ML20076D840

Responds to NRC Request for Addl Info Re 910419 Application for Amend to License R-2.Rationale for Watchdog Circuit Not Being Tech Specs Encl.Rept Withheld
ML20076D840
Person / Time
Site: Pennsylvania State University
Issue date: 07/08/1991
From: Hosler C
PENNSYLVANIA STATE UNIV., UNIVERSITY PARK, PA
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
Shared Package
ML19302E849 List:
References
NUDOCS 9107300274


Text

PENNSTATE

July 8, 1991

Nuclear Regulatory Commission
Document Control Desk
Washington, D.C. 20555

Re: Revision to the License, Technical Specifications, and Safety Analysis Report for the Penn State Breazeale Reactor, License No. R-2, Docket No. 50f5

Dear Sir or Madame:

The attached material is submitted in response to oral questions by the NRC concerning our original amendment request dated April 19, 1991. Included are: training plan, rationale for the watchdog circuit not being a Technical Specification, information on AECL's Quality Assurance Program, and proposed replacement pages to incorporate a watchdog scram in the Technical Specifications, if required.

An exemption of fees for this licensing action is requested under the provisions of 10 CFR Part 170.11(a)(4).

If you have questions on this matter, please refer them directly to the principal author of the attachments, Daniel E. Hughes, or the director, Marcus H. Voth at (814) 865-6351.

Sincerely,

Charles L. Hosler
Senior Vice President for Research and Dean of Graduate School

CLH:MHV/skt

Attachments

cc: Region I Administrator

Subscribed to and sworn before me on this [illegible] day of [illegible], 1991, Notary Public in and for Centre County, Pennsylvania.

NOTARIAL SEAL
BONN!( K. ['CHELBEPcER, Notary Public
$We Cchp Baro, Centre Co., Pa.
My Commission Expires July 30, 1991

Rationale for the Watchdog Circuit not being a Technical Specification

7/2/91

A non-power reactor facility such as the Penn State Breazeale Reactor (PSBR) is charged with the mission (1) to operate the reactor such that the health and safety of the public is not jeopardized and (2) to provide facilities for nuclear research, training and testing. To have Technical Specifications (TS) above and beyond those necessary to assure the first mission reduces the capability of the facility to fulfill its second mission. Unnecessary TS can reduce the flexibility and versatility of a facility and impact its limited resources adversely. Any unnecessary use of resources prevents those resources from being used in more productive ways.

One of the design criteria of the new console (NC) for the PSBR was that all of the current TS must be met using hardwired analog technology and that the failure of the computer must not disable the reactor safety system (RSS). That criterion was met.

The fact that the computer can fail in many modes is inconsequential as long as any credible failure does not disable the RSS. To require a component to detect its own failure, when there is a redundant and diverse component that still protects the health and safety of the public, is not necessary and should not be a TS requirement.

All safety channels and interlocks required by the TS are implemented by the hardwired analog RSS. The protection, control and monitoring system (PCMS) duplicates and validates those required safety channels and interlocks. There are additional scrams and interlocks in the PCMS that are not required by the TS.

The NC's RSS is a complete functional duplication of the old console (OC) RSS. The PCMS communicates with the RSS through digital outputs (DO) (on/off) to configure the RSS appropriately for each mode. The same function is performed by the mode selector switch on the OC. A failure of the mode selector switch on the OC does not completely disable the RSS; the Limiting Safety System (LSS) is functional at all times and is independent of the mode. Likewise, the PCMS failure does not disable the NC's RSS. In fact, the design of the PCMS and the RSS make it more reliable and safe than the OC because it does self-checks of its software and hardware and a hardwired status light is displayed if the high power scrams are bypassed. In addition, the NC utilizes two SCRAM buses with the power range high power SCRAM relay in one bus and the wide range high power SCRAM relay in the other; it takes two DOs from the PCMS to energize relays to bypass both high power scrams.

On the OC, the mode selector switch cannot detect its own failure and initiate a SCRAM automatically; obviously this is not required by the TS. On the NC, a watchdog SCRAM (which detects some failures of the PCMS) should not be required by the TS. The fact that it is possible to detect failures of the PCMS is not sufficient reason to make it a TS requirement.

One suggestion is that a watchdog circuit SCRAM should be required by the TS because it assures that the data displayed on the CRT to the operator is near real time and correct. This basis has not been the precedent with other digital control systems such as General Atomic's (GA) or Armed Forces Radiobiological Research Institute's (AFRRI) or in parameter display systems such as that of GA or the University of Michigan.

Operators are trained to observe all the data that is displayed, compare that data, assess the validity and act to maintain the reactor in a safe condition. The analog displays of the new console are within comfortable view of the operator and all channels are displayed. There are no embedded processors between the analog displays and the detectors. Redundancy and diversity ensure that no single failure will compromise all the data to the RSS, PCMS or the operator. The new console has further redundancy. The PCMS CRT displays the same data as the analog displays. If the CRT fails, the backups are the analog displays; if the analog displays fail, the backups are other analog displays and/or the CRT displays.

There are several modes of failure that will lead to bad data as an input to the analog displays, the CRT displays, the auto controller, or the SCRAM comparators. One mode of such a failure is a failure of a safety channel anywhere from the detector to the input to the SCRAM comparator, analog displays or the PCMS. The power channels can fail if the high voltage bias supplies fail. Both the OC and the NC have scrams that initiate on loss or degradation of the high voltage bias supplies. A loss of sensitivity of the detector is a failure that neither the OC nor the NC can directly detect. Any single channel may fail abruptly, or worse, slowly drift out of calibration. If the linear channel is the one that fails or loses sensitivity and the system is in auto mode, the controller may maintain power based on the linear channel while actual power is driven higher. If this particular failure occurs, the data displayed to the operator, data input to the auto control system, or the data to a SCRAM comparator may not be correct. Failure of one safety channel is tolerable in the SAR of the OC or the NC because:
1. The operator is trained to view and compare redundant and diverse channel displays and make decisions as to the validity of the data before acting.
2. If an operator initiates an action based on bad data, the redundant and diverse safety channels will act to shutdown the reactor if the power or temperature exceed the setpoints.
3. Redundancy and diversity designed into the RSS assures that the RSS will perform its function adequately.
4. If the auto controller has bad data as an input, the redundant and diverse safety channels will SCRAM the reactor if the power or temperature exceed the setpoints.

Watchdog circuits, as now implemented, do not check the validity of the signal that is the input to the system, yet a spread validation between power channels or thermocouple (TC) channels is not required by the TS. The PCMS does perform a power channel spread validation and will initiate a stepback if a failure of that validation is detected. Although it is part of the PCMS, it is not and should not be part of the TS because the RSS is designed to protect the reactor in such a failure.

Another mode of failure that will cause bad data to be displayed on the CRT is one that causes the CRT to freeze on an unchanging screen. If the freeze is due to a failure that is not detectable by self-checks or prevents resetting of the watchdog circuit, the reactor will not SCRAM. If there is no watchdog SCRAM, then the computer is operating properly except for the CRT. Therefore, all the RSS safety features continue to be functional; the auto controller of the PCMS, if engaged, remains functional; and the analog displays will continue to display good data. If all of those features are functional, the reactor continues to operate safely. This mode of failure that causes bad data to be displayed to the operator is more safe than the other mode of failure discussed above. If the screen is frozen in this failure mode, the operator will notice that:

1. The clock does not update.
2. The normal random noise is not present on the data displays.
3. Data does not change if there is an attempt to move control rods, access other screens, or any other function that may be part of normal operation.

A properly trained operator will be comparing data between the CRT display and the analog display continuously; especially if a change is anticipated or attempted. There is no operation that an operator can initiate, based on bad data displayed on the CRT, that will prevent the RSS from maintaining the reactor in a safe condition. Watchdog circuits as they are presently implemented, will not detect either of the above two modes of failure that may lead to a frozen CRT or bad data on the CRT.

Bad data displayed on the CRT is not desirable, but it is not an unsafe condition unless accompanied by an incredible, simultaneous and complete failure of the RSS.

Even in that case, the TRIGA fuel system provides added safeguards that are not present in other types of reactors. By the definition of a safety-related system in Regulatory Guide 1.152 (Criteria for Programmable Digital System Software in Safety-Related Systems of Nuclear Power Plants, U. S. Nuclear Regulatory Commission, Nov 1985) the CRT display is not a safety-related system; a safety-related system being defined as one that is required to remain functional during a design basis event in order to protect the health and safety of the public.

Based on the above analysis, we do not believe that making the watchdog circuit SCRAM a safety channel required by the TS is warranted. The watchdog SCRAM is part of the SAR as described in Chapter 7. If there is a change in the watchdog SCRAM, it will have to be reviewed to determine if there is an unreviewed safety question under the 10 CFR 50.59 criteria. If there is an unreviewed safety question, the amendment process would be required for the change. If not, the NRC would be informed by the usual methods of the 10 CFR 50.59 change. The present watchdog circuit increases the reliability of the system by being an on-line diagnostic tool. We do not believe that any computer system associated with the reactor should be without a watchdog circuit. However, since the RSS remains functional and meets the single failure criteria, a TS requirement that the PCMS should detect its own failure and SCRAM the reactor is not necessary. With the OC, the individual channels do not detect their own failure and do not SCRAM the reactor if a failure is detected; to place such TS requirements on the NC is not appropriate.

Review of amendments issued by the NRC to GA and AFRRI for digital console upgrades and the implementation of parameter display systems by GA and the University of Michigan presents a very confusing history of watchdog circuits. The amendments for the digital console upgrades state bases that are different in both cases. In the case of GA, amendment No. 29 indicates that a watchdog safety channel is "... applicable when computers are utilized to perform reactor control functions". The AFRRI amendment No. 19, for a very similar system, requires a watchdog safety channel to "... insure adequate communication between the Data Acquisition Computer (DAC) and the Control System Computer (CSC) units". The GA console utilizes the very same communications link between the DAC and the CSC as the AFRRI system. The AFRRI console utilizes the computer for control. If either basis is appropriate they should both be part of each TS change. In addition, neither TS change states that integrity of the CRT data display is a basis for the watchdog safety channel requirement, defines minimum design specifications for the watchdog circuit, indicates the frequency or the extent of the surveillance, or indicates the length of the time interval that is appropriate for the watchdog circuit.

The parameter display systems (GA and University of Michigan) were approved for implementation by local review under 10 CFR 50.59. The data of these systems is displayed to the reactor operator, but there has been no TS change requiring a watchdog safety channel. Likewise, many control rooms have parameter displays ranging from strip chart recorders to digital system CRT displays that have no TS requirements for watchdog circuits. In summary, there is no clear precedent for a minimum watchdog circuit, a basis for a watchdog circuit, surveillance requirements for a watchdog circuit, or minimum design specifications for a watchdog circuit. A TS requirement for the Penn State PCMS watchdog SCRAM would set an adverse precedent for parameter display systems at all non-power reactor facilities.

We do not agree that the PCMS watchdog circuit should be part of the TS as defined in 10 CFR Part 50.36. However, if the commission finds that a TS must be imposed, we propose a change as indicated by the enclosed replacement pages. The basis will be that a watchdog circuit will reduce the time that a reactor stays at power when the PCMS computer has a fatal failure in any of the software or hardware self-checks. The surveillance required will be that the watchdog circuit will SCRAM the reactor when any single self-check fails. Since it is not possible to cause each of the self-checks to fail independently, it is not possible to test each self-check. A minimum design specification for a watchdog circuit will not be proposed.

reactive rod is in its most reactive position, and that the reactor will remain subcritical without further operator action.

1.1.42 SQUARE WAVE OPERATION
Square wave (SW) operation shall mean operation of the reactor with the mode selector switch in the square wave position which allows the operator to insert preselected reactivity by the ejection of the transient rod, and which results in a maximum power of 1 MW or less.

1.1.43 TRIGA FUEL ELEMENT
A TRIGA fuel element is a single TRIGA fuel rod of standard type, either 8.5 wt% U-ZrH in stainless steel cladding or 12 wt% U-ZrH in stainless steel cladding enriched to less than 20% uranium-235.

1.1.44 WATCHDOG CIRCUIT
A watchdog circuit is a circuit consisting of a timer and a relay. The timer energizes the relay as long as it is reset prior to the expiration of the timing interval. If it is not reset within the timing interval, the relay will de-energize thereby causing a SCRAM.
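The timer-and-relay behaviour defined in 1.1.44, and the rationale's point that such a circuit does not notice a frozen CRT while the computer keeps resetting it, can be reproduced in a short simulation. This is an added example, not code from the PSBR console or from AECL; the 500 ms timing interval, the 100 ms loop period, the latching relay and the fault names are assumptions chosen for illustration.

```python
"""Simulation of a timer-plus-relay watchdog (added illustration, not PSBR/AECL code).

Assumed values: 500 ms timing interval, 100 ms control-loop period, and a relay
that stays de-energized once tripped. The page specifies none of these.
"""
from dataclasses import dataclass


@dataclass
class WatchdogCircuit:
    interval_ms: int              # timing interval (assumed; not given on the page)
    last_reset_ms: int = 0
    relay_energized: bool = True  # energized relay = no SCRAM demanded

    def poll(self, now_ms: int) -> bool:
        """De-energize the relay if the timer expired; return the relay state."""
        if now_ms - self.last_reset_ms > self.interval_ms:
            self.relay_energized = False
        return self.relay_energized

    def reset(self, now_ms: int) -> None:
        """Restart the timer. A late reset cannot re-energize a tripped relay."""
        if self.poll(now_ms):
            self.last_reset_ms = now_ms


# Hypothetical fault labels used only by this example.
FAULTS = ("none", "cpu_hang", "self_check_fail", "crt_freeze")


def simulate(fault: str, fault_at_ms: int = 2000, duration_ms: int = 5000,
             tick_ms: int = 100, interval_ms: int = 500) -> dict:
    """Run the modelled computer loop and report what the watchdog did."""
    if fault not in FAULTS:
        raise ValueError(f"unknown fault: {fault}")
    wd = WatchdogCircuit(interval_ms)
    display_updated_ms = 0
    for now in range(tick_ms, duration_ms + 1, tick_ms):
        faulted = fault != "none" and now >= fault_at_ms
        loop_running = not (faulted and fault == "cpu_hang")
        if loop_running:
            # The display task and the watchdog reset are separate jobs.
            if not (faulted and fault == "crt_freeze"):
                display_updated_ms = now
            # The software resets the timer only while its self-checks pass.
            if not (faulted and fault == "self_check_fail"):
                wd.reset(now)
        if not wd.poll(now):
            return {"scram_at_ms": now,
                    "display_age_ms": now - display_updated_ms}
    return {"scram_at_ms": None,
            "display_age_ms": duration_ms - display_updated_ms}


if __name__ == "__main__":
    for name in FAULTS:
        print(f"{name:16s} {simulate(name)}")
```

In the `crt_freeze` case the relay never drops although the modelled display is 3.1 s stale, which is the condition the rationale leaves to the operator and the analog displays rather than to the watchdog.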

2.0 SAFETY LIMIT AND LIMITING SAFETY SYSTEM SETTING

2.1 SAFETY LIMIT-FUEL ELEMENT TEMPERATURE

Applicability
The safety limit specification applies to the maximum temperature in the reactor fuel.

Objective
The objective is to define the maximum fuel element temperature that can be permitted with confidence that no damage to the fuel element and/or cladding will result.

Specifications
The temperature in a water-cooled TRIGA fuel element shall not exceed 1150°C under any operating condition.

Basis
The important parameter for a TRIGA reactor is the fuel element temperature. This parameter is well suited as a single specification especially since it can be measured at a point within the fuel element. The measured fuel temperature is directly related to the maximum fuel temperature of the region. A loss in the integrity of the fuel element cladding could arise from a build up of excessive pressure between the fuel moderator and the cladding if the maximum fuel temperature exceeds 1150°C. The pressure is caused by the presence of air, fission product gases, and hydrogen from the dissociation of the hydrogen and zirconium in the fuel-moderator. The magnitude of this pressure is determined by the fuel moderator temperature, the ratio of hydrogen to zirconium in the alloy, and the rate change in the pressure.

Amendment No.

The safety limit for the standard TRIGA fuel is based on data, including the large mass of experimental evidence obtained during high performance reactor tests on this fuel. These data indicate that the stress in the cladding due to the increase in the hydrogen pressure from the dissociation of zirconium hydride will remain below the ultimate stress provided that the temperature of the fuel does not exceed 1150°C (2102°F) and the fuel cladding is water cooled. See Safety Analysis Report, Ref. 13 in section IX and Simnad, M.T., F.C. Foushee, and G.B. West, "Fuel Elements for Pulsed Reactors," Nucl. Technology, Vol. 28, p. 31-56 (January 1976).

2.2 LIMITING SAFETY SYSTEM SETTING (LSSS)

Applicability
The LSSS specification applies to the scram setting which prevents the safety limit from being reached.

Objective
The objective is to prevent the safety limit (1150°C) from being reached.

Specifications
The limiting safety system setting shall be a maximum of 700°C as measured with a 12 wt% U-ZrH instrumented fuel element. The instrumented fuel element shall be located in the B-ring and adjacent to an empty fuel position when an empty fuel position exists in the B-ring.

Basis
The limiting safety system setting is a temperature which, if reached, shall cause a reactor scram to be initiated preventing the safety limit from being exceeded. Experiments and analyses described in the Safety Analysis Report, Section IX - Safety Evaluation, show that the measured fuel temperature at steady state power has a simple linear relationship to the normalized power or power of the highest powered fuel element in the core. Maximum fuel temperature occurs when a new 12 wt% U-ZrH fuel element is placed in the B-ring of the core. The measured fuel temperature during steady state operation is close to the maximum fuel temperature. Thus, 450°C of safety margin exists before the 1150°C safety limit is reached. This safety margin provides adequate compensation for using a depleted instrumented 12 wt% U-ZrH fuel element instead of an unirradiated one to measure the fuel temperature. See Safety Analysis Report, Section IX.

In the pulse mode of operation, the same limiting safety system setting shall apply. However, the temperature channel will have no effect on limiting the peak power generated, because of its relatively long time constant (seconds), compared with the width of the pulse (milliseconds). In this mode, however, the temperature trip will act

thermocouple. Hence, when either the linear, percent power, or temperature scram occurs, the maximum fuel temperature will be far below the 1150°C safety limit.

2.3 REACTOR CONTROL SYSTEM

Applicability
This specification applies to the information which must be available to the reactor operator during reactor operation.

Objective
The objective is to require that sufficient information is available to the operator to assure safe operation of the reactor.

Specification
The reactor shall not be operated unless the measuring channels listed in Table 1 are operable. (Note that MN, AU and SW are abbreviations for manual, automatic and square wave, respectively.)

Table 1
Measuring Channels

Measuring Channel | Min. No. Operable | Effective Mode (MN, AU / Pulse / SW)
Fuel Element Temperature | 1 | X X X
Linear Power | 1 | X X
Percent Power | 1 | X X
Pulse Peak Power | 1 | X
Count Rate | 1 | X
Log Power | 1 | X X
Reactor Period | 1 | X

Basis
Fuel temperature displayed at the control console gives continuous information on this parameter which has a specified safety limit. The power level monitors assure that the reactor power level is adequately monitored for the manual, automatic, square wave and pulsing modes of operation. The specifications on reactor power level and reactor period indications are included in this section to provide assurance that the reactor is operated at all times within the limits allowed by these Technical Specifications.

3.2.4 REACTOR SAFETY SYSTEM AND INTERLOCKS

Applicability
This specification applies to the reactor safety system channels, the interlocks, and the watchdog circuit.

Objective
The objective is to specify the minimum number of reactor safety system channels and interlocks that must be operable for safe operation.

Specification
The reactor shall not be operated unless all of the channels and interlocks described in Table 2a and Table 2b are operable.

Table 2a
Minimum PSBR Channels

Channel | Number Operable | Function | Effective Mode (MN, AU / Pulse / SW)
Fuel Temperature | 1 | SCRAM ≤ 700°C | X X X
High Power | 2 | SCRAM ≤ 110% of 1 | X X
Detector Power Supply | 1 | SCRAM on failure of supply voltage | X X
Scram Bar on Console | 1 | Manual Scram | X X X
Preset Timer | 1 | Transient rod scram 15 seconds or less after pulse | X
Watchdog Circuit | 1 | SCRAM on software or self-check failure | X X X

Table 2b
Minimum PSBR Interlocks

Interlocks | Number Operable | Function | Effective Mode (MN, AU / Pulse / SW)
Source Level | 1 | Prevent rod withdrawal with less than two neutron induced counts per second on the startup channel | X
Log Power | 1 | Prevent pulsing from levels above 1 kW | X
Transient Rod | 1 | Prevent applications of air unless cylinder is fully inserted | X
Shim, Safety, and Regulating Rod | 1 | Movement of any rod except transient rod | X
Simultaneous Rod Withdrawal | 1 | Prevents simultaneous manual withdrawal of two rods | X X

Basis
A temperature scram and two power level scrams provide automatic protection to assure that the reactor is shut down before the safety limit on the fuel element temperature will be exceeded. The manual scram allows the operator to shut down the system in any mode of operation if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety chambers, operation of the reactor without adequate instrumentation is prevented. The preset timer insures that the transient rod will be inserted and the reactor will remain at low power after pulsing. The watchdog circuit will scram the reactor if the software or the self-checks fail (see Safety Analysis Report, Chapter VII, sections H.2.d and 1.4).

In the pulse mode, movement of any rod except the transient rod is prevented by an interlock. This interlock action prevents the addition of reactivity over that in the transient rod. The interlock to prevent startup of the reactor with less than 2 cps assures that sufficient neutrons are available for proper startup in all relevant modes of operation. The interlock to prevent the initiation of a pulse above 1 kW is to assure that the magnitude of the pulse will not cause the safety limit to be exceeded. The interlock to prevent application of air to the transient rod unless the cylinder is fully inserted is to prevent pulsing the reactor in the manual mode. Simultaneous manual withdrawal of two rods is prevented to assure the reactivity rate of insertion is not exceeded.

3.2.5 CORE LOADING AND UNLOADING OPERATION

Applicability
This specification applies to the low count rate interlock.

Objective
The objective of this specification is to eliminate interference with fuel loading procedures.

Specification
During core loading and unloading operations when the reactor is subcritical, the low count rate interlock may be momentarily defeated using a spring loaded switch in accordance with the fuel loading procedure.

Basis
During core loading and unloading, the reactor is subcritical. Thus, momentarily defeating the count rate is a safe operation. Should the core become inadvertently supercritical, the accidental insertion of reactivity will not allow fuel temperature to exceed the 1150°C safety limit because no single TRIGA fuel element is worth more than 1% Δk/k in the most reactive core position.

3.2.6 SCRAM TIME

Applicability
This specification applies to the time required to fully insert any control rod to a full down position from a full up position.

Objective
The objective is to achieve rapid shutdown of the reactor to prevent fuel damage.

Specification
The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second.

Basis
This specification assures that the reactor will be promptly shut down when a scram signal is initiated. Experience and analysis, Section IX, SAR, have indicated that for the range of transients anticipated for a TRIGA reactor, the specified scram time is adequate to assure the safety of the reactor. If the scram signal is initiated at 1.10 MW, while the control rod is being withdrawn,

insertion rates, and the reactivity worth of experiments inserted in the core.

4.2.2 REACTIVITY INSERTION RATE

Applicability
This specification applies to control rod movement speed.

Objective
The objective is to assure that the reactivity addition rate specification is not violated and that the control rod drives are functioning.

Specification
The rod drive speed both up and down and the time from scram initiation to the full insertion of any control rod from the full up position shall be measured annually, not to exceed 15 months, or when any significant work is done on the rod drive or the rod.

Basis
This specification assures that the reactor will be promptly shut down when a scram signal is initiated. Experience and analysis have indicated that for the range of transients anticipated for a TRIGA reactor, the specified scram time is adequate to assure the safety of the reactor. It also assures that the maximum reactivity addition rate specification will not be exceeded.

4.2.3 REACTOR SAFETY AND CONTROL SYSTEMS

Applicability
The specifications apply to the surveillance requirements for measurements, channel tests, and channel checks of the reactor safety systems and watchdog circuit.

Objective
The objective is to verify the performance and operability of the systems and components that are directly related to reactor safety.

Specifications

a. A channel test of the scram function of the high power, fuel temperature, manual, and preset timer safety channels shall be made on each day that the reactor is to be operated, or prior to each operation that extends more than one day.
b. A channel test of the detector power supply SCRAM function and the watchdog circuit shall be performed annually, not to exceed 15 months.

c. Channel checks for operability shall be performed daily on fuel element temperature, linear power, count rate, log power and reactor period when the reactor is to be operated, or prior to each operation that extends more than one day.
d. The percent power channel shall be compared with other independent channels for proper channel indication, when appropriate, each time the reactor is operated.
e. The pulse peak power channel shall be compared to the fuel temperature each time the reactor is pulsed, to assure proper peak power channel operation.

Basis
TRIGA system components have proven operational reliability. Daily channel tests insure accurate scram functions and insure the detection of possible channel drift or other possible deterioration of operating characteristics. The channel checks will make information available to the operator to assure safe operation on a daily basis or prior to an extended run. An annual channel test of the detector power supply scram will assure that this system works, based on past experience as recorded in the operation log book. An annual channel test of the watchdog circuit is sufficient to assure operability. Comparison of the percent power channel with other independent power channels will assure the detection of channel drift or other possible deterioration of its operational characteristics. Comparison of the peak pulse power to the fuel temperature for each pulse will assure the detection of possible channel drift or deterioration of its operational characteristics.

4.2.4 REACTOR INTERLOCKS

Applicability
This specification applies to the surveillance requirements for the reactor control system interlocks.

Objective
The objective is to insure performance and operability of the reactor control system interlocks.

Specifications

a. A channel check of the source interlock shall be performed each day that the reactor is operated or prior to each operation that extends more than one day.
b. A channel test shall be performed semi-annually, not to exceed 7 months, on the log power interlock which prevents pulsing from power levels higher than one kilowatt.

PSBR Console Replacement Training

This training plan is designed to prepare current licensed reactor operators and senior reactor operators for operations on the new reactor control system. As the intended recipients of this training already hold NRC licenses for PSBR, the plan does not include training or instruction in reactor theory, radiation safety, water handling, or any other aspects of operation not affected by the console replacement. This is a preliminary plan, and will be modified as the need arises. Supplementary help will be provided for the individual licensed operator who may not have any experience with digital computers.

Computer Concepts: 3 lectures with demonstrations, 4 1/2 hrs.

R. Gould, Project Assistant

Objective: To familiarize licensed operators with basic computing concepts to provide background for understanding specifics of the new control system.

Computer Architecture: Overview
Microprocessors
Memory
Bits & Bytes
I/O
Storage
Bus
Peripherals
Applications of Computers
Software
Systems vs. applications, e.g. DOS vs. WordPerfect
Programming Basics
the 'idea' of programs and how they run
instructions
concept: instruction cycles
subroutines / tasks, e.g. MSG task in PSBRX
flow / block diagrams
Hardware
I/O with peripheral or intelligent devices
Signals
Digital vs. Analog
A to D
D to A
Digital I/O, e.g. relays for output, switch closure for input
Example: New Console Motor Interface

Control System Overview: 1 lecture with demonstrations, 1 hr.

R. Gould, Project Assistant

Objective: To provide an overview of the major subsystems of the new console.

RSS (Reactor Safety System)
Wide Range Monitor - log, linear, log rate channels
Power Range Monitor - linear, pulse, 2 Thermocouples
Hardwired RSS relay logic for SCRAMS and interlocks

PCMS (Protection, Control and Monitoring System)
DCC X (Digital Control Computer X)
I/O for field devices
Motors and controllers
RSS signals
Watchdog
DCC Z
DCC Z LAN and DCC M
historical data
printer

Subsystems Descriptions: 2 lectures, 3 hrs.

R. Gould, Project Assistant

Objective: To describe the function and architecture of the RCS (Reactor Control System) subsystems, and to provide an overview of PSBR software function and architecture.

RSS
console switches for SCRAMS and interlocks
signal processors for power and temperature
annunciators
SCRAM logic in detail
transient air and rod drive interlocks

Instrumentation
Wide range fission chamber theory and operation
Power Range Monitor
GIC
Thermocouples

PCMS
Block Diagram
Hardware
DCC X and DCC Z
serial link
I/O Chassis
AI AO DI DO
Watchdog
Motors and Controllers
LAN, DCC M
Functions
Reactor Control and Regulation
4 operating modes
Reactor Protection
SCRAMS
interlocks
Stepbacks
Facilities Systems

Support Documentation:

All licensed operators to receive copies of all transparencies used in lectures as well as the following:

Appendix B License Amendment, Safety Evaluation of the Reactor Console Change
Chapter VII License Amendment, Reactor Safety, Protection, Control and Monitoring System
Operating Manual, PSBR Control and Safety System Upgrade, AECL Document OM 17 60501001

Hands-On Console Training: Individual training sessions, 1 hr. each.

R. Gould, Project Assistant

Objective: To familiarize licensed operators with the controls layout of the new console, as well as an overview of the software.

Layout
  SCRAM and Rod Control Panel
  SCRAM and Alarm Panel
  Wide Range Monitor
  Power Range Monitor

PSBRX and PSBRZ Software Overview

Operator Display
  annunciators
  mode selection
  power / temp / period displays
  control rod mimics
  reactivity display
  9 alarm displays
  4 mode displays
    manual
    auto
    square wave
    pulse
Operator Controls
  rod worth lookup
  facility controls
  pulse data
Message log
Bar graph displays
Trend displays
  Time
  Historical
Maintenance Menus

Simulated Reactor Operations (prior to installation):

21 hr. sessions, supervised by:

D.E. Hughes, Mgr. Engineering Services, Senior Reactor Operator.

M.E. Bryan, Sr. Electronic Designer, Senior Reactor Operator.

21 hr. sessions, unsupervised.

Additional supervised training will be provided as needed for each licensed operator.


Objective: To familiarize licensed operators with new console operations.

Particular emphasis will be placed on modified versions of the following procedures making use of new or different features of the new console.

SOP 1 Reactor Operating Procedure.

SOP 2 Daily Checkout Procedure.

SOP 4 Radiation, Evacuation and Alarm Checks.

These training sessions will make use of the PSBRXMDL or "model" version of the software supplied by AECL. This software simulates reactor inputs to the console in a realistic manner.

The following operations will be included, similar to those included in AP-3 Operator and Senior Operator Requalification:

Reactor start up to include a range where reactivity feedback from nuclear heat addition is noticeable.

Reactor shutdown.

Power change in manual rod control greater than 10%.

Power change in automatic rod control (1, 2, and 3 rod) greater than 10%.

Power change using square wave mode (1, 2, 3 rod).

Power change using pulse mode. Note: The PSBRXMDL software does not simulate TRIGA pulses; however, they may be initiated, with no subsequent power excursion.

Reactor Operations (after installation):

21 hr. sessions, supervised by:

D.E. Hughes, Mgr. Engineering Services, Senior Reactor Operator.

M.E. Bryan, Sr. Electronic Designer, Senior Reactor Operator.

Additional supervised training will be provided as needed for each licensed operator.

Objective: To familiarize licensed operators with new console operations with the TRIGA as input to the system, as the model software behavior may be slightly different from the actual reactor. Particular emphasis will again be placed on modified versions of the following procedures making use of new or different features of the new console:

SOP 1 Reactor Operating Procedure.

SOP 2 Daily Checkout Procedure.

SOP 4 Radiation, Evacuation and Alarm Checks.

These training sessions will make use of the PSBRX version of the software supplied by AECL. This software uses the TRIGA for input to the system, and will be used for standard operations.

The following operations will be included, similar to those included in the current AP-3 Operator and Senior Operator Requalification:

Reactor start up to include a range where reactivity feedback from nuclear heat addition is noticeable.

Reactor shutdown.

Power change in manual rod control greater than 10%.

Power change in automatic rod control (1, 2, and 3 rod) greater than 10%.

Power change using square wave mode (1, 2, 3 rod).

Power change using pulse mode.

Operator and Senior Operator Qualification

Objective: To assure that all licensed operators and senior operators will obtain competence in operating the new console.

The above training plan will culminate in an oral examination / operating test.

These examinations will be tailored specifically to topics impacted by the installation of the new console. They will choose a representative sample of questions on, and demonstrations of, the following:

Performance of pre-startup (reactor checkout) procedure.

Manipulation of the console controls as required to operate the facility between shutdown and designated power levels.

Identification of annunciators and condition indicating signals and performance or description of appropriate remedial actions.

Identification of the instrumentation systems and the significance of those instrument readings.

Observation and safe control of the operating behavior characteristics of the facility.

Description or performance of control manipulations required to obtain desired operating results during normal, abnormal, and emergency situations.


Navigation to and from all displays, operation of message, trend, and bar graph modes.

An oral examination / operating test checklist will be filled out by the evaluator (D.E. Hughes or M.E. Bryan) for all licensed operators and graded on a pass/fail basis.


JUL 23 '91 14 29 PCtfi STATE F5CC 'l


h' AECL EACL AECL CANDU EACL CANDU 2?51 Speatman Dnve 7251, rue Speatmen a 6 a Uk1 ea L5f182 fa?lML Telex 06 982372 fa'!lli %

Telex 06 962372

File: 17 60501000-000

1991 July 23

Mr. D. Hughes
Penn State Breazeale Reactor,
The Pennsylvania State University,
University Park, PA, 16802.

Subject:

PSBR Console - PSU Purchase Order 25972511
Handling of Proprietary Information for Licensing

Dear Mr. Hughes,

This letter gives you permission to make a limited number of copies of the protected proprietary information listed below. Such copies may be issued to the U.S. Nuclear Regulatory Commission for licensing purposes.

(1) 17-69200-TS-001, PROTROL* Software Quality Assurance Plan.
Cover sheet and Table of Contents.

(2) 17-69200-TS-002, PROTROL* Software Verification and Validation Plan.
Cover sheet and Table of Contents.

(3) 17-69200-TS-003, PROTROL* Software Configuration Management Plan.
Cover sheet and Table of Contents.

(4) 17-69200-SDH-001, PROTROL* Software Designer's Handbook Part 1.
Cover sheet and Table of Contents.

(5) 17-69200-SDH-002, PROTROL* Software Designer's Handbook Part 2.
Cover sheet and Table of Contents.


(6) 17-69200-SDH-003, PROTROL* Software Designer's Handbook Part 3 Procedures.
Cover sheet and Table of Contents.

(7) QA 17 60501-001 Project QA Plan, PSBR CSS Upgrade.

Any pages as required.

(8) Work Plan dated 89 May 05, Rev. 1, as edited for commercial confidentiality by R.D. Fournier on 91-06-19.

Sincerely,

0. A. Ralskums

cc W. 741klewicz (AECL-T)

T. McNeil
