ML21036A300


Enclosure 3: Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute Triga Reactor
Site: Armed Forces Radiobiology Research Institute
Issue date: 02/05/2021
From: US Dept of Defense, Armed Forces Radiobiology Research Institute, Uniformed Services Univ. of the Health Sciences
To: Office of Nuclear Reactor Regulation
Shared Package: ML21036A296


Text

Enclosure 3 - Redacted - Available to the Public

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor

5 February 2021

Table of Contents

AFRRI Digital Instrumentation and Control Summary of Changes
1 Data Acquisition Cabinet (DAC) - Component #1
1.1 NP-1000 Linear Power Channel - Component 1a
1.1.1 Design Function
1.1.2 Description of Old NP-1000
1.1.3 Comparison of Old NP-1000 vs. New NP-1000
1.1.4 Detailed Description of New NP-1000
1.1.5 Safety Analysis
1.1.6 Technical Specifications
1.1.7 Quality Assurance
1.2 NPP-1000 Linear Power Pulsing Channel - Component 1b
1.2.1 Design Function
1.2.2 Description of Old
1.2.3 Comparison of Old vs. New
1.2.4 Detailed Description of New
1.2.5 Safety Analysis
1.2.6 Technical Specifications
1.2.7 Quality Assurance
1.3 NLW-1000 Log Power Channel with PA-1000 Preamplifier - Component 1c
1.3.1 Design Function
1.3.2 Description of Old
1.3.3 Comparison of Old vs. New
1.3.4 Detailed Description of New
1.3.5 Safety Analysis
1.3.6 Technical Specifications
1.3.7 Quality Assurance
1.3.8 List of Deployments at other Facilities
1.4 NMP-1000 Multi-range Linear Channel - Component 1d
1.4.1 Design Function
1.4.2 Description of Old
1.4.3 Comparison of Old vs. New
1.4.4 Detailed Description of New
1.4.5 Safety Analysis
1.4.6 Technical Specifications
1.4.7 Quality Assurance
1.4.8 List of Deployments at other Facilities
1.5 NFT-1000 Fuel Temperature Channels - Component 1e
1.5.1 Design Function
1.5.2 Description of Old
1.5.3 Comparison of Old vs. New
1.5.4 Detailed Description of New
1.5.5 Safety Analysis
1.5.6 Technical Specifications
1.5.7 Quality Assurance
1.6 Scram Loop - Component 1f
1.6.1 Design Function
1.6.2 Description of Old
1.6.3 Comparison of Old vs. New
1.6.4 Detailed Description of New
1.6.5 Safety Analysis
1.6.6 Technical Specifications
1.6.7 Quality Assurance
1.6.8 List of Deployments at other Facilities
1.7 Rod Control and Rod Drives - Component 1g
1.7.1 Design Function
1.7.2 Description of Old Control Rod Drive Mechanisms (CRDM)
1.7.3 Comparison of Old CRDM vs. New CRDM
1.7.4 Detailed Description of New CRDM
1.7.5 Safety Analysis
1.7.6 Technical Specifications
1.7.7 Quality Assurance
1.7.8 List of Deployments at other Facilities
1.8 Process Instrumentation - Component 1h
1.8.1 Primary Water Temperature Measuring Channels
1.8.2 Pool Level Measuring Channel
1.8.3 Safety Analysis
1.8.4 Technical Specifications
1.8.5 Quality Assurance
2 Facility Interlock System - Component 2
2.1 Design Function
2.2 Description of Old
2.3 Comparison of Old vs. New
2.4 Detailed Description of New
2.4.1 Interlocks
2.4.2 Reactor Tank Lead Shield Door
2.4.3 Core Support Carriage
2.4.4 Exposure Room Plug Doors
2.5 Safety Analysis
2.6 Technical Specifications
2.7 Quality Assurance
3 Control System Console - Digital - Component 3
3.1 Rod Control Panel - Component 3a
3.1.1 Design Function
3.1.2 Description of Old
3.1.3 Comparison of Old vs. New
3.1.4 Detailed Description of New
3.1.5 Safety Analysis
3.1.6 Technical Specifications
3.1.7 Quality Assurance
3.2 Reactor Mode Control Panel - Component 3b
3.2.1 Design Function
3.2.2 Description of Old
3.2.3 Comparison of Old vs. New
3.2.4 Detailed Description of New
3.2.5 Safety Analysis
3.2.6 Technical Specifications
3.2.7 Quality Assurance
3.3 CCS Computer - Component 3c
3.3.1 Design Function
3.3.2 Description of Old
3.3.3 Comparison of Old vs. New
3.3.4 Detailed Description of New
3.3.5 Safety Analysis
3.3.6 Technical Specifications
3.3.7 Quality Assurance
3.4 UIT Computer - Component 3d
3.4.1 Design Function
3.4.2 Description of Old
3.4.3 Comparison of Old vs. New
3.4.4 Detailed Description of New
3.4.5 Safety Analysis
3.4.6 Technical Specifications
3.4.7 Quality Assurance
3.5 Bargraphs - Component 3e
3.5.1 Design Function
3.5.2 Description of Old
3.5.3 Comparison of Old vs. New
3.5.4 Detailed Description of New
3.5.5 Safety Analysis
3.5.6 Technical Specifications
3.5.7 Quality Assurance
3.6 Recorders - Component 3f
3.6.1 Design Function
3.6.2 Description of Old
3.6.3 Comparison of Old vs. New
3.6.4 Detailed Description of New
3.6.5 Safety Analysis
3.6.6 Technical Specifications
3.6.7 Quality Assurance
4 References


Appendix A - Summary Table WAS/IS
Appendix B - Photos of Components
Appendix B.1 - Data Acquisition Cabinet
Appendix B.2 - Facility Interlock System
Appendix B.3 - Control System Console

List of Tables

Table 1 - Data Acquisition Cabinet - Comparison of Old vs. New
Table 2 - List of Trips Associated with the NP-1000
Table 3 - List of Trips Associated with the NPP-1000
Table 4 - List of Interlocks Associated with the NLW-1000
Table 5 - Representative Data for the Standard Control Rods
Table 6 - List of Trips Associated with the NMP-1000
Table 7 - List of Trips Associated with the NFT-1000
Table 8 - Comparison of Old vs. New Scram Loop Contacts
Table 9 - Console System Console - Comparison of Old vs. New
Table 10 - List of Recorder Inputs

List of Figures

Figure 1 - Diagram of Major Components for the AFRRI Instrumentation and Control System
Figure 2 - Picture of Old and New DAC
Figure 3 - Block Diagram of the New Data Acquisition Cabinet (DAC)
Figure 4 - Data Acquisition Cabinet AC Power Distribution
Figure 5 - Picture of Old and New NP-1000
Figure 6 - Simplified Block Diagram of Old System vs. New System
Figure 7 - Detailed Block Diagram of new NP-1000
Figure 8 - Picture of Old and New NPP-1000
Figure 9 - Simplified Block Diagram of Old System vs. New System
Figure 10 - Detailed Block Diagram of new NPP-1000
Figure 11 - Picture of Old NM-1000 and New NLW-1000
Figure 12 - Simplified Block Diagram of Old System vs. New System
Figure 13 - Detailed Block Diagram of new NLW-1000
Figure 14 - Picture of Old NM-1000 and New NMP-1000
Figure 15 - Simplified Block Diagram of Old System vs. New System
Figure 16 - Detailed Block Diagram of new NMP-1000
Figure 17 - Location of the New NMP-1000 Compensated Ion Chamber
Figure 18 - Picture of Old Fuel Temperature Channels and New NFT-1000
Figure 19 - Simplified Block Diagram of Old System vs. New System
Figure 20 - Detailed Block Diagram of new NFT-1000
Figure 21 - Picture of the Scram Loop and Major Components
Figure 22 - Detailed Schematic of the Scram Loop
Figure 23 - Picture of Old and New Control Rod Drive Mechanism
Figure 24 - Picture of Old and New Facility Interlock System Cabinet
Figure 25 - Facility Interlock System (FIS) Interlock Diagram
Figure 26 - Core Support Carriage Regions
Figure 27 - Picture of Old and New Exposure Room Doors Status Panel
Figure 28 - Picture of Old and New Exposure Room Plug Door Control Boxes
Figure 29 - Picture of Old and New Control System Console
Figure 30 - Block Diagram of New Control System
Figure 31 - Picture of Old and New Rod Control Panel
Figure 32 - Rod Control Panel
Figure 33 - Picture of Old and New Reactor Mode Control Panel
Figure 34 - Reactor Mode Control Panel
Figure 35 - Left Side Status Display
Figure 36 - Right Side Graphics Display - Reactor Display #1
Figure 37 - Picture of Old and New Bargraphs
Figure 38 - Picture of Old and New Chart Recorders
Figure 39 - Data Acquisition Cabinet
Figure 40 - Data Acquisition Cabinet - Power Supplies
Figure 41 - Data Acquisition Cabinet - Digital Input/Output
Figure 42 - Data Acquisition Cabinet - Analog Input/Output
Figure 43 - Data Acquisition Cabinet - Nuclear Instruments
Figure 44 - Data Acquisition Cabinet - Control Rod Drive
Figure 45 - Scram Loop
Figure 46 - Facility Interlock System - Cabinet Outside
Figure 47 - Facility Interlock System - Cabinet Inside
Figure 48 - Facility Interlock System - Exposure Room Control Box
Figure 49 - Facility Interlock System - Exposure Room Status Panel
Figure 50 - Control System Console - Front
Figure 51 - Control System Console - Rear
Figure 52 - Control System Console - Power Supplies
Figure 53 - Control System Console - UPS
Figure 54 - Control System Console - Digital Input
Figure 55 - Control System Console - Digital Output
Figure 56 - Control System Console - Rod Control Panel - Front
Figure 57 - Control System Console - Reactor Mode Control Panel - Front
Figure 58 - Control System Console - Reactor Mode Control Panel - Back
Figure 59 - Control System Console - Computers - Left Side Display
Figure 60 - Control System Console - Computers - Right Side Display
Figure 61 - Control System Console - Bargraphs and Recorders
Figure 62 - Control System Console - Bargraphs - Front
Figure 63 - Control System Console - Recorders - Front
Figure 64 - Control System Console - Bargraphs and Recorders Panel - Back

List of Abbreviations, Acronyms and Symbols

°C: degree Celsius
3PDT: three pole, double throw
4PDT: four pole, double throw
A: ampere
A/D: analog to digital
AC: alternating current
AFRRI: Armed Forces Radiobiology Research Institute
ANS: American Nuclear Society
ANSI: American National Standards Institute
CCS: Console Computer System
CCW: counterclockwise
CIC: compensated ion chamber
COTS: Commercial off the shelf
cps: counts per second
CRD: Control rod drive
CSC: Control System Console
CSV: comma separated variable
CW: clockwise
D/A: digital to analog
DAC: Data Acquisition Cabinet
DC: direct current
ER: Exposure room
ESF: engineered safety feature
FIS: facility interlock system
GA: General Atomics
GA-ESI: General Atomics - Electromagnetic Systems
GFD: ground fault detector
HP: History playback
HV: high voltage
Hz: hertz
I&C: Instrumentation and Control
I/O: input/output
IAW: in accordance with
IFE: instrumented fuel element
LAN: local area network
LAR: License amendment request
lb: pound
LCD: liquid crystal display
LCO: limiting condition of operation
LED: light emitting diode
LSSS: limiting safety system setting
mA: milliamperes
MCC: motor control center
msec: milliseconds
MW: megawatt
NQA: Nuclear Quality Assurance
NRC: Nuclear Regulatory Commission
NSAB: Naval Support Activity Bethesda
O&M: Operator and Maintenance
OEM: original equipment manufacturer
PID: proportional, integral, derivative
RAM: radiation area monitor
RCS: Reactor Control System
RPI: rod position indication
RPS: Reactor Protection System
RTD: resistance temperature detector
RWP: Rod withdrawal permit
SAR: safety analysis report
SOW: statement of work
SR: surveillance requirement
TB: terminal board
TRIGA: Training, Research, Isotopes, General Atomics
TS: technical specification
UIT: user interface terminal
UPS: uninterruptible power supply
USB: universal serial bus
V: voltage
V/F: voltage to frequency
Vac: voltage, alternating current
Vdc: voltage, direct current
W: watts
WDT: Watchdog timer


AFRRI Digital Instrumentation and Control Summary of Changes

A primary design intent of this upgrade was to replace the old system with a new system that is identical in form and function to the old system to the maximum extent possible. The primary motivation for this upgrade was parts obsolescence and equipment maintainability, which had become increasingly difficult with the old system. Refer to the Functional and System Requirements Specifications documents.

Figure 1, shown below, is a diagram of the major components of the Instrumentation and Control (I&C) System. The items highlighted in green are old components and remain installed and unchanged, and are used in the new system. The items highlighted in blue are new components that have functionally replaced old components. There are three major subcategories: (1) Data Acquisition Cabinet, (2) Facility Interlock System, and (3) Control System Console. Detailed in the following document is a summary of the new system and how it compares to the old system along with the safety analysis of each new subcomponent and any associated changes to the technical specification that are needed.

Figure 1 - Diagram of Major Components for the AFRRI Instrumentation and Control System

1 Data Acquisition Cabinet (DAC) - Component #1

Figure 2 - Picture of Old and New DAC

The Data Acquisition Cabinet (DAC) was located on the reactor floor near the reactor pool and was completely replaced. The DAC served as the data gathering and control interface between the reactor and the control system console. It monitored the reactor power from the safety channels ( ), the (mounted separately on the wall), along with the fuel temperature channels ( modules), water temperature channels, and control rod position.

The DAC acquired data in real-time from the various sensors associated with the reactor and facility. The DAC stored this data and transmitted it via the network to the Control System Console (CSC). In turn, the DAC received commands from the CSC, and reissued those commands to raise/lower the control rods or scram the reactor. It communicated with the CSC via an Ethernet data network. The DAC controlled the positions of the control rods, either in response to operator inputs entered at the CSC, or automatically using the power feedback loop during automatic operation.

The overall function of the new DAC remains unchanged. It still acquires data from instrumentation in the reactor and associated systems, processes it, and transmits it via Ethernet to the CSC. The new DAC is installed in the same location as the old DAC. It houses the as well as equipment to process analog and digital inputs. A comparison of the original DAC versus the new DAC is detailed in Table 1 below.

Figure 3 - Block Diagram of the New Data Acquisition Cabinet (DAC)

AC power is supplied to the DAC by the UPS located in the CSC. AC power is distributed to three identical rackmount power strips. Each strip has 8 outlets and features a 15A resettable circuit breaker and a lighted power switch. All DAC devices that require AC input power are plugged into these power strips. For a detailed block diagram of the AC power distribution see Figure 4 below.

Figure 4 - Data Acquisition Cabinet AC Power Distribution

Table 1 - Data Acquisition Cabinet - Comparison of Old vs. New

Power Supplies

Function: Supplies Vdc power for the components located in the DAC along with a power supply for the control rod magnets and transient rod air solenoid.

Safety Analysis: The new power supplies are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The power supplies receive 120 Vac primary side power from the DAC AC power distribution system which originates from the console UPS. The power supplies are of the switching type and provide input-to-output isolation with internal overvoltage and overcurrent protection. There are six power supplies. There is no necessity for redundancy in the design criteria of the power supplies. Since the system is designed to fail-safe, the failure of a power supply will not inhibit any safety function.

It is concluded that the new power supplies will continue to perform the design function required in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD:

There were four power supplies:

PS1 +24 Vdc Magnet Power Supply supplied magnet power to the control rod drive electromagnets in the scram circuit. An served as the Magnet Power Supply Ground Fault Detector (GFD). It detected a fault to chassis ground on both the supply and return buss.

PS2 Potentiometer Power Supply supplied power to the potentiometers that monitor rod position.

PS3 +24 Vdc Solenoid Power Supply provided power to the solenoid controlling the air for the transient rod mechanism.

PS4 +12 Vdc Auxiliary Power Supply furnished power for control relays, opto-isolators, and the DIS064 scanner board.

NEW:

PS1 +5 Vdc Power Supply ( ) provides power to the secondary side of the digital isolator modules on the digital input drawer.

PS2 +15 Vdc Instrument Power Supply ( ) is used to generate input signals to the nuclear instrument remote connectors. It also provides the pulse gain signal for the NPP-1000.

PS3 +24 Vdc Utility Power Supply ( ) is a 50W power supply that is used to power digital switch contacts external to the DAC (FIS, Rod Drives, etc.). Input to output isolation is 3,000V.

PS4 +24 Vdc Solenoid Power Supply ( ) provides power to the transient rod air solenoid.

PS5 +24 Vdc Utility Power Supply ( ) is used to power digital switch contacts external to the console. Input to output isolation is 3,000V.

PS6 +24 Vdc Magnet Power Supply ( ) provides power to the standard control rod drive magnets. It is monitored by a ground fault detector (GFD) ( ), which is also mounted in the power supply drawer. The GFD monitors both the high and low legs of the scram loop. If any point in the scram loop shorts to earth ground, the GFD will detect it and generate a fault indication to the console. The GFD has a display, test mode and various indicators. When no fault is present, a green LED will be lit. When a fault is detected, yellow LEDs will be lit. The GFD is powered by PS5.

Digital Input/Output

Function: The purpose of the digital input/output drawer is to isolate all digital inputs and outputs and transmit those signals to the control system console.

Safety Analysis: The new digital input boards and isolators are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The new digital input boards and isolators have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the digital input boards and isolators will be as dependable as the old unit.

Nevertheless, the failure of either the digital input board or one or more of the digital isolators is of minimal consequence since a failure will not prevent the automatic protective actions from other independent channels (e.g. NP-1000 or NPP-1000) from being performed. In addition the interlock functions that are being performed by the digital inputs (e.g., FIS limit switches) will still be performed in the event of a failure of the digital I/O components since the interlocks are designed to be fail-safe.

It is concluded that DAC Digital I/O will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD:

DC digital input/output. Relay boards and digital input scanner board ( ).

NEW:

The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical printed circuit board assemblies (PWA) populated with digital isolators.

Components:

Analog Input/Output

Function: The analog input/output drawer is designed to accept analog inputs from various sensors and equipment and retransmit them for use at the control system console.

Safety Analysis: The new analog input boards and signal conditioners are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The new analog input boards and conditioners have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the analog input boards and conditioners will be as dependable as the old unit.

Nevertheless, the failure of either the analog input board or one or more of the analog signal conditioners is of minimal consequence since the components that perform a safety function, such as the pool water temperature, are designed to fail-safe, and any failure will result in a scram. In addition, a failure will not prevent the automatic protective actions from other independent channels (e.g. NP-1000 or NPP-1000) from being performed. The safety analysis for the individual process instrumentation channels is discussed in Section 1.8.

It is concluded that DAC Analog I/O will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD:

Signal conditioners and limit modules used to monitor fuel temperatures, water temperature, and magnet voltage.

NEW:

The analog input/output drawer houses signal conditioning modules that feature galvanic input to output isolation of 3,500 V. Of the 18 signal conditioning modules, 7 of them are designed to accept either current or voltage signal, 6 are designed to read potentiometer inputs, and 5 are designed to connect to 100 RTD sensors. The outputs are configured for 0 to 10 Vdc, to be read by modules mounted in the analog drawer. The signal conditioning modules are powered by a +24 Vdc, 120W switching power supply. Every module has two calibration potentiometers for zero and span adjustments.

Components:

Nuclear Instruments

Function: To house the nuclear instrument modules.

Safety Analysis: The safety analysis for the individual nuclear instrument channels is discussed in detail in Section 1.1 through Section 1.5.

OLD:

Nuclear instruments.

The NFT instruments were not consolidated in a standalone package like the new , but consisted of COTS components, which were signal conditioners and alarm/trip modules connected to the thermocouples from the instrumented fuel elements (IFE).

NEW:

Nuclear Instruments.

Control Rod Drive Mechanism (CRDM)

Function: To house the module and various other electronic components related to the CRDMs.

Safety Analysis: The safety analysis for the CRDMs is discussed in detail in Section 1.7.

OLD:

convertor for the regulating motor and high speed data board for acquiring the pulse data. Relay boards for controlling rod movement. Isolators for conditioning the rod control analog signals to digital. The modules were mounted separately on the wall of the reactor room.

NEW:

The rod control drawer houses the convertor module and three modules. All modules are directly powered by the DAC AC power.

Components

Scram Loop

Function: The design function of the scram loop is to de-energize both the magnets for the standard control rods and the solenoid for the transient rod air, causing the control rods to insert into the core and placing the reactor in a safe shutdown condition. This is in response to either automatic or manual actions for certain abnormal reactor operating conditions.

Safety Analysis: The safety analysis for the scram loop is discussed in detail in Section 1.6.

OLD:

The scram loop was completely hardwired and did not depend on the computer or software to perform any required action.

NEW:

Components:

Data Acquisition Computer

Function: The computers have been relocated to the CSC and are discussed in detail in Section 4.

OLD:

DAC Computer. based computer.

NEW:

All computers have been moved to the control system console.

1.1 NP-1000 Linear Power Channel - Component 1a

Figure 5 - Picture of Old and New NP-1000

Figure 6 - Simplified Block Diagram of Old System vs. New System

Figure 7 - Detailed Block Diagram of new NP-1000

1.1.1 Design Function

The NP-1000 is designated as Safety Channel No. 1. The design functions of the NP-1000 are:

Measure neutron flux in order to provide percent linear power indication (0-120%).

Provide an automatic scram on overpower conditions.

Provide analog outputs to the bargraphs and recorders for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

1.1.2 Description of Old NP-1000

Reference - GA Operation and Maintenance Manual NP-1000/NPP-1000 Percent Power Channel, E117-1010 Revision 2, 1991[1]

The original General Atomics NP-1000 was a percent power monitoring channel packaged in a flameproof steel enclosure that was connected to a fission chamber. The original NP-1000 was a linear current to voltage conditioning device which included a commercial-off-the-shelf (COTS) high voltage power supply for the fission chamber and two bistable trip circuits: one for loss of HV and the other for overpower protection. The original NP-1000 provided isolated current outputs for display by the original bargraphs and paper chart recorders.

The instrument was analog, with the analog/digital (A/D) conversion taking place outside of the unit in a COTS A/D converter. Analog outputs from the original NP-1000 fed A/D convertors. This digital signal was then made available to the console computers for display on the user interface.

1.1.3 Comparison of Old NP-1000 vs. New NP-1000

The new General Atomics NP-1000 is an updated version of the original, obsolete unit and utilizes the original fission chamber. The location of the fission chamber on the core periphery remains unchanged.

The new unit is an analog/digital hybrid whereas the old unit was entirely analog. The circuit and associated relays that provide the contact closures for the scram loop remain analog. The output signals to the bargraph and recorder have also remained analog.

The performance of the safety function (i.e., measurement of signal from detector and actuation of bistable trips) is retained in the analog portion of the instrument while the analog to digital conversion of the signal for use at the control console computers has been integrated into what is now the digital portion of the instrument. The advantage of this integration is to reduce the noise pickup in the analog signal prior to digital conversion. The addition of a digital display provides local power indication and control for various testing and configuration settings via a touchscreen panel.

1.1.4 Detailed Description of New NP-1000

Reference:

NP-1000, Nuclear Power Module, User Manual, Document T3271000-1UM, Rev A, December 2018[2]

The NP-1000 module is packaged in a flameproof enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a fission chamber and contains seven major subassemblies: Motherboard, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, and HV Power Supply.

1.1.4.1 Motherboard

Refer to schematic T3280101[2] for circuit details.

The motherboard of the NP-1000 serves as the backplane for all NP-1000 printed wiring assemblies (PWA) (i.e., daughter cards). It provides the power for all daughter cards and HV power supply. Connections between all daughter cards and peripheral devices such as the front panel display and remote connectors are made via the motherboard. Incoming signal lines for control signals originating at the remote connector on the rear panel are protected by opto-isolators. Outgoing signals are isolated via relays, opto-isolators, or other methods.

The motherboard also contains the electrometer measuring detector current and circuitry to generate various test signals for the self-test functions.

The motherboard generates several self-test currents that are injected into the electrometer circuit in addition to the detector current via a relay enabled by firmware. DIP switches let the user select the amplitude of the self-test currents from 1A to 1mA, representing up to 120% reactor power. The self-test circuits are designed to generate high power, manual, and ramp currents. The high power circuit is a current source calibrated to instantaneously simulate reactor power >100% and cause a high power trip.

The ramp circuit provides a steadily increasing current representing 0 to >120% reactor power. It is calibrated to increase by 12% every second. Manual lets the user adjust any desired current level via the front panel potentiometer.

1.1.4.2 Trip/Alarm Board

Refer to schematic T3301131[2] for circuit details.

The trip/alarm board is an analog board and contains six identical circuits to generate all trip and alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the tripped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset.

Every trip has a DPDT (Form C) relay that the user can connect to via the remote connectors located on the back of the module. The relay is controlled by the output of the comparator and the operate signal.

Taking the NP-1000 out of operate mode (such as during a self-test) will immediately activate all trip relays. This is considered the failsafe condition, when all trips are set and latched, but not necessarily indicated by the front panel LEDs or remotely.

The trip logic signal (comparator output) is only activated when the comparator input exceeds the setpoint. Simply taking the NP-1000 out of operate mode will not activate the trip logic signal. The front panel LEDs, opto-isolator outputs, and Ethernet indications are driven by the trip logic signal, and so will only indicate a trip when the comparator input exceeds the setpoint.
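The difference between the relay state and the trip indication described above can be made concrete with a small behavioural model. This is an added example, not General Atomics code or anything taken from the schematics; the class names, the voltages, the treatment of a reset while the condition persists, and the assumption that a de-energized relay coil is the tripped position are all illustrative.

```python
from dataclasses import dataclass


@dataclass
class TripCircuit:
    """One comparator/latch circuit as described for the trip/alarm board."""
    name: str
    reference_v: float        # setpoint from the adjustment potentiometer (constructed value)
    rising: bool = True       # jumper: True = rising trip, False = falling trip
    trip_logic: bool = False  # latched comparator output (the "trip logic signal")

    def sample(self, signal_v: float) -> bool:
        """Compare the incoming signal with the reference and latch on a crossing."""
        if self.rising:
            crossed = signal_v > self.reference_v   # "exceeds the reference"
        else:
            crossed = signal_v < self.reference_v   # "falls below the reference"
        if crossed:
            self.trip_logic = True   # stays set even if the signal returns to nominal
        return self.trip_logic

    def reset(self, signal_v: float) -> bool:
        """User reset. Assumption: a condition that is still present re-latches at once."""
        self.trip_logic = False
        return self.sample(signal_v)


class TripBoard:
    """Hypothetical container for the circuits plus the operate signal."""

    def __init__(self, circuits):
        self.circuits = {c.name: c for c in circuits}
        self.operate = True    # False during a self-test, for example
        self.powered = True

    def relay_tripped(self, name: str) -> bool:
        """Relay contact state (True = tripped position).

        The relay follows the comparator output and the operate signal.
        Assumption: the coil is energized only when healthy, so loss of
        power also puts the contacts in the tripped position.
        """
        circuit = self.circuits[name]
        return (not self.powered) or (not self.operate) or circuit.trip_logic

    def indicated(self, name: str) -> bool:
        """Front panel LED / opto-isolator / Ethernet indication: trip logic signal only."""
        return self.powered and self.circuits[name].trip_logic


def classify(relay_tripped: bool, indicated: bool) -> str:
    """Interpret a relay contact reading against the trip indication."""
    if relay_tripped and indicated:
        return "comparator trip (latched until reset)"
    if relay_tripped:
        return "fail-safe trip without comparator trip (out of operate or unpowered)"
    if indicated:
        return "inconsistent: indication without relay trip"
    return "normal"


def demo():
    """Constructed scenario: overpower excursion, reset, then a self-test."""
    board = TripBoard([TripCircuit("overpower", 9.0, rising=True),
                       TripCircuit("hv_low", 8.0, rising=False)])
    results = []
    over = board.circuits["overpower"]
    for volts in (5.0, 9.5, 5.0):          # excursion above setpoint, then back to nominal
        over.sample(volts)
        results.append(classify(board.relay_tripped("overpower"),
                                board.indicated("overpower")))
    over.reset(5.0)
    results.append(classify(board.relay_tripped("overpower"),
                            board.indicated("overpower")))
    board.operate = False                  # taken out of operate
    results.append(classify(board.relay_tripped("hv_low"),
                            board.indicated("hv_low")))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A console or test harness that only watches the indications would miss the last case in `demo()`, which is why the relay contacts and the trip logic signal are worth checking separately.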

The instrument has five (5) bistable trips. The analog relays are held energized in a fail-safe condition until an alarm (or loss of power) de-energizes the coil. The trips are listed in Table 2.

Table 2 - List of Trips Associated with the NP-1000

Trip Function | Old | New
HV voltage low | 20% loss of HV | 20% loss of HV
Overpower | 1.1 MW | 1.1 MW

1.1.4.3 Isolation Amplifier Board

Refer to schematic T3133111[2] for circuit details.

The isolation amplifier board is an analog board that houses two isolated analog outputs that can be jumper configured for either voltage or current output. The isolators are commercially available voltage to current converters. The converters provide 1500 Vrms galvanic isolation. Adjustment potentiometers allow the isolators to be calibrated for offset and span. The isolation amplifiers provide a 4 to 20 mA or 0 to +10 Vdc output that is available to the user via the remote connectors. These isolated outputs provide the analog signals to the bargraphs and videographic recorders mounted in the control console.

1.1.4.4 Digital Interface Board

Refer to schematic T3133301[2] for circuit details.

In the old system, digital conversion of the analog signal for use at the reactor control console was performed in a separate module. To decrease the distance that the analog signal needs to travel prior to conversion, this function has been integrated into the channel and takes place on the digital interface board. The benefit is the decrease in the noise of the signal prior to conversion.

The digital interface board houses the microprocessor and circuitry that interfaces with the other boards. It also contains power supplies for digital power, A/D converters, communications circuitry, and the watchdog timer. The microprocessor is part of the microprocessor subassembly and is a commercially available microprocessor with integrated memory, Ethernet communication, and other peripherals.

The communication protocol used by the NP-1000 Ethernet-based nuclear module is described in GA Document, T9S900D970-SRS, GA TRIGA Nuclear Module Software Communications Protocol Document[3].

The incoming analog signals (+10 Vdc full scale) are divided in half by op-amp circuitry and sent to the A/D converter. The A/D converter communicates with the microprocessor via isolated serial peripheral interface (SPI) bus.

A watchdog timer (WDT) monitors the activity of the microprocessor on the digital interface board. If the WDT receives no input from the microprocessor for more than 1.6 seconds, the WDT sends an alarm and takes the module out of operate. When a WDT alarm occurs, the heartbeat LED will stop blinking, the loss of communications will cause all trips to set (and thus cause a reactor scram), and the console WDT Alarm will occur. A WDT alarm is latching in the instrument and can only be reset by cycling power. A WDT alarm is expected to be an extremely rare event.
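The timing and latching behaviour of the watchdog described above, as an added example (not the module's firmware or circuit): a model that replays the times at which the microprocessor services the watchdog. The class and function names, the millisecond resolution and the sample timestamps are constructed for illustration.

```python
WDT_TIMEOUT_MS = 1600  # alarm when there is no input for MORE than 1.6 seconds


class WatchdogModel:
    """Latching watchdog: alarms on a gap longer than the timeout and
    clears only when power is cycled."""

    def __init__(self, power_on_ms: int = 0):
        self.last_kick_ms = power_on_ms
        self.alarm = False
        self.alarm_at_ms = None

    def poll(self, now_ms: int) -> bool:
        """Evaluate the timer at now_ms and latch the alarm if it has expired."""
        if not self.alarm and now_ms - self.last_kick_ms > WDT_TIMEOUT_MS:
            self.alarm = True
            # Earliest whole millisecond at which the gap exceeds the timeout
            # (an artefact of this model's 1 ms resolution).
            self.alarm_at_ms = self.last_kick_ms + WDT_TIMEOUT_MS + 1
        return self.alarm

    def kick(self, now_ms: int) -> bool:
        """Input from the microprocessor. It has no effect once the alarm has latched."""
        if not self.poll(now_ms):
            self.last_kick_ms = now_ms
        return self.alarm

    def power_cycle(self, now_ms: int) -> None:
        """The only reset path for a latched WDT alarm."""
        self.last_kick_ms = now_ms
        self.alarm = False
        self.alarm_at_ms = None

    def module_state(self) -> dict:
        """Consequences of a WDT alarm as listed in the text."""
        return {
            "operate": not self.alarm,
            "heartbeat_led_blinking": not self.alarm,
            "trips_set_by_wdt": self.alarm,
            "console_wdt_alarm": self.alarm,
        }


def replay(kick_times_ms, end_ms: int) -> WatchdogModel:
    """Feed a sequence of kick timestamps to a fresh watchdog powered on at t = 0."""
    wdt = WatchdogModel(0)
    for t in kick_times_ms:
        wdt.kick(t)
    wdt.poll(end_ms)
    return wdt


# Constructed timestamps: a gap of exactly 1600 ms is tolerated, 1700 ms is not,
# and the kicks that resume afterwards do not clear the alarm.
SAMPLE_KICKS_MS = [500, 1000, 2600, 4300, 4800, 5300]

if __name__ == "__main__":
    wdt = replay(SAMPLE_KICKS_MS, end_ms=6000)
    print(wdt.alarm, wdt.alarm_at_ms, wdt.module_state())
```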

1.1.4.5 Display Module

Refer to TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4].

Refer to schematic T3133301[2] for circuit details.

The display on the front of the module is a monochrome LCD display with white LED backlight. The display has a viewing area of 3.8 inches (diagonal) and a resolution of 320 X 240 (QVGA). The display includes an integrated touch panel and integrated digital backlight & contrast controls. A complete graphical operating system that executes graphical user interface (GUI) applications

1.1.4.6 Front Panel Board

Refer to schematic T3400121[2] for circuit details.

The front panel board houses the red LED indicators for all trips that are activated by the trip/alarm board.

The remote/local switch lets the user control whether the module is in remote or local mode. A green LED indicator is wired in the circuit with the switch. The LED is lit when the module is in remote mode.

A potentiometer lets the user manually control the current in test mode. This potentiometer is accessible via a knob on the front panel.

1.1.4.7 HV Power Supply

The internal 4W high voltage (HV) power supply can supply up to +1,000 Vdc. An internal sense circuit returns 0 to +1 Vdc for an output of 0 to +1,000 Vdc. Circuitry on the motherboard amplifies this sense voltage to +10 Vdc at maximum output. Additional circuitry is connected to the sense line to enable the HV self-test. A potentiometer located on the motherboard provides for adjustment of the HV output for proper detector voltage.

1.1.5 Safety Analysis

The new NP-1000 is an updated version of the old unit that incorporates the digital to analog conversion into the module while retaining the separation of the analog portion for the performance of the safety related functions. The new NP-1000 maintains its independence from all other power monitoring channels and is hardwired into the Reactor Protection System (RPS) scram loop; therefore, all scram functionality associated with the channel is maintained should malfunctions occur in the digital portion of the instrument or anywhere outside of the unit, including the console computers. Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the scrams associated with the NP-1000, so operation of the reactor beyond the limits defined in the technical specifications and safety analysis report is not possible. For redundancy and diversity in the information provided to the reactor operator by the NP-1000, a dedicated analog output is directly wired to an updated bargraph display along with an updated recorder, thus ensuring information is available to the reactor operator for the safe operation and monitoring of the reactor and can also be used as a cross-check for the console computer display.

The new NP-1000 has been designed and manufactured to meet or exceed the requirements of the previous unit. The new NP-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new NP-1000 will be as dependable as the old unit. Nevertheless, the failure of the NP-1000 is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy and diversity, the failure of NP-1000 to perform overpower protective action would not result in an increase in the consequence of any accident. Any foreseeable failure that impairs the ability of the NP-1000 to perform its safety function would initiate a fail-safe response and scram the reactor.

The main accident type that the NP-1000 is designed to mitigate is the insertion of excess reactivity resulting in overpower conditions. This insertion can be either as a step insertion or ramp insertion. The initiating event can be the failure of a high worth experiment, improper fuel element handling, and numerous other types of events that can inadvertently insert excess reactivity into the core. In the safety analysis it is assumed that one of the two safety channels (NP-1000 or NPP-1000) fails while the second channel would act as designed and terminate the insertion. Due to this independence and redundancy in the number of safety channels providing automatic overpower protective actions, the consequences of an excess reactivity insertion accident remain unchanged in the event of a failure of the new NP-1000.

Both the NP-1000 and NPP-1000 are being replaced as part of the upgrade. The units are designed to provide redundancy for the automatic overpower protective action. The reactor scram actions are performed in the analog portion of the units while the digital portion only provides non-safety related functions. Therefore, erroneous software code cannot be a source of common cause failure that would result in a loss of protective actions. In fact, there are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the safety channels, and diversity designed into the RPS provides a large measure of protection against common cause failures.

However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe.

A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

The NP-1000 provides, independently, both an analog signal and digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level. In addition, the reactor operator also receives power indication from the NPP-1000, NLW-1000, NMP-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen.

Therefore, in the case that erroneous information is being provided by the NP-1000, there are five other channels that the operator can use for power level verification.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1000 °C remains unchanged with the upgrade of the NP-1000. The basis for the limit for automatic protective action for the overpower scram is to prevent exceeding the fuel temperature limit. This limit of 600 °C for the scram setpoint limit remains unchanged. The automatic scram for loss of HV is to ensure that the channel has the required voltage to be operational. This scram action also remains unchanged.

It is concluded that the upgraded NP-1000 will continue to perform the design function required by this safety channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.1.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires two High-Flux Safety Channels for steady-state mode. The NP-1000 satisfies one of the two required for steady-state mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires a scram for Percent Power High Flux (maximum setpoint of 1.1 MW) and High Voltage Loss to Safety Channel (maximum setpoint of 20% below nominal).

4.2.2 Reactor Safety Systems Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

Technical Specification 3.2.2, Table 2, Minimum Reactor Safety System Scrams, requires a scram upon 20% or greater loss of high voltage. This specification has never had a companion surveillance specification, so one should be added to Section 4.2.2 of the Technical Specifications.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the old unit are still applicable and appropriate for the updated unit.

1.1.7 Quality Assurance

TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4]

This document defines the software requirements for the NP/NPP-1000 Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electromagnetic Systems Inc. (GA-EMS) TRIGA radiation monitoring channel similar to the existing NMP-1000 and NLW-1000 channels. The NP/NPP-1000 software or anything the software controls cannot in any way impact the safety performance of the unit. The software performs no safety function.

The NI Software was produced from this specification. The software is common to all NP/NPP-1000 DIBs and touchscreen LCDs. The objective of the software was to provide the functions, status information, monitoring and control of hardware, Ethernet/serial communications, internal tests and self-test functions per the requirements that have been allocated to the NP/NPP-1000 system.

GA Acceptance Test Procedure (ATP), NP-1000, Nuclear Power Instrument, T3271000-1AT[6]

This procedure specifies the steps required to perform a functional test and calibration on the NP-1000, Nuclear Power Instrument, P/N T3271000-001.

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). It should be noted that GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole.

These tests, their traceability to the SOW and their results are provided in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.2 NPP-1000 Linear Power Pulsing Channel - Component 1b

Figure 8 - Picture of Old and New NPP-1000

Figure 9 - Simplified Block Diagram of Old System vs. New System

Figure 10 - Detailed Block Diagram of new NPP-1000

1.2.1 Design Function

The NPP-1000 is designated as Safety Channel No. 2. The NPP-1000 design function is to:

Measure neutron flux in order to provide percent linear power indication (0-120%).

Provide an automatic scram on overpower conditions.

Provide analog outputs to the bargraphs and recorders for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

In addition, the instrument is to measure the neutron flux for pulsing operations and to provide that information to the reactor control console for post pulse storage and analysis.

1.2.2 Description of Old

Reference:

GA Operation and Maintenance Manual NP-1000/NPP-1000 Percent Power Channel, E117-1010 Revision 2, 1991[1]

General Atomics NPP-1000 with a fission chamber for steady-state operations, uncompensated ion chamber or Cerenkov detector for pulsing operations. The original NPP-1000 pulse power monitoring channel was a linear current to voltage conditioning device which included a COTS high voltage power supply for the fission chamber and three bistable trip circuits: one for loss of HV, the second for overpower protection and the third for NVT. The original NP-1000 provided isolated current outputs for display by the original bargraphs and paper chart recorders.

The original NPP-1000 had the following pulse circuitry: NVT (total energy) integrator, time-to-peak circuit, and peak follow and hold circuit. The pulse data capture was performed outside of the unit, as it was incapable of continuous data capture during a pulse.

The original NPP-1000 is packaged in a flameproof steel enclosure. The instrument was analog with the analog/digital (A/D) conversion taking place outside of the unit in a commercial off the shelf (COTS) A/D converter.

1.2.3 Comparison of Old vs. New

The new General Atomics NPP-1000 is an updated version of the old, obsolete unit and uses the same suite of detectors and multiplexer (MUX) box that was used previously. The new unit is an analog/digital hybrid whereas the old unit was analog. The output of an analog signal to the control console for display on bargraphs and recorders is maintained.

The location of the detectors with respect to the reactor core remains unchanged.

The performance of the safety function (i.e., measurement of signal from detector and actuation of bistable trips) is retained in the analog portion of the instrument while the analog to digital conversion of the signal for use at the control console computers has been integrated into the instrument. The advantage of this is to reduce the noise pickup in the analog signal prior to digital conversion. The addition of a digital display provides local power indication and control for various testing and configuration settings via a touchscreen panel.

The pulse data capture has also been integrated into the instrument and is approximately 10 times faster than the previous system.

1.2.4 Detailed Description of New

Reference:

NPP-1000, Nuclear Power Module, User Manual, Document T3281000-1UM, Rev A, January 2018[10]

The new NPP-1000 module is packaged in a flameproof steel enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a fission chamber, uncompensated ion chamber or Cerenkov detector and contains seven major subassemblies:

Motherboard, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, and HV Power Supply.

1.2.4.1 Motherboard

Refer to schematic T3280101[10] for circuit details.

The motherboard of the new NPP-1000 serves as the backplane for all NPP-1000 printed wiring assemblies (PWA) (i.e., daughter cards). It provides the power for all daughter cards and HV power supply.

Connections between all daughter cards and peripheral devices such as the front panel display and remote connectors are made via the motherboard. Incoming signal lines for control signals originating at the remote connector on the rear panel are protected by opto-isolators. Outgoing signals are isolated via relays, opto-isolators, or other methods.

The motherboard also contains the electrometer measuring detector current and circuitry to generate various test signals for the self-test functions.

The motherboard generates several self-test currents that are injected into the electrometer circuit in addition to the detector current via a relay enabled by firmware. DIP switches let the user select the amplitude of the self-test currents from 1A to 1mA, representing 100% reactor power. The self-test circuits are designed to generate high power, manual and ramp currents. The high power circuit is a current source calibrated to instantaneously simulate reactor power >100% and cause a high power trip.

The ramp circuit provides a steadily increasing current representing 0 to >120% reactor power. It is calibrated to increase by 12% every second. Manual lets the user adjust any desired current level via the front panel potentiometer.

The pulse circuit produces a current pulse approximately 30ms to 50ms wide, with an amplitude of about 1mA, to simulate pulsed reactor operation. The pulse circuit is always used in conjunction with the lowest gain setting (1mA) of the electrometer. The detector that is used during a pulse (uncompensated ion chamber or Cerenkov detector) is positioned in such a way as to give 1mA detector current for peak pulsed power.

The NPP motherboard contains several circuits that are used for pulsed reactor operation. They are the NVT (total energy) integrator, time to peak and peak detect circuits.

The NVT circuit integrates the area under the power curve of a reactor pulse and returns a value that is proportional to the total energy of the pulse. A potentiometer sets the threshold for the start of integration. In steady-state reactor operation, the output of this circuit is clamped to 0V. Only when the gain setting of 1mA is selected for pulsed operation will the clamp be released and the circuit become active. It is designed to accurately hold the integrated value for a minimum of 1 minute, and will reset when the lower gain is deselected by the user or when a circuit reset signal is applied via firmware.

The time to peak circuit is used to measure the time between the low power threshold crossing and the peak of a reactor pulse. The first output transition of T0 occurs when the low power threshold is crossed at the beginning of the pulse, and then again when the pulse value drops below the threshold. This is also a representation of the duration of the pulse. A differentiator circuit detects the zero-slope of the pulse and causes a transition of output T1 at the peak.

The peak detect circuit returns a value that is proportional to the maximum power of the reactor pulse. It is designed to accurately hold the peak value for a minimum of 1 minute, and will reset when a circuit reset signal is applied by the user via firmware. Note that the peak detect circuit will also return a peak value in steady-state reactor operation. Unlike the NVT integrator, it is not clamped.
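The three pulse circuits described above can be followed numerically on a sampled current trace. The Python model below is an added example, not GA-EMS circuitry or firmware; the raised-cosine pulse is constructed test data, and the function names, the 10 µs sample step, the 0.05 mA threshold and the use of one threshold for both the NVT start and the T0 crossing are assumptions.

```python
import math


def constructed_pulse(dt=1e-5, t_start=0.005, width=0.040, amp_mA=1.0, t_end=0.060):
    """Constructed raised-cosine current pulse: 40 ms wide, 1 mA peak (sample data)."""
    samples = []
    for k in range(round(t_end / dt)):
        t = k * dt
        if t_start <= t <= t_start + width:
            phase = 2 * math.pi * (t - t_start) / width
            samples.append(0.5 * amp_mA * (1 - math.cos(phase)))
        else:
            samples.append(0.0)
    return samples


def process_pulse(samples, dt, threshold_mA, pulse_gain_selected=True):
    """Model of the NVT integrator, time-to-peak and peak detect circuits.

    Outputs are in detector-current units (mA, mA*s); the page only says the
    circuit outputs are proportional to peak power and total energy.
    """
    nvt = 0.0            # integrated area, clamped to 0 unless the 1 mA gain is selected
    peak = 0.0           # peak detect: not clamped, also follows steady-state signals
    t0_edges = []        # T0 transitions: rising and falling threshold crossings
    t1 = None            # T1 transition: zero slope at the pulse peak
    above = False
    integrating = False  # assumption: once started, integration runs to end of record

    for k, i in enumerate(samples):
        t = k * dt
        now_above = i > threshold_mA
        if now_above != above:
            t0_edges.append(t)
            above = now_above
            if now_above:
                integrating = True
        if pulse_gain_selected and integrating:
            nvt += i * dt
        if i > peak:
            peak = i
        # Differentiator: first sample after the rising crossing where the slope
        # is no longer positive.
        if above and t1 is None and k + 1 < len(samples) and samples[k + 1] <= i:
            t1 = t

    have_pulse = len(t0_edges) >= 2 and t1 is not None
    return {
        "nvt_mA_s": nvt,
        "peak_mA": peak,
        "t0_edges": t0_edges,
        "time_to_peak_s": (t1 - t0_edges[0]) if have_pulse else None,
        "duration_s": (t0_edges[1] - t0_edges[0]) if have_pulse else None,
    }


if __name__ == "__main__":
    dt = 1e-5
    trace = constructed_pulse(dt=dt)
    for selected in (True, False):
        result = process_pulse(trace, dt, threshold_mA=0.05, pulse_gain_selected=selected)
        print("1 mA gain selected:", selected, result)
```

With the 1 mA gain deselected the integrator output stays at zero while the peak value is still captured, matching the clamp behaviour described for steady-state operation.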

1.2.4.2 Trip/Alarm Board

Refer to schematic T3301131[10] for circuit details.

The trip/alarm board contains six identical circuits to generate all trip and alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the tripped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset.

Every trip has a DPDT (Form C) relay that the user can connect to via the remote connectors. The relay is controlled by the output of the comparator and the operate signal. Taking the NPP-1000 out of operate mode (such as during a self-test) will immediately activate all trip relays. This is considered the failsafe condition, when all trips are set and latched, but not necessarily indicated by the front panel LEDs or remotely.

The trip logic signal (comparator output) is only activated when the comparator input exceeds its setpoint.

Simply taking the NPP-1000 out of operate mode will not activate the trip logic signal. The front panel LEDs, opto-isolator outputs, and Ethernet indications are driven by the trip logic signal, and so will only indicate a trip when the comparator input exceeds the setpoint.

The instrument has five (5) bistable trips. The analog relays are held energized in a fail-safe condition until an alarm (or loss of power) de-energizes the coil. The trips are listed in Table 3.

Table 3 - List of Trips Associated with the NPP-1000

Trip Function | Old | New
HV voltage low | 20% loss of HV | 20% loss of HV
Overpower (steady-state) | 1.1 MW | 1.1 MW
NVT high (pulsing only) | 50 MW*s | 50 MW*s

1.2.4.3 Isolation Amplifier Board

Refer to schematic T3133111[10] for circuit details.

The isolation amplifier board is an analog board that houses two isolated analog outputs that can be jumper configured for either voltage or current output. The isolators are commercially available voltage to current converters. The converters provide 1500 Vrms galvanic isolation. Adjustment potentiometers allow the isolators to be calibrated for offset and span. The isolation amplifiers provide a 4 to 20 mA or 0 to +10 Vdc output that is available to the user via the remote connectors. These isolated outputs provide the analog signals to the bargraphs and videographic recorders mounted in the control console.

1.2.4.4 Digital Interface Board

Refer to TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4].

Refer to schematic T3133301[10] for circuit details.

Digital conversion of the analog signal for use at the reactor control console used to be performed in a separate module from the instrument. To decrease the distance that the analog signal needs to travel prior to conversion, this function has been integrated into the channel. The benefit is the decrease in the noise of the signal prior to conversion.

The digital interface board houses the microprocessor and circuitry that interfaces with the other boards.

It also contains power supplies for digital power, A/D converters, communications circuitry, and the watchdog timer. The microprocessor is part of the microprocessor assembly, a commercially available microprocessor with integrated memory, Ethernet communication, and other peripherals.

The incoming analog signals (+10 Vdc full scale) are divided in half by op-amp circuitry and sent to the A/D converter. The A/D converter communicates with the microprocessor via isolated serial peripheral interface (SPI) bus.

A watchdog timer (WDT) monitors the activity of the microprocessor on the digital interface board. If the WDT receives no input from the microprocessor for more than 1.6 seconds, the WDT sends an alarm and takes the module out of operate. When a WDT alarm occurs, the heartbeat LED will stop blinking, the loss of communications will cause all trips to set (and thus cause a reactor scram), and the console WDT Alarm will occur. A WDT alarm is latching in the instrument and can only be reset by cycling power. A WDT alarm is expected to be an extremely rare event.
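The latching trip circuits of Section 1.2.4.2 and the watchdog behaviour described above combine into one fail-safe rule: a trip relay stays energized only while the module is powered, in operate, free of a WDT alarm and not latched. The Python model below is an added example, not GA-EMS circuitry or firmware; the class and method names, the HV input expressed as a fraction of nominal, the sample inputs, and the relay re-energizing once operate is restored are assumptions.

```python
from dataclasses import dataclass

WDT_TIMEOUT_S = 1.6  # page: alarm after more than 1.6 s without processor activity


@dataclass
class TripCircuit:
    """One comparator-plus-latch circuit on the trip/alarm board."""
    setpoint: float
    rising: bool = True    # jumper: rising or falling trip
    latched: bool = False  # trip logic signal (drives LEDs, opto outputs, Ethernet)

    def sample(self, value: float) -> None:
        crossed = value > self.setpoint if self.rising else value < self.setpoint
        if crossed:
            self.latched = True  # stays set even if the input returns to nominal

    def reset(self) -> None:
        self.latched = False     # a still-abnormal input re-latches on the next sample


class Channel:
    def __init__(self) -> None:
        # Setpoints from Table 3; HV as a fraction of nominal is an assumption.
        self.trips = {
            "overpower_MW": TripCircuit(setpoint=1.1, rising=True),
            "hv_fraction": TripCircuit(setpoint=0.80, rising=False),
        }
        self.powered = True
        self.operate = True      # operate signal, dropped during a self-test
        self.wdt_alarm = False
        self._last_kick = 0.0

    def kick(self, now: float) -> None:
        """Microprocessor activity seen by the watchdog."""
        self._last_kick = now

    def tick(self, now: float, inputs: dict) -> None:
        if now - self._last_kick > WDT_TIMEOUT_S:
            self.wdt_alarm = True  # latching: only power_cycle() clears it
        for name, trip in self.trips.items():
            trip.sample(inputs[name])

    def relay_energized(self, name: str) -> bool:
        in_operate = self.powered and self.operate and not self.wdt_alarm
        return in_operate and not self.trips[name].latched

    def scram_demanded(self) -> bool:
        return not all(self.relay_energized(n) for n in self.trips)

    def indicated(self) -> dict:
        """Trip indications follow the trip logic signal, not the relay state."""
        return {n: t.latched for n, t in self.trips.items()}

    def reset_trips(self) -> None:
        for trip in self.trips.values():
            trip.reset()

    def power_cycle(self, now: float) -> None:
        self.wdt_alarm = False
        self._last_kick = now


NOMINAL = {"overpower_MW": 0.5, "hv_fraction": 1.0}  # constructed sample inputs


def scenario() -> dict:
    out = {}
    ch = Channel()
    ch.tick(0.1, NOMINAL)
    out["nominal"] = ch.scram_demanded()
    ch.tick(0.2, {**NOMINAL, "overpower_MW": 1.2})  # overpower excursion
    ch.tick(0.3, NOMINAL)                           # input back to nominal
    out["latched_after_return"] = ch.scram_demanded()
    ch.reset_trips()
    out["after_reset"] = ch.scram_demanded()
    ch.operate = False                              # e.g. self-test
    out["self_test"] = (ch.scram_demanded(), any(ch.indicated().values()))
    ch.operate = True
    ch.kick(0.4)
    ch.tick(1.9, NOMINAL)                           # 1.5 s since last kick
    out["wdt_at_1.5s"] = ch.wdt_alarm
    ch.tick(2.1, NOMINAL)                           # 1.7 s since last kick
    ch.kick(2.2)                                    # late activity does not clear it
    ch.reset_trips()                                # neither does a trip reset
    ch.tick(2.3, NOMINAL)
    out["wdt_latched"] = (ch.wdt_alarm, ch.scram_demanded())
    ch.power_cycle(2.4)
    ch.tick(2.5, NOMINAL)
    out["after_power_cycle"] = (ch.wdt_alarm, ch.scram_demanded())
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```

The `self_test` step shows the distinction the text draws: the relays demand a scram while no trip is indicated, because indications follow the comparator output only.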

1.2.4.5 Display Module

Refer to TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4].

The display on the front of the module is a monochrome LCD display with white LED backlight. The display has a viewing area of 3.8 inches (diagonal) and a resolution of 320 x 240 (QVGA). The display includes an integrated touch panel and integrated digital backlight and contrast controls. A complete graphical operating system that executes graphical user interface (GUI) applications

1.2.4.6 Front Panel Board

Refer to schematic T3400121[10] for circuit details.

The front panel board houses the red LED indicators for all trips that are activated by the trip/alarm board.

The remote/local switch lets the user control whether the module is in remote or local mode. A green LED indicator is wired in the circuit with the switch. The LED is lit when the module is in remote mode. A potentiometer lets the user manually control the current in test mode. This potentiometer is accessible with a knob on the front panel.

1.2.4.7 HV Power Supply

The 4W high voltage (HV) power supply is powered from +24 Vdc and can supply up to +1,000 Vdc. An internal sense circuit returns 0 to +1 Vdc for an output of 0 to +1,000 Vdc. Circuitry on the motherboard amplifies this sense voltage to +10 Vdc at maximum output. Additional circuitry is connected to the sense line to enable the HV self-test. A potentiometer located on the motherboard lets the user manually adjust the HV output.

1.2.5 Safety Analysis

The new NPP-1000 is an updated version of the old unit that incorporates the digital to analog conversion into the module while retaining the separation of the analog portion for the performance of the safety related functions. The new NPP-1000 maintains its independence from all other power monitoring channels and is hardwired into the Reactor Protection System (RPS) scram loop; therefore, all scram functionality associated with the channel is maintained should malfunctions occur in the digital portion of the instrument or anywhere outside of the unit, including the console computers. Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the scrams associated with the NPP-1000, so operation of the reactor beyond the limits defined in the technical specifications and safety analysis report is not possible. For redundancy and diversity in the information provided to the reactor operator by the NPP-1000, a dedicated analog output is directly wired to an updated bargraph display along with an updated recorder, thus ensuring information is available to the reactor operator for the safe operation and monitoring of the reactor. This output can also be used as a cross-check for the console computer display.

The new NPP-1000 has been designed and manufactured to meet or exceed the requirements of the previous unit. The new NPP-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new NPP-1000 will be as dependable as the old unit. Nevertheless, the failure of the NPP-1000 is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy and diversity, the failure of NPP-1000 to perform overpower protective action would not result in an increase in the consequence of any accident. Any foreseeable failure that impairs the ability of the NPP-1000 to perform its safety function would initiate a fail-safe response and scram the reactor.

The main accident type that the NPP-1000 is designed to mitigate is the insertion of excess reactivity resulting in overpower conditions. This insertion can be either a step insertion or a ramp insertion. The initiating event can be the failure of a high worth experiment, improper fuel element handling, and numerous other types of events that can inadvertently insert excess reactivity into the core. In the safety analysis it is assumed that one of the two safety channels (NP-1000 or NPP-1000) fails while the second channel would act as designed and terminate the insertion. Due to this independence and redundancy in the number of safety channels providing automatic overpower protective actions, the consequences of an excess reactivity insertion accident remain unchanged in the event of a failure of the new NPP-1000.

Both the NP-1000 and NPP-1000 are being replaced as part of the upgrade. The units are designed to provide redundancy for the automatic overpower protective action. The reactor scram actions are performed in the analog portion of the units while the digital portion only provides non-safety related functions. Therefore, erroneous software code cannot be a source of common cause failure that would result in a loss of protective actions. In fact, there are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the safety channels, and diversity designed into the RPS provides a large measure of protection against common cause failures.

However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe.

A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

The NPP-1000 provides, independently, both an analog signal and digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level. In addition, the reactor operator also receives power indication from the NP-1000, NLW-1000, NMP-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen.

Therefore, in the case that erroneous information is being provided by the NPP-1000, there are five other channels that the operator can use for power level verification.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1000 °C remains unchanged with the upgrade of the NPP-1000. The basis for the limit for automatic protective action for the overpower scram is to prevent exceeding the fuel temperature limit. This limit of 600 °C for the scram setpoint limit remains unchanged. The automatic scram for loss of HV is to ensure that the channel has the required voltage to be operational. This scram action also remains unchanged.

It is concluded that the upgraded NPP-1000 will continue to perform the design function required by this safety channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.2.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1, Minimum Measuring Channels, requires two High-Flux Safety Channels for steady-state mode and one for pulsing mode. The NPP-1000 satisfies one of the two required for steady-state mode and the one required for pulsing mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2, Minimum Reactor Safety System Scrams, requires a scram for Percent Power High Flux (maximum set point of 1.1 MW) and High Voltage Loss to Safety Channel (maximum set point of 20%).

4.2.2 Reactor Safety Systems Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

Technical Specification 3.2.2, Table 2, Minimum Reactor Safety System Scrams, requires a scram upon 20% or greater loss of high voltage. This specification has never had a companion surveillance specification, so one should be added to Section 4.2.2 of the Technical Specifications.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the old unit are still applicable and appropriate for the updated unit.

1.2.7 Quality Assurance

TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4]

This document defines the software requirements for the NP/NPP-1000 Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electromagnetic Systems Inc. (GA-EMS) TRIGA radiation monitoring channel similar to the existing NMP-1000 and NLW-1000 channels. The NP/NPP-1000 software or anything the software controls cannot in any way impact the safety performance of the unit. The software performs no safety function.

The NI Software was produced from this specification. The software is common to all NP/NPP-1000 DIBs and touchscreen LCDs. The objective of the software was to provide the functions, status information, monitoring and control of hardware, Ethernet/serial communications, internal tests and self-test functions per the requirements that have been allocated to the NP/NPP-1000 system.

GA Acceptance Test Procedure (ATP), NPP-1000, Nuclear Power Instrument, T3281000-1AT[11]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.3 NLW-1000 Log Power Channel with PA-1000 Preamplifier - Component 1c

Figure 11 - Picture of Old NM-1000 and New NLW-1000

Figure 12 - Simplified Block Diagram of Old System vs. New System

Figure 13 - Detailed Block Diagram of new NLW-1000

1.3.1 Design Function

The NLW-1000 is designated as the Log Power Channel and replaces a portion of the NM-1000 as described in Section 1.3.3 and Section 1.4. The design functions of the NLW-1000 are:

Measure neutron flux in order to provide wide range logarithmic power indication.

Provide period indication.

Provide bistable trip/signal for interlocks.

Provide analog outputs to the bargraphs and recorders for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

1.3.2 Description of Old

Reference:

GA Operation and Maintenance Manual NM-1000 Neutron Monitoring System, E117-1000, 1989[12]

The NM-1000 was designated as the operational channel and consisted of both the multi-range linear channel and the wide range log channel utilizing the signal from one fission chamber. This model, dating back to the late eighties, was obsolete. The NM-1000 was a digital instrument that used software and a microprocessor to calculate values for power and period. The trips then relied on these calculated values.

The original NM-1000 was designed to operate from the source range, through the intermediate range to the power range utilizing a single fission chamber.

The complete channel provided wide range logarithmic and linear outputs covering the entire neutron flux range from source to full power, with a source range output covering the lower six decades and a linear percent power output covering the upper two decades of reactor power.

The original NM-1000 consisted of a fission chamber, amplifier/signal conditioning assembly and a processor/output assembly, each mounted in separate large wall mounted enclosures.

The processor assembly consisted of communication electronics (between amplifier and processor), a microprocessor, a control/display module, low voltage power supply and isolated outputs. The processor assembly, using software, calculated reactor power and reactor period. The calculations were then used by the control system console.

1.3.3 Comparison of Old vs. New

The new General Atomics NLW-1000 is one of two instruments that are replacing the old NM-1000.

Specifically, the NLW-1000 replaces the wide range logarithmic function of the NM-1000 and provides the reactor period while the NMP-1000 replaces the multi-range linear portion of the NM-1000 and is discussed separately in Section 1.4.

The NLW-1000 uses a fission chamber. The NLW-1000 relies on analog signal processing (no software) for detector signal processing, both the power signal and the period signal, along with the bistable trip activation. The NLW-1000 provides analog outputs to the bargraphs and chart recorder for use at the reactor control console.

1.3.4 Detailed Description of New

Reference:

NLW-1000, Wide Range Log Power Module, User Manual, Document T3322000-1UM, Rev B, June 2015[13]

The NLW-1000 monitoring channel is a wide range logarithmic channel that operates with a fission chamber and a PA-1000 preamplifier that decouples and amplifies pulses that originate at the fission chamber.

The logarithmic reactor power signal is monitored by a period circuit which generates an output proportional to the rate of change in reactor power at any given instant.

The device includes adjustable bistable trip circuits for local and remote alarms and isolated current outputs for display by other devices.

The NLW operates Both modes generate an analog voltage. The summing amplifier adds both voltages and generates the log power signal. An offset adjustment is provided, but is usually set to 0V. The log power signal is sent to the digital interface board for display.

For self-test and calibration purposes, a circuit is provided whose output is a linear ramp. The ramp is adjusted to 0.145V/s, corresponding to a period of 3 seconds. When applied to the differentiator circuit, the period gain circuit can be adjusted. While in test modes (except period test) or pulsed power operation, the period trip lock circuit prevents generation of the period signal.

The NLW-1000 module is packaged in a flameproof steel and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a fission chamber and contains ten major subassemblies: Motherboard, Log Count Rate Board, Log Current Board, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, HV Power Supply, and PA-1000 Preamplifier.

1.3.4.1 Motherboard

Refer to schematic T3301111[13] for circuit details.

The NLW motherboard serves as the backplane for all NLW printed wiring assemblies (PWAs) (daughter cards). It provides the power for all daughter cards and HV power supply. It contains some circuitry for monitoring voltage levels and range indicators. The power summing amplifier and period measurement circuitry are also on the motherboard. Connections between all daughter cards and peripheral devices such as the display or remote connectors are made via the motherboard. Incoming signal lines for control signals originating at the remote connector on the rear panel are protected by a resistor/diode network.

Outgoing signals are generally isolated via relays, opto-isolators, or other methods.

Both modes generate an analog voltage. The summing amplifier adds both voltages and generates the log power signal. An offset adjustment is provided, but is usually set to 0V. The log power signal is sent to the digital interface board for display.

The period signal is derived from the log power signal. A differentiator circuit monitors the rate of change of the log power signal. The NLW-1000 is capable of displaying a range for positive periods of infinity to +3 seconds.

For self-test and calibration purposes, a circuit is provided whose output is a linear ramp. The ramp is adjusted to 0.145V/s, corresponding to a period of 3 seconds. When applied to the differentiator circuit, the period gain circuit can be adjusted. While in test modes (except period test) or pulsed power operation, the period trip lock circuit prevents generation of the period signal.
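The relationship between the 0.145 V/s test ramp and the 3-second period, worked through as an added example (not code from General Atomics or from the CSC software). It assumes a log power scaling of 1 V per decade, which is what makes the two figures above agree; the function names are hypothetical and the sample signals are constructed.

```python
import math

# Assumption (not stated on the page): the log power signal is scaled at
# 1 V per decade, which makes a 0.145 V/s ramp correspond to about 3 s.
VOLTS_PER_DECADE = 1.0
PERIOD_INTERLOCK_S = 3.0  # "less than 3 second period" rod withdrawal inhibit


def slope_v_per_s(times_s, volts):
    """Least-squares slope of the log power voltage over a sample window."""
    n = len(times_s)
    if n < 2 or n != len(volts):
        raise ValueError("need at least two matching samples")
    t_mean = sum(times_s) / n
    v_mean = sum(volts) / n
    num = sum((t - t_mean) * (v - v_mean) for t, v in zip(times_s, volts))
    den = sum((t - t_mean) ** 2 for t in times_s)
    if den == 0:
        raise ValueError("samples must span a non-zero time interval")
    return num / den


def period_s(dv_dt, volts_per_decade=VOLTS_PER_DECADE):
    """Reactor period T (e-folding time) from the slope of the log signal.

    With P(t) ~ exp(t/T) and V = k*log10(P) + c, dV/dt = k / (T * ln 10),
    so T = k / (ln 10 * dV/dt). A flat signal means an infinite period.
    """
    if dv_dt == 0:
        return math.inf
    return volts_per_decade / (math.log(10) * dv_dt)


def rod_withdrawal_inhibited(period):
    """True when a positive period is shorter than the 3 s interlock value."""
    return 0.0 < period < PERIOD_INTERLOCK_S


def log_power_samples(period, p0_watts=100.0, duration_s=2.0, step_s=0.1):
    """Constructed input: log power voltage for power rising on a fixed period."""
    count = round(duration_s / step_s) + 1
    times = [i * step_s for i in range(count)]
    volts = [VOLTS_PER_DECADE * math.log10(p0_watts * math.exp(t / period))
             for t in times]
    return times, volts


def evaluate(period):
    """Recover the period from constructed samples and apply the interlock."""
    times, volts = log_power_samples(period)
    measured = period_s(slope_v_per_s(times, volts))
    return measured, rod_withdrawal_inhibited(measured)


if __name__ == "__main__":
    print("test ramp 0.145 V/s -> period %.3f s" % period_s(0.145))
    for true_period in (10.0, 3.5, 2.0):
        measured, inhibited = evaluate(true_period)
        print("period %.2f s -> withdrawal inhibited: %s" % (measured, inhibited))
```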

Two oscillator circuits generate the self-test signal for the PA-1000. One of them is adjusted to 100 Hz, the other to 100 kHz. Other signals going to the PA-1000 are the discriminator signal, the test control signal, analog +15 Vdc, analog -15 Vdc and ground.

1.3.4.2 Log Count Rate Board

Refer to schematic T3301141[13] for circuit details.

The log count rate board produces an output voltage which increases by +1 Vdc per decade increase in count rate.

1.3.4.3 Log Current Board

Refer to schematic T3321111[13] for circuit details.

The board contains an electrometer, calibration circuitry, a pulse interlock relay, and clamp circuitry.

The incoming voltage signal is routed through the pulse interlock relay to a pair of amplifiers that filter the signal and convert it to a current input to the logarithmic amplifier. The logarithmic amplifier converts this current into a logarithmic voltage output. The pulse interlock relay disconnects the input to the amplifiers when the reactor is pulsed or the NLW is in current self-test modes.

The logarithmic amplifier incorporates a current reference, adjustable offset and gain, as well as temperature compensation.

The output of the log current board is calibrated for 0 to +3 Vdc for a detector current of 1 to 1mA.

Three test circuits provide the capability for self-tests. They are all activated by the microprocessor. The low current circuit is potentiometer adjustable to produce an output from 0 to at least >0.1mA, the high current circuit from 0 to >1mA. Once set, these current levels are fixed in normal operation. The third, the manual current circuit utilizes the user accessible front panel potentiometer to produce an output over the entire range, from 0 to >1mA. The manual current circuit only feeds into the log current board and is designed to test the upper power range on the log scale, from about 0.1% to greater than 100% power.

1.3.4.4 Trip/Alarm Board

Refer to schematic T3301131[13] for circuit details.

The trip/alarm board contains six identical circuits to generate all trip and alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the tripped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset.

Every trip has a DPDT (Form C) relay that the user can connect to via the remote connectors. The relay is controlled by the output of the comparator and the operate signal. Taking the NMP-1000 out of operate mode (such as during a self-test) will immediately activate all trip relays. This is considered the failsafe condition, when all trips are set and latched, but not necessarily indicated by the front panel LEDs or remotely.

The trip logic signal (comparator output) is only activated when the comparator input exceeds its setpoint.

Simply taking the NLW-1000 out of operate mode will not activate the trip logic signal. The front panel LEDs, opto-isolator outputs, and Ethernet indications are driven by the trip logic signal, and so will only indicate a trip when the comparator input exceeds the setpoint.
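A behavioural model of one trip circuit, added here as an illustration and not taken from the instrument's design documents. Class and field names are hypothetical, the voltages are constructed, and the model assumes the relay path latches when the operate signal is removed, following "all trips are set and latched" above.

```python
from dataclasses import dataclass
from enum import Enum


class Jumper(Enum):
    RISING = "rising"    # trips when the signal exceeds the reference
    FALLING = "falling"  # trips when the signal falls below the reference


@dataclass
class TripCircuit:
    """One of the six identical bistable circuits (hypothetical model names)."""
    name: str
    jumper: Jumper
    reference_v: float           # potentiometer-set reference voltage
    trip_logic: bool = False     # latched comparator output: LEDs, opto-isolators, Ethernet
    relay_tripped: bool = False  # latched relay path: Form C relay coil de-energized

    def update(self, signal_v: float, operate: bool) -> None:
        """Apply one input sample together with the module's operate signal."""
        if self.jumper is Jumper.RISING:
            beyond = signal_v > self.reference_v
        else:
            beyond = signal_v < self.reference_v
        if beyond:
            self.trip_logic = True  # only the comparator drives the indications
        if beyond or not operate:
            # Assumption: the relay path latches on loss of operate as well,
            # following "all trips are set and latched" in the text.
            self.relay_tripped = True

    def reset(self) -> None:
        """User reset: the only way to clear either latch."""
        self.trip_logic = False
        self.relay_tripped = False

    @property
    def relay_energized(self) -> bool:
        return not self.relay_tripped

    @property
    def unindicated_trip(self) -> bool:
        """Relay contacts in the tripped state while no indication is raised."""
        return self.relay_tripped and not self.trip_logic


def run_sequence(circuit, steps):
    """Replay (label, signal_v, operate, reset_first) steps; return a state trace."""
    trace = []
    for label, signal_v, operate, reset_first in steps:
        if reset_first:
            circuit.reset()
        circuit.update(signal_v, operate)
        trace.append((label, circuit.relay_energized, circuit.trip_logic,
                      circuit.unindicated_trip))
    return trace


# Constructed sample inputs: the voltages and the 7.0 V reference are illustrative.
STEPS = [
    ("normal operation",           2.0, True,  False),
    ("signal exceeds reference",   8.5, True,  False),
    ("signal back to nominal",     2.0, True,  False),
    ("after user reset",           2.0, True,  True),
    ("self-test, out of operate",  2.0, False, False),
    ("operate restored, no reset", 2.0, True,  False),
    ("after second user reset",    2.0, True,  True),
]

if __name__ == "__main__":
    circuit = TripCircuit("trip 1", Jumper.RISING, 7.0)
    for row in run_sequence(circuit, STEPS):
        print("{:<27} relay_energized={!s:<5} trip_logic={!s:<5} unindicated={}".format(*row))
```

In the fifth and sixth steps the relay is de-energized while `trip_logic` stays clear, which is the condition the text describes as not necessarily indicated by the front panel LEDs or remotely.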

The instrument has six (6) bistable trips. The analog relays are held energized in a fail-safe condition until an alarm (or loss of power) de-energizes the coil. The trips for the NLW-1000 actuate interlocks and are listed in Table 4. The loss of high voltage trip signal is sent to the CSC, which in turn enforces the control rod interlock required for loss of HV to the channel. The period signal from the NLW-1000 is sent to the CSC, which uses this signal to determine whether to enforce the less than 3 second period control rod interlock and also as an input to the automatic mode control PID algorithm. The greater than 1 kW Pulse Interlock uses one of the NLW-1000 analog bistable trips as an interlock for operation in Pulse Mode. The CSC reads the bistable trip signal and uses software to enforce the interlock.

Table 4 - List of Interlocks Associated with the NLW-1000

Trip Function Trip Action

Control Rod Withdrawal Inhibit HV Low Interlock 20% loss of HV (software enforced)

Control Rod Withdrawal Inhibit Period Interlock < 3 seconds (software generated)

Pulse Mode Interlock Pulse Interlock > 1 kW Pulse Interlock (hardware/software enforced)

1.3.4.5 Isolation Amplifier Board

Refer to schematic T3133111[13] for circuit details.

The isolation amplifier board houses two isolated outputs that can be jumper configured for either voltage or current output. The isolators are commercially available voltage to current converters. The converters provide 1500Vrms galvanic isolation. Output A is set for power level, and Output B is set for period.

Adjustment potentiometers allow the isolators to be calibrated for offset and span. The isolation amplifiers provide a 4 to 20 mA or 0 to +10 Vdc output that is available to the user via the remote connectors. These isolated outputs provide the analog signals to the bargraphs and videographic recorders mounted in the control console.

1.3.4.6 Digital Interface Board

Refer to schematic T3133301[13] for circuit details.

The digital interface board houses the microprocessor and circuitry that interfaces with the other boards.

It contains power supplies for digital power, A/D converters, communications circuitry, and the watchdog timer. The microprocessor is part of the microprocessor assembly, a commercially available microprocessor with integrated memory, Ethernet communication, and other peripherals.

A watchdog timer (WDT) monitors the activity of the microprocessor on the digital interface board. If the WDT receives no input from the microprocessor for more than 1.6 seconds, the WDT sends an alarm and takes the module out of operate. When a WDT alarm occurs, the heartbeat LED will stop blinking, the loss of communications will cause all trips to set (and thus cause a reactor scram), and the console WDT Alarm will occur. A WDT alarm is latching in the instrument and can only be reset by cycling power. A WDT alarm is expected to be an extremely rare event.

1.3.4.7 Display Module

The display on the front of the module is a Monochrome LCD Display with white LED backlight. The display has a viewing area of 3.8 inches (diagonal) and a resolution of 320 X 240 (QVGA). The display includes an integrated touch panel and integrated digital backlight & contrast controls. A complete graphical operating system that executes graphical user interface (GUI) applications

1.3.4.8 Front Panel Board

Refer to schematic T3400121[13] for circuit details.

The front panel board houses the red LED indicators for all trips that are activated by the trip/alarm board.

The remote/local switch lets the user control whether the module is in remote or local mode. A green LED indicator is wired in the circuit with the switch. The LED is lit when the module is in remote mode. A potentiometer lets the user manually control the current in test mode. This potentiometer is accessible with a knob on the front panel.

1.3.4.9 HV Power Supply

The 4W high voltage (HV) power supply (T3322000-001) is powered from +24 Vdc and can supply up to 1,000 Vdc. An internal sense circuit returns 0 to +/-1 Vdc for an output of 0 to +/-1,000 Vdc. Circuitry on the motherboard amplifies this sense voltage and flips polarity if necessary to provide +10 Vdc at maximum output. Additional circuitry is connected to the sense line to enable the HV self-test. A potentiometer located on the motherboard lets the user manually adjust the HV output. Some additional filtering is provided on the motherboard.

1.3.4.10 PA-1000 Preamplifier Board

Refer to schematic T3371101[13] for circuit details.

The PA-1000 is a high gain amplifier that is designed to connect to a fission chamber. It processes the signals from the fission chamber and sends the resulting pulses to the NLW for counting. The PA-1000 is configured to work with a one port fission chamber and as such, it extracts the signal directly from the high voltage supply.

The amplifier section is followed by a discriminator that incorporates a high speed comparator. It is used to compare the height of the amplified neutron pulses with the discriminator level supplied by a circuit on the NLW-1000 motherboard. Any pulses that exceed this discriminator level are processed and sent to the NLW-1000 for counting via a driver circuit.

In self-test mode, the PA-1000 receives a count rate high or count rate low signal (pulse train) from the NLW-1000 motherboard. Frequencies are usually set to 100 kHz and 100 Hz. The PA-1000 uses these signals to generate an input to the amplifier stages just as a detector signal would, to be counted by the NLW-1000. A separate control signal disables the input from the detector while the self-tests are active.

1.3.5 Safety Analysis

The NLW-1000 is one of two new channels that have replaced the NM-1000. The NLW-1000 has been designed and manufactured to meet or exceed the requirements of the previous NM-1000. The NLW-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the NLW-1000 will be as dependable as the NM-1000.

The NLW-1000 provides the Greater than 1 kW Pulse Interlock. This interlock prevents operation in Pulse Mode when reactor power is greater than 1 kW. In the event of a failure of this interlock, pulsing operations are also administratively controlled with standard operating procedures (SOP) and checklists.

Therefore, a failure of pulse mode interlock is of minimal consequence.

The NLW-1000 provides the reactor period signal to the CSC which in turn enforces (via software) the Less than 3-second period interlock protection.

Uncontrolled withdrawal of a control rod may be caused by operator error or equipment malfunction.

The automatic mode allows for the simultaneous withdrawal of all three standard control rods. Normally, a less than 3 second period interlock limits the reactivity insertion rate; however, in the event that the NLW-1000 fails in such a way that the 3-second period interlock is rendered non-functional (e.g., the NLW-1000 provides an erroneous period signal to the CSC), a ramp reactivity insertion accident may occur.

Scenarios initiating at a power level of 100 watts and 1 MW are analyzed.

It is assumed that the new standard control rod drive mechanisms are withdrawing all 3 standard control rods at the maximum speed of 0.5 inches/second. The high power scram setpoint is assumed to be at the technical specification maximum of 1.1 MW, and the maximum delay time between reaching the scram setpoint and the start of the insertion of all control rods is assumed to be 0.5 seconds. This delay allows for the closure of relay contacts and the bleeding off of the magnetic field from the control rod drive magnets.

For a single delayed neutron group model with the prompt jump approximation, a linear (ramp) reactivity increase results in the following equation for power as a function of time:

() 1+

=

0 where: () = power at time (0) = initial power level

= total delayed neutron fraction = 0.007

= one group decay constant = 0.405 1

= time (sec)

= linear insertion rate if reactivity ( 1 )

Representative data for the standard control rods are given in Table 5.

Table 5 - Representative Data for the Standard Control Rods

Standard Control Rod | Differential Rod Worth in Critical Region ($/inch) | Insertion Rate ($/sec)

Regulating

Safety

Shim

TOTAL

It is also assumed that the less than 3-second period interlock is non-functional.

The first scenario starts at an initial low power of 100 watts. It is calculated that reactor power will reach the scram setpoint of 1.1 MW in 2.52 seconds with a maximum reactivity insertion of $1.19, well below the maximum pulse reactivity pulse limit of $3.50.

The second scenario starts at an initial high power of 1.0 MW. It is calculated that reactor power will reach the scram setpoint of 1.1 MW in 0.22 seconds with a maximum reactivity insertion of $0.284, also well below the maximum pulse reactivity pulse limit of $3.50.

Therefore, from the analysis above, it is concluded that the failure of the NLW-1000, which renders the 3-second period interlock nonfunctional, is of minimal consequence.

The NLW-1000 provides, independently, both an analog signal and a digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level and reactor period. In addition, the reactor operator also receives power indication from the NP-1000, NPP-1000, NMP-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel, along with the console display screen. Therefore, in the case that erroneous information is being provided by the NLW-1000, there are five other channels that the operator can use for power level verification.

It is concluded that the NLW-1000 will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.3.6 Technical Specifications

With the exception of a minor change to the wording for TS 4.2.2 (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires one Log Power Channel for steady-state mode.

The NLW-1000 satisfies this requirement.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, does not require any scrams for the NLW-1000.

Table 3 Minimum Reactor Safety System Interlocks, requires an interlock for:

(1) Withdrawal of any control rod if reactor period is less than 3 seconds

(2) Any rod withdrawal if high voltage is lost to the operational channel

(3) Pulse initiation at power levels greater than 1 kW.

4.2.2 Reactor Safety Systems Specifications

b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the NM-1000 are applicable and appropriate for the NLW-1000.

1.3.7 Quality Assurance

NLW-1000 Software Requirements Specification T9S900D970-SRS[3]

This document defines the software requirements for the Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electronic Systems Inc. (GA-ESI) NLW-1000 monitoring channel.

This document has been developed per the guidance provided in IEEE Standard 830-1998, IEEE Recommended Practice for Software Requirements Specifications. The intended audience of this specification is the engineering, product assurance and management personnel involved in DIB and touchscreen LCD display software development.

The DIB and local touchscreen LCD display software were produced from this specification. The software is used on all NLW-1000 DIBs and touchscreen LCD.

The objectives of the software development are to provide functions, status information, monitor and control hardware, communications, internal and self-test functions per the requirements that have been allocated to the NLW-1000 system.

Acceptance Test Procedure (ATP), Wide-Range Log Module NLW-1000, T3322000-1AT[14]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.3.8 List of Deployments at other Facilities

The NRAD reactor at the DOE Idaho National Laboratory has an NLW-1000 in use. This system was reviewed and approved by the DOE regulatory body.

1.4 NMP-1000 Multi-range Linear Channel - Component 1d

Figure 14 - Picture of Old NM-1000 and New NMP-1000

Figure 15 - Simplified Block Diagram of Old System vs. New System

Figure 16 - Detailed Block Diagram of new NMP-1000

1.4.1 Design Function

The NMP-1000 is designated as the Linear Power Channel. The design functions of the NMP-1000 are:

Measure neutron flux in order to provide multi-range percent linear power indication (0-120%).

Provide bistable trips for scrams/interlocks.

Provide an analog output to the recorder for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

1.4.2 Description of Old

Reference:

GA Operation and Maintenance Manual NM-1000 Neutron Monitoring System, E117-1000, 1989[12]

NM-1000 was designated as the operational channel and consisted of both the multi-range linear channel and the wide range log channel utilizing the signal from one fission chamber. This model, dating back to the late eighties, was obsolete. The NM-1000 was a digital instrument that used software and a microprocessor to calculate values for power and period. The trips then relied on these calculated values.

The original NM-1000 was designed to operate from the source range, through the intermediate range to the power range utilizing a single fission chamber.

The complete channel provided wide range logarithmic and linear outputs covering the entire neutron flux range from source to full power, with a source range output covering the lower six decades and a linear percent power output covering the upper two decades of reactor power.

The original NM-1000 consisted of a fission chamber, amplifier/signal conditioning assembly and a processor/output assembly each mounted in separate large wall mounted enclosures.

The processor assembly consisted of communication electronics (between amplifier and processor), a microprocessor, a control/display module, low voltage power supply and isolated outputs. The processor assembly, using software, calculated reactor power and reactor period. The calculations were then used by the control system console.

1.4.3 Comparison of Old vs. New

The new General Atomics NMP-1000 is one of two instruments that are replacing the old NM-1000.

Specifically, the NMP-1000 replaces the multi-range linear portion of the NM-1000 while the NLW-1000 replaces the wide range logarithmic portion of the NM-1000 and is discussed separately in Section 1.3.

The NMP-1000 uses a new compensated ion chamber. The new NMP-1000 relies on software to conduct auto-ranging and subsequent bistable trips. The NMP-1000 was developed under NQA-1 quality control.

The NMP-1000 provides an analog output to the chart recorder for use at the reactor control console.

1.4.4 Detailed Description of New

Reference:

NMP-1000, Multi-range Linear Module, User Manual, Document T3401000-1UM, Rev C, January 2018[15]

The NMP-1000 is a microprocessor based multi-range linear power module which provides percent reactor power indication and bistable trip circuits. The NMP-1000 module processes current of 1x10^-11 to 1x10^-3 Amperes from a compensated ion chamber. A compensating voltage power supply is provided for use with the compensated ion chamber. The NMP-1000 is an auto-ranging device and will scale itself based on the current power level. The input current is converted into 0 to 10 V in 9 one-decade ranges giving power indication from startup through 120% power on a linear scale (displaying in progressively wider ranges, one decade at a time).

When the NMP-1000 is in auto-ranging mode, the overpower scram only occurs on the highest range (i.e., 100% full power), whereas when the range is selected by the operator, a scram occurs at 110% of that specific range. The appropriate decade is selected either automatically by software (auto-ranging mode) or by the user (manual ranging mode) via the touch screen display or by a remote input.

The NMP-1000 module is packaged in a flameproof steel and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a compensated ion chamber and contains nine major subassemblies: Motherboard, Analog Amplifier, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, HV Power Supply, and Compensation Power Supply.

1.4.4.1 Motherboard

Refer to schematic T3400111[15] for circuit details.

The motherboard of the NMP-1000 serves as the backplane for all NMP-1000 printed wiring assemblies (PWA) (i.e., daughter cards). It provides the power for all daughter cards and HV power supply and compensation power supply. Connections between all daughter cards and peripheral devices such as the front panel display and remote connectors are made via the motherboard. It also contains the electrometer measuring detector current and circuitry to generate various test signals for the self-test functions.

Incoming signal lines for control signals originating at the remote connector on the rear panel are protected by a resistor/diode network. Outgoing signals are isolated via relays, opto-isolators, or other methods.

1.4.4.2 Analog Amplifier

Refer to schematic T3400131[15] for circuit details.

The analog amplifier board measures the incoming current signal from the detector and converts it into a linear analog voltage in nine one-decade ranges. For every decade of current, the analog board returns a 0 to +10 Vdc signal. Because the NMP-1000 is designed to measure power up to 120% of nominal reactor power, an output voltage of +10 Vdc represents 1.2x nominal current in every decade (e.g. 120nA or 1.2mA).

At the heart of the analog amplifier board is a high input impedance operational amplifier. For every decade of current, a relay switches in the appropriate feedback resistor to generate the expected output signal. The 1x10^-11 range is the default range and is always active. Other ranges are switched into the circuit in parallel as determined by the microprocessor. Every range has an adjustment potentiometer that allows for calibration of the circuit. The high impedance amplifier is followed by a buffer amplifier with an adjustable gain potentiometer.

Three self-test circuits are located on the analog board: calibration low, calibration high, and manual current. The user can initiate these tests via the touch screen or remote connectors. The calibration low circuit will generate a current signal of approximately 0.2mA. It is not adjustable. The calibration high current can be adjusted by the user via a potentiometer and is usually set around 1.2mA. The manual current is adjusted with a potentiometer on the front panel of the NMP-1000. The circuit is designed to generate a current from 0 to >1.2mA over the range of the potentiometer.

While any of the test modes are active, a relay disconnects the current input from the detector to the NMP-1000. A signal from the microprocessor activates this relay. This relay can be activated via the Ethernet interface or via a remote connector.

1.4.4.3 Trip/Alarm Board

Refer to schematic T3301131[15] for circuit details.

The trip/alarm board contains six identical circuits to generate all trip and alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the tripped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset.

Every trip has a DPDT (Form C) relay that the user can connect to via the remote connectors. The relay is controlled by the output of the comparator and the operate signal. Taking the NMP-1000 out of operate mode (such as during a self-test) will immediately activate all trip relays. This is considered the failsafe condition, when all trips are set and latched, but not necessarily indicated by the front panel LEDs or remotely.

The trip logic signal (comparator output) is only activated when the comparator input exceeds its setpoint. Simply taking the NMP-1000 out of operate mode will not activate the trip logic signal. The front panel LEDs, opto-isolator outputs, and Ethernet indications are driven by the trip logic signal, and so will only indicate a trip when the comparator input exceeds the setpoint.

The instrument has six (6) bistable trips. The analog relays are held energized in a fail-safe condition until an alarm (or loss of power) de-energizes the coil. The trips will either generate a scram or prevent the withdrawal of the control rods and are listed in Table 6.

Table 6 - List of Trips Associated with the NMP-1000

| Trip Function | Trip Action |
| --- | --- |
| HV Low Interlock 20% loss of HV (software enforced) | Control Rod Withdrawal Inhibit |
| Low Source Count Rate < 0.5 cps (software enforced) | Control Rod Withdrawal Inhibit |
| Overpower (steady-state) 110% | Scram |

1.4.4.4 Isolation Amplifier Board

Refer to schematic T3133111[15] for circuit details.

The isolation amplifier board houses two isolated analog outputs that can be jumper configured for either voltage or current output. The isolators are commercially available voltage to current converters. The converters provide 1500 Vrms galvanic isolation. Adjustment potentiometers allow the isolators to be calibrated for offset and span. The isolation amplifiers provide a 4 to 20 mA or 0 to +10 Vdc output that is available to the user via the remote connectors. These isolated outputs provide the analog signals to the bargraphs and recorders mounted in the control console.

1.4.4.5 Digital Interface Board

Refer to schematic T3133301[15] for circuit details.

The digital interface board houses the microprocessor and circuitry that interfaces with the other boards. It contains power supplies for digital power, A/D converters, communications circuitry, and the watchdog timer. The microprocessor is part of the microprocessor assembly, a commercially available microprocessor with integrated memory, Ethernet communication, and other peripherals.

A watchdog timer (WDT) monitors the activity of the microprocessor on the digital interface board. If the WDT receives no input from the microprocessor for more than 1.6 seconds, the WDT sends an alarm and takes the module out of operate. When a WDT alarm occurs, the heartbeat LED will stop blinking, the loss of communications will cause all trips to set (and thus cause a reactor scram), and the console WDT Alarm will occur. A WDT alarm is latching in the instrument and can only be reset by cycling power. A WDT alarm is expected to be an extremely rare event.

1.4.4.6 Display Module

The display on the front of the module is a Monochrome LCD Display with white LED backlight. The display has a viewing area of 3.8 inches (diagonal) and a resolution of 320 X 240 (QVGA). The display includes an integrated touch panel and integrated digital backlight & contrast controls. A complete graphical operating system that executes graphical user interface (GUI) applications

1.4.4.7 Front Panel Board

Refer to schematic T3400121[15] for circuit details.

The front panel board houses the red LED indicators for all trips that are activated by the trip/alarm board.

The remote/local switch lets the user control whether the module is in remote or local mode. A green LED indicator is wired in the circuit with the switch. The LED is lit when the module is in remote mode. A potentiometer lets the user manually control the current in test mode. This potentiometer is accessible with a knob on the front panel. Two recessed potentiometers, accessible via the front panel with an adjustment tool, let the user adjust the compensation power supply voltage on the NMP-1000.

1.4.4.8 HV Power Supply

The 4W high voltage power supply is powered from +24 Vdc and can supply up to +1,000 Vdc. An internal sense circuit returns 0 to +1 Vdc for an output of 0 to +1,000 Vdc. Circuitry on the motherboard amplifies this sense voltage to +10 Vdc at maximum output. Additional circuitry is connected to the sense line to enable the HV self-test. A potentiometer located on the motherboard lets the user manually adjust the HV output.

1.4.4.9 Compensation Power Supply

The compensation power supply (T3401000-002) produces an output voltage from -8 to -50 Vdc. The +5 Vdc input power is derived from the +15 Vdc analog supply and a linear regulator. The output of the compensation power supply is controlled by a 0 to +3 Vdc programming voltage that can be adjusted by the user with potentiometers accessible on the front panel of the NMP-1000. The compensation power supply is short circuit protected with two external resistors. A voltage sense circuit monitors the output and returns 0 to +10 Vdc for 0 to maximum output voltage. To accommodate a variety of detection systems and user situations, three different compensation power supplies are available:

1.4.5 Safety Analysis

The NMP-1000 is one of two new channels that have replaced the NM-1000. The NMP-1000 has been designed and manufactured to meet or exceed the requirements of the previous NM-1000. The NMP-1000 has undergone rigorous testing and NQA-1 quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the NMP-1000 will be as dependable as the NM-1000.

Figure 17 - Location of the New NMP-1000 Compensated Ion Chamber

The NMP-1000 uses a new compensated ion chamber (CIC) to measure the neutron flux. The new CIC is located excore and adjacent to the NP-1000. The location was chosen so that there is no interference with other reactor systems and components, such as the control rods. Also of importance is that the new CIC would not shadow any of the other nuclear instruments. Being located adjacent to the NP-1000 allows for the verification and validation of the new CIC with a proven power channel.

The NMP-1000 provides overpower scram protection at power levels 110% along with a scram due to loss of high voltage to the ion chamber.

The NMP-1000 provides the control rod withdrawal interlock for count rates less than 0.5 cps. This interlock, which requires a minimum count rate to be measured by the NMP-1000, ensures that there are sufficient source neutrons to bring the reactor critical under controlled conditions. A failure of the NMP-1000 that renders this interlock non-functional could lead to an uncontrolled withdrawal of the standard control rods, resulting in a ramp reactivity insertion accident. This would be bounded by the analysis presented in Section 1.3.5.

Therefore, from the analysis above, it is concluded that the failure of the NMP-1000 which renders the less than 0.5 cps interlock non-functional is of minimal consequence.

The NMP-1000 provides, independently, both an analog signal and digital signal to the control console for display by both the recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level and reactor period. In addition, the reactor operator also receives power indication from the NP-1000, NPP-1000, NLW-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen.

Therefore, in the case that erroneous information is being provided by the NMP-1000, there are five other channels that the operator can use for power level verification.

It is concluded that the NMP-1000 will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.4.6 Technical Specifications

With the exception of a minor change to the wording for TS 4.2.2 (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires one Linear Power Channel for steady-state mode.

The NMP-1000 satisfies this requirement for steady-state mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, does not require any scrams for the NMP-1000.

4.2.2 Reactor Safety Systems Specifications

b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the NM-1000 are still applicable and appropriate for the NMP-1000.

1.4.7 Quality Assurance

The NMP-1000 was developed and tested in accordance with ANS/ASME NQA-1-2000, Quality Assurance Requirements for Nuclear Facility Applications[16]. Performance of these additional quality assurance activities should support use of the NMP-1000 as digital safety equipment.

NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A[17]

This document defines the software requirements for the Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electronic Systems Inc. (GA-ESI) NMP-1000 monitoring channel.

This document has been developed per the guidance provided in IEEE Standard 830-1998, IEEE Recommended Practice for Software Requirements Specifications. The intended audience of this specification is the engineering, product assurance and management personnel involved in DIB and touchscreen LCD display software development.

The DIB and local touchscreen LCD display software were produced from this specification. The software is used on all NMP-1000 DIBs and touchscreen LCD.

The objectives of the software development are to provide functions, status information, monitor and control hardware, communications, internal and self-test functions per the requirements that have been allocated to the NMP-1000 system.

GA Acceptance Test Procedure (ATP), NMP-1000, Nuclear Power Instrument, T3401000-1AT[18]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.4.8 List of Deployments at other Facilities

The NRAD reactor at the DOE Idaho National Laboratory has three NMP-1000 units in operation, with a 2-of-3 scram logic implemented. This system was reviewed and approved by the DOE regulatory body.

1.5 NFT-1000 Fuel Temperature Channels - Component 1e

Figure 18 - Picture of Old Fuel Temperature Channels and New NFT-1000

Figure 19 - Simplified Block Diagram of Old System vs. New System

Figure 20 - Detailed Block Diagram of new NFT-1000

1.5.1 Design Function

The NFT-1000 is designated as the Fuel Temperature Measuring Channels. The design functions of the NFT-1000 are:

Measure fuel temperature in order to provide fuel temperature indication.

Provide an automatic scram(s) on high fuel temperature conditions.

Provide analog outputs to the bargraphs and recorders for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

1.5.2 Description of Old

Reference - GA Operation and Maintenance Manual, E117-1006, 1989[19]

The thermocouple inputs from the instrumented fuel elements (IFE) were conditioned by modules. The signal conditioning modules provided a 4-20 mA output that was proportional to the fuel element temperature. The outputs were then monitored by an high limit trip module. If a temperature exceeded the preset limit setpoint, the contacts on the would open in the scram loop, while a second set of contacts would close in the digital scanner circuit. A fuel temperature scram was provided in both the supply and return legs of the scram loop.

1.5.3 Comparison of Old vs. New

One NFT-1000 instrument housing with three independent channels with the ability to read all three IFE thermocouples simultaneously. The old system utilized two modules to read only two of the three IFEs. The third IFE was not used.

The new NFT-1000 allows for the readout of all three IFE thermocouples with one unit. The only common parts that are shared between the three channels are the power supply, the front panel display, and the housing. If the power supply fails, all trips go to fail-safe condition generating a reactor scram.

1.5.4 Detailed Description of New

Reference:

NFT-1000, Nuclear Fuel Temperature Module, User Manual, Document T3291000-1UM, Rev A, January 2018[20]

The NFT-1000 is a nuclear fuel temperature module that provides fuel temperature indication, bistable trip circuits and outputs to other devices. The module is packaged in a flameproof steel enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module has three independent channels to process inputs from Type K thermocouples. Temperature transducers convert the millivolt inputs from the thermocouples to usable voltage levels that drive bistable trips for local and remote alarms and isolated current or voltage outputs for display by other devices. The NFT-1000 is calibrated to measure temperature from 0 to 1000°C.

The NFT-1000 nuclear fuel temperature monitoring module has a capability to measure and capture pulse data, which is temperature values recorded and stored frequently, for a short period during and after a reactor pulse.

Each of the three channels (A, B, and C) has two bistable trips used to alarm on high temperature. Relays are provided with two sets of contacts for customer use, each set with one normally open and one normally closed pair of contacts. The relays are held energized in a fail-safe condition until an alarm de-energizes the coil.

The NFT-1000 has test modes to allow the user to test the proper performance of the module and to ensure the functionality of all trip circuits. Test modes include High Temp, Low Temp, Manual A, Manual B, and Manual C. All test modes will cause the bistable trip relays to de-energize and alarm. The manual modes allow the user to adjust a front panel potentiometer to cause a bi-stable trip to alarm. Test modes can be enabled via the touch screen or a remote interface.

The module contains six major subassemblies: Motherboard, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, and Front Panel Board.

1.5.4.1 Motherboard

Refer to schematic T3290101[20] for circuit details.

The motherboard serves as the backplane for all NFT-1000 printed wiring assemblies (PWA) (i.e., daughter cards). It provides the power for all daughter cards. Connections between all daughter cards and peripheral devices such as the front panel display, temperature transducers and remote connectors are made via the motherboard. Incoming signal lines for control signals originating at the remote connector on the rear panel are protected by opto-isolators. Outgoing signals are isolated via relays, opto-isolators, or other methods. It contains circuitry to generate various test signals and offset adjustment to the temperature transducers.

Identical setups provide inputs for up to three thermocouples. They are configured as follows. In normal operation, the input signal from a K-type thermocouple lands on the motherboard via the rear panel. The signal is routed through normally closed relays to a temperature transducer mounted inside the instrument. The relays are specifically designed to switch very small signals, such as from a thermocouple.

The transducer returns a voltage that is a representation of the temperature inside the instrumented fuel element. The factory setting is 0 to 10V of transducer output for 0 to 1000°C fuel temperature input.

Following the transducer is an offset adjustment circuit that is used to calibrate out small offset errors.

In self-test mode, the normally closed relays carrying the thermocouple signal open. A second set of relays close and apply a test signal to the transducer. The test signal originates from a circuit that produces voltages in the mV range to simulate the output from a thermocouple. The output of this circuit is adjustable and is capable of simulating any temperature from 0 to 1000°C. The circuit accepts three different test inputs that are enabled by the user via firmware. The selected input signal is applied via solid state relays. Selections are low temp, high temp and manual temp, and all have an adjustment range from 0 to 1000°C.

1.5.4.2 Trip/Alarm Board

Refer to schematic T3301131[20] for circuit details.

The trip/alarm board is an analog board and contains six identical circuits to generate all trip and alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the tripped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset.

Every trip has a DPDT (Form C) relay that the user can connect to via the remote connectors located on the back of the module. The relay is controlled by the output of the comparator and the operate signal.

Taking the NFT-1000 out of operate mode (such as during a self-test) will immediately activate all trip relays. This is considered the failsafe condition, when all trips are set and latched, but not necessarily indicated by the front panel LEDs or remotely.

The trip logic signal (comparator output) is only activated when the comparator input exceeds the setpoint. Simply taking the NFT-1000 out of operate mode will not activate the trip logic signal. The front panel LEDs, opto-isolator outputs, and Ethernet indications are driven by the trip logic signal, and so will only indicate a trip when the comparator input exceeds the setpoint.

The instrument has six (6) bistable trips (two per channel). The analog relays are held energized in a fail-safe condition until an alarm (or loss of power) de-energizes the coil. The trips are listed in Table 7.

Table 7 - List of Trips Associated with the NFT-1000

| Trip Function | Old | New |
| --- | --- | --- |
| High Fuel Temp Channel A | 600 °C | 600 °C |
| High Fuel Temp Channel B | 600 °C | 600 °C |
| High Fuel Temp Channel C | NA | 600 °C |

1.5.4.3 Isolation Amplifier Board

Refer to schematic T3133111[20] for circuit details.

The isolation amplifier board is an analog board that houses two isolated analog outputs that can be jumper configured for either voltage or current output. The isolators are commercially available voltage to current converters. The converters provide 1500 Vrms galvanic isolation. Adjustment potentiometers allow the isolators to be calibrated for offset and span. The isolation amplifiers provide a 4 to 20 mA or 0 to +10 Vdc output that is available to the user via the remote connectors. These isolated outputs provide the analog signals to the bargraphs and recorders mounted in the control console.

1.5.4.4 Digital Interface Board

Refer to schematic T3133301[20] for circuit details.

The digital interface board houses the microprocessor and circuitry that interfaces with the other boards. It also contains power supplies for digital power, A/D converters, communications circuitry, and the watchdog timer. The microprocessor is part of the microprocessor subassembly and is a commercially available microprocessor with integrated memory, Ethernet communication, and other peripherals.

Analog signals are read by a four channel 12-bit A/D converter. The incoming analog signals (+10 Vdc full scale) are divided in half by op-amp circuitry and sent to the A/D converter. The A/D converter communicates with the microprocessor via isolated Serial Peripheral Interface (SPI) bus.

A watchdog timer (WDT) monitors the activity of the microprocessor on the digital interface board. If the WDT receives no input from the microprocessor for more than 1.6 seconds, the WDT sends an alarm and takes the module out of operate. When a WDT alarm occurs, the heartbeat LED will stop blinking, the loss of communications will cause all trips to set (and thus cause a reactor scram), and the console WDT Alarm will occur. A WDT alarm is latching in the instrument and can only be reset by cycling power. A WDT alarm is expected to be an extremely rare event.
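The trip/alarm board and watchdog behaviour described above for both the NMP-1000 and the NFT-1000 can be checked with a small behavioural model. The Python below is an added illustration, not General Atomics firmware or circuitry. The class and function names, the use of three circuits, the 6.0 V setpoint (600 °C at the 0 to 10 V for 0 to 1000 °C factory scaling), the latching of the indication, and the survival of trip latches across a power cycle are assumptions of the model.

```python
from dataclasses import dataclass

WDT_TIMEOUT_S = 1.6  # page: no microprocessor input for more than 1.6 s -> WDT alarm
SETPOINT_V = 6.0     # assumed: 600 degC at 0-10 V for 0-1000 degC


@dataclass
class TripCircuit:
    # One bistable circuit of the trip/alarm board (behavioural model, not a schematic).
    setpoint_v: float             # reference voltage set by the potentiometer
    rising: bool = True           # jumper: rising or falling trip
    indicated: bool = False       # trip logic signal: LEDs, opto outputs, Ethernet
    relay_latched: bool = False   # relay trip latch (coil de-energized when set)

    def comparator(self, signal_v):
        return signal_v > self.setpoint_v if self.rising else signal_v < self.setpoint_v

    def update(self, signal_v, operate):
        if self.comparator(signal_v):
            self.indicated = True      # assumption: the indication latches as well
            self.relay_latched = True
        if not operate:
            self.relay_latched = True  # fail-safe: set and latched, but not indicated

    def relay_energized(self, operate):
        return operate and not self.relay_latched

    def reset(self, signal_v, operate):
        # A reset only takes effect in operate mode with the input inside its limit.
        if operate and not self.comparator(signal_v):
            self.indicated = False
            self.relay_latched = False


class Module:
    def __init__(self, circuits):
        self.circuits = circuits
        self.signals_v = [0.0] * len(circuits)
        self.self_test = False
        self.wdt_alarm = False     # latching; cleared only by power_cycle()
        self.since_kick_s = 0.0

    @property
    def operate(self):
        return not self.self_test and not self.wdt_alarm

    def kick(self):
        self.since_kick_s = 0.0    # heartbeat; never clears a latched WDT alarm

    def step(self, dt_s, signals_v):
        self.since_kick_s += dt_s
        if self.since_kick_s > WDT_TIMEOUT_S:
            self.wdt_alarm = True
        self.signals_v = list(signals_v)
        for circuit, volts in zip(self.circuits, self.signals_v):
            circuit.update(volts, self.operate)

    def reset(self):
        for circuit, volts in zip(self.circuits, self.signals_v):
            circuit.reset(volts, self.operate)

    def power_cycle(self):
        # Assumption: trips stay latched through the power cycle and still need a reset.
        self.wdt_alarm, self.since_kick_s = False, 0.0

    def status(self):
        loop_closed = all(c.relay_energized(self.operate) for c in self.circuits)
        return loop_closed, [c.indicated for c in self.circuits]


def demo():
    # Constructed scenario; returns {label: (all relays energized, indications A/B/C)}.
    m = Module([TripCircuit(SETPOINT_V) for _ in range(3)])
    normal, hot_b = [3.0, 3.0, 3.0], [3.0, 6.5, 3.0]   # constructed input voltages
    log = {}

    def run(label, signals, dt_s=0.5, kick=True, reset=False):
        if kick:
            m.kick()
        m.step(dt_s, signals)
        if reset:
            m.reset()
        log[label] = m.status()

    run("normal", normal)
    run("B over setpoint", hot_b)
    run("B back to nominal", normal)
    run("operator reset", normal, reset=True)
    m.self_test = True
    run("self-test", normal)
    m.self_test = False
    run("back in operate", normal)
    run("reset after self-test", normal, reset=True)
    run("1.5 s since heartbeat", normal, dt_s=1.5)
    run("2.0 s since heartbeat", normal, kick=False)
    run("heartbeat and reset", normal, reset=True)
    m.power_cycle()
    run("power cycle and reset", normal, reset=True)
    return log
```

In the self-test and watchdog steps the relay loop opens while no channel is indicated, which is the "set and latched, but not necessarily indicated" condition the text describes.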

1.5.4.5 Display Module

The display on the front of the module is a Monochrome LCD Display with white LED backlight. The display has a viewing area of 3.8 inches (diagonal) and a resolution of 320 X 240 (QVGA). The display includes an integrated touch panel and integrated digital backlight & contrast controls. A complete graphical operating system that executes graphical user interface (GUI) applications

1.5.4.6 Front Panel Board

Refer to schematic T3400121[20] for circuit details.

The front panel board houses the red LED indicators for all trips that are activated by the trip/alarm board.

The remote/local switch lets the user control whether the module is in remote or local mode. A green LED indicator is wired in the circuit with the switch. The LED is lit when the module is in remote mode.

A potentiometer lets the user manually control the current in test mode. This potentiometer is accessible with a knob on the front panel.

1.5.5 Safety Analysis

The NFT-1000 incorporates the digital to analog conversion into the module while retaining the separation of the analog portion for the performance of the safety related functions. The NFT-1000 maintains its independence from all other power monitoring channels and is hardwired into the Reactor Protection System (RPS) scram loop; therefore, all scram functionality associated with the channel is maintained should malfunctions occur in the digital portion of the instrument or in the console computers.

Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the scrams associated with the NFT-1000 so operation of the reactor beyond the limits defined in the technical specifications and safety analysis report is not possible. For redundancy and diversity in the information provided to the reactor operator by the NFT-1000, a dedicated analog output is directly wired to an updated bargraph display along with an updated recorder, thus ensuring information is available to the reactor operator for the safe operation and monitoring of the reactor and can also be used as a cross-check for the console computer display.

The NFT-1000 has been designed and manufactured to meet or exceed the requirements of the previous system and components. The NFT-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the NFT-1000 will be as dependable as the old system. Nevertheless, the failure of the NFT-1000 is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy and diversity, the failure of the NFT-1000 to perform high fuel temperature protective action would not result in an increase in the consequence of any accident. Any foreseeable failure that impairs the ability of the NFT-1000 to perform its safety function would initiate a fail-safe response and scram the reactor.

The main accident type that the NFT-1000 is designed to mitigate is the insertion of excess reactivity resulting in overpower conditions. This insertion can be either as a step insertion or ramp insertion. The initiating event can be the failure of a high worth experiment, improper fuel element handling, and numerous other types of events that can inadvertently insert excess reactivity into the core. In the safety analysis it is assumed that one of the two safety channels (NP-1000 or NPP-1000) fails while the second channel would act as designed and terminate the insertion. Due to this independence and redundancy in the number of safety channels providing automatic overpower protective actions, the consequences of an excess reactivity insertion accident remain unchanged in the event of a failure of the new NFT-1000.

The NFT-1000 integrated the fuel temperature measuring channels into one common housing. Other than a common power supply, the circuits for each channel are independent. The units are designed to provide redundancy for the automatic high fuel temperature protective action. The reactor scram actions are performed in the analog portion of the units while the digital portion only provides non-safety related functions. Therefore, erroneous software code cannot be a source of common cause failure that would result in a loss of protective actions. In fact, there are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the channels, and diversity designed into the RPS provides a large measure of protection against common cause failures. However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

The NFT-1000 provides, independently, both an analog signal and digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated fuel temperature and thus the corresponding power level. In addition, the reactor operator also receives power indication from the NP-1000, NPP-1000, NLW-1000, and the NMP-1000. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen. Therefore, in the case that erroneous information is being provided by the NFT-1000, there are four other channels that the operator can use for power level verification.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1000 °C remains unchanged with the upgrade to the NFT-1000. The basis for the limit for automatic protective action for the overpower scram is to prevent exceeding the fuel temperature limit. This limit of 600 °C for the scram setpoint limit remains unchanged.

It is concluded that the upgraded NFT-1000 will continue to perform the design function required by this safety channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.5.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires two Fuel Temperature Safety Channels for both steady-state and pulse mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires two scrams for fuel temperature (maximum set point of 600°C).

4.2.2 Reactor Safety Systems Specifications

b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.

4.2.3 Fuel Temperature Specifications

a. A channel check of the fuel temperature scrams shall be made each day that the reactor is to be operated.
b. A channel calibration of the fuel temperature measuring channels shall be made annually, not to exceed 15 months.
c. A weekly channel test shall be performed on fuel temperature measuring channels, whenever operations are planned.

d. If a reactor scram caused by high fuel element temperature occurs, an evaluation shall be conducted to determine whether the fuel element temperature exceeded the safety limit.

The surveillance specifications and periodicities listed in TS Section 4.2.2 and TS Section 4.2.3 that pertain to the old NFT system and components are still applicable and appropriate for the NFT-1000.

1.5.7 Quality Assurance

NFT-1000 Software Requirements Specification T3297960-SRS Rev A[21]

This document defines the software requirements for the NFT-1000 Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electromagnetic Systems Inc. (GA-EMS) TRIGA radiation monitoring channel similar to the existing NP-1000, NPP-1000, NMP-1000 and NLW-1000 channels. For generality, software belonging to the NFT-1000 DIB will be called NI Software in this document.

The NI Software was produced from this specification. The software will be common on all NFT-1000 DIBs and touchscreen LCD displays. The objective of the software produced is to provide the functions, status information, monitoring and control of hardware, Ethernet/serial communications, internal tests and self-test functions per the requirements that have been allocated to the NFT-1000 system.

GA Acceptance Test Procedure (ATP), NFT-1000, Nuclear Power Instrument, T3291000-1AT[22]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.6 Scram Loop - Component 1f

Figure 21 - Picture of the Scram Loop and Major Components

Figure 22 - Detailed Schematic of the Scram Loop

1.6.1 Design Function

The design function of the scram loop is to de-energize both the magnets for the standard control rods and the solenoid for the transient rod air, causing the control rods to insert into the core placing the reactor in a safe shutdown condition. This is in response to either automatic or manual actions for certain abnormal reactor operating conditions.

1.6.2 Description of Old

Reference - GA Operation and Maintenance Manual, E117-1006, 1989[19]

The old scram logic circuitry involves a set of open-on-failure logic relay switches in series. Any scram signal or component failure in the scram logic results in a loss of control rod magnet power and a loss of air to the transient rod cylinder, resulting in a reactor scram. The loop consisted of contacts that were operated by both analog circuits (e.g., NP-1000) and digital circuits (e.g., watchdog alarms).

1.6.3 Comparison of Old vs. New

The old and new scram loops operate in a similar manner. Both were a set of relay contacts arranged in a loop. When any relay is de-energized, the contact for the relay would open, breaking the loop causing both the magnets for the control rods and the solenoid for the transient rod air to de-energize thereby scramming the reactor. Table 8 below compares the contacts of the old scram loop to the new scram loop.

Additional contacts are added, some for redundancy, others as spares.

Table 8 - Comparison of Old vs. New Scram Loop Contacts

Scram Contacts
Old | New
Steady-state timer (hardware) | Steady-state timer (software)
Pulse timer (hardware and software) | Pulse timer (software)
Manual scram button (hardware) | Manual scram button (hardware)
Console Key to OFF (hardware) | Console Key to OFF (hardware)
Reactor Permissive ROX (FIS) | Reactor Permissive ROX (FIS)
Loss of AC Power | Loss of AC Power to the UPS
NP-1000, %PWR (hardware) | NP-1000, %PWR (hardware)
NPP-1000, %PWR, NVT (hardware) | NPP-1000, %PWR, NVT (hardware)
NP-1000, HV (hardware) | NP-1000, HV (hardware)
NPP-1000, HV (hardware) | NPP-1000, HV (hardware)
NMP HV, %PWR (hardware and software)
NFT-1000 #1 (hardware) | NFT-1000 #1 (hardware)
NFT-1000 #2 (hardware) | NFT-1000 #2 (hardware)
NFT-1000 #3 (hardware)
Low Pool Level | Low Pool Level (hardware)
DAC WDT | UIT WDT (software)
CSC WDT | CCS WDT (software)
Software (software)
EXT 1 (not used)
EXT 2 (not used)
EXT 3 (not used)

1.6.4 Detailed Description of New

Reference: T3A100E800-000, T3A300E150, T3A300E151[23]

The Reactor Protection System initiates a reactor scram in response to a trip signal being generated by one of the sensors in the scram loop, a manual scram signal from the reactor operator, or a scram demand by the control system console. It does so by interrupting the current to the electromagnets that link the control rods to the control rod drives and by removing power from the transient rod air solenoid valve. The magnets release the control rods, which fall into the core by gravity. All scram conditions are automatically indicated on the console displays.

The new scram loop consists of a set of normally open relay switches wired in series. Power for both the control rod magnets and the solenoid for the air supply of the transient rod is provided by the scram loop.

Under normal conditions, i.e. no scrams in demand, the relay contacts are held closed by power applied to the coil. When a scram occurs, the power to the coil is removed and the contact opens. The scram loop is designed to be fail-safe, so that in the event of a power failure, or other such failure, the contacts will return to their normally open state, generating a scram. The relays for the scram loop are commercial Form C electromechanical relays mounted on a PWA (printed wiring assembly) board. A total of 24 relays are installed on the board, although not all are currently being used. The coils to the relays are either energized by completely analog circuits, such as the NP-1000, NPP-1000, NFT-1000, etc., or by digitally controlled circuits, such as the watchdog alarms from the control console. Also included in the scram loop are electromechanical relays ( that are controlled by the control console computer.

The relays control contacts for:

1. Software generated scrams
2. Power to each individual control rod
3. Transient air solenoid
4. The key reset scram
5. The key reset for the facility interlock system.

It is important to note that all fuel temperature and high power scrams required by the technical specifications are generated by analog circuits.

Along with the scram loop relays are the K1 and K2 relays. The K1 performs the reset and latching functions, indicates all SCRAMs clear, and completes the circuit that enables the transient rod air solenoid to be activated. The K2 relay is energized when the console key switch is in the ON position and provides the operate signal for the Facility Interlock System. The relays are identical

1.6.4.1 Functions of the Scram Loop Contacts

In the event that an unsafe or abnormal condition occurs, the reactor operator has two scram options from the control console: manual scram push button and magnet power key switch scram.

Manual Scram is a push button labeled SCRAM on the rod control panel. Pushing this button will interrupt current in both the positive and negative legs of the scram loop along with the transient rod air pressure. This is a momentary switch.

Magnet Power Key Switch has three positions: OFF, ON, and RESET. It must be in the ON position to complete the loop and supply current to the magnets. RESET is a momentary contact. It generates a digital input to the software that is only present as long as it is activated by the operator and is used for resetting the loop via the KEY RESET relay. When the reactor is operating, moving the console key to the off or reset position will cause a scram.

The power level scrams ensure the reactor can be shut down prior to the fuel temperature safety limit being exceeded. In the steady state mode, the two channels to perform the high flux scrams are the NP-1000 and NPP-1000. In pulse mode, only the NPP performs a high-power scram, and the NP scram contacts are temporarily bypassed.

The neutron flux detectors rely on a high voltage differential to perform their measurement function. If the high voltage drops significantly, their ability to detect neutrons is inhibited and will result in an underestimation of the neutron flux within the core. Therefore, a loss of high voltage to any of the detectors for high flux safety channels will cause a reactor scram.

NMP-1000 monitors percent reactor power and high voltage (HV) going to the detector. The NMP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power or NMP HV Low) before the reactor is scrammed.

NP-1000 (with Pulse Bypass switch) monitors percent reactor power and HV going to the detector. The NP has to indicate a fault (either sees Trip 1 at 110% reactor power or NP HV Low) before the reactor is scrammed. Note: This contact is bypassed during pulsing reactor operation.

NPP-1000 monitors percent reactor power, HV going to the detector and high neutron flux (NVT). The NPP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power, NPP HV Low or NVT high) before the reactor is scrammed.

CCS and UIT watchdog timers monitor the Linux and Windows computers. If either of the computers fails to send a signal to its WDT at least once approximately every 7 seconds, the respective WDT will time out and a scram occurs. Communication between the system components is necessary for the transmission of information to the operator. In the event of a loss of communication, a watchdog timer will initiate a scram.

Low Pool Level is set when the pool level float switch indicates that the pool level has fallen 6 inches below normal. The reactor pool water ensures adequate radiation shielding to the reactor bay as well as cooling capacity to the reactor. In the event the coolant level drops to 14 feet above the core, a reactor scram is initiated.

NFT1 monitors the temperature for Temp A of the instrumented fuel element. The NFT has to indicate a fault (Temperature 1 is above the High Trip 1, 600°C) before the reactor is scrammed.

NFT2 monitors the temperature for Temp B of the instrumented fuel element. The NFT has to indicate a fault (Temperature 2 is above the High Trip 3, 600°C) before the reactor is scrammed.

NFT3 monitors the temperature for Temp C of the instrumented fuel element.

The fuel temperature scram ensures the reactor can be shut down prior to the fuel temperature safety limit being exceeded. In both the steady-state and pulse modes, at least two fuel temperature channels must be operable. The NFT-1000 instrument provides independent channels for each of three thermocouple inputs. Each channel has separate contacts in the scram loop.

EXTERNAL 1 is an external scram loop input for future use. Note: This input is jumpered.

EXTERNAL 2 is an external scram loop input for future use. Note: This input is jumpered.

EXTERNAL 3 is an external scram loop input for future use. Note: This input is jumpered.

Software is an input that causes a scram when commanded to do so by the CCS computer. It deactivates when communication with any board is interrupted. Note that this is a redundant feature. When the board loses communication with the computer, it will put all relays in a failsafe state, thus scramming the reactor. It also deactivates when the magnet power key switch is turned to the RESET position, thus scramming the reactor.

Scram occurs when the scram timer on the left side status display has expired.

Two types of timed scrams are available to the safety system and work within the scram logic. These are used for experiments which need a predetermined exposure time and to ensure a pulse does not create excessive energy within the fuel.

Steady-state timer causes a reactor scram after a predetermined elapsed time. This value is entered on the control console during steady-state power operations. During a run, the timer may be started and stopped by the operator.

Pulse timer causes a reactor scram when in pulse mode. The timer may be set for a duration shorter than 15 seconds. However, the console will automatically initiate a scram timeout after 15 seconds.

UPS Power Loss is a scram that occurs when AC input power has been lost and the UPS is supplying power to the reactor control system. In the course of normal operations, a UPS unit provides power to the console. The UPS is supplied by building AC power. A loss of supply to the UPS will initiate a scram; however, the console remains on. This enables monitoring of reactor conditions and allows a graceful shutdown of the console computers.

Reactor Permissive Relay is an input from the FIS. If no emergency stops are active and all the facility interlocks are satisfied after a 30-second count down (TIME DELAY), the Reactor Permissive is satisfied.

Emergency stops are provided in each of the exposure rooms to prevent accidental radiation exposures. Additionally, an emergency stop switch exists on the console for the operator to stop door motion and core motion. Any of these switches will initiate an immediate reactor scram and give scram indication to the operator on the console. Once the emergency stop has been activated, it must be cleared by turning the key switch to reset. If the emergency stop was initiated from one of the exposure rooms, the local switch must also be reset. The buttons are push-to-activate and must be manually pulled out to permit operation. Once the reset is activated, the horns in the exposure rooms will activate again with the associated time delay. This reset is required to initiate magnet power and begin inserting reactivity to the core.

Lead shield doors are provided to reduce radiation levels and allow entry to exposure rooms (i.e., core in region 3, doors closed, ok to open ER1). Power for door rotation is transmitted through a set of reduction gears. Each shield door is connected to a reduction gear mounted on the side of the carriage track by a vertical shaft extending from the top of each door. Full travel path takes approximately three minutes (from fully closed to fully open). Once in a fully opened or closed position, limit switches are used to indicate status. These are located on top of the reduction gears and are part of the facility interlock system. The lead shield doors must be fully opened before the core can be relocated outside of a region.

LATCH contact is designed to permanently de-energize the loop after a scram has occurred. This contact is part of K1. The loop will stay de-energized until the operator places the Magnet Power Key Switch to the Reset position.

1.6.4.2 Function of Relay K1

K1 is a socketed four pole, double throw (4PDT) relay. All four of its contacts are wired:

1. One contact latches the coil ON after a Key Reset (HOLD)
2. One contact indicates ALL SCRAMS CLEAR to the computer
3. One contact performs the LATCH function described earlier
4. One completes the circuit that enables the transient rod air solenoid to be activated

After the console is powered up or a scram has occurred, the coil of K1 is de-energized and all wired contacts for K1 are open. When the operator activates the Key Reset switch on the rod control panel, a digital signal is generated and read by the computer. The computer then activates the KEY RESET relay to energize the coil of K1 and all wired contacts close, assuming all scram conditions have been cleared. At this point, the coil of K1 receives power via its own HOLD contact and gets latched in the ON state.

When any of the scram loop contacts open, power to K1 is lost, and the coil is de-energized. All K1 contacts then default to the normally open position, permanently interrupting loop current until a Key Reset is initiated by the operator.
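
The series loop and K1 latch described in 1.6.4.1 and 1.6.4.2, modelled in Python as an added example (not GA or AFRRI code). Class and method names are hypothetical, and it is assumed that a resumed heartbeat clears a watchdog trip, which the text does not state.

```python
from dataclasses import dataclass, field

WDT_TIMEOUT_S = 7.0  # text: heartbeat "approximately every 7 seconds"
WATCHDOGS = ("CCS_WDT", "UIT_WDT")
# Series contacts named in the text. True = coil energized = contact closed.
CONTACTS = ("MANUAL", "KEY_ON", "PERMISSIVE", "UPS_AC", "NP", "NPP", "NMP",
            "NFT1", "NFT2", "NFT3", "LOW_POOL", "SOFTWARE") + WATCHDOGS


@dataclass
class ScramLoop:
    coils: dict = field(default_factory=lambda: dict.fromkeys(CONTACTS, True))
    last_kick: dict = field(default_factory=lambda: dict.fromkeys(WATCHDOGS, 0.0))
    pulse_mode: bool = False  # NP contact is bypassed while pulsing
    k1: bool = False          # K1 coil is de-energized at power-up

    def open_contacts(self):
        """Contacts currently breaking the loop (a bypassed NP is ignored)."""
        return [c for c in CONTACTS
                if not self.coils[c] and not (c == "NP" and self.pulse_mode)]

    def _settle(self):
        # Any open contact removes K1 coil power. K1's HOLD contact then
        # opens too, so closing the contact again cannot re-energize K1.
        if self.open_contacts():
            self.k1 = False
        return self.k1

    def set_coil(self, name, energized):
        if name not in self.coils:
            raise KeyError(name)
        self.coils[name] = energized
        return self._settle()

    def set_pulse_mode(self, on):
        self.pulse_mode = on
        return self._settle()

    def kick(self, wdt, now):
        """Heartbeat from a console computer to its watchdog timer."""
        self.last_kick[wdt] = now
        self.coils[wdt] = True  # assumption: a fresh heartbeat clears the trip
        return self._settle()

    def tick(self, now):
        """Advance time; a watchdog not kicked within the timeout drops out."""
        for wdt in WATCHDOGS:
            if now - self.last_kick[wdt] > WDT_TIMEOUT_S:
                self.coils[wdt] = False
        return self._settle()

    def key_reset(self):
        """Momentary RESET: K1 picks up only if every scram has cleared."""
        self.k1 = not self.open_contacts()
        return self.k1

    @property
    def magnet_power(self):
        return self.k1  # magnets are powered only while K1 is latched


def demo():
    """Constructed scenario; returns (step, magnet_power) pairs."""
    loop, log = ScramLoop(), []
    log.append(("power-up", loop.magnet_power))
    log.append(("key reset", loop.key_reset()))
    log.append(("NFT1 trips", loop.set_coil("NFT1", False)))
    log.append(("NFT1 clears, no reset", loop.set_coil("NFT1", True)))
    log.append(("key reset", loop.key_reset()))
    loop.set_pulse_mode(True)
    log.append(("NP drops while bypassed", loop.set_coil("NP", False)))
    log.append(("leave pulse mode", loop.set_pulse_mode(False)))
    loop.set_coil("NP", True)
    loop.kick("CCS_WDT", 10.0)
    loop.kick("UIT_WDT", 10.0)
    log.append(("key reset", loop.key_reset()))
    loop.kick("UIT_WDT", 16.0)
    log.append(("both watchdogs in time", loop.tick(16.0)))
    log.append(("CCS heartbeat stalls", loop.tick(17.5)))
    log.append(("CCS heartbeat resumes", loop.kick("CCS_WDT", 18.0)))
    loop.set_coil("LOW_POOL", False)
    log.append(("key reset with low pool level", loop.key_reset()))
    return log


if __name__ == "__main__":
    for step, powered in demo():
        print(f"{step:32s} magnet power: {'ON' if powered else 'OFF'}")
```
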

1.6.4.3 Function of Relay K2

K2 is a socketed 4PDT relay that is energized whenever the magnet power key switch is in the ON position. It generates a signal that is used as an interlock in the FIS for satisfying the reactor permissive and shield door movement circuits.

1.6.4.4 Magnet Power and Digital Inputs

Three additional relays are part of the individual magnet loops: SHIM MAG, SAF MAG, and REG MAG. These relays are controlled by the computer and are designed to activate and deactivate magnet power to individual rods. The magnet power can only be activated when K1 has been successfully reset and indicates ALL SCRAMS CLEAR.

1.6.4.5 Ground Fault Detector

The Ground Fault Detector module monitors the loop for a ground fault. If one occurs, it will give an indication to the computer for display on the screen, but it will not trigger a scram.

1.6.5 Safety Analysis

The RPS is automatic and completely independent of other systems, including the reactor control system. All overpower and fuel temperature scram circuits required by the technical specifications are hardwired and do not depend on the CSC computers or any software. The reactor I&C system and RPS are designed such that there are no means available to the reactor operator to bypass the trips so that the reactor can be operated at conditions that are beyond the limits defined by the trip set points.

The RPS, and thus the scram loop, has no known susceptibility to common cause failures other than as a possible result of some undefined internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, and others). As previously noted, the independence of the safety channels and the diversity designed into the RPS provide a large measure of protection against common cause failures. However, it is important to note that even should they occur, common cause failures cannot prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets that connect the control rods and control rod drives, causing the control rods to drop into the core.

The limited actions performed by the RPS are entirely adequate to ensure that the reactor remains safe under all conditions. Once initiated, the actions initiated by the RPS cannot be impaired or prevented by manual intervention and no manual actions are necessary within a short time to supplement the RPS actions. Also, the actions initiated by the RPS are not self-resetting. The reactor operator must clear all scrams before reactor operation can be resumed.

1.6.6 Technical Specifications

With the exception of the wording for the watchdog scram (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

All scrams listed in Table 2 Minimum Reactor Safety System Scrams, are included in the scram loop.

Channel | Maximum Set Point | Effective Mode: Steady-state | Effective Mode: Pulse
Fuel Temperature | 600°C | 2 | 2
Percent, High Flux | 1.1 MW | 2 | 0
Console Manual Scram Button | Closure switch | 1 | 1
High Voltage Loss to Safety Channel | 20% Loss | 2 | 1
Pulse Time | 15 Seconds | 0 | 1
Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3
Pool Water Level | 14 feet from the top of the core | 1 | 1
Watchdog (DAC to CSC) (UIT and CCS) | On digital console | 1 | 1

4.2.2 Reactor Safety Systems Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
e. The emergency stop scram shall be tested annually, not to exceed 15 months.
f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.
g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

Technical Specification 3.2.2, Table 2, Minimum Reactor Safety System Scrams, requires a scram upon 20% or greater loss of high voltage. This specification has never had a companion surveillance specification, so one should be added to Section 4.2.2 of the Technical Specifications.

4.2.3 Fuel Temperature Specifications

a. A channel check of the fuel temperature scrams shall be made each day that the reactor is to be operated.

The surveillance specifications and periodicities listed in TS Section 4.2.2 and TS Section 4.2.3 that pertain to the old unit are still applicable and appropriate for the updated unit.

1.6.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT[24]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.6.8 List of Deployments at other Facilities

All 68 TRIGA reactors ever built utilize a scram loop. The contact inputs may vary slightly from facility to facility, but the concept and the basic technical design are the same for all TRIGA reactors.

1.7 Rod Control and Rod Drives - Component 1g

Figure 23 - Picture of Old and New Control Rod Drive Mechanism

1.7.1 Design Function

The stepper motor control rod drive mechanism is an actuated linear drive equipped with a magnetic coupler and a feedback potentiometer. The design functions of the control rod drive mechanism are:

Position the reactor control rod elements as directed by the reactor operator or control system console computers.

Provide the reactor operator indication of control rod position.

1.7.2 Description of Old Control Rod Drive Mechanisms (CRDM)

NOTE: This only applies to the 3 standard control rod drives designated at AFRRI as safe, shim and reg. The Transient drive was NOT modified during this modification/upgrade.

The original CRDMs were wall-mounted COTS control rod drive mechanisms. The maximum speed of approximately was same for all CRDMs and was set by potentiometer feedback . A variable speed Shim rod allowed speeds of less-than-max for fine automatic mode control.

The combination of the module and motor resulted in a torque vs. speed characteristic of 240 oz-in. of torque at the operating speeds of the control rod drives. The motor drove a pinion gear and a 10-turn potentiometer via a chain and pulley gear mechanism. The potentiometer was used to provide rod position information. The pinion gear engaged a rack attached to the magnet draw tube. The electromagnet was attached to the lower end of the draw tube which engaged with an iron armature attached to the upper end of the connecting rod of the control rod.

A set of three limit switches provided indication of position as follows:

Rod DOWN - Indicated when the control rod was at the lower limit of travel.

Magnet UP - Indicated when the magnet was at the upper limit position and halted the movement of the drive.

Magnet DOWN - Indicated when the magnet was at the lower limit position and halted the movement of the drive.

Position of the control was inferred by a combination of the Rod DOWN and magnet DOWN/UP limit switches.

1.7.3 Comparison of Old CRDM vs. New CRDM

1.7.4 Detailed Description of New CRDM

1.7.4.1 Rod Drive Mechanism

The rod drive mechanism is an motor actuated linear drive equipped with a magnetic coupler and a feedback potentiometer. The purpose of the rod drive mechanism is to position the reactor control rod elements.

The up/down rod control signals, limit switch signals, Rod Position Indication (RPI) information, and magnet power are interconnected between the DAC and control rod by a cable assembly. The rod drive motor control signals are connected to each translator via a second cable assembly.

The maximum speed is the same for the CRDMs and is set by a combination of the All drives are variable speed to allow fine control in automatic mode. Hardware and software settings for rod speeds are only available via password-protected computer access or locked cabinet hardware access.

1.7.4.2

1.7.4.3

The have been replaced with new units. The new units are COTS units that are much smaller and quieter. The new units are located in the DAC.

1.7.4.4

The factory settings are near the maximum values and exceed the requirements for this application. The factory settings are maintained as the systems passed all QA tests, including lifting ability and holding torque sufficient to hold a 35 lb. weight.

1.7.4.5 Potentiometer ( )

The potentiometers have been replaced with new units. The new units are the same model number, wire-wound precision potentiometer/position sensor.

1.7.4.6 Limit Switches ( )

The limit switches have been replaced with new units. The new units are the same model number, limit switches.

The new limit switches work exactly as the old switches did. A set of three limit switches provides indication of position as follows:

Rod DOWN - Indicates when the control rod is at the lower limit of travel.

Magnet UP - Indicates when the magnet is at the upper limit position and halts the movement of the drive.

Magnet DOWN - Indicates when the magnet is at the lower limit position and halts the movement of the drive.

Position of the control rod is inferred by a combination of the Rod DOWN and magnet DOWN/UP limit switches. The functionality of the CRDMs and limit switches remains unchanged and is as follows.

A spring-loaded pull rod extends vertically through a housing and up through the block. The lower end of this rod terminates in an adjustable foot that protrudes through a window in the side of the barrel. The foot is placed so as to be depressed by the armature when the connecting rod is fully lowered. Raising the rod releases the foot, allowing the pull rod to be driven upward by the force of the compression spring.

The top of the pull rod terminates in a fixture which engages the actuating lever on a microswitch. As a result, the microswitch reverses position according to whether or not the armature is at its bottom limit. This microswitch is the rod DOWN switch.

A push rod extends down through the block into the upper portion of the barrel. It is arranged so as to engage the top surface of the magnet assembly when the magnet draw tube is raised to its upper limit. The upper end of the push rod is fitted with an adjustment screw which engages the actuator of a second microswitch. Thus, this microswitch reverses position according to whether the magnet is at or below its full up position. This microswitch is the magnet UP switch.

A bracket, fitted with an adjustment screw, is mounted on top of the magnet draw tube. A third microswitch is arranged so that its actuating lever is operated by the adjustment screw on the bracket. The switch will thus reverse position according to whether the magnet draw tube is at or above its completely inserted position. This microswitch is the magnet DOWN switch.

1.7.5 Safety Analysis

The new control rod drive mechanisms (CRDM) are similar in form to the original units. As with the original system the new system is based on limit switches, stepper motors, stepper drivers, and a voltage to frequency exciter.

The new control rod drive mechanism (CRDM) uses COTS components that have been designed and manufactured to meet or exceed the requirements of the system. The CRDMs have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation process. Due to this, it is expected that the new CRDMs will be as dependable as the old system. Nevertheless, the failure of the CRDMs is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy, and diversity, the failure of the CRDMs to would not result in an increase in the consequence of any accident.

The main type of accident that is associated with the CRDMs is a malfunction that causes the simultaneous withdrawal of all three standard control rods resulting in a ramp insertion of excess reactivity. This accident was previously evaluated and is detailed in the response for the request for additional information (RAI) dated September 30, 2016 (ML16278A111)[25] and is also discussed in the Safety Evaluation Report (SER) dated November 2016 (ML16278A347)[26] prepared by the U.S. Nuclear Regulatory Commission during the most recent license renewal process.

The maximum speed of the new CRDM is hardware limited to The analysis presented in the RAI response, and discussed in the SER, remains valid since the ramp insertion of excess reactivity scenario is mitigated by the three second period interlock and not the speed of the control rods. Further analysis presented in Section 1.3.5 shows that the failure of the 3 second period interlock is of minimal consequence for ramp insertions of excess reactivity. Therefore, this type of accident scenario poses no significant challenge to the integrity of the reactor fuel.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1,000 °C remains unchanged with the upgrade of the CRDMs. The basis for the three second period interlock is to minimize the possibility of exceeding the fuel temperature safety limit.

The potentiometers mounted on the CRDMs provide the analog signal to the CSC to be converted to a digital signal. The CSC then provides the position indication to the reactor operator on the UIT. In the event that this signal becomes corrupt, thereby causing the reactor operator or the CSC computer to inadvertently withdraw the control rods farther than required, power level is bounded by the redundant safety channel scrams. Therefore, a malfunction of the CRDMs that causes erroneous information to be provided to the reactor operator or CSC computer is of minimal consequence.

There are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the safety channels and the diversity designed into the RPS provide a large measure of protection against common cause failures. However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

It is concluded that the new CRDMs will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.7.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. Only the control rod drive mechanisms for the standard control rods were updated. The control rods and the core configuration remain unchanged; therefore, the excess reactivity and shutdown margin remain unchanged. This will be verified as part of the Startup Plan. The control rod drop times along with the interlocks listed in Table 3 of the technical specifications will also be verified as part of the Startup Plan.

The technical specifications that apply to this channel are:

3.1.3 Reactivity Limitations Specification

a. The reactor shall not be operated with the maximum available excess reactivity greater than $5.00 (3.5% Δk/k).
b. The shutdown margin provided by the remaining control rods with the most reactive control rod in the most reactive position shall be greater than $0.50 (0.35% Δk/k) with the reactor in the reference core condition, all irradiation facilities and experiments in place, and the total worth of all non-secured experiments in their most reactive state.

3.2.1 Reactor Control System Specification

b. The reactor shall not be operated unless the four control rod drives are operable except:
a. the reactor may be operated at a power level no greater than 250kw with no more than one control rod drive inoperable with the associated control rod drive fully inserted.
c. The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams does not have any requirements for the control rods.

Table 3 Minimum Reactor Safety System Interlocks requires an interlock for:

Action Prevented | Effective Mode (Steady-state, Pulse)

Pulse initiation at power levels greater than 1 kW | X
Withdrawal of any control rod except transient | X
Any rod withdrawal with count rate below 0.5 cps as measured by the operational channel | X X
Simultaneous manual withdrawal of two standard rods | X
Any rod withdrawal if high voltage is lost to the operational channel | X X
Withdrawal of any control rod if reactor period is less than 3 seconds | X
Application of air if the transient rod drive is not fully down. This interlock is not required in square wave mode. | X

  • Reactor safety system interlocks shall be tested daily whenever operations involving these functions are planned.

4.2.1 Reactor Control Systems Specifications

b. The control rod drop times of all rods shall be measured semiannually, not to exceed 7.5 months. After work is done on any rod or its rod drive mechanical components, the drop time of that particular rod shall be verified.

The surveillance specifications and periodicities listed in TS Section 4.2.1 that pertain to the old CRDMs are still applicable and appropriate for the updated CRDMs.

1.7.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT[24]

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.7.8 List of Deployments at other Facilities

The NRAD reactor at the DOE Idaho National Laboratory has the same updated CRDMs installed. This system was reviewed and approved by the DOE regulatory body.

1.8 Process Instrumentation - Component 1h

1.8.1 Primary Water Temperature Measuring Channels

The primary water temperature is measured at three locations:

  • Above the reactor core inside the core shroud
  • Six inches below the pool surface
  • Water monitor box of the primary water purification system

The water temperature is measured by a resistance temperature sensing element (RTD) in a bridge circuit and has a range of 0 to 100°C. The sensors used are the original sensors in the original locations.

The original system used Action Pak signal conditioners and alarm modules. The new system uses Omega DRF RTD Signal Conditioners. The signal is sent to the CSC to be displayed on the reactor status display.

The CSC also uses the signal to provide a rod withdrawal interlock when the inlet water temperature to the demineralizer is greater than 60°C.

1.8.2 Pool Level Measuring Channel

The level of the reactor tank water is monitored by two independent switches mounted on a common rod and actuated by a float. The first switch activates 1 inch below full pool level and triggers an interlock on the withdrawal of the control rods. The second switch is part of the scram loop and will cause an automatic reactor scram if the water level drops below 6 inches of full pool level. Along with the scram, the second switch will also cause an alarm on the reactor console as well as an audible and visual alarm on the facility hall panel during non-duty hours. The hall panel will alert the security watchman of an unusual situation so that appropriate notifications and actions may be taken.

The float and switches remain unchanged and are mounted in the original location.

1.8.3 Safety Analysis

The process instrumentation reuses all the original sensors in conjunction with new COTS components (signal conditioners and relays) that have been designed and manufactured to meet or exceed the requirements of the old system. The channels have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation process. Due to this, it is expected that the new channels will be as dependable as the old channels. Nevertheless, the failure of a process channel is of minimal consequence since the water temperature and pool level are typically slowly changing parameters where the reactor operator can perform manual actions as appropriate.

It is concluded that the process instrumentation channels will continue to perform their design functions in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.8.4 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to these channels are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires a scram for Pool Water Level at no less than 14 feet from the top of the core.

3.3 Coolant Systems Specification

a. The reactor shall not be operated if the bulk water temperature exceeds 60°C.
c. Both audible and visual alarms shall be provided to alert the AFRRI security guards and other personnel to any drop in reactor pool water level greater than 6 inches.

4.2.2 Reactor Safety Systems Specifications

f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.

4.3 Coolant Systems Specifications

a. The pool water temperature, as measured near the input to the water purification system, shall be measured daily, whenever operations are planned.
d. The audible and visual reactor pool level alarms shall be tested quarterly, not to exceed 4 months.

The surveillance specifications and periodicities listed in TS Section 4.2.2 and TS Section 4.3 that pertain to the old system and components are still applicable and appropriate for the new systems and components.

1.8.5 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT[24]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

2 Facility Interlock System - Component 2

Figure 24 - Picture of Old and New Facility Interlock System Cabinet

2.1 Design Function

The design functions of the Facility Interlock System (FIS) are:

  • Eliminate the possibility of accidental radiation exposure of personnel working in the exposure rooms.
  • Prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud.

These design functions are achieved through the use of interlocks that prevent the rotation (i.e., opening or closing) of the reactor tank shield doors and the movement of the reactor core between different regions unless specific conditions are satisfied.

2.2 Description of Old

The design and implementation of the original Facility Interlock System was to perform the interlock functions listed above. Given the status of core position, reactor tank shield doors, and the exposure room plug doors, physical movement of the reactor was either allowed or prohibited by a logic table.

Emergency stops are provided in each of the exposure rooms to prevent accidental radiation exposures.

The prior system was housed in a stand-alone cabinet. The sensor inputs, relays, indicator lights, and override switch interacted with the control console primarily through a permissive relay contact

2.3 Comparison of Old vs. New

The new Facility Interlock System directly replaces the old Facility Interlock System with new COTS components and wiring.

Components that are new:

  • Cabinet
  • Pilot Lights
  • Relays
  • RC Network (capacitors)
  • Circuit Breakers
  • Fuses
  • Emergency Stop Pushbuttons
  • Horns
  • Horn Bypass Switches
  • Wiring

All functionality remains unchanged. There are no changes to the overall logic of the system. The new FIS remains in a standalone cabinet installed in the same location as the original cabinet. The lights in the new cabinet are much larger for enhanced visibility. Additionally, new relays are rated for 100,000 cycles to ensure performance over a reasonable timeframe.

The exposure room control boxes and status panel have been replaced with new functionally equivalent units. The design of the status panel was updated to make it more readily apparent if it is safe to enter the exposure rooms.

Operator bypass switches have been added to the exposure rooms. The purpose of these switches is to bypass the horns in the ER to accommodate the needs of experiments that are sensitive to noise.

2.4 Detailed Description of New

The FIS consists of a series of limit switches and pushbuttons that enforce a straightforward logic table to perform its function. The FIS interfaces with the control system console and DAC via relays to electrically isolate the various functions. The FIS logic and implementation remain unchanged in the console upgrade; however, the wiring, relays, limit switches, pushbuttons, etc., were replaced with new, readily available, functionally equivalent COTS components.

The FIS interfaces with the console Magnet Power Key Switch to enforce its logic and also sound a horn in the necessary exposure room(s) for 30 seconds when the reactor is about to start operation. The horn may be manually bypassed per AFRRI administrative procedures.

New Components:

2.4.1 Interlocks

Certain facility interlocks must be satisfied before the Scram loop can be completed and the standard control rod magnet power circuits and the transient control rod air circuit can be energized. These interlocks include:

1. The Key Switch must be in the ON position.
2. All emergency stop circuits in the exposure rooms and control system console must be energized.


3. The tank lead shield doors must be fully closed, AND the plug door for the exposure room against which the reactor is to be operated must be closed, AND the reactor must be in the corresponding region.

OR

4. The tank lead shield doors must be fully opened, AND both plug doors for the exposure rooms must be closed.

Once these interlocks have been satisfied, the input to the Scram loop can be satisfied and the control rod magnet and air circuits can be energized. The locations of interlock limit switches for various doors are shown in Figure 25.
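The permissive logic listed above can be written as a small fail-safe evaluator. This is an added example, not the FIS implementation (which the document describes as hard-wired relays and limit switches); the signal names, the region-to-room mapping and the check for disagreeing shield door limit switches are assumptions made for the sketch.

```python
"""Fail-safe model of the scram-loop permissive in section 2.4.1 (added example)."""

# ASSUMPTION, not stated in the document: which core region faces which
# exposure room. Substitute the facility's real mapping before reuse.
REGION_FOR_ROOM = {"ER1": 1, "ER2": 3}

# Hypothetical signal names for the inputs the section lists.
ESTOP_CIRCUITS = ("estop_er1", "estop_er2", "estop_console")

# Constructed sample: shield doors closed, core in region 1, operating against ER1.
SAMPLE_SIGNALS = {
    "key_switch_on": True,
    "estop_er1": True, "estop_er2": True, "estop_console": True,
    "shield_doors_closed": True, "shield_doors_open": False,
    "plug_door_er1_closed": True, "plug_door_er2_closed": True,
    "core_region": 1,
}


def asserted(signals, name):
    """Fail-safe read: only a real boolean True counts as satisfied.

    A missing key (broken wire, dead input card), None, or a stray value
    such as 1 or "on" is treated as NOT satisfied.
    """
    return signals.get(name) is True


def core_in_region(signals, region):
    """True only if the region input is an int equal to `region` (bools rejected)."""
    value = signals.get("core_region")
    return type(value) is int and value == region


def scram_loop_permissive(signals, target_room=None):
    """Evaluate interlocks 1-4 of section 2.4.1.

    Returns (permitted, reasons). `target_room` is the exposure room the
    reactor is to be operated against; it matters only for interlock 3.
    """
    reasons = []

    # Interlock 1: key switch ON.
    if not asserted(signals, "key_switch_on"):
        reasons.append("key switch not ON")

    # Interlock 2: every emergency stop circuit energized.
    for name in ESTOP_CIRCUITS:
        if not asserted(signals, name):
            reasons.append(name + " circuit not energized")

    closed = asserted(signals, "shield_doors_closed")
    opened = asserted(signals, "shield_doors_open")

    if closed and opened:
        # Added conservative check (assumption): both limit switches active
        # means a switch or wiring fault, so neither branch is trusted.
        reasons.append("shield door limit switches disagree")
        return False, reasons

    # Interlock 3: doors fully closed AND target room plug door closed
    # AND core in the region that corresponds to that room.
    interlock_3 = (
        closed
        and target_room in REGION_FOR_ROOM
        and asserted(signals, "plug_door_" + target_room.lower() + "_closed")
        and core_in_region(signals, REGION_FOR_ROOM[target_room])
    )

    # Interlock 4: doors fully opened AND both plug doors closed.
    interlock_4 = (
        opened
        and asserted(signals, "plug_door_er1_closed")
        and asserted(signals, "plug_door_er2_closed")
    )

    if not (interlock_3 or interlock_4):
        reasons.append("neither door/region condition (3 or 4) is satisfied")

    return not reasons, reasons


if __name__ == "__main__":
    print(scram_loop_permissive(SAMPLE_SIGNALS, "ER1"))
    in_transit = dict(SAMPLE_SIGNALS, shield_doors_closed=False)
    print(scram_loop_permissive(in_transit, "ER1"))
```

Shield doors in transit (neither limit switch active) satisfy neither interlock 3 nor interlock 4, so the permissive is withheld until a door limit is reached.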

2.4.2 Reactor Tank Lead Shield Door

The interlocks listed below must be satisfied before the reactor tank lead shield doors can be electrically operated.

The reactor must be in Position 1 or Position 3.

1. The fast neutron (ER2) and thermal neutron exposure room (ER1) plug doors must be closed.
2. The console key switch must be turned to the ON position.
3. All emergency stop circuits in the exposure rooms and console must be energized.

2.4.2.1 To Open Lead Shield Door

1. Momentarily depress the door OPEN button on the Reactor Mode Control Panel. Relay D2MX1 will operate, applying voltage to the delay relay D2T and horn relay D2, both of which lock themselves in via D2. D2 also applies operating voltage to relay HX2 which in turn sounds an audible alarm during the 30 second startup delay period. At the end of the delay period, a normally open D2T contact will close, operating relay D2MX2 which locks itself in with a holding contact.
2. The tank shield doors may be closed even if the key switch is in the OFF position and console power is OFF.
3. At the conclusion of the 30 second delay period, again depress the door OPEN switch on the Reactor Mode Control Panel. Relay D2MX1 and contactor D2M-0 have now been operated, thus initiating rotation of the shield doors to the open position. When the lead shield doors reach their fully open position, switch D20 will actuate, operating relay D20X. A normally closed contact on D20X releases the OPEN contactor D2M-0, stopping the door drive motor.

2.4.2.2 To Close Lead Shield Door

Closing the tank lead shield doors requires that the core be in Position 1 or 3 (in this case Position 1).

1. Depress the door CLOSE button on the Reactor Mode Control Panel. This operates contactor D2M-C which in turn operates the door motor control in the closed direction. When the lead doors are fully closed, limit switch D2C will actuate and operate relay D2CX, whose normally closed contact releases the door contactor, stopping the door drive motor.

Figure 25 - Facility Interlock System (FIS) Interlock Diagram

2.4.3 Core Support Carriage

The Core Support Carriage regions are shown in Figure 25.

Figure 26 - Core Support Carriage Regions

2.4.3.1 Core Support Carriage Movement from Position 3 to Position 1

Once the 30 second startup delay has expired and the lead shield doors are open, the core support carriage can be moved from Region 3 to Region 1 by following the procedure detailed below. The procedure for moving back to Region 1 from Region 3 is similar.

1. Depress the Region 1 switch on the Reactor Mode Control panel or activate the Region 1 foot pedal located on the floor in front of the console. Relay RP1M operates, which in turn operates RPS (carriage motor slow contactor). The carriage will move at a slow speed (1.5 feet per minute) until it is at the inner limit of Position 3. At this point, limit-switch RP3A will actuate, releasing relay RP3AX, which will cause contactor RPS to release and contactor RPF (carriage motor fast contactor) to operate. Now, the carriage will continue to move toward Region 1 but at a faster speed (2.25 feet per minute). When the carriage reaches the inner limit of Region 1, limit-switch RP1A will actuate, operating relay RP1AX, which in turn will release motor contactor RPF. The operation of the relay RP1AX also operates the carriage motor contactor RPS, which again automatically reduces carriage speed to 1.5 feet per minute.
2. To stop the carriage at any point, release the Region 1 switch or foot pedal.
3. The carriage can be moved back and forth within Region 1 with the switch or foot pedal when two operators are present. Limit-switch RP1B determines the outermost Region 1 limit.

2.4.4 Exposure Room Plug Doors

Refer to drawing T3A100E830-000[23] for the wiring diagram for the Exposure Room Plug Doors.

Figure 27 - Picture of Old and New Exposure Room Doors Status Panel

The Exposure Room Status Panel has been updated to make it more readily apparent if it is safe to enter the exposure rooms. The original status panel, as shown in Figure 27, was difficult to read and lacked labelling.

Figure 28 - Picture of Old and New Exposure Room Plug Door Control Boxes

2.4.4.1 Opening the Thermal Neutron Exposure Room Plug Door (ER1)

Certain elements of the facility interlock system must be satisfied before the thermal neutron exposure room plug door can be opened. These elements include:

1. The tank lead shield doors must be closed (D2C active).
2. The reactor must be in Position 1 (RP1A active).
3. The thermal neutron exposure room door control power key switch must be in the ON position.

To open the plug door:

1. Connect the reel mounted power cable to the plug door.
2. Depress and hold the OPEN button on the plug door control panel. Motor contactor D3M-0 used in operating the door in an open direction will operate. The neutron exposure room door will continue to move in an open direction until limit switch D30 is actuated, which will release the motor contactor stopping the door drive motor.
3. To stop the door during its opening operation, momentarily depress the STOP button. This action releases the open contactor D3M-0 which de-energizes the drive motor.

NOTE: If the door or drive drags or jams, the motor overload (OL) will energize, automatically releasing motor contactor D3M-0 and stopping the door movement.

2.4.4.2 Closing the Thermal Neutron Exposure Room Plug Door (ER1)

To close the thermal neutron exposure room plug door:

1. Momentarily depress the CLOSE button on the plug door control panel. Motor contactor D3MC, used to operate the door in the closed direction, will operate. This contactor electrically locks itself in. The thermal neutron exposure room plug door will continue to move in a closing direction until limit switch D3C actuates, which will operate D3CX, whose normally closed contact will release motor contactor D3MC, stopping the door's movement.

NOTE: Final closure of either exposure room plug door involves manual operation of the door drive mechanism.

2.5 Safety Analysis

The new Facility Interlock System uses COTS components that are similar in form and function to the original units. As with the original system, the new system is based on analog components, i.e., limit switches, relays, and indicator lights and horns to enforce interlock requirements.

The FIS components have been designed and manufactured to meet or exceed the requirements of the original system. The FIS has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation process. Due to this, it is expected that the new FIS will be as dependable as the old system. Nevertheless, the failure of the FIS is of minimal consequence since the system is designed to fail-safe.

There are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., enforcing interlocks) because the system is designed to fail to the safe condition. A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in an interlock condition that must be addressed before reactor operation can proceed. There are no means for the reactor operator to manually bypass any interlocks.

It is concluded that the new FIS will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

2.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to these channels are:

3.2.3 Facility Interlock System Specification

Facility interlocks shall be provided so that:

a. The reactor cannot be operated unless the lead shield doors within the reactor pool are either fully opened or fully closed;
b. The reactor cannot be operated unless the exposure room plug door adjacent to the reactor core position is fully closed and the lead shield doors are fully closed; or if the lead shield doors are fully opened, both exposure rooms plug doors must be fully closed; and
c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

4.2.4 Facility Interlock System Specifications

Functional checks shall be made annually, not to exceed 15 months, to ensure the following:

a. With the lead shield doors open, neither exposure room plug door can be electrically opened.
b. The core dolly cannot be moved into region 2 with the lead shield doors closed.


c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

The surveillance specifications and periodicities listed in TS Section 4.2.4 that pertain to the old system and components are still applicable and appropriate for the new systems and components.
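One reading of TS 3.2.3 a and b, written as a fail-safe permissive and checked over every input combination. This is an added illustration, not AFRRI or GA code: the FIS itself is relay and limit-switch logic, and the `Pos` encoding, the function names and the `adjacent_room` input (the mapping from core position to exposure room is not given in this section) are assumptions.

```python
from enum import Enum
from itertools import product


class Pos(Enum):
    """Door position as decoded from a pair of limit switches (assumed encoding)."""
    OPEN = "fully open"
    CLOSED = "fully closed"
    MID = "in travel"        # neither limit made; also what a de-energized input reads
    FAULT = "contradictory"  # both limits made at once


ROOMS = ("ER1", "ER2")


def from_limit_switches(open_made, closed_made):
    """Decode two limit-switch contacts into a Pos; never guess a safe state."""
    if open_made and closed_made:
        return Pos.FAULT
    if open_made:
        return Pos.OPEN
    if closed_made:
        return Pos.CLOSED
    return Pos.MID


def reactor_operate_permitted(lead_doors, plug_doors, adjacent_room):
    """Return (permitted, reason) for one reading of TS 3.2.3 a and b.

    plug_doors maps "ER1"/"ER2" to a Pos. adjacent_room is the exposure room
    next to the current core position, or None if that is not established
    (assumption: an unresolved core position denies operation).
    """
    # TS 3.2.3 a: lead shield doors must be fully opened or fully closed.
    if lead_doors not in (Pos.OPEN, Pos.CLOSED):
        return False, "lead shield doors not fully open or fully closed"
    if lead_doors is Pos.OPEN:
        # TS 3.2.3 b, second clause: both plug doors fully closed.
        not_closed = [r for r in ROOMS if plug_doors.get(r) is not Pos.CLOSED]
        if not_closed:
            return False, "lead doors open, plug door not closed: " + ", ".join(not_closed)
        return True, "lead doors open, both plug doors closed"
    # TS 3.2.3 b, first clause: lead doors closed, adjacent plug door closed.
    if adjacent_room not in ROOMS:
        return False, "core position not resolved to an exposure room"
    if plug_doors.get(adjacent_room) is not Pos.CLOSED:
        return False, "plug door adjacent to core (" + adjacent_room + ") not closed"
    return True, "lead doors closed, adjacent plug door closed"


def all_inputs():
    """Every combination of lead-door, ER1, ER2 and adjacency inputs (192 total)."""
    for lead, er1, er2, adj in product(Pos, Pos, Pos, ROOMS + (None,)):
        yield lead, {"ER1": er1, "ER2": er2}, adj


def permitted_states():
    """Input combinations for which the permissive is granted."""
    return [s for s in all_inputs() if reactor_operate_permitted(*s)[0]]


def violations():
    """Permitted states that break the specification, restated independently."""
    bad = []
    for lead, doors, adj in permitted_states():
        closed_case = (lead is Pos.CLOSED and adj in ROOMS
                       and doors[adj] is Pos.CLOSED)
        open_case = lead is Pos.OPEN and all(doors[r] is Pos.CLOSED for r in ROOMS)
        if not (closed_case or open_case):
            bad.append((lead, doors, adj))
    return bad


def fails_safe():
    """Degrading any input the permissive relies on must withdraw it."""
    for lead, doors, adj in permitted_states():
        relevant = ROOMS if lead is Pos.OPEN else (adj,)
        for degraded in (Pos.MID, Pos.FAULT):
            if reactor_operate_permitted(degraded, doors, adj)[0]:
                return False
            for room in relevant:
                changed = dict(doors, **{room: degraded})
                if reactor_operate_permitted(lead, changed, adj)[0]:
                    return False
    return True


if __name__ == "__main__":
    print(len(permitted_states()), "of", len(list(all_inputs())), "input states permit operation")
    print("violations:", violations(), "fails safe:", fails_safe())
```

Every branch that cannot confirm a "fully closed" or "fully opened" reading returns a denial, so a lost or contradictory signal lands in the interlocked state, matching the fail-to-safe behaviour claimed in Section 2.5.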

2.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, FIS, T3A400E100-1AT[28]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3 Control System Console - Digital - Component 3

Figure 29 - Picture of Old and New Control System Console

Figure 30 - Block Diagram of New Control System

The Control System Console (CSC) contains the computers (User Interface Terminal (UIT) and Console Computer System (CCS)), display monitors, control panels, modularized drawers, indicators, meters and recorders to present the data to the operator in meaningful engineering units. The CSC Operator Interface provides the necessary controls and interfaces for the operator to safely start up the reactor, manipulate reactor parameters, monitor the various operating parameters in its various modes of operation, and safely shut down the reactor.

Reference - GA Operation and Maintenance Manual, E117-1006, 1989[19]

The previous console contained a single computer with multiple digital and analog input/output plug-in cards and a dual-video driver to allow display on two terminals. It monitored the pushbuttons on the control rod panel and drove the indicator lights on the console. It also displayed reactor power, control rod position, and other operating parameters on the monitors, and accepted user input.

The COTS electromechanical count-down/count-up scram timer in the old console has been replaced with a software version in the new console; there is no functional or operational change. The COTS maximum pulse timer in the old console has been replaced with a software version in the new console; there is no functional or operational change. In the old console, the History Playback software module ran simultaneously with the reactor operating software; in the new console, the software architecture prevents this, so the reactor operating software must be shut down prior to starting up the History Playback module. In the old console, rod bank selections were made with physical switches, which were then read by the computer and enforced by software; in the new console, the rod bank selections are made on-screen directly in software.

The old console computer ran real-time operating system first released in 1982; used custom GA Configurator software to drive the display, and for communications to the rest of the system. The new console features two computers. The CCS computer runs for input and output operations. It uses a custom GA protocol for communications to the rest of the system. A second computer runs and is used as a display driver for the GUI.

Reference T3A100B7911-1OM Rev.A[23]

The new console contains two computers, each with its own monitor. The CCS uses a and handles input and output data, monitors the pushbuttons on the control rod panel and drives the indicator lights on the console. The CCS code The User Interface Terminal (UIT) uses a

Table 9 - Console System Console - Comparison of Old vs. New

Power Supplies and UPS

Function: Supplies Vdc power for the components located in the Control System Console.

Safety Analysis: The new power supplies are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The power supplies receive 120 Vac primary side power from the DAC AC power distribution system which originates from the console UPS. The power supplies are of the switching type and provide input-to-output isolation with internal overvoltage and overcurrent protection. There are six power supplies. There is no necessity for redundancy in the design criteria of the power supplies. A failure of a power supply will more than likely result in a scram, thereby placing the reactor in a safe shutdown condition.

It is concluded that the new power supplies will continue to perform the design function required in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD NEW

PS1 +5 Vdc Power Supply (

provides power the secondary side of the digital isolator modules on the digital input drawer.

PS2 +24 Vdc Utility Power Supply (

) is a 50W power supply that is used to power digital switch contacts in the control console. Input to output isolation is 3,000V.

PS3 +12 Vdc Power Supply (

Digital Input/Output

Function: The purpose of the digital input/output drawer is to isolate all digital inputs and outputs located in the Control System Console and send them to the Control System Computer.

Safety Analysis: The new digital input boards and isolators are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The new digital input boards and isolators have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the digital input boards and isolators will be as dependable as the old unit.

Nevertheless, the failure of either the digital input board or one or more of the digital isolators is of minimal consequence since the components do not perform any safety related functions. A failure will not prevent the automatic protective actions from other independent channels (e.g., NP-1000 or NPP-1000) from being performed. In addition, the interlock functions that are being performed by the digital inputs (e.g., FIS limit switches) will still be performed in the event of a failure of the digital I/O components since the interlocks are designed to be fail-safe.

It is concluded that CSC Digital I/O will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD: DC digital input/output. Digital input scanner board ( ) that monitors all CSC digital inputs, e.g., pushbuttons and thumbwheel switches and transmit the data to the CSC computer.

NEW: The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical printed circuit board assemblies (PWA) populated with digital isolators.

Mounted on the Digital Input Drawer Components:

Rod Control Panel

Function: To provide pushbuttons for the manual control of the control rods, a key switch for the application of magnet power, a manual scram pushbutton and a pushbutton to acknowledge alarms and messages.

Safety Analysis: The safety analysis for the Rod Control Panel is discussed in detail in Section 3.1.

OLD: Located below the two color displays and contained reactor key switch and all the pushbutton switches necessary to control the movement of the control rod drive mechanisms.

NEW: Located below the two color displays and contained reactor key switch and all the pushbutton switches necessary to control the movement of the control rod drive mechanisms.

Reactor Mode Control Panel

Function:

Safety Analysis: The safety analysis for the Reactor Mode Control Panel is discussed in detail in Section 3.1.

OLD: Located on the left side of the CSC. Contained the instrument power ON pushbutton switch, along with the reactor operating mode pushbuttons, scram and interlock test rotary select switch and additional switches with regard to the Facility Interlock System.

NEW: Located on the left side of the CSC. Contained the instrument power ON pushbutton switch, along with the reactor operating mode pushbuttons, scram and interlock test rotary select switch and additional switches with regard to the Facility Interlock System.

Console Computers - CCS and UIT

Function: To monitor all input and output channels, provide reactivity control of the reactor (via control rod movements) and to provide a graphical user interface for the reactor operator.

Safety Analysis: The safety analysis for the Console Computers is discussed in detail in Section 3.3 and Section 3.4.

OLD NEW Components:

Bargraphs and Recorders Panel

Function: Provide power indication along with trending and recording capabilities that are independent of the control system computers.

Safety Analysis: The safety analysis for the Bargraphs and Recorders Panel is discussed in detail in Section 3.5 and Section 3.6.

OLD: Panel containing eight vertical LED bargraph meters and two paper strip chart recorders. The components receive an analog signal from the NP-1000, NPP-1000, NM-1000 and the Fuel Temperature Channels.

NEW: Panel containing eight vertical LED bargraph meters and two videographic chart recorders. The components receive an analog signal from the NP-1000, NPP-1000, NLW-1000, NMP-1000 and the NFT-1000 Fuel Temperature Channels.

3.1 Rod Control Panel - Component 3a

Figure 31 - Picture of Old and New Rod Control Panel

3.1.1 Design Function

The design functions of the Rod Control Panel are:

  • Application of magnet power via a key switch
  • Manually scram the reactor.
  • Acknowledge alarms and messages.

3.1.2 Description of Old

The original Rod Control Panel was used to manually control the control rod drives, apply magnet power, fire the transient rod, manually scram the system and acknowledge alarms and messages.

3.1.3 Comparison of Old vs. New

The new panel is functionally equivalent to the original panel with an interface that is designed to be as close to the original as possible. The magnet power key switch and pushbuttons on the new panel are the same model numbers as the original panel.

3.1.4 Detailed Description of New

Figure 32 - Rod Control Panel

The Rod Control Panel is located beneath the Right Side Graphics Display and the UIT computer. This panel is used to manually control the control rod drives, apply magnet power, fire the transient rod, manually scram the system and acknowledge messages in the Annunciator Pane of the Right Side Graphics display.

The Rod Control Panel performs the same functions, in the same way as the original panel. A description of the functions for the components is detailed here for convenience.

3.1.4.1 Magnet Power Key Switch

In the upper left corner is the MAGNET POWER key switch. The key switch has three positions: OFF (maintained), ON (maintained) and RESET (momentary). If the switch is OFF, then all power is removed from the rod magnets. The ON position is wired in with the Scram Loop. The switch has to be in the ON position to complete the loop. The switch is momentarily turned to the RESET position to initiate the time delay in the FIS prior to activating the reactor permissive relay (ROX). After the time delay, and if the ROX and the rest of the Scram Loop inputs are satisfied, the switch is momentarily turned to the RESET position again to apply magnet power. The switch will remain in the ON position during reactor operation. If at any time during reactor operation the switch is turned to the RESET position, the reactor will scram. Turning the key switch to RESET is also the only way to remotely reset trips on the nuclear instruments in the DAC, assuming the trip condition has cleared.

3.1.4.2 FIRE Pushbutton

In the bottom left corner is the FIRE button. When all conditions to fire the transient rod are met, pushing the FIRE button will apply air pressure to the rod for pulsed reactor operation.

3.1.4.3 Rod Control Pushbuttons

In the middle of the panel is the Rod Control section, which includes the AIR button, MAGNET buttons, UP buttons and DOWN buttons. The AIR button is used to remove air from the Transient Rod. The MAGNET buttons are used to remove the magnet power for the Shim, Safety and Regulating rods. Pressing the MAGNET button turns off magnet power and therefore drops the rod into the reactor core. Pressing the UP or DOWN buttons generates a digital input to the CCS computer to move the control rods.

3.1.4.4 SCRAM Pushbutton

In the upper right corner is the reactor SCRAM pushbutton. It is hardwired into the Scram Loop. If this button is depressed, the switch breaks the Scram Loop in both upper and lower legs, and all rods will drop to shut down the reactor.

3.1.4.5 ACKNOWLEDGE Pushbutton

The ACKNOWLEDGE button is used to acknowledge messages in the Annunciator Pane of the right side display. It generates a digital input to the CCS computer to indicate an operator has acknowledged a visual or audible alert.

3.1.5 Safety Analysis

The new Rod Control Panel is an updated version that uses the same model pushbuttons and magnet power key switch as the original panel. As with the original panel, the new Rod Control Panel does not directly control the control rods but provides the digital inputs to the CCS Computer which in turn provides the control logic for the control rods. Also as with the original panel, the manual scram pushbutton provides a direct input to the Scram Loop, without relying on software to perform the TS required scram action.

Since the new components are the same models and perform the same functions, and in the same way as the original, it is expected that the new Rod Control Panel will be as dependable as the original unit.

Nevertheless, the failure of the Rod Control Panel, such as a shorted manual scram pushbutton, is of minimal consequence since there is a redundant emergency stop pushbutton installed on the Reactor Mode Control Panel.

A stuck rod control pushbutton could potentially cause a ramp insertion of excess reactivity accident. Since there is an interlock preventing the manual control of more than one control rod, the reactivity inserted due to a single control rod is bounded by the three control rod insertion event as detailed in Section 1.7.5; therefore, it is of minimal consequence.

It is concluded that the new Rod Control Panel will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.1.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The Console Manual Scram Button, as listed in Table 2, Minimum Reactor Safety System Scrams, is located on this panel.

4.2.2 Reactor Safety Systems Specifications

g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

The surveillance specification and periodicity listed in TS Section 4.2.2 that pertains to the manual scram pushbutton is still applicable and appropriate for the updated unit.

3.1.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3.2 Reactor Mode Control Panel - Component 3b

Figure 33 - Picture of Old and New Reactor Mode Control Panel

3.2.1 Design Function

The design functions of the Reactor Mode Control Panel are:

  • Provide indication for the status of facility components.
  • Provide Scram and Interlock selection test switches
  • Instrument Power ON pushbutton

3.2.2 Description of Old

The original Reactor Mode Control Panel was located on the right side of the CSC. The panel provided pushbuttons and switches to apply instrument power, to select operating mode, and to select the power level for automatic mode. Also located on the panel were the core position status, lead shield door position and exposure room plug door status. The scram and interlock test rotary switch was also located on the panel.

3.2.3 Comparison of Old vs. New

The new Reactor Mode Control Panel is similar to the original. Some of the original functions have been moved entirely to software, such as the steady-state timer and reactor mode selection, and can be accessed via the UIT display interface.

In both the new and original panels, with the exception of the emergency stop pushbutton, all other pushbuttons and switches provide a digital input to the CSC, which then provides the logic in performing the required function.

3.2.4 Detailed Description of New

Figure 34 - Reactor Mode Control Panel

The Reactor Mode Control Panel is located in the right side of the console. This panel contains the status indicators for Core Position, Door Position, Indicators, Pulse Detector Selection, Lamp Test, Emergency Stop, Instrument Power ON, and Watchdog timers for the CCS and UIT computers. Two rotary test switches for the scrams and interlocks are also located on the new panel.

3.2.4.1 Reactor Core and Shield Door Position

The Reactor Mode Control Panel provides two switches with backlights, an indicator and a digital readout to indicate core position. The two switches, Region 1 and Region 3, can be used to move the reactor core.

Backlights will be illuminated when the door limit switch is activated. The foot pedals can also be used to move the reactor core. The Region 2 indicator will be lit whenever the core is not in Region 1 or Region 3.

Also, there is a digital readout for the core position. Refer to Figure 26 for a drawing of the core regions and the associated digital readout values.

Three door position switches with backlights are provided: Lead Door Open, Lead Door Stop and Lead Door Close. The switches can be used to open, stop and close the lead door. When the switch is active, the backlight is illuminated.

3.2.4.2 Indicators

Three other indicators are provided: Reactor Operate, Time Delay and Exposure Room Open. The Reactor Operate indicator is illuminated when all interlocks have been satisfied and magnet power can be applied.

The Time Delay indicator is illuminated while the 30 second reactor interlock delay is active. The Exposure Room Open is used to indicate that the Exposure Room door is open.

The Pulse Detector button selects which type of detector is connected to the NPP-1000 instrument. In steady state operation, a Fission Chamber detector is connected to the NPP-1000 and none of the button lights are lit. The detector selection is performed per the following:

  • Pushing the detector select button once selects detector 1 (currently Uncompensated Ion Chamber detector) and the Detector 1 backlight will illuminate, or
  • Pushing the detector select button again selects detector 2 (currently Cerenkov detector) for pulsed reactor operation and the Detector 2 backlight will illuminate.

A Lamp Test button is provided to test the lamps on the Reactor Mode Control Panel. The Lamp Test button itself does not light up.

An Emergency Stop button is provided to scram the reactor in an emergency. It ties in with the FIS and upon pressing it, deactivates the reactor permissive (ROX) relay that is an input to the Scram loop. The Emergency Stop is a latching switch; the first push activates it, the second push deactivates it.

An Instrument Power ON button and indicator light are provided. The instrument power on switch has a backlight that will be illuminated when console power is on. Pushing the button activates or deactivates the UPS. Because the UPS input is heavily filtered to protect against spurious inputs, the UPS turn on or shutdown occurs 2 to 3 seconds after the button has been pushed.

Watchdog timer lights are provided for both the CCS and UIT to indicate when a watchdog timer timeout has occurred.

3.2.4.3 Scram and Interlock Test Switches

SCRAM and Interlock Test 1 Rotary Switch is used to select the test. A test button is used to run the test.

The following tests are provided for selection on the Test 1 switch:

1. NLW: 1 KW, Low Source, Period, NLW HV Lo
2. NMP: NMP HV LO, NMP Pwr Hi
3. NP: NP HV Lo, NP Pwr Hi
4. NPP: NPP HV Lo, NPP Pwr Hi

SCRAM and Interlock Test 2 Rotary Switch is used to select the test. A test button is used to run the test.

The following tests are provided for selection on the Test 2 switch:

1. Watchdogs: CCS WDT, UIT WDT
2. Pool Level: Pool Lo
3. NFT Temperatures: FT 1, FT 2, FT 3
4. Pool Temperature: Pool Temp

3.2.5 Safety Analysis

The new Reactor Mode Control Panel is an updated version that uses the same model pushbuttons and similar rotary switches as the original panel. As with the original panel, the new Reactor Mode Control Panel provides the digital inputs to the CCS Computer which in turn provides the control logic for the pushbuttons and test switches. Also as with the original panel, the emergency stop pushbutton provides an indirect input to the Scram Loop via the Facility Interlock System, without relying on software to perform the TS required action.

Since the new components are mostly the same models and perform the same functions, and in the same way as the original, it is expected that the new Reactor Mode Control Panel will be as dependable as the original unit. Nevertheless, the failure of the Reactor Mode Control Panel, such as a shorted emergency stop pushbutton, is of minimal consequence since there is a redundant manual scram pushbutton installed on the Rod Control Panel.

It is concluded that the new Rod Control Panel will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.2.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The Console Emergency Stop, as listed in Table 2, Minimum Reactor Safety System Scrams, is located on this panel.

4.2.2 Reactor Safety Systems Specifications

e. The emergency stop scram shall be tested annually, not to exceed 15 months.

The surveillance specification and periodicity listed in TS Section 4.2.2 that pertains to the manual scram pushbutton is still applicable and appropriate for the updated unit.

3.2.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFRRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3.3 CCS Computer - Component 3c

3.3.1 Design Function

The design functions of the CCS Computer are:

  • Process all Digital Inputs and Outputs.
  • Monitor all inputs and outputs.
  • Control the reactor.

3.3.2 Description of Old

The old CSC computer ran , along with custom GA software to drive the display and for communications to the rest of the system.

The CSC computer received digital signals from the console input scanner board along with the signals from the DAC. The CSC computer then made this information available to the reactor operator on the two console displays.

3.3.3 Comparison of Old vs. New

The two units perform the same functionality with the exception that the Pulse Timer and Steady-state Scram Timer functions are now performed entirely in software. The functionality of all other physical switches remains unchanged: the selections are read by the computer as a digital input and enforced by software.

3.3.4 Detailed Description of New

Reference T3A100B7911-1OM Rev.A[23]

The CCS uses a and handles input and output data, monitors the pushbuttons on the control rod panel and drives the indicator lights on the console. The CCS code is written in The CCS computer system in the console has a display associated with it. This display is not normally needed during the operation of the reactor; it exists mainly for startup, shutdown, and console debugging purposes. Other than determining that the CCS has come up and is operating properly, there is no reason for having this display present on the console. During normal operation of the software, it displays the digital and analog inputs/outputs on the screen. Having this screen handy is useful to determine whether the CCS has locked up if the system freezes (the numbers are constantly changing if the CCS computer is operating properly). The display is also useful for shutting down the CCS system (though this can also be done from the UIT computer).

3.3.5 Safety Analysis

The new CCS computer has been designed and manufactured to meet or exceed the requirements of the previous unit computer. The new computer and associated software have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new computer will be as dependable as the original unit.

In the event that the CCS computer malfunctions, i.e. becomes unresponsive, the CCS Watchdog Timer will initiate a scram. If the timer fails, then the reactor operator can always manually scram the reactor via the hardwired manual scram pushbutton.

There are no accident scenarios associated with the CCS computer and the failure of the computer is of minimal consequence since the computer does not provide any safety functions that are intended to prevent the fuel temperature safety limit of 1000 °C from being exceeded.

It is concluded that the CCS Computer will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.
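The layering this safety analysis relies on (a pulse-timer scram generated in software, a watchdog that trips when that software stops responding, and a hardwired manual scram that bypasses software) can be exercised in a small simulation. This is an added example, not GA or AFRRI code; the class names, the 10 ms cycle and the 200 ms watchdog timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CYCLE_MS = 10               # assumed control-loop period (not from the page)
WATCHDOG_TIMEOUT_MS = 200   # assumed watchdog timeout (not from the page)


@dataclass
class ScramLoop:
    """Latched trip chain: the first trip opens the loop; later trips are ignored."""
    tripped_at_ms: Optional[int] = None
    cause: Optional[str] = None

    def trip(self, now_ms: int, cause: str) -> None:
        if self.tripped_at_ms is None:
            self.tripped_at_ms, self.cause = now_ms, cause


@dataclass
class Watchdog:
    """Runs independently of the monitored software; trips if not kicked in time."""
    loop: ScramLoop
    timeout_ms: int = WATCHDOG_TIMEOUT_MS
    last_kick_ms: int = 0

    def kick(self, now_ms: int) -> None:
        self.last_kick_ms = now_ms

    def poll(self, now_ms: int) -> None:
        if now_ms - self.last_kick_ms > self.timeout_ms:
            self.loop.trip(now_ms, "WATCHDOG")


@dataclass
class ControlSoftware:
    """Hypothetical stand-in for the control computer's cyclic task."""
    loop: ScramLoop
    watchdog: Optional[Watchdog]
    pulse_fired_ms: Optional[int] = None
    pulse_limit_ms: int = 0
    hung: bool = False

    def fire_pulse(self, now_ms: int, limit_ms: int) -> None:
        self.pulse_fired_ms, self.pulse_limit_ms = now_ms, limit_ms

    def cycle(self, now_ms: int) -> None:
        if self.hung:
            return  # a hung task neither evaluates its timers nor kicks the watchdog
        if (self.pulse_fired_ms is not None
                and now_ms - self.pulse_fired_ms >= self.pulse_limit_ms):
            self.loop.trip(now_ms, "PULSE TIMER")
        if self.watchdog is not None:
            self.watchdog.kick(now_ms)


def simulate(pulse_at_ms: int, limit_ms: int, hang_at_ms: Optional[int] = None,
             with_watchdog: bool = True, manual_scram_at_ms: Optional[int] = None,
             end_ms: int = 10_000) -> ScramLoop:
    """Step a constructed timeline and return the scram loop's final state."""
    loop = ScramLoop()
    wd = Watchdog(loop) if with_watchdog else None
    sw = ControlSoftware(loop, wd)
    for now in range(0, end_ms + 1, CYCLE_MS):
        if hang_at_ms is not None and now >= hang_at_ms:
            sw.hung = True
        if now >= pulse_at_ms and sw.pulse_fired_ms is None and not sw.hung:
            sw.fire_pulse(now, limit_ms)
        sw.cycle(now)
        if wd is not None:
            wd.poll(now)                # the watchdog keeps running when sw hangs
        if manual_scram_at_ms is not None and now >= manual_scram_at_ms:
            loop.trip(now, "MANUAL")    # hardwired path: never passes through sw
        if loop.tripped_at_ms is not None:
            break
    return loop


if __name__ == "__main__":
    cases = {
        "healthy software": simulate(1000, 5000),
        "hang, watchdog present": simulate(1000, 5000, hang_at_ms=3000),
        "hang, watchdog failed": simulate(1000, 5000, hang_at_ms=3000,
                                          with_watchdog=False),
        "hang, watchdog failed, operator scrams": simulate(
            1000, 5000, hang_at_ms=3000, with_watchdog=False,
            manual_scram_at_ms=4000),
    }
    for name, result in cases.items():
        print(f"{name}: scram at {result.tripped_at_ms} ms, cause {result.cause}")
```

The third case is the one the analysis guards against: with the software hung and no watchdog, the software-generated pulse-timer scram never fires, which is why the watchdog and the hardwired pushbutton sit outside the software path.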

3.3.6 Technical Specifications

With the exception of the wording for the watchdog scram (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The pulse timer scram is generated from the CCS computer.

The Watchdog listed in Table 2 Minimum Reactor Safety System Scrams, needs to be revised to Watchdog (DAC to CSC) (UIT and CCS).

3.3.7 Quality Assurance

Significant software QA was performed on all GA-developed software. Extensive test documentation is available for review and is summarized below.

Software Development Plan, AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC Rev A[29]

The Software Development Plan (SDP) applies to the software development and release of the TRIGA Console and Channels subsystems to support replacement of the existing TRIGA Mark F Research Reactor Instrumentation and Control System Console (CSC) at Armed Forces Radiobiology Research Institute (AFRRI). The instrumentation housed in the new Data Acquisition Cabinet (DAC) located in the reactor room includes the nuclear channels, power supplies, rod drive control, signal processing, analog I/O and Ethernet interface. The CSC includes two computer systems. One is the User Interface Terminal (UIT), which runs on one computer that operates to display reactor activities. The other is the Console Computer System (CCS), which operates to display reactor functions and conditions. This SDP describes the development process, organization, management structure, activities performed and resources used in the development of the AFRRI TRIGA software.

Furthermore, the SDP describes the planning of management, process, procedures, organization, staffing, scheduling, methods, resources, tasks, products, and reviews that are used to develop the AFRRI TRIGA software.

In addition to providing traditional project planning information, this SDP is also used to tailor the standard Software Engineering activities to fit the needs and constraints of this project. Separate documents, such as the TRIGA Software Configuration Management Plan (SCMP) and the Software Quality Assurance (SQA) Plan (SQP) will be used to describe how software configuration and software quality processes are applied to this project. This SDP is the prevailing document for software development activities. In the event of conflict between this SDP and another planning document, this SDP shall take precedence in matters related to software development.

Software Quality Plan, USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP Rev X3[30]

The purpose of this Software Quality Assurance Verification and Validation Plan is to define:

  • The Software Quality organization for the AFRRI TRIGA Replacement Console Project at General Atomics Electromagnetics Systems (GA-EMS)
  • The Software Quality tasks, Verification & Validation (V&V) tasks and responsibilities
  • The standards, practices, and conventions used to perform Software Quality and V&V activities
  • The tools, techniques, and methods that will be used to support Software Quality and V&V activities and reporting.

The AFRRI TRIGA project will be a replacement and upgrade effort where GA-ESI will provide replacement Console hardware and software, as well as installation services, for support of the existing monitoring, control and safety systems of the Mark F Research Reactor.

The plan articulates the Software Quality activities, including software quality engineering, software quality assurance, V&V, and software testing, performed throughout the software development life cycle of the AFRRI TRIGA Replacement Console Project.

The plan will define Software Quality and V&V support functions for this project and specify the reporting activities of Software Quality to Quality management, with communication links to the AFRRI TRIGA Project Manager and the project Software Engineering Manager.

A key goal of the Software Quality function is to verify that all software and documentation to be delivered meet all technical requirements and to ensure compliance with contractual requirements and with GA-ESI processes and procedures for software development.

The Software Quality and V&V tasks defined herein shall be used to examine deliverable software and project work products, assess conformance of planned tasks and activities to processes and procedures, and to determine compliance with technical and regulatory compliance requirements.

The Software Quality Assurance plan is written to comply with all contractual Quality Assurance Requirements and recognizes ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors, ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, NRC Regulation 1.152 and the applicable sections of IEEE 7-4.3.2 for non-power research reactors.

The plan also complies with GA-ESI's Quality Management System, Quality Manual & procedures, and RMS Engineering Operating procedures.

The plan aligns with GA-ESI Procedure EP-021 which describes the standard product development process and GA-ESI Quality procedure QAP 03-03 Software Quality Assurance Planning that supports the lifecycle phases listed below for a waterfall software development model:

  • Concept/Planning
  • Requirements
  • Design
  • Implementation & Coding
  • Testing
  • Installation and Checkout

Software Configuration Management, TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC Rev X1[31]

The Software Configuration Management (SCM) Plan (SCMP) provides the guidelines to be used to manage changes to the TRIGA software at General Atomics Electronic Systems, Inc. (GA-ESI). The intended audience for the document includes, but is not limited to, Project Management, Software Quality Assurance, and Software Engineering personnel.

This SCMP will be used to ensure compliance to the SCM requirements as listed in the Armed Forces Radiobiology Research Institute (AFRRI) Statement of Work (SOW)[32].

Software Configuration Management functions will be performed as described in the document throughout the Software Development Life Cycle (SDLC). This SCMP will be used to track and control changes in project documentation, software source code, software build artifacts, test tools, and test artifacts as described in the document. The SCMP is used in conjunction with GA-ESI Configuration Management (CM) operating procedures. There are no known limitations to this plan and assumptions have been made with respect to this plan.

Software Configuration Management is the discipline of controlling and tracking changes made to a software system throughout the SDLC. SCM is applicable to, but not limited to, software requirements, design, source code, and project documentation. The following describes the activities involved with SCM, including:

  • Configuration identification

A Configuration Item (CI) is any component of a system, including documentation, which will be under the control of CM. These items are identified, recorded and managed within a Configuration Management System (CMS) and maintained throughout the lifecycle of the project.

Configuration Items for a software system consist of software process plans, specification documentation, software source code, test documentation, technical manuals and version description documentation.

  • Configuration control

Configuration control defines the process for requesting, evaluating, approving or disapproving, and implementing changes to baselined CIs. Changes can include but are not limited to defects, enhancements and new requirements.

A baseline provides a static reference point to a grouping of CIs that make up a system at a given point in time. Baselines establish a version of the software configuration which serves as the basis for further development. After a baseline has been established, changes can only be performed through a formal change request process as identified in the SCMP.

  • Configuration status accounting

The SCM engineer is responsible for the recording and reporting of software configuration status.

For software product builds performed by the SCM engineer, a configuration status report will be generated identifying the built software version, included issues, known software limitations, and additional developer notes associated with each issue.

Configuration status reports will be controlled as release notes and stored on the project's SharePoint site. A copy of the release notes will be provided with each build in the designated build area located on the GA-ESI network. Refer to the SCMP for the base location of where builds are stored on the GA-ESI network.

  • Configuration evaluations and reviews

Configuration evaluations and reviews will be used as the mechanism to evaluate a baseline. The SCM engineer along with the SQA engineer will schedule audits, on an as-needed basis, to determine the extent to which the physical and functional characteristics of a CI are met. At a minimum, configuration reviews should take place upon definition and completion of the Requirements and Product Baselines.

  • Release management and deliveries

The standard software release management and delivery process will be used.

3.4 UIT Computer - Component 3d

3.4.1 Design Function

The design functions of the UIT Computer are:

  • Provide the graphical user interface (GUI) for the reactor operator.
  • Provide status of reactor parameters.
  • Provide alarms and messages.

3.4.2 Description of Old

The original CSC computer was an computer located in the lower right-hand compartment of the console. The CSC computer displayed reactor operational information on two color CRT monitors.

The left side display contained information in text form on the status of the reactor facility. The three windows associated with the text monitor were the STATUS, WARNING and SCRAM windows.

The right side display terminal was located directly above the Rod Control Panel and displayed reactor information, including reactor power, control rod positions, and temperatures. This display used simulated bargraphs and an animated representation of the reactor core to provide the operator with a near real-time graphic display of the operating parameters of the reactor.

3.4.3 Comparison of Old vs. New

The new displays were designed to replicate the original displays to the maximum extent possible. The terminology that was used on the original display, e.g. STATUS pane, WARNING pane, SCRAM pane, etc., was maintained in the new displays.

3.4.4 Detailed Description of New

Reference T3A100B7911-1OM Rev.A[23]

The User Interface Terminal (UIT) uses a system to display parameters and accept user input. The UIT code is written in . The UIT consists of two display screens: the Left Side Status Display and the Right Side Graphics Display.

3.4.4.1 Left Side Status Display

Figure 35 - Left Side Status Display

The Left Side Status Display screen is used to display operating information about the reactor. There are five display panes:

3.4.4.1.1 STATUS Pane

The STATUS pane presents current information about the status of the system including power readings, period, temperatures and pool level. The core position and shielding door positions are also displayed.

Also, the remote/local state of each channel is displayed. During a pulsing operation, an additional Inhibited field will be shown for the NLW and NMP and an additional Bypassed field will be shown for the NP. These fields are displayed to the right of the remote/local field. These fields are shown to indicate when the devices are inhibited or bypassed during a pulsing operation.

3.4.4.1.2 SCRAM Pane

The SCRAM pane displays scram conditions. If a scram were to occur in the reactor, an operator would reference the Status Display to quickly identify the cause of the scram. The SCRAM pane also provides buttons to conduct operational tests of the scram system. For the buttons to be enabled, a check box labeled "Enable Scram Tests" must be selected.

NOTE: All scram/alarm messages displayed on the SCRAM and WARNINGS panes are first displayed on the left STATUS display, as opposed to the information panes on the graphic display.

3.4.4.1.3 WARNINGS Pane

The WARNINGS pane displays warnings of which the operator should be aware. An alarm disable checkbox is provided for each warning. If the checkbox is not checked and a trip occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box will be displayed for the warning. If the checkbox is checked and a trip occurs, the yellow box will still be displayed for the warning, but the horn will not sound and an ANNUNCIATOR Pane message will not be displayed. The primary purpose of this audible inhibit functionality is to minimize distractions during system setup and testing or prolonged warning situations.

3.4.4.1.4 MODE SELECTION Pane

The MODE SELECTION pane allows the operator to select the mode in which to operate the reactor. These modes are:

1. Manual Mode (Steady-state)
2. Automatic Mode (AUTO)
3. Square Wave
4. Pulse.

This pane also contains a text box and a button that allows the operator to enter the demand power setting. Once set, Demand is selected for the input power (in watts); this will update the Demand Power as shown on the upper left corner of the Reactor Display. When the demand power setting is selected and the reactor is in Automatic Mode, those rods selected in the banked movement will adjust their position to insert or remove reactivity to maintain power at the demand setting.

The MODE SELECTION pane also contains text boxes with checkboxes that allow the operator to manually select NMP-1000 Range and to indicate the current range selection for the NMP-1000. As an automatic ranging device, in normal operations, the NMP-1000 would change its scale based on the reactor power.

By manually selecting a range, the operator will prevent that action by the NMP-1000. If the power continues to rise and the NMP-1000 reaches 110% of its selected scale, it will initiate a scram. The NMP-1000 is an operational channel and is not credited in the minimum reactor safety system scrams.

This pane also allows the operator to set timed actuations. The Set Pulse Time button allows the operator to set the length of time before an automatic scram after a reactor pulse. The time is entered into a text box and actuated with a button. The reactor power pulse is a function of core physics and typically lasts a few hundred milliseconds. Normally, the operator will manually scram the reactor after a few seconds, but as required by the Technical Specifications, the system will automatically scram if the Set Pulse Time limit is reached. The Set Scram Time button is used to set the time of a scram from steady-state mode.

There are buttons to start, stop, and reset this timer. It may be directed to count up or count down.

3.4.4.1.5 INTERLOCKS Pane

The INTERLOCKS pane displays interlock conditions. An alarm disable checkbox is provided for each interlock. If the checkbox is not checked and an interlock occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box for the interlock will be displayed. If the checkbox is checked and a trip occurs, the yellow box will be displayed for the interlock. The horn will not sound and an ANNUNCIATOR Pane message will not be displayed.

3.4.4.2 Right Side Graphics Display

While the Left Side Status Display shows the current facility mode and operational settings, the Right Side Graphics Display is the primary means by which the operator monitors and controls the reactor.

At the top of the Right Side Graphics Display the system menu bar displays the following menu items:

1. RUN: Exit to Windows or Restart UIT.
2. OPERATOR: Provides the ability to log in, log out, and display selected operator statistics.
3. HISTORY: System must be scrammed, then starts the execution of the history playback program.
4. DISPLAY: Refreshes the graphics displays (this option is rarely used).

Where the Left Side Status Display is divided into several different panes, all of which are simultaneously visible, the Right Side Graphics Display has six different screens which must be selected to be visible to the operator. The six screens are as follows:

3.4.4.2.1 Reactor Display #1

Figure 36 - Right Side Graphics Display - Reactor Display #1

Reactor Display #1 is for normal reactor operation. On the left portion of the Reactor Display #1 there are scales for the following:

1. LINEAR POWER: This bargraph shows the current reactor power level in watts on a linear scale. This information is obtained from the NMP-1000 Nuclear Multi-range Power Channel.

2. LOG POWER: This bargraph shows the current reactor power level as a percentage of maximum power, on a logarithmic scale. This information is obtained from the NLW-1000 nuclear channel.
3. NP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NP-1000 which is independent of the NPP-1000. This channel is denoted as Safety Channel 1.
4. NPP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NPP-1000 which is independent of the NP-1000. This channel is denoted as Safety Channel 2.

The central portion of Reactor Display #1 shows a graphical representation of the reactor cross section with information about the status of the control rods. For the shim rod, the safety rod and the regulator rod, the small square box at the top of the control rod indicates the status of the control rod magnet power. For the transient rod, the small square box at the top of the control rod indicates the status of the air. The operator is able to quickly understand if a control rod is at its lower limit, the status of the magnet or air, the height of the control rods, and the measured drop time (if a drop is initiated from full height).

When the magnet or air is activated, a representative box changes from black to yellow. Additionally, when the control rod bottom limit switch is not activated, the control rod color changes from black to green. Therefore, anytime the control rod is off the bottom of its travel path, the box should be yellow and the rod green. Once the control rod has been lifted to its upper limit and activated the control rod upper limit switch, the control rod color will turn magenta.

Above each control rod position in the display, the individual control rod drop times are displayed.

Below each control rod position in the display is a small box that indicates the current position of the control rod drive mechanism. The scale for the position readout ranges from 0 to 999. The position is 0 if the control rod drive is all the way down and the position is 999 if the control rod drive is all the way up.

If the control rod is all the way down and the magnets are energized, its color will be gray. When the control rod down limit switch is activated, the position indicator is forced to zero units. If it is all the way up (and the control rod up limit switch is actuated), the color will be magenta and the position indicator is forced to 999 units. The control rod color will be green between the magnet and the bottom of the control rod when positioned anywhere between fully down or fully up.

At the bottom of the graphical display screen, several rectangles representing the physical rod control buttons on the Rod Control Panel are displayed. When a button is pressed on the Rod Control Panel, the system will highlight the button on the graphics display. This portion is particularly useful in automatic mode, for when a control rod drive is in motion, as dictated by the automatic control PID algorithm, the operator is able to verify proper control rod movement.

The ACKNOWLEDGE button on the Rod Control Panel provides a method to acknowledge trips, scrams, warnings, etc. that are displayed on the Annunciator Pane of the main graphics window. Pressing the ACKNOWLEDGE button will clear the top message in the annunciator window.

The SCRAM button on the rod control panel is hard-wired directly into the system scram loop (i.e., this signal is not processed by software, but status is provided to the software so the program can determine when the operator presses the SCRAM button). The SCRAM box indicates when the operator presses this SCRAM button.

On the right portion of the Reactor Display #1 there are scales for the following:

1. PERIOD: This bargraph shows the rate of change of the reactor power although somewhat indirectly. Period is inversely proportional to the rate of change. If reactor power is steady, the rate of change is equal to zero and the period is infinity. The greater the rate of change becomes, the less the period becomes. This information is obtained from the NLW channel.
2. NFT1 TEMP: This bargraph shows the NFT1 fuel temperature in °C on a linear scale. This information is obtained from the NFT channel.
3. NFT2 TEMP: This bargraph shows the NFT2 fuel temperature in °C on a linear scale. This information is obtained from the NFT channel.
4. POOL TEMP: This bargraph shows the pool temperature in °C on a linear scale. This information is obtained from the pool temperature RTD.

The bottom left portion of Reactor Display #1 shows the core position in the reactor pool. Because the AFRRI Reactor features a movable reactor core, this provides additional information to the operator and may be verified through visual inspection. This simple graphic has indication of the lateral location of the core, as well as the shield door position and the exposure room door positions.

3.4.4.2.2 Reactor Display #2

The Reactor Display #2 shows the same bargraphs as Reactor Display #1 but the central portion of the screen is replaced with a strip recorder display with the four parameters: linear power, log power, period, and coolant temperatures.

3.4.4.2.3 Reactor Prestart Tests

When the reactor is scrammed and magnet power is not applied, the Right Side Graphics Display will include two additional tabs: Reactor Prestarts Tests and Pulse Display. When the operator presses the Prestarts tab on the Right Side Graphics Display, the system shows the prestart tests that are available.

NOTE: This prestart mode is not available when conducting operational (manual) prestart tests from the Status Display using the Test Enable function, which requires that magnet power be applied to withdraw the control rods. While magnet power is applied, the Prestart Tests tab will not be displayed.

This Prestart Tests tab is used for the software generated prestart tests, and is not available when the reactor is operating. While running these prestart tests, the remaining tabs are disabled. A RUN button is provided to start the prestart tests. As each prestart test is completed, Passed or Failed will be displayed (along with a reason for a failure if the test fails). If a particular test fails, then the user must press the DONE or CONTINUE button on the display (using the mouse). Pressing the DONE button aborts the testing process. Pressing CONTINUE causes the system to continue with the next prestart test in the sequence.

At the end of all the tests, pressing DONE clears the prestart and returns control to the main reactor display tab. At any time while the system is waiting for the operator to press the CONTINUE or DONE button, the operator can press the PRINT button to send a copy of the prestart report to the system printer.

On the right side of the display, buttons are provided to run each of the prestart tests individually. A Test Off button is provided to stop the tests.

The available prestart tests include:

1. NMP: Low Current, High Current, High Voltage (Low), Low Count
2. NLW: Low Current, High Current, High Count, High Voltage (Low), Period
3. Watchdog: CCS Watch, UIT Watch
4. NP: Ramp, High Power, High Voltage (Low)
5. NPP: Ramp, High Power, High Voltage (Low)
6. NFT: 1 Low Temp, 1 High Temp, 2 Low Temp, 2 High Temp, 3 Low Temp, 3 High Temp 3.4.4.2.4 Pulse Display The Pulse Display tab is automatically displayed after a successful pulse operation. It will display the results of the last pulse in graphic form. The pulse data file, stored on the computer as a CSV formatted file, will have the date, time, width at half power, pulse time, number of entries, period, total energy, peak pulse power, peak fuel temperature, and the pulse reactivity. The user can scroll horizontally along the time of the pulse and can scale the y-axis of the selected parameter. Prior pulses may be loaded to viewing when the reactor is in a non-operational mode.

3.4.4.2.5 Administration Display

When an operator is logged in as a system administrator and the system is scrammed, the Administration tab will be added to the display tab list. This screen displays all the operators by name and operator number, as well as their logged-in times, magnet-on time (their run times/time spent in an operational mode), and their cumulative Megawatt (MW) Hours (operator time when the reactor produced MW). This information is also kept in plain text form on the CCS LINUX machine, so that a system administrator can reset values to zero by editing this file (or reset all statistics by deleting the file). This is a useful feature for when a new reactor operator requalification cycle starts.

3.4.4.2.6 Test Functions Display

When an operator is logged in as a system administrator and the system is scrammed, the Tests Functions tab will be added to the display tab list. The test display is intended for diagnostic, testing, and informative purposes. There are four major sections: Digital Outputs, Digital Inputs, Analog Outputs and Analog Inputs.

In the Digital Outputs section, there is a checkbox on many buttons on the test screen. Checking one of these checkboxes will turn on that particular output; clearing the checkbox will turn off that particular output. However, the test functions only work while in scrammed mode; therefore, attempting to turn on the magnet power outputs will not actually supply power to the magnets, since the hardwired scram loop prevents that from occurring. When checking one of the magnet power output checkboxes, the system will write the output to the hardware port (on the Sensory 2653 board), and the user can verify that the output is present by the corresponding LED on that board; magnet power is cut off after that point.

Note that the transient rod is controlled by digital outputs which are located in this section. You can move the cylinder up and down using the test functions, but you cannot fire the rod from the test screen. Many other buttons are provided to initiate the test modes and trip reset for all of the channels.

In the Digital Inputs section, the input data is displayed in two forms. First, all of the digital inputs are displayed in a binary string (ones and zeros) with each bit of that string corresponding to one of the hardware inputs (0=off, 1=on). Second, the test display also shows the digital inputs using signal names. The name is white text when the signal is zero (off), and red text when the signal is one (on). Also, the trips, Local/Remote status, Comm status and range (NMP-1000 Only) are shown as signal names. The name is blue text when the signal is zero (off), and red text when the signal is one (on).

In the Analog Outputs (rod control) section, the Tests Functions provides text edit boxes into which the operator can type a value between -10.0 and +10.0. This voltage is written to the corresponding D/A converter that drives the regulating, shim, safety and transient rod control drives. Note that because both magnet power and air pressure cannot be applied in scrammed mode, only the control rod drives and magnets will move and not the actual control rods.

In the Analog Inputs section, the Tests Functions displays the raw 16-bit numeric value and the converted value for each of the analog inputs.

3.4.4.2.7 Data Recording and Playback Display

The system captures all events written to the UIT displays and records them to a file on the UIT computer for future playback. These filenames are coded so that a reactor administrator or operator can locate the run history for a particular reactor run and play back those files.

3.4.5 Safety Analysis

The new UIT computer has been designed and manufactured to meet or exceed the requirements of the previous unit computer. The new computer and associated software have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new computer will be as dependable as the original unit.

Consideration of human factors and man-machine interfaces has been included in developing the design of the display. The operator controls have been designed so that operators can perform their tasks easily and correctly. The choice of controls used in the system takes into account the needs of the operator to optimize performance under all conditions.

In the event that the UIT computer malfunctions, i.e. becomes unresponsive, the UIT Watchdog Timer will initiate a scram. If the timer fails, then the reactor operator can always manually scram the reactor via the hardwired manual scram pushbutton.
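A software model of the watchdog behaviour described above and of the "Watchdog: CCS Watch, UIT Watch" prestart tests, added here as an illustration and not taken from the GA or AFRRI software. The timeout, the latching of a trip until reset, and all class and function names are assumptions; the page does not describe how the real watchdog is built.

```python
from dataclasses import dataclass

TIMEOUT_MS = 500   # assumed; the page does not state the watchdog timeout
STEP_MS = 100      # simulation tick


@dataclass
class Watchdog:
    name: str
    timeout_ms: int = TIMEOUT_MS
    last_kick_ms: int = 0
    tripped: bool = False            # assumed to latch until an explicit reset

    def kick(self, now_ms: int) -> None:
        # A late heartbeat must not clear a trip: the latch is deliberate.
        if not self.tripped:
            self.last_kick_ms = now_ms

    def poll(self, now_ms: int) -> bool:
        if now_ms - self.last_kick_ms > self.timeout_ms:
            self.tripped = True
        return self.tripped

    def reset(self, now_ms: int) -> None:
        self.tripped = False
        self.last_kick_ms = now_ms


class ScramLoop:
    """Magnet power is permitted only while no input demands a scram."""

    def __init__(self, *watchdogs: Watchdog):
        self.watchdogs = list(watchdogs)
        self.manual_scram = False     # models the hardwired pushbutton

    def magnet_power_permitted(self, now_ms: int) -> bool:
        # Poll every watchdog (no short-circuit) so each one latches on its own.
        demands = [w.poll(now_ms) for w in self.watchdogs]
        return not (self.manual_scram or any(demands))

    def tripped_names(self):
        return [w.name for w in self.watchdogs if w.tripped]


def simulate(loop, hang_at_ms, end_ms):
    """Advance simulated time. hang_at_ms maps a watchdog name to the time its
    computer stops sending heartbeats. Returns when power was lost, or None."""
    for now in range(0, end_ms + 1, STEP_MS):
        for w in loop.watchdogs:
            hang = hang_at_ms.get(w.name)
            if hang is None or now < hang:
                w.kick(now)
        if not loop.magnet_power_permitted(now):
            return now
    return None


def prestart_watchdog_test(name):
    """Withhold one computer's heartbeat; expect exactly that watchdog to trip
    and to stay tripped when heartbeats resume. Returns (result, reason)."""
    loop = ScramLoop(Watchdog("UIT"), Watchdog("CCS"))
    lost_at = simulate(loop, {name: 1000}, end_ms=3000)
    if lost_at is None:
        return "Failed", f"{name} watchdog did not trip"
    if loop.tripped_names() != [name]:
        return "Failed", f"unexpected trips: {loop.tripped_names()}"
    wd = next(w for w in loop.watchdogs if w.name == name)
    wd.kick(lost_at + STEP_MS)        # heartbeat resumes after the trip
    if loop.magnet_power_permitted(lost_at + STEP_MS):
        return "Failed", "trip cleared without reset"
    return "Passed", f"{name} watchdog tripped at {lost_at} ms"


if __name__ == "__main__":
    for computer in ("CCS", "UIT"):
        print(computer, *prestart_watchdog_test(computer))
```

The test only passes when the loss of a heartbeat opens the loop and a resumed heartbeat alone does not restore magnet power, which is the property a watchdog prestart check needs to establish.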

The NP-1000, NPP-1000, NLW-1000 power channels and the NFT-1000 fuel measuring channels provide, independently, both an analog signal and digital signal to the control console for display by the bargraphs, by the chart recorder and by the UIT computer display interface. The reactor operator can use these independent signals as a means to cross-check the validity of the indicated power level or fuel temperature. Therefore, in the case that the UIT computer malfunctions and provides erroneous information, there are other redundant and diverse channels that the operator can use to verify power level or fuel temperature.

There are no accident scenarios associated with the UIT computer and the failure of the computer is of minimal consequence since the computer does not provide any safety functions that are intended to prevent the fuel temperature safety limit of 1000 °C from being exceeded.

It is concluded that the UIT Computer will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.4.6 Technical Specifications

With the exception of the wording for the watchdog scram (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The Watchdog listed in Table 2, Minimum Reactor Safety System Scrams, needs to be revised to Watchdog (DAC to CSC) (UIT and CCS).

3.4.7 Quality Assurance

Significant software QA was performed on all GA developed software. Extensive test documentation is available for review and is summarized below.

Software Development Plan, AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC Rev A[29]

The Software Development Plan (SDP) applies to the software development and release of the TRIGA Console and Channels subsystems to support replacement of the existing TRIGA Mark F Research Reactor Instrumentation and Control System Console (CSC) at the Armed Forces Radiobiology Research Institute (AFRRI). The instrumentation housed in the new Data Acquisition Cabinet (DAC), located in the reactor room, includes the nuclear channels, power supplies, rod drive control, signal processing, analog I/O and Ethernet interface. The CSC includes two computer systems. One is the User Interface Terminal (UIT), which runs on a computer that operates on Windows to display reactor activities. The other is the Console Computer System (CCS), which operates on Linux to display reactor functions and conditions. This SDP describes the development process, organization, management structure, activities performed and resources used in the development of the AFRRI TRIGA software.

Furthermore, the SDP describes the planning of management, process, procedures, organization, staffing, scheduling, methods, resources, tasks, products, and reviews that are used to develop the AFRRI TRIGA software.

In addition to providing traditional project planning information, this SDP is also used to tailor the standard Software Engineering activities to fit the needs and constraints of this project. Separate documents, such as the TRIGA Software Configuration Management Plan (SCMP) and the Software Quality Assurance (SQA) Plan (SQP), will be used to describe how software configuration and software quality processes are applied to this project. This SDP is the prevailing document for software development activities. In the event of conflict between this SDP and another planning document, this SDP shall take precedence in matters related to software development.

Software Quality Plan, USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP Rev X3[30]

The purpose of this Software Quality Assurance Verification and Validation Plan is to define:

  • The Software Quality organization for the AFRRI TRIGA Replacement Console Project at General Atomics Electromagnetics Systems (GA-EMS)
  • The Software Quality tasks, Verification & Validation (V&V) tasks and responsibilities
  • The standards, practices, and conventions used to perform Software Quality and V&V activities
  • The tools, techniques, and methods that will be used to support Software Quality and V&V activities and reporting.

The AFRRI TRIGA project will be a replacement and upgrade effort where GA-ESI will provide replacement Console hardware and software, as well as installation services, for support of the existing monitoring, control and safety systems of the Mark F Research Reactor.

The plan articulates the Software Quality activities, including software quality engineering, software quality assurance, V&V, and software testing, performed throughout the software development life cycle of the AFRRI TRIGA Replacement Console Project.

The plan will define Software Quality and V&V support functions for this project and specify the reporting activities of Software Quality to Quality management, with communication links to the AFRRI TRIGA Project Manager and the project Software Engineering Manager.

A key goal of the Software Quality function is to verify that all software and documentation to be delivered meet all technical requirements and to ensure compliance with contractual requirements and with GA-ESI processes and procedures for software development.

The Software Quality and V&V tasks defined herein shall be used to examine deliverable software and project work products, assess conformance of planned tasks and activities to processes and procedures, and to determine compliance with technical and regulatory compliance requirements.

The Software Quality Assurance plan is written to comply with all contractual Quality Assurance Requirements and recognizes ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors[33], ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry[34], NRC Regulation 1.152[35] and the applicable sections of IEEE 7-4.3.2[36] for non-power research reactors.

The plan also complies with GA-ESI's Quality Management System, Quality Manual & procedures, and RMS Engineering Operating procedures.

The plan aligns with GA-ESI Procedure EP-021 which describes the standard product development process and GA-ESI Quality procedure QAP 03-03 Software Quality Assurance Planning that supports the lifecycle phases listed below for a waterfall software development model:

  • Concept/Planning
  • Requirements
  • Design
  • Implementation & Coding
  • Testing
  • Installation and Checkout

Software Configuration Management, TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC Rev X1[28]

The Software Configuration Management (SCM) Plan (SCMP) provides the guidelines to be used to manage changes to the TRIGA software at General Atomics Electronic Systems, Inc. (GA-ESI). The intended audience for the document includes, but is not limited to, Project Management, Software Quality Assurance, and Software Engineering personnel.

This SCMP will be used to ensure compliance to the SCM requirements as listed in the Armed Forces Radiobiology Research Institute (AFRRI) Statement of Work (SOW).

Software Configuration Management functions will be performed as described in the document throughout the Software Development Life Cycle (SDLC). This SCMP will be used to track and control changes in project documentation, software source code, software build artifacts, test tools, and test artifacts as described in the document. The SCMP is used in conjunction with GA-ESI Configuration Management (CM) operating procedures. There are no known limitations to this plan and assumptions have been made with respect to this plan.

Software Configuration Management is the discipline of controlling and tracking changes made to a software system throughout the SDLC. SCM is applicable, but not limited, to software requirements, design, source code, and project documentation. The following describes the activities involved with SCM, including:

  • Configuration identification

A Configuration Item (CI) is any component of a system, including documentation, which will be under the control of CM. These items are identified, recorded and managed within a Configuration Management System (CMS) and maintained throughout the lifecycle of the project.

Configuration Items for a software system consist of software process plans, specification documentation, software source code, test documentation, technical manuals and version description documentation.

  • Configuration control

Configuration control defines the process for requesting, evaluating, approving or disapproving, and implementing changes to baselined CIs. Changes can include, but are not limited to, defects, enhancements and new requirements.

A baseline provides a static reference point to a grouping of CIs that make up a system at a given point in time. Baselines establish a version of the software configuration which serves as the basis for further development. After a baseline has been established, scope changes can only be performed through a formal change request process as identified in the SCMP.

  • Configuration status accounting

The SCM engineer is responsible for the recording and reporting of software configuration status.

For software product builds performed by the SCM engineer, a configuration status report will be generated identifying the built software version, included issues, known software limitations, and additional developer notes associated with each issue.

Configuration status reports will be controlled as release notes and stored on the project's SharePoint site. A copy of the release notes will be provided with each build in the designated build area located on the GA-ESI network. Refer to the SCMP for the base location of where builds are stored on the GA-ESI network.

  • Configuration evaluations and reviews

Configuration evaluations and reviews will be used as the mechanism to evaluate a baseline. The SCM engineer along with the SQA engineer will schedule audits, on an as-needed basis, to determine the extent to which the physical and functional characteristics of a CI are met. At a minimum, configuration reviews should take place upon definition and completion of the Requirements and Product Baselines.

  • Release management and deliveries

The standard software release management and delivery process will be used.

3.5 Bargraphs - Component 3e

Figure 37 - Picture of Old and New Bargraphs

3.5.1 Design Function

The design functions of the Bargraphs are:

  • Provide power indication that is available to the reactor operator.
  • Be independent of the control system computers.
  • Provide redundancy and diversity in the event of computer system failure.

3.5.2 Description of Old

The bargraphs were located to the left of the graphics displays. The panel contained eight vertical LED bargraph meters. The bargraph meters received 4-20 mA signals from the DAC, NP/NPP-1000, NM-1000 channels and fuel temperature channel signal conditioners. The parameters displayed by the bargraph meters were:

Safety 1 (%) (NP-1000)

Safety 2 (%) (NPP-1000)

Log Power (%) (NM-1000)

Period (sec) (NM-1000)

Fuel Temp 1 (°C)

Fuel Temp 2 (°C)

NVT (MW sec) (NPP-1000)

NV Peak (MW) (NPP-1000)

The bargraphs were .

3.5.3 Comparison of Old vs. New

The bargraphs are functional equivalents. Both are microprocessor based LED meters that accept an analog 4-20 mA signal. The new panel has a ninth bargraph to display the additional fuel temperature channel.

3.5.4 Detailed Description of New

The bargraphs are located on the left side of the console, in about the same position as the old bargraphs.

These bargraphs are hardwired to the modules and are independent of the console computer system. The bargraphs are which the manufacturer recommends as a direct replacement for the previous model . The input to the NPP-1000 NV Peak bargraph is wired to one of the relays on the utility drawer in the CSC. The relay is controlled by the CCS computer and is active only during pulsed reactor operation. During steady state reactor operation, the input to the bargraph is disconnected. This is done because the NPP-1000 peak detect circuit produces an output at all times, but that output is relevant and needs to be displayed only while the reactor is pulsed.

The panel includes nine bargraphs:

Safety 1 (%) (NP-1000)

Safety 2 (%) (NPP-1000)

Log Power (%) (NLW-1000)

Period (sec) (NLW-1000)

Fuel Temp 1 (°C) (NFT-1000)

Fuel Temp 2 (°C) (NFT-1000)

Fuel Temp 3 (°C) (NFT-1000)

NVT (MW sec) (NPP-1000)

NV Peak (MW) (NPP-1000)

3.5.5 Safety Analysis

The new bargraphs maintain independence from the CSC display. The bargraphs are directly wired from the analog outputs of the associated channel and provide an independent means to provide the reactor operator with information pertaining to reactor power level or fuel temperature.

The new bargraphs have been designed and manufactured to meet or exceed the requirements of the previous units. The new bargraphs have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new bargraphs will be as dependable as the old unit.

The NP-1000, NPP-1000, NLW-1000 power channels and the NFT-1000 fuel measuring channels provide, independently, both an analog signal and digital signal to the control console for display by the bargraphs, by the chart recorder and by the console computer display interface. The reactor operator can use these independent signals as a means to cross-check the validity of the indicated power level or fuel temperature. Therefore, in the case that a bargraph fails or malfunctions and provides erroneous information, there are other redundant and diverse channels that the operator can use to verify power level or fuel temperature.

There are no accident scenarios associated with the bargraphs and the failure of a bargraph is of minimal consequence since the bargraphs do not provide any automatic protective actions.

It is concluded that the upgraded bargraphs will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.5.6 Technical Specifications

There are no technical specifications[5] associated with the bargraphs.

3.5.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3.6 Recorders - Component 3f

Figure 38 - Picture of Old and New Chart Recorders

3.6.1 Design Function

The design functions of the Recorders are:

  • Provide power indication and trending that is available to the reactor operator.
  • Provide a permanent record of reactor power.
  • Be independent of the control system computers.
  • Provide redundancy and diversity in the event of computer system failure.

3.6.2 Description of Old

The chart recorders were located to the left of the graphics displays. The panel had two paper chart recorders. The chart recorders received 4-20 mA signals from the NM-1000 and fuel temperature channel signal conditioners.

The paper chart recorders ( ) provided a record of the multi-range linear output of the NM-1000 and the fuel temperature channel signal conditioners. All recorder inputs were hardwired to their respective signal sources and therefore did not depend upon the computer for their input signals.

3.6.3 Comparison of Old vs. New

The new recorders are videographic compared to the old paper and pen style recorders. The recorders are for indication only and provide no protective actions.

3.6.4 Detailed Description of New

The chart recorders ( ) are located on the left side of the console, are hardwired to the modules, and are independent of the console computer system.

The recorders use a high resolution digital LCD display (5.7 inches) that provides clear, bright images and a wider viewing angle than other display types. The touch-screen interface and graphical icons make them easy to use, while the display can be customized to access the best representation of process data. They record data in a secure digital format, eliminating interpolation errors that can arise from transposing data from a chart to a spreadsheet for analysis. Each supports up to 12 analog and 16 digital inputs. They can store data to a secure digital (SD) card and/or USB memory stick. As a minimum, the chart recorder on the left records Log Power (NLW-1000), the chart recorder on the right records Linear Power (NP-1000). However, all analog signals from the nuclear instruments are hardwired into the chart recorders and are available for display and storage. The user has the option to enable additional inputs to be viewed and recorded. The analog signals connected to the recorders are listed in Table 9.

Table 10 - List of Recorder Inputs

Left Recorder                         Right Recorder
NLW-1000 Log Power                    NP-1000 Safety 1 Linear Power
NPP-1000 Safety 2 Power (optional)    NFT-1000 Fuel Temp 2 (optional)
NLW-1000 Period (optional)            NFT-1000 Fuel Temp 3 (optional)
NPP-1000 NVT (optional)               NMP-1000 Multi-Range Power (optional)
NPP-1000 NV (optional)
NFT-1000 Fuel Temp 1 (optional)

3.6.5 Safety Analysis

The new recorders maintain independence from the CSC display. The recorders are directly wired from the analog outputs of the associated channel and provide an independent means to provide the reactor operator with information pertaining to reactor power level or fuel temperature.

The new recorders have been designed and manufactured to meet or exceed the requirements of the previous units. The new recorders have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new recorders will be as dependable as the old unit.

The NP-1000, NPP-1000, NLW-1000, and NMP-1000 power channels and the NFT-1000 fuel measuring channels provide, independently, both an analog signal and digital signal to the control console for display by the bargraphs, by the chart recorder(s) and by the console computer display interface. The reactor operator can use these independent signals as a means to cross-check the validity of the indicated power level or fuel temperature. Therefore, in the case that a recorder fails or malfunctions and provides erroneous information, there are other redundant and diverse channels that the operator can use to verify power level or fuel temperature.
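The cross-check that the UIT, bargraph and recorder safety analyses rely on can be sketched as follows. This is an added example, not the console's own software: it compares a hardwired 4-20 mA reading with the digital value for the same channel and reports a broken loop separately from a disagreement. The engineering ranges, the 2 % tolerance, the fault thresholds (chosen in the style of NAMUR NE 43) and the sample readings are all assumptions.

```python
from dataclasses import dataclass

LOOP_MIN_MA, LOOP_MAX_MA = 4.0, 20.0
FAULT_LOW_MA, FAULT_HIGH_MA = 3.6, 21.0   # NAMUR NE 43 style limits (assumed)


@dataclass(frozen=True)
class Channel:
    name: str
    lo: float               # engineering value at 4 mA (assumed scaling)
    hi: float               # engineering value at 20 mA (assumed scaling)
    unit: str
    tol_pct: float = 2.0    # allowed disagreement, % of span (assumed)


def loop_to_value(ch, ma):
    """Convert loop current to engineering units; None if the loop is faulted.

    The 4 mA live zero is what makes a broken wire (about 0 mA)
    distinguishable from a genuine zero reading."""
    if ma <= FAULT_LOW_MA or ma >= FAULT_HIGH_MA:
        return None
    return ch.lo + (ma - LOOP_MIN_MA) * (ch.hi - ch.lo) / (LOOP_MAX_MA - LOOP_MIN_MA)


def cross_check(ch, analog_ma, digital_value):
    """Compare the hardwired analog reading with the value the computer shows."""
    analog = loop_to_value(ch, analog_ma)
    if analog is None:
        return "ANALOG_FAULT"        # trust neither bargraph nor recorder here
    if digital_value is None:
        return "DIGITAL_MISSING"     # computer path lost; analog path still valid
    if abs(analog - digital_value) > (ch.hi - ch.lo) * ch.tol_pct / 100:
        return "MISMATCH"            # one path is wrong; verify on a third channel
    return "AGREE"


# Constructed sample readings: (channel, loop current in mA, digital value)
CONSTRUCTED_READINGS = [
    (Channel("Safety 1 (NP-1000)", 0.0, 120.0, "%"), 12.0, 60.0),
    (Channel("Safety 2 (NPP-1000)", 0.0, 120.0, "%"), 12.0, 75.0),
    (Channel("Fuel Temp 1 (NFT-1000)", 0.0, 1000.0, "degC"), 2.0, 310.0),
    (Channel("Fuel Temp 2 (NFT-1000)", 0.0, 1000.0, "degC"), 8.96, None),
]


def review(readings):
    """Return (channel name, status) for every reading."""
    return [(ch.name, cross_check(ch, ma, dig)) for ch, ma, dig in readings]


if __name__ == "__main__":
    for name, status in review(CONSTRUCTED_READINGS):
        print(f"{name:26s} {status}")
```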

There are no accident scenarios associated with the recorders and the failure of a recorder is of minimal consequence since the recorders do not provide any automatic protective actions.

It is concluded that the upgraded recorders will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.6.6 Technical Specifications

There are no technical specifications[5] associated with the chart recorders.

3.6.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

4 References

1. GA Operation and Maintenance Manual NP-1000/NPP-1000 Percent Power Channel, E117-1010 Revision 2, 1991
2. NP-1000, Nuclear Power Module, User Manual, Document T3271000-1UM, Rev A, December 2018
3. GA Document, T9S900D970-SRS, GA TRIGA Nuclear Module Software Communications Protocol Document
4. TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS
5. Technical Specifications for the AFRRI Facility Rev 25, Aug 14, 2019
6. GA Acceptance Test Procedure (ATP), NP-1000, Nuclear Power Instrument, T3271000-1AT
7. Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A
8. Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A
9. Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A
10. NPP-1000, Nuclear Power Module, User Manual, Document T3281000-1UM, Rev A, January 2018
11. GA Acceptance Test Procedure (ATP), NPP-1000, Nuclear Power Instrument, T3281000-1AT
12. GA Operation and Maintenance Manual NM-1000 Neutron Monitoring System, E117-1000, 1989
13. NLW-1000, Wide Range Log Power Module, User Manual, Document T3322000-1UM, Rev B, June 2015
14. Acceptance Test Procedure (ATP), Wide-Range Log Module NLW-1000, T3322000-1AT
15. NMP-1000, Multi-range Linear Module, User Manual, Document T3401000-1UM, Rev C, January 2018
16. ANS/ASME NQA-1-2000, Quality Assurance Requirements for Nuclear Facility Applications
17. NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A
18. GA Acceptance Test Procedure (ATP), NMP-1000, Nuclear Power Instrument, T3401000-1AT
19. GA Operation and Maintenance Manual, E117-1006, 1989
20. NFT-1000, Nuclear Fuel Temperature Module, User Manual, Document T3291000-1UM, Rev A, January 2018
21. NFT-1000 Software Requirements Specification T3297960-SRS Rev A
22. GA Acceptance Test Procedure (ATP), NFT-1000, Nuclear Power Instrument, T3291000-1AT
23. TRIGA Reactor Instrumentation & Control System, Operation and Maintenance Manual, Document T3A100B7911-1OM, Rev A, January 2018
24. GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT
25. Response for the Request for Additional Information (RAI), September 30, 2016 (ML16278A111)
26. Safety Evaluation Report (SER), November 2016 (ML16278A347)
27. GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT
28. GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, FIS, T3A400E100-1AT
29. AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC
30. USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP
31. TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC
32. Vendor Award/Contract HT940412C0006
33. ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors, 1995
34. ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, 1987 (R1998)
35. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Rev 3, July 2011
36. IEEE 7-4.3.2 Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations

Appendix A - Summary Table

WAS/IS

| Old | New | Safety |
|---|---|---|
| NP-1000 | NP-1000 (item 1a) | Safety Analysis - no change |
| NPP-1000 | NPP-1000 (item 1b) | Safety Analysis - no change |
| NM-1000 | NLW-1000 (item 1c) | Safety Analysis |
| NM-1000 | NMP-1000 (item 1d) with new Compensated Ion Chamber (item 1d) | Safety Analysis |
| Action Pak modules | NFT-1000 (item 1e) | Safety Analysis - no change |
| Scram loop | Scram loop (item 1f) | Safety Analysis - no change |
| Control rod drive | Control rod drive (item 1g). NOTE: This only applies to the 3 standard control rod drives designated as SAFE, SHIM and REG. The Transient Rod drive was not modified during this upgrade and is original. | Safety Analysis - no change |
| Action Pak modules | Process Instrumentation (item 1h) | Safety Analysis - no change |
| Facility Interlock System | Facility Interlock System (item 2) | Safety Analysis - no change |
| Control System Console | Control System Console (item 3) | Safety Analysis |
| Rod Control Panel | Rod Control Panel (item 3a) | Safety Analysis |
| Reactor Mode Control Panel | Reactor Mode Control Panel (item 3b) | Safety Analysis |
| The old console computer ran used custom GA Configurator software to drive the display, and for communications to the rest of the system. | CCS Computer (item 3c) - The new console contains two computers, each with its own monitor. The CCS uses a and handles input and output data, monitors the pushbuttons on the control rod panel and drives the indicator lights on the console. | No change - no functional or operational change. All software was subjected to extensive quality assurance using GA procedures. |
| | UIT Computer (item 3d) - The User Interface Terminal (UIT) uses to display parameters and accept user input. | No change - All software was subjected to extensive quality assurance using GA procedures. |
| Bargraphs | Bargraphs (item 3e) | Safety Analysis |
| Chart recorders | Chart recorders (item 3f) | Safety Analysis |

Appendix B - Photos of Components

Appendix B.1 - Data Acquisition Cabinet

Figure 39 - Data Acquisition Cabinet

Figure 40 - Data Acquisition Cabinet - Power Supplies

Figure 41 - Data Acquisition Cabinet - Digital Input/Output

Figure 42 - Data Acquisition Cabinet - Analog Input/Output

Figure 43 - Data Acquisition Cabinet - Nuclear Instruments

Figure 44 - Data Acquisition Cabinet - Control Rod Drive

Appendix B.2 - Facility Interlock System

Figure 46 - Facility Interlock System - Cabinet Outside

Figure 47 - Facility Interlock System - Cabinet Inside

Figure 48 - Facility Interlock System - Exposure Room Control Box

Figure 49 - Facility Interlock System - Exposure Room Status Panel

Appendix B.3 - Control System Console

Figure 50 - Control System Console - Front

Figure 51 - Control System Console - Rear

Figure 52 - Control System Console - Power Supplies

Figure 53 - Control System Console - UPS

Figure 54 - Control System Console - Digital Input

Figure 55 - Control System Console - Digital Output

Figure 56 - Control System Console - Rod Control Panel - Front

Figure 57 - Control System Console - Reactor Mode Control Panel - Front

Figure 58 - Control System Console - Reactor Mode Control Panel - Back

Figure 59 - Control System Console - Computers - Left Side Display

Figure 60 - Control System Console - Computers - Right Side Display

Figure 61 - Control System Console - Bargraphs and Recorders

Figure 62 - Control System Console - Bargraphs - Front

Figure 63 - Control System Console - Recorders - Front

Figure 64 - Control System Console - Bargraphs and Recorders Panel - Back