ML20055J482

Safety Evaluation Supporting Amendment 19 to License R-84
Person / Time
Site: Armed Forces Radiobiology Research Institute
Issue date: 07/23/1990
From: Office of Nuclear Reactor Regulation
To:
Shared Package: ML20055J478
References: NUDOCS 9008030032
Download: ML20055J482 (7)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION SUPPORTING AMENDMENT NO. 19 TO FACILITY OPERATING LICENSE NO. R-84 ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE DOCKET NO. 50-170

1.0 INTRODUCTION

AFRRI has determined that due to the progressive obsolescence of their control console, a new reactor instrumentation and control system is needed to maintain reliable operations. On May 11, 1988 AFRRI published their safety analysis of the new reactor instrumentation and control system. In this report AFRRI concluded that the new system has equal or greater safety built in than the existing system and therefore is an allowable change under 10 CFR 50.59.

10 CFR 50.59 permits licensees to make changes in the facility as described in the safety analysis report without prior Commission approval unless the proposed change, test, or experiment involves a change in the technical specifications incorporated in the license or an unreviewed safety question. A proposed change, test, or experiment shall be deemed to involve an unreviewed safety question (1) if the probability of occurrence or the consequences of an accident or malfunction of equipment important to safety previously evaluated in the safety analysis report may be increased; or (2) if a possibility for an accident or malfunction of a different type than any evaluated previously in the safety analysis report may be created; or (3) if the margin of safety as defined in the basis for any technical specification is reduced.

The staff concluded from its review of the AFRRI safety analysis report that since (1) the installation of the new reactor instrumentation and control system did present an unreviewed safety question because of the possibility of an accident or malfunction of a different type than any evaluated previously and (2) additional technical specifications were required, NRC review and approval were required of the replacement computerized control system.

Pursuant to 10 CFR 50.90, the licensee submitted by letter dated April 30, 1990, as supplemented on June 19, 1990 and July 13, 1990, a request to amend Appendix A of Facility Operating License No. R-84, "Technical Specifications for the AFRRI Reactor Facility." The licensee submittal of June 19, 1990 resubmitted the May 11, 1988 safety analyses. The requested amendment would allow installation of the microprocessor based instrument and control system and add the watchdog (DAC to CSC) scram to Table 2 of the Technical Specifications, "Minimum Reactor Safety System Scrams."

The licensee has temporarily installed, in parallel to their existing control console, the new digital microprocessor based instrumentation and control system provided by General Atomics. The transfer of control from the old to the new system (including scram) is via a series of gradual steps accompanied by tests which are expected by AFRRI to demonstrate the reliability of the new equipment while maintaining the proven performance of the existing control system. Upon completion of all testing (described later in this SER), the new console will be used to control (except for the hardwired trip functions) both the safety and nonsafety aspects of operation of the TRIGA reactor and the old analog console will be disconnected. The new console will replace the old analog console in the control room. Included in this change is the installation of three new stepping-motor control rod drives.

The primary functions of the new system will remain the same as the old system: to monitor critical parameters and provide a scram signal when needed, to provide information to the operator, and to provide control for the pulse and steady-state modes of operation.

2.0 HARDWARE AND SYSTEMS ASSESSMENT

This portion of the review focused on the areas of potential vulnerability or susceptibility of the new control console which might compromise its ability to present accurate information to the operator and to provide scram signals when required. No assessment was made of the reliability of the nonsafety-related operation controls. Issues investigated include single failure, environmental qualification, seismic qualification, surge withstand capability (SWC), electromagnetic interference (EMI), failure modes and effects, reliability, error detection, and independence.

The primary review criteria for instrument and control systems for research reactors are presented in ANSI/ANS 15.15 (1978) "Criteria for the Reactor Safety Systems of Research Reactors." The staff performed this evaluation also using criteria which apply to current vintage nuclear power plants. However, due to the inherent reactivity insertion safety feature of the TRIGA reactor design and minimal decay-heat generation that cannot cause fuel damage, the staff has concluded that these power plant criteria may serve as guidelines and that strict adherence to the power plant criteria is generally not warranted. The exceptions are noted in the appropriate sections below.

During the review and audit, the licensee described the new system including licensing, engineering, testing and training aspects. The vendor also participated and provided additional information. The staff also had benefit of material from the U.S. Air Force, the University of Texas at Austin and the console owners group. The licensee also had an independent safety review performed by ORI, Inc. which concluded that the system was acceptable. This is the first system of this type provided by General Atomics which the staff has reviewed; therefore, there is no direct comparison that can be made to a previously licensed configuration.

At AFRRI, the Safety System Scram Circuit consists of two analog nuclear power monitor channels (NP-1000, NPP-1000) and two fuel temperature channels which are hardwired. Also wired into the scram circuit are contacts for manual scram, pulse timer, low water level, key switch and watchdog timers. The NM-1000 microprocessor based nuclear power channel monitors reactor power, but is not wired to the scram circuit at AFRRI.

2.1 Environmental and Seismic Qualification

The new control system will be installed in the control room and the reactor hall. The staff considers the reactor hall (excluding within the pool itself) to be a mild environment when compared to power plant requirements and therefore the entire system can be considered to be in a mild environment. The system has been constructed in standard commercial enclosures suitable for a mild environment. The testing that has been done to date has not revealed any problems related to temperature or humidity. The new system should not be unduly susceptible to temperature or humidity problems and is therefore acceptable to the staff.

Though there have been no requirements promulgated for seismic qualification testing of research reactor control equipment, the staff reviewed the equipment to determine general ruggedness. The equipment appears to be mounted in a good commercial quality fashion which should prevent any significant movement of components within the console and racks. In this TRIGA reactor, an inadvertent scram does not present a challenge to reactor safety systems because a scram consists of the removal of current to the control rod magnets, allowing the control rods to drop into the core by gravity. No other equipment is required to maintain the reactor in a safe shutdown condition. The primary concern remaining would be relay contact chatter which could prevent a scram when required. The safety system scram circuits for this system are designed to scram on failure (which includes contact chatter) and therefore the staff concludes that any further testing is not warranted and the system is acceptable.

2.2 Electromagnetic Interference (EMI)

The staff reviewed the susceptibility of the new equipment to EMI due to the potential for common mode interference which could disable more than one system at a time. As discussed earlier, due to the design characteristics of the TRIGA reactor, an inadvertent scram does not present a similar challenge to safety systems that it would on a power reactor, though it might cause operational difficulties such as disrupting an experiment.

At AFRRI, optical isolators are used which will prevent conducted EMI from being transmitted between the control and safety channels. The neutron flux signal cabling is shielded to reduce the impact of radiated EMI. Previous experience with similar equipment provided by several different vendors at other facilities has indicated that if EMI causes any perturbance in the system it will most likely cause a scram, which is acceptable to the staff for a TRIGA reactor. Based on the above, the staff concludes that EMI should not prevent a scram when required and the design is therefore acceptable.

2.3 Power Supplies

The power supplies for the system are buffered to reduce the possible impact of minor power line fluctuations. The scram circuits for the new system are designed to scram when power is lost to them. The NP-1000 and NPP-1000 are analog devices and will respond to power fluctuations similar to the existing analog equipment. The digital NM-1000 nuclear power channel uses a battery backed-up random access memory (RAM) to store constant data during loss of power. In addition to self-diagnostics, the NM-1000 has a watchdog timer circuit which puts the NM-1000 in a tripped condition and scrams the reactor if power fluctuations prevent proper software operation. As described in the NM-1000 Software Functional Specification and Software Verification Program (March 1989), the NM-1000 is also tested to verify that the system returns to proper operation following restoration of power. The staff finds this acceptable.

2.4 Failure Modes and Effects

The May 11, 1988 safety analysis for AFRRI included an April 22, 1988 Scram Circuit Safety Analysis performed by the University of Texas at Austin. This study identified the various ways in which the reactor safety system could fail. These include:

1. Physical System Failure (wire breaks, shorts, ground fault circuits)
2. Limiting Safety System Setting Failure (failure to detect)
3. System Operable Failure (loss of monitoring)
4. Computer / Manual Control Failure (automatic and manual scram)

This study was based on a fault tree approach which predicted failure to scram for various failure modes. The study concluded that a failure of all safety systems and therefore failure to scram was extremely unlikely. Failures attributable to the unique failure modes of the software of the NM-1000 were adequately considered and, in addition, at AFRRI the NM-1000 is not directly wired into the scram circuit. The staff concludes that the failure modes and effects of the new system were adequately considered and the design is therefore acceptable.

2.5 Independence, Redundancy and Diversity

The staff reviewed the data link between the safety channels and the nonsafety systems. The safety channels provide direct hardwired scram inputs and are also hardwired directly to independent indicators on the control console. In addition, the safety channels provide inputs to the Non-Class 1E Data Acquisition Computer (DAC) through optical isolators. The optical isolators used have not been tested for maximum credible faults, which the staff requires for power plant use, but have been tested by the manufacturer to standard commercial criteria. The DAC is then connected via redundant high speed serial data trunks to the Non-Class 1E Control System Computer (CSC) which interfaces with the operator by controls, a keyboard and CRT displays. Since the CSC does communicate with the safety channels, this aspect of the system would not meet the independence requirements of a power plant. However, the staff has concluded that the level of independence which has been maintained is appropriate for the AFRRI TRIGA reactor and is acceptable.

For the AFRRI facility, redundant fuel temperature (Temp 1, Temp 2) inputs are provided to the scram circuit. Redundant power level inputs (NP-1000, NPP-1000) to the scram circuit are also provided. The staff finds this redundancy acceptable. Several additional scram signals are provided at the control console (manual scram, system watchdog timers). At AFRRI, the NM-1000 is not wired to the scram circuit but does provide inputs to the rod withdrawal prevent interlock system. The system as installed at AFRRI meets most of the requirements of IEEE-279-1971 "Criteria for Protection Systems for Nuclear Power Generating Stations" and IEEE 379-1977 "Application of the Single-Failure Criteria to Nuclear Power Generating Station Class 1E Systems," and is therefore acceptable to the staff.

The operators are provided with information from both the analog NP monitors and the digital NM monitor. The information is displayed on both direct-wired bar graphs and on a graphic CRT. The scram is provided with automatic and manual contacts and, with the exception of the computer watchdog scram contacts, is similar to the old system. The staff considers this system sufficiently diverse and therefore it is acceptable.

2.6 Testing

Extensive testing of the new system has been done by both the vendor and the licensee. A significant number of design changes took place during the testing that AFRRI performed during the phase-in of the new system. General Atomics has also reported no significant safety problems with their installation. The staff has reviewed the problems discovered during testing of the system and has concluded that the resolutions appear appropriate. The staff also agrees with the assessment by the licensee that long-term operability and safety is enhanced due to installation of equipment which has spare parts available and is capable of being properly maintained. An additional improvement is the self-diagnostics feature which allows continuous on-line testing and reduces the possibility of undetected failures.

3.0 Software Assessment

3.1 Criteria

The staff requires an approved verification and validation (V&V) plan for software which performs a safety function or provides information to the operator. At AFRRI, the NM-1000 provides inputs to the rod withdrawal prevent interlock system block function. The NM-1000 software development was reviewed by the staff to determine the acceptability of the V&V plan. The staff compared the General Atomics V&V plan to Regulatory Guide 1.152 "Criteria for Programmable Digital Computer Software in Safety-Related Systems at Nuclear Power Plants" which endorses ANSI/IEEE 7-4.3.2-1982 "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations." The staff has concluded that this standard is appropriate for use in reviewing research reactor software.

3.2 Verification and Validation Plan

The staff reviewed the verification and validation documentation provided by General Atomics. The staff also reviewed the additional validation which was performed by the AFRRI staff. Since the safety scram circuits at AFRRI are hardwired and do not require software to function, the emphasis of the review was to ensure that potential software problems could not prevent a scram if required.

The hardwired scram circuit is wired so that a scram will occur even if the control software is requesting rod withdrawal. An additional important feature is included to prevent software errors from interfering with safety functions. The Control System Computer (CSC) and Data Acquisition Computer (DAC) include watchdog timers which must be reset every 10 seconds by the software or they will trip and provide a scram signal to the rod magnet power. The watchdog timers provide a continuous check of proper software operation. The staff finds them acceptable. Though the software was not shown to be in full compliance with Reg. Guide 1.152, the software will not impede the safety systems and is therefore acceptable.
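The two properties the staff relies on in sections 2.1 and 3.2 (a scram loop of energized contacts that drops the rod magnets on any failure, and CSC/DAC watchdog contacts that open when software fails to reset them within 10 seconds) can be made concrete with a small model. The following is an added illustration written for this page, not General Atomics or AFRRI code. Channel names and the 10 second watchdog interval are taken from this SER; the 1 s simulation tick, the latching of the watchdog and of the dropped rods, the `run` event hook and the scenario functions are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

WATCHDOG_TIMEOUT_S = 10.0  # SER section 3.2: software must reset the timer every 10 s
TICK_S = 1.0               # assumed simulation step

# Hardwired contacts in the AFRRI scram circuit as listed in the SER. Each is an
# energized, normally-closed contact in series: True means closed (no trip demand).
HARDWIRED_CONTACTS = ("NP-1000", "NPP-1000", "Temp1", "Temp2", "manual scram",
                      "pulse timer", "low water level", "key switch")


@dataclass
class Watchdog:
    """Timer the computer's software must kick; its scram contact opens on expiry."""
    name: str
    elapsed: float = 0.0
    tripped: bool = False  # assumed to latch until an explicit operator reset

    def kick(self) -> None:
        self.elapsed = 0.0

    def tick(self, dt: float) -> None:
        self.elapsed += dt
        if self.elapsed >= WATCHDOG_TIMEOUT_S:
            self.tripped = True

    @property
    def contact_closed(self) -> bool:
        return not self.tripped


@dataclass
class ScramLoop:
    power_ok: bool = True
    contacts: Dict[str, bool] = field(
        default_factory=lambda: {c: True for c in HARDWIRED_CONTACTS})
    watchdogs: Dict[str, Watchdog] = field(
        default_factory=lambda: {n: Watchdog(n) for n in ("CSC", "DAC")})
    rods_held: bool = True                 # magnets energized, rods raised
    rod_withdraw_requested: bool = False   # software command; no path to the magnets

    def magnet_current(self) -> bool:
        """Current reaches the rod magnets only while power is present AND every
        contact is closed. Loss of power, an open contact, chatter or a watchdog
        expiry breaks the series loop; nothing in software can add current back."""
        return (self.power_ok
                and all(self.contacts.values())
                and all(w.contact_closed for w in self.watchdogs.values()))

    def step(self, dt: float = TICK_S) -> bool:
        """Advance one tick and return whether the rods are still held. Once the
        magnets de-energize the rods drop by gravity and stay down; the flag
        rod_withdraw_requested is deliberately never consulted here."""
        for w in self.watchdogs.values():
            w.tick(dt)
        if not self.magnet_current():
            self.rods_held = False
        return self.rods_held


def run(loop: ScramLoop, seconds: float, software_alive_until: float = float("inf"),
        events: Optional[Dict[float, Callable[[ScramLoop], None]]] = None) -> Optional[float]:
    """Drive the loop for `seconds`; return the time of the scram, or None.
    Healthy software kicks both watchdogs every tick until software_alive_until.
    `events` maps a time to a callable that perturbs the loop (assumed test hook)."""
    events = events or {}
    t = 0.0
    while t < seconds:
        if t in events:
            events[t](loop)
        if t <= software_alive_until:
            for w in loop.watchdogs.values():
                w.kick()
        t += TICK_S
        if not loop.step(TICK_S):
            return t
    return None


def scenario_healthy() -> Optional[float]:
    """Software keeps kicking and nothing opens: no scram in 60 s."""
    return run(ScramLoop(), 60)


def scenario_hung_software() -> Optional[float]:
    """Control software stops kicking at t=20 s; the watchdog contacts open 10 s later."""
    return run(ScramLoop(), 60, software_alive_until=20.0)


def scenario_power_loss() -> Optional[float]:
    """Loss of power to the scram circuit at t=3 s scrams on the next tick."""
    return run(ScramLoop(), 60, events={3.0: lambda l: setattr(l, "power_ok", False)})


def scenario_contact_chatter() -> Tuple[Optional[float], bool]:
    """A single transient open of NPP-1000 at t=5 s scrams; closing the contact again
    while software requests withdrawal does not re-energize the magnets."""
    loop = ScramLoop()
    t_scram = run(loop, 60, events={5.0: lambda l: l.contacts.__setitem__("NPP-1000", False)})
    loop.contacts["NPP-1000"] = True
    loop.rod_withdraw_requested = True
    loop.step()
    return t_scram, loop.rods_held


if __name__ == "__main__":
    for fn in (scenario_healthy, scenario_hung_software, scenario_power_loss,
               scenario_contact_chatter):
        print(f"{fn.__name__}: {fn()}")
```

The point of the model is the shape of `magnet_current`: it is a pure conjunction with no term that software can set to true, so a hung CSC, a dropped power supply or a chattering relay can only remove current, never restore it. That is the "scram on failure" argument the staff makes for skipping further seismic and EMI testing, and it is why the review of the software could be limited to showing it cannot impede the hardwired circuit.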

4.0 Technical Specifications

The scram circuit at AFRRI will include watchdog timer contacts which will provide a scram upon software failure. The staff has concluded that the presentation of correct, timely information to the reactor operator contributes to the safe operation of the reactor. Therefore, the watchdog scram inputs are added to Table 2, Minimum Reactor Safety System Scrams, of the technical specifications. The operability of the watchdog scram will be verified by Technical Specification 4.2.2, which requires a channel test weekly. The basis of Table 2 is also amended to add the watchdog scrams, and "safety chambers" is changed to "safety channels" to more accurately describe the high voltage loss scram.

5.0 ENVIRONMENTAL CONSIDERATION

This amendment involves changes in the installation or use of facility components located within the restricted area as defined in 10 CFR Part 20. The staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and there is no significant increase in individual or cumulative occupational radiation exposure. Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The staff concludes that the hardware design of the new General Atomics console is acceptable for use in the AFRRI TRIGA reactor. The software design in the CSC, DAC and NM-1000 will not prevent the safety functions of the hardwired scram circuit from performing and is therefore acceptable. The technical specifications are amended to include the watchdog scram inputs and surveillance requirements.

The staff has also concluded, based on the considerations discussed above, that:

(1) because the amendment does not involve a significant increase in the probability or consequences of accidents previously evaluated, or create the possibility of a new or different kind of accident from any accident previously evaluated, and does not involve a significant reduction in a margin of safety, the amendment does not involve a significant hazards consideration, (2) there is reasonable assurance that the health and safety of the public will not be endangered by the proposed activities, and (3) such activities will be conducted in compliance with the Commission's regulations and the issuance of this amendment will not be inimical to the common defense and security or the health and safety of the public.

Principal Contributor: James C. Stewart

Dated: July 23, 1990