ML20082J880
| ML20082J880 | |
| Person / Time | |
|---|---|
| Site: | Pennsylvania State University |
| Issue date: | 08/16/1991 |
| From: | Raiskums G ATOMIC ENERGY OF CANADA, LTD. |
| To: | Hughes D PENNSYLVANIA STATE UNIV., UNIVERSITY PARK, PA |
| References | |
| NUDOCS 9108290048 | |
Text
AECL CANDU / EACL CANDU
2251 Speakman Drive
(416) 823-9040
Telex 06-982372

file: 17-60501-000-000
1991 Aug 16

Mr. D. Hughes
Penn State Breazeale Reactor,
The Pennsylvania State University,
University Park, PA, 16802.
Subject:
PSBR Console - PSU Purchase Order 259725 B Removal of PROTECTED Classification on Licensing Submittals Related to QA Procedures
Dear Mr. Hughes,
This letter gives you authorization to remove the protected - proprietary classification of the information listed below. Copies may be made without restriction for public use. Note that for items (1) to (6), only the Cover Sheet and Table of Contents are unprotected.
(1) 17-69200-TS-001, PROTROL* Software Quality Assurance Plan.
Cover sheet and Table of Contents.
(2) 17-69200-TS-002, PROTROL* Software Verification and Validation Plan.
Cover sheet and Table of Contents.
(3) 17-69200-TS-003, PROTROL* Software Configuration Management Plan.
Cover sheet and Table of Contents.
(4) 17-69200-SDH-001, PROTROL* Software Designer's Handbook Part 1.
Cover sheet and Table of Contents.
(5) 17-69200-SDH-002, PROTROL* Software Designer's Handbook Part 2.
Cover sheet and Table of Contents.
9108290048 910823 PDR ADOCK 05000005
(6) 17-69200-SDH-003, PROTROL* Software Designer's Handbook Part 3. Procedures.
Cover sheet and Table of Contents.
(7) QA-17-60501-001, Project QA Plan, PSBR CSS Upgrade.
(8) Work Plan dated 89-May-05, Rev. 1, as edited for commercial confidentiality by R.D. Fournier on 91-06-19.
Sincerely,
G. A. Raiskums
AECL - Engineering Services
cc: W. Zolkiewicz (AECL-T)
T. McNeil
Radiation Science and Engineering Center
Penn State Breazeale Reactor
College of Engineering
University Park, PA 16802
Fax # (814) 863-4840
Tel # (814) 865-6351
An Equal Opportunity University

[Fax cover sheet; handwritten entries not legible in the scan.]
PENNSTATE

July 6, 1991

Nuclear Regulatory Commission
Document Control Desk
Washington, D.C. 20555

Re: Revision to the License, Technical Specifications, and Safety Analysis Report for the Penn State Breazeale Reactor, License No. R-2, Docket No. 50-05

Dear Sir or Madam:

The attached material is submitted in response to oral questions by the NRC concerning our original amendment request dated April 19, 1991. Included are a training plan, rationale for the watchdog circuit not being a Technical Specification, information on AECL's Quality Assurance Program, and proposed replacement pages to incorporate a watchdog scram in the Technical Specifications, if required.
An exemption of fees for this licensing action is requested under the provisions of 10 CFR Part 170.11(a)(4).
If you have questions on this matter, please refer them directly to the principal author of the attachments, Daniel E. Hughes, or the director, Marcus H. Voth, at (814) 865-0351.

Sincerely,
Charles L. Hosler
Senior Vice President for Research and Dean of Graduate School

CLH:MHV/skr
Attachments
cc: Region 1 Administrator

Subscribed to and sworn before me on this [illegible] day of [illegible], 1991.
Notary Public in and for Centre County, Pennsylvania
NOTMiAl $(At BONNIE O E'CHELCEFGit Nc.9tv runic sta'e toc, tm, c,mt, c3,, p,,
A'y Cm w,, h:m s jv!, 23 1991 N
Rationale for the Watchdog Circuit not being a Technical Specification
7/2/91

A non-power reactor facility such as the Penn State Breazeale Reactor (PSBR) is charged with the mission (1) to operate the reactor such that the health and safety of the public is not jeopardized and (2) to provide facilities for nuclear research, training and testing. To have Technical Specifications (TS) above and beyond those necessary to assure the first mission reduces the capability of the facility to fulfill its second mission. Unnecessary TS can reduce the flexibility and versatility of a facility and impact its limited resources adversely. Any unnecessary use of resources prevents those resources from being used in more productive ways.
One of the design criteria of the new console (NC) for the PSBR was that all of the current TS must be met using hardwired analog technology and that the failure of the computer must not disable the reactor safety system (RSS). That criterion was met.
The fact that the computer can fail in many modes is inconsequential as long as any credible failure does not disable the RSS. To require a component to detect its own failure, when there is a redundant and diverse component that still protects the health and safety of the public, is not necessary and should not be a TS requirement.
All safety channels and interlocks required by the TS are implemented by the hardwired analog RSS. The protection, control and monitoring system (PCMS) duplicates and validates those required safety channels and interlocks. There are additional scrams and interlocks in the PCMS that are not required by the TS.
The NC's RSS is a complete functional duplication of the old console (OC) RSS. The PCMS communicates with the RSS through digital outputs (DO) (on/off) to configure the RSS appropriately for each mode. The same function is performed by the mode selector switch on the OC. A failure of the mode selector switch on the OC does not completely disable the RSS; the Limiting Safety System (LSS) is functional at all times and is independent of the mode. Likewise, the PCMS failure does not disable the NC's RSS. In fact, the design of the PCMS and the RSS make it more reliable and safe than the OC because it does self-checks of its software and hardware and a hardwired status light is displayed if the high power scrams are bypassed. In addition, the NC utilizes two SCRAM buses with the power range high power SCRAM relay in one bus and the wide range high power SCRAM relay in the other. It takes two DOs from the PCMS to energize relays to bypass both high power scrams.
On the OC, the mode selector switch cannot detect its own failure and initiate a SCRAM automatically; obviously this is not required by the TS. On the NC, a watchdog SCRAM (which detects some failures of the PCMS) should not be required by the TS.
The fact that it is possible to detect failures of the PCMS is not sufficient reason to make it a TS requirement.
One suggestion is that a watchdog circuit SCRAM should be required by the TS because it assures that the data displayed on the CRT to the operator is near real time and correct. This basis has not been the precedent with other digital control systems such as General Atomic's (GA) or Armed Forces Radiobiological Research Institute's (AFRRI) or in parameter display systems such as that of GA or the University of Michigan.
Operators are trained to observe all the data that is displayed, compare that data, assess the validity and act to maintain the reactor in a safe condition. The analog displays of the new console are within comfortable view of the operator and all channels are displayed. There are no embedded processors between the analog displays and the detectors. Redundancy and diversity ensure that no single failure will compromise all the data to the RSS, PCMS or the operator. The new console has further redundancy. The PCMS CRT displays the same data as the analog displays. If the CRT fails, the backups are the analog displays; if the analog displays fail, the backups are other analog displays and/or the CRT displays.
There are several modes of failure that will lead to bad data as an input to the analog displays, the CRT displays, the auto controller, or the SCRAM comparators.
One mode of such a failure is a failure of a safety channel anywhere from the detector to the input to the SCRAM comparator, analog displays or the PCMS. The power channels can fail if the high voltage bias supplies fail. Both the OC and the NC have scrams that initiate on loss or degradation of the high voltage bias supplies. A loss of sensitivity of the detector is a failure that neither the OC or the NC can directly detect.
Any single channel may fail abruptly, or worse, slowly drift out of calibration. If the linear channel is the one that fails or loses sensitivity and the system is in auto mode, the controller may maintain power based on the linear channel while actual power is driven higher. If this particular failure occurs, the data displayed to the operator, data input to the auto control system, or the data to a SCRAM comparator may not be correct. Failure of one safety channel is tolerable in the SAR of the OC or the NC because:
1. The operator is trained to view and compare redundant and diverse channel displays and make decisions as to the validity of the data before acting.
2. If an operator initiates an action based on bad data, the redundant and diverse safety channels will act to shutdown the reactor if the power or temperature exceed the setpoints.
3. Redundancy and diversity designed into the RSS assures that the RSS will perform its function adequately.
4. If the auto controller has bad data as an input, the redundant and diverse safety channels will SCRAM the reactor if the power or temperature exceed the setpoints.
Watchdog circuits, as now implemented, do not check the validity of the signal that is the input to the system, yet a spread validation between power channels or thermocouple (TC) channels is not required by the TS. The PCMS does perform a power channel spread validation and will initiate a stepback if a failure of that validation is detected. Although it is part of the PCMS, it is not and should not be part of the TS because the RSS is designed to protect the reactor in such a failure.
Another mode of failure that will cause bad data to be displayed on the CRT is one that causes the CRT to freeze on an unchanging screen. If the freeze is due to a failure that is not detectable by self checks or prevents resetting of the watchdog circuit, the reactor will not SCRAM. If there is no watchdog SCRAM, then the computer is operating properly except for the CRT. Therefore, all the RSS safety features continue to be functional; the auto controller of the PCMS, if engaged, remains functional; and the analog displays will continue to display good data. If all of those features are functional, the reactor continues to operate safely. This mode of failure that causes bad data to be displayed to the operator is more safe than the other mode of failure discussed above. If the screen is frozen in this failure mode, the operator will notice that:
1. The clock does not update.
2. The normal random noise is not present on the data displays.
3. Data does not change if there is an attempt to move control rods, access other screens, or any other function that may be part of normal operation.
A properly trained operator will be comparing data between the CRT display and the analog display continuously; especially if a change is anticipated or attempted. There is no operation that an operator can initiate, based on bad data displayed on the CRT, that will prevent the RSS from maintaining the reactor in a safe condition. Watchdog circuits as they are presently implemented, will not detect either of the above two modes of failure that may lead to a frozen CRT or bad data on the CRT.
Bad data displayed on the CRT is not desirable, but it is not an unsafe condition unless accompanied by an incredible, simultaneous and complete failure of the RSS.
Even in that case, the TRIGA fuel system provides added safeguards that are not present in other types of reactors. By the definition of a safety related system in Regulatory Guide 1.152 (Criteria for Programmable Digital System Software in Safety-Related Systems of Nuclear Power Plants, U. S. Nuclear Regulatory Commission, Nov 1985) the CRT display is not a safety related system; a safety related system being defined as one that is required to remain functional during a design basis event in order to protect the health and safety of the public.
Based on the above analysis, we do not believe that making the watchdog circuit SCRAM a safety channel required by the TS is warranted. The watchdog SCRAM is part of the SAR as described in Chapter 7. If there is a change in the watchdog SCRAM, it will have to be reviewed to determine if there is an unreviewed safety question under the 10 CFR 50.59 criteria. If there is an unreviewed safety question, the amendment process would be required for the change. If not, the NRC would be informed by the usual methods of the 10 CFR 50.59 change. The present watchdog circuit increases the reliability of the system by being an on line diagnostic tool. We do not believe that any computer system associated with the reactor should be without a watchdog circuit. However, since the RSS remains functional and meets the single failure criteria, a TS requirement that the PCMS should detect its own failure and SCRAM the reactor is not necessary. With the OC, the individual channels do not detect their own failure and do not SCRAM the reactor if a failure is detected; to place such TS requirements on the NC is not appropriate.
Review of amendments issued by the NRC to GA and AFRRI for digital console upgrades and the implementation of parameter display systems by GA and the University of Michigan presents a very confusing history of watchdog circuits. The amendments for the digital console upgrades state bases that are different in both cases. In the case of GA, amendment No. 29 indicates that a watchdog safety channel is "... applicable when computers are utilized to perform reactor control functions". The AFRRI amendment No. 19 for a very similar system, requires a watchdog safety channel to "... insure adequate communication between the Data Acquisition Computer (DAC) and the Control System Computer (CSC) units". The GA console utilizes the very same communications link between the DAC and the CSC as the AFRRI system.
The AFRRI console utilizes the computer for control. If either basis is appropriate they should both be part of each TS change. In addition, neither TS change states that integrity of the CRT data display is a basis for the watchdog safety channel requirement, defines minimum design specifications for the watchdog circuit, indicates the frequency or the extent of the surveillance, or indicates the length of the time interval that is appropriate for the watchdog circuit.
The parameter display systems (GA and University of Michigan) were approved for implementation by local review under 10 CFR 50.59. The data of these systems is displayed to the reactor operator, but there has been no TS change requiring a watchdog safety channel. Likewise, many control rooms have parameter displays ranging from strip chart recorders to digital system CRT displays that have no TS requirements for watchdog circuits. In summary, there is no clear precedent for a minimum watchdog circuit, a basis for a watchdog circuit, surveillance requirements for a watchdog circuit, or minimum design specifications for a watchdog circuit. A TS requirement for the Penn State PCMS watchdog SCRAM would set an adverse precedent for parameter display systems at all non-power reactor facilities.
We do not agree that the PCMS watchdog circuit should be part of the TS as defined in 10 CFR Part 50.36. However, if the commission finds that a TS must be imposed, we propose a change as indicated by the enclosed replacement pages. The basis will be that a watchdog circuit will reduce the time that a reactor stays at power when the PCMS computer has a fatal failure in any of the software or hardware self-checks. The surveillance required will be that the watchdog circuit will SCRAM the reactor when any single self-check fails. Since it is not possible to cause each of the self checks to fail independently, it is not possible to test each self check. A minimum design specification for a watchdog circuit will not be proposed.
reactive rod is in its most reactive position, and that the reactor will remain subcritical without further operator action.

1.1.42 SQUARE WAVE OPERATION
Square wave (SW) operation shall mean operation of the reactor with the mode selector switch in the square wave position which allows the operator to insert preselected reactivity by the ejection of the transient rod, and which results in a maximum power of 1 MW or less.

1.1.43 TRIGA FUEL ELEMENT
A TRIGA fuel element is a single TRIGA fuel rod of standard type, either 8.5 wt% U-ZrH in stainless steel cladding or 12 wt% U-ZrH in stainless steel cladding enriched to less than 20% uranium-235.

1.1.44 WATCHDOG CIRCUIT
A watchdog circuit is a circuit consisting of a timer and a relay. The timer energizes the relay as long as it is reset prior to the expiration of the timing interval. If it is not reset within the timing interval, the relay will de-energize thereby causing a SCRAM.
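
The timer-and-relay behaviour defined in 1.1.44, together with the rationale's point that a frozen CRT or a drifting detector leaves the watchdog satisfied, can be modelled as follows. This is an added illustration, not AECL or Penn State code; the 100 ms cycle, the 500 ms timing interval, the latching relay and the fault names are all assumptions, since the submittal specifies none of them.

```python
"""Added illustration: timer-and-relay watchdog per definition 1.1.44.

Cycle time, timing interval, fault names and relay latching are assumptions.
"""
from dataclasses import dataclass

FAULTS = ("none", "cpu_hang", "self_check_fail", "display_freeze", "detector_drift")


@dataclass
class WatchdogCircuit:
    """A timer holds a relay energized only while it keeps being reset."""
    timeout_ms: int
    last_reset_ms: int = 0
    relay_energized: bool = True  # a de-energized relay demands a SCRAM

    def poll(self, now_ms: int) -> bool:
        """Hardware side: drop the relay once the timing interval has expired."""
        if now_ms - self.last_reset_ms > self.timeout_ms:
            self.relay_energized = False
        return self.relay_energized

    def reset(self, now_ms: int) -> None:
        """Software side: a reset only counts if it arrives before expiry."""
        if self.poll(now_ms):  # assumed latching: a dropped relay stays dropped
            self.last_reset_ms = now_ms


def simulate(fault, fault_at_ms=2000, duration_ms=5000, period_ms=100, timeout_ms=500):
    """Run the modelled computer loop with one injected fault; report the outcome."""
    if fault not in FAULTS:
        raise ValueError(f"unknown fault: {fault}")
    wd = WatchdogCircuit(timeout_ms)
    displayed = true_power = 50  # percent of full power
    scram_at = None
    for now in range(0, duration_ms + 1, period_ms):
        faulted = fault != "none" and now >= fault_at_ms
        # Actual power is driven upward from fault_at_ms onward (1 % per 100 ms).
        true_power = 50 + max(0, now - fault_at_ms) // 100
        # A detector that lost sensitivity keeps reporting the old value.
        sensed = 50 if (faulted and fault == "detector_drift") else true_power
        if not (faulted and fault == "cpu_hang"):            # main loop still runs
            if not (faulted and fault == "self_check_fail"):
                wd.reset(now)                                # self-checks passed
            if not (faulted and fault == "display_freeze"):
                displayed = sensed                           # CRT refresh
        if not wd.poll(now):                                 # relay has dropped
            scram_at = now
            break
    return {
        "watchdog_scram": scram_at is not None,
        "scram_at_ms": scram_at,
        "displayed": displayed,
        "true_power": true_power,
    }


def undetected_bad_data(result) -> bool:
    """True when the display is wrong and the watchdog never tripped."""
    return (not result["watchdog_scram"]) and result["displayed"] != result["true_power"]


if __name__ == "__main__":
    for name in FAULTS:
        r = simulate(name)
        print(f"{name:16s} scram={r['watchdog_scram']!s:5s} at={r['scram_at_ms']} "
              f"displayed={r['displayed']} true={r['true_power']} "
              f"undetected_bad_data={undetected_bad_data(r)}")
```

In the two cases the watchdog misses, the protection in this model would have to come from elsewhere, which is the role the rationale assigns to the hardwired RSS channels and the operator's comparison against the analog displays.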

2.0 SAFETY LIMIT AND LIMITING SAFETY SYSTEM SETTING

2.1 SAFETY LIMIT FUEL ELEMENT TEMPERATURE
Applicability
The safety limit specification applies to the maximum temperature in the reactor fuel.
Objective
The objective is to define the maximum fuel element temperature that can be permitted with confidence that no damage to the fuel element and/or cladding will result.
Specifications
The temperature in a water cooled TRIGA fuel element shall not exceed 1150°C under any operating condition.
Basis
The important parameter for a TRIGA reactor is the fuel element temperature. This parameter is well suited as a single specification especially since it can be measured at a point within the fuel element. The measured fuel temperature is directly related to the maximum fuel temperature of the region. A loss in the integrity of the fuel element cladding could arise from a build-up of excessive pressure between the fuel moderator and the cladding if the maximum fuel temperature exceeds 1150°C. The pressure is caused by the presence of air, fission product gases, and hydrogen from the dissociation of the hydrogen and zirconium in the fuel moderator. The magnitude of this pressure is determined by the fuel-moderator temperature, the ratio of hydrogen to zirconium in the alloy, and the rate change in the pressure.
Amendment No.

The safety limit for the standard TRIGA fuel is based on data, including the large mass of experimental evidence obtained during high performance reactor tests on this fuel. These data indicate that the stress in the cladding due to the increase in the hydrogen pressure from the dissociation of zirconium hydride will remain below the ultimate stress provided that the temperature of the fuel does not exceed 1150°C (2102°F) and the fuel cladding is water cooled. See Safety Analysis Report, Ref. 13 in section IX and Simnad, M.T., F.C. Foushee, and G.B. West, "Fuel Elements for Pulsed Reactors," Nucl. Technology, Vol. 28, p. 31-56 (January 1976).

2.2 LIMITING SAFETY SYSTEM SETTING (LSSS)
Applicability
The LSSS specification applies to the scram setting which prevents the safety limit from being reached.
Objective
The objective is to prevent the safety limit (1150°C) from being reached.
Specifications
The limiting safety system setting shall be a maximum of 700°C as measured with a 12 wt% U-ZrH instrumented fuel element. The instrumented fuel element shall be located in the B ring and adjacent to an empty fuel position when an empty fuel position exists in the B ring.
Basis
The limiting safety system setting is a temperature which, if reached, shall cause a reactor scram to be initiated preventing the safety limit from being exceeded.
Experiments and analyses described in the Safety Analysis Report, Section IX - Safety Evaluation, show that the measured fuel temperature at steady state power has a simple linear relationship to the normalized power or power of the highest powered fuel element in the core. Maximum fuel temperature occurs when a new 12 wt% U-ZrH fuel element is placed in the B ring of the core. The measured fuel temperature during steady state operation is close to the maximum fuel temperature.
Thus, 450°C of safety margin exists before the 1150°C safety limit is reached. This safety margin provides adequate compensation for using a depleted instrumented 12 wt% U-ZrH fuel element instead of an unirradiated one to measure the fuel temperature. See Safety Analysis Report, Section IX.
In the pulse mode of operation, the same limiting safety system setting shall apply.
However, the temperature channel will have no effect on limiting the peak power generated, because of its relatively long time constant (seconds), compared with the width of the pulse (milliseconds). In this mode, however, the temperature trip will act

is thermocouple. Hence, when either the linear, percent power, or temperature scram occurs, the maximum fuel temperature will be far below the 1150°C safety limit.

2.3 REACTOR CONTROL SYSTEM
Applicability
This specification applies to the information which must be available to the reactor operator during reactor operation.
Objective
The objective is to require that sufficient information is available to the operator to assure safe operation of the reactor.
Specification
The reactor shall not be operated unless the measuring channels listed in Table 1 are operable. (Note that MN, AU and SW are abbreviations for manual, automatic and square wave, respectively).

Table 1 Measuring Channels
| Measuring Channel | Min. No. Operable | Effective Mode (MN, AU / Pulse / SW) |
|---|---|---|
| Fuel Element Temperature | 1 | X X X |
| Linear Power | 1 | X X |
| Percent Power | 1 | X X |
| Pulse Peak Power | 1 | X |
| Count Rate | 1 | X |
| Log Power | 1 | X X |
| Reactor Period | 1 | X |

Basis
Fuel temperature displayed at the control console gives continuous information on this parameter which has a specified safety limit. The power level monitors assure that the reactor power level is adequately monitored for the manual, automatic, square wave and pulsing modes of operation. The specifications on reactor power level and reactor period indications are included in this section to provide assurance that the reactor is operated at all times within the limits allowed by these Technical Specifications.

3.2.4 REACTOR SAFETY SYSTEM AND INTERLOCKS
Applicability
This specification applies to the reactor safety system channels, the interlocks, and the Watchdog Circuit.
Objective
The objective is to specify the minimum number of reactor safety system channels and interlocks that must be operable for safe operation.
Specification
The reactor shall not be operated unless all of the channels and interlocks described in Table 2a and Table 2b are operable.

Table 2a Minimum PSBR Channels
| Channel | Number Operable | Function | Effective Mode (MN, AU / Pulse / SW) |
|---|---|---|---|
| Fuel Temperature | 1 | SCRAM ≥ 700°C | X X X |
| High Power | 2 | SCRAM ≤ 110% of 1 MW | X X |
| Detector Power Supply | 1 | SCRAM on failure of supply voltage | X X |
| Scram Bar on Console | 1 | | X X |
| Preset Timer | 1 | seconds or less after pulse | |
| Watchdog Circuit | 1 | SCRAM on software or self-check failure | X X X |

Table 2b Minimum PSBR Interlocks
| Interlocks | Number Operable | Function | Effective Mode (MN, AU / Pulse / SW) |
|---|---|---|---|
| Source Level | 1 | Prevent rod withdrawal with less than two neutron induced counts per second on the startup channel | X |
| Log Power | 1 | Prevent pulsing from levels above 1 kW | X |
| Transient Rod | 1 | Prevent applications of air unless cylinder is fully inserted | X |
| Shim, Safety, and Regulating Rod | 1 | Movement of any rod except transient rod | X |
| Simultaneous Rod Withdrawal | 1 | Prevents simultaneous manual withdrawal of two rods | X X |

Basis
A temperature scram and two power level scrams provide automatic protection to assure that the reactor is shut down before the safety limit on the fuel element temperature will be exceeded. The manual scram allows the operator to shut down the system in any mode of operation if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety chambers, operation of the reactor without adequate instrumentation is prevented. The preset timer insures that the transient rod will be inserted and the reactor will remain at low power after pulsing. The watchdog circuit will scram the reactor if the software or the self checks fail (see Safety Analysis Report, Chapter VII, sections H.2.d and 1.4).
In the pulse mode, movement of any rod except the transient rod is prevented by an interlock. This interlock action prevents the addition of reactivity over that in the transient rod. The interlock to prevent startup of the reactor with less than 2 cps assures that sufficient neutrons are available for proper startup in all relevant modes of operation. The interlock to prevent the initiation of a pulse above 1 kW is to assure that the magnitude of the pulse will not cause the safety limit to be exceeded. The interlock to prevent application of air to the transient rod unless the cylinder is fully inserted is to prevent pulsing the reactor in the manual mode. Simultaneous manual withdrawal of two rods is prevented to assure the reactivity rate of insertion is not exceeded.

3.2.5 CORE LOADING AND UNLOADING OPERATION
Applicability
This specification applies to the low count rate interlock.
Objective
The objective of this specification is to eliminate interference with fuel loading procedures.
Specification
During core loading and unloading operations when the reactor is subcritical, the low count rate interlock may be momentarily defeated using a spring loaded switch in accordance with the fuel loading procedure.
Basis
During core loading and unloading, the reactor is subcritical. Thus, momentarily defeating the count rate is a safe operation. Should the core become inadvertently supercritical, the accidental insertion of reactivity will not allow fuel temperature to exceed the 1150°C safety limit because no single TRIGA fuel element is worth more than 1% Δk/k in the most reactive core position.

3.2.6 SCRAM TIME
Applicability
This specification applies to the time required to fully insert any control rod to a full down position from a full up position.
Objective
The objective is to achieve rapid shutdown of the reactor to prevent fuel damage.
Specification
The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second.
Basis
This specification assures that the reactor will be promptly shut down when a scram signal is initiated. Experience and analysis, Section IX, SAR, have indicated that for the range of transients anticipated for a TRIGA reactor, the specified scram time is adequate to assure the safety of the reactor. If the scram signal is initiated at 1.10 MW, while the control rod is being withdrawn,

insertion rates, and the reactivity worth of experiments inserted in the core.

4.2.2 REACTIVITY INSERTION RATE
Applicability
This specification applies to control rod movement speed.
Objective
The objective is to assure that the reactivity addition rate specification is not violated and that the control rod drives are functioning.
Specification
The rod drive speed both up and down and the time from scram initiation to the full insertion of any control rod from the full up position shall be measured annually, not to exceed 15 months, or when any significant work is done on the rod drive or the rod.
Basis
This specification assures that the reactor will be promptly shut down when a scram signal is initiated. Experience and analysis have indicated that for the range of transients anticipated for a TRIGA reactor, the specified scram time is adequate to assure the safety of the reactor. It also assures that the maximum reactivity addition rate specification will not be exceeded.

4.2.3 REACTOR SAFETY AND CONTROL SYSTEMS
Applicability
The specifications apply to the surveillance requirements for measurements, channel tests, and channel checks of the reactor safety systems and watchdog circuit.
Objective
The objective is to verify the performance and operability of the systems and components that are directly related to reactor safety.
Specifications
a. A channel test of the scram function of the high power, fuel temperature, manual, and preset timer safety channels shall be made on each day that the reactor is to be operated, or prior to each operation that extends more than one day.
b. A channel test of the detector power supply SCRAM function and the watchdog circuit shall be performed annually, not to exceed 15 months.
c. Channel checks for operability shall be performed daily on fuel element temperature, linear power, count rate, log power and reactor period when the reactor is to be operated, or prior to each operation that extends more than one day.
d. The percent power channel shall be compared with other independent channels for proper channel indication, when appropriate, each time the reactor is operated.
e. The pulse peak power channel shall be compared to the fuel temperature each time the reactor is pulsed, to assure proper peak power channel operation.
Basis
TRIGA system components have proven operational reliability. Daily channel tests insure accurate scram functions and insure the detection of possible channel drift or other possible deterioration of operating characteristics. The channel checks will make information available to the operator to assure safe operation on a daily basis or prior to an extended run. An annual channel test of the detector power supply scram will assure that this system works, based on past experience as recorded in the operation log book. An annual channel test of the watchdog circuit is sufficient to assure operability. Comparison of the percent power channel with other independent power channels will assure the detection of channel drift or other possible deterioration of its operational characteristics. Comparison of the peak pulse power to the fuel temperature for each pulse will assure the detection of possible channel drift or deterioration of its operational characteristics.

4.2.4 REACTOR INTERLOCKS
Applicability
This specification applies to the surveillance requirements for the reactor control system interlocks.
Objective
The objective is to insure performance and operability of the reactor control system interlocks.
Specifications
a. A channel check of the source interlock shall be performed each day that the reactor is operated or prior to each operation that extends more than one day.
b. A channel test shall be performed semi-annually, not to exceed 7 months, on the log power interlock which prevents pulsing from power levels higher than one kilowatt.
PSBR Conscle Replacement Training This training pian is designed to prepare current licensed reactor operators and senior reactor operators for operations on the new reactor control system. As the intended recipients of this training already hold NRC licenses for PSBR, the plan does not include training or instruction in resctor theory, radiation safety, water handling, or any other aspects of operation not affected by the console replacement. This is a preliminary plan, and will be modified as the need arises. Supplementary help will be provided for the individual licensed operator who may not have any experience with digital computers.
Computer Concepts:
3 lectures with demonstrations, 4 1/2 hrs.
R. Gould, Project Assistant
Objective: To familiarize licensed operators with basic computing concepts to provide background for understanding specifics of the new control system.
Computer Architecture: Overview.
  Microprocessors
  Memory
  Bits & Bytes
  I/O
  Storage
  Bus
  Peripherals
Applications of Computers
Software
  Systems vs. applications, e.g. DOS vs. Wordperfect
Programming Basics
  the 'idea' of programs and how they run
  instructions - concept: instruction cycles
  subroutines / tasks, e.g. MSG task in PSBRX
  flow / block diagrams
Hardware I/O with peripheral or intelligent devices
  Signals
  Digital vs. Analog
  A to D
  D to A
  Digital I/O, e.g. relays for output, switch closure for input
Example: New Console Motor Interface
Control System Overview:
1 lecture with demonstrations, 1 hr.
R. Gould, Project Assistant.
Objective: To provide an overview of the major subsystems of the new console.
RSS (Reactor Safety System)
  Wide Range Monitor - log, linear, log rate channels
  Power Range Monitor - linear, pulse, 2 Thermocouples
  Hardwired RSS relay logic for SCRAMS and interlocks
PCMS (Protection, Control and Monitoring System)
  DCC-X (Digital Control Computer - X)
  I/O for field devices
  Motors and controllers
  RSS signals
  Watchdog
  DCC-Z
  DCC-Z LAN and DCC-M
  historical data printer

Subsystems Descriptions:
2 lectures, 3 hrs.
R. Gould, Project Assistant.
Objective: To describe the function and architecture of the RCS (Reactor Control System) subsystems, and to provide an overview of PSBR software function and architecture.
RSS
  console switches for SCRAMS and interlocks
  signal processors for power and temperature
  annunciators
  SCRAM logic in detail
  transient air and rod drive interlocks
  instrumentation
  Wide range fission chamber theory and operation
  Power Range Monitor
  GIC
  Thermocouples
PCMS
  Block Diagram
  Hardware
    DCC-X and DCC-Z
    serial link
    I/O Chassis
    AI AO DI DO
    Watchdog
    Motors and Controllers
    LAN, DCC-M
  Functions
    Reactor Control and Regulation
    4 operating modes
    Reactor Protection
    SCRAMS
    Interlocks
    Stepbacks
    Facilities Systems

Support Documentation:
All licensed operators to receive copies of all transparencies used in lectures as well as the following:
Appendix B License Amendment Safety Evaluation of the Reactor Console Change
Chapter VII. License Amendment Reactor Safety, Protection, Control and Monitoring System
Operating Manual PSBR Control and Safety System Upgrade, AECL Document OM 17-60501-001

Hands-On Console Training:
Individual training sessions, 1 hr. each.
R. Gould, Project Assistant
Objective: To familiarize licensed operators with the controls layout of the new console, as well as an overview of the software.
Layout
  SCRAM and Rod Control Panel
  SCRAM and Alarm Panel
  Wide Range Monitor
  Power Range Monitor
PSBRX and PSBRZ Software Overview
  Operator Display
    annunciators
    mode selection
    power / temp / period displays
    control rod mimics
    reactivity display
    9 alarm displays
    4 mode displays: manual, auto, square wave, pulse
  Operator Controls
  rod worth lookup
  facility controls
  pulse data
  Message log
  Bar graph displays
  Trend displays: Time, Historical
  Maintenance Menus
Simulated Reactor Operations (prior to installation):
2-1 hr. sessions, supervised by:
D.E. Hughes, Mgr. Engineering Services, Senior Reactor Operator, M.E. Bryan, Sr. Electronic Designer, Senior Reactor Operator.
2-1 hr. sessions, unsupervised.
Additional supervised training will be provided as needed for each licensed operator.
Objective: To familiarize licensed operators with new console operations.
Particular emphasis will be placed on modified versions of the following procedures making use of new or different features of the new console.
SOP-1 Reactor Operating Procedure.
SOP-2 Daily Checkout Procedure.
SOP-4 Radiation, Evacuation and Alarm Checks.
These training sessions will make use of the PSBRXMDL or "model" version of the software supplied by AECL. This software simulates reactor inputs to the console in a realistic manner.
The following operations will be included similar to those included in AP-3 Operator and Senior Operator Requalification:
Reactor start up to include a range where reactivity feedback from nuclear heat addition is noticeable.
Reactor shutdown.
Power change in manual rod control greater than 10%.
Power change in automatic rod control (1, 2, and 3 rod) greater than 10%.
Power change using square wave mode (1,2,3 rod.)
Power change using pulse mode. Note: The PSBRXMDL software does not simulate TRIGA pulses, however they may be initiated, with no subsequent power excursion.
Reactor Operations (after installation):
2-1 hr. sessions, supervised by:
D.E. Hughes, Mgr. Engineering Services, Senior Reactor Operator, M.E. Bryan, Sr. Electronic Designer, Senior Reactor Operator.
Additional supervised training will be provided as needed for each licensed operator.
Objective: To familiarize licensed operators with new console operations with the TRIGA as input to the system, as the model software behavior may be slightly different from the actual reactor. Particular emphasis will again be placed on modified versions of the following procedures making use of new or different features of the new console:
SOP-1 Reactor Operating Procedure.
SOP-2 Daily Checkout Procedure.
SOP-4 Radiation, Evacuation and Alarm Checks.
These training sessions will make use of the PSBRX version of the software supplied by AECL. This software uses the TRIGA for input to the system, and will be used for standard operations.
The following operations will be included similar to those included in the current AP-3 Operator and Senior Operator Requalification:
Reactor start up to include a range where reactivity feedback from nuclear heat addition is noticeable.
Reactor shutdown.
Power change in manual rod control greater than 10%.
Power change in automatic rod control (1, 2, and 3 rod) greater than 10%.
Power change using square wave mode (1,2,3 rod.)
Power change using pulse mode.
Operator and Senior Operator Qualification
Objective: To assure that all licensed operators and senior operators will obtain competence in operating the new console.
The above training plan will culminate in an oral examination / operating test.
These examinations will be tailored specifically to topics impacted by the installation of the new console. They will choose a representative sample of questions on, and demonstrations of the following:
Performance of pre startup (reactor checkout) procedure.
Manipulation of the console controls as required to operate the facility between shutdown and designated power levels.
Identification of annunciators and condition-indicating signals and performance or description of appropriate remedial actions.
Identification of the instrumentation systems and the significance of those instrument readings.
Observation and safe control of the operating behavior characteristics of the facility.
Description or performance of control manipulations required to obtain desired operating results during normal, abnormal, and emergency situations.
Navigation to and from all displays, operation of message, trend, and bar graph modes.
An oral examination / operating test checklist will be filled out by the evaluator (D.E. Hughes or M.E. Bryan) for all licensed operators and graded on a pass/fail basis.
AECL CANDU / EACL CANDU
2251 Speakman Drive, Mississauga, Ontario, Canada L5K 1B2
(416) 823-9040, Fax (416) 823-8006, Telex 06-982372
file: 17-60301-000-000
1991 July 23
Mr. D. Hughes
Penn State Breazeale Reactor,
The Pennsylvania State University,
University Park, PA, 16802.
Subject:
PSBR Console - PSU Purchase Order 259725-B Handling of Proprietary Information for Licensing
Dear Mr. Hughes,
This letter gives you permission to make a limited number of copies of the protected-proprietary information listed below. Such copies may be issued to the U.S. Nuclear Regulatory Commission for licensing purposes.
(1) 17-69200-TS-001, PROTROL* Software Quality Assurance Plan.
Cover sheet and Table of Contents.
(2) 17-69200-TS-002, PROTROL* Software Verification and Validation Plan.
Cover sheet and Table of Contents.
(3) 17-69200-TS-003, PROTROL* Software Configuration Management Plan.
Cover sheet and Table of Contents.
(4) 17-69200-SDH-001, PROTROL* Software Designer's Handbook Part 1.
Cover sheet and Table of Contents.
(5) 17-69200-SDH-002, PROTROL* Software Designer's Handbook Part 2.
Cover sheet and Table of Contents.
(6) 17-69200-SDH-003, PROTROL* Software Designer's Handbook Part 3, Procedures.
Cover sheet and Table of Contents.
(7) QA-17-60501-001, Project QA Plan, PSBR CSS Upgrade.
Any pages as required.
(8) Work Plan dated 89-May-05, Rev.1, as edited for commercial confidentiality by R.D. Fournier on 91-06-19.
Sincerely,
G. A. Raiskums
AECL - Engineering Services
cc W. Zolkiewicz (AECL-T)
T. McNeil
PENNSTATE
College of Engineering
Breazeale Nuclear Reactor Building
The Pennsylvania State University
University Park, PA 16802
July 25, 1991
Nuclear Regulatory Commission
Document Control Desk
Washington, D. C. 20555
Re: Information Supplementing 7/8/91 Request for Revision to the License, Technical Specifications and Safety Analysis Report for the Penn State Breazeale Reactor. License No. R-2, Docket No. 50 05
Dear Sir or Madam:
The attached letter from Gilbert Raiskums, AECL, to Daniel Hughes is submitted in response to oral questions by the NRC concerning our original amendment request dated April 19, 1991. The letter gives Mr. Hughes permission to issue the listed protected-proprietary documents to the NRC in support of the above amendment request.
If you have questions on this matter, please refer them directly to the principal author of the attachments, Daniel E. Hughes, or the director, Marcus H. Voth at (184) 865 6351.
Sincerely,
Marcus H. Voth
Associate Professor, Nuclear Engineering
Director, Radiation Science and Engineering Center
MHV/kmc
Attachments
pc. Region 1 Administrator
Charles L. Hosler