES. Several aspects of this question are addressed in Sections 4.1.1, 4.2.1, 4.2.2 and in 4.2.3.2.

3. Is the reactor operator provided at all times with basic performance data in the event of failures in the non-safety related components of the system - e.g., failure of the computer system to function as designed? Under such conditions, is the operator given the ability to monitor reactor conditions and proceed with an orderly shutdown of the reactor? The answer is YES, as amply demonstrated in Sections 4.1.1, 4.2.3.2, and especially in 4.2.3.3.

4. Has on-line testing performed on the system shown that the system reliably provides the licensed required safety systems? The answer is YES. The support for this answer is detailed in Section 4.2.3.4.

In view of the favorable answers to each of the four important questions and to the many related issues also treated in this document, we conclude that the installation of the new ICS does not create any unreviewed safety issues within the intent of 10CFR50.59(a)(2). In this connection it is useful to note that the abnormal occurrences evaluated in this document, and for which the consequences are completely innocuous, depend specifically on the inherent safety features of the uranium-zirconium-hydride reactor fuel. In the final analysis, and for the reason just noted, the safety of the General Atomics R-38 TRIGA Mark I reactor is to a very great extent independent of the specific features of the older, analog console or the new microprocessor based instrumentation and control system.

5. INSTALLATION PROCEDURES

5.1 Final Installation and Checkout. Installation and checkout of the new instrumentation and control system will, as a minimum, consist of the following procedures:

a. Removal of old console and associated hardware

b. Installation of new console and all associated hardware in final operating position

c. Console checkout and acceptance testing (16)

All of the above tasks will be carried out under the cognizance of the Physicist-in-Charge and Associate-Physicist-in-Charge, and under direct supervision of the Deputy-Physicist-in-Charge. The APIC will participate in the acceptance testing part of the testing. TRIGA Facility staff will carry out the installation, with assistance as needed from the TRIGA Division design engineers and technicians.

5.2 Modification of Written Procedures and Checklists. Mark I Standard Operating Procedures must be modified in order to accommodate operation from the new ICS. The facility staff is currently undertaking modification of the relevant procedures. The modified procedures will be available prior to resuming routine operations after the final installation is completed, and will be submitted to the Safety Committee for approval. In order to conduct routine operations from this console during Phase V of the test program, some checklists have of necessity been modified in order to accommodate these operations. These checklists are included in Appendix G.

REFERENCES

1. Criteria for the Reactor Safety Systems of Research Reactors, American National Standards Institute Guide ANSI/ANS 15.15-1978.

2. Application of the Single Failure Criterion to Nuclear Power Generating Class 1E Systems, Institute of Electrical and Electronic Engineers Standard IEEE 379-1977.

3. Criteria for Protection Systems for Nuclear Power Generating Stations, Institute of Electrical and Electronic Engineers Standard IEEE 279-1971.

4. Digital Neutron Monitor NM-1000, GA Technologies Inc. Document INS-25, GA Proprietary Information (1983).

5. Qualification Test Report NM1000 Digital Neutron Monitoring System, GA Document E-269-1239, GA Technologies Proprietary Information (May, 1984).

6. J. Razvi to W. K. Hyde, "Results of Timing Tests on NM1000 High Power Scrams," General Atomics Internal Correspondence (May, 1988).

7. J. Razvi and W. K. Hyde, General Atomics, Personal Communications with T. Bauer, University of Texas (1988).

8. Technical Specifications for The Torrey Pines TRIGA Mark I Reactor, License No. R-38, as amended and issued April 10, 1987.

9. 10CFR50.59 Application for Testing of NM1000 based Digital Control Console, September 2, 1986.

10. G. F. Knoll, Radiation Detection and Measurement, Chapter 14, John Wiley & Sons (1979).

11. J. Razvi to A. M. Baxter, "Request for Approval to Proceed with Phase II of Test Program for TRIGA Mark I Digital Control and Instrumentation System," GA Internal Correspondence (April 24, 1987).

12. J. Razvi to A. M. Baxter, "Request for Approval to Proceed with Phase III of Test Program for TRIGA Mark I Digital Control and Instrumentation System," GA Internal Correspondence (May 1, 1987).

13. J. Razvi to A. M. Baxter, "Request for Approval to Proceed with Phase IV of Test Program for TRIGA Mark I Digital Control and Instrumentation System," GA Internal Correspondence (February 1, 1988).

14. J. Razvi to A. M. Baxter, "Request for Approval to Proceed with Phase V of Test Program for TRIGA Mark I Digital Control and Instrumentation System," GA Internal Correspondence (June 2, 1988).

15. A. Baxter to J. Razvi, "CSC Review of the Proposed Phase V Testing of the TRIGA Mark I Reactor," GA Internal Correspondence, CED:355:AME 88 (June 23, 1988).

16. TRAC-1000 Instrumentation System Acceptance Test Procedure, GA Document No. GATR-E-02, Issue B (April, 1988).

Appendix A

GLOSSARY OF TERMS

Action Pak: The Action Pak is a patented logic circuit designed by Action Instruments. The Action Paks fulfill the function of the bistable trips in the old console.

AI016 (Analog Input) Boards: The AI016 is a multifunction high speed analog/digital input/output expansion board for the DAC and CSC computers.

7532: The IBM/AT microcomputer located in the CSC. The 7532 is manufactured by IBM and includes an expansion chassis.

BC-20: The IBM/AT compatible microcomputer located in the DAC. The BC-20 is identical in performance to the IBM 7532 microcomputer with the exception that it does not require an expansion chassis.

CSC (Control System Console): The CSC is the reactor console located in the reactor control room. The CSC includes a control panel.

DAC (Digital Acquisition and Control Unit): The DAC is an industrial microprocessor-based computer packaged in an industrially hardened cabinet. The DAC cabinet is physically divided into eight shelves, and has rows of terminal blocks along the bottom of the cabinet.

DIS 064 (Digital Input Scanner) Multiplexer: The DIS 064 is a digital input scanner with a capacity of 64 inputs. The module consists of two parts. The bottom board is a remote intelligent module, or RIM 808, which controls the DIS 064. Mounted on standoffs atop the RIM 808 is a diode matrix and terminator board. The two are connected via a ribbon cable.

DOM 32 (Digital Output Module): The DOM 32 is a general purpose digital output board for the interface of 32 TTL level digital outputs to the IBM PC/AT (or equivalent) in the DAC and CSC.

ECIK (Expansion Chassis Interface Connector) Driver Board: The ECIK driver board, located in the CSC, transfers computer bus signals to and from the ECIK receiver board in the expansion chassis. The board has active circuitry to provide additional signal drive for the expansion chassis bus.

ECIK Receiver Board: The ECIK receiver board connects to the ECIK driver board in the IBM-7532 computer for bus signal communication between the 7532 and the expansion chassis. Transmission is via a special-purpose shielded ribbon cable.

EPROM (Erasable Programmable Read Only Memory) Disk Boards: The EPROM disk boards are located in the 7532. They contain firmware which is programmed by GA electronic division prior to delivery to the reactor facility.

IC-DOS: The operating system for the IBM-7532 and BC-20 industrial microcomputers. IC-DOS is a variation of PC-DOS used in IBM PC and compatible computers.

Lab Master: The Lab Master is a high-speed analog input/output board which connects directly to the Lab Master daughter terminations board on shelf five of the DAC via a two conductor cable. In pulse mode, the Lab Master mother board receives high-speed analog input from the ion chamber via the NPP-1000 signal conditioner and the Lab Master daughter board. In the servo configuration, the Lab Master acts as a D/A converter by taking the digital output from the DAC 7532 computer and producing a ±5 V analog signal which is used to drive the stepping motor translators.

Network: The network board is a high-speed, token passing, local area network board that handles communication between the DAC and CSC. There are four network boards - two in the DAC and two in the CSC. The second set of boards provides for system redundancy.

Optical Isolators: The optical isolator boards are located on shelf two of the DAC and interface the BC-20 in the DAC to external ac signals.

RLY08 (Relay): A relay board located in the DAC and CSC. Each board contains eight relays.

Watchdog Board: The watchdog board acts as a hardware fail-safe module capable of shutting down the reactor in case of computer failure. The board controls relay contacts in the SCRAM circuit such that if the DAC or CSC computers lose power or stop operating, the relays will be deenergized and the reactor SCRAMMED.

640COM: The 640COM is a 640 K expansion board in the DAC 7532 computer with a RS232 serial I/O port, a parallel printer port, and a battery-backed real-time clock. Only the RS232 port is used. It connects to the DIS 064 digital input scanner on shelf three of the DAC.

Appendix B

TRIGA MARK I INSTRUMENTATION AND CONTROL SYSTEM SINGLE FAILURE CRITERIA ANALYSIS SUMMARY FOR REACTOR SAFETY SYSTEMS

Single Failure Criteria Analysis Summary for the Reactor Safety Systems

References:

1. IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

2. IEEE 379-1977, "Application of the Single-Failure Criteria to Nuclear Power Generating Station Class 1E Systems."

The following analysis is postulated upon the principle [explained in Reference 2, Section 6.1(4)] that redundancy of protection devices provides complete assurance of safety in operation with regard to the parameter monitored by the device. For example, the failure of a fuse to blow when subjected to its designed rating of overload current is a credible possibility, but the failure of two identical fuses in series to blow simultaneously is not a credible possibility. Failure rates are expressed in operation cycles or Mean Time Between Failures (MTBF).

1. The failure rate of relay contacts is expressed in operation cycles. A conservative estimate based on manufacturers' specifications for the relays in the proposed system is 25,000 operating cycles. At two cycles per day and 5 days per week, this is one failure in 48 years. The most likely failure is increased contact resistance rather than welded contacts, so that an unsafe condition probably is not credible in less than 100 years of operation.

2. The manual scram button is a normally closed switch used to shut down the reactor manually. The specified life is 100,000 cycles of operation. At 15 manual scrams per day this would be one failure in 25.6 years. The most likely failure mode is a broken switch structure which would result in failure to reset after a scram. Redundancy for a manual scram exists in the console operator key switch and power on switch.

3. The console key switch de-energizes the magnet supply as well as other circuitry. The estimated life is 10,000 operations. At 15 operations per day, this is a failure rate of one every 2.6 years. However, the key switch is not depended upon to perform a safety function except to prevent unauthorized startup. The manual scram button provides shutdown redundancy so that an unsafe failure is not credible.

4. The loss of AC power causes the magnet supply to be de-energized, which in turn produces the same response as a manual scram - dropped rods.

5. The high level trips in the two analog power safety channels are redundant and therefore do not present a credible mode for failure. In the electronic circuitry comprising the safety channels, all non-safety outputs are physically separated and isolated to prevent common mode failures which may otherwise invalidate the single failure criterion. A minimum separation of six inches, or a metallic flame barrier, exists between all safety and non-safety circuits. A minimum isolation voltage of 1500 volts RMS or DC applies to both optical and transformer isolation.

The MTBF of the NPP1000 and NP1000 safety modules is greater than 20,000 hours based upon component failure rate data taken from MIL-HDBK-217B. The bistable trip portion of the NP1000 has an MTBF greater than 200,000 hours. Since these units operate totally independently, each with its own detector and electronic circuits, complete redundancy exists.

The NM1000 power monitor and safety channel, with its own detector, electronics and a diverse design from the two analog channels, also operates independently, providing complete redundancy when used as a scram channel, and therefore does not present a credible mode of failure [1]. As with the NPP/NP1000 channels, all safety and non-safety outputs are physically separated and optically isolated to prevent invalidation of the single failure criterion. All circuits are housed in NEMA enclosures, with shielded cables used for communication between the amplifiers and the microprocessor, and between the microprocessor and the console data displays. The detector output to the amplifiers uses radiation resistant (Rockbestos) coaxial cables, routed in a copper jacketed and insulated flexible conduit. This provides protection from mechanical damage as well as EMI prevention.

6. The detector high voltage is interlocked by trip circuits in the power safety channels, and the redundant circuitry makes unsafe failures not credible. The separation and isolation criteria of item 5 above apply.

7. The two fuel temperature safety channels are high reliability modular signal conditioner/limit alarm devices, each with calculated MTBF figures exceeding 200,000 hours. The channels are redundant, with separation criteria applied to the wire harness; therefore an unsafe failure is not credible.

8. The magnet supply ground fault detector uses a high reliability modular signal conditioner/limit alarm. The signal conditioner module has an MTBF of greater than 200,000 hours. The limit alarm uses a relay rated for more than 25,000 operations. There is a pushbutton switch which is used to test the operability of the ground fault detector on a daily basis. Because the relay only operates during testing and fault conditions, the end of life cannot be reached. Therefore the probability of an undetected ground fault is the probability of random failure in the signal conditioner, which is less than one in 23 years.

9. Watchdog Scrams - A watchdog timer on the data acquisition computer and another on the control system computer are required to be reset periodically by a program routine as a safeguard against computer component failures, either in hardware or software. If the required response is not received within a definite time period, redundant normally open (fail safe) contacts interrupt the scram loop, dropping the rods and shutting down the reactor. The watchdog timer is an added safety device.
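The fail-safe behaviour described in item 9, as an added simulation that is not part of the original document: each computer's watchdog drives a normally open contact that stays closed only while the computer is powered and kicks the timer on time, and the two contacts sit in series in the scram loop. Tick lengths, timeouts and the fault names are constructed for the example.

```python
"""Fail-safe watchdog contacts in the scram loop (Appendix B, item 9).

Added example, not code from the original document. It simulates, in
deterministic integer ticks, a watchdog timer on each of the two computers
(DAC and CSC). Each timer drives a normally open contact that is held
closed only while the computer is powered and has kicked the timer within
the timeout; the two contacts are in series in the scram loop, so a hang or
power loss on either computer opens the loop and drops the rods. Tick
lengths, timeouts and fault times are constructed values.
"""
from dataclasses import dataclass


@dataclass
class Watchdog:
    """A hardware timer whose relay contact is normally open (fail safe)."""
    name: str
    timeout: int            # ticks allowed between kicks (constructed)
    powered: bool = True
    last_kick: int = 0

    def kick(self, now: int) -> None:
        """Periodic reset from the program routine; a dead computer cannot kick."""
        if self.powered:
            self.last_kick = now

    def contact_closed(self, now: int) -> bool:
        """Closed only while energized: powered AND recently kicked. Any other
        state, including no power at all, leaves the contact open."""
        return self.powered and (now - self.last_kick) <= self.timeout


def magnets_energized(watchdogs, now: int) -> bool:
    """The scram loop holds the rod magnets only if every series contact is closed."""
    return all(w.contact_closed(now) for w in watchdogs)


def simulate(faults, kick_period: int = 5, timeout: int = 10, end: int = 100):
    """Run the loop for `end` ticks. `faults` maps a tick to one of
    'dac_hang', 'csc_hang', 'dac_power', 'csc_power' (constructed fault names).
    Returns the first tick at which the magnets drop, or None if no scram."""
    dogs = {"DAC": Watchdog("DAC", timeout), "CSC": Watchdog("CSC", timeout)}
    hung = {"DAC": False, "CSC": False}
    for t in range(end + 1):
        fault = faults.get(t)
        if fault == "dac_hang":
            hung["DAC"] = True           # software stops running; hardware still powered
        elif fault == "csc_hang":
            hung["CSC"] = True
        elif fault == "dac_power":
            dogs["DAC"].powered = False  # loss of power de-energizes the contact at once
        elif fault == "csc_power":
            dogs["CSC"].powered = False
        # A healthy program routine kicks its own watchdog every kick_period ticks.
        for name, dog in dogs.items():
            if not hung[name] and t % kick_period == 0:
                dog.kick(t)
        if not magnets_energized(dogs.values(), t):
            return t
    return None


if __name__ == "__main__":
    print("no faults            ->", simulate({}))                  # None: no spurious scram
    print("DAC hang at tick 23  ->", simulate({23: "dac_hang"}))    # 31: timeout after last kick at 20
    print("CSC power loss at 40 ->", simulate({40: "csc_power"}))   # 40: contact opens immediately
```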


Appendix C

SCRAM CIRCUIT SAFETY ANALYSIS

The University of Texas at Austin

Scram Circuit Safety Analysis
University of Texas TRIGA Reactor

Prepared by:

Dr. Thomas Bauer, Assistant Director, Nuclear Engineering Teaching Laboratory

David Goff, Engineering Science Student

July 19, 1988

TRIGA-ICS

Reactor Safety System

Protective actions of the Reactor Safety System (RSS) are provided by several parameter measurement channels and a control-rod power circuit (scram circuit). Each measurement channel controls operation of the scram circuit by means of a relay in the circuit. When any one of these relays is tripped, it cuts power to the rods.

The scram circuit design is comprised of four functional sections. These represent the physical circuit, including the ground fault and power supply monitors; a manual section including the key switch and manual scrams; the protective action monitoring of the system; and monitors of the system's operability. These sections are shown in the diagram below.

[Figure: RSS Functional Diagram. The 20 V dc scram loop, with its source status monitor, carries the protective action signals (+ loop and - loop) through the key switch, the program control relays, the control (manual) scram, and the circuit status monitors.]

The following analysis first looks at the basics of the system in steady-state operation. After a general failure model is developed, the analysis expands to look at the calibration checks, the bypass relay used in pulse mode, and monitor channel failures that provide protective action signals to the scram circuit.

RSS Failure Analysis

The RSS scram circuit supplies power to the control rods and hence is the point at which all scrams occur, or fail to occur; its proper function is therefore imperative to safe operation of the reactor. In analyzing the scram circuit, as many potential failure modes as possible were examined to estimate the probability of a circuit failure. The ultimate failure consequence was that the control rods were not inserted and no scram occurred during a scram situation. In order to examine the way in which individual failures in the circuit might lead to a non-scram condition, a fault tree was constructed based on an analysis of the scram circuit.

The first step in the RSS failure analysis involved identifying the various ways in which the RSS could fail. These include:

1) Physical System Failure
2) Limiting Safety System Setting (LSSS) Failure
3) System Operable Failure
4) Computer/Manual Control Failure

The Physical System failures include wire breaks, shorts, and failure of the ground fault detect and voltage detect circuits. The LSSS failures are those which would cause loss of the ability to detect an unsafe condition. These elements include the Fuel Temperature monitors and the Percent Power monitors in the NM-1000, NP-1000 and NPP-1000. System Operable failures are those which cause loss of the ability to monitor the operable condition of other systems, for instance the high voltage monitors. Finally, Computer/Manual Control failures are those associated with the program relays or the manual scram and key switch.

The failure analysis is based on a fault-tree approach in which the probability of a particular failure is broken down into component parts which are either added or multiplied together, depending on whether the components function in an "or" or an "and" manner respectively. The general equation for the fault tree is:

$$P_{failure} = P_{physys} + P_{LSSS} + P_{sysop} + P_{comp/man} \qquad (1)$$

where $P_{failure}$ is the overall probability of the circuit failing to scram in a scram situation and the $P_j$'s are the probabilities of each of the failure modes described above. This analysis assumes that combinatorial failures between the four types of failures are rare events and thus are excluded. Unless a specific common mode failure exists, combinations of single failures between different types should not cause a condition that prevents the protective action of the RSS circuit. Multiple failure scenarios are significantly less probable.

[Figure: Fault Tree Overview. Top event: Control Rod Release Failure, with intermediate events Control Circuit Failure and Physical/Manual Input Failure, fed by four branches combined as an OR: Physical System Failure, LSSS Event Detection Failure, System Operable Failure, and Computer/Operator Fails. The figure restates Equation (1): $P_{failure} = P_{physys} + P_{LSSS} + P_{sysop} + P_{comp/man}$.]

Physical System

There are many potential failures in the physical system. Fortunately, most result in loss of power to the control rods and hence a scram situation. The possible failure modes are:

Power loss
Short to line (supply to return)
Short to power
Power fluctuation
Voltage detect circuit failure
Short to ground
Ground detect circuit failure
Short to line (supply to supply or return to return)

The first two failure types, power loss and short from the supply to return trains, inherently scram the system by cutting off power to the control rods. Shorts to power are also safe failures, as they do not prevent operation of the circuit and in any event are subject to detection by the ground fault detection circuit. Therefore, these three failure modes are not of concern for this analysis.

The fault tree shows the probabilities associated with the five remaining failure modes. Failures are broken into two categories for the fault tree analysis: failures which represent faults in the ground detect and voltage detect circuits coupled with physical failures in the system, and failures that involve shorts along the supply and return trains which are undetectable by the ground and voltage detect circuits.

.m_

a L

The first failure considered is a power fluctuation which damages the circuit coupled with a failure of the voltage detect circuit. It is assumed that l

such a voltage fault could cause relays tofuse or otherwise malfunction in a f

manner that would prevent them from operating properly so that in the

- event that the voltage detect circuit failed, an unsafe situation would arise.

o L

In reality, a voltage fluctuation significant enough to cause such damage 5

q m2

,-.3.

~ -

~

4 i

3 i

c would probably cause other damage which might result in a scram situation.

Nevertheless, the probability is included for the sake of conservatism.

In considering the next failure mode, ground failures, it is important to k

note that the entire scram circuit is isolated at least 15 Kn froin ground. - In

' order for a ground failure to hurt the system then, two ground failures must v

occur on the same line to provide a short around one or several relays, the 1

- ground detect circuit must fall to notice the ground condition, and a line short occur on the other line (or a circuit relay also fall). This gives a fourth

' power failure term and is several orders of magnitude smaller than the I

other possible failures in the system.

I:i Finally, a short along either the supply or return train would not be 1

detected by the scram circuit. Such a short would negate the safety relays between the two points on the line at which the short occurred. However, for this to lead to an unsafe failure, such shorts would have to occur on both the supply and return trains because all safety monitors are duplicated on

'I both trains. This redur.dancy structure is shown in the fault tree and makes this a non-single failure mode. An alternative failure mode of the safety system with the same result of a short on both lines as mentioned above,is a short to line on one line and a relay failure on the other line.

There are two approaches to dealing with the possible combinations of line shorts and relay failures. One approach is to consider the circuit as a whole and take the probability to be simply that of a line short or a relay failure occurring on both lines. The other approach is to consider the number of segments across which a short could occur and the particular relay failures which, in conjunction with that short, would cause an unsafe situation. This second approach depends strongly on the geometry of the system, which determines which failures are credible and which are impossible. This analysis will therefore treat the line-relay failure combination from the overall-picture standpoint. Note that the two models should give about the same probability of failure, since one considers a large cable length and few combinations of failures while the other considers short cable lengths and many combinations of failures.

The equation for this segment of the fault tree, then, is:

\[
P_{physys} = \left(P_{pwrfail}\cdot P_{pdetect}\right) + \left[(P_{gflt})^{2}\cdot P_{gdetect}\cdot (P_{short}+P_{relay})\right] + \left[(P_{short}+P_{relay})\cdot(P_{short}+P_{relay})\right] \qquad (2)
\]

where the squared term indicates that a ground fault must occur twice on the same line. P_{physys} can be substituted into Equation 1 as part of the overall failure probability.

Figure: Physical System Fault Tree (diagram not reproduced). Top event: Physical System Fails, OR of three branches:
  - Power Fails: power supply fails AND power detector fails, P_1 = P_{pwrfail} · P_{pdetect}
  - Ground Wiring Fault: ground short twice on one line AND ground detector fails AND (short or relay failure) on the other line, P_2 = (P_{gflt})^2 · P_{gdetect} · (P_{short} + P_{relay})
  - Short Circuit to Line: (short or relay failure) on the supply line AND (short or relay failure) on the return line, P_3 = (P_{short} + P_{relay}) · (P_{short} + P_{relay})
  P_{PHYSYS} = P_1 + P_2 + P_3   (2)

Limiting Safety System Setting

The LSSS consists of the fuel temperature monitors and the percent power monitors. For either high fuel temperature or high percent power to fail to cause a scram, relays on both the supply and return trains must fail. This is because there are two independent fuel temperature monitors, one connected to each line of the scram circuit. Similarly, there are two percent power monitors independently connected to each side of the scram circuit, so that both would have to fail for a failure to occur. This is clearly a non-single failure mode.

External scrams may be inserted at two points in the scram circuit. If the external scram is a safety system setting, these scrams should be installed as separate circuits at each of the two points to maintain the non-single-failure criterion. An additional squared term representing the circuit failure is then necessary to complete the failure probability for the limiting safety system setting.

The equation for the probability of LSSS failure, as shown in the fault tree, is

\[
P_{LSSS} = (P_{ftemp})^{2} + (P_{\%pwr})^{2} \qquad (3)
\]

P_{LSSS} may be plugged into Equation 1 as part of the overall failure probability equation.

Figure: LSSS Fault Tree (diagram not reproduced). Top event: LSSS System Fails, OR of two branches: Fuel Temperature Detection Fails (Fuel Temp #1 fails AND Fuel Temp #2 fails) and Percent Power Detection Fails (%Pwr #1 fails AND %Pwr #2 fails).
  P_{LSSS} = (P_{ftemp})^2 + (P_{\%pwr})^2   (3)


System Operable Failure

The system operable components are the high voltage, software watchdog, low water level, and external scram relays. Each system operable component has independent sensors wired into both the supply and return lines and so is a non-single failure mode. A high voltage scram checks the voltage on each of the percent power monitors. There are two pairs of watchdog relays, one for the CSC and one for the DAC, that monitor loss of program execution. Low water level monitors check for extreme low water level in the tank. The external scram ensures that all external conditions are met, if applicable. External scrams should be installed in pairs, one circuit in each of the positive and negative sections of the scram bus; otherwise the failure probabilities of this analysis may be substantially altered.

Computer program execution is monitored with software-resettable timers that provide time-out switches, two relays for each computer. Each pair of relays is driven under program control by four separate timers. These timers cause a scram if not reset within a five second period. The four timers can be set by the same or separate software modules and may be connected to the relays in different combinations.

l.

The equation governing the probability associated with the system operable segment of the fault tree is:

\[
P_{sysop} = (P_{hv})^{2} + (P_{lowwater})^{2} + (P_{extscram})^{2} + (P_{CSC})^{2} + (P_{DAC})^{2} \qquad (4)
\]

where the squared terms are due to the redundancy in the system. P_{sysop} can be plugged into Equation 1 as part of the overall failure probability.
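As an added illustration of the watchdog arrangement just described (this is example code, not General Atomics' ICS software), the following Python model wires four timers per computer to two relays, runs a 100 ms software loop, and reports when the scram bus opens. The four-timers-per-computer wiring, the two-timers-per-relay split, the loop period and the scenario timings are assumptions; the five second timeout, the two relays per computer and the key switch power-off signal that stops the CSC from refreshing its timers are from the text.

```python
"""Discrete-time model of the ICS watchdog relays described above.

Added illustration, not GA code. Four timers per computer, two per relay and a
100 ms loop are assumptions; the 5 s timeout and two relays per computer are
stated in the report."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TIMEOUT_MS = 5000  # a timer that is not reset within five seconds scrams


@dataclass
class WatchdogTimer:
    name: str
    last_reset_ms: int = 0

    def expired(self, now_ms: int) -> bool:
        return now_ms - self.last_reset_ms >= TIMEOUT_MS


@dataclass
class WatchdogRelay:
    """Held closed only while every timer wired to it is being refreshed."""
    name: str
    timers: List[WatchdogTimer]

    def is_closed(self, now_ms: int) -> bool:
        return not any(t.expired(now_ms) for t in self.timers)


@dataclass
class Computer:
    name: str
    timers: Dict[str, WatchdogTimer]
    relays: Tuple[WatchdogRelay, WatchdogRelay]  # one in the supply line, one in the return line
    halted: bool = False  # a key-switch 'power off' signal stops all timer updates

    def run_software(self, now_ms: int, hung: Set[str]) -> None:
        if self.halted:
            return
        for name, timer in self.timers.items():
            if name not in hung:  # a hung module never reaches its reset call
                timer.last_reset_ms = now_ms


def build_computer(name: str) -> Computer:
    timers = {f"{name}-T{i}": WatchdogTimer(f"{name}-T{i}") for i in range(1, 5)}
    t = list(timers.values())
    relays = (WatchdogRelay(f"{name}-supply", t[:2]),
              WatchdogRelay(f"{name}-return", t[2:]))
    return Computer(name, timers, relays)


def simulate(events: List[Tuple[int, str, str]],
             t_end_ms: int = 20000, loop_ms: int = 100) -> Optional[Tuple[int, str]]:
    """Run the CSC and DAC software loops; return (time_ms, relay) at the first
    relay opening, or None if the scram bus stays closed until t_end_ms.

    events: (time_ms, 'hang', timer_name) or (time_ms, 'keyswitch', computer_name).
    Constructed scenario input, not plant data."""
    computers = {"CSC": build_computer("CSC"), "DAC": build_computer("DAC")}
    hung: Set[str] = set()
    for now in range(0, t_end_ms + 1, loop_ms):
        for comp in computers.values():
            comp.run_software(now, hung)
        for t_ev, kind, arg in events:
            if t_ev == now:
                if kind == "hang":
                    hung.add(arg)
                elif kind == "keyswitch":
                    computers[arg].halted = True
        # The scram bus is a series loop: an open relay on either line scrams.
        for comp in computers.values():
            for relay in comp.relays:
                if not relay.is_closed(now):
                    return now, relay.name
    return None


if __name__ == "__main__":
    print(simulate([]))                            # None: healthy software
    print(simulate([(3000, "hang", "CSC-T2")]))     # (8000, 'CSC-supply')
    print(simulate([(2000, "keyswitch", "CSC")]))   # (7000, 'CSC-supply')
    print(simulate([(1500, "hang", "DAC-T4")]))     # (6500, 'DAC-return')
```

In the constructed scenarios a single module that stops executing at 3 s opens a CSC relay at 8 s, and a key switch power-off signal that halts all CSC timer updates at 2 s opens the bus at 7 s even if the key switch's own scram contact had failed, which is the software backup path described under Computer/Manual Control. Note that the model treats any open relay as a scram; it does not model a relay that fails closed, which is the unsafe case the squared terms in Equation 4 account for.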


Computer/Manual Control

This section describes the probability of failure of the program relays and of an operator scram. Since the program relays are identical, the possible failures are that one relay fails to open on command, or that two, three or all four fail. If only one relay fails, insertion of the three remaining rods will shut down the reactor, so this is not an unsafe failure mode. If any two, three or all four relays fail to open, the reactor will not shut down. It is easily demonstrated with a probability tree that the probability of failure of 2, 3 or 4 of the relays is 6P_r^2 + 4P_r^3 + P_r^4, where P_r is the probability of a single relay failure. (This expression omits the (1 - P_r) survival factors of the exact binomial sum, so it slightly overstates the probability, which is conservative.) The expression is clearly dominated by the first term for small P_r, so the cube and fourth power terms will be disregarded in further analysis.

The operator scram is normally initiated with the manual scram switch. In the case of a switch failure, however, the operator has other means to shut down the reactor. These include the key switch and the individual rod controls. The expression for rod control failure is based on the same three-out-of-four logic as the program relays, as again only three rods must be inserted to shut the reactor down.

The expression, then, for the probability of failure of these subsystems is:

\[
P_{comp/man} = 6\,(P_{PrRelay})^{2} + \left(P_{ManScr}\cdot P_{KeySw}\cdot P_{RodCtrl}\right) \qquad (5)
\]

Note that the operator has three independent methods to scram the system, all of which must fail for a non-scram situation to arise. This is highly unlikely, as the switches themselves are redundant. The manual scram switch, for example, is wired directly into the rod control circuit at two places, one on the supply line and one on the return line, both of which

Figure: System Operable Fault Tree (diagram not reproduced). Top event: System Operable Failure, OR of Software Function Trip Fails (CSC Watchdog fails: CSC #1 AND CSC #2; DAC Watchdog fails: DAC #1 AND DAC #2) and Operable System Detect Fails (External Detector fails: External Scram #1 AND External Scram #2; System Detector fails: Low Water Level Trip #1 AND #2, High Voltage Trip #1 AND #2).
  P_{SysOp} = P_{CSC}^2 + P_{DAC}^2 + P_{Ext}^2 + P_{LowWater}^2 + P_{HV}^2   (4)

must fail for the manual scram to fail. A third contact pair sends a status signal to the computer and is also capable of causing a scram by software command within a 5 second delay period. Similarly, the key switch is wired directly into the scram circuit at one point and also sends a power-off signal to the computer software. These software signals stop the CSC from updating the watchdog timers, and after five seconds they time out, scramming the circuit if the other switch contacts failed to do so. Finally, there are the individual rod controls. These are run through the CSC and so require that the software be operating properly; however, the watchdog relays are designed to scram the circuit in the event of a software failure.

Assuming, then, that the software is running, only three of the four rod controls must function properly to shut down the reactor, i.e. here again there must be two failures for the system not to scram. Overall, then, there must be several catastrophic failures all occurring simultaneously, none of which is caused by an event which would trigger other safety systems, for the operator not to be able to scram the system.

Clearly, the expression is dominated by the chance of a program relay failure, and the probability of the operator being unable to scram the system is vanishingly small.

Figure: Computer/Manual Fault Tree (diagram not reproduced). Top event: Comp/Man Scram Fails, OR of Software Scram Fails (1 relay fails to open: does not prevent shutdown; 2, 3 or 4 relays fail: failure) and Operator Scram Fails (Manual Scram fails AND Backups fail, where Backups fail = Key Switch fails AND Rod Controls fail; the rod controls follow the same logic, 1 failure does not prevent shutdown, 2, 3 or 4 failures do, so they are not a single failure).
  P_{Comp/Man} = 6 P_{PrRelay}^2 + P_{ManScr} · P_{KeySw} · P_{RodCtrl}   (5)


Failure Analysis

Many of the relays in the scram circuit are of the same type and hence have identical failure probabilities. The fuel temperature, percent power, high voltage, watchdog, low water, external scram, and program relays are all similar. An expression for the estimated failure rate for relays is found in Military Handbook 217 Revision E. It is based on the environment, the cycles per hour that the relay is expected to operate, and, of course, the relay type. The Handbook gives the expression for the failure rate as

\[
\lambda_r = \lambda_b \left(\pi_E \cdot \pi_C \cdot \pi_{cyc} \cdot \pi_F \cdot \pi_Q \cdot \pi_L\right)\ \text{failures}/10^{6}\ \text{hrs} \qquad (6)
\]

Assuming a double pole, single throw, solenoid relay operating at less than one cycle per hour and carrying less than five amps, the literature specifies the modification factors as:

  π_E = 4.6     Environmental Factor
  π_C = 1.5     Contact Type Factor
  π_cyc = 1     Cycle Rate Factor
  π_F = 12      Family Construction/Application Factor
  π_Q = 1.5     Quality Rating Factor
  π_L = 1.28    Load Factor
  λ_b = 0.006   Base Relay Failure Rate

Equation 6 then gives λ_r ≈ 1 failure/10^6 hrs. If P_r is the probability of a relay failure per hour, then P_r ≈ 1 × 10^-6 failures/hr. Note that, in order to keep the failure estimates conservative, all failures are considered unsafe in the analysis. In reality there are several safe failure modes; e.g. a relay opening without cause is a safe failure, as it causes a system scram.

For the manual scram, control rod and key switches, a similar expression applies:

\[
\lambda_s = \lambda_b \left(\pi_E \cdot \pi_C \cdot \pi_{cyc} \cdot \pi_L\right)\ \text{failures}/10^{6}\ \text{hrs} \qquad (7)
\]

where:

  π_E = 2.9     Environmental Factor
  π_C = 2.0     Contact Type Factor
  π_cyc = 1.0   Cycle Rate Factor
  π_L = 1.48    Load Factor
  λ_b = 0.034   Base Switch Failure Rate

Then λ_s ≈ 0.3 failures/10^6 hrs and P_s ≈ 3 × 10^-7 failures/hr. Note that this is only the probability of a physical failure of the switch itself. Because of the redundancy in the operation of the switches, as described in the section on operator scrams, this probability is much larger than that of the switch operating properly but failing to scram the system due to an internal system failure.

For the conductors in the circuit, data is given by the IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations. The Guide suggests from empirical data that for a short to ground the probability is P_g = 1 × 10^-6 failures/hour/100 circuit feet. The probability of a short to power is P_pwr = 6 × 10^-7 failures/hour/100 circuit feet. It is assumed that a short to line is similar in probability to a short to power. Although many line shorts would require two breaks (failures) in the line to produce a short, the possibility that a single event could create a short must also be considered, e.g. a wire falling across two terminals, or overlapping cables allowing a single-point line short. Therefore, in the interest of conservatism, line shorts will be considered as single-point failures.

The ground and voltage detect circuits were assumed to have the same overall failure rate as a sensing instrument. This failure rate is rather conservative, since the detect circuits are much simpler than most sensing instruments and have fewer failure modes. Reliability and Risk Analysis suggests a failure rate for a sensing instrument of P_inst = 1 × 10^-6 failures/hour.

The probability calculations for each of the four sections of the fault tree are as follows:

\[
P_{physys} = \left[(P_g)^{2}\cdot P_{det}\cdot (P_{short} + P_r)\right] + \left(P_{pwr}\cdot P_{det}\right) + \left[(P_{short} + P_r)(P_{short} + P_r)\right] \approx 3 \times 10^{-12}
\]
\[
P_{LSSS} = 2\,P_r^{2} = 2 \times 10^{-12}
\]
\[
P_{sysop} = 5\,P_r^{2} = 5 \times 10^{-12}
\]
\[
P_{comp/man} = 6\,P_r^{2} + P_{ManScr}\cdot P_{KeySw}\cdot P_{RodCtrl} \approx 6 \times 10^{-12}
\]

Using these numbers in Equation 1, we see that P_{fail} ≈ 2 × 10^-11 failures/hr, or a mean time between failures of about 7 × 10^6 years for the failures considered. It is important to note that this is not the expected time for the circuit to go without any failure; the long lifetime is rather indicative of the inherent design of the system, in that all single failures will cause a scram condition and therefore only two or more failures occurring simultaneously can lead to a potentially unsafe failure. The improbability of this happening is reflected in the low failure probability.
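The four branch probabilities and the Equation 1 sum can be checked with the following Python script, added here as a worked example rather than taken from the report. It uses the rates quoted above; the power supply failure rate P_pwr is not stated on the page and is set to the generic instrument rate as an assumption, and the k-of-n helper also computes the exact binomial sum so that the conservative 6P^2 + 4P^3 + P^4 bound can be compared against it. The control rod sticking case from the Conclusion is included because it uses the same three-out-of-four logic.

```python
"""Scram-circuit fault tree: Equations 2 to 5 summed per Equation 1.

Added worked example, not part of the original report. Rates are those quoted
in the text; P_PWR is an assumption (the page gives no power-supply rate)."""
from math import comb

P_R = 1e-6      # relay failure, failures/hr (Equation 6)
P_S = 3e-7      # switch failure, failures/hr (Equation 7)
P_G = 1e-6      # short to ground, failures/hr per 100 circuit feet (IEEE Guide)
P_SHORT = 6e-7  # short to line, taken equal to short to power (IEEE Guide)
P_DET = 1e-6    # ground/voltage detect circuit, treated as a sensing instrument
P_PWR = 1e-6    # ASSUMPTION: power-supply failure rate is not stated on the page


def k_of_n_failure(p: float, n: int, k: int, exact: bool = True) -> float:
    """Probability that at least k of n identical components fail.

    exact=True is the binomial sum with (1 - p) survival factors.
    exact=False drops them, reproducing the report's conservative bound
    (for n = 4, k = 2 that is 6p^2 + 4p^3 + p^4)."""
    total = 0.0
    for j in range(k, n + 1):
        term = comb(n, j) * p ** j
        if exact:
            term *= (1.0 - p) ** (n - j)
        total += term
    return total


def p_physys(p_g=P_G, p_det=P_DET, p_short=P_SHORT, p_r=P_R, p_pwr=P_PWR) -> float:
    """Equation 2: power, ground-wiring and line-short branches (OR-ed)."""
    power = p_pwr * p_det                          # supply fails AND its detector fails
    ground = p_g ** 2 * p_det * (p_short + p_r)    # two ground faults on one line AND ...
    short = (p_short + p_r) * (p_short + p_r)      # supply train AND return train bypassed
    return power + ground + short


def p_lsss(p_r=P_R, bypass_relay=False) -> float:
    """Equation 3; with bypass_relay=True the P_r * P_byp term from the
    Bypass Relay section is added (3 P_r^2 instead of 2 P_r^2)."""
    total = p_r ** 2 + p_r ** 2                    # fuel temp pair, percent power pair
    if bypass_relay:
        total += p_r * p_r                         # bypass relay stuck AND NPP-1000 relay
    return total


def p_sysop(p_r=P_R) -> float:
    """Equation 4: HV, low water, external scram, CSC and DAC watchdog pairs."""
    return 5 * p_r ** 2


def p_comp_man(p_r=P_R, p_s=P_S) -> float:
    """Equation 5: 2, 3 or 4 of the four program relays fail, plus the operator
    path (manual scram switch AND key switch AND 3-of-4 rod controls fail)."""
    program = k_of_n_failure(p_r, 4, 2, exact=False)
    rod_ctrl = k_of_n_failure(p_s, 4, 2, exact=False)
    return program + p_s * p_s * rod_ctrl


def p_fail(bypass_relay=False) -> float:
    """Equation 1: the four branches are OR-ed, so their rates add."""
    return p_physys() + p_lsss(bypass_relay=bypass_relay) + p_sysop() + p_comp_man()


def mtbf_years(rate_per_hour: float) -> float:
    return 1.0 / rate_per_hour / (24 * 365.25)


def p_rods_stick(p_rod_per_day: float = 1e-4) -> float:
    """Conclusion section: one rod sticking at 1e-4/day, 3-of-4 logic."""
    return k_of_n_failure(p_rod_per_day / 24, 4, 2, exact=False)


if __name__ == "__main__":
    print(f"physys {p_physys():.2e}  lsss {p_lsss():.2e}  sysop {p_sysop():.2e}  "
          f"comp/man {p_comp_man():.2e}")
    print(f"total {p_fail():.2e} /hr, MTBF {mtbf_years(p_fail()):.1e} years")
    print(f"control rods alone {p_rods_stick():.2e} /hr")
```

With the assumed P_pwr the physical-system branch comes out at 3.6 × 10^-12 and the total at 1.7 × 10^-11 failures/hr, consistent with the 1.6 × 10^-11 the report rounds to 2 × 10^-11; the line-short term dominates that branch, so the unstated power term matters little.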


Explanation of Equations

The equations given for switch and relay failure are of similar form. They include a base failure rate for the given component type (λ_b) and several modification factors (π's) based on the individual component and the system in which it operates. The modification factors used are explained below.

  π_E     Environmental Factor
  π_C     Contact Type Factor
  π_cyc   Cycle Rate Factor
  π_F     Family Construction/Application Factor
  π_Q     Quality Rating Factor
  π_L     Load Factor

Numerical values for the π's are given in Military Handbook 217 Rev. E and have been transcribed in part. Most of the modification factors depend on whether the component meets MilSpec standards or is considered "lower quality". In the interest of keeping failure estimates conservative, it is assumed that components are not MilSpec quality.

π_E is based on the environment and installation type. For a fixed ground installation, π_E is 2.9 for switches and 4.6 for relays.

π_C is the same for relays and switches and depends on the form and number of contacts. Values for π_C are shown in Table 1 below.

Table 1: Contact Type Factor π_C by contact form
  SPST    1.00
  DPST    1.50
  SPDT    1.75
  3PST    2.00
  4PST    2.50
  DPDT    3.00
  3PDT    4.25
  4PDT    5.50
  6PDT    8.00

Table 2: Load Factor π_L for an inductive (solenoid) load, by stress ratio S
  S = 0.1     1.06
  S = 0.2     1.28
  S = 0.3     1.76
  S = 0.4     2.72
  S = 0.5     4.77
  S = 0.6     9.49
  S = 0.7    21.4

Table 3: Quality Rating Factor π_Q
  R            0.1
  P            0.3
  M, L         (values not legible in the scan)
  Not Rated    1.5

For π_L, the load factor, values are determined by S, the ratio of the load current to the rated resistive load. π_L values for an inductive load (solenoid relay) are shown in Table 2 above. The relays are assumed to be rated for 120 V, which gives S = 0.2.

For a switch, π_cyc is equal to the number of cycles per hour that the switch is operated (π_cyc = 1 if less than 1 cycle/hr). For relays, π_cyc is 1.0 if the relay operates at less than 10 cycles per hour.

The quality factor π_Q is shown in Table 3. The relay quality ratings are unknown and hence the relays are assumed not to be rated.

Finally, π_F is shown for several relay construction types in Table 4 below.

Table 4: Family Construction/Application Factor π_F by contact construction and current rating (signal current, low mV and mA; 0 to 5 amps), with rows for Dry Reed, Mercury Wetted, Magnetic Latching, Solenoid, Armature and Balanced Armature contacts. The individual values are not legible in the scan; the analysis uses π_F = 12 for the solenoid relay carrying 0 to 5 amps.

These factors can be plugged into Equations 6 and 7 in the failure analysis to get:

\[
\lambda_r = \lambda_b \left(\pi_E \cdot \pi_C \cdot \pi_{cyc} \cdot \pi_F \cdot \pi_Q \cdot \pi_L\right)\ \text{failures}/10^{6}\ \text{hrs} \qquad (6)
\]
\[
\lambda_r = 0.006\,(4.6 \cdot 1.5 \cdot 1.0 \cdot 12 \cdot 1.5 \cdot 1.28) \approx 1\ \text{failure}/10^{6}\ \text{hrs}
\]
\[
\lambda_s = \lambda_b \left(\pi_E \cdot \pi_C \cdot \pi_{cyc} \cdot \pi_L\right)\ \text{failures}/10^{6}\ \text{hrs} \qquad (7)
\]
\[
\lambda_s = 0.034\,(2.9 \cdot 2.0 \cdot 1.0 \cdot 1.48) \approx 0.3\ \text{failures}/10^{6}\ \text{hrs}
\]

Finally, it should be noted that these numbers assume that all failures are unsafe. In fact, failures to an open state cause a scram, and hence these numbers are inherently conservative.


Bypass Relay

The bypass relay is used to cut the NP-1000 out of the scram circuit upon entering pulse mode. When this occurs, only one monitor for percent power remains able to scram the system. The preceding analysis of failure modes shows that one of the reasons for the extreme safety of the system is the redundancy inherent in all monitoring systems. This redundancy is compromised when the reactor goes into pulse mode. Fortunately, the reactor normally stays in pulse mode for a very short time, so the chance of a failure at that instant is very small.

A potential problem could arise, however, if the bypass relay itself failed and the system did not return from pulse mode. In that event, the system could operate for an extended period without the NP-1000 to provide the extra safety factor. If the bypass relay does fail, this failure will not be apparent on the operator's display: the percent power indicator for the NP-1000 will remain functional, because the CSC will still be receiving information from it. It is therefore necessary that the operator check the NP-1000 safety limit scram each time the reactor is pulsed, to confirm that the bypass relay has returned the system to steady-state operation.

Note that even if the bypass relay fails, the NPP-1000 is still monitoring the system and would be able to scram it should the percent power exceed its limits. For the circuit to remain in operation and totally unmonitored, the NPP-1000 would also have to fail. This again creates a situation in which two failures must occur for an unsafe situation to arise.

The new probability equation for the LSSS, allowing for the bypass relay, is:

\[
P_{LSSS} = (P_{ftemp})^{2} + (P_{\%pwr})^{2} + \left(P_r \cdot P_{byp}\right) = 3\,P_r^{2} = 3 \times 10^{-12}
\]

instead of P_{LSSS} = 2 P_r^2 = 2 × 10^-12 as before.


Calibration Checks

At system startup, the calibration of several systems is checked automatically. These systems are: fuel temperature monitors, percent power monitors, high voltage monitors, and the watchdog timers. The manual scram switch, magnet key switch, low water level, and external scram settings are not tested by the auto pretest function and should be checked manually.

The fuel temperature, percent power, and high voltage monitors are checked by means of relays which switch from their normal positions to cut the monitors out of the system and allow a test current to be run through the sense section of the system. The CSC monitors when the system trips to assure that it is at the specified point. This process effectively compares a preset trip point to a software generated signal. The relays then return the system to normal operating mode. To check the watchdog timers, the CSC sets each timer and compares it to the clock to make sure that it times out within the appropriate time.

An optional calibration signal in some LSSS signal circuits is a function that adds the test signal to the sensor signals. Failure to remove this additive signal is conservative and will not lessen the protective function of any channel.

For the fuel temperature, percent power, and high voltage systems, if any relay fails to return to normal operating mode, no current from the detectors would reach the monitor circuits, and this would result in a loss-of-signal condition. A loss-of-signal indication can be verified by observing the zero state of the signal display. If, however, an entire system fails to return to normal mode, e.g. the fuel temperature monitors, and the calibration current remained on, the monitors would not scram but the detectors themselves would be completely cut out of the system. This is obviously an


undesirable situation. Note that the only way for such a failure to occur is for the CSC to leave the calibration signal active and fail to return the calibration relays to their normal operating positions. Merely leaving the relays in the wrong positions will cause a loss-of-signal condition when the calibration current is turned off.

There are basically two failure modes associated with the watchdog timers: failure to reset and failure to time out. Both of these modes are tested in the pre-start calibration checks by simply setting the timer and letting it time out. Even if the CSC gets stuck in the calibration mode it is a safe failure, as in this mode the CSC waits for a time-out after setting the timer. If the system were in operation, the first such time-out would cause a scram. The watchdog timers could also be reset by a random signal, but this is unlikely, as two pairs of timers would require a reset. There are, then, no unsafe failures associated with the watchdog timers' calibration.

The additional failure probabilities for each subsystem due to calibration of the system are assumed to be those of each subsystem failing all at once. Therefore there are two terms to be added to the overall failure equation, one for the fuel temperature and one for the percent power/high voltage monitors. The temperature system has three relays which must fail simultaneously, and each NP unit has two relays which must fail simultaneously:

\[
P_{\%pwr/hv} = P_{unit1}\cdot P_{unit2} = P_r^{2}\cdot P_r^{2} = P_r^{4} = 1 \times 10^{-24}\ \text{failures/hr}
\]
\[
P_{ftemp} = P_r^{3} = 1 \times 10^{-18}\ \text{failures/hr}
\]

Clearly both of these failure rates are orders of magnitude smaller than those for the system as a whole. They do not significantly affect the overall failure probability.


Monitor Channels

In addition to the scram circuit, safety system failures could occur in the monitors. The monitor channels of importance are the fuel temperature monitors and the NP-1000 and NPP-1000 percent power monitors, as these are critical to the safe operation of the system. For this analysis, the channels are all assumed to have the instrument failure rate shown in the above analysis, and all failures are assumed to be unsafe. This is a conservative estimate, as some common failure modes, e.g. loss of signal from the detector, would cause a scram.

The instrument failure rate is given as P_inst = 1 × 10^-6 failures/hour. Note that this failure rate is the same as the failure rate used for the relays in the circuit. For an unsafe fuel temperature failure to occur, the analysis is identical to that for the scram loop, i.e. both channels must fail for the system to be unsafe. This leads to several permutations of failures which are unsafe; however, all require at least two failures. The original expression was P_ftemp = P_r^2 = 1 × 10^-12. Now either the monitor or the relay can fail, but one must fail on each channel. Therefore:

\[
P_{ftemp} = (P_r + P_{inst})^{2} = 4 \times 10^{-12}\ \text{failures/hr}
\]

Similarly, for the NP-1000 and NPP-1000, the added failure modes increase the number of possible failures, but the system redundancy still protects the system. For the NPP-1000, in addition to the monitor failure, a gain failure is considered. The NPP operates in a separate gain mode for pulse operation, and were it to switch to pulse mode during steady state operation the NPP would essentially be useless, as the trip point in pulse mode is much higher than for steady state. Since the percent power and high voltage failure rates are incorporated into different parts of the overall failure model, and the percent power failure rates are affected by the bypass relay, it is easiest to look here simply at the increase in failures caused by considering the monitor channel failures. A detailed analysis is presented in the following example.

The additional failure probability, considering the interaction of the bypass relay and NPP gain, turns out to be:

\[
P_{\%pwr,\,added} = 8 \times 10^{-12}\ \text{failures/hr}
\]

Together with the fuel temperature term above, this is an increase of 1.1 × 10^-11 failures/hr and brings the overall failure rate, incorporating the bypass relay and instrument failures, to 3 × 10^-11 failures/hr. This gives a mean time between failures of 4 × 10^6 years. Note that this number is essentially double that for the basic system (though this is not as apparent due to the rounding done on the numbers; the original failure rate was about 1.6 × 10^-11 failures/hr), which is to be expected, as the instrument channels considered had failure rates similar to the relays in the circuit.

Please note that there are other cross interactions possible in the system, i.e. failures of two or more components related to each other but not directly interacting. In order for these failures to cause an unmonitored situation, though, three or more failures must occur. This puts the probability of such failures several orders of magnitude below the other failures in the system, and they have hence been disregarded in the analysis.


Analysis Example

The following is an example of the analysis used in this failure model. In looking at the percent power system, there are six failures which can cause an unsafe situation. These are failure of: the NP-1000 monitor, the NPP-1000 monitor, the NP-1000 percent power scram relay, the NPP-1000 percent power scram relay, the NPP-1000 gain mode relay, and the pulse mode bypass relay. In all cases, failure of two components is necessary to cause an unmonitored situation, but not all failure pairs will result in such a situation. Since the NP and NPP are on different lines, one component must fail in each, i.e. an NP monitor and NP scram relay failure is a safe combination, as the NPP-1000 is still fully functional.

The table below illustrates the possible failure combinations.

            NPP-M   NPP-R   NPP-G   NP-M    NP-R    Bypass
  NPP-M       -       S       S       U       U       U
  NPP-R       S       -       S       U       U       U
  NPP-G       S       S       -       U       U       U
  NP-M        U       U       U       -       S       S
  NP-R        U       U       U       S       -       S
  Bypass      U       U       U       S       S       -

  NPP-M: NPP-1000 Monitor    NPP-R: NPP-1000 Scram Relay    NPP-G: NPP-1000 Gain
  NP-M: NP-1000 Monitor      NP-R: NP-1000 Scram Relay      Bypass: Bypass Relay
  S: Safe failure, i.e. system still monitored    U: Unsafe failure, system not monitored

The table clearly shows the increase in failures from the original model, which had a percent power failure rate of 1 × 10^-12 (NP-R and NPP-R in the table). There are nine unique unsafe failure pairs shown above, accounting for the increase of 8 × 10^-12 discussed in the monitor channel section.
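The table can be generated rather than filled in by hand. The following Python script is an added example, not from the report: it encodes, from the text above, when the percent power channel is still monitored, classifies every pair of failures, sums the unsafe pairs with the rates used in the Monitor Channels section and, going beyond the table, searches for minimal cut sets up to three failures to confirm that no unmonitored third-order combination exists that is not already covered by one of the nine pairs.

```python
"""Percent-power failure-pair enumeration for the table above.

Added example, not from the report. The monitored() predicate encodes only what
the text states: the NP-1000 trips through its own scram relay unless the
pulse-mode bypass relay has cut it out; the NPP-1000 trips through its own
scram relay only while its gain relay holds steady-state gain; the two units
are on different lines, so either one alone keeps the reactor monitored."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

COMPONENTS = ("NPP-M", "NPP-R", "NPP-G", "NP-M", "NP-R", "Bypass")
# Rates from the Monitor Channels section: monitors at P_inst, relays at P_r.
RATE = {"NPP-M": 1e-6, "NP-M": 1e-6,
        "NPP-R": 1e-6, "NPP-G": 1e-6, "NP-R": 1e-6, "Bypass": 1e-6}


def monitored(failed: FrozenSet[str]) -> bool:
    """True while at least one percent-power channel can still scram."""
    np_ok = not failed & {"NP-M", "NP-R", "Bypass"}
    npp_ok = not failed & {"NPP-M", "NPP-R", "NPP-G"}
    return np_ok or npp_ok


def failure_table(order: int = 2) -> Dict[Tuple[str, ...], str]:
    """Classify every combination of `order` simultaneous failures:
    'S' = still monitored, 'U' = unmonitored."""
    return {combo: "S" if monitored(frozenset(combo)) else "U"
            for combo in combinations(COMPONENTS, order)}


def count_unsafe(order: int = 2) -> int:
    return sum(1 for cls in failure_table(order).values() if cls == "U")


def unsafe_rate(order: int = 2) -> float:
    """Sum of rate products over the unmonitored combinations."""
    total = 0.0
    for combo, cls in failure_table(order).items():
        if cls == "U":
            product = 1.0
            for name in combo:
                product *= RATE[name]
            total += product
    return total


def minimal_cut_sets(max_order: int = 3) -> List[FrozenSet[str]]:
    """Unmonitored failure sets that contain no smaller unmonitored set."""
    cuts: List[FrozenSet[str]] = []
    for order in range(1, max_order + 1):
        for combo in combinations(COMPONENTS, order):
            fs = frozenset(combo)
            if not monitored(fs) and not any(c < fs for c in cuts):
                cuts.append(fs)
    return cuts


def render_table() -> str:
    """Plain-text S/U matrix in the layout of the report's table."""
    table = failure_table(2)
    w = max(len(c) for c in COMPONENTS)
    rows = [" " * w + "  " + "  ".join(c.rjust(w) for c in COMPONENTS)]
    for a in COMPONENTS:
        cells = []
        for b in COMPONENTS:
            if a == b:
                cells.append("-".rjust(w))
            else:
                key = tuple(sorted((a, b), key=COMPONENTS.index))
                cells.append(table[key].rjust(w))
        rows.append(a.ljust(w) + "  " + "  ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table())
    print("unsafe pairs:", count_unsafe(2), "rate:", f"{unsafe_rate(2):.1e}", "/hr")
    print("minimal cut sets up to order 3:", len(minimal_cut_sets(3)))
```

With every rate at 1 × 10^-6 the nine unsafe pairs sum to 9 × 10^-12 failures/hr, i.e. the original 1 × 10^-12 plus the 8 × 10^-12 increase quoted above, and the minimal cut set search returns exactly those nine pairs, which is why the report can disregard third-order cross interactions.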


Conclusion

As stated before, this analysis gives an overall failure probability of 3 × 10^-11 failures per hour. This gives an approximate mean time between failures of 4 × 10^6 years. Despite the seeming extremity of this number, an attempt was made throughout the analysis to make all assumptions as conservative as reasonably possible. For instance, the lifetime would be extended by a factor of three if the reactor were assumed to operate only eight hours a day instead of the continuous operation assumed in the analysis. The inherent redundancy of the system simply makes it highly improbable that any failure would destroy the integrity of the safety system.

At this point, a comparison of the safety system's reliability to that of the physical system might be of interest. Reliability and Risk Analysis gives the failure rate of an individual control rod physically sticking as 1 × 10^-4 per day, i.e. 4 × 10^-6 failures per hour. Using the three-out-of-four logic, under which only three control rods must function in order to cause a scram, the probability of failure equation is identical to that shown for the program relays in the Computer/Manual section and is dominated by the term 6·P^2. This gives a failure rate for just the control rods of 1 × 10^-10 failures per hour.

Granted that this number still provides a reassuringly long mean time between failures (1 × 10^6 years), the point is that this small section of the physical plant alone has a failure rate almost an entire order of magnitude greater than the scram failure rate for the Reactor Safety System. Clearly, the Reactor Safety System is one of the more reliable parts of the reactor design and is not likely to be responsible for a failure of the system to scram.


Bibliography

General Atomic. G.A. TRIGA Hardware Reference Manual. General Atomic, preliminary issue, 1987.

General Atomic. G.A. TRIGA Operator's Manual. General Atomic, 1987.

General Atomic. Microprocessor Based Research Reactor Instrumentation and Control System INS-24. General Atomic, 1986.

Hodadon, Ken. Safety Evaluation Report of the New Nuclear Reactor Instrumentation and Control System for the AFRRI TRIGA Mark F Reactor Facility. 1986.

IEEE Inc. IEEE Guide to Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations. New York: IEEE, 1983.

Kurstedt, Harold A. Nuclear Safety Module NSM-1: Reliability Analysis for Reactor Safety.

McCormick, N.J. Reliability and Risk Analysis. New York: Academic Press, 1984.

United States Atomic Energy Commission. Reactor Safety Study: An Assessment of Risks in U.S. Commercial Nuclear Power Plants, Appendix III, Failure Data. Washington DC: U.S. Government, 1974.

United States Department of Defense. Military Handbook 217 Revision E: Reliability Prediction of Electronic Equipment. Washington DC: U.S. Government, 1986.

ANS 15.15-1978. Criteria for the Reactor Safety Systems of Research Reactors. American Nuclear Society, 1978.


Appendix D


Failure Rate of Typical Interlock Circuitry

Transient Rod Air Enable Interlock of TRIGA Console Control System.

Summary

A study was conducted to compare the reliability of a specific subsystem (the interlock that prevents air to the pulse rod cylinder unless it is fully down) in the older, analog console and the digital ICS. In the older system, all subsystems are hardwired, whereas the new ICS utilizes computer software to operate the interlocks.

For the specific interlock under consideration, the receiver DOWN microswitch initiating the signal is identical in the old and new ICS. From there on, the two systems differ. In the older console, the signal chain is hardwired ultimately to the Potter-Brumfield relay which performs the interlock function. In the newer system, the initiating signal is processed by software which performs the interlock function through a solid state relay.

Results from a reliability analysis on the two subsystems described above gave the following failure rates:

  Digital ICS: 0.195 failures per 10^6 hours.
  Analog ICS:  0.476 failures per 10^6 hours.

Therefore, the transient rod air enable interlock utilizing software control is 0.476/0.195 = 2.44 times more reliable.

I' Calculational Details.

(1)' Digital ICS Interlock Circuit.

The DAC computer in the ICS computer utilizes self-testing diagnostics to test the scanning and storage de-vices. As such, it requires multiple failures to cause a failt.re of the transient rod cylinder air enable function.

This multiplicity of failures is not credible and relegates the reliability consideration to that of the I/O device, a solid state relay (Gordos IAC15). The manufacturer's specifications show that this device has a demonstrated MTBF of 5,120,000 hours, or a failure rate of 0.195 failures per 10^6 hours.

(2) Analog Interlock Circuit.

In a manner analogous to that in (1) above, the reliability of the transient rod cylinder air enable interlock is reduced to that of a Potter-Brumfield relay. The reliability of this component is calculated as per Section 5.1.10.1-1 of MIL-HDBK-217E (October 27, 1986), where the failure rate ($\lambda_p$) is given as:

$$\lambda_p = \lambda_b \,(\pi_E \times \pi_C \times \pi_{CYC} \times \pi_F \times \pi_Q)\ \text{failures}/10^6\ \text{hours}$$

where $\lambda_b = \lambda_T \times \pi_L$ and

$\lambda_T$ = 0.0061 (85°C rating at 30°C ambient)
$\pi_L$ = 1.02 (stress factor: inductive load, 5% of rated current)
$\pi_E$ = 2 (benign ground environment, non-MIL-SPEC relay)
$\pi_C$ = 4.25 (3PDT contact form)
$\pi_{CYC}$ = 1.0 (lower quality relay, < 10 cycles/hr)
$\pi_F$ = 6.0 (lower quality, long armature, medium power, 5-20 A)
$\pi_Q$ = 1.5 (non-ER quality factor)

$$\lambda_p = 0.0061 \times 1.02 \times (2 \times 4.25 \times 1.0 \times 6.0 \times 1.5) \times 10^{-6}/\text{hr} = 0.476 \times 10^{-6}/\text{hr}$$
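The two calculations above, carried through in Python as an added worked example (this is not code from the report): the MIL-HDBK-217E relay factors, the MTBF conversion, and the probability that an interlock chain has failed since its last functional test, for which the one-week interval is an assumed value rather than one the report states.

```python
"""Reliability comparison for the transient rod air-enable interlock.

Added worked example, not part of the TRF-252 report.  Relay factors and the
Gordos IAC15 MTBF are the values the report lists; the surveillance interval
used for the failure-between-tests probability is an assumed parameter.
"""
import math
from dataclasses import dataclass

MILLION_HOURS = 1.0e6


@dataclass(frozen=True)
class RelayFactors:
    """Inputs to the MIL-HDBK-217E electromechanical relay model."""
    lambda_t: float  # base rate for the temperature rating, failures/1e6 h
    pi_l: float      # load stress factor
    pi_e: float      # environment factor
    pi_c: float      # contact form factor
    pi_cyc: float    # cycling rate factor
    pi_f: float      # application and construction factor
    pi_q: float      # quality factor


# Potter-Brumfield relay factors as tabulated in the report.
ANALOG_RELAY = RelayFactors(lambda_t=0.0061, pi_l=1.02, pi_e=2.0,
                            pi_c=4.25, pi_cyc=1.0, pi_f=6.0, pi_q=1.5)

# Demonstrated MTBF of the Gordos IAC15 solid state relay quoted in the report.
DIGITAL_RELAY_MTBF_HOURS = 5_120_000.0


def relay_failure_rate(f: RelayFactors) -> float:
    """lambda_p = lambda_b * pi_E * pi_C * pi_CYC * pi_F * pi_Q with the base
    rate lambda_b = lambda_T * pi_L.  Returns failures per 1e6 hours.
    (Dropping pi_L gives 0.467 rather than the report's 0.476.)"""
    lambda_b = f.lambda_t * f.pi_l
    return lambda_b * f.pi_e * f.pi_c * f.pi_cyc * f.pi_f * f.pi_q


def rate_from_mtbf(mtbf_hours: float) -> float:
    """Constant hazard rate lambda = 1/MTBF, expressed per 1e6 hours."""
    return MILLION_HOURS / mtbf_hours


def failure_probability(rate_per_million_hours: float, hours: float) -> float:
    """P(at least one failure in `hours`) = 1 - exp(-lambda t) for an
    exponential failure model, i.e. the chance the interlock has silently
    failed since it was last functionally tested."""
    return 1.0 - math.exp(-rate_per_million_hours * hours / MILLION_HOURS)


def compare_interlocks(test_interval_hours: float = 168.0) -> dict:
    """Failure rates of both interlock chains, their ratio, and the
    probability of an undetected failure between functional tests
    (168 h, one week, is an assumed interval for illustration)."""
    analog = relay_failure_rate(ANALOG_RELAY)
    digital = rate_from_mtbf(DIGITAL_RELAY_MTBF_HOURS)
    return {
        "analog_per_1e6h": analog,
        "digital_per_1e6h": digital,
        "reliability_ratio": analog / digital,
        "analog_p_fail_between_tests": failure_probability(analog, test_interval_hours),
        "digital_p_fail_between_tests": failure_probability(digital, test_interval_hours),
    }


if __name__ == "__main__":
    for key, value in compare_interlocks().items():
        print(f"{key}: {value:.4g}")
```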

Appendix E

ANALYSIS OF A FIVE DOLLAR RAMP ACCIDENT

Summary - An abnormal event is evaluated for the TRIGA Mark I reactor operated with the digital ICS in which all control rods are ramped out of the reactor. It is assumed for this event that the maximum licensed reactivity ($5.00) is ramped into the Mark I core in the minimum possible time (2 seconds). This assumes the simultaneous failure of the interlock that prevents the removal of more than a single control rod and an unexpected change in rod withdrawal time from the nominal 37 seconds to 2 seconds. The consequences of this event are trivial. The peak power and peak fuel temperature are 185 MW and 251°C (assuming a scrammed rod insertion time of 2 seconds) or 106 MW and 180°C (assuming a rod scram time of 1 second). The operating parameters for such an event are far smaller than those authorized by the license for normal operations, since the nominal peak power from a $3.00 pulse is about 1000 MW and the maximum licensed fuel temperature is 530°C for the standard low hydride TRIGA fuel (Section 7.4(b)).

Analysis - The GA computer program BLOOST 3 (a lumped parameter neutron kinetics, thermal-hydraulic program) was used to evaluate the ramp event. The sequence of events is the following:

1. The transient rod is fully withdrawn in preparation for approaching critical.

2. The two shim rods and the regulating rod are withdrawn to a banked position with the reactor critical at 0.010 watts.

3. All control rods are then withdrawn simultaneously at maximum speed (taken as 2 seconds from full down to full up).

4. The safety channels will terminate the excursion by scramming the reactor at 110% power, i.e., 275 kW.

The calculations assumed that the control rod drop time after scramming is 2 seconds, the maximum allowed by the license. A second calculation evaluated the results if the control rods drop in 1 second. (Typical control rod drop times are actually ~0.6 seconds.)

Table 1 lists the reactor parameters used for the event evaluated herein. The prompt negative temperature coefficient of reactivity is 0.86 x 10^-4 Δk/k/°C. The coolant temperature coefficient is small and is assumed herein to be zero. This is especially valid for this event because during the excursion little heat is transferred to the water.

With only the transient rod withdrawn (Item 1 above) the reactor is subcritical by about 80 cents. After the reactor is brought critical at 0.01 watts, the postulated ramp action can start the insertion of the available core excess reactivity ($5.00). Since the transient is terminated when the reactor power reaches 275 kW (110% full power), only a portion of the $5.00 is inserted by the time the scram occurs. At that time, the control rods fall under the action of gravity following a delay time of 0.015 sec to allow for the magnetic field to decay. Assuming 2 seconds for the rod drop time, a peak power of 185 MW occurs 0.64 seconds after the start of the ramp. The peak temperature of 251°C occurs about 1.02 seconds after the start of the ramp. The power rapidly decreases to below 250 kW 1.8 seconds after the start of the ramp. The total energy generated in the excursion is less than 10 MW-sec.

Figure E-1 shows the various ramp accident parameters for a 2.0 second rod drop time. A similar set of values has been calculated assuming a rod drop time of 1 second after the scram (Figure E-2). In this case, a peak power of 107 MW is reached in 0.64 seconds, with the peak fuel temperature of 179.5°C being reached in 0.91 seconds. The reactor power is below 250 kW in ~1.2 seconds after the initiating event. The total energy generated in the excursion is less than 6.2 MW-sec. All of the operating parameters calculated for the postulated ramp event are far smaller than those which are authorized for normal, licensed operation.

Conclusion. The postulated event in which all control rods are ramped out of the Mark I TRIGA reactor (with a core excess reactivity of $5.00) in 2 seconds, with the safety system functioning, will not cause any damage to the reactor or harm to any person.

TABLE 1. Mark I Reactor Parameters

Initial Conditions
    No. of fuel elements                 74
    Core/coolant temperature             20°C
    Initial power                        0.01 watts
    Cold, clean reactivity excess        3.5% Δk/k ($5.00)

Rod Worths
    Transient                            $3.00
    Shim 1                               $2.02
    Shim 2                               $2.02
    Regulating                           $1.75

Prompt neutron lifetime                  68 μsec

Fuel element specific heat (C + γT)
    C                                    740 Joule/°C
    γ                                    1.50 Joule/°C

Core water specific heat (per element), C_W    860 Joule/°C

Delayed neutron data
    Group      β_i              λ_i (sec^-1)
    1          2.409 x 10^-4    1.244 x 10^-2
    2          1.593 x 10^-3    3.051 x 10^-2
    3          1.431 x 10^-3    1.114 x 10^-1
    4          2.884 x 10^-3    3.013 x 10^-1
    5          8.394 x 10^-4    1.1362 x 10^0
    6          3.066 x 10^-4    3.0135 x 10^0
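A simplified lumped-parameter point-kinetics model of the ramp event, added here as a worked example; it is not the BLOOST program and tracks only the core-average fuel temperature, not the hot-channel peak the report quotes. It uses the Table 1 data and the sequence of events above, and assumes a linear rod withdrawal, a linear scram insertion from the rod position at the trip, and adiabatic fuel heating.

```python
"""Lumped-parameter point-kinetics model of the $5.00 ramp event.

Added worked example in the spirit of the BLOOST analysis; not GA's program.
Kinetics data, rod worths, fuel heat capacity, initial conditions, the
0.015 s magnet delay and the 275 kW scram setpoint come from Table 1 and the
text.  Assumed: linear $5.00 ramp over the withdrawal time, linear scram
insertion from the trip position to fully in, and adiabatic fuel heating.
"""

# Table 1: six-group delayed neutron data (beta_i, lambda_i in 1/s).
BETA = (2.409e-4, 1.593e-3, 1.431e-3, 2.884e-3, 8.394e-4, 3.066e-4)
LAMBDA = (1.244e-2, 3.051e-2, 1.114e-1, 3.013e-1, 1.1362, 3.0135)
BETA_TOTAL = sum(BETA)
DOLLAR = 0.035 / 5.0         # Table 1: $5.00 excess = 3.5% dk/k
LIFETIME = 68e-6             # prompt neutron lifetime, s
ALPHA = 0.86e-4              # prompt negative temperature coefficient, dk/k per degC
N_ELEMENTS = 74
C_FUEL, GAMMA = 740.0, 1.50  # element specific heat C + gamma*T, J/degC
ROD_WORTH_TOTAL = (3.00 + 2.02 + 2.02 + 1.75) * DOLLAR  # all four rods
SCRAM_POWER = 275e3          # 110% of 250 kW full power
MAGNET_DELAY = 0.015         # s, holding-magnet field decay after the trip


def simulate(drop_time=2.0, ramp_worth=5.00 * DOLLAR, ramp_time=2.0,
             p0=0.01, t0=20.0, dt=5e-5, t_end=2.0):
    """Integrate the point-kinetics equations with fully implicit (backward
    Euler) steps, which stay stable through the super-prompt-critical phase.
    Returns the quantities the report quotes for the event."""
    n = p0                                   # reactor power, W
    c = [b * n / (LIFETIME * l) for b, l in zip(BETA, LAMBDA)]  # equilibrium precursors
    temp, energy, t = t0, 0.0, 0.0
    trip_time = rho_at_trip = None
    rho_full_in = ramp_worth - ROD_WORTH_TOTAL   # all rods in, relative to critical
    peak_power, peak_time = n, 0.0
    while t < t_end:
        t += dt
        if trip_time is None:                        # rods still ramping out
            rho_rods = ramp_worth * min(t / ramp_time, 1.0)
        elif t < trip_time + MAGNET_DELAY:           # tripped, rods not yet falling
            rho_rods = rho_at_trip
        else:                                        # rods falling under gravity
            frac = min((t - trip_time - MAGNET_DELAY) / drop_time, 1.0)
            rho_rods = rho_at_trip + (rho_full_in - rho_at_trip) * frac
        rho = rho_rods - ALPHA * (temp - t0)         # prompt fuel temperature feedback
        # Backward Euler: eliminate the precursors, solve for n, then update them.
        denom, src = 1.0 - dt * (rho - BETA_TOTAL) / LIFETIME, 0.0
        for b, l, ci in zip(BETA, LAMBDA, c):
            denom -= dt * dt * l * b / (LIFETIME * (1.0 + l * dt))
            src += dt * l * ci / (1.0 + l * dt)
        n = (n + src) / denom
        c = [(ci + dt * b * n / LIFETIME) / (1.0 + l * dt)
             for b, l, ci in zip(BETA, LAMBDA, c)]
        # Adiabatic heating with the temperature-dependent heat capacity.
        energy += n * dt
        temp += n * dt / (N_ELEMENTS * (C_FUEL + GAMMA * temp))
        if trip_time is None and n >= SCRAM_POWER:
            trip_time, rho_at_trip = t, rho_rods
        if n > peak_power:
            peak_power, peak_time = n, t
    return {"trip_time_s": trip_time, "peak_power_w": peak_power,
            "peak_time_s": peak_time, "avg_fuel_temp_c": temp,
            "energy_mj": energy / 1e6, "final_power_w": n}


if __name__ == "__main__":
    for drop in (2.0, 1.0):          # the two rod drop times the report evaluates
        r = simulate(drop_time=drop)
        print(f"{drop} s rod drop: trip at {r['trip_time_s']:.2f} s, peak "
              f"{r['peak_power_w'] / 1e6:.0f} MW at {r['peak_time_s']:.2f} s, "
              f"core-average fuel {r['avg_fuel_temp_c']:.0f} C, {r['energy_mj']:.1f} MW-sec")
```

The output differs in detail from the report's BLOOST figures (in particular the timing and the hot-channel temperature), but shows the same qualitative result: the excursion is terminated by the prompt temperature feedback well below the 530°C fuel limit, and a faster rod drop lowers the peak.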

[Figure E-1 (plot): ramp accident parameters for a 2.0 second rod drop time, plotted against time after fast rod motion (sec)]
[Figure E-2 (plot): ramp accident parameters for a 1 second rod drop time, plotted against time after fast rod motion (sec)]

Appendix F

SAFETY CONSIDERATION FOR A PULSE FROM HIGH POWER

Safety Consideration for a Pulse From High Power

A calculation of the fuel temperature and other parameters resulting from an unplanned $3.00 pulse from high power steady state operation has been made using a methodology similar to that employed in the calculation reported herein in Appendix D. The initial conditions for this case are the following:

    Maximum Licensed Core Excess Reactivity:                                   $5.00
    Maximum Pulse Rod Worth:                                                   $3.00
    Maximum Reactor Steady State Power Level with Pulse Rod Fully Inserted:    200 kW
    Power Scrams (110%):                                                       275 kW
    Shutdown Reactivity:                                                       -$5.00

Prior to the unplanned $3.00 pulse, the average and maximum fuel temperatures are 200 and 360°C respectively. At about 0.075 sec after the pulse, the power peaks at 1.14 MW. The maximum core averaged fuel temperature is still about 200°C with a corresponding maximum fuel temperature of about 360°C. This peak temperature is well below the license limit of 530°C.

The calculation is conservative in that it assumed a shutdown reactivity of only $7.00 whereas the real case would probably have a shutdown reactivity of about $9.00 ($3.00 pulse rod plus $6.00 in 3 control rods).

From this informative calculation it is obvious that the interlock requiring that the pulse rod cylinder be full DOWN before air can be applied performs only a control function [1] and is not required to prevent excessive or dangerous fuel temperatures.


Appendix G

REACTOR OPERATION CHECKLISTS

General Atomics
TRIGA REACTORS FACILITY

MARK I REACTOR STARTUP CHECKLIST No. ____        Date ____        SRO ____

RADIATION MONITORING SYSTEMS
    Area Monitor 1:       Bkgd ____ mR/hr    Alarm ____ mR/hr
    Area Monitor 2:       Bkgd ____ mR/hr    Alarm ____ mR/hr
    CAM:                  Bkgd ____ CPM      Alarm - Low ____ Hi ____ CPM
    Air Filter Monitor:   Bkgd ____ CPM      Alarm ____
    Water Monitor:        ____ mR/hr

AUXILIARY SYSTEMS
    Water Treatment:  ON / OFF    Demineralizer Flow ____ GPM
    Water Temperature ____ °C    Filter Pressure - In ____ Out ____ psig    Conductivity ____ μmhos/cm
    Pit Cooling:  ON / OFF    Towers in Use ____
    Ventilation:  ON / OFF    ΔP Prefilter ____ Filter ____ in. H2O

REACTOR
    Visual Inspection ____    Control Rods Down ____    Transient Rod Worth $____    Air Pressure ____ psig
    Water Level: Functional Check ____    ____ in.    Add water ____
    Experiments: In-core ____    Out-of-core ____    Lazy Susan ____    King Furnace ____    Static Pressure ____ psig

Calibrations & Interlocks:
    Rod raising interlocks in steady state ____
    Unable to move standard rods in pulse ____
    Unable to fire CTR in steady state when cylinder not in full down position ____
    RWP with source removed from F-21 ____

Scram Checks: RAISE EACH ROD FROM DOWN LIMIT. SCRAM TO CHECK EACH CHANNEL.
    a. Manual             d. NM1000 scram set at ____      g. HV1 (NPP) ____  HV2 (NP) ____
    b. Key Switch         e. NPP1000                       h. FT1 scram set at ____ °C
    c. Console Reset      f. NP1000                        i. FT2 ____ °C
                                                           j. Ext. #1 ____  Ext. #2 ____
    Rod 1 - Transient    Rod 2 - Shim 1    Rod 3 - Shim 2    Rod 4 - Regulating
    ALL ADJUSTABLE SCRAMS, ALARMS AND INTERLOCKS PROPERLY SET ____

Chamber and Instrument Sensitivity:
    Linear ____    Log ____
    Source Adjacent to NM1000 Chamber - Today ____    Source In F-21 ____

Rev. 5/88

General Atomics
TRIGA REACTORS FACILITY

MARK I WEEKLY CHECKLIST

1. REACTOR                                                                  By/Date
    1.1 Power channel detector voltages:  NM-1000 ____ VDC    NP-1000 ____ VDC    NPP-1000 ____ VDC
    1.2 NM-1000 interlocks:  Pulse prohibit (item 42) ____    RWP (item 40) ____
    1.3 Earthquake switch operability ____
    1.4 Rod drop time (< 2 sec.):  Transient ____ sec.    Shim I ____ sec.    Shim II ____ sec.    Regulating ____ sec.
    1.5 All bolts tight on rod drives and bridge assembly ____
    1.6 Verify core map and measure core excess (≤ $5.00):
        Core loading:  Fuel ____    Graphite dummies ____    Locations ____
        Current core photograph in Logbook No. ____  Page ____
        Excess CTR out: $____    Logbook No. ____  Page ____
        Excess CTR in:  $____    Logbook No. ____  Page ____
    1.7 Instrument response with startup source adjacent:  Linear ____ watts    Log Channel ____

2. AUXILIARY SYSTEMS
    2.1 Check and drain water trap in CTR air supply system ____
    2.2 Water sump levels (< 6 in.):  Inside ____ in.    Outside ____ in.    Sump Light ____
    2.3 Bulk water temp:  Console ____ °C    Digitec ____ °C
    2.4 Conductivity of pool water (< 2.5) ____ μmhos/cm
    2.5 Reactor tank water level (> -4 in.) ____ in.    Add ____
    2.6 Makeup water tank level (> 1500 gal.) ____ gal.
    2.7 Ventilation system:  Prefilter ΔP (< 0.9) ____ in. H2O    Filter ΔP (< 4.0) ____ in. H2O
        Filter changes required  YES / NO  on ____

3. RADIATION MONITORING SYSTEMS
    3.1 Check calibration due dates on continuous monitors:
        Area Monitor 1 ____    Area Monitor 2 ____    Water Monitor ____    Air Monitor ____    CAM filter changed on ____
    3.2 Water Monitor Source Test:  Alarm at ____ CPM
    3.3 Air Filter Monitor Source Test:  Alarm at ____ CPM

4. REMARKS

Rev. 11/88        Reviewed by ____

General Atomics
TRIGA REACTORS FACILITY

MARK I MONTHLY CHECKLIST for ____, 19__        Date ____        Logbook No. ____        Operator ____

1. PRESTART CHECKLIST FOR POWER CALIBRATION
    1.1 Reactor tank water level ____    Add water ____
    1.2 Experiments:  In-core ____    Out-of-core ____
    1.3 Water treatment system off ____    Isolated ____
    1.4 Pit cooling system off ____    Isolated ____    Tank stirrer on ____
    1.5 Temperature probe locations:  T1 ____    T2 ____
    1.6 Starting pit temperature (P < 1 kW):  T1 ____    T2 ____ °C

2. POWER CALIBRATION DATA
    2.1 Reactor power ____ kW on channel ____ reached at ____ hrs
    2.2 Instrument readings during calibration (record temperature data in LB):
        Time    NM1000 Log    Linear    NPP    NP    NM    Keithley

3. POWER CALIBRATION RESULTS
    3.1 Calculated Power from Least Squares Fit ____ kW (0.0576 °C/hr/kW)
    3.2 Percent Error in Indicated Power:  % Error = ((P_ind - P_calc)/P_calc) x 100
        NM1000 ____    NPP ____    NP ____    Keithley ____
        DPIC or above must be notified if any channel in error by more than ± 5%.
        Person notified ____  by ____

4. ADJUST DETECTORS:  Yes / No    NM1000: From ____ to ____    NPP: ____    NP: ____
    4.1 Keithley Calibration Factor ____    Posted by ____

5. VISUAL INSPECTION OF TANK    Tank last cleaned on ____    Tank cleaned this inspection  Yes / No

6. NEXT SEMIANNUAL CHECKLIST DUE ____

7. REMARKS

Rev. 11/88        Reviewed by ____

TRIGA Reactors

GENERAL ATOMICS
P.O. Box 85608, San Diego, CA 92138-5608
Phone (619) 455-4255 · Telex 695065 GENATOM SDG · Fax (619) 455-4169