ML20082J882

Authorizes Removal of protected-proprietary Classification of Listed Licensing Submittals Related to QA Procedures
ML20082J882
Person / Time
Site: Pennsylvania State University
Issue date: 08/16/1991
From: Raiskums G
ATOMIC ENERGY OF CANADA, LTD.
To: Hughes D
PENNSYLVANIA STATE UNIV., UNIVERSITY PARK, PA
Shared Package
ML20082J889 List:
References
NUDOCS 9108290048


Text

AUG 23 '91 16:32 PENN STATE RSEC P.2/3

AECL CANDU / EACL CANDU

2251 Speakman Drive, Mississauga, Ontario, Canada L5K 1B2

(416) 823-9040, Fax (416) 823-8006, Telex 06-882372

File: 17-60501-000-000

1991 Aug 16

Mr. D. Hughes
Penn State Breazeale Reactor,
The Pennsylvania State University,
University Park, PA 16802.

Subject: PSBR Console - PSU Purchase Order 259725 B
Removal of PROTECTED Classification on Licensing Submittals Related to QA Procedures

Dear Mr. Hughes,

This letter gives you authorization to remove the protected - proprietary classification of the information listed below. Copies may be made without restriction for public use. Note that for items (1) to (6), only the Cover Sheet and Table of Contents are unprotected.

(1) 17-69200-TS-001, PROTROL* Software Quality Assurance Plan, Cover sheet and Table of Contents.

(2) 17-69200-TS-002, PROTROL* Software Verification and Validation Plan, Cover sheet and Table of Contents.

(3) 17-69200-TS-003, PROTROL* Software Configuration Management Plan, Cover sheet and Table of Contents.

(4) 17-69200-SDH-001, PROTROL* Software Designer's Handbook Part 1, Cover sheet and Table of Contents.

(5) 17-69200-SDH-002, PROTROL* Software Designer's Handbook Part 2, Cover sheet and Table of Contents.


(6) 17-69200-SDH-003, PROTROL* Software Designer's Handbook Part 3, Procedures, Cover sheet and Table of Contents.

(7) QA 17-60501-001, Project QA Plan, PSBR CSS Upgrade.

(8) Work Plan dated 09-May-05, Rev. 1, as edited for commercial confidentiality by R.D. Fournier on 91-06-19.

Sincerely,

G. A. Raiskums
AECL - Engineering Services

cc - W. Zolkiewicz (AECL-T)
T. McNeil

PENNSTATE

Radiation Science and Engineering Center
Penn State Breazeale Reactor
University Park, PA 16802
College of Engineering
Fax # (814) 663 4840, Tel # (814) 865 6351
An Equal Opportunity University

Fax cover sheet addressed to the US NRC. The Date, Confidential (yes/no), Routine/Urgent, number of pages, Fax #, Attn, Tel #, From, Subject and Message entries are handwritten and not legible in the scan.

Regards,

Acknowledgement of Receipt: Requested / Not Required

PENNSTATE

Charles L. Hosler
Senior Vice President for Research and Dean of the Graduate School
The Pennsylvania State University, University Park, PA

July 8, 1991

Nuclear Regulatory Commission
Document Control Desk
Washington, D.C. 20555

Re: Revision to the License, Technical Specifications, and Safety Analysis Report for the Penn State Breazeale Reactor, License No. R-2, Docket No. 50-05

Dear Sir or Madame:

The attached material is submitted in response to oral questions by the NRC concerning our original amendment request dated April 19, 1991. Included are: training plan, rationale for the watchdog circuit not being a Technical Specification, information on AECL's Quality Assurance Program, and proposed replacement pages to incorporate a watchdog scram in the Technical Specifications, if required. An exemption of fees for this licensing action is requested under the provisions of 10 CFR Part 170.11(a)(4).

If you have questions on this matter, please refer them directly to the principal author of the attachments, Daniel E. Hughes, or the director, Marcus H. Voth, at (814) 865-6351.

Sincerely,

Charles L. Hosler
Senior Vice President for Research and Dean of Graduate School

CLH:MHV/skr
Attachments
cc: Region I Administrator

Subscribed to and sworn before me on this ___ day of ___, 1991.

Notary Public in and for: Centre County, Pennsylvania

NOTARIAL SEAL
BONNIE K. EICHELBERGER, Notary Public
State College Boro, Centre Co., Pa.
My Commission Expires July 30, 1993

Rationale for the Watchdog Circuit not being a Technical Specification

7/2/91

A non power reactor facility such as the Penn State Breazeale Reactor (PSBR) is charged with the mission (1) to operate the reactor such that the health and safety of the public is not jeopardized and (2) to provide facilities for nuclear research, training and testing. To have Technical Specifications (TS) above and beyond those necessary to assure the first mission reduces the capability of the facility to fulfill its second mission. Unnecessary TS can reduce the flexibility and versatility of a facility and impact its limited resources adversely. Any unnecessary use of resources prevents those resources from being used in more productive ways.

One of the design criteria of the new console (NC) for the PSBR was that all of the current TS must be met using hardwired analog technology and that the failure of the computer must not disable the reactor safety system (RSS). That criterion was met. The fact that the computer can fail in many modes is inconsequential as long as any credible failure does not disable the RSS. To require a component to detect its own failure, when there is a redundant and diverse component that still protects the health and safety of the public, is not necessary and should not be a TS requirement.

All safety channels and interlocks required by the TS are implemented by the hardwired analog RSS. The protection, control and monitoring system (PCMS) duplicates and validates those required safety channels and interlocks. There are additional scrams and interlocks in the PCMS that are not required by the TS.

The NC's RSS is a complete functional duplication of the old console (OC) RSS. The PCMS communicates with the RSS through digital outputs (DO) (on/off) to configure the RSS appropriately for each mode. The same function is performed by the mode selector switch on the OC. A failure of the mode selector switch on the OC does not completely disable the RSS; the Limiting Safety System (LSS) is functional at all times and is independent of the mode. Likewise, the PCMS failure does not disable the NC's RSS. In fact, the design of the PCMS and the RSS make it more reliable and safe than the OC because it does self-checks of its software and hardware and a hardwired status light is displayed if the high power scrams are bypassed. In addition, the NC utilizes two SCRAM buses with the power range high power SCRAM relay in one bus and the wide range high power SCRAM relay in the other; it takes two DOs from the PCMS to energize relays to bypass both high power scrams.

On the OC, the mode selector switch cannot detect its own failure and initiate a SCRAM automatically; obviously this is not required by the TS. On the NC, a watchdog SCRAM (which detects some failures of the PCMS) should not be required by the TS. The fact that it is possible to detect failures of the PCMS is not sufficient reason to make it a TS requirement.

One suggestion is that a watchdog circuit SCRAM should be required by the TS because it assures that the data displayed on the CRT to the operator is near real time and correct. This basis has not been the precedent with other digital control systems such as General Atomic's (GA) or Armed Forces Radiobiological Research Institute's (AFRRI) or in parameter display systems such as that of GA or the University of Michigan.

Operators are trained to observe all the data that is displayed, compare that data, assess the validity and act to maintain the reactor in a safe condition. The analog displays of the new console are within comfortable view of the operator and all channels are displayed. There are no embedded processors between the analog displays and the detectors. Redundancy and diversity ensure that no single failure will compromise all the data to the RSS, PCMS or the operator. The new console has further redundancy. The PCMS CRT displays the same data as the analog displays. If the CRT fails, the backups are the analog displays; if the analog displays fail, the backups are other analog displays and/or the CRT displays.

There are several modes of failure that will lead to bad data as an input to the analog displays, the CRT displays, the auto controller, or the SCRAM comparators. One mode of such a failure is a failure of a safety channel anywhere from the detector to the input to the SCRAM comparator, analog displays or the PCMS. The power channels can fail if the high voltage bias supplies fail. Both the OC and the NC have scrams that initiate on loss or degradation of the high voltage bias supplies. A loss of sensitivity of the detector is a failure that neither the OC nor the NC can directly detect. Any single channel may fail abruptly, or worse, slowly drift out of calibration. If the linear channel is the one that fails or loses sensitivity and the system is in auto mode, the controller may maintain power based on the linear channel while actual power is driven higher. If this particular failure occurs, the data displayed to the operator, data input to the auto control system, or the data to a SCRAM comparator may not be correct. Failure of one safety channel is tolerable in the SAR of the OC or the NC because:

1. The operator is trained to view and compare redundant and diverse channel displays and make decisions as to the validity of the data before acting.

2. If an operator initiates an action based on bad data, the redundant and diverse safety channels will act to shut down the reactor if the power or temperature exceed the setpoints.

3. Redundancy and diversity designed into the RSS assures that the RSS will perform its function adequately.

4. If the auto controller has bad data as an input, the redundant and diverse safety channels will SCRAM the reactor if the power or temperature exceed the setpoints.

Watchdog circuits, as now implemented, do not check the validity of the signal that is the input to the system, yet a spread validation between power channels or thermocouple (TC) channels is not required by the TS. The PCMS does perform a power channel spread validation and will initiate a stepback if a failure of that validation is detected. Although it is part of the PCMS, it is not and should not be part of the TS because the RSS is designed to protect the reactor in such a failure.

Another mode of failure that will cause bad data to be displayed on the CRT is one that causes the CRT to freeze on an unchanging screen. If the freeze is due to a failure that is not detectable by self-checks or prevents resetting of the watchdog circuit, the reactor will not SCRAM. If there is no watchdog SCRAM, then the computer is operating properly except for the CRT. Therefore, all the RSS safety features continue to be functional; the auto controller of the PCMS, if engaged, remains functional; and the analog displays will continue to display good data. If all of those features are functional, the reactor continues to operate safely. This mode of failure that causes bad data to be displayed to the operator is more safe than the other mode of failure discussed above. If the screen is frozen in this failure mode, the operator will notice that:

1. The clock does not update.

2. The normal random noise is not present on the data displays.

3. Data does not change if there is an attempt to move control rods, access other screens, or any other function that may be part of normal operation.

A properly trained operator will be comparing data between the CRT display and the analog display continuously, especially if a change is anticipated or attempted. There is no operation that an operator can initiate, based on bad data displayed on the CRT, that will prevent the RSS from maintaining the reactor in a safe condition. Watchdog circuits, as they are presently implemented, will not detect either of the above two modes of failure that may lead to a frozen CRT or bad data on the CRT.
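The distinction drawn above, between a watchdog that checks liveness and checks that validate data, can be seen in a small model. This is an added example, not part of the original submittal or of AECL's software: a tick-based Python model of the timer-and-relay watchdog, run over constructed failure scenarios. The timing interval, the spread tolerance and all class and function names are assumptions made for illustration.

```python
"""Tick-based model of a timer-and-relay watchdog and PCMS failure modes (added example)."""
from dataclasses import dataclass

TIMING_INTERVAL = 3      # ticks; assumed value, the page gives no interval
SPREAD_TOLERANCE = 0.10  # assumed allowed fractional spread between power channels


class WatchdogCircuit:
    """Timer plus relay: the relay stays energized only while the timer is reset in time."""

    def __init__(self, interval):
        self.interval = interval
        self.remaining = interval
        self.relay_energized = True

    def reset(self):
        # A reset reloads the timer; it cannot re-energize a relay that already dropped out.
        if self.relay_energized:
            self.remaining = self.interval

    def tick(self):
        if self.relay_energized:
            self.remaining -= 1
            if self.remaining <= 0:
                self.relay_energized = False  # de-energized relay causes the SCRAM

    @property
    def scram(self):
        return not self.relay_energized


@dataclass
class Cycle:
    """One constructed PCMS cycle: state of the computer and of its inputs."""
    loop_runs: bool = True        # False models a hung computer
    self_check_ok: bool = True    # result of the software/hardware self-checks
    crt_updates: bool = True      # False models a frozen screen
    linear_power: float = 0.50    # fraction of full power read by the linear channel
    percent_power: float = 0.50   # same quantity read by the percent power channel


def spread_ok(cycle):
    """Power channel spread validation: compare redundant channels with each other."""
    ref = max(cycle.linear_power, cycle.percent_power, 1e-9)
    return abs(cycle.linear_power - cycle.percent_power) / ref <= SPREAD_TOLERANCE


def run(cycles):
    """Run a scenario and report which mechanism, if any, reacted."""
    wd = WatchdogCircuit(TIMING_INTERVAL)
    result = {"watchdog_scram": False, "stepback": False, "stale_crt_ticks": 0}
    for c in cycles:
        if c.loop_runs:
            if not spread_ok(c):
                result["stepback"] = True       # data check, independent of the watchdog
            if not c.crt_updates:
                result["stale_crt_ticks"] += 1  # operator sees a frozen screen
            if c.self_check_ok:
                wd.reset()                      # reset is withheld when a self-check fails
        wd.tick()
        if wd.scram:
            result["watchdog_scram"] = True
            break
    return result


# Constructed scenarios: five healthy cycles followed by five cycles of one failure mode.
HEALTHY = [Cycle()] * 5
SCENARIOS = {
    "healthy": HEALTHY,
    "computer_hang": HEALTHY + [Cycle(loop_runs=False)] * 5,
    "self_check_failure": HEALTHY + [Cycle(self_check_ok=False)] * 5,
    "frozen_crt": HEALTHY + [Cycle(crt_updates=False)] * 5,
    # Linear channel loses sensitivity: it keeps reading 0.50 while actual power rises.
    "drifting_linear_channel": HEALTHY
    + [Cycle(percent_power=0.50 + 0.04 * i) for i in range(1, 6)],
}

if __name__ == "__main__":
    for name, cycles in SCENARIOS.items():
        print(f"{name:26s} {run(cycles)}")
```

In this model the watchdog trips only when resets stop arriving; the frozen screen and the drifting channel both leave it energized, and only the separate spread check reacts to the drift.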

Bad data displayed on the CRT is not desirable, but it is not an unsafe condition unless accompanied by an incredible, simultaneous and complete failure of the RSS. Even in that case, the TRIGA fuel system provides added safeguards that are not present in other types of reactors. By the definition of a safety-related system in Regulatory Guide 1.152 (Criteria for Programmable Digital System Software in Safety-Related Systems of Nuclear Power Plants, U. S. Nuclear Regulatory Commission, Nov 1985) the CRT display is not a safety-related system; a safety related system being defined as one that is required to remain functional during a design basis event in order to protect the health and safety of the public.

Based on the above analysis, we do not believe that making the watchdog circuit SCRAM a safety channel required by the TS is warranted. The watchdog SCRAM is part of the SAR as described in Chapter 7. If there is a change in the watchdog SCRAM, it will have to be reviewed to determine if there is an unreviewed safety question under the 10 CFR 50.59 criteria. If there is an unreviewed safety question, the amendment process would be required for the change. If not, the NRC would be informed by the usual methods of the 10 CFR 50.59 change. The present watchdog circuit increases the reliability of the system by being an on-line diagnostic tool. We do not believe that any computer system associated with the reactor should be without a watchdog circuit. However, since the RSS remains functional and meets the single failure criteria, a TS requirement that the PCMS should detect its own failure and SCRAM the reactor is not necessary. With the OC, the individual channels do not detect their own failure and do not SCRAM the reactor if a failure is detected; to place such TS requirements on the NC is not appropriate.

Review of amendments issued by the NRC to GA and AFRRI for digital console upgrades and the implementation of parameter display systems by GA and the University of Michigan presents a very confusing history of watchdog circuits. The amendments for the digital console upgrades state bases that are different in both cases. In the case of GA, amendment No. 29 indicates that a watchdog safety channel is "... applicable when computers are utilized to perform reactor control functions". The AFRRI amendment No. 19, for a very similar system, requires a watchdog safety channel to "... insure adequate communication between the Data Acquisition Computer (DAC) and the Control System Computer (CSC) units". The GA console utilizes the very same communications link between the DAC and the CSC as the AFRRI system. The AFRRI console utilizes the computer for control. If either basis is appropriate they should both be part of each TS change. In addition, neither TS change states that integrity of the CRT data display is a basis for the watchdog safety channel requirement, defines minimum design specifications for the watchdog circuit, indicates the frequency or the extent of the surveillance, or indicates the length of the time interval that is appropriate for the watchdog circuit.

The parameter display systems (GA and University of Michigan) were approved for implementation by local review under 10 CFR 50.59. The data of these systems is displayed to the reactor operator, but there has been no TS change requiring a watchdog safety channel. Likewise, many control rooms have parameter displays ranging from strip chart recorders to digital system CRT displays that have no TS requirements for watchdog circuits. In summary, there is no clear precedent for a minimum watchdog circuit, a basis for a watchdog circuit, surveillance requirements for a watchdog circuit, or minimum design specifications for a watchdog circuit. A TS requirement for the Penn State PCMS watchdog SCRAM would set an adverse precedent for parameter display systems at all non power reactor facilities.

We do not agree that the PCMS watchdog circuit should be part of the TS as defined in 10 CFR Part 50.36. However, if the commission finds that a TS must be imposed, we propose a change as indicated by the enclosed replacement pages. The basis will be that a watchdog circuit will reduce the time that a reactor stays at power when the PCMS computer has a fatal failure in any of the software or hardware self-checks. The surveillance required will be that the watchdog circuit will SCRAM the reactor when any single self-check fails. Since it is not possible to cause each of the self-checks to fail independently, it is not possible to test each self-check. A minimum design specification for a watchdog circuit will not be proposed.

reactive rod is in its most reactive position, and that the reactor will remain subcritical without further operator action.

1.1.42 SQUARE WAVE OPERATION

Square wave (SW) operation shall mean operation of the reactor with the mode selector switch in the square wave position which allows the operator to insert preselected reactivity by the ejection of the transient rod, and which results in a maximum power of 1 MW or less.

1.1.43 TRIGA FUEL ELEMENT

A TRIGA fuel element is a single TRIGA fuel rod of standard type, either 8.5 wt% U-ZrH in stainless steel cladding or 12 wt% U-ZrH in stainless steel cladding enriched to less than 20% uranium-235.

1.1.44 WATCHDOG CIRCUIT

A watchdog circuit is a circuit consisting of a timer and a relay. The timer energizes the relay as long as it is reset prior to the expiration of the timing interval. If it is not reset within the timing interval, the relay will de-energize thereby causing a SCRAM.

2.0 SAFETY LIMIT AND LIMITING SAFETY SYSTEM SETTING

2.1 SAFETY LIMIT-FUEL ELEMENT TEMPERATURE

Applicability

The safety limit specification applies to the maximum temperature in the reactor fuel.

Objective

The objective is to define the maximum fuel element temperature that can be permitted with confidence that no damage to the fuel element and/or cladding will result.

Specifications

The temperature in a water cooled TRIGA fuel element shall not exceed 1150°C under any operating condition.

Basis

The important parameter for a TRIGA reactor is the fuel element temperature. This parameter is well suited as a single specification especially since it can be measured at a point within the fuel element. The measured fuel temperature is directly related to the maximum fuel temperature of the region. A loss in the integrity of the fuel element cladding could arise from a build-up of excessive pressure between the fuel-moderator and the cladding if the maximum fuel temperature exceeds 1150°C. The pressure is caused by the presence of air, fission product gases, and hydrogen from the dissociation of the hydrogen and zirconium in the fuel-moderator. The magnitude of this pressure is determined by the fuel-moderator temperature, the ratio of hydrogen to zirconium in the alloy, and the rate change in the pressure.

Amendment No.

The safety limit for the standard TRIGA fuel is based on data, including the large mass of experimental evidence obtained during high performance reactor tests on this fuel. These data indicate that the stress in the cladding due to the increase in the hydrogen pressure from the dissociation of zirconium hydride will remain below the ultimate stress provided that the temperature of the fuel does not exceed 1150°C (2102°F) and the fuel cladding is water cooled. See Safety Analysis Report, Ref. 13 in section IX and Simnad, M.T., F.C. Foushee, and G.B. West, "Fuel Elements for Pulsed Reactors," Nucl. Technology, Vol. 28, p. 31-56 (January 1976).

2.2 LIMITING SAFETY SYSTEM SETTING (LSSS)

Applicability

The LSSS specification applies to the scram setting which prevents the safety limit from being reached.

Objective

The objective is to prevent the safety limit (1150°C) from being reached.

Specifications

The limiting safety system setting shall be a maximum of 700°C as measured with a 12 wt% U-ZrH instrumented fuel element. The instrumented fuel element shall be located in the B-ring and adjacent to an empty fuel position when an empty fuel position exists in the B-ring.

Basis

The limiting safety system setting is a temperature which, if reached, shall cause a reactor scram to be initiated preventing the safety limit from being exceeded. Experiments and analyses described in the Safety Analysis Report, Section IX - Safety Evaluation, show that the measured fuel temperature at steady state power has a simple linear relationship to the normalized power or power of the highest powered fuel element in the core. Maximum fuel temperature occurs when a new 12 wt% U-ZrH fuel element is placed in the B-ring of the core. The measured fuel temperature during steady state operation is close to the maximum fuel temperature. Thus, 450°C of safety margin exists before the 1150°C safety limit is reached. This safety margin provides adequate compensation for using a depleted instrumented 12 wt% U-ZrH fuel element instead of an unirradiated one to measure the fuel temperature. See Safety Analysis Report, Section IX.

In the pulse mode of operation, the same limiting safety system setting shall apply. However, the temperature channel will have no effect on limiting the peak power generated, because of its relatively long time constant (seconds), compared with the width of the pulse (milliseconds). In this mode, however, the temperature trip will act

thermocouple. Hence, when either the linear, percent power, or temperature scram occurs, the maximum fuel temperature will be far below the 1150°C safety limit.

2.3 REACTOR CONTROL SYSTEM

Applicability

This specification applies to the information which must be available to the reactor operator during reactor operation.

Objective

The objective is to require that sufficient information is available to the operator to assure safe operation of the reactor.

Specification

The reactor shall not be operated unless the measuring channels listed in Table 1 are operable. (Note that MN, AU and SW are abbreviations for manual, automatic and square wave, respectively.)

Table 1 Measuring Channels

Measuring Channel | Min. No. Operable | Effective Mode
Fuel Element Temperature | 1 | X X X
Linear Power | 1 | X X
Percent Power | 1 | X X
Pulse Peak Power | 1 | X
Count Rate | 1 | X
Log Power | 1 | X X
Reactor Period | 1 | X

Basis

Fuel temperature displayed at the control console gives continuous information on this parameter which has a specified safety limit. The power level monitors assure that the reactor power level is adequately monitored for the manual, automatic, square wave and pulsing modes of operation. The specifications on reactor power level and reactor period indications are included in this section to provide assurance that the reactor is operated at all times within the limits allowed by these Technical Specifications.

3.2.4 REACTOR SAFETY SYSTEM AND INTERLOCKS

Applicability

This specification applies to the reactor safety system channels, the interlocks, and the watchdog circuit.

Objective

The objective is to specify the minimum number of reactor safety system channels and interlocks that must be operable for safe operation.

Specification

The reactor shall not be operated unless all of the channels and interlocks described in Table 2a and Table 2b are operable.

Table 2a Minimum PSBR Channels

Channel | Number Operable | Function | Effective Mode
Fuel Temperature | 1 | SCRAM ≥ 700°C | X X X
High Power | 2 | SCRAM ≤ 110% of 1 MW | X X
Detector Power Supply | 1 | SCRAM on failure of supply voltage | X X
Scram Bar on Console | 1 | Manual Scram | X X X
Preset Timer | 1 | Transient rod scram 15 seconds or less after pulse | X
Watchdog Circuit | 1 | SCRAM on software or self check failure | X X

Table 2b Minimum PSBR Interlocks

Interlocks | Number Operable | Function | Effective Mode
Source Level | 1 | Prevent rod withdrawal with less than two neutron induced counts per second on the startup channel | X
Log Power | 1 | Prevent pulsing from levels above 1 kW | X
Transient Rod | 1 | Prevent applications of air unless cylinder is fully inserted | X
Shim, Safety, and Regulating Rod | 1 | Movement of any rod except transient rod | X
Simultaneous Rod Withdrawal | 1 | Prevents simultaneous manual withdrawal of two rods | X X

Basis

A temperature scram and two power level scrams provide automatic protection to assure that the reactor is shut down before the safety limit on the fuel element temperature will be exceeded. The manual scram allows the operator to shut down the system in any mode of operation if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety chambers, operation of the reactor without adequate instrumentation is prevented. The preset timer insures that the transient rod will be inserted and the reactor will remain at low power after pulsing. The watchdog circuit will scram the reactor if the software or the self checks fail (see Safety Analysis Report, Chapter VII, sections H.2.d and 1.4). In the pulse mode, movement of any rod except the transient rod is prevented by an interlock. This interlock action prevents the addition of reactivity over that in the transient rod. The interlock to prevent startup of the reactor with less than 2 cps assures that sufficient neutrons are available for proper startup in all relevant modes of operation. The interlock to prevent the initiation of a pulse above 1 kW is to assure that the magnitude of the pulse will not cause the safety limit to be exceeded. The interlock to prevent application of air to the transient rod unless the cylinder is fully inserted is to prevent pulsing the reactor in the manual mode. Simultaneous manual withdrawal of two rods is prevented to assure the reactivity rate of insertion is not exceeded.

3.2.5 CORE LOADING AND UNLOADING OPERATION

Applicability

This specification applies to the low count rate interlock.

Objective

The objective of this specification is to eliminate interference with fuel loading procedures.

Specification

During core loading and unloading operations when the reactor is subcritical, the low count rate interlock may be momentarily defeated using a spring loaded switch in accordance with the fuel loading procedure.

Basis

During core loading and unloading, the reactor is subcritical. Thus, momentarily defeating the count rate is a safe operation. Should the core become inadvertently supercritical, the accidental insertion of reactivity will not allow fuel temperature to exceed the 1150°C safety limit because no single TRIGA fuel element is worth more than 1% Δk/k in the most reactive core position.

3.2.6 SCRAM TIME

Applicability

This specification applies to the time required to fully insert any control rod to a full down position from a full up position.

Objective

The objective is to achieve rapid shutdown of the reactor to prevent fuel damage.

Specification

The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second.

Basis

This specification assures that the reactor will be promptly shut down when a scram signal is initiated. Experience and analysis, Section IX, SAR, have indicated that for the range of transients anticipated for a TRIGA reactor, the specified scram time is adequate to assure the safety of the reactor. If the scram signal is initiated at 1.10 MW, while the control rod is being withdrawn,

insertion rates, and the reactivity worth of experiments inserted in the core.

4.2.2 REACTIVITY INSERTION RATE

Applicability

This specification applies to control rod movement speed.

Objective

The objective is to assure that the reactivity addition rate specification is not violated and that the control rod drives are functioning.

Specification

The rod drive speed both up and down and the time from scram initiation to the full insertion of any control rod from the full up position shall be measured annually, not to exceed 15 months, or when any significant work is done on the rod drive or the rod.

Basis

This specification assures that the reactor will be promptly shut down when a scram signal is initiated. Experience and analysis have indicated that for the range of transients anticipated for a TRIGA reactor, the specified scram time is adequate to assure the safety of the reactor. It also assures that the maximum reactivity addition rate specification will not be exceeded.

4.2.3 REACTOR SAFETY AND CONTROL SYSTEMS

Applicability

The specifications apply to the surveillance requirements for measurements, channel tests, and channel checks of the reactor safety systems and watchdog circuit.

Objective

The objective is to verify the performance and operability of the systems and components that are directly related to reactor safety.

Specifications

a. A channel test of the scram function of the high power, fuel temperature, manual, and preset timer safety channels shall be made on each day that the reactor is to be operated, or prior to each operation that extends more than one day.

b. A channel test of the detector power supply SCRAM function and the watchdog circuit shall be performed annually, not to exceed 15 months.

c. Channel checks for operability shall be performed daily on fuel element temperature, linear power, count rate, log power and reactor period when the reactor is to be operated, or prior to each operation that extends more than one day.

d. The percent power channel shall be compared with other independent channels for proper channel indication, when appropriate, each time the reactor is operated.

e. The pulse peak power channel shall be compared to the fuel temperature each time the reactor is pulsed, to assure proper peak power channel operation.

Basis

TRIGA system components have proven operational reliability. Daily channel tests insure accurate scram functions and insure the detection of possible channel drift or other possible deterioration of operating characteristics. The channel checks will make information available to the operator to assure safe operation on a daily basis or prior to an extended run. An annual channel test of the detector power supply scram will assure that this system works, based on past experience as recorded in the operation log book. An annual channel test of the watchdog circuit is sufficient to assure operability. Comparison of the percent power channel with other independent power channels will assure the detection of channel drift or other possible deterioration of its operational characteristics. Comparison of the peak pulse power to the fuel temperature for each pulse will assure the detection of possible channel drift or deterioration of its operational characteristics.

4.2.4 REACTOR INTERLOCKS

Applicability

This specification applies to the surveillance requirements for the reactor control system interlocks.

Objective

The objective is to insure performance and operability of the reactor control system interlocks.

Specification

a. A channel check of the source interlock shall be performed each day that the reactor is operated or prior to each operation that extends more than one day.

b. A channel test shall be performed semi-annually, not to exceed 7 months, on the log power interlock which prevents pulsing from power levels higher than one kilowatt.


PSBR Console Replacement Training

This training plan is designed to prepare current licensed reactor operators and senior reactor operators for operations on the new reactor control system. As the intended recipients of this training already hold NRC licenses for PSBR, the plan does not include training or instruction in reactor theory, radiation safety, water handling, or any other aspects of operation not affected by the console replacement. This is a preliminary plan, and will be modified as the need arises. Supplementary help will be provided for the individual licensed operator who may not have any experience with digital computers.

Computer Concepts:

3 lectures with demonstrations, 4 1/2 hrs.

R. Gould, Project Assistant

Objective: To familiarize licensed operators with basic computing concepts to provide background for understanding specifics of the new control system.

Computer Architecture: Overview.

Microprocessors Memory Bits & Bytes I/O Storage Bus Peripherals Applications of Computers

Software Systems vs. applications e.g. DOS vs. Wordperfect

Programming Basics the 'idea' of programs and how they run instructions concept: instruction cycles subroutines / tasks e.g. MSG task in PSBRX flow / block diagrams

Hardware I/O with peripheral or intelligent devices

Signals Digital vs. Analog A to D D to A Digital I/O e.g. relays for output switch closure for input Example: New Console Motor Interface

Control System Overview:

1 lecture with demonstrations, 1 hr.

R. Gould, Project Assistant.

Objective: To provide an overview of the major subsystems of the new console.

RSS (Reactor Safety System)

Wide Range Monitor - log, linear, log rate channels Power Range Monitor - linear, pulse, 2 Thermocouples Hardwired RSS relay logic for SCRAMS and interlocks

PCMS (Protection, Control and Monitoring System)

DCC-X (Digital Control Computer - X) I/O for field devices Motors and controllers RSS signals Watchdog DCC-Z DCC-Z LAN and DCC-M historical data printer

Subsystems Descriptions:

2 lectures, 3 hrs.

R. Gould, Project Assistant.

Objective: To describe the function and architecture of the RCS (Reactor Control System) subsystems, and to provide an overview of PSBR software function and architecture.

RSS console switches for SCRAMS and interlocks signal processors for power and temperature annunciators SCRAM logic in detail transient air and rod drive interlocks

Instrumentation Wide range fission chamber theory and operation Power Range Monitor GIC Thermocouples PCMS Block Diagram

Hardware DCC-X and DCC-Z serial link I/O Chassis AI AO DI DO Watchdog Motors and Controllers LAN, DCC-M Functions Reactor Control and Regulation 4 operating modes Reactor Protection SCRAMS Interlocks Stepbacks Facilities Systems Support

Documentation: All licensed operators to receive copies of all transparencies used in lectures as well as the following:

Appendix B License Amendment Safety Evaluation of the Reactor Console Change

Chapter VII, License Amendment Reactor Safety Protection, Control and Monitoring System

Operating Manual PSBR Control and Safety System Upgrade, AECL Document OM-17 60501-001

Hands-On Console Training:

Individual training sessions, 1 hr. each.

R. Gould, Project Assistant

Objective: To familiarize licensed operators with the controls layout of the new console, as well as an overview of the software.

Layout

SCRAM and Rod Control Panel SCRAM and Alarm Panel Wide Range Monitor Power Range Monitor

PSBRX and PSBRZ Software Overview

Operator Display annunciators mode selection power / temp / period displays control rod mimics reactivity display 9 alarm displays 4 mode displays manual auto square wave pulse Operator Controls rod worth lookup facility controls pulse data Message log Bar graph displays Trend displays Time Historical Maintenance Menus

Simulated Reactor Operations (prior to installation):

2 1 hr. sessions, supervised by:

D.E. Hughes, Mgr. Engineering Services, Senior Reactor Operator.

M.E. Bryan, Sr. Electronic Designer, Senior Reactor Operator.

2 1 hr. sessions, unsupervised.

Additional supervised training will be provided as needed for each licensed operator.

Objective: To familiarize licensed operators with new console operations.

Particular emphasis will be placed on modified versions of the following procedures making use of new or different features of the new console.

SOP-1 Reactor Operating Procedure.

SOP-2 Daily Checkout Procedure.

SOP-4 Radiation, Evacuation and Alarm Checks.

These training sessions will make use of the PSBRXMDL or "model" version of the software supplied by AECL. This software simulates reactor inputs to the console in a realistic manner.

The following operations will be included, similar to those included in AP-3 Operator and Senior Operator Requalification:

Reactor start-up to include a range where reactivity feedback from nuclear heat addition is noticeable.

Reactor shutdown.

Power change in manual rod control greater than 10%.

Power change in automatic rod control (1, 2, and 3 rod) greater than 10%.

Power change using square wave mode (1, 2, 3 rod).

Power change using pulse mode. Note: The PSBRXMDL software does not simulate TRIGA pulses; however, they may be initiated, with no subsequent power excursion.

Reactor Operations (after installation):

2 1 hr. sessions, supervised by:

D.E. Hughes, Mgr. Engineering Services, Senior Reactor Operator.

M.E. Bryan, Sr. Electronic Designer, Senior Reactor Operator.

Additional supervised training will be provided as needed for each licensed operator.

Objective: To familiarize licensed operators with new console operations with the TRIGA as input to the system, as the model software behavior may be slightly different from the actual reactor. Particular emphasis will again be placed on modified versions of the following procedures making use of new or different features of the new console:

SOP-1 Reactor Operating Procedure.

SOP-2 Daily Checkout Procedure.

SOP-4 Radiation, Evacuation and Alarm Checks.

These training sessions will make use of the PSBRX version of the software supplied by AECL. This software uses the TRIGA for input to the system, and will be used for standard operations.

The following operations will be included, similar to those included in the current AP-3 Operator and Senior Operator Requalification:

Reactor start-up to include a range where reactivity feedback from nuclear heat addition is noticeable.

Reactor shutdown.

Power change in manual rod control greater than 10%.

Power change in automatic rod control (1, 2, and 3 rod) greater than 10%.

Power change using square wave mode (1, 2, 3 rod).

Power change using pulse mode.

Operator and Senior Operator Qualification

Objective: To assure that all licensed operators and senior operators will obtain competence in operating the new console.

The above training plan will culminate in an oral examination / operating test. These examinations will be tailored specifically to topics impacted by the installation of the new console. They will choose a representative sample of questions on, and demonstrations of the following:

Performance of pre-startup (reactor checkout) procedure.

Manipulation of the console controls as required to operate the facility between shutdown and designated power levels.

Identification of annunciators and condition indicating signals and performance or description of appropriate remedial actions.

Identification of the instrumentation systems and the significance of those instrument readings.

Observation and safe control of the operating behavior characteristics of the facility.

Description or performance of control manipulations required to obtain desired operating results during normal, abnormal, and emergency situations.

Navigation to and from all displays, operation of message, trend, and bar graph modes.

An oral examination / operating test checklist will be filled out by the evaluator (D.E. Hughes or M.E. Bryan) for all licensed operators and graded on a pass/fail basis.

AECL EACL

AECL CANDU EACL CANDU

file: 17-60501-000-000

1991 July 23

Mr. D. Hughes
Penn State Breazeale Reactor,
The Pennsylvania State University, University Park, PA, 16802.

Subject: PSBR Console - PSU Purchase Order 259725 B
Handling of Proprietary Information for Licensing

Dear Mr. Hughes,

This letter gives you permission to make a limited number of copies of the protected - proprietary information listed below. Such copies may be issued to the U.S. Nuclear Regulatory Commission for licensing purposes.

(1) 17-69200-TS-001, PROTROL* Software Quality Assurance Plan
Cover sheet and Table of Contents.

(2) 17-69200-TS-002, PROTROL* Software Verification and Validation Plan
Cover sheet and Table of Contents.

(3) 17-69200-TS-003, PROTROL* Software Configuration Management Plan
Cover sheet and Table of Contents.

(4) 17-69200-SDH-001, PROTROL* Software Designer's Handbook Part 1.
Cover sheet and Table of Contents.

(5) 17-69200-SDH-002, PROTROL* Software Designer's Handbook Part 2.
Cover sheet and Table of Contents.

(6) 17-69200-SDH-003, PROTROL* Software Designer's Handbook Part 3 Procedures.
Cover sheet and Table of Contents.

(7) QA 17 60501001, Project QA Plan, PSBR CSS Upgrade.
Any pages as required.

(8) Work Plan dated #9 May 05, Rev. 1, as edited for commercial confidentiality by R.D. Foumler on 91419.

Sincerely,

G. A. Raiskums
AECL - Engineering Services

cc W. Zolkiewicz (AECL 7)
T. McNeil

PENNSTATE

University Park, PA 16802

July 25, 1991

Nuclear Regulatory Commission
Document Control Desk
Washington, D. C. 20555

Re: Information Supplementing 7/8/91 Request for Revision to the License, Technical Specifications and Safety Analysis Report for the Penn State Breazeale Reactor, License No. R-2, Docket No. 50-05

Dear Sir or Madam:

The attached letter from Gilbert Raiskums, AECL, to Daniel Hughes is submitted in response to oral questions by the NRC concerning our original amendment request dated April 19, 1991. The letter gives Mr. Hughes permission to issue the listed protected proprietary documents to the NRC in support of the above amendment request.

If you have questions on this matter, please refer them directly to the principal author of the attachments, Daniel E. Hughes, or the director, Marcus H. Voth at (184) 865-6351.

Sincerely,

Marcus H. Voth
Associate Professor, Nuclear Engineering
Director, Radiation Science and Engineering Center

MHV/kmc

Attachments

pc: Region 1 Administrator
Charles L Hosler
