ML21302A100


Enclosure 1c - Revision 1 of the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute Triga Reactor - Redacted
ML21302A100
Person / Time
Site: Armed Forces Radiobiology Research Institute
Issue date: 10/28/2021
From:
US Dept of Defense, Armed Forces Radiobiology Research Institute, US Dept of Defense, Uniformed Services Univ of the Health Sciences
To:
Office of Nuclear Reactor Regulation
Shared Package
ML21302A096 List:
References
EPID L-2020-NFA-0012, GA/EMS-5084


Text

Enclosure 1c - Redacted - Available to the Public Revision 1 of the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

AFRRI
Uniformed Services University

License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor

Revision 1
29 September 2021

Table of Contents

Executive Summary
1 Introduction
2 Summary Description
  2.1 Reactor Instrumentation
  2.2 Reactor Control System (RCS)
  2.3 Reactor Protection System
  2.4 Control System Console (CSC)
  2.5 Data Acquisition Cabinet (DAC)
  2.6 Process Instrumentation
3 Reactor Control System (RCS)
  3.1 Nuclear Instruments
    3.1.1 Design Criteria
    3.1.2 Design Bases
    3.1.3 Subsystem Description
    3.1.4 Operation and Performance
    3.1.5 Conclusion
  3.2 Process Instruments
    3.2.1 Design Criteria
    3.2.2 Design Bases
    3.2.3 Subsystem Description
    3.2.4 Operation and Performance
    3.2.5 Conclusion
  3.3 Data Acquisition Cabinet (DAC)
    3.3.1 Design Criteria
    3.3.2 Design Bases
    3.3.3 Subsystem Description
    3.3.4 Operation and Performance
    3.3.5 Conclusion
  3.4 Control Rod Drives
    3.4.1 Design Criteria
    3.4.2 Design Bases
    3.4.3 Subsystem Description
    3.4.4 Operation and Performance
    3.4.5 Conclusion
  3.5 Facility Interlock System (FIS)
    3.5.1 Design Criteria
    3.5.2 Design Bases
    3.5.3 Subsystem Description
    3.5.4 Operation and Performance
    3.5.5 Conclusion
4 Reactor Protection System
  4.1 Design Criteria
  4.2 Design Bases
  4.3 Subsystem Description
    4.3.1 Scram Loop Circuit
    4.3.2 Functions of the Scram Loop Contacts
    4.3.3 Function of Relay K1
    4.3.4 Function of Relay K2
    4.3.5 Magnet Power and Digital Inputs
    4.3.6 Ground Fault Detector
  4.4 Operation and Performance
  4.5 Conclusion
5 Engineered Safety Features Actuation Systems
6 Control Console and Display Instruments
  6.1 Design Criteria
  6.2 Design Bases
  6.3 Subsystem Description
    6.3.1 Left Side Status Display
    6.3.2 Right Side Graphics Display
    6.3.3 Reactor Mode Control Panel
    6.3.4 Rod Control Panel
    6.3.5 Bargraphs and Recorder Panel
    6.3.6 Uninterruptible Power Supply (UPS)
    6.3.7 AC Power Distribution
    6.3.8 Console Power Supply Drawer
    6.3.9 Digital Inputs Drawer
    6.3.10 Utility Drawer
  6.4 Operation and Performance
  6.5 Conclusion
7 Reactor Scram and Setpoint Determination
  7.1 Fuel Temperature Limit
8 Cyber-Security
9 FSAR - Chapter 13 - Accident Analysis
10 Quality Assurance
  10.1 Functional Requirements Specifications
  10.2 System Requirements Specifications
    10.2.1 Software Requirements Specifications
    10.2.2 Hardware Requirements Specifications
  10.3 Factory Acceptance Test
    10.3.1 Acceptance Test Procedure, Console, AFRRI TRIGA
    10.3.2 Acceptance Test Procedure, Cabinet Assembly, DAC
    10.3.3 Acceptance Test Procedure, Facility Interlock System
  10.4 Site Acceptance Test
  10.5 Requirements Traceability Matrix - T3A100D915-RTM
  10.6 Configuration Management
    10.6.1 Software Development Plan
    10.6.2 Software Quality Plan
    10.6.3 Software Configuration Management
11 Technical Specification Changes
  11.1 Technical Specification Change #1.
  11.2 Technical Specification Change #2.
12 Conclusion
13 References

List of Tables

Table 1 Summary of Changes
Table 3 TS Table 2. Minimum Reactor Safety System Scrams
Table 3 Design Basis Event Overview
Table 3 TS Table 1. Minimum Measuring Channels
Table 3 Location of Significant Core Components
Table 3 DAC Input/Output List
Table 3 TS Table 3 - Minimum Reactor Safety System Interlocks
Table 4 TS Table 2. Minimum Reactor Safety System Scram
Table 4 Specific Instruments Performing Safety Functions

List of Figures

Figure 2 Reactor Instrumentation and Control System Block Diagram
Figure 3 Ranges of Neutron Flux Monitoring Channels
Figure 3 Neutron Flux Monitoring Channels
Figure 3 Wide-range Log Module NLW-1000, Front and Rear View
Figure 3 NLW-1000 Module Block Diagram
Figure 3 Multi-range Linear Module NMP-1000, Front and Rear View
Figure 3 NMP-1000 Module Block Diagram
Figure 3 Linear Module NP-1000, Front and Rear View
Figure 3 NP-1000 Module Block Diagram
Figure 3 Linear Power Pulsing Module NPP-1000, Front and Rear View
Figure 3 NPP-1000 Module Block Diagram
Figure 3 Fuel Temperature Monitoring Module NFT-1000, Front and Rear View
Figure 3 NFT-1000 Module Block Diagram
Figure 3 Instrumented Fuel Element
Figure 3 Core Locations of the Instrumented Fuel Elements
Figure 3 Data Acquisition Cabinet
Figure 3 Data Acquisition Cabinet Block Diagram
Figure 3 AC Power Distribution Data Acquisition Cabinet
Figure 3 Rod Control Block Diagram
Figure 3 Control Rod Diagram
Figure 3 Schematic Diagram
Figure 3 Transient Rod
Figure 3 Transient Rod Limit Switches
Figure 3 Automatic Mode Functional Block Diagram
Figure 3 Rod Control Panel
Figure 3 Prior installation of the FIS (Left) and the new FIS (right)
Figure 3 Facility Interlock System Block Diagram
Figure 3 Scram Loop Interlock Wiring Diagram
Figure 3 Lead Door Interlock Wiring Diagram
Figure 3 Core Support Carriage Interlock Wiring Diagram
Figure 3 Exposure Room Door Interlock Wiring Diagram
Figure 3 FIS Interlock Diagram
Figure 4 Scram Circuit Diagram
Figure 6 Control System Console (CSC) Block Diagram
Figure 6 Left Side Status Display
Figure 6 Right Side Graphics Display - Reactor Display #1
Figure 6 Right Side Graphics Display - Reactor Display #2
Figure 6 Reactor Prestart Tests Display
Figure 6 Pulse Display (with data)
Figure 6 Administration Display
Figure 6 Test Function Display
Figure 6 Playback Display
Figure 6 Reactor Control Mode Panel
Figure 6 Core Support Carriage Regions
Figure 6 Rod Control Panel
Figure 6 Bargraphs and Recorder Panel
Figure 6 Console AC Power Distribution
Figure 6 Configuration
Figure 10 Quality Assurance Workflow Diagram

List of Abbreviations, Acronyms and Symbols

°C      degree Celsius
4PDT    four pole, double throw
A       ampere
A/D     analog to digital
AC      alternating current
AFRRI   Armed Forces Radiobiology Research Institute
ANS     American Nuclear Society
ANSI    American National Standards Institute
CCS     Console Computer System
CCW     counterclockwise
CIC     compensated ion chamber
COTS    Commercial off the shelf
cps     counts per second
CRD     Control rod drive
CSC     Control System Console
CSV     comma separated variable
CW      clockwise
D/A     digital to analog
DAC     Data Acquisition Cabinet
DC      direct current
ER      Exposure room
ESF     engineered safety feature
FIS     facility interlock system
GA      General Atomics
GA-ESI  General Atomics - Electromagnetic Systems
GFD     ground fault detector
HP      History playback
HV      high voltage
Hz      hertz
I&C     Instrumentation and Control
I/O     input/output
IAW     in accordance with
IFE     instrumented fuel element
LAN     local area network
LAR     License amendment request
lb      pound
LCD     liquid crystal display
LCO     limiting condition of operation
LED     light emitting diode
LSSS    limiting safety system setting
mA      milliamperes
MCC     motor control center
msec    milliseconds
MW      megawatt
NQA     Nuclear Quality Assurance
NRC     Nuclear Regulatory Commission
NSAB    Naval Support Activity Bethesda
O&M     Operator and Maintenance
OEM     original equipment manufacturer
PID     proportional, integral, derivative
RAM     radiation area monitor
RCS     Reactor Control System
RPI     rod position indication
RPS     Reactor Protection System
RTD     resistance temperature detector
RWP     Rod withdrawal permit
SAR     safety analysis report
SOW     statement of work
SR      surveillance requirement
TB      terminal board
TRIGA   Training, Research, Isotopes, General Atomics
TS      technical specification
UIT     user interface terminal
UPS     uninterruptible power supply
USB     universal serial bus
V       voltage
V/F     voltage to frequency
VAC     voltage, alternating current
VDC     voltage, direct current
W       watts
WDT     Watchdog timer

Executive Summary

The AFRRI TRIGA Mark-F reactor is an open pool-type light water reactor which can operate in either the steady-state mode up to 1.1 megawatt (thermal) or pulse mode in pulses of up to 2,500 megawatts occurring in about 0.1 second. The reactor and associated experimental facilities and equipment are contained in the reactor building located in the AFRRI complex. The AFRRI TRIGA Mark-F reactor serves as a source of both gamma and neutron radiation for research and radioisotope production. The unique flexibility of the AFRRI TRIGA reactor is achieved by the horizontally movable core which can traverse from one irradiation position to another.

The reactor is operated from a Control System Console (CSC) located in the control room. The Data Acquisition Cabinet (DAC) is located in the reactor room and houses the digital neutron power channels and the driver modules for the control rod drive stepping motors. With the exception of the neutron flux detectors, the entire control system has been replaced. The primary motivation for this replacement was parts obsolescence and equipment maintainability, which had become increasingly difficult with the existing system.

This system provides the basic monitoring, protection, and control functions for the reactor. The instrumentation and control system is designed to provide the following:

  • Complete information on the status of the reactor and reactor-related systems
  • Automatic control of reactor power level
  • Automatic scrams in response to over-power, loss of detector high voltage, or high fuel temperatures
  • Automatic scrams in response to a loss of operability of the digital computer system

Annunciators are provided to indicate when abnormal conditions exist to help ensure that the reactor is operated within design limits. Other parameters such as pool water level and pool water temperature are also monitored and displayed.

The Reactor Protection System (RPS) is independent of the normal reactivity control system and provides an automatic, analog scram system that shuts down the reactor if the nuclear safety channels' power or temperature limits are reached. Unlike the system that it replaces, the upgraded neutron flux safety channels use only analog signal processing (no software) for detector signal processing and scram activation.

The Reactor I&C System has undergone a complete quality assurance verification and validation program. The program included functional requirements, system requirements, both hardware and software, factory acceptance testing and finally site acceptance testing, which included a checkout of the system at full steady-state power level and pulsing operation.

In order to return to reactor operations this License Amendment Request (LAR) has been produced for review and approval by the U.S. Nuclear Regulatory Commission (NRC).


1 Introduction

Control of research and test reactors, including the TRIGA family of reactors, was originally accomplished using vacuum tube circuits, and progressed to instrumentation and control (I&C) systems based on solid-state, hardwired and analog circuitry. The logic for these control systems was developed through many years of experience and includes attention to matters such as:

(i) necessary redundancy in single inputs, signal processing and controls, and
(ii) prevention of single mode failure mechanisms

Development of computers and digital signal processing provides the opportunity to either replace, supplement or combine this earlier solid-state analog circuitry to create I&C systems using microprocessor based software driven control.

The AFRRI Reactor Instrumentation and Control (I&C) System includes instrumentation for monitoring reactor parameters during all operational states and for recording all variables important to reactor operation. It incorporates:

(i) a wide range neutron power monitor using proven analog designs supplemented by firmware based features for calibration and maintenance,
(ii) power safety channels using proven analog designs supplemented by firmware based features for calibration and maintenance, and
(iii) digital data acquisition and control features for a user friendly operator interface for controlling the reactor, including managing all control rod movements taking into account the choice of operating mode and interlocks.

The system is installed in the Control System Console (CSC) and Data Acquisition Cabinet (DAC) and acquires data from instrumentation in the reactor and auxiliary systems, processes it, and transmits it to the operator via multiple displays at the CSC. All safety systems are hardwired such that reactor safety is not compromised by computer failures.

The technology utilized in General Atomics' (GA) latest research reactor I&C system incorporates all the features, controls and protection systems proven in its prior, successful analog/digital system designs, and couples them with state-of-the-art signal processing and display technology. The result is a hybrid system which maintains the prior proven architecture, greatly enhances the user interfaces for ease of operation as well as system and component diagnostic features, and simplifies operational surveillance requirements. The system is designed and manufactured using the guidance given in ANSI/ANS Standard, Criteria for the Reactor Safety Systems of Research Reactors (ANSI/ANS 15.15-1978)[1].

A primary design intent in this upgrade was to replace the existing system with a new system that is form and function identical to the existing system to the maximum extent possible. This was done to minimize licensing issues. The primary motivation for this upgrade is parts obsolescence and equipment maintainability, which have become increasingly difficult with the existing system.

Refer to the Functional and System Requirements Specifications documents.[13,14]

The radiation protection system is housed in an auxiliary console adjacent to the main console and displays the radiation levels at select locations throughout the facility. There are no changes to the auxiliary console, the radiation protection system or the ventilation system in this license amendment request; therefore, all Technical Specifications pertaining to those systems remain valid and unchanged.

Table 1-1 - Summary of Changes

FACILITY INTERLOCK SYSTEM

WAS: Stand-alone cabinet with sensor input, relays, indicator lights, override switch, interacts with console primarily through permissive relay contact.
IS: Stand-alone cabinet with new, readily available components. Indicator panel in prep area will be replaced with modern, readable version.
DISCUSSION: Lights are much larger for greater visibility at distance. Very old wiring with cracked insulation or crumbling cloth insulation replaced with new wiring. All relays are rated for 100,000 cycles. Added bypass switches in ER to enforce the two operator inspect criteria.

STANDARD CONTROL ROD DRIVES (no change to Transient Rod)

NUCLEAR INSTRUMENT SUITE

WAS: Included two identical NFT instruments, one for each thermocouple channel.
IS: One NFT instrument housing with three independent channels, able to read all three IFE thermocouples simultaneously. New NFT performs pulse data capture locally (old system did not capture continuous data during pulse).
DISCUSSION: New NFT enables readout of all three IFE thermocouples with one unit. Only common parts are power supply, display, and housing. If power supply dies, all trips go to fail-safe condition.

NP-1000 and NPP-1000 safety channels

WAS: All instruments output 0-10V signals. Digital conversion occurred in a separate COTS ADC, then was sent to the console computer.
IS: All new instruments have analog trip channels, but digital conversion for operations occurs inside the instrument. All instruments use on-board Ethernet communications for reliability.
DISCUSSION: Enables greater control and flexibility and prevents noise-pickup prior to digital conversion. Analog output still used to drive console bargraphs. All reactor-related equipment is connected to an isolated (air-gap) network. Access to instruments in the Data Acquisition Cabinet (DAC) and the Console in the control room is via locked cabinet doors.

CONTROL CONSOLE

WAS: Scram and Interlock Test switch
IS: Two scram and Interlock test switches to accommodate increased number of test points, due to adding a third fuel temperature channel and the new NMP-1000 instrument.
DISCUSSION: Same functionality. Additional test points, including NMP-1000.

WAS: COTS standalone count-up/down scram timer with binary output to console software.
IS: Timer built-in to console software, user interacts via display.
DISCUSSION: Timer functionality is identical. Instead of relying on COTS equipment with uncertain design and quality, timer incorporated into console software.

WAS: COTS pulse timer
IS: Timer built into console software, user interacts via display
DISCUSSION: Max value set in software configuration file.

WAS: Analog bargraphs display critical operational information
IS: Same except new additional IFE temperature channel will be added to displays.
DISCUSSION: Functionally identical setup - provides sufficient information to monitor and shutdown the reactor safely independent of CSC.

WAS: Rod bank selection done by hardware switches on console, which were read by computer and used to enforce operator selection.
IS: Rod bank selection done with GUI buttons on-screen.

WAS: Low source level interlock monitored and activated via NM-1000 signal
IS: Low source level interlock monitored and activated via NMP-1000 signal
DISCUSSION: No effective change

OTHER

WAS: RAMs/CAMs and other miscellaneous instruments readout on auxiliary console.
IS: No change.

WAS: No independent training and test platform exists
IS: New standalone platform (TINA) built, replicates console computers and emulates system response to enable off-line training and test capability.
DISCUSSION: New, additional capability per the contract.

WAS: Auxiliary console
IS: Auxiliary console
DISCUSSION: No change - not in scope of contract

WAS: Rod Drop Timing was manual (stopwatch) and subject to significant uncertainty.
IS: Rod Drop Timing is measured electronically for greater precision and accuracy.
DISCUSSION: Added feature to console software.

The design and operating characteristics of the Armed Forces Radiobiology Research Institute (AFRRI) instrumentation and control (I&C) systems are described and discussed in this License Amendment Request (LAR). Information is included to explain the design criteria and bases and to discuss the functional and safety analyses of the I&C subsystems. The I&C provides protective functions such as scramming the reactor and initiating safety actions as well as standard control functions such as monitoring reactivity. These systems and their outputs are consolidated into a control console. The AFRRI Training, Research, Isotopes, General Atomics (TRIGA) reactor is designed and operated to pose insignificant risk to the public without isolating the Reactor Protection System (RPS) from the other subsystems.

The RPS monitors operating parameters such as the neutron flux and fuel temperature. These measurements, when monitored by the RPS, ensure facility and personnel safety is maintained by limiting the operating conditions to those within analyzed and acceptable ranges. The Reactor Control System (RCS) monitors many of the same parameters as the RPS and gives information for automatic and manual control. The instruments collectively present system status information to the operator for monitoring. This instrumentation system provides the way in which automatic or operator control actions are transmitted for execution by the RCS. Radiation instruments show radiation levels in the reactor bay, irradiation rooms, and throughout the facility. The radiation level data is displayed on the auxiliary console, does not interface with the control system console, and remains unchanged as a part of this LAR.

This discussion of the AFRRI I&C includes the functional requirements, design criteria and bases, system descriptions, system performance analyses, and the bases of technical specification (TS) limiting safety system settings (LSSSs), limiting conditions of operation (LCOs), and surveillance requirements.

2 Summary Description

The role of the AFRRI Reactor I&C is to provide monitoring, protection, and control functions for the reactor with a means to acquire and record data. It provides complete information on the status of the reactor and reactor-related systems. Refer to Figure 2-1, AFRRI System Block Diagram.

Figure 2-1 Reactor Instrumentation and Control System Block Diagram

The Reactor I&C system is a hybrid computer based system which includes a hardwired Reactor Protection System (RPS) with dedicated displays and controls so that safe operation and monitoring of the reactor can continue should the computers become unavailable. The primary function of the RPS is to scram the reactor by allowing the control rods to fall into the core in response to automatic protective actions or actions initiated by the operator from the Control System Console (CSC) operator interface in response to other abnormal reactor operating conditions that may arise during the course of operations. The equipment installed in the Data Acquisition Cabinet (DAC) acquires data in the form of electronic signals from instrumentation in the reactor and auxiliary systems, processes it, and transmits it to the operator via multiple displays on the CSC. There are six major subsystems that make up the AFRRI system as stated below:

1) Reactor Instrumentation
2) Reactor Control System (RCS)
3) Reactor Protection System (RPS)
4) Control System Console (CSC)
5) Data Acquisition Cabinet (DAC)
6) Process Instrumentation

2.1 Reactor Instrumentation

The Reactor I&C system receives input from various detectors and sensors. These include three fission chambers, a compensated ionization chamber, an uncompensated ionization chamber, a Cerenkov detector, and fuel elements with integrated thermocouples. Signals from these units are processed in the DAC which is housed in the reactor room.

2.2 Reactor Control System (RCS)

The reactor control system includes control rod drives (CRD), automatic control, reactor interlocks, and the facility interlock system (FIS).

The control rod drives (CRDs) are updated units very similar to the previous CRDs. Three standard control rod drives have been replaced with the new console; the existing transient rod has not been modified. The primary difference between the old and new CRDs is

The reactor control system has four explicitly defined states: time delay, operate, scram and test.

The time delay state begins when no emergency stops are active, all facility interlocks are satisfied, and the magnet power key switch is turned to Reset. This initiates a 30-second countdown and given no interrupts, the system proceeds to the operate state. The operate state allows magnet power to be applied by again turning the key switch to Reset and the operator may begin to insert reactivity. The scram state occurs when a fault is detected during operation. Any fault on the scram loop removes magnet power (and air pressure to the transient rod) releasing the control rods and allowing gravity to fully insert the rods into the core. Finally, the test state exists when the reactor has been scrammed and the operator is testing various inputs and functions.
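The four states described above can be written down as a small transition model. This is an added example, not code from the AFRRI console or its vendor. The class and method names, the initial scram state, the handling of an interrupt during the countdown (return to scram), and the rule that Reset is ignored in the time delay and test states are assumptions made for illustration.

```python
from enum import Enum

TIME_DELAY_S = 30.0  # countdown length stated in the text


class State(Enum):
    TIME_DELAY = "time delay"
    OPERATE = "operate"
    SCRAM = "scram"
    TEST = "test"


class RcsStateModel:
    """Illustrative model of the four RCS states (hypothetical, not console code)."""

    def __init__(self):
        # Assumption: the model starts scrammed with magnet power removed.
        self.state = State.SCRAM
        self.magnet_power = False
        self._delay_started = None

    @staticmethod
    def _permissives_ok(estop_active, interlocks_ok):
        # No emergency stop active and all facility interlocks satisfied.
        return (not estop_active) and interlocks_ok

    def _scram(self):
        # A fault removes magnet power; the rods are released.
        self.state = State.SCRAM
        self.magnet_power = False
        self._delay_started = None
        return self.state

    def key_reset(self, now, estop_active, interlocks_ok):
        """Magnet power key switch turned to Reset at time `now` (seconds)."""
        ok = self._permissives_ok(estop_active, interlocks_ok)
        if self.state is State.SCRAM and ok:
            # First Reset: start the 30-second countdown.
            self.state = State.TIME_DELAY
            self._delay_started = now
        elif self.state is State.OPERATE:
            if not ok:
                return self._scram()
            # Second Reset: magnet power may now be applied.
            self.magnet_power = True
        # Assumption: Reset has no effect in TIME_DELAY or TEST.
        return self.state

    def tick(self, now, estop_active, interlocks_ok, scram_loop_fault=False):
        """Periodic evaluation of permissives and the scram loop."""
        ok = (self._permissives_ok(estop_active, interlocks_ok)
              and not scram_loop_fault)
        if self.state is State.TIME_DELAY:
            if not ok:
                return self._scram()  # interrupt during the countdown
            if now - self._delay_started >= TIME_DELAY_S:
                self.state = State.OPERATE  # magnet power still off
        elif self.state is State.OPERATE and not ok:
            return self._scram()
        return self.state

    def enter_test(self):
        # Test is reachable only once the reactor has been scrammed.
        if self.state is State.SCRAM:
            self.state = State.TEST
        return self.state

    def exit_test(self):
        if self.state is State.TEST:
            self.state = State.SCRAM
        return self.state


def startup_then_fault():
    """Constructed sequence: normal startup, then a scram-loop fault."""
    m = RcsStateModel()
    trace = [m.key_reset(0.0, False, True)]
    trace.append(m.tick(29.9, False, True))
    trace.append(m.tick(30.0, False, True))
    trace.append(m.key_reset(31.0, False, True))
    trace.append(m.tick(40.0, False, True, scram_loop_fault=True))
    trace.append(m.enter_test())
    return trace, m.magnet_power
```
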

The RCS features manual and automatic control. Manual control of the reactor is performed by depressing the rod UP or DOWN pushbuttons for the transient, shim, safety, or regulating rods. These will move the corresponding drive motor in the up or down direction.

In automatic control (sometimes known as auto mode or servo mode), the rods are moved based on the evaluation of the signals from the NMP-1000 power measurement and the NLW-1000 period measurement in order to maintain the power demand selection.

Once the reactor is in steady-state mode at a power level less than 1 kW, it may be switched to Square wave mode. With the transient rod anvil set at a height to correspond to the desired reactivity insertion (and therefore level of power to be achieved), the Square Wave Mode switch is depressed which makes the mode change. The transient rod FIRE button can be pressed to initiate the increase of power to the desired level and automatic mode is activated to maintain the power level. If more than 30 seconds pass without achieving the desired power level, the control system will default back to manual mode and alert the operator.

The Facility Interlock System is designed to eliminate the possibility of accidental radiation exposure of personnel working in the exposure rooms or the preparation area and to prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud. The system provides a reactor permissive signal to the CSC that is part of the scram loop.

2.3 Reactor Protection System

The Reactor Protection System includes the scram logic circuitry, rod withdrawal prevention, facility interlocks, and lead shield door control. The I&C System is a fail-safe centric design. Upon the initiation of a scram signal, magnet power is cut to the electromagnets and air is released from the transient drive causing the control rods to fall into the core under the force of gravity. The individual channels all perform internal checks and will initiate a scram if any of these checks fail. Therefore, the system always takes the operational conservative approach and shuts down upon an abnormal condition.

Diversity is achieved in the system by having multiple measurements of the reactor power at any given non-pulsing power level. The NLW-1000 and NMP-1000 indicate reactor power below 1.1 MW while the NP-1000 gives additional indication from about 0.01 MW to full licensed power. The NPP-1000 monitors reactor power from 0.01 MW through 6500 MW. However, the principal parameter to protect against at the highest powers is high fuel temperature. This is measured by three instrumented fuel elements and monitored by the NFT-1000. While all three elements are monitored by a single NFT-1000 unit, signal processing and protective functions are independent of each other within the NFT-1000. Each thermocouple has its own, independent protective channel within the unit. Each unit does not communicate with the others. Their function is solely dependent on the signal input from their associated neutron flux monitor or thermocouple.

Diversity of indication is also achieved through the addition of the NPP-1000.

2.4 Control System Console (CSC)

The AFRRI Reactor I&C system software relies on two computer systems. The User Interface Terminal (UIT) system has graphic displays of reactor activities and runs under

, while the Console Computer System (CCS) controls the reactor and monitors all input and output channels and .

The CSC is a desk type control console with modularized instrumentation drawers and panels. The computers and monitors are mounted on the console. The operator interface provides the necessary controls and interfaces for the operator to safely startup, manipulate reactor parameters, monitor operating parameters in their various modes of operation, and safely shutdown the reactor. The CSC contains the indicators, annunciators, and monitors to present the data to the operator in meaningful engineering units using graphic displays. The CSC computers (the CCS and the UIT) also provide data storage and logging capabilities on their hard drives. The system includes system data logging and historian capabilities within the control room.

While signal evaluation and trip functionality are performed via analog circuitry, the resulting parameter (such as reactor power level) is communicated from the neutron flux monitoring unit and DAC to the Console Computer System (CCS) through an air gapped Ethernet cable connection. Because the parameter is determined locally, there will be reduced noise in the signal as it is prepared for display to the operator. The CCS communicates with the User Interface Terminal (UIT) through digital communication lines as well. Secondary indication of reactor power level, fuel temperature, and period is presented to the operator on physical bargraph meters. These obtain their signal directly from the analog output of the respective neutron flux monitoring unit and have no interface with digital components. The chart recorders obtain their signal in the same analog fashion as a tertiary indicator of reactor status. The operator may cross check information between the data presented on the two high resolution operator display screens and the chart recorders. Facility interlocks and manual rod motion commands are provided to the CCS and converted to a digital command for the corresponding rod stepper motor.

Consideration of human factors and man-machine interfaces has been included in developing the design of the system. The operator controls have been designed so that operators can perform their tasks easily and correctly. The choice of controls used in the system takes into account the needs of the operator for a simple error proof system that will optimize the operator's performance under all conditions. Examples of human-machine interface principles employed are ready access to design parameters in as few navigation actions as possible, text with suitable size for ease of reading and color coordination of the text and annunciator bars to indicate actuation vs nominal status.

2.5 Data Acquisition Cabinet (DAC)

The DAC acquires data in the form of electronic signals from instrumentation in the reactor and auxiliary systems, processes it, and transmits it to the operator via various displays which are part of the CSC Operator Interface. The DAC is installed in the same location as the previous DAC. It nuclear instruments, the and digital inputs. The

2.6 Process Instrumentation

Additional parameters available to the operator include pool water level and primary water temperature.

3 Reactor Control System (RCS)

The RCS performs several functions, including system startup, system shutdown, maintaining a shutdown state, changing power levels and maintaining operation at a set power level. Since the reactor is of TRIGA design, the RCS is capable of rapidly inserting reactivity into the reactor core to produce high-power pulses through activation of the transient rod. The RCS subsystems are: nuclear instruments, process instruments, data acquisition, control rod drives, and the facility interlock system. The interlocks are separated into two groups: those which protect the reactor itself and those which protect facility personnel. There are no experiment specific facility interlocks.

The RCS features manual and automatic control. Manual control of the reactor is performed by engaging both the magnet power and air for the transient rod and depressing the rod UP or DOWN buttons for the transient, shim, safety, or regulating rods. These will move the corresponding drive motor in the up or down direction. The logic to determine the safe movement of a control rod is performed with software and contains several conditionals to ultimately allow voltage application to the motor.

In automatic control (sometimes known as auto mode or servo mode), there is a rod select switch on the operator display screen. With this operational condition, only those rods which have not been selected with the Rod Select switch can be inserted manually. No UP buttons are active in automatic control. When Automatic mode is selected

This section shows that the reactor control system will maintain the system within licensed limits during normal operation and ensure the impact of failures in the control system is appropriately included in the accident analyses. It shows how the RCS system design is suitable for performing the functions stated in the design bases.

3.1 Nuclear Instruments

The nuclear instrument channels in the AFRRI reactor control system measure the neutron flux from subcritical source multiplication range through the critical range, through the intermediate flux range to full power and pulsing operations. The instruments display both the thermal power (in percentage of full licensed power of 1.1 MW) as well as the rate of change of reactor power, in the form of reactor period. The neutron flux information is displayed in both a logarithmic and a linear scale. The detectors themselves are located near the reactor core while the fuel temperature measurements are taken directly from the instrumented fuel elements. The nuclear instrument processing modules are housed in the Data Acquisition Cabinet (DAC) located on the Reactor Bay floor.

3.1.1 Design Criteria

While there are various modes of operation for the AFRRI Reactor, they all fall under the same operational envelope. The system measures the power level and the fuel temperature and thereby protects the fuel from exceeding the safety limit. The system must perform for the design basis events or those anticipated operation occurrences which are used to determine the design requirements, i.e. reactor power and fuel temperature. The decision criteria for determining the design basis events which are selected are those which have a consequence that can exceed the capabilities of the reactor safety system. Because the safe operating envelope of the reactor would be exceeded, safety scrams are included to prevent the condition. The design basis events are therefore:

  • the operation of the reactor at a steady-state power level in excess of the corresponding technical specification.
  • the insertion of reactivity which causes the reactor to exceed the temperature limit during a pulse.

For the latter of these, the reactivity insertion is determined from the worth of the control rods and the core excess reactivity. Both are independent of the design of the reactor instrumentation and are physically measured values. The reactivity protection mechanism is thus dependent on the accuracy of the measurement of the neutron flux and by extension rod worth and core excess reactivity.

There are no conditions in which the facility could be placed, regardless of safety function actuation, which would be adverse to the health and safety of the public. Therefore, only those events which would cause excessive steady-state power levels or give incorrect indication to the reactor operator and the facility staff are selected. For any design basis event, the system must be capable of shutting down the reactor in a timely and safe manner.

Safety scrams are provided to prevent the design basis event from being exceeded. These scrams and their setpoint value are outlined in Table 2 of the Technical Specifications [2] and shown below in Table 3-1. Additionally, assurance of accurate reactivity measurements is provided through facility approved procedures and system testing. The scrams are for power level and pulse time (ensuring fuel temperature requirements), high voltage loss to a safety channel (ensuring flux measurement accuracy), watchdog timer (ensuring continuous communication), and pool level criteria (radiation safety and adequate cooling). Scrams are automatically actuated.

Because the neutron flux is spatially dependent, at least two detectors are on range at any steady state operating power value. These detectors are located around the core to prevent inaccurate indication from phenomena such as rod shadowing and flux tilt.

The neutron flux levels are measured from subcritical source multiplication range through licensed maximum power range. Since not all of the neutron flux instruments are capable of this, continuous indication is ensured by maintaining a minimum of one decade of overlap in indication while observation is transferred from one instrument channel to another. Additionally, the watchdog timer ensures continuous communication between subsystems.

Table 3-1 TS Table 2. Minimum Reactor Safety System Scrams

Channel | Maximum Set Point | Effective Mode: Steady State | Effective Mode: Pulse
Fuel Temperature | 600°C | 2 | 2
Percent Power, High Flux | 1.1 MW | 2 | 0
Console Manual Scram Button | Closure switch | 1 | 1
High Voltage Loss to Safety Channel | 20% Loss | 2 | 1
Pulse Time | 15 seconds | 0 | 1
Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3
Pool Water Level | 14 feet from the top of the core | 1 | 1
Watchdog (UIT and CCS) | On digital console | 1 | 1

a This specification has been modified and is proposed. Refer to Chapter 11 for more details.

Table 3 Design Basis Event Overview

Design Basis Event | Safety Function | Actuation | Interlock | Parameter Measured
Neutron Flux Measurement (at power) | Prevent exceeding fuel temperature limit | Automatic | Measured Power Level | Measured Neutron Flux (% Power)
Neutron Flux Measurement | Reactivity measurement accuracy | None | Calculated Reactivity Insertion | Neutron Flux (% Power)
Continuous Communication | Ensure continuous communication | Automatic | Watchdog Timer | Time
Fuel Temperature | Ensure integrity of fission product barrier is maintained | Automatic | Measured Temperature | Temperature °C
Adequate Coolant and Radiation Protection | Prevent operation with insufficient coolant and radiation protection | Automatic | Pool Height Criterion | Water height (binary criteria)

In the event a setpoint is exceeded, a protective action is initiated. The time from initiation of scram to full insertion of the rods is less than one second as required by the Technical Specifications. The scram is achieved through both the removal of magnet power to the standard rod drives and the removal of air pressure to the transient rod. Upon removal of magnet power and air pressure, the rods fall into the core due to the force of gravity.

In steady-state and transient operational modes as well as during normal, abnormal, and accident scenarios, the Reactor I&C system is designed to operate in the following conditions [3]:

  • Operating temperature range: 10°C to 40°C
  • Operating voltage: 120 VAC +/- 10% 50/60 Hz
  • Relative humidity: 10% to 90% non-condensing
  • Pressure: atmospheric
  • CSC computers, monitor mountings, and DAC cabinet are designed to meet the requirements for Seismic Qualification Performance Category 2.

The DAC dissipates heat generated by internal components by convection to reactor room air. The entire front and rear panels of the DAC are made of perforated metal, providing security (when closed and locked) and air flow to ambient air. Air in the reactor room is continuously circulated, and this air current is sufficient to cause flow through the DAC front and rear panels and provide cooling for all interior equipment. Note that the modern, low-power electronics in most of the instrumentation will generate less heat than previous, less efficient equipment.

The nuclear instrument modules have been tested to ensure that they perform their intended safety functions up to a temperature of 50°C.

In the control room, the console is a more enclosed design, with sheet metal covers. Thus, a circulating fan is placed high in one side panel of the console and is energized anytime the console is powered on. This fan will pull cooler room air from an existing opening in the bottom of the console, up through the console, and out into the room. Control room HVAC should have little difficulty cooling this load, as it is almost certainly significantly less than the previous console, which presented no difficulty.

Although the components have not been specifically tested for electromagnetic or radio frequency interference (EMI/RFI), best design practices were used to separate digital from analog signals to minimize the potential for interference. In addition, instruments are constructed with metal enclosures to further minimize outside interference and incorporate AC input to filters to suppress conducted noise.

No reasonable hypothetical scenario would cause appreciable increases in temperature, humidity or other environmental conditions. In the event of excessive supply power, temperature, humidity, vibration, radiation, fire, explosion, earthquake, flood, lightning, missiles, and wind which leads to the failure of a channel, the system will initiate an automatic shutdown through the fail-safe design of the neutron flux monitoring channels. Additionally, manual actuation of a scram is available to the operator to initiate a shutdown if the conditions warrant.

Other than aging, there are no environmental conditions which have the potential for a functional degradation of the Reactor I&C system. Regular functionality tests, operations, and calibrations are sufficient to alert facility staff of deteriorating system performance.

During normal operations, there is no design basis or criteria which would necessitate bypass capability for any part of the Reactor I&C system. Audible alarms may be manually bypassed which allows the operator to focus on changing facility conditions and perform testing without distraction. In addition to functional bypasses not being needed, the system is designed such that there are no inadvertent manipulations of operating parameters and that administrative controls exist which are appropriate for the safety function performed. Procedures and manuals are provided which enable facility staff to safely test, calibrate, operate, and maintain the system.

The Reactor I&C system is designed such that reliability is reasonably assured during long term reactor operations and standard shutdown intervals. These consistent performance metrics are assured through both the AFRRI's quality assurance plan and the vendor's quality assurance plan and have been validated by a comprehensive verification and validation testing program. Because there are no special requirements of the AFRRI reactor, there are no additional quality assurance requirements needed to accommodate any unusual or unique aspects of the design of the Reactor I&C system.

The design criteria for the Reactor Control System are:

  • A single failure will not prevent achieving and maintaining a safe shutdown condition.
  • Instruments and equipment are designed to fail-safe or to assume a safe state.
  • Redundancy and diversity
  • Systematic, nonrandom, concurrent failures of redundant elements in the design are protected against through the use of independence, separation, redundancy and protection against anticipated events.

The key design criterion for the Reactor Control System is that the nuclear instruments provide indications of reactor power from subcritical multiplication through full licensed maximum power.

For redundancy, there are at least two operable channels for all steady-state modes of operation.

Because the fuel temperature is the primary reactor parameter to be protected, there are at least two fuel temperature safety channels operable for all modes of operation. The nuclear instruments do not have any single failure points that are not counter balanced with a fail-safe design. Although they all ultimately rely on the same source of power, all instruments are wholly independent of each other otherwise. The power source is provided by an Uninterruptible Power Supply (UPS) and in the event of a UPS failure, a scram is initiated. Figure 3-1, page 3-8, shows the redundancy in power indication throughout the licensed operation range of 1.1 MW. To further guarantee that multiple channels are available during reactor operations, Section 3.2.1 of the AFRRI Technical Specifications states, "[t]he reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation." TS Table 1 lists:

Table 3 TS Table 1. Minimum Measuring Channels

Measuring Channel | Effective Mode: Steady State | Effective Mode: Pulse
Fuel Temperature Safety Channel | 2 | 2
Linear Power Channel | 1 | 0
Log Power Channel | 1 | 0
High-Flux Safety Channel | 2 | 1

Additionally, in the Technical Specifications, any Linear Power, Log Power, High-Flux Safety or Fuel Temperature Safety Channel may be inoperable while the reactor is operating for the purpose of performing a channel check, test, or calibration. However, if any of the channels become inoperable for a reason not listed above, the channel must be restored to operation within five minutes or the reactor shall be immediately shutdown.

Table 3-1 above outlines the scrams from the RPS. These require a fuel temperature scram at 600°C. Additionally, the high flux scram setpoint (in steady-state mode) requires a scram at 1.1 MW. In the event of a pool level drop, a scram is also initiated. Finally, there is a scram requirement if there is a 20% loss in high voltage on a safety channel.

Systematic nonrandom concurrent failures of elements in the design are prevented by using independent channels with fundamentally different detection mechanisms (fission chambers, ionization chambers, and fuel temperature monitoring). In the event of a channel failure, a scram will be initiated, and the reactor will enter into a safe shutdown condition. This assures a fail-safe design.
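The fail-safe rule described above, in which a failed channel trips rather than being ignored, can be sketched as follows. This is an added example, not code from the AFRRI system or its vendor; it covers steady-state mode only, using the Table 3-1 set points and steady-state channel counts. The snapshot format, the field names, the "at or above" comparison, and the rule that a missing or non-finite reading counts as a trip are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Set points and steady-state channel counts from Table 3-1 (TS Table 2).
FUEL_TEMP_SCRAM_C = 600.0
HIGH_FLUX_SCRAM_MW = 1.1
HV_LOSS_SCRAM = 0.20  # fractional loss of detector high voltage
MIN_CHANNELS = {"fuel_temp": 2, "high_flux": 2, "hv": 2}


@dataclass
class Snapshot:
    """One sample of scram-loop inputs (hypothetical format)."""
    fuel_temp_c: List[Optional[float]]   # one entry per channel; None = no signal
    power_mw: List[Optional[float]]
    hv_fraction: List[Optional[float]]   # high voltage as a fraction of nominal
    pool_level_ok: Optional[bool]        # binary criterion from the level sensor
    watchdog_ok: Optional[bool]          # UIT/CCS communication heartbeat
    manual_scram: bool = False
    emergency_stop: bool = False


def _usable(value):
    """A reading counts only if it is a finite number."""
    return (isinstance(value, (int, float))
            and not isinstance(value, bool)
            and math.isfinite(value))


def _check_channels(name, readings, minimum, tripped):
    reasons = []
    if len(readings) < minimum:
        reasons.append(f"{name}: {len(readings)} of {minimum} required channels present")
    for i, value in enumerate(readings):
        if not _usable(value):
            # Fail-safe: a dead or nonsensical channel is treated as a trip.
            reasons.append(f"{name}[{i}]: no valid signal")
        elif tripped(value):
            reasons.append(f"{name}[{i}]: set point reached ({value})")
    return reasons


def evaluate_scram_loop(s):
    """Return every reason to scram; an empty list means the loop is healthy."""
    reasons = []
    reasons += _check_channels("fuel_temp", s.fuel_temp_c, MIN_CHANNELS["fuel_temp"],
                               lambda t: t >= FUEL_TEMP_SCRAM_C)
    reasons += _check_channels("high_flux", s.power_mw, MIN_CHANNELS["high_flux"],
                               lambda p: p >= HIGH_FLUX_SCRAM_MW)
    reasons += _check_channels("hv", s.hv_fraction, MIN_CHANNELS["hv"],
                               lambda f: (1.0 - f) >= HV_LOSS_SCRAM)
    # Booleans must be positively True; None (unknown) also trips.
    if s.pool_level_ok is not True:
        reasons.append("pool_level: criterion not confirmed")
    if s.watchdog_ok is not True:
        reasons.append("watchdog: communication not confirmed")
    if s.manual_scram:
        reasons.append("manual scram button")
    if s.emergency_stop:
        reasons.append("emergency stop")
    return reasons


def magnet_power_permitted(s):
    """Magnet power stays on only when nothing in the loop asks for a scram."""
    return not evaluate_scram_loop(s)


def constructed_samples():
    """Constructed inputs: a nominal case and three failure cases."""
    return {
        "nominal": Snapshot([310.0, 305.5], [0.95, 0.96], [1.0, 0.99], True, True),
        "overtemp": Snapshot([601.0, 305.5], [0.95, 0.96], [1.0, 0.99], True, True),
        "dead_flux": Snapshot([310.0, 305.5], [0.50, None], [1.0, 0.99], True, True),
        "hv_sag": Snapshot([310.0, 305.5], [0.95, 0.96], [1.0, 0.79], True, True),
    }
```
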

3.1.2 Design Bases

3.1.2.1 Neutron Flux Monitoring Equipment

The purpose of the neutron flux monitoring equipment is to determine the reactor power from subcritical neutron source multiplication range (<0.5 cps or 1 x 10^-5 watts) through full licensed steady state power of 1.1 MW. Additionally, the reactor period is measured in the standard range of -30 seconds to +3 seconds. When the setpoint, as defined in the Technical Specifications, is exceeded the neutron flux monitoring equipment will interrupt the magnet power circuit and cause a scram. Each channel communicates both the parameter value and scram status for that parameter to the console but communication with the console is not required to perform any safety function.

The modules are designed to operate within a temperature range: 10°C to 50°C without any active heating or cooling mechanisms.

3.1.2.2 Fuel Temperature Monitoring Equipment

To protect the integrity of the fuel cladding, fuel temperature is the primary parameter to be monitored. As such, the fuel temperature monitoring equipment has an operational range of 0°C through the safety limit of the reactor of 1000°C. In all modes of operation, the two fuel temperature monitoring channels are required to be functional. As required by the Technical Specifications, these channels will initiate a scram when the measured temperature of the fuel exceeds the safety system setting of 600°C. The fuel temperature channels receive power from a common power supply and provide parameter indication to the operator as well as scram capability to the reactor protection system. The modules are designed to operate within a temperature range: 10°C to 50°C without any active heating or cooling mechanisms.

3.1.3 Subsystem Description

3.1.3.1 Neutron Flux Monitoring Equipment

Four independent power measuring channels are provided for a continuous indication of power from subcritical neutron source multiplication range to the maximum steady-state licensed power level. Peak power resulting from the maximum allowed pulse reactivity insertion is monitored with a special channel capable of reading the high power levels achieved during a pulse.

Figure 3-1 shown below indicates the power ranges of the channels and how overlap between differing operational modes is achieved.

Figure 3-1 Ranges of Neutron Flux Monitoring Channels (figure not reproduced; it plots the ranges of the NP-1000, NPP-1000, NLW-1000 and NMP-1000 channels on a power scale running from 0.0001 W to 2500 MW, with a matching percent-power scale, and marks the Source Level, Source Interlock and 1 kW Interlock levels)

Figure 3-2 shown below indicates the transmission of signals from the neutron flux and temperature channels to the reactor to the console.

Figure 3-2 Neutron Flux Monitoring Channels

3.1.3.1.1 NLW-1000 Log Power Monitor[4]

The NLW-1000 is a wide range logarithmic power monitoring module. It operates with a fission chamber and a PA-1000 preamplifier that decouples and amplifies pulses that originate at the fission chamber. The module [...] the logarithmic reactor power signal is monitored by a period circuit which generates an output proportional to the rate of change in reactor power at any given instant. This signal, called period, is a measure of the time (in seconds) it takes for the reactor power to change by a factor of e (2.718). The period indication is from -30 seconds to +3 seconds. The module provides reactor power, reactor period and isolated analog and digital outputs for use at a console.

The module provides six bi-stable trip outputs for use by the Reactor I&C system. The trips are as follows:

  • The High Voltage Trip is configured as a decreasing trip when the high voltage is below a setpoint. The HV Trip is used as the HV Low Rod Withdrawal Interlock.
  • The Period Trip is configured as an increasing trip when the period exceeds a setpoint. The Period Trip is used as the less than 3 second period Rod Withdrawal Interlock.
  • Trip 1 is configured as an increasing trip and is a spare.
  • Trip 2 is configured as an increasing trip and is a spare.
  • Trip 3 is configured as an increasing trip when power level exceeds a setpoint. Trip 3 is used as the 1 kW interlock trip for pulsing reactor applications.
  • Trip 4 is configured as a decreasing trip and is a spare.

Two communication interfaces are provided: an Ethernet communications interface for communications with a reactor console and an RS-232 interface for a remote display or maintenance computer. The maintenance interface may be used for loading software. Calibration, test, and operational modes are controlled either by local or remote inputs as configured by the NLW-1000 front panel controls. Via connector pins on the rear of the module, the module accepts remote Trip Reset, Remote Test mode selection, and a remote signal to disconnect the detector input for pulse mode operation. The NLW-1000 will automatically reset to OPERATE mode from any calibration/test mode after 50 seconds to prevent inadvertent reactor operation with the module in calibrate or test modes.
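The period definition and the increasing/decreasing bi-stable trips described above can be sketched in a few lines. This is an added example, not the vendor's or AFRRI's code: the least-squares fit, the comparison on reciprocal period (so that a shorter positive period reads as an increasing value), the latch-until-Trip-Reset behaviour, the treatment of an invalid reading as a trip, the 500 V high-voltage setpoint and every function and class name are assumptions; only the 3-second and 1 kW values come from the text.

```python
import math
from dataclasses import dataclass


def inverse_period(times_s, powers_w):
    """Least-squares slope of ln(P) against t, in 1/s.

    For P(t) = P0 * exp(t / T) the slope is 1/T, where T is the time it
    takes for power to change by a factor of e (the reactor period).
    """
    if len(times_s) != len(powers_w) or len(times_s) < 2:
        raise ValueError("need at least two (time, power) samples")
    if any(p <= 0 for p in powers_w):
        raise ValueError("power samples must be positive to take a logarithm")
    logs = [math.log(p) for p in powers_w]
    n = len(times_s)
    t_mean = sum(times_s) / n
    l_mean = sum(logs) / n
    sxx = sum((t - t_mean) ** 2 for t in times_s)
    if sxx == 0:
        raise ValueError("samples must span a non-zero time interval")
    sxy = sum((t - t_mean) * (l - l_mean) for t, l in zip(times_s, logs))
    return sxy / sxx


def reactor_period(times_s, powers_w):
    """Period in seconds; infinite when power is effectively constant."""
    rate = inverse_period(times_s, powers_w)
    return math.inf if abs(rate) < 1e-12 else 1.0 / rate


@dataclass
class BistableTrip:
    name: str
    setpoint: float
    increasing: bool        # True: trips above setpoint; False: trips below
    latched: bool = False   # assumption: a trip holds until Trip Reset

    def in_trip_region(self, value):
        if math.isnan(value):   # assumption: an invalid reading is a trip
            return True
        if self.increasing:
            return value > self.setpoint
        return value < self.setpoint

    @property
    def relay_energized(self):
        # Fail-safe convention: energized means healthy, a trip drops it out.
        return not self.latched

    def update(self, value):
        if self.in_trip_region(value):
            self.latched = True
        return self.relay_energized

    def reset(self, value):
        # The latch clears only once the input is back inside its limits.
        if not self.in_trip_region(value):
            self.latched = False
        return self.relay_energized


PERIOD_LIMIT_S = 3.0        # from the text: less than 3 second period interlock
PULSE_INTERLOCK_W = 1000.0  # from the text: 1 kW interlock
HV_LOW_SETPOINT_V = 500.0   # constructed placeholder; the page gives no value


def build_nlw_trips():
    """The three NLW-1000 trips the text assigns a function to."""
    return {
        "HV": BistableTrip("HV", HV_LOW_SETPOINT_V, increasing=False),
        # The period scale passes through infinity between -30 s and +3 s,
        # so the comparison is made on 1/T, which is monotonic.
        "PERIOD": BistableTrip("PERIOD", 1.0 / PERIOD_LIMIT_S, increasing=True),
        "TRIP3": BistableTrip("TRIP3", PULSE_INTERLOCK_W, increasing=True),
    }


def scan(trips, times_s, powers_w, hv_volts):
    """Feed one window of samples to every trip; return relay states."""
    readings = {
        "HV": hv_volts,
        "PERIOD": inverse_period(times_s, powers_w),
        "TRIP3": powers_w[-1],
    }
    return {name: trip.update(readings[name]) for name, trip in trips.items()}


if __name__ == "__main__":
    # Constructed samples: power rising with a 2 s period, high voltage healthy.
    t = [0.5 * i for i in range(9)]
    rising = [10.0 * math.exp(x / 2.0) for x in t]
    print("period [s]:", round(reactor_period(t, rising), 3))
    print("relays energized:", scan(build_nlw_trips(), t, rising, 800.0))
```

Because the relay state is derived from a latch that only clears on an in-range input, a reset issued while the condition persists has no effect, which is the behaviour a reviewer would check for on any remote reset path.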

The front and rear panels of the NLW-1000 are shown below in Figure 3-3.

Figure 3-3 Wide-range Log Module NLW-1000, Front and Rear View

Figure 3-4 is a block diagram for the NLW-1000 Module.

Figure 3-4 NLW-1000 Module Block Diagram

3.1.3.1.2 NMP-1000 Multirange Linear Power Monitor[5]

The NMP-1000 is a microprocessor-based wide-range linear power module which provides percent reactor power indication and bi-stable trip circuits. The NMP-1000 module processes current of 1x10^-11 to 1x10^-3 Amperes from a compensated ion chamber. A compensating voltage power supply is provided for use with the compensated ion chamber. The input current is converted into 0 to 10 V in 9 one-decade ranges giving power indication from startup through 120% power on a linear scale (displaying in progressively wider ranges, one decade at a time). The NMP-1000 is an auto-ranging device and will scale itself based on the current power level. The operator may also manually select the range from the control console. When the range is selected by the operator, a warning occurs at 110% of that specific range. The appropriate decade is selected either automatically by software (automatic mode) or by the user (manual mode) via the touch screen display or by selecting the desired checkbox on the MODE SELECTION Pane on the Left-side Display of the UIT.

The NMP-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connectors on the rear panel.

The module provides three bi-stable trip outputs for use by the Reactor I&C system. The trips are as follows:

  • The High Voltage Trip is configured as a decreasing trip when the high voltage is below a setpoint. This trip is bypassed.
  • Trip 1 is independently adjustable for when reactor power exceeds 110%. This trip is bypassed.
  • Trip 2 is independently adjustable and is a spare.

The relays are provided with two sets of normally open and normally closed contacts for use by the Reactor I&C system. The relays are held energized in a fail-safe condition until an alarm de-energizes the coil.

The NMP-1000 has test modes to allow testing for the proper performance of the electrometer and to ensure the functionality of all trip circuits. Test modes include HV, calibrate high, calibrate low, and manual current. The HV and calibrate high test modes cause the bi-stable trips to alarm; current low gives fixed power indication in the highest range; and manual test allows for varying the current over all ranges with the front panel potentiometer. Test modes can be enabled via the touch screen or a remote interface.

The front and rear panels of the NMP-1000 are shown below in Figure 3-5.

Figure 3-5 Multi-range Linear Module NMP-1000, Front and Rear View

Figure 3-6 is a block diagram for the NMP-1000 Module.

Figure 3-6 NMP-1000 Module Block Diagram

3.1.3.1.3 NP-1000 Linear Power Monitor[6]

The NP-1000 is a nuclear instrument module that provides percent reactor power indication, bi-stable trip circuits and outputs to other devices. The module processes current from a fission chamber.

The NP-1000 percent reactor power monitoring instrument is a linear current-to-voltage signal conditioning device which includes a high-voltage power supply for the fission chamber, adjustable bistable trip circuits for local and remote alarms and isolated current or voltage outputs for display by other devices. The NP-1000 unit provides linear power output when the reactor is at power, approximately 1% through 120% power. This channel is designated as Safety Power Channel #1.

The NP-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connectors on the rear panel.

The module provides five bi-stable trip outputs for use by the Reactor I&C system. The trips are as follows:

  • The High Voltage Trip is configured as a decreasing trip when the high voltage is below a setpoint.

  • Trip 1 is independently adjustable for when reactor power exceeds 110%.
  • Trip 2 is independently adjustable and is a spare.
  • Trip 3 is independently adjustable and is a spare.
  • Trip 4 is independently adjustable and is a spare.

The relays are provided with two sets of contacts, each set with one normally open and one normally closed pair of contacts. The relays are held energized in a fail-safe condition until an alarm de-energizes the coil.

The NP-1000 has test modes to allow for testing the proper performance of the electrometer and to ensure the functionality of all trip circuits. Test modes include High Power, Ramp, Manual and HV Low. The HV Low and High Power test modes cause the bi-stable trips to alarm. The Ramp and Manual test modes cause the bi-stable trips to alarm when the trip set point is exceeded as the power is ramped up. Test modes can be enabled via the touch screen or a remote interface.

The front and rear panels of the NP-1000 are shown below in Figure 3-7, while Figure 3-8 is a block diagram for the NP-1000 Module.

Figure 3-7 Linear Module NP-1000, Front and Rear View

Figure 3-8 NP-1000 Module Block Diagram

3.1.3.1.4 NPP-1000 Linear Power Pulsing Monitor[7]

The NPP-1000 is a nuclear instrument module that provides percent reactor power indication, bi-stable trip circuits, circuitry applicable to pulse monitoring and outputs to other devices. In steady-state mode the module processes current from a fission chamber.

The NPP-1000 percent reactor power monitoring instrument is a linear current-to-voltage signal conditioning device which includes a high-voltage power supply for the fission chamber, adjustable bistable trip circuits for local and remote alarms and isolated current or voltage outputs for display by other devices. The NPP-1000 also measures reactor power during the pulsing mode of operation. Because reactor power may reach levels several thousand times greater than the maximum steady-state power levels during a pulse, the NPP-1000 has special hardware to measure this event accurately. This includes circuitry to allow remote gain selection.

The NPP-1000 provides linear power measurement from approximately 1% power through the pulsing range up to 6500 MW and is designated as Safety Power Channel #2. The detection mechanism for the NPP-1000 is chosen based on the mode of operation. A fission chamber is used when the reactor is in steady state mode while an uncompensated ionization chamber or Cerenkov detector may be used when the reactor is in pulse mode.

The NPP-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connectors on the rear panel.

The module provides six bi-stable trip outputs for use by the Reactor I&C system. The trips are as follows:

  • The High Voltage Trip is configured as a decreasing trip when the high voltage is below a setpoint.
  • Trip 1 is independently adjustable for when reactor power exceeds 110%.
  • Trip 2 is independently adjustable and is a spare.
  • Trip 3 is independently adjustable and is a spare.
  • Trip 4 is independently adjustable and is a spare.
  • Trip 5 is set to alarm on NVT (Total Energy) during pulsing operation.

Relays are provided with two sets of contacts, each set with one normally open and one normally closed pair of contacts. The relays are held energized in a fail-safe condition until an alarm de-energizes the coil.

The NPP-1000 has test modes to allow for testing the proper performance of the electrometer and to ensure the functionality of all trip circuits. Test modes include High Power, Ramp, Manual, HV Low and Pulse. The HV Low and High Power test modes cause the bi-stable trips to alarm. The Ramp and Manual test modes cause the bi-stable trips to alarm when the trip set point is exceeded as the power is ramped up. The Pulse test mode is used to test pulsing. Test modes can be enabled via the touch screen or a remote interface.

The front and rear panels of the NPP-1000 are shown below in Figure 3-9, while Figure 3-10 is a block diagram for the NPP-1000 Module.

Figure 3-9 Linear Power Pulsing Module NPP-1000, Front and Rear View

Figure 3-10 NPP-1000 Module Block Diagram

3.1.3.2 NFT-1000 Fuel Temperature Monitoring Equipment[8]

The NFT-1000 is a nuclear fuel temperature module that provides fuel temperature indication, bi-stable trip circuits and outputs to other devices. The module has three independent channels to process inputs from Type K thermocouples. Temperature transducers convert the millivolt inputs from the thermocouples to usable voltage levels that drive bi-stable trips for local and remote alarms and isolated current or voltage outputs for display by other devices. The NFT-1000 is calibrated to measure temperature from 0 to 1000°C.

The NFT-1000 nuclear fuel temperature monitoring module has a capability to measure and capture pulse data, which is temperature values recorded and stored frequently, for a short period during and after a reactor pulse.

The NFT-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connectors on the rear panel.

The module provides two bi-stable trip outputs for each of the three thermocouple channels (1, 2, 3). The trips are as follows:

  • Trip 1 is independently adjustable for when fuel temperature exceeds a setpoint on channel 1.
  • Trip 2 is independently adjustable for when fuel temperature exceeds a setpoint on channel 1.

  • Trip 3 is independently adjustable for when fuel temperature exceeds a setpoint on channel 2.
  • Trip 4 is independently adjustable for when fuel temperature exceeds a setpoint on channel 2.
  • Trip 5 is independently adjustable for when fuel temperature exceeds a setpoint on channel 3.
  • Trip 6 is independently adjustable for when fuel temperature exceeds a setpoint on channel 3.

Relays are provided with two sets of contacts, each set with one normally open and one normally closed pair of contacts. The relays are held energized in a fail-safe condition until an alarm de-energizes the coil.

The NFT-1000 has test modes to allow for testing the proper performance of the module and to ensure the functionality of all trip circuits. Test modes include High Temp, Low Temp, Manual 1, Manual 2 and Manual 3. All test modes cause the bi-stable trip relays to de-energize and alarm.

The manual modes allow the user to adjust a front panel potentiometer to cause a bi-stable trip to alarm. Test modes can be enabled via the touch screen or a remote interface.

The front and rear panels of the NFT-1000 are shown below in Figure 3-11, while Figure 3-12 is a block diagram for the NFT-1000 Module.

Figure 3-11 Fuel Temperature Monitoring Module NFT-1000, Front and Rear View

Figure 3-12 NFT-1000 Module Block Diagram

3.1.3.2.1 Instrumented Fuel Element

The NFT measures the thermocouple inputs from the instrumented fuel element (IFE) shown in Figure 3-13. Although each individual IFE has three independent thermocouples for measuring fuel temperature as shown in Figure 3-13, only one thermocouple from a single IFE is used to provide an input to a specific NFT-1000 module. While only two IFEs are required for the Technical Specifications [2], all three are used. The third channel provides redundancy and is an installed fully functional in-service spare. Each NFT-1000 module is capable of providing a high temperature scram. Each fuel temperature channel is used to drive an analog bargraph on the console. Each of the three fuel temperature signals is independently analyzed but housed in the same NFT-1000 module.

Figure 3-13 Instrumented Fuel Element

Figure 3 Core Locations of the Instrumented Fuel Elements

Table 3 Location of Significant Core Components

Component                                  Grid Location
Instrumented Fuel Elements (IFE)           B5, C2, C6
Fuel Follower Control Rods                 D-1, D-7, D-13
Transient Control Rod                      A-1
Non-Fuel Location, Al Tube-Filled Hole     E-23
Non-Fuel Location, Water-Filled Hole       F-9

3.1.3.3 Interlocks

There are several interlocks which interface with the neutron flux and fuel temperature monitoring systems.

  • The NLW-1000 signal drives a +3 second period rod withdrawal interlock.
  • The NLW-1000 signal drives an interlock to prevent pulsing when power is greater than 1 kW.
  • The NLW-1000 provides a rod withdrawal interlock when the HV to the channel is below the setpoint.
  • The NMP-1000 signal drives a low source level rod withdrawal interlock when power level is below the threshold.

3.1.4 Operation and Performance

The surveillance requirements for the AFRRI I&C are satisfied by those outlined in the Technical Specifications. While operators should remain vigilant in comparing values from the analog bargraphs to the values displayed on the operator console, the calibration of channels, as outlined in TS 4.2.2, meets or surpasses the recommended frequency for equipment by the vendor.

The design criteria as outlined in Section 3.1.1 and the design bases as outlined in Section 3.1.2 are met. The nuclear instruments and fuel temperature monitoring equipment are capable of measuring the power level and the fuel temperature to protect against exceeding the safety limit.

The instruments selected, when considering their function and operational mechanisms, provide both reasonable assurance of measurement of important reactor performance and protection from a single failure causing an unsafe reactor status. There are several independent measurements of reactor power level, particularly at full power. There is additionally a neutron flux measurement for high power pulses and temperature measurements on the fuel for determining peak fuel temperature. Continuous communication is ensured through the implementation of the watchdog functionality; however, communication with the console is not required for the equipment to perform its safety function. The neutron flux measuring equipment measures the power from startup through full power range or it is accompanied by counterparts which are designed such that there is overlap between measurement ranges. Additionally, the NLW-1000 measures the period of the reactor across the steady-state operating range. Historic usage as well as integrated testing shows the channel response time from scram signal to rod bottom as dropped from full height to be less than 1 second in duration. The design documentation of the neutron flux monitoring units shows its reliability in commonly found environmental conditions. Manual actuation of a scram is available to the operator through the key switch and console scram button.

The currently established Technical Specifications [2] are appropriate and adequate for the operation of the I&C. The specifications are:

Technical Specification 4.2.2.a requires A channel test of the percent power, high flux scram function of the high-flux safety channels shall be made each day that reactor operations are planned.

Technical Specification 4.2.2.b requires A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.

Technical Specification 4.2.2.c requires Channel calibration, including verification of the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

Technical Specification 4.2.2.d requires A thermal power calibration shall be completed annually not to exceed 15 months.

These intervals are based on the manufacturer's recommendations. With a history of usage and operations coupled with the onsite testing, these intervals provide assurance of reliability and that any drift in calibration does not affect the safety envelope of the integrated system.

3.1.5 Conclusion

The implemented design to monitor the neutron flux and the fuel temperature meets or exceeds the design criteria and design basis. At all steady-state power levels, the reactor status is monitored by two separate and independent channels. During a pulse, the fuel temperature is monitored by multiple instrumented fuel elements. This diversity in design, in conjunction with the implementation testing, ensures safe operation of the AFRRI I&C.

3.2 Process Instruments

Instrumentation in the reactor pool, primary water cooling system, and primary water purification system permits the measurement of parameters important to the safe operation of the reactor and associated cooling system. These parameters include primary coolant temperature, pool water level and primary water conductivity.

3.2.1 Design Criteria

The process instruments are designed to support the safe operation of the reactor. Certain parameters in the reactor facility must be measured to ensure a coolant state that does not degrade the quality of the fuel clad, can remove heat from the core, and protects facility personnel from high radiation levels. When any of these fall out of the relevant technical specification, the operator is notified by an alarm. Immediate shutdown of the reactor may be necessary by automatic or manual scram actuation.

The parameters for conductivity and temperature are measured in more than one location. The conductivity of the coolant is measured on both the inlet and outlet of the process system.

Temperature is measured near the core and in the bulk coolant volume to ensure the most conservative point is taken and protected against a single point failure. Finally, to ensure adequate cooling capacity, as well as protecting facility personnel from high radiation levels, water level is measured to provide an early warning alert on low water level, and a scram when the water drops below the setpoint.

There are several technical specifications which outline the requirements regarding the coolant system. Table 3 TS Table 2. Minimum Reactor Safety System Scram in the Reactor Protection System section outlines the scrams from the RPS. These require a scram from the pool water level if it drops below 14 feet from the top of the core. This Technical Specification will stop operations if there is low coolant level. Additionally,

  • Technical Specification 3.3.c states, Both audible and visual alarms shall be provided to alert the AFRRI security guards and other personnel to any drop in reactor pool water level greater than 6 inches.

When the primary coolant temperature becomes excessively high, the resins in the water purification system begin to break down. Manufacturer data discourages sustained operation at elevated temperature levels, therefore,

To protect the primary fission product barrier between the fuel and the bulk coolant, cladding integrity must be maintained.

  • Technical Specification 3.3.b states, The reactor shall not be operated if periodic measurements taken IAW TS 4.3 show conductivity of the bulk water greater than 5 micromhos/cm

3.2.2 Design Bases

The three principal parameters to be measured in the process instruments are:
  • coolant temperature
  • conductivity
  • water level

Coolant temperature can range from several degrees Celsius to boiling. The temperature measuring channels are capable of measuring a range of 0 to 100°C.

The conductivity measured in micromhos/cm should not exceed 5 micromhos/cm with typical measurements to be in the 2-3 micromhos/cm range. The sensors are capable of measuring in a range inclusive of these values. Conductivity is measured in the pump room and is only displayed locally. It was planned to have conductivity displayed on the left-side display of the UIT but this was never implemented. The conductivity is greyed out.

Reactor pool level is measured in a manner which gives clear indication to the operator of sufficient levels. A float mechanism is used so that it is set to give a high/low status at the calibrated level.

An early warning notice of low pool level is provided as well as an alarm for insufficient pool water level. The accuracy of this measurement is at least the nearest 1/2 inch of water.

3.2.3 Subsystem Description

3.2.3.1 Coolant Parameters

The following coolant parameters are available to the operator: pool water temperature and demineralizer outlet temperature. The primary coolant water temperature is measured at three locations:

  • Above the reactor core inside the core shroud
  • Six inches below the pool surface
  • Water monitor box of the primary water purification system

The water temperature is measured by a resistance-temperature sensing element (RTD) in a bridge circuit and has a range of 0 to 100°C. This water temperature readout is provided on the reactor status display.

Primary cooling water resistivities are measured at several points by resistivity cells containing titanium electrodes in microprocessor-based circuitry with a range of 0.2 megohm-cm to 20 megohm-cm. Water resistivity is measured at the water monitor box (upstream from the mixed-bed demineralizers) and the outlet from each demineralizer. Readouts for the resistivity monitors are located locally.

3.2.3.2 Water Height

The level of the reactor tank water is monitored by two independent switches mounted on a rod and actuated by a float. The first switch activates 1 below full pool level. The second switch will cause an automatic reactor scram if the water level drops below 6 of full pool level. Along with the scram, the second switch will also cause an alarm on the reactor console as well as an audible and visual alarm on the facility hall panel during non-duty hours. This will alert the security watchman of an unusual situation so that appropriate corrective action may be taken.

A third float type switch is located in the pool to alarm when the pool level is greater than 1 above the zero reference height. This alarm, located separately from the control console, is intended to alert reactor staff when the pool level is high, such as during refilling operations.

3.2.3.3 Interlocks

The demineralizer inlet temperature provides a high inlet temperature interlock. When the inlet water temperature is greater than 60°C the inlet water temperature rod withdrawal prevent interlock is activated.

Additionally, if the reactor pool water level float switch is activated, a rod withdrawal prevent interlock is activated.

3.2.4 Operation and Performance

The process instruments meet or exceed the design criteria and design bases. The water temperature, water resistivity and pool water level are all measured with accuracy and frequency appropriate with their safety function. Multiple measurement locations provide reasonable assurance to the operator that the protective function is being performed. Resistivity measurements of the coolant near the process system ensure the protection of the fuel clad, while the diverse location of coolant temperature ensures resin bed integrity and cooling capacity of the facility. The two water height measurements notify facility personnel of low and extremely low water levels. All measurements are performed over a range that includes normal operations and levels which exceed the allowed limit.

Surveillances on the parameters are specified in the Technical Specifications and include operability tests. The frequency is based on engineering judgement and from historical operating characteristics. Moderate drifts in conductivity over the course of weeks and months show slow changes in the water process system's ability to maintain coolant status. Continuous temperature information is available to the operator such that they may discontinue high power operations with increasing coolant temperature. The Technical Specifications regarding surveillance of the primary coolant system are:

  • Technical Specification 4.3.a requires, The pool water temperature, as measured near the input to the water purification system, shall be measured daily, whenever operations are planned.

  • Technical Specification 4.3.b requires, The conductivity of the bulk water shall be measured monthly, not to exceed 6 weeks. Historical timelines of bulk conductivity have shown very modest drifts in the parameter value over the course of several weeks. This frequency is sufficient for monitoring coolant status and ensuring clad integrity.

The historic frequency is adequate for the safety function and is not being changed.

3.2.5 Conclusion

The AFRRI process instruments perform their role in a safe and consistent manner. They are implemented to comply with the design criteria and bases. All components feature multiple measurements of the parameter value with a level of rigor commensurate with the safety function performed.

3.3 Data Acquisition Cabinet (DAC)

The Data Acquisition Cabinet (DAC)[3] that interfaces with the CSC is in the reactor room. It serves as the data collection center for all the data processed by the CSC.

Figure 3 Data Acquisition Cabinet

3.3.1 Design Criteria

Data is acquired and provided to the operator so they may take control or protective actions. The DAC is an important component in presenting data to the operator and archiving it for future access. The DAC houses the neutron flux and fuel temperature monitoring channels as well as the communications equipment to the main operator console. Features are included to ensure the operator is aware of the reliability of the data. The operability of data retrieval and communication does not affect the operability of the safety system. Additionally, the failure of any single subsystem within the data acquisition cabinet (i.e. a single failure of one of the neutron flux monitoring channels) does not affect the ability to transmit data for the rest of the cabinet. This independence criterion ensures that the redundancy and diversity from the multiple neutron flux monitors are not overcome by a data acquisition failure.

3.3.2 Design Bases

The DAC collects information from each of the applicable subsystems which interface with the cabinet such as neutron flux monitors and fuel temperature elements. That data is then transmitted to the operator console through all normal operational ranges through the limit of the respective measurement device. The DAC communicates the status of the individual modules to the operator such that an accurate understanding of facility status is obtained. A watchdog is featured to ensure a timely and continuous flow of information from the cabinet to the console. Each individual system sends its data through the cabinet and is not reliant on the other modules for operability.

The watchdog timer will initiate a scram after no more than 15 seconds after a loss of communication.

The DAC has a single mode of operation regardless of the status of the facility. Data is continuously sent to the operator console. While it is important for the operator to receive this information, automatic protection function in any postulated accident scenario is performed by the local modules and their ability to communicate data to the rest of the facility is not related to the respective safety function performed. This demonstrates that the reactor control, communication, and data archival functionality is not required for safety functions to be accomplished.

3.3.3 Subsystem Description

The equipment in the DAC acquires data in the form of electronic signals from instrumentation in the reactor and auxiliary systems, processes it, and transmits it to the UIT for display. See Figure 3-16 for a block diagram of the DAC.

Figure 3 Data Acquisition Cabinet Block Diagram

There are several drawers in the DAC cabinet which contain the majority of the components required for operation of the reactor. These drawers are power supplies, isolated digital input, analog inputs and outputs, rod control, digital outputs and relays, linear power monitors, log power monitor and fuel temperature monitors. The Data Acquisition Cabinet (DAC) includes the following equipment.

  • Power supply drawer
  • Digital Input drawer
  • Analog Input drawer
  • Rod control drawer
  • Relay drawer
  • Linear power drawer (NFT-1000 and NMP-1000)
  • Log power drawer (NP-1000, NPP-1000 and NLW-1000)

AC power is supplied to the DAC by the console UPS. AC power is fanned out to three identical rackmount power strips. Every strip has 8 outlets and features a 15A resettable circuit breaker.

Power can be turned on and off with a lighted switch. All DAC drawers and devices that require AC input power are plugged into these power strips. Figure 3-17 shows the power distribution for the DAC.

Figure 3 AC Power Distribution Data Acquisition Cabinet

3.3.3.1 Power Supply Drawer

The power supply drawer houses various power supplies that are required in the DAC. All power supplies are of the switching type, provide input to output isolation and come with internal overvoltage and overcurrent protection. The following power supplies are located in the DAC:

PS1 +5VDC Power provides up to 7.5W to power the secondary side of the digital isolator modules on the digital input drawer.

PS2 +15VDC Power is a 10W power supply that can be used to generate input signals to the nuclear instrument remote connectors. In the current configuration, it provides the pulse gain signal for the NPP.

PS3 +24VDC Power is a 50W power supply that is used to power all digital switch contacts external to the DAC (FIS, Rod Drives, etc.). Input to output isolation is 3,000V.

PS4 +24VDC Power is a 50W power supply that is used to power the transient rod air solenoid.

PS5 +24VDC Utility Power is a 50W power supply that is used to power all digital switch contacts external to the console, as well as digital inputs that originate within the console. Input to output isolation is 3,000V.

PS6 +24VDC Magnet Power is a 50W power supply that provides power to the magnets. It is monitored by a ground fault detector (GFD), which is also housed on the power supply drawer.

The GFD monitors both the high and low legs of the scram loop. If any point in the scram loop shorts to earth ground, the GFD will detect it and generate a fault indication to the console. The GFD has a display, test mode and various indicators. When no fault is present, a green LED will be lit. When a fault is detected, yellow LEDs will be lit. The GFD is powered by PS5.

3.3.3.2 Digital Input Drawer

The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical - printed circuit board assemblies populated with digital isolators. There are 24 isolators p ~ for a total of 48 digital inputs. The isolation voltage is 4,000V. Every isolator accepts a 2.5 to 28VDC input signal to activate on the primary side. When active, a red LED is lit. The inputs are referenced to the 24V digital power supply (PS3) on the power supply drawer. The secondary side is powered by 5V (PS1). The outputs of the digital isolators generate an input to the digital input module via pull-up resistors t h ~ of the printed circuit board. The signals are passed from the - isolator boards to the - digital input board via DIN rail mounted terminal boards that accommodate the required connector configuration.

3.3.3.3 Analog Input Drawer

The analog input drawer houses 18 DRF type - signal conditioning modules that feature galvanic input to output isolation of 3,500V. Of these signal conditioning modules, 7 of them are designed to accept either current or voltage signal inputs from external equipment, 6 are designed to read potentiometer inputs, and 5 are designed to connect to a 100Ω RTD sensor. The outputs are configured for 0 to 10V, to be read by the - modules on the - analog drawer. The signal conditioning modules are ~ 24VDC, 120W ~ power supply. Every module has two potentiometers for zero and span adjustments for calibration.

3.3.3.4 Rod Control Drawer

The rod control drawer houses - modules. All modules are directly powered by the DAC AC power. The AC power ~ e on the exciter is fused with a 1A fuse.

The - module can ~ to eight ~ er modules. It consists of a motherboard and several - daughte~ module is designed to accept analog control voltages from +10 to -10VDC, one per rod drive, and convert them to pulse trains. These are then fed into the ~ er modules. The control voltages originate on the analog I/O modules on the - analog drawer and are ultimately controlled by the CCS computer.

A negative voltage will result in the rod drive moving the rod down, and a positive voltage will drive the rod up.

The motherboard contains low voltage linear power supplies that generate the power for all plug-in daughter boards. The voltages generated are +/-12V and +5V. The motherboard also distributes incoming and outgoing signals.

Each daughter board is designed to control two Their function is to convert the incomin

Jumper settings on the daughter board set the rod travel time range. Jumpers are installed in position TB3 (for channel 1) and TB8 (for channel 2). A potentiometer adjusts the fine rate for the rod travel speed, another potentiometer the dead band. Refer to schematics TOS250D561 and TOS250D571 for circuit details and rod speed limits.

The A.C.O. OFF setting, when enabled, automatically turns off the motor current when the inside temperature of the driver exceeds 176°F (80°C). The OFF/S.D. function enables low vibration/low noise operation at low speeds without changing the

AC power originating from the rod control drawer is supplied to the transient rod via the relay drawer, where computer controlled relays switch the UP and DOWN power on and off. Power is fused with two 4A fuses. At the transient rod, AC power is also used to monitor the limit switches.

The rod control drawer houses 3 relays that interface with the transient rod's limit switches and level shift the incoming AC signal to +24VDC that can then be read by the digital input drawer.

3.3.3.5 Relay Drawer

The relay drawer houses three relay boards with electro-mechanical relays, two socketed relays and a number of terminal blocks for signal distribution. This drawer houses all the relays that are associated with the scram loop and magnet power.

The relay board housing the scram loop contains 24 relays. Each relay is rated for 1A @ 24VDC. The 24V relay coils are driven by various inputs to the scram loop. The outputs are part of the scram loop wiring or are used in the generation of digital signals to the console.

The other relay boards, two - modules, can house up to 8 standard plug-in relays each, either for AC or DC lo~ s can switch 30VDC loads at up to 7A and 120VAC loads at up to 7.5A. Relays are controlled by the CCS computer. When the computer activates a relay, a corresponding green LED on the relay will be lit.

The socketed 4PDT (K1 and K2) relays are used in the scram loop to generate the operate signal for the FIS. K1 performs the reset and latching functions and indicates all scrams clear. K2 is on when the console key switch is in the ON position. K1 and K2 are driven by 24VDC. The contacts are rated for 3A @ 30VDC. When the relay coil is activated, a red tab becomes visible in a display window on top of the relay.

For detailed descriptions of the relay boards refer to the manufacturer data sheets. For a detailed description of the scram loop and signal assignments, refer to Figure 4-1 for the scram loop diagram.

3.3.3.6 Linear Power Drawer

The linear power drawer houses one NMP-1000 and one NFT-1000 nuclear instrument. Both the NMP and NFT instruments are part of the scram loop. The NMP-1000 is connected to a compensated ion chamber. The NFT-1000 is connected to an instrumented fuel element. The NMP and NFT communicate with the CCS computer via air gapped Ethernet. Trip status, self-test modes, power levels, ranges and temperatures are all communicated to the CCS computer via air gapped Ethernet. The NMP-1000 accepts operator range selection directly from the range selection on the Left Side Status display. The trips are hardwired into the scram system. The NMP-1000 trips are bypassed by a jumper installed in the scram loop.

Refer to the Operator and Maintenance (O&M) manual, T3401000-1UM [5], for a detailed description of the NMP-1000. Refer to the O&M manual, T3291000-1UM [8], for a detailed description of the NFT-1000.

3.3.3.7 Log Power Drawer The log power drawer houses one NP-1000, one NPP-1000 and one NLW-1000 nuclear instrument. The NP and NPP are part of the scram loop. The NLW, NP and NPP are all connected to fission chambers. All three instruments communicate with the CCS computer via air gapped Ethernet. Trip status, self-test modes, power level and period are all communicated to the CCS computer via air gapped Ethernet. The NLW Log Power % and NP % Power analog signals are wired directly to the digital chart recorders.

Refer to the O&M manual, T3322000-1UM [4], for a detailed description of the NLW.

Refer to the O&M manual, T3271000-1UM [6], for a detailed description of the NP.

Refer to the O&M manual, T3281000-1UM [7], for a detailed description of the NPP.

Table 3 DAC Input/Output List

Low Pool Level On/Off Scram Float Switch Low Level -6 Scram

3.3.4 Operation and Performance

As shown in Table 3-5, the DAC gets input signals from the rod drives, the temperature thermocouples for the NFTs, fission chambers, and ion chambers. The DAC contains rod drive control, signal processing, I/O, Ethernet hubs, the NFT-1000, NMP-1000, NLW-1000, NP-1000 and the NPP-1000. It processes the incoming information and forwards it to the CSC.

The neutron flux and fuel temperature modules (noted above with the -1000 suffix) utilize modules to sense analog and digital inputs. Ethernet and RS-232 serial communication lines report the data to the CSC. There are typically 4-8 A/D channels, 0-8 D/A channels, and 8-48 digital I/O channels. A serial port on the back of the channel's case is used as a debug output port during the startup process and can be used to mirror data sent to other locations on a remote LCD display.

The data acquisition system has a sample rate of approximately 100 msec. It will record data to the external data storage devices as data changes with this nominal 100 msec period. The recording time may be faster but will not exceed 25 msec. The watchdog timer trip period will cause the relay driver outputs to go to failsafe mode within 15 seconds of a loss of communication. The loss of communications will be sensed by the control console and initiate a scram.

Some modules will allow a single input and provide multiple outputs. The NPP-1000 for example accepts signal from its respective neutron flux detector and outputs three 4-20 mA signals: power level in steady state, pulse power, and integrated energy. Additionally, it outputs via ethernet the values of these three parameters and the status of the two related trip points, namely the high power scram and the high voltage scram. Additional notes on Table 3-5 can be found in Appendix A of the System Requirements Specification[14] by the vendor.

The DAC provides the required signals to the CSC for operator access and historic retrieval. The collected information provides important and required information to the operator for normal operating ranges. The implemented watchdog will assure continuous communication. The Operator receives both information of the status of a signal and whether any trips have been actuated. Redundant signal is provided through different devices measuring similar parameters and this signal is available to the operator in a variety of locations.

The nuclear instruments feature certain test mode capability. When designated switches are set in the correct position, diagnostic capabilities are permitted. The channel will continue to operate in a standard fashion while in test mode and protective functions are maintained. Similarly, a maintenance mode is available for debug output and logging.

Specific testing of the communication capability of the DAC is not required as inability to communicate with the console would prohibit startup of the facility. If communications are lost for no more than 15 seconds during operations, a scram would be initiated by the watchdog timer.
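The watchdog behaviour described in 3.3.2 and 3.3.4 (relay outputs forced fail-safe and a scram no more than 15 seconds after communication is lost) can be modelled as below. This is an added example, not the vendor's or AFRRI's code: all names, the 100 ms heartbeat, the sequence-number check and the all-relays-de-energized fail-safe pattern are assumptions for illustration; only the 15-second limit comes from the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WD_TIMEOUT_MS  15000u /* from the text: no more than 15 s after loss of communication */
#define RELAY_FAILSAFE 0x00u  /* assumption: fail-safe = every relay driver de-energized */

typedef struct {
    uint32_t last_feed_ms; /* tick of the last accepted heartbeat */
    uint16_t last_seq;     /* sequence number of that heartbeat */
    bool     have_seq;     /* false until the first heartbeat after init */
    bool     tripped;      /* latched: only wd_init() clears it */
    uint8_t  relay_cmd;    /* pattern requested by the control logic */
} comm_watchdog;

/* Start (or deliberately reset) the watchdog with the outputs fail-safe. */
void wd_init(comm_watchdog *wd, uint32_t now_ms)
{
    wd->last_feed_ms = now_ms;
    wd->last_seq = 0;
    wd->have_seq = false;
    wd->tripped = false;
    wd->relay_cmd = RELAY_FAILSAFE;
}

/* Evaluate the timer. Unsigned subtraction stays correct when the 32-bit
 * millisecond tick wraps. Returns true once the watchdog has tripped. */
bool wd_poll(comm_watchdog *wd, uint32_t now_ms)
{
    if (!wd->tripped && (uint32_t)(now_ms - wd->last_feed_ms) >= WD_TIMEOUT_MS)
        wd->tripped = true;
    return wd->tripped;
}

/* Offer a heartbeat. It feeds the timer only if the watchdog has not already
 * expired and the sequence number moved forward, so a link that keeps
 * repeating one stale frame does not look alive. Returns true if accepted. */
bool wd_heartbeat(comm_watchdog *wd, uint16_t seq, uint32_t now_ms)
{
    if (wd_poll(wd, now_ms))
        return false;                       /* too late: the trip is latched */
    if (wd->have_seq) {
        uint16_t delta = (uint16_t)(seq - wd->last_seq);
        if (delta == 0 || delta >= 0x8000u) /* repeated or older frame */
            return false;
    }
    wd->last_seq = seq;
    wd->have_seq = true;
    wd->last_feed_ms = now_ms;
    return true;
}

/* Control logic requests a relay pattern; it is stored, not applied directly. */
void wd_command(comm_watchdog *wd, uint8_t pattern)
{
    wd->relay_cmd = pattern;
}

/* What the relay drivers actually receive at time now_ms. */
uint8_t wd_relay_output(comm_watchdog *wd, uint32_t now_ms)
{
    return wd_poll(wd, now_ms) ? RELAY_FAILSAFE : wd->relay_cmd;
}

/* Constructed timeline: a healthy link for 2 s, then the last frame is
 * replayed forever. Returns the tick at which the outputs go fail-safe. */
uint32_t wd_demo_trip_time(void)
{
    comm_watchdog wd;
    uint32_t t;

    wd_init(&wd, 0);
    wd_command(&wd, 0x5Au);
    for (t = 100; t <= 2000; t += 100)      /* fresh frame every 100 ms */
        wd_heartbeat(&wd, (uint16_t)(t / 100), t);
    for (t = 2100; t <= 30000; t += 100) {
        wd_heartbeat(&wd, 20, t);           /* stale frame: rejected */
        if (wd_relay_output(&wd, t) == RELAY_FAILSAFE)
            return t;
    }
    return 0;                               /* never tripped (would be a bug) */
}

int main(void)
{
    printf("last good frame at 2000 ms, outputs fail-safe at %u ms\n",
           (unsigned)wd_demo_trip_time());
    return 0;
}
```

Evaluating the timer inside `wd_heartbeat` means a frame that arrives after the deadline cannot quietly revive the link; the trip stays latched until a deliberate `wd_init`.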

3.3.5 Conclusion

The Data Acquisition Cabinet (DAC) is capable of reading, processing, and communicating data to the operator under normal and anomalous conditions. The DAC's data frequency, independence, redundancy, and fail safe design ensure accurate and continuous facility status are readily available to the operator. Functionality of the DAC is not required for the RPS to function appropriately; however, verification of RPS actions is provided through the DAC to the operator.

3.4 Control Rod Drives

The standard control rod drives are rack and pinion type that are driven by . The controllers for the and limit switches are housed in the DAC.

The AFRRI reactor features an automatic control that maintains the reactor power at a point set by the operator with a 2% dead band. The automatic control system compares the output of the NMP-1000 and NLW-1000 channels against an operator supplied setpoint and adjusts the control rods to increase or reduce reactor power as it drifts. This system is implemented through a digital control algorithm.

Additionally, as is common with most reactors of this type, a transient rod is available to be rapidly removed from the core and increase power. The degree of removal is set by withdrawing the transient anvil to a predetermined height. This will make the reactor supercritical and allow the core power to achieve a high level for a short interval. Square wave power increases can also be achieved.

The RCS has a set of equipment protection interlocks and rod withdrawal inhibits which restrict operation unless certain conditions are met. The Technical Specifications require minimum indicated power level on the NMP-1000 to ensure there is a neutron population significant to initiate the chain reaction in the reactor and nuclear instrumentation is responding appropriately.

3.4.1 Design Criteria

The control rod drives are designed such that there is no single point failure amongst the drives and that in the event of a failure, they default to a safe status. The drives are independent of each other and redundancy is achieved through using separate rod drive motors for each drive, that is, the rods are not coupled together in any way. Systematic nonrandom concurrent failures of the drives are prevented whenever possible.

Technical Specification 3.2.1.b states, "The reactor shall not be operated unless the four control rod drives are operable except that the reactor may be operated at a power level no greater than 250 kW with no more than one control rod drive inoperable with the associated control rod drive fully inserted."

The interlock and other rod drive requirements, as taken from the Technical Specifications, are listed below in Table 3-6.

Table 3 TS Table 3 - Minimum Reactor Safety System Interlocks

Action Prevented, with the Effective Mode marks (columns: Steady State, Pulse) as they appear in the table:

  • Pulse initiation at power levels greater than 1 kW: X
  • Withdrawal of any control rod except transient: X
  • Any rod withdrawal with power level below a minimum level as measured by the operational channel: X X
  • Simultaneous manual withdrawal of two standard rods: X
  • Any rod withdrawal if high voltage is lost to the operational channel: X X
  • Application of air if the transient rod drive is not fully down. This interlock is not required in square wave mode: X

3.4.2 Design Bases

The specific function of the control rod drives is to manipulate reactivity in the core at the appropriate time. The rod drives are coupled to either an electromagnet or an anvil (transient rod).

As the rod drives travel through their range of operation, their position is made available to the DAC and thereby presented to the operator.

The rod drives may be controlled in manual or automatic mode. In manual mode, they operate with a single speed (the maximum speed) as set by the potentiometer. In automatic mode, slower speeds may be initiated to create a slower rate of reactivity change. The rod drives themselves do not provide any safety function. In the event of a scram, the magnets are de-energized and the control rods are dropped into the core by the force of gravity, while the drives are driven to their bottom limit. To prevent a scenario in which the safety limit could be threatened, or otherwise unsafe conditions created, interlocks are provided which prohibit rod withdrawal. Refer to Table 3-6.

All rod drives receive power from a common source and a common system provides actuating logic for the drive mechanism. The logic is handled in the control console while the drive communication channels are housed in the DAC.

3.4.3 Subsystem Description

The reactor control system allows the control rods to be moved individually using the Rod Control Panel on the CSC, which allows the reactor operator to energize the magnet and stepping motor on the control rod drive assembly (Figure 3-19) mounted on the reactor bridge. The drives are connected to the control rods through a connecting rod assembly which uses a magnetic coupling and an armature connected to a connecting rod. A system of interlocks prevents the upward movement of more than one rod at a time.

The drive utilizes a rod drive mechanism, which is an electric actuated linear drive connected to the magnetic coupler and a positive feedback potentiometer.

Refer to Figure 3-18 for an overview of the Rod Control System.

Figure 3 Rod Control Block Diagram

Figure 3 Control Rod Diagram (labeled parts: Magnet Wire Protective Cover, Rod Down Limit Switch, Pull-rod Housing, Barrel, Magnet Draw Tube, Magnet, Pull-rod, Connecting Rod To Control Rod)

The mounted on each control rod drive assembly drives a pinion gear and a 10-turn potentiometer via a chain and pulley gear mechanism. The potentiometer provides rod position information on the operator console. The pinion gear engages a rack attached to the magnet draw tube.

The control rod drives are connected to the control rods through a connecting rod assembly. An electromagnet, attached to the lower end of the magnet draw tube, engages an iron armature, which in turn is screwed and pinned into the upper end of the connecting rod that terminates at its lower end in the control rod itself.

The magnet, the armature, and the upper portion of the connecting rod are housed in a tubular barrel that extends below the reactor water line. Located part way down the connecting rod is a piston. The upper portion of the barrel is ventilated to permit unrestricted movement of the piston in water, whereas the lower 2-inch of the barrel provides a damping action when the electromagnet is de-energized and the control rod is released.

When the - is energized (via the rod control UP/DOWN switch on the operator console ro~ , the pinion gear shaft rotates, thus raising the magnet draw tube. If the electromagnet is energized, the armature and the connecting rod will raise with the draw tube so that the control rod is withdrawn from the reactor core. In the event of a reactor scram, the magnet is de-energized, and the armature will be released. The connecting rod, the piston, and the control rod will then drop, thus reinserting the control rod by gravity into the reactor core.

3.4.3.1 Rod Drive Mechanism

The rod drive mechanism is an electric - actuated linear drive equipped with a magnetic coupler and a feedback potentiometer. The purpose of the rod drive mechanism is to position the reactor control rod elements.

The up/down rod control signals, limit switch signals, Rod Position Indication (RPI) information, and magnet power are interconnected between the DAC and control rod by a cable assembly. The rod drive motor control signals are connected to each translator via a second cable assembly. Figure 3-20 provides a schematic diagram of the drive.

A spring-loaded pull rod extends vertically through a housing and up through the block. The lower end of this rod terminates in an adjustable foot that protrudes through a window in the side of the barrel. The foot is placed so as to be depressed by the armature when the connecting rod is fully lowered. Raising the rod releases the foot, allowing the pull rod to be driven upward by the force of the compression spring. The top of the pull rod terminates in a fixture which engages the actuating lever on a microswitch. As a result, the microswitch reverses position according to whether or not the armature is at its bottom limit. This microswitch is the rod DOWN switch.

A push rod extends down through the block into the upper portion of the barrel. It is arranged so as to engage the top surface of the magnet assembly when the magnet draw tube is raised to its upper limit. The upper end of the push rod is fitted with an adjustment screw which engages the actuator of a second microswitch. Thus, this microswitch reverses position according to whether the magnet is at or below its full up position. This microswitch is the magnet UP switch.

A bracket, fitted with an adjustment screw, is mounted on top of the magnet draw tube. A third microswitch is arranged so that its actuating lever is operated by the adjustment screw on the bracket. The switch will thus reverse position according to whether the magnet draw tube is at or above its completely inserted position. This microswitch is the magnet DOWN switch.

Figure 3 Schematic Diagram

3.4.3.2 Transient Rod

The transient rod remains unchanged for this LAR but is included in this discussion for informational purposes.

The transient rod is pneumatically and electrically driven. AC power is used to activate the motor. Limit switches are used to control the AC power. The pneumatic electromechanical drive allows operations in two different modes:

  • Steady-state mode, air pressure holds the transient rod up against an anvil, allowing fine position control via the motor drive;
  • Square wave or pulse mode, the anvil may be prepositioned and application of air pressure permits ejection of a predetermined amount of the transient rod from the core.

Figure 3-21 is representative of the transient rod installed at AFRRI.

Figure 3 Transient Rod (labeled parts include: Shock Absorber, Vent Holes, Cylinder, Piston Housing, Piston Rod, Air Supply Hose, Solenoid Valve, Bottom Limit, Connection to Control Rod)

The pneumatic portion is a single acting pneumatic cylinder with the piston attached by a connecting rod to the control rod. When the cylinder and transient rod are down, actuating the air solenoid allows air to be applied to the cylinder. With air applied, as the cylinder is run off its bottom position with the motor and associated gear box, the rod rises. The motor drives a ball nut assembly through a worm gear. The balls engage in threads on the outside of the cylinder which can thus be raised or lowered to limit the upper position of travel of the transient rod. The direction of the motor is controlled by the user via the console rod control panel UP and DOWN buttons.

De-energizing the solenoid interrupts the air and relieves the pressure in the cylinder so that the rod will reinsert under gravity.

The motor driving the transient rod has two windings, one for up and one for down motion. When the rod is in steady state (not moving), both motor windings are energized, holding the motor in a locked position. To move the rod, the motor winding opposite to the desired direction of movement is de-energized.

The transient rod drive employs three limit switches. They are motor (cylinder) up, motor (cylinder) down and rod down. A position potentiometer provides a resistive value that is proportional to the height of the cylinder. Refer to Figure 3-22 for a diagram of the transient rod limit switches.

Figure 3 Transient Rod Limit Switches

For pulsed reactor operation, the cylinder is raised to the desired height to control the overall travel and hence the reactivity inserted for the pulse. With no air pressure applied, the rod stays at the bottom. If all necessary conditions for pulsing are met, compressed air is admitted at the lower end of the cylinder to drive the piston upwards. The air being compressed above the piston is forced out through vents at the upper end of the cylinder. At the end of its stroke, the piston strikes the anvil of the shock absorber. The piston is thus decelerated at a controlled rate at the end of its stroke. This action minimizes rod vibration after transit.

3.4.3.3 Manual and Automatic Mode

The reactor power regulating system manages all control rod movements taking into account the choice of operating mode and interlocks. The system has two control modes, manual and automatic. Both control modes may be used for reactor operation from source level to 100% power.

The reactor can be started up in manual mode or automatically at a constant reactor power period.

The control rods are prevented from being withdrawn in automatic mode if the reactor power period is shorter than +8 seconds.

3.4.3.3.1 Manual Mode

Manual control of reactor power is accomplished by operating the control rods using buttons on the rod control panel. Each of the buttons (MAGNET and AIR) in the top row is used to quickly insert its associated control rod (equivalent to a scram for that rod) by interrupting the current to the rod drive magnet or by removing the air to the transient rod. If the rod is above the down limit, the rod will fall back into the core by gravity when the button is pushed. The magnet or anvil is then automatically driven to the down limit, where it again contacts the armature on the connecting rod. The operator can scram all of the rods at any time in any mode of operation by pressing the SCRAM button on the right side of the control panel.

On the Rod Control Panel, the middle row of buttons (UP) and the bottom row (DOWN) are used to position the control rods. Pressing one of the buttons causes the associated control rod to move in the indicated direction. A digital position indicator on the rod drive determines the position of each control rod. The position readout is accurate to within 0.2%. Interlocks prevent the movement of the control rods from their inserted core position in the upward direction under the following conditions:

  • Startup source level below minimum level
  • NLW-1000 exhibiting a High-Voltage Low condition.
  • More than one UP switch depressed at the same time on the rod control panel
  • Mode switch in AUTOMATIC position (UP buttons inactive)
  • NLW Reactor period too short (software configurable)
  • Magnet not coupled to armature
  • Inlet Temp high
  • Low Pool Level active
  • Pulse Mode Prohibit Above 1 kW
  • TR: Fire Invalid - Transient Rod not on bottom
  • TR: Two up pressed at one time

There are no interlocks that prevent downward motion of the control rods.

3.4.3.3.2 Automatic Mode

The TRIGA control system, when placed in Automatic Mode, will automatically control positions of the Shim, Safety and Reg rods, depending on bank selection, to maintain a specific power level based on the % Power reading from the NMP-1000, the reactor period from the NLW-1000 and the demand power level. The demand power level is taken from the setting of the power demand set on the Left Side Status display and indicated at top left of the Right Side graphics display.

Refer to Figure 3-23 for a Functional Block Diagram of the Automatic Mode.

Figure 3-23 Automatic Mode Functional Block Diagram

In Automatic Mode, the computer controls the rods based on the bank selection. The computer controls the rods according to a PID algorithm to drive the rods either up or down based on a comparison of the reactor power with the demand power and reactor period. The computer-controlled rods have a range of 1% to 99% of rod travel (i.e., Automatic Mode will not allow the rods to be withdrawn past 990 units, or inserted below 10 units). A trip from the NMP or a communication error will result in rod control reverting back to Manual Mode. Automatic Mode must be re-enabled once condition(s) clear.

A PID algorithm involves three separate parameters and is sometimes called three-term control: the proportional, the integral and derivative values, denoted P, I, and D. These values can be interpreted in terms of time: P depends on the present error, I on the accumulation of past errors, and D is a prediction of future errors, based on current rate of change. A weighted sum of these three actions is used to adjust reactor power by moving the rods.

The proportional term (present error) is calculated as the difference between the demand power and the actual power; however, the rod speed is maxed out (equal to manual rod speed) if the proportional term reaches +/- 20% beyond the demand power. The integral (~looking into the past) and differential (~looking into the future) terms are input to the algorithm by using the reactor period. Conceptually, the period tracks past rod speed and predicts future rod speed.

The four control rods are positioned by control rod drives mounted on the reactor carriage. The regulating, shim, and safety rod drives are rack-and-pinion linear actuators. These rod drives use a that can operate at variable speeds when operated by the servo system. For all rods other than the transient rod, the rod drives move an electromagnet which may or may not be energized. Starting with the rod drive completely lowered (at the down limit switch), energizing the electromagnet will attract an armature which is physically connected to the poison absorber portion of the control rod. When the rod drive is moved upwards, the rod is lifted out of the core.

The control rod will move with the rod drive as long as the electromagnet is energized and attracts the armature. In a scram, the electromagnet is de-energized, releasing the armature and allowing the control rod to fall into the core under the force of gravity. For the transient rod, an anvil is located on the bottom end of the rod drive. Starting again with the transient rod drive fully down, when all appropriate conditions are met, the operator presses the FIRE button, and this forces air pressure under a piston connected to the top of the transient poison absorber, holding it up against the force of gravity to the anvil. When the transient rod drive motor is then moved up, air pressure holds the piston against the anvil, causing the transient control rod to travel up with the drive.

When a scram occurs, a solenoid valve releases the air pressure under the piston, allowing the transient rod to fall into the core under the force of gravity. A mechanical dash pot is incorporated into the barrel surrounding each control rod to decelerate the rod near the bottom of the travel path following a scram. This protects the physical integrity of the rod over time. Limit switches sense when the drive is fully withdrawn, the drive is fully inserted, and when the actual poison rod is fully inserted. Coupled to the pinion shaft is a potentiometer which provides rod height indication.

Figure 3-24 Rod Control Panel (panel labels: ROD CONTROL, TRANSIENT, SHIM, SAFETY, RESET, MAGNET POWER)

Movement of the rod drives is done in manual mode through the rod control panel shown in Figure 3-24 above. This has 15 momentary contact switches and a key switch. The shim, safety, and regulating drives all have a magnet, up, and down switch. The transient rod has an up, down, air, and fire switch. An annunciator acknowledge switch is provided for the operator to indicate to the control system an alarm or message has been recognized. A manual scram switch is provided to remove magnet power (or air pressure for the transient rod). Finally, a magnet power key switch is available to permit magnet power and transient rod air pressure (on and off) as well as reset the system. The reset function is used to initiate the start-up time delay and acts as a magnet power permissive. The on pole and the reset pole are made available as inputs to the control console software.

The scram button is hard-wired directly into the system scram loop wiring. See Section 4: Reactor Protection System for more information.

When the reactor is in Operate mode, the Acknowledge button communicates with the control console software to acknowledge any trips, scrams, or warnings. These are displayed on the annunciate pane of the main graphics window.

The air button engages a latch that releases air pressure supplied to the transient rod. Air pressure is applied by pressing the transient rod Fire button. This air pressure can be removed by a scram or by pressing the air button again. This Fire button signal is processed strictly by software. Any software problem that prevents operation will be detected and a scram will be initiated, thereby releasing the air pressure holding the rod up against the anvil and dropping the transient rod.

The rod Down button on the rods will communicate to the software to drive the corresponding rod down until the down limit switch is active. However, in automatic mode, only those rods which have not been selected with the Rod Select switch can be manually inserted. The software provides an analog output signal that controls the speed of the rod control motor, although the maximum rod speed in AUTO equals the MANUAL rod speed. Any number of down buttons can be pressed simultaneously and always take precedence over an Up button.

The Up buttons on the rods send a software signal which will apply output voltage to move the corresponding drive up, following a logic check. These up buttons are only active in manual mode and at most one button can be pressed at a time. When multiple Up buttons are selected, the system will ignore all of them. In automatic mode, none of the Up buttons are active and the software handles all rod movements. In Square Wave or Pulse modes, the Up buttons are inactive.

There are several operating modes for the reactor: manual, automatic, square wave, and pulse. In manual mode control rods are operated manually on the rod control switch panel.

In automatic mode, the following rod combinations can be selected for banked rod movement:

  • Regulating Rod Only
  • Shim and Regulating Rod
  • Shim, Safety, and Regulating Rod

When utilizing the automatic mode, the reactor power is compared against the power demand setting to obtain an error number. When the power demand has more than 2% deviation from the power measurement of the NMP-1000, the rods (as selected by the combinations listed above) are moved into or out of the core. Rods are inserted with variable speed to allow for minor corrections in reactor power with small deviation and major corrections in reactor power for large deviations. Variable speed also enables the algorithm to achieve the desired power with minimum overshoot/undershoot. The speed cannot exceed that which is set for manual mode. The NLW-1000's period signal is provided and will inhibit rod withdrawal if the reactor period exceeds +8 seconds.
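The supervisory limits that the Automatic Mode passages place around rod motion (2% deadband, speed capped at the manual rate and saturated at 20% error, 10 to 990 unit travel, period inhibit, reversion to Manual) can be modelled as one control cycle. This is an added example, not the vendor's controller: the linear speed ramp, the normalised speed, the function and key names are assumptions, the period-based integral and derivative terms are not modelled because the page gives no gains, and the period inhibit follows the Section 3.4.3.3 wording (withdrawal prevented when the period is shorter than +8 seconds).

```python
# Added example: supervisory limits around Automatic Mode rod motion.
# Assumptions (not from the page): normalised speed, linear ramp, all names.
import math

MANUAL_SPEED = 1.0               # normalised; the page gives no numeric rod speed
DEADBAND_PCT = 2.0               # rods move only beyond a 2% deviation
SATURATION_PCT = 20.0            # speed reaches the manual-mode ceiling at 20%
MIN_UNITS, MAX_UNITS = 10, 990   # 1% to 99% of rod travel
MIN_PERIOD_S = 8.0               # no withdrawal on a shorter positive period

# Bank selections listed in the text.
BANKS = {
    "REG": ("reg",),
    "SHIM_REG": ("shim", "reg"),
    "SHIM_SAFETY_REG": ("shim", "safety", "reg"),
}


def bank_speed(demand_w, measured_w):
    """Signed speed for the bank: positive withdraws, negative inserts."""
    if demand_w <= 0:
        raise ValueError("demand power must be positive")
    err_pct = 100.0 * (demand_w - measured_w) / demand_w
    if abs(err_pct) <= DEADBAND_PCT:
        return 0.0
    # Assumed linear ramp, clamped at the manual-speed ceiling.
    magnitude = min(abs(err_pct) / SATURATION_PCT, 1.0) * MANUAL_SPEED
    return math.copysign(magnitude, err_pct)


def auto_step(mode, bank, positions, demand_w, measured_w, period_s,
              nmp_trip=False, comm_ok=True):
    """One control cycle. Returns (mode, {rod: signed speed})."""
    if mode != "AUTO":
        return mode, {}
    # An NMP trip or a communication error reverts control to Manual Mode;
    # the caller must re-enable AUTO explicitly once the condition clears.
    if nmp_trip or not comm_ok:
        return "MANUAL", {}
    speed = bank_speed(demand_w, measured_w)
    # Period inhibit blocks withdrawal only; insertion is never blocked.
    if speed > 0 and 0 < period_s < MIN_PERIOD_S:
        speed = 0.0
    commands = {}
    for rod in BANKS[bank]:
        rod_speed = speed
        if rod_speed > 0 and positions[rod] >= MAX_UNITS:
            rod_speed = 0.0      # already at the 99% travel limit
        elif rod_speed < 0 and positions[rod] <= MIN_UNITS:
            rod_speed = 0.0      # already at the 1% travel limit
        commands[rod] = rod_speed
    return "AUTO", commands
```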

Initiating Square Wave mode must be done with the reactor in steady-state mode. With the power less than 1000 W (as determined by the NLW-1000) and the transient rod's air supply turned off, the Square Wave mode switch can be depressed. This will change the console from steady-state to Square Wave mode. Upon pressing the Fire button, the Transient Rod will FIRE and reactor power will increase to the demand power level. Upon achieving the desired power level, the console will switch to Auto mode to maintain the reactor at this constant power level. If the desired power level is not reached within 30 seconds, the system will switch to Manual Mode and display a message to the operator on the Annunciator Pane.

There is additional functionality available to the operator to initiate a scram after a predetermined amount of time. The reactor status display discussed in Section 6 allows for a configurable up/down steady-state scram timer.

3.4.4 Operation and Performance

Normally, all the rod drives are operable, but the Technical Specifications allow for the operation of the reactor with one rod drive inoperable, provided that mechanism is at its full insertion. When the magnet power is turned off (or air not activated for the transient rod), the rod drives may be moved from the core without inserting reactivity. In periods of extended shutdown, this may be performed as a preventative maintenance measure.

The intervals of the inspection for the rod drives are provided in the Technical Specification and meet the vendor recommendations. Both the electro-mechanical rod drives and the pneumatic transient rod drive are heavily based on a simple design that has been in use for many decades across dozens of TRIGA reactors, both in the USA and globally. The most recent update replaced the vendor for the motors due to obsolescence, with a corresponding improvement in position accuracy due . These updated drives have been in use at the NRAD TRIGA in Idaho National Lab for several years with no issues, and have passed all testing at the AFRRI installation. The function of the drives, to insert or remove reactivity to the core, is clearly achieved by the design. The interface with the Facility Interlock System ensures the rod drives do not move when the movement will initiate an unsafe condition within the facility. The Facility Interlock System, although complex, provides a single permissive to the scram loop.

Technical Specification 4.2.1.c requires in part that, "On each day that pulse mode operation of the reactor is planned, the transient rod system is channel tested to verify that the system is operable."

3.4.5 Conclusion

The design and implementation of the control rod drives perform the basic functionality of altering the reactivity of the core when permissive conditions are met. Following standard rod design and manufacturing processes, the implemented system does not affect the safe operation of the reactor.

3.5 Facility Interlock System (FIS)

The facility interlock system[3] is designed to eliminate the possibility of accidental radiation exposure of personnel working in the exposure rooms or the preparation area and to prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud. These interlocks prevent rotation (i.e., opening or closing) of the reactor tank shield doors and the operation and movement of the reactor core between different regions unless specific operating conditions are satisfied.

3.5.1 Design Criteria

The FIS is designed such that if any of the relays fail, they will default to the more conservative setting of an open circuit and thereby prevent facility operation.

Verification of the operability of the FIS is required in the Technical Specification. Specifically, TS 4.2.4 states, "With the lead shield doors open, neither exposure room plug door can be electrically opened." Technical Specification 4.2.4.b requires "The core dolly cannot be moved into region 2 with the lead shield doors closed." Technical Specification 4.2.4.c requires, "The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door." These surveillances are performed in accordance with the listed periodicity in the TS.

3.5.2 Design Bases

The FIS is designed to prevent inadvertent operation of the facility when a set of conditions has not been met. All of the interlocks are binary (on/off, open/closed, etc.) and must be met prior to operation. TS 3.2.3 states, "The objective is to provide sufficient warning and interlocks to prevent movement of the reactor core to the exposure room in which someone may be working, or prevent the inadvertent contact between the core and the lead shield doors." Other than the operability of the switches at the locations of the check, there are no other support requirements for the FIS.

3.5.3 Subsystem Description

The Facility Interlock System (FIS) consists of a central cabinet and various peripherals such as motor control centers (MCC), horns, limit switches, etc. The FIS central cabinet houses the relay logic that controls the FIS. Refer to Figure 3-26 for a block diagram of the FIS.

The FIS consists of 12 limit switches and 17 pushbuttons and enforces a straightforward logic table to perform its function. The FIS interfaces to the console and DAC via relays to electrically isolate the various systems. The FIS logic and implementation remain unchanged in the console upgrade; however, the wiring and relays were replaced in a like-for-like manner.

Finally, the FIS interfaces to the console Magnet Power keyswitch to enforce its logic and also sound a horn in the necessary exposure room(s) for 30 seconds when the reactor is about to start operation. The horn may be locally manually bypassed per AFRRI administrative procedures.

Figure 3-26 Facility Interlock System Block Diagram

3.5.4 Operation and Performance

3.5.4.1 Scram and Magnet Power Circuits

Figure 3 Scram Loop Interlock Wiring Diagram

Certain facility interlock permissives must be satisfied before the scram loop can be completed and the standard control rod magnet power circuits and the transient control rod air circuits can be energized. These permissives include:

  • The tank lead shield doors must be fully closed (D2C active) and the plug door for the exposure room against which the reactor is to be operated must be secured (either D1C or D3C active). The reactor must be in the corresponding region (either RP1A or RP3A active).
  • The tank lead shield doors must be fully opened (D2O active) and both plug doors for the exposure rooms must be secured (both D1C and D3C active).
  • The Key Switch must be in the "ON" position.
  • All emergency stop circuits in the exposure rooms and console must be energized.

Once these permissives have been satisfied, the ROX input to the scram loop can be satisfied and the control rod magnet and air circuits can be energized using the procedure detailed below.

1) Momentarily turn the console key switch to RESET. Release the key. Relay RRX1 operates, applying voltage to the 30 second delay timer ROT and horn relay RO. A normally open RO contact operates relay HX1 which activates the horn for 30 seconds and creates an audible alarm. Another normally open RO contact locks the timer in. At the end of the 30 second startup delay, a normally open ROT contact operates relay ROX. ROX then completes the input to the scram loop.

NOTE: The Time Delay light on the Mode Control Panel will extinguish after the 30 second startup delay. The Reactor Power indicator on the Mode Control panel will be illuminated when the reactor permissive has been satisfied and magnet power can be applied.

2) After another RESET from the console key switch, power is now supplied to the magnet and transient rod air circuit, assuming all other scram loop inputs were also satisfied.
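The permissive check and two-RESET startup sequence described above can be modelled as a fail-safe evaluator plus a small state machine. This is an added example, not AFRRI's or the vendor's relay logic. It assumes the two door configurations are alternatives, that RP1A pairs with D1C and RP3A with D3C, and that losing a permissive drops ROX and magnet power; the input names KEY_ON and ESTOPS_ENERGIZED are hypothetical.

```python
# Added example: FIS permissive into the scram loop, plus the RESET sequence.
HORN_DELAY_S = 30  # startup delay timed by ROT; horn relay HX1 sounds meanwhile


def active(inputs, name):
    """Fail-safe read: a missing, None or failed contact is an open circuit."""
    return inputs.get(name) is True


def fis_permissive(inputs):
    """Return (ok, reasons) for the facility interlock permissives."""
    reasons = []
    d1c, d3c = active(inputs, "D1C"), active(inputs, "D3C")
    # Shield doors closed: core in a region with that room's plug door secured.
    # Pairing RP1A with D1C and RP3A with D3C is an assumption.
    doors_closed_ok = active(inputs, "D2C") and (
        (active(inputs, "RP1A") and d1c) or (active(inputs, "RP3A") and d3c))
    # Shield doors fully open: both plug doors secured.
    doors_open_ok = active(inputs, "D2O") and d1c and d3c
    if not (doors_closed_ok or doors_open_ok):
        reasons.append("door/region configuration not satisfied")
    if not active(inputs, "KEY_ON"):            # hypothetical input name
        reasons.append("key switch not ON")
    if not active(inputs, "ESTOPS_ENERGIZED"):  # hypothetical input name
        reasons.append("emergency stop circuit de-energized")
    return (not reasons), reasons


class StartupSequence:
    """RESET -> 30 s horn (RO/HX1, timer ROT) -> ROX -> second RESET."""

    def __init__(self):
        self.timer_start = None    # set while RO holds the timer locked in
        self.rox = False           # ROX completes the FIS input to the scram loop
        self.magnet_power = False  # magnet and transient rod air circuits

    def step(self, now_s, inputs, reset=False):
        ok, reasons = fis_permissive(inputs)
        if not ok:
            # Assumption: losing any permissive drops ROX and magnet power.
            self.timer_start, self.rox, self.magnet_power = None, False, False
        else:
            if (self.timer_start is not None and not self.rox
                    and now_s - self.timer_start >= HORN_DELAY_S):
                self.rox = True
            if reset:
                if self.rox:
                    # Other scram-loop inputs are assumed satisfied here.
                    self.magnet_power = True
                elif self.timer_start is None:
                    self.timer_start = now_s
        horn = self.timer_start is not None and not self.rox
        return {"horn": horn, "rox": self.rox,
                "magnet_power": self.magnet_power, "reasons": reasons}
```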

3.5.4.2 Lead Door Interlock Limit Switches

The locations of interlock limit switches for various doors are shown in Figure 3-31.

The operating sequence to be used in explaining the inter-relationships between various interlock circuit elements consists of:

  • Opening the tank lead shield doors.
  • Closing the tank lead shield doors.
  • Moving the core support carriage from Position 3 to Position 1.
  • Opening the thermal neutron exposure room plug door, and
  • Closing the thermal neutron exposure room plug door.

3.5.4.3 Lead Door Operation

The permissives listed below must be satisfied before the tank lead shield doors can be electrically operated.

  • The reactor must be in Position 1 or Position 3 (RP1A or RP3A active).
  • The fast neutron and thermal neutron exposure room plug doors must be closed (D1C and D3C active).
  • The console key switch must be turned to the ON position.
  • All emergency stop circuits in the exposure rooms and console must be energized.

Figure 3 Lead Door Interlock Wiring Diagram

To open shield doors:

1) Momentarily depress the door OPEN button on the Reactor Mode Control Panel. Relay D2MX1 will operate, applying voltage to the delay relay D2T and horn relay D2, both of which lock themselves in via D2. D2 also applies operating voltage to relay HX2 which in turn sounds an audible alarm during the 3 minute startup delay period. At the end of the delay period, a normally open D2T contact will close, operating relay D2MX2 which locks itself in.
2) The tank shield doors may be closed even if the key switch is in the OFF position and console power is OFF.
3) At the conclusion of the 3 minute delay period, again depress the door OPEN switch on the Reactor Mode Control Panel. Relay D2MX1 and contactor D2M-0 have now been operated, thus initiating rotation of the shield doors to the open position. When the lead shield doors reach their fully open position, switch D20 will actuate, operating relay D20X. A normally closed contact on D20X releases the "open" contactor D2M-0, stopping the door drive motor.

Closing the tank lead shield doors requires that the core be in Position 1 or 3 (in this case Position 1).

To close the shield doors:

Depress the door CLOSE button on the Reactor Mode Control Panel. This operates contactor D2M-C which in turn operates the door motor control in the closed direction. When the lead doors are fully closed, limit switch D2C will actuate and operate relay D2CX, whose normally closed contact releases the door contactor, stopping the door drive motor.

3.5.4.4 Core Support Carriage Operation

Core Support Carriage Movement from Position 3 to Position 1

Once the 3 minute startup delay has expired and the lead shield doors are open, the core support carriage can be moved from Region 3 to Region 1 by following the procedure detailed below.

1) Depress the Region 1 switch on the Reactor Mode Control panel or activate the Region 1 foot pedal located on the floor in front of the console. Relay RP1M operates, which in turn operates RPS (carriage motor slow contactor). The carriage will move at a slow speed (1.5 feet per minute) until it is at the inner limit of Position 3. At this point, limit-switch RP3A will actuate, releasing relay RP3AX, which will cause contactor RPS to release and contactor RPF (carriage motor fast contactor) to operate. Now, the carriage will continue to move toward Region 1 but at a faster speed (2.25 feet per minute). When the carriage reaches the inner limit of Region 1, limit-switch RP1A will actuate, operating relay RP1AX, which in turn will release motor contactor RPF. The operation of the relay RP1AX also operates the carriage motor contactor RPS, which again automatically reduces carriage speed to 1.5 feet per minute.
2) To stop the carriage at any point, release the Region 1 switch or foot pedal.
3) To facilitate the setting and testing of the limit switches, the carriage can be moved within Region 2 with the lead door closed by using the override toggle switch. By facility procedure, an operator has to be present in the reactor room when using the override switch. Limit-switch RP1B determines the outermost Region 1 limit.

Figure 3 Core Support Carriage Interlock Wiring Diagram

Exposure Room Door Interlocks

Certain elements of the facility interlock system must be satisfied before an exposure room door can be opened. These elements include:

  • The tank lead shield doors must be closed (D2C active).
  • The reactor must be in Position 1 (RP1A active).
  • The exposure room door control power key switch must be in the ON position.

To open the exposure room door:

1) Connect the reel mounted power cable to the plug door.
2) Depress and hold the "open" button on the plug door control panel. Motor contactor D3M-0, used in operating the door in an open direction, will operate. The exposure room door will continue to move in an open direction until limit switch D30 is actuated, which will release the motor contactor, stopping the door drive motor.
3) To stop the door during its opening operation, momentarily depress the "stop" button. This action releases the open contactor D3M-0 which de-energizes the drive motor.

NOTE: If the door or drive drags or jams, the motor overload (OL) will energize, automatically releasing motor contactor D3M-0 and stopping the door movement.

Figure 3 Exposure Room Door Interlock Wiring Diagram (panel titles: ER1 DOOR CONTROL, ER2 DOOR CONTROL)

To close the thermal neutron exposure room plug door:

Momentarily depress the "close" button on the exposure room door control panel. Motor contactor D3MC, used to operate the door in the closed direction, will operate. This contactor electrically locks itself in. The exposure room door will continue to move in a closing direction until limit switch D3C actuates, which will operate D3CX, whose normally closed contact will release motor contactor D3MC, stopping the door's movement.

NOTE: Final closure of either exposure room door involves manual operation of the door drive mechanism. This operation is described in the TRIGA Systems Manual[3].

Historic operations have shown this system to perform its function in a reliable and effective manner. The annual periodicity of the functional check is sufficient to detect deterioration of components or any off-normal behavior. The refurbished status of the equipment with identical logic diagram enhances safety and reliability of the system. In the event of a relay or switch failure, the system defaults to a conservative setting and disallows system operation.

Surveillance tests specific for the FIS are in TS 4.2.4 and are listed below.

with the lead shield doors closed.

  • Technical Specification 4.2.4.c requires "The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door."

3.5.5 Conclusion

The FIS is an effective and proven system which prevents inadvertent exposure of facility personnel. The rewiring and refurbishment of the system is performed commensurate with sound engineering practice. The fail-safe design ensures malfunction of the system does not adversely affect the safety envelope of the facility.

Figure 3-31 FIS Interlock Diagram (labels recoverable from the figure: Fast Neutron Exposure Room Door, Thermal Neutron Exposure Room Door, Door Tracks, Position 1, plug door open and close limit switches, RP1A Entering Region 1 Limit Switch, RP1B Region 1 End Stop Limit Switch)

4 Reactor Protection System

In the event of a monitored parameter exceeding a specified limit or upon operator intervention, the RPS will place and maintain the reactor in a safe, subcritical shutdown. This prevents the operation of the facility where risks such as fuel damage, release of radioactive materials, or overexposure of personnel to radiation could occur. Parameters monitored for this purpose include neutron flux, fuel temperature, coolant level, area radiation, and the release of radioactive materials. The accident analyses of Chapter 13 of the SAR discuss postulated accident scenarios and demonstrate that a complete failure of the reactor safety system coincident with the most adverse accident results in negligible radiological consequences. Given this conclusion, it is not necessary for the Reactor Protection System to be separate and independent of the Reactor Control System. Redundancy exists for the most important parameters measured in the facility including fuel temperature, neutron flux monitoring, and radiation levels.

The reactor protection system evaluates the signal from the reactor instrumentation system and may take protective action if the parameter is outside the acceptable range. The RPS is primarily housed in the Data Acquisition Cabinet (DAC), although some components (such as a manual scram switch) are located in the console. The components which make up the RPS include the NMP-1000, PA-1000 (adjacent to the DAC), NLW-1000, NP-1000, NPP-1000, and the NFT-1000. These units all evaluate their respective analog signal and may trip the reactor. There is no communication between units and the trip functionality of one does not depend on any of the others. Additionally, the units split the analog signal and provide it to analog bargraphs visible to the operator as well as a digital conversion for transmission to the main operator control screen and data archiving. The transmission of data from the GA units to the console is via Ethernet communication. The analog trip function of the units does not depend on the digital conversion capability. The neutron flux range of each instrument is shown in Figure 2. Fuel temperature is measured in the range of 0 to 1000°C. The period measurement covers the range of available periods possible.

There is no voting among the channels in order to determine if there should be a trip of the system. Any single parameter that is outside of the normal operating range will cause a trip. When a trip is initiated it may be a rod withdrawal prevent (RWP) or full scram. When a scram is initiated, magnet power is removed (and transient rod air pressure removed) and the neutron absorber rods fall into the core under the force of gravity. The shim, safety, regulating, and transient rod drive motors all drive to the bottom limit switch after a scram.

4.1 Design Criteria

Commensurate with the design of the rest of the facility, there are no single failures of any subsystem of the RPS which would prevent the greater system from functioning as expected. Each individual component will trip regardless of the status of any other module. Fail-safe design is achieved through allowing any one system to initiate protective action. There is no voting or other logic whereby communication between channels is required.

A standard criterion for the design of nuclear facilities is the application of redundancy and diversity. This practice is achieved in the AFRRI RPS by having multiple instruments measuring parameters throughout the operating range of the facility. Multiple measurements of the power level and the fuel temperature are made by independent channels. There is no possibility of systematic nonrandom concurrent failures of elements in the design as a result of the independence between the channels, various locations of detectors around the core, and fail-safe design.

There is a set of Technical Specifications [2] which dictate the operational setpoints and response requirements for the facility.

AFRRI Technical Specification 3.1.1 specifies, "The reactor steady state power level shall not exceed 1.1 MW." The Safety Analysis Report demonstrates that operations at this power do not result in overheating of the fuel clad and are within the heat removal capacity of the reactor water process system.

In the event of a scram, the SAR shows that unexpected transients which are unchecked for up to one second will not affect the integrity of the fuel. AFRRI Technical Specification 3.2.1.c specifies, "The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second."

TS 3.2.2 requires all safety systems described below to be operable for the specific mode of operation. These setpoints assure fuel integrity and the ability of the operator to manually shut down the system, prevent incorrect measurement of neutron flux, maintain low radiation levels at the pool top, assure cooling capacity, and validate continuous flow of information to the operator.

Table 4-1 TS Table 2. Minimum Reactor Safety System Scram

| Channel | Maximum Set Point | Effective Mode: Steady State | Effective Mode: Pulse |
|---|---|---|---|
| Fuel Temperature | 600°C | 2 | 2 |
| Percent Power, High Flux | 1.1 MW | 2 | 0 |
| Console Manual Scram Button | Closure switch | 1 | 1 |
| High Voltage Loss to Safety Channel | 20% Loss | 2 | 1 |
| Pulse Time | 15 seconds | 0 | 1 |
| Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3 |
| Pool Water Level | 14 feet from the top of the core | 1 | 1 |
| Watchdog (UIT and CCS) | On digital console | 1 | 1 |

a This specification has been modified and is proposed. Refer to Chapter 11 for more details.

4.2 Design Bases

Before the fuel temperature safety limit is exceeded, the fuel temperature and power level scrams provide protection to ensure that the reactor can be shut down. While the fuel temperature limit can never be exceeded, other facility parameters such as power level and period are dependent on the operating mode of the reactor. These modes can be classified as steady state and pulse modes. The power level can vary from zero through 1.1 MW in steady state mode and up to several thousand MW in pulse mode. The power level measurement is performed by at least two channels at all steady state powers. In pulse mode, the reactor power is measured by the NPP-1000 and supplemented by the fuel temperature measurement. Local indication of the power level is available on the instrument face as well as at the control console on analog bargraphs and the main operator display screens. Following shutdown, the power is exponentially decaying and approaches zero. During a postulated accident, the reactor power should never exceed the maximum pulse power and remains within the measurement capacity of the system.

In steady state mode, the period can vary between -30 seconds and +3 seconds and is measured by the NLW-1000. There are no period limitations in pulse mode. The measured reactor period is displayed on the face of the channel itself as well as on the operator console via analog bargraphs and the main operator display screen. Following shutdown, the reactor period initially goes to -30 seconds and slowly returns to zero with time. During a postulated accident, the negative temperature feedback inherent in the design of the TRIGA reactor initiates a shutdown.

Additionally, regardless of the operating mode, the fuel temperature shall never exceed 600°C. This fuel temperature is measured by three thermocouples in the reactor and three independent processing units of the NFT-1000. These channels have local indication as well as on the operator console with the analog bargraphs and operator display. Following shutdown, the fuel temperature will return to equilibrium with the bulk coolant. The rate of temperature decrease is dependent on the differential between the fuel and coolant temperatures. During a postulated accident the fuel temperature should never exceed the limitations of the NFT-1000.

To prevent incorrect measurement of the neutron flux (and by extension the reactor power), the reactor should trip on a high voltage loss of the safety channel. The high voltage is typically in the 750 V DC range. The detector voltage is maintained at the appropriate value provided the reactor system is powered on. In normal operations, high voltage is applied to the detectors regardless of facility status. During a postulated accident, there are no scenarios where the high voltage applied to neutron flux detectors would be changed. The high voltage value is displayed on the local instrument, but a low-HV trip is displayed on both the local instrument and at the control console.

The pool water ensures cooling capacity and radiation protection at the pool top. It should be no less than 14 feet from the top of the core; when the pool is completely full, the value is approximately 16 feet. The measurement is performed by a float in the reactor pool. Actuation of the pool float switch is visible from the control room or through visual inspection. The coolant level is maintained regardless of the operating state of the reactor. During a postulated accident, the coolant level should remain constant. Additional coolant water is available within the facility to provide replacement for any decrease in normal operating levels.

4.3 Subsystem Description

The Reactor Protection System (RPS) provides control of the rods and messages to the Status display in the form of scram messages, Annunciators/alarms and interlocks. Alarm messages are logged in the Annunciator Pane of the Right Side Graphics display. Interlocks also control rod movement.

The primary function of the RPS is to scram the reactor by causing the control rods to insert into the core in response to certain abnormal reactor operating conditions.

The RPS initiates a reactor scram in response to a trip being generated by one of the sensors in the scram loop, a manual scram signal from the reactor operator, or an external scram signal from other sensors connected to the scram loop. It does so by interrupting the current to the electromagnets that link the control rods to the control rod drives and by removing the air from the transient rod air solenoid valve. After a delay of about 25 msec (for the magnetic field to decay), the magnets release the control rods, which fall into the core by gravity, taking about one second to fully insert. All scram conditions are automatically indicated on the console displays. The manual scram may be used for a normal fast shutdown of the reactor. The reactor can also be scrammed by turning the magnet power key switch to the OFF or RESET positions.

The RPS is automatic and completely independent of other systems, including the power regulating system. The scram circuits and components are completely hardwired and do not in any way depend on the CSC computers or any software to perform a scram. Furthermore, the reactor I&C system and RPS are designed such that there are no means available to the reactor operator to bypass the trips so that the reactor can be operated at conditions that are beyond the limits defined by the trip set points.

The RPS has no known susceptibility to common cause failures other than as a possible result of some undefined internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence (of the safety channels) and diversity designed into the RPS provide a large measure of protection against common cause failures. However, it is important to note that even should they occur, common cause failures cannot prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets that connect the control rods and control rod drives, causing the control rods to drop into the core.

The limited actions performed by the RPS are entirely adequate to ensure that the reactor remains safe under all off-normal and accident conditions. Once initiated, the actions initiated by the RPS cannot be impaired or prevented by manual intervention, and no manual actions are necessary within a short time to supplement the RPS actions. Also, the actions initiated by the RPS are not self-resetting. The reactor operator must clear all scrams before reactor operation can be resumed.

4.3.1 Scram Loop Circuit


Figure 4-1 Scram Circuit Diagram

Figure 4-1 details the scram loop. The scram loop is powered by a +24VDC power supply which supplies current to the magnets (M). In the event of a fault, a number of switch contacts all have the capability to interrupt this current. The following contacts are part of the scram loop:

  • Manual Scram
  • Key Switch
  • NMP, HV and %PWR (Bypassed)
  • NP, HV and %PWR (with Pulse Software Bypass switch)
  • NPP, NVT, HV and %PWR
  • CCS WDT
  • UIT WDT
  • Low Pool Level
  • NFT1 Temp
  • NFT2 Temp
  • NFT3 Temp
  • External 1 (Not Used)
  • External 2 (Not Used)
  • External 3 (Not Used)
  • AC Power Loss
  • Reactor Permissive Relay
  • LATCH
  • Key Reset
  • Safety Magnet Switch
  • Shim Magnet Switch
  • Reg Magnet Switch

Technical Specification 3.2.2 applies to the reactor safety systems and outlines the minimum number of reactor safety system channels that shall be operable for the safe operation of the AFRRI reactor. The systems described in Table 4-1 outline those components central to the RPS.

The scram logic circuitry involves a set of open-on-failure (fail-safe) logic relay switches in series. Any scram signal or component failure results in a loss of magnet power and loss of air to the transient rod cylinder.

4.3.2 Functions of the Scram Loop Contacts

In the event that an unsafe or abnormal condition occurs, the reactor operator has two scram options from the control console: manual scram push button and magnet power key switch scram.

Manual Scram is a push button labeled SCRAM on the rod control panel. Pushing this button will interrupt current in both the positive and negative legs of the scram loop along with the transient rod air pressure. This is a momentary switch.

The Magnet Power Key Switch has three positions: OFF, ON, and RESET. It must be in the ON position to complete the loop and supply current to the magnets. RESET is a momentary contact. It generates a digital input to the software that is only present as long as it is activated by the operator and is used for resetting the loop via the KEY RESET relay.

When the reactor is operating, moving the console key to the off or reset position will cause a scram. It is important to note that when the key switch is in the OFF position the scram loop is mechanically broken and that this is not controlled via software.

The power level scram ensures the reactor can be shut down prior to the fuel temperature safety limit being exceeded. In the steady state mode, the two channels that perform the high flux scrams are the NP-1000 and NPP-1000. In pulse mode, only the NPP performs a high-power scram, and the NP scram contacts are temporarily bypassed.

The neutron flux detectors rely on a high voltage differential to perform their measurement function. If the high voltage drops significantly, their ability to detect neutrons is inhibited and will result in an underestimation of the neutron flux within the core. Therefore, a loss of high voltage to any of the detectors for high flux safety channels will cause a reactor scram.

NMP-1000 monitors percent reactor power and high voltage (HV) going to the detector. The NMP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power or NMP HV Low) before the reactor is scrammed. These scrams are not required and are bypassed.

NP-1000 (with Pulse Bypass switch) monitors percent reactor power and HV going to the detector. The NP has to indicate a fault (either sees Trip 1 at 110% reactor power or NP HV Low) before the reactor is scrammed. Note: This contact is bypassed during pulsing reactor operation.

NPP-1000 monitors percent reactor power, HV going to the detector and high neutron flux (NVT). The NPP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power, NPP HV Low or NVT high) before the reactor is scrammed.

The CCS and UIT watchdog timers monitor the Linux and Windows computers. If either of the computers fails to send a signal to their WDT at least once approximately every 7 seconds, the respective WDT will time out and a scram occurs.

Communication between the system components is necessary for the transmission of information to the operator. In the event of a loss of communication, a watchdog timer will initiate a scram.

Low Pool Level is set when the pool level float switch indicates that the pool level has fallen 6 inches below normal.

The reactor pool water ensures adequate radiation shielding to the reactor bay as well as cooling capacity to the reactor. In the event the coolant level drops to 14 feet above the core, a reactor scram is initiated.

NFT1 monitors the temperature for Temp 1 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 1 is above the High Trip 1, 600°C) before the reactor is scrammed.

NFT2 monitors the temperature for Temp 2 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 2 is above the High Trip 3, 600°C) before the reactor is scrammed.

NFT3 monitors the temperature for Temp 3 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 3 is above the High Trip 5, 600°C) before the reactor is scrammed.

The fuel temperature scram ensures the reactor can be shutdown prior to the fuel temperature safety limit being exceeded. In both the steady-state and pulse modes, at least two fuel temperature channels must be operable. The NFT-1000 instrument provides independent channels for each of three thermocouple inputs. Each channel has separate contacts in the scram loop. The technical specifications only require two fuel temperature measuring channels and associated scrams to be operational. The third channel provides redundancy and is an installed fully functional in-service spare.

EXTERNAL 1 is an external scram loop input for future use. It should be a switch that is normally closed. Note: This input was jumpered by GA before shipping.

EXTERNAL 2 is an external scram loop input for future use. It should be a switch that is normally closed. Note: This input was jumpered by GA before shipping.

EXTERNAL 3 is an external scram loop input for future use. It should be a switch that is normally closed. Note: This input was jumpered by GA before shipping.

Software is an input that causes a scram when commanded to do so by the CCS computer. It deactivates when communication with the hub is lost. Note that this is a redundant feature. When the hub loses communication with the computer, it will put all relays in a failsafe state, thus scramming the reactor. It also deactivates when the magnet power key switch is turned to the RESET position, thus scramming the reactor.

Scram occurs when the scram timer on the left side status display has expired.

Two types of timed scrams are available to the safety system and work within the scram logic. These are used for experiments which need a predetermined exposure time and to ensure a pulse does not create excessive energy within the fuel.

The steady-state timer causes a reactor scram after a predetermined elapsed time. This value is entered on the control console during steady-state power operations. During a run, the timer may be started and stopped by the operator.

The pulse timer causes a reactor scram when in pulse mode. The timer may be set for a duration shorter than 15 seconds. However, the console will automatically initiate a scram timeout after 15 seconds.

AC Power Loss is a scram that occurs when AC input power has been lost and the UPS is supplying power to the reactor control system.

In the course of normal operations, a UPS unit provides power to the console. The UPS is supplied by building AC power. A loss of supply to the UPS will initiate a scram; however, the console remains on. This enables monitoring of reactor conditions and allows a graceful shutdown of the console computers. The UPS will provide approximately 15 minutes of runtime. The UPS is not a safety-related item, since upon the complete loss of all power, the reactor will automatically scram and enter and remain in a safe shutdown condition. The UPS enables monitoring of reactor conditions and allows a graceful shutdown of the console computers.

Reactor Permissive Relay is an input from the FIS. If no emergency stops are active and all the facility interlocks are satisfied after a 30-second count down (TIME DELAY), the Reactor Permissive is satisfied.

To ensure personnel safety in the event of an administrative oversight, emergency stops are provided in each of the exposure rooms. Additionally, an emergency stop switch exists on the console for the operator to stop door motion and core motion. Any of these switches will initiate an immediate reactor scram and give indication to the operator on the console. Once the emergency stop has been activated, it must be cleared by turning the key switch shown in Figure 4-1 to reset.

If the emergency stop was initiated from one of the exposure rooms, the local switch must also be reset. The buttons are push-to-activate and must be manually pulled out to permit operation. Once the reset is activated, the horns in the exposure rooms will activate again with the associated time delay. This reset is required to initiate magnet power and begin inserting reactivity to the core.

Lead shield doors are provided to reduce exposure from the core in undesired portions of the facility based on the current core location. Power for door rotation is transmitted through a set of reduction gears. Each shield door is connected to a reduction gear mounted on the side of the carriage track by a vertical shaft extending from the top of each door. Full travel path takes approximately three minutes (from full shut to full open). Once in a fully opened or closed position, limit switches are used to indicate status. These are located on top of the reduction gears and are part of the facility interlock system. The lead shield doors must be fully opened before the core can be relocated. If the reactor tank shield doors are in any position other than fully open or fully closed, a reactor scram will be initiated.

The LATCH contact is designed to permanently de-energize the loop after a scram has occurred. This contact is part of K1. The loop will stay de-energized until the operator places the Magnet Power Key Switch to the Reset position.

4.3.3 Function of Relay K1

K1 is a socketed four pole, double throw (4PDT) relay. All four of its contacts are wired:

  • One contact latches the coil ON after a Key Reset (HOLD)
  • One contact indicates ALL SCRAMS CLEAR to the computer
  • One contact performs the LATCH function described earlier
  • One completes the circuit that enables the transient rod air solenoid to be activated

After the console is powered up or a scram has occurred, the coil of K1 is de-energized and all wired contacts for K1 are open. When the operator activates the Key Reset switch on the rod control panel, a digital signal is generated and read by the computer. The computer then activates the KEY RESET relay to energize the coil of K1 and all wired contacts close, assuming all scram conditions have been cleared. At this point, the coil of K1 receives power via its own HOLD contact and gets latched in the ON state.

When any of the scram loop contacts open, power to K1 is lost, and the coil is de-energized. All K1 contacts then default to the normally open position, permanently interrupting loop current until a Key Reset is initiated by the operator.
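The series loop, K1 latch, pulse bypass of the NP contact and watchdog timeout described in Sections 4.3.1 through 4.3.3 can be exercised with a small logic model. This is an added example, not part of the license amendment request or of the vendor's system, whose scram loop is hardwired and does not depend on software; the class names, contact identifiers and the exact 7.0-second timeout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WDT_TIMEOUT_S = 7.0  # page: "approximately every 7 seconds"; exact value assumed

# Contacts from the Section 4.3.1 list that can actually open the loop.
# NMP (bypassed) and External 1-3 (jumpered) are left out. True = closed.
CONTACTS = ("MANUAL_SCRAM", "KEY_SWITCH_ON", "NP", "NPP", "CCS_WDT", "UIT_WDT",
            "LOW_POOL_LEVEL", "NFT1", "NFT2", "NFT3", "AC_POWER",
            "REACTOR_PERMISSIVE")


@dataclass
class Watchdog:
    """Contact stays closed only while the monitored computer keeps kicking it."""
    last_kick: float = 0.0

    def kick(self, now: float) -> None:
        self.last_kick = now

    def closed(self, now: float) -> bool:
        return (now - self.last_kick) <= WDT_TIMEOUT_S


@dataclass
class ScramLoop:
    contacts: dict = field(default_factory=lambda: {c: True for c in CONTACTS})
    pulse_mode: bool = False
    k1_energized: bool = False  # K1 is de-energized after power-up or a scram
    ccs_wdt: Watchdog = field(default_factory=Watchdog)
    uit_wdt: Watchdog = field(default_factory=Watchdog)

    def series_closed(self) -> bool:
        """True when every contact in the series string is closed."""
        for name, closed in self.contacts.items():
            if name == "NP" and self.pulse_mode:
                continue  # NP scram contact is bypassed while pulsing
            if not closed:
                return False
        return True

    def update(self, now: float) -> None:
        """Re-evaluate the loop; K1 drops out as soon as any contact opens."""
        self.contacts["CCS_WDT"] = self.ccs_wdt.closed(now)
        self.contacts["UIT_WDT"] = self.uit_wdt.closed(now)
        if not self.series_closed():
            self.k1_energized = False  # HOLD contact opens, latch is lost

    def key_reset(self, now: float) -> bool:
        """Momentary Key Reset: K1 picks up only if all scrams are clear."""
        self.update(now)
        if self.series_closed():
            self.k1_energized = True  # coil now held through its own HOLD contact
        return self.k1_energized

    def magnet_current(self) -> bool:
        """Current reaches the magnets only through K1's LATCH contact."""
        return self.k1_energized and self.series_closed()


def demo() -> dict:
    """Walk the loop through the cases described in Sections 4.3.2-4.3.3."""
    loop, out = ScramLoop(), {}
    out["power_up"] = loop.magnet_current()            # K1 not yet latched
    out["reset_clear"] = loop.key_reset(0.0)           # all contacts closed

    loop.contacts["NFT1"] = False                      # fuel temperature trip
    loop.update(1.0)
    loop.contacts["NFT1"] = True                       # trip condition clears
    loop.update(2.0)
    out["after_trip_cleared"] = loop.magnet_current()  # not self-resetting

    loop.contacts["LOW_POOL_LEVEL"] = False
    out["reset_with_open_contact"] = loop.key_reset(3.0)
    loop.contacts["LOW_POOL_LEVEL"] = True
    loop.key_reset(3.0)

    loop.pulse_mode = True
    loop.contacts["NP"] = False
    loop.update(4.0)
    out["np_open_pulse"] = loop.magnet_current()       # bypassed in pulse mode
    loop.pulse_mode = False
    loop.update(5.0)
    out["np_open_steady"] = loop.magnet_current()      # same contact now scrams

    loop.contacts["NP"] = True
    loop.ccs_wdt.kick(5.0)
    loop.uit_wdt.kick(5.0)
    loop.key_reset(5.0)
    loop.uit_wdt.kick(11.0)                            # only the UIT keeps kicking
    loop.update(11.0)
    out["wdt_within_timeout"] = loop.magnet_current()
    loop.update(12.5)                                  # CCS silent for 7.5 s
    out["wdt_expired"] = loop.magnet_current()
    return out


if __name__ == "__main__":
    for case, current in demo().items():
        print(f"{case:26s} magnet current: {current}")
```

The model treats a Key Reset as the momentary RESET followed by the key returning to ON, and it leaves out the individual SHIM, SAF and REG magnet relays.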

4.3.4 Function of Relay K2

K2 is a socketed 4PDT relay that is energized whenever the magnet power key switch is in the ON position. It generates a signal that is used as an interlock in the FIS for satisfying the reactor permissive and shield door movement circuits.

4.3.5 Magnet Power and Digital Inputs

Three additional relays are part of the individual magnet loops: SHIM MAG, SAF MAG, and REG MAG. These solid-state relays are controlled by the computer and are designed to activate and deactivate magnet power to individual rods. The magnet power can only be activated when K1 has been successfully reset and indicates ALL SCRAMS CLEAR.

4.3.6 Ground Fault Detector

The Ground Fault Detector module monitors the loop for a ground fault. If one occurs, it will give an indication to the computer for display on the screen, but it will not trigger a scram.

4.4 Operation and Performance

The system as described meets or exceeds the needs outlined in the design criteria and bases. There are no single failures which prevent normal system operation. With no communication among individual modules, the system is designed such that any individual trip actuation will initiate a reactor shutdown. The system shows redundancy in its scram capability for both high power and high temperature readings. Multiple console scram switches are available to the operator and continuous communication is ensured through a watchdog. Any single scram will remove magnet power (and transient rod air pressure) and cause the rods to fall into the core in less than one second. The described system meets the minimum Reactor Safety System scrams as listed in Table 4-1 (which is TS Table 2). Fuel temperature in and fuel clad integrity is ensured through all operating ranges and the thermocouples are capable of measuring well beyond normal system operational ranges. The Table is repeated below and explicitly lists the instruments which are performing the required safety function to meet the Design Criteria and Bases.

TRIGA system components have proven operational reliability. Daily channel tests ensure reliable scram functions and ensure the detection of channel drift or other possible deterioration of operating characteristics for the neutron flux channels, while weekly channel tests provide reliable fuel temperature measurements. The channel checks ensure that the safety system channel scrams are operable on a daily basis or prior to an extended run. The annual fuel temperature channel and power level channel calibration will ensure that the reactor is operated within the authorized power levels.

Operational experience with the TRIGA systems demonstrates that annual calibration and weekly channel tests provides reliable fuel temperature

Table 4 Specific Instruments Performing Safety Functions

| Channel | Maximum Set Point | Effective Mode: Steady State | Effective Mode: Pulse |
|---|---|---|---|
| NFT-1000 (1 & 2) | 600°C | 2 | 2 |
| NP-1000, NPP-1000 | 1.1 MW | 2 | 0 |
| Console Scram Button | Closure Switch | 1 | 1 |
| NP-1000, NPP-1000 | 20% HV Loss | 2 | 1 |
| Console Software | 15 seconds | 0 | 1 |
| Exposure Room Switches (1 in each exposure room, 1 on console) | Closure Switch | 3 | 3 |
| Float Switch | 14 feet from the top of the core | 1 | 1 |
| Console Watchdogs | On digital console | 1 | 1 |

The surveillance requirements for the reactor safety system and fuel temperature channels detailed in TS Section 4.2.2 and 4.2.3 meet or exceed the vendor recommendations and are therefore unchanged. The specifications are listed below.

4.2.2 REACTOR SAFETY SYSTEMS

4.2.2.a A channel test of the percent power, high flux scram function of the high-flux safety channels shall be made each day that reactor operations are planned.

4.2.2.b A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.

4.2.2.c Channel calibration, including verification of the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

4.2.2.d A thermal power calibration shall be completed annually not to exceed 15 months.

4.2.2.e The emergency stop scram system shall be tested annually not to exceed 15 months.

4.2.2.f The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.

4.2.2.g The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

4.2.3 FUEL TEMPERATURE

4.2.3.a A channel check of the fuel temperature scrams shall be made each day that the reactor is to be operated.

4.2.3.b A channel calibration of the fuel temperature measuring channels shall be made annually, not to exceed 15 months.

4.2.3.c A weekly channel test shall be performed on fuel temperature measuring channels, whenever operations are planned.

4.2.3.d If a reactor scram caused by high fuel element temperature occurs, an evaluation shall be conducted to determine whether the fuel element temperature exceeded the safety limit.

4.5 Conclusion

The design function of the Reactor Protection System is to prevent the fuel temperature limitations of the TRIGA fuel from being exceeded by limiting reactor power, operational modes, and verifying other facility parameters. The previously licensed criteria listed in the Technical Specifications are met in this License Amendment Request. Diverse parameter indication and measurement ensures no single point failure and the facility operation is not inimical to public health and safety.

5 Engineered Safety Features Actuation Systems

The AFRRI facility does not have any Engineered Safety Features, therefore there is no Engineered Safety Feature (ESF) Actuation System.

6 Control Console and Display Instruments

The Control System Console (CSC), where the operator conducts all licensed reactor operations, consists of two physically distinct sections: the reactor instrumentation and control console and the auxiliary console. The auxiliary console is not altered or changed in this license amendment request and is not discussed further.

The CSC contains the computers (UIT and CCS), monitors, control panels, modularized drawers, indicators, meters and recorders to present the data to the operator in meaningful engineering units.

The CSC Operator Interface provides the necessary controls and interfaces for the operator to safely start up, manipulate reactor parameters, monitor the various operating parameters in its various modes of operation, and safely shut down the reactor. See Figure 6-1 for a block diagram of the console.

Figure 6-1 Control System Console (CSC) Block Diagram

Access to the computer systems is controlled by a user ID/password scheme, administrative and physical controls regarding personnel access, and restraints on personnel with access to the physical reactor key. Access control is discussed further in Section 8.

6.1 Design Criteria

Outside of the common power source for the console, there are no single failures in the design of the reactor instrumentation and control system. Loss of any one screen or component on the control console does not propagate toward inhibiting the protective function of the RPS. Additionally, the control console is designed to fail-safe, therefore any failure will result in the reactor entering into a safe shutdown. There are no protective functions as required by the minimum number of nuclear instruments that also rely on the operation of the control console. The watchdog timer ensures the information presented to the operator is current and active. In the event of a watchdog failure or any other malfunction of the control console, the operation of the individual reactor monitoring modules is not affected.

Redundancy and diversity are achieved in the control console by having a diverse set of important parameter indications on the console itself. These include analog bargraphs, chart recorders, and the digital screen. Should any parameter's trustworthiness be called into question, it may be validated by crosschecking the displays.

6.2 Design Bases

The control console collects the data communicated by facility sensors and presents that data to the operator. These parameters range from startup through pulse range. Additionally, the control console aids the operator in testing the functionality of the system and performing startup testing.

As a generally accepted state-of-the-art practice, prior to each day's operation, each of the scram functionalities required by the Technical Specification is tested.

There are two operational modes (automatic and manual). Additionally, on the control console, there is a startup test mode and an administrative mode. The startup test mode allows the operator to cycle through the required checks prior to operation. The administrative mode allows approved facility personnel to perform more advanced testing of the system beyond normal.

The Reactor I&C system is designed to operate in the conditions listed below and is therefore capable of performing its functions under all anticipated conditions [3].

  • Operating temperature range: 10°C to 40°C
  • Operating voltage: 120 VAC +/- 10% 50/60 Hz
  • Relative humidity: 10% to 90% non-condensing
  • Pressure: atmospheric
  • CSC computers, monitor mountings, and DAC cabinet are designed to meet the requirements for Seismic Qualification Performance Category 2.

The CSC's only support requirement is building power. The main electrical supply is fed through a UPS unit which regulates the power. In the event of a loss of offsite power, the reactor safety system will initiate a scram and the UPS will allow for orderly shutdown of the CSC. Primary safety functions (fuel temperature and reactor power scrams) are not dependent on the CSC as these are housed in the DAC and will continue to provide all safety functions in the event of a CSC failure.

6.3 Subsystem Description

The following sections describe the layout of the CSC and basic design considerations. The CSC contains the components required for the operator to control and monitor the reactor and the auxiliary systems. This includes the Console Computer System (CCS) and User Interface Terminal (UIT), the Rod Control Panel and the Bargraph/Recorder Panel. Recording and playback capabilities are provided by the computers for diagnostic and administrative purposes.

The following equipment is mounted in the Control System Console.

  • Computer Equipment
      o Left Side Status Display (UIT)
      o Right Side Graphics Display (UIT)
      o Keyboard/mouse
      o Printer

    NOTE: An Ethernet network is used to connect the DAC (including instruments), CCS, and UIT components. This network is air gapped from all other networks including the internet.

  • The CCS ( ) and UIT ( ) computers are industrial grade computers. The specifications for each computer are detailed in TRIGA Reactor Instrumentation and Control System - Operation and Maintenance Manual Document T3A100B7911-1OM [3].
  • Bargraph/Recorder Panel:
      o Bargraphs
      o Digital chart recorders
  • Rod Control Panel
      o Magnet Power ON/OFF keyswitch
      o FIRE Button (Transient Rod)
      o Control rod drive MAGNET/UP/DOWN control buttons and AIR/UP/DOWN for Transient Rod
      o Manual SCRAM button
      o ACKNOWLEDGE button
  • Reactor Mode Control Panel
      o Core Position (2 switches with lights, 1 indicator and digital display)
      o Door Position (3 switches with lights)
      o Indicators (3 lights)
      o Pulse Detector Select Switches with lights
      o Lamp Test switch
      o Emergency Stop switch and light
      o Control System Instrument Power Switch with light
      o Watchdog Timer status lights (CCS and UIT)
      o SCRAM and Interlock Test 1 Rotary Test Switch
      o SCRAM and Interlock Test 2 Rotary Test Switch
  • Console Power Supply Drawer
  • Console Digital Input Drawer
  • Console Utility Drawer
  • Core Movement Foot Pedals

The updated values of operating parameters and the status of systems and equipment are displayed on the main control console and other display instruments systems and equipment. Additionally, the rod movement and system mode are selected on the control console. These displays show important information to the operator including alarms and trip information from the Reactor Protection System (RPS). The control console and display instruments have been designed to collect and display operating information that is readily observed and interpreted by the operator through the diverse and complete presentation of information. The most important facility parameters such as neutron flux and fuel temperature are presented in various forms (bargraphs, trended displays, and numerical values) using independent mechanisms. Additionally, the human machine interface is presented such that a minimal number of clicks are necessary for display navigation. Important manual control inputs such as rod pushbuttons and switches are given an independent physical panel through which they can be activated. Testing units are also given a physical location on the console to facilitate operator use.

There are two high-resolution display screens on the CSC Console where important information has been grouped by type to streamline information flow from the system to the operator. Examples of this grouping include:

  • Left Side Display
      o Status
      o Scrams
      o Warnings
      o Mode Selection
      o Interlocks
  • Right Side Display
      o Reactor displays (2) for normal operation, which includes independent graphical and numerical control rod position indications
      o Prestart tests
      o Pulse Display
      o Administration (available only to logged in administrators)
      o Test Functions

Given this collection of information, the operator may read and evaluate system performance and take prompt and accurate steps to supply control inputs on which the Reactor Control System (RCS) can act. The system is combined and integrated in a way to readily aid the operator in controlling operation of the reactor. With the left side display showing the scram status, as well as any operational warnings or interlocks, the operator has an accurate picture of the facility status.

Additionally, reactor operations and status are available on the right side display. This separation of binary information (alarm or no alarm; interlock or no interlock) in conjunction with trended information allows the operator to identify if the system is trending toward an operational limit and determine when that limit may be exceeded.

6.3.1 Left Side Status Display

The Left Side Status Display screen is used to display operating information about the reactor.

There are five display panes:

1) STATUS
2) SCRAM
3) WARNINGS
4) MODE SELECTION
5) INTERLOCKS

The screen shot for the Left Side Status Display is shown in Figure 6-2.

Figure 6-2 Left Side Status Display

6.3.1.1 STATUS Pane

The STATUS pane presents current information about the status of the system including power readings, period, temperatures and pool level. The core position and shielding door positions are also displayed. Also, the remote/local state of each channel is displayed. During a pulsing operation, an additional Inhibited field will be shown for the NLW and NMP and an additional Bypassed field will be shown for the NP. These fields are displayed to the right of the remote/local field. These fields are shown to indicate when the devices are inhibited or bypassed during a pulsing operation.

6.3.1.2 SCRAM Pane

The SCRAM pane displays scram conditions. If a scram were to occur in the reactor, an operator would reference the Status Display to quickly identify the cause of the scram. The SCRAM pane also provides buttons to conduct operational tests of the scram system. For the buttons to be enabled, a check box which reads "Enable Scram Tests" must be selected.

NOTE: All scram/alarm messages displayed on the SCRAM and WARNINGS panes are first displayed on the left STATUS display, as opposed to the information panes on the graphic display.

6.3.1.3 WARNINGS Pane

The WARNINGS pane displays warnings of which the operator should be aware. An alarm disable checkbox is provided for each warning. If the checkbox is not checked and a trip occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box will be displayed for the warning. If the checkbox is checked and a trip occurs, the yellow box will still be displayed for the warning, but the horn will not sound and an ANNUNCIATOR Pane message will not be displayed. The primary purpose of this audible inhibit functionality is to minimize distractions during system setup and testing or prolonged warning situations. By default, alarm disable checkboxes are provided but not used by the software for:

  • NMP %Pwr 1
  • NMP %Pwr 2
  • NP %Pwr 1
  • NP HV Low
  • NPP %Pwr 1
  • NPP HV Low
  • NFT1 Hi T1
  • NFT2 Hi T3
  • NFT3 Hi T5

For these warnings, the horn will always sound and an ANNUNCIATOR Pane message will always be displayed.

6.3.1.4 MODE SELECTION Pane

The MODE SELECTION pane allows the operator to select the mode in which to operate the reactor. These modes are:

1) Manual Mode (Steady-state)
2) Automatic Mode (AUTO)
3) Square Wave
4) Pulse.

This pane also contains a text box and a button that allows the operator to enter the demand power setting. Once set, Demand is selected for the input power (in Watts); this will update the Demand Power as shown on the upper left corner of the Reactor Display. When the demand power setting is selected and the reactor is in Automatic Mode, those rods selected in the banked movement will adjust their position to insert or remove reactivity to maintain power at the demand setting.

The MODE SELECTION pane also contains text boxes with checkboxes that allow the operator to manually select NMP Range and to indicate the current range selection for the NMP. As an automatic ranging device, in normal operations, the NMP would change its scale based on the reactor power. By manually selecting a range, the operator will prevent that action by the NMP. If the power continues to rise and the NMP reaches 110% of its selected scale, it will initiate a warning. The NMP is an operational channel and is not credited in the minimum reactor safety system scrams.

This pane also allows the operator to set timed actuations. The Set Pulse Time button allows the operator to set the length of time before an automatic scram after a reactor pulse. The time is entered into a text box and actuated with a button. The reactor power pulse is a function of core physics and typically lasts a few hundred milliseconds. Normally, the operator will manually scram the reactor after a few seconds, but as required by the Technical Specifications, the system will automatically scram if the Set Pulse Time limit is reached. The Set Scram Time button is used to set the time of a scram from steady-state mode. There are buttons to start, stop, and reset this timer. It may be directed to count up or count down.

6.3.1.5 INTERLOCKS Pane

The INTERLOCKS pane displays interlock conditions. An alarm disable checkbox is provided for each interlock. If the checkbox is not checked and an interlock occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box for the interlock will be displayed. If the checkbox is checked and a trip occurs, the yellow box will be displayed for the interlock. The horn will not sound and an ANNUNCIATOR Pane message will not be displayed.

6.3.2 Right Side Graphics Display

While the Status Display shows the current facility mode and operational settings, the Right Side Graphics Display is the primary means by which the operator monitors and controls the reactor.

Where the Status Display is divided into several different panes, all of which are simultaneously visible, the Graphics Display has six different screens which must be selected to be visible to the operator. Figure 6-3 through Figure 6-9 show typical screens for the Graphics Display. The six tabs are as follows:

1) Reactor Display #1 for normal reactor operation
2) Reactor Display #2 for normal reactor operation
3) Reactor Prestart Tests (available only if magnet power is not applied to the control rods)
4) Pulse Display (available only for reactor with pulsing capability)
5) Administration (available only when a system administrator is logged in)
6) Test Functions (for system administrator use only)

At the top of the graphic display, regardless of the display tab selected, the system menu bar displays the following menu items:

1) RUN: Exit to Windows or Restart UIT.
2) OPERATOR: Provides the ability to log in, log out, and display selected operator statistics.
3) HISTORY: System must be scrammed, then starts the execution of the history playback program.
4) DISPLAY: Refreshes the graphics displays (this option is rarely used).

6.3.2.1 System Status, Annunciator, and Site/Operator

The three information panes immediately below the display menu bar are always present: System Status, Annunciator, and the Site/Operator.

The System Status box in the upper left corner of the reactor display will always show the following information:

1) Date and Time
2) Mode
3) Reboot Time
4) Demand Power Level

The reboot time is the time since the reactor console was last turned on.

The Annunciator box in the upper middle will display interlock, warning and/or scram messages.

The message will be displayed until acknowledged using the ACKNOWLEDGE button on the Rod Control Panel. Several messages may be queued and waiting for acknowledgement. The border on the right-hand side of the Annunciator box will consist of a single line if there is only one message and will consist of two lines if more than one message is in the annunciator queue.

Scrams are automatically moved to the front of the queue. All other messages are stacked in the order of occurrence (oldest to newest). These stacked messages will display in order as the messages are acknowledged. During routine operations and with no scrams, alarms, or warnings active, this panel will be empty and black which is a simple visual check for the operator.
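The alarm-disable rules of the WARNINGS and INTERLOCKS panes and the Annunciator queue ordering described above, modelled as an added Python example (not code from this license amendment request or from the vendor's software). The class and method names, the constructed alarm names, and the rule that several scrams keep their order of occurrence among themselves are assumptions; the page does not describe the horn on a scram, so that is not modelled.

```python
from dataclasses import dataclass, field

# Warnings whose alarm-disable checkbox is shown but, per the page, not used
# by the software: horn and annunciator message are always produced.
ALWAYS_ANNUNCIATED = frozenset({
    "NMP %Pwr 1", "NMP %Pwr 2", "NP %Pwr 1", "NP HV Low",
    "NPP %Pwr 1", "NPP HV Low", "NFT1 Hi T1", "NFT2 Hi T3", "NFT3 Hi T5",
})

SCRAM, WARNING, INTERLOCK = "scram", "warning", "interlock"


@dataclass(frozen=True)
class Message:
    kind: str
    name: str


@dataclass
class Console:
    """Hypothetical model of the panes; names are illustrative only."""
    alarm_disabled: set = field(default_factory=set)  # ticked checkboxes
    yellow_boxes: set = field(default_factory=set)    # shown on the panes
    queue: list = field(default_factory=list)         # annunciator queue
    horn_soundings: int = 0
    silenced: list = field(default_factory=list)      # trips with no horn

    def set_alarm_disable(self, name, checked):
        if checked:
            self.alarm_disabled.add(name)
        else:
            self.alarm_disabled.discard(name)

    def trip(self, kind, name):
        """Raise a warning or interlock; returns the audible/visible effects."""
        if kind not in (WARNING, INTERLOCK):
            raise ValueError("use scram() for scrams")
        self.yellow_boxes.add(name)  # the yellow box is shown in every case
        honoured = name in self.alarm_disabled and not (
            kind == WARNING and name in ALWAYS_ANNUNCIATED)
        if honoured:
            # Kept so a reviewer can list trips the operator never heard.
            self.silenced.append(Message(kind, name))
            return {"horn": False, "annunciated": False}
        self.horn_soundings += 1
        self.queue.append(Message(kind, name))  # stacked oldest to newest
        return {"horn": True, "annunciated": True}

    def scram(self, name):
        """Scrams go to the front of the queue, behind earlier scrams
        (the ordering among scrams is an assumption)."""
        n_scrams = sum(1 for m in self.queue if m.kind == SCRAM)
        self.queue.insert(n_scrams, Message(SCRAM, name))

    def acknowledge(self):
        """ACKNOWLEDGE button: clears the top message, if there is one."""
        return self.queue.pop(0) if self.queue else None

    def border_lines(self):
        """0 = empty black panel, 1 = one message, 2 = more than one."""
        return min(len(self.queue), 2)


if __name__ == "__main__":
    c = Console()
    c.set_alarm_disable("Constructed Warning X", True)  # constructed name
    c.set_alarm_disable("NP HV Low", True)              # checkbox is ignored
    print(c.trip(WARNING, "Constructed Warning X"))
    print(c.trip(WARNING, "NP HV Low"))
    c.scram("Constructed Scram A")                      # constructed name
    print([m.name for m in c.queue], c.border_lines())
    print("tripped without horn:", [m.name for m in c.silenced])
```

The `silenced` list is the part a reviewer would care about: it records every trip that produced only a yellow box, which is the condition the audible inhibit creates.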

The Site/Operator box in the upper right section displays system site name (AFRRI TRIGA Reactor), user login, login time, system version information and total megawatt-hours produced by the current core loading.

During reactor operation (non-scrammed mode), there are two display tabs (Reactor Display #1 and Reactor Display #2) that provide two separate views of the reactor's operation. The screen shot for the Reactor Display #1 is shown in Figure 6-3.

6.3.2.2 Reactor Display #1

On the left side of the Reactor Display #1 there are scales for the following:

LINEAR POWER: This bargraph shows the current reactor power level in watts on a linear scale. This information is obtained from the NMP-1000 Nuclear Multi-range Power Channel.

LOG POWER: This bargraph shows the current reactor power level as a percentage of maximum power, on a logarithmic scale. This information is obtained from the NLW-1000 nuclear channel.

NP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NP-1000 which is independent of the NPP-1000. This channel is denoted as Safety Channel 1.

NPP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NPP-1000 which is independent of the NP-1000. This channel is denoted as Safety Channel 2.

Figure 6-3 Right Side Graphics Display - Reactor Display #1

The central portion of Reactor Display #1 shows a graphical representation of the reactor cross section with information about the status of the control rods. For the shim rod, the safety rod and the regulator rod, the small square box at the top of the control rod indicates the status of the control rod magnet power. For the transient rod, the small square box at the top of the control rod indicates the status of the air. The operator is able to quickly understand if a control rod is at its lower limit, the status of the magnet or air, the height of the control rods, and the measured drop time (if a drop is initiated from full height). When the magnet or air is activated, a representative box changes from black to yellow. Additionally, when the control rod bottom limit switch is not activated, the control rod color changes from black to green. Therefore, anytime the control rod is off the bottom of its travel path, the box should be yellow and the rod green. Once the control rod has been lifted to its upper limit and activated the control rod upper limit switch, the control rod color will turn magenta.

Above each control rod position in the display, the individual control rod drop times are displayed.

Below each control rod position in the display is a small box that indicates the current position of the control rod drive mechanism. The scale for the position readout ranges from 0 to 999. The position is 0 if the control rod drive is all the way down and the position is 999 if the control rod drive is all the way up. If the control rod is all the way down and the magnets are energized, its color will be gray. When the control rod down limit switch is activated, the position indicator is forced to zero units. If it is all the way up (and the control rod up limit switch is actuated), the color will be magenta and the position indicator is forced to 999 units. The control rod color will be green between the magnet and the bottom of the control rod when positioned anywhere between fully down or fully up.

At the bottom of the graphical display screen, several rectangles representing the physical rod control buttons on the Rod Control Panel are displayed. When a button is pressed on the Rod Control Panel, the system will highlight the button on the graphics display. This portion is particularly useful in automatic mode, for when a control rod drive is in motion, as dictated by the automatic control PID algorithm, the operator is able to verify proper control rod movement.

The ACKNOWLEDGE button on the Rod Control Panel provides a method to acknowledge trips, scrams, warnings, etc. that are displayed on the Annunciator Pane of the main graphics window.

Pressing the ACKNOWLEDGE button will clear the top message in the annunciator window.

The SCRAM button on the rod control panel is hard-wired directly into the system scram loop (i.e., this signal is not processed by software, but status is provided to the software so the program can determine when the operator presses the SCRAM button). The SCRAM box indicates when the operator presses this SCRAM button.

On the right side of the Reactor Display #1 there are scales for the following:

PERIOD: This bargraph shows the rate of change of the reactor power although somewhat indirectly. Period is inversely proportional to the rate of change. If reactor power is steady, the rate of change is equal to zero and the period is infinity. The greater the rate of change becomes, the less the period becomes. This information is obtained from the NLW channel.

NFT1 TEMP: This bargraph shows the NFT1 fuel temperature in °C on a linear scale. This information is obtained from the NFT channel.

NFT2 TEMP: This bargraph shows the NFT2 fuel temperature in °C on a linear scale. This information is obtained from the NFT channel.

POOL TEMP: This bargraph shows the pool temperature in °C on a linear scale. This information is obtained from pool temperature RTD.

The bottom left section of Reactor Display #1 shows the core position in the reactor pool. Because the AFRRI Reactor features a movable reactor core, this provides additional information to the operator and may be verified through visual inspection. This simple graphic has indication of the lateral location of the core, as well as the shield door position and the exposure room door positions.

6.3.2.3 Reactor Display #2

The second reactor display shows the same bargraphs as Reactor Display #1 but the central portion of the screen is replaced with a strip recorder display with the four parameters: linear power, log power, period, and coolant temperatures. The screen shot for the Reactor Display #2 is shown in Figure 6-4.

Figure 6-4 Right Side Graphics Display - Reactor Display #2

6.3.2.4 Prestart Tests Display

When the reactor is scrammed and magnet power is not applied, the graphics display will include two additional tabs: Reactor Prestarts Tests and Pulse Display. When the operator presses the Prestarts tab on the Graphics display, the system shows the prestart tests that are available.

NOTE: This prestart mode is not available when conducting operational (manual) prestart tests from the Status Display using the Test Enable function, which requires that magnet power be applied to withdraw the control rods. While magnet power is applied, the Prestart Tests tab will not be displayed. The screen shot for the Reactor Prestart Tests is shown in Figure 6-5.

Figure 6-5 Reactor Prestart Tests Display

This Prestart Tests tab is used for the software generated prestart tests, and is not available when the reactor is operating. While running these prestart tests, the remaining tabs are disabled. A RUN button is provided to start the prestart tests. As each prestart test is completed, Passed or Failed will be displayed (along with a reason for a failure if the test fails). If a particular test fails, then the user must press the DONE or CONTINUE button on the display (using the mouse). Pressing the DONE button aborts the testing process. Pressing CONTINUE causes the system to continue with the next prestart test in the sequence. At the end of all the tests, pressing DONE clears the prestart and returns control to the main reactor display tab. At any time while the system is waiting for the operator to press the CONTINUE or DONE button, the operator can press the PRINT button to send a copy of the prestart report to the system printer.

On the right side of the display, buttons are provided to run each of the prestart tests individually.

A Test Off button is provided to stop the tests.

The available prestart tests include:

1) NMP: Low Current, High Current, High Voltage (Low), Low Count
2) NLW: Low Current, High Current, High Count, High Voltage (Low), Period
3) Watchdog: CCS Watch, UIT Watch
4) NP: Ramp, High Power, High Voltage (Low)
5) NPP: Ramp, High Power, High Voltage (Low)
6) NFT: 1 Low Temp, 1 High Temp, 2 Low Temp, 2 High Temp, 3 Low Temp, 3 High Temp

6.3.2.5 Pulse Display

The Pulse Display tab is automatically displayed after a successful pulse operation. It will display the results of the last pulse in graphic form. The pulse data file, stored on the computer as a CSV formatted file, will have the date, time, width at half power, pulse time, number of entries, period, total energy, peak pulse power, peak fuel temperature, and the pulse reactivity. The user can scroll horizontally along the time of the pulse and can scale the y-axis of the selected parameter. Prior pulses may be loaded for viewing when the reactor is in a non-operational mode. A screen shot for the Pulse Display with data is shown in Figure 6-6.

Figure 6-6 Pulse Display (with data)

6.3.2.6 Administration Display

When an operator is logged in as a system administrator and the system is scrammed, the Administration tab will be added to the display tab list. The screen shot for the Administration Display is shown in Figure 6-7.

This screen displays all the operators by name and operator number, as well as their logged in times, magnet on time (their run times/time spent in an operational mode), and their cumulative Megawatt (MW) Hours (operator time when reactor produced MW). This information is kept in plain text form on the CCS LINUX machine as well, so that a system administrator can reset values to zero by editing this file (or resetting all statistics by deleting the file). This is a useful feature for when a new reactor operator requalification cycle starts.

Figure 6-7 Administration Display

6.3.2.7 Test Functions Display

When an operator is logged in as a system administrator and the system is scrammed, the Tests Functions tab will be added to the display tab list. The screen shot for the Test Functions Display is shown in Figure 6-8.

The test display is intended for diagnostic, testing, and informative purposes. There are four major sections: Digital Outputs, Digital Inputs, Analog Outputs and Analog Inputs.

In the Digital Outputs section, there is a checkbox on many buttons on the test screen. Checking one of these checkboxes will turn on that particular output; clearing the checkbox will turn off that particular output. However, the test functions only work while in scrammed mode; therefore, attempting to turn on the magnet power outputs will not actually supply power to the magnets since the hardwired scram loop prevents that from occurring. When checking one of the magnet power output checkboxes, the system will write the output to the hardware port (on the board), and the user can verify that the output is present by the corresponding LED on that board and magnet power is cut off after that point. Note that the transient rod is controlled by digital outputs which are located in this section. You can move the cylinder up and down using the test functions, but you cannot fire the rod from the test screen. Many other buttons are provided to initiate the test modes and trip reset for all of the channels.

In the Digital Inputs section, the input data is displayed in two forms. First, all of the digital inputs are displayed in a binary string (ones and zeros) with each bit of that string corresponding to one of the hardware inputs (0=off, 1=on). Second, the test display also shows the digital inputs using signal names. The name is white text when the signal is zero (off), and red text when the signal is one (on). Also, the trips, Local/Remote status, Comm status and range (NMP Only) are shown as signal names. The name is blue text when the signal is zero (off), and red text when the signal is one (on).

In the analog outputs (rod control) section, the Tests Functions provides text edit boxes into which the operator can type a value between -10.0 and +10.0. This voltage is written to the corresponding D/A converter that drives the regulating, shim, safety and transient rod control drives. Note that because both magnet power and air pressure cannot be applied in scrammed mode, only the control rod drives and magnets will move and not the actual control rods.

In the analog inputs section, the Tests Functions displays the raw 16-bit numeric value and the converted value for each of the analog inputs.
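One way to check a Test Functions analog-output request before it reaches the D/A converter, and to render the digital-input string with the colours described above, as an added Python example (not the vendor's code). The function names, the accepted text format, the constructed signal names and the mapping of the first character of the string to the first signal name are assumptions.

```python
import re

ROD_DRIVES = ("regulating", "shim", "safety", "transient")  # named on the page
V_MIN, V_MAX = -10.0, 10.0                                   # range on the page

# Assumption: the text box accepts only a plain ASCII decimal. float() alone
# would also accept "nan", "inf", "1e1", "1_0", padded strings and non-ASCII
# digits, and NaN slips through a range check written as `v < lo or v > hi`.
_DECIMAL = re.compile(r"[+-]?[0-9]{1,2}(?:\.[0-9]{1,3})?")


class Rejected(ValueError):
    """The request must not be written to the hardware."""


def parse_volts(text):
    """Strictly parse the text-box content into a voltage within range."""
    if not isinstance(text, str) or not _DECIMAL.fullmatch(text):
        raise Rejected(f"not a plain decimal: {text!r}")
    volts = float(text)
    if not V_MIN <= volts <= V_MAX:
        raise Rejected(f"{volts} V is outside {V_MIN}..{V_MAX} V")
    return volts


def request_analog_output(drive, text, *, scrammed, admin_logged_in):
    """Return (drive, volts) only when every precondition on the page holds."""
    if not admin_logged_in:
        raise Rejected("Test Functions requires a system administrator login")
    if not scrammed:
        raise Rejected("Test Functions only work in scrammed mode")
    if drive not in ROD_DRIVES:
        raise Rejected(f"unknown rod drive: {drive!r}")
    return drive, parse_volts(text)


def render_digital_inputs(bits, names, status_names=()):
    """Pair each bit with its signal name and display colour.

    Names in status_names (trips, Local/Remote, Comm, range) are blue when
    off; all other names are white when off; every name is red when on.
    """
    if len(bits) != len(names) or set(bits) - {"0", "1"}:
        raise Rejected("bit string does not match the signal list")
    rows = []
    for bit, name in zip(bits, names):
        on = bit == "1"
        off_colour = "blue" if name in status_names else "white"
        rows.append((name, on, "red" if on else off_colour))
    return rows


if __name__ == "__main__":
    print(request_analog_output("shim", "-2.5",
                                scrammed=True, admin_logged_in=True))
    # Constructed signal names, for illustration only.
    print(render_digital_inputs("101", ["IN_A", "IN_B", "TRIP_C"],
                                status_names={"TRIP_C"}))
    for bad in ("nan", "1e1", "10.001"):
        try:
            parse_volts(bad)
        except Rejected as exc:
            print("rejected:", exc)
```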

6.3.2.8 Data Recording and Playback

The system captures all events written to the UIT displays and records them to a file on the UIT computer for future playback. These filenames are coded so a reactor administrator or operator can locate the run history for a particular reactor run and playback those files. The screen shot for the Playback Display is shown in Figure 6-9.

Figure 6-9 Playback Display

6.3.3 Reactor Mode Control Panel

The Reactor Mode Control Panel is a physical panel located in the right side of the console. This panel contains the status indicators for Core Position, Door Position, Indicators, Pulse, Test, Stop, Instrument Power ON, Watchdog timers for the CCS and UIT computers and two rotary test switches. Refer to Figure 6-10 for a layout of the Reactor Mode Control Panel.

Figure 6-10 Reactor Control Mode Panel

The Reactor Mode Control Panel provides status of the core position. Two switches with backlights, an indicator and a digital readout indicate core position. The two switches, Region 1 and Region 3, can be used to move the reactor core. Backlights will be illuminated when the door limit switch is activated. Foot pedals can also be used to move the reactor core. The Region 2 indicator will be lit whenever the core is not in Region 1 or Region 3. Also, there is a digital readout for the core position. Refer to Figure 6-11 below for a drawing of the core regions and the associated digital readout values.

Figure 6-11 Core Support Carriage Regions (Digital Indicator position marked at 250, 300, 500, 700 and 750)

Status of lead door positions is also given on the Reactor Mode Control Panel. Three door position switches with backlights are provided: Lead Door Open, Lead Door Stop and Lead Door Close. The switches can be used to open, stop and close the lead door. When the switch is active, the backlight is illuminated.

Three other indicators are provided: Reactor Operate, Time Delay and Exposure Room Open. The Reactor Operate indicator is illuminated when the reactor permissive has been satisfied and magnet power can be applied. The Time Delay indicator is illuminated while the reactor permissive 30 second delay is active. The Exposure Room Open indicator is used to indicate that either of the Exposure Room doors is open.

The Pulse Detector button selects which type of detector is connected to the NPP-1000 instrument.

In steady-state operation, a fission chamber detector is connected to the NPP-1000 and none of the button lights are lit. In pulse mode, the detector selection is performed per the following:

1) Pushing the detector select button once selects detector 1 (uncompensated ion chamber detector) and the Detector 1 backlight will illuminate, or
2) Pushing the detector select button again selects detector 2 (Cerenkov detector) for pulsed reactor operation and the Detector 2 backlight will illuminate.

A Lamp Test button is provided to test the lamps on the Reactor Mode Control Panel. The Lamp Test button itself does not light up.

An Emergency Stop button is provided to scram the reactor in an emergency. It ties in with the Facility Interlock System (FIS) and upon pressing it, deactivates the reactor permissive relay that is an input to the scram loop. The Emergency Stop is a latching switch; the first push activates, the second push deactivates.

An Instrument Power ON button and indicator light are provided. The instrument power on switch has a backlight that will be illuminated when console power is on. Pushing the button activates or deactivates power from the UPS. Because the UPS input is heavily filtered to protect against spurious inputs, the UPS turn on or shutdown occurs 2 to 3 seconds after the button has been pushed.

Watchdog timer lights are provided for both the CCS and UIT to indicate when a watchdog timer timeout has occurred.

SCRAM and Interlock Test #1 Rotary Switch is used to select the test. A test button is used to run the test. The rotary test switches are independent of each other and may be activated simultaneously so that the system will respond accordingly as if both events actually occurred.

The following tests are provided for selection on the Test #1 switch:

1) NLW: 1 KW, Period, NLW HV Lo
2) NMP: NMP HV Lo, NMP Pwr Hi, Low Source
3) NP: NP HV Lo, NP Pwr Hi
4) NPP: NPP HV Lo, NPP Pwr Hi

SCRAM and Interlock Test #2 Rotary Switch is used to select the test. A test button is used to run the test.

The following tests are provided for selection on the Test #2 switch:

1) Watchdogs: CCS WDT, UIT WDT
2) Pool Level: Pool Lo
3) NFT Temperatures: FT 1, FT 2, FT 3
4) Pool Temperature: Pool Temp

6.3.4 Rod Control Panel

Beneath the right-side display and the UIT computer is the physical Rod Control Panel. This panel is used to control the control rod drives manually, apply magnet power, fire the transient rod, scram the system and acknowledge messages in the Annunciator Pane of the Right Side Graphics display.

The Rod Control Panel is shown in Figure 6-12.

[Figure 6-12: Rod Control Panel]

In the upper left corner is the MAGNET POWER key switch. The key switch has three positions: OFF (maintained), ON (maintained) and RESET (momentary). If the switch is OFF, then all power is removed from the rod magnets. The ON position is wired in with the scram loop. The switch has to be in the ON position to complete the loop. The switch is momentarily turned to the RESET position to initiate the time delay in the FIS prior to activating the reactor permissive relay (ROX).

After the time delay, and if the ROX and the rest of the scram loop inputs are satisfied, the switch is momentarily turned to the RESET position again to apply magnet power. The switch will remain in the ON position during reactor operation. If at any time during reactor operation the switch is turned to the RESET position, the reactor will scram. Turning the key switch to RESET is also the only way to remotely reset trips on the nuclear instruments in the DAC, assuming the condition has cleared.

In the bottom left corner is the FIRE button. When all conditions to fire the transient rod are met, pushing the FIRE button will apply air pressure to the transient rod for pulsed reactor operation.

In the middle of the panel is the Rod Control section which includes the AIR button, MAGNET buttons, UP buttons and DOWN buttons. The AIR button is used to remove air from the transient rod. The MAGNET buttons are used to remove the magnet power for the shim, safety and regulating rods. Pressing the MAGNET button turns off magnet power and therefore drops the control rod into the reactor core. Pressing the UP or DOWN button moves the control rod manually.

In the upper right corner is the reactor SCRAM switch. It is hardwired into the scram loop. If this button is depressed, the switch breaks the scram loop in both the positive and negative legs, and all rods will drop to shut down the reactor.

The ACKNOWLEDGE button is used to acknowledge messages in the Annunciator Pane of the right side display. It generates a digital input to the CCS computer to indicate an operator has acknowledged a visual or audible alert.

6.3.5 Bargraphs and Recorder Panel

The Bargraph/Recorder Panel is located on the left side of the console and contains the bargraphs and digital chart recorders. The Bargraph/Recorder Panel is shown in Figure 6-13.

[Figure 6-13: Bargraphs and Recorder Panel]

6.3.5.1 Bargraphs

The bargraphs are analog signals that are hardwired to the nuclear instrument modules and are fully independent from the console software. The input to the NPP NV Peak bargraph is wired to one of the solid state relays on the utility drawer. The relay is controlled by the CCS computer and active only during pulsed reactor operation. During steady-state reactor operation, the input to the bargraph is disconnected. This is done because the NPP peak detect circuit produces an output at all times but only needs to be displayed while the reactor is pulsed. The panel includes nine bargraphs:

1) Safety 1 (%) (NP)
2) Safety 2 (%) (NPP)
3) Log Power (%) (NLW)
4) Period (sec) (NLW)
5) Fuel Temp 1 (ºC) (NFT)
6) Fuel Temp 2 (ºC) (NFT)
7) Fuel Temp 3 (ºC) (NFT)
8) NVT (MW sec) (NPP)
9) NV Peak (MW) (NPP)

6.3.5.2 Digital Chart Recorder

The chart recorders are Honeywell Minitrend GR models. They use a high-resolution digital LCD display (5.7 inches) that provides clear, bright images and a wider viewing angle than other display types. The touch-screen interface and graphical icons make them easy to use, while the display can be customized to access the best representation of process data. They record data in a secure digital format, eliminating interpolation errors that can arise from transposing data from a chart to a spreadsheet for analysis. Each recorder supports up to 12 analog and 16 digital inputs. They can store data to a secure digital (SD) card and/or USB memory stick.

As a minimum, the chart recorder on the left records Log Power (NLW) and the chart recorder on the right records Linear Power (NP). However, all analog signals from the nuclear instruments are hardwired to the chart recorders and are available for display and storage. The user has the option to enable additional inputs to be viewed and recorded. The analog signals are connected to the recorders as follows:

1) NLW Log Power (Left, displayed)
2) NPP Safety 2 Power (Left, optional)
3) NLW Period (Left, optional)
4) NPP NVT (Left, optional)
5) NPP NV (Left, optional)
6) NFT Fuel Temp 1 (Left, optional)
7) NP Safety 1 Linear Power (Right, displayed)
8) NFT Fuel Temp 2 (Right, optional)
9) NFT Fuel Temp 3 (Right, optional)
10) NMP Multi-Range Power (Right, optional)

Note: Data written to the digital strip chart recorder is only saved in internal memory when the input value actually changes.

6.3.6 Uninterruptable Power Supply (UPS)

The UPS assembly consists of a UPS with batteries and a digital interface. It is designed to power the entire console, including the instrumentation, computers and displays, for a minimum of 15 minutes. The UPS can provide a maximum power of 1,600W/2200VA. The input to the UPS is 120VAC nominal and is intended to be connected to a 20A circuit.

The UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power.

The UPS is equipped with a relay I/O smart card that allows the UPS to be controlled remotely from the console. For this purpose, the instrument power switch on the Reactor Mode Control Panel is wired up to the UPS. When the switch is pressed, it sends a signal to the UPS to either turn power on or off. The signal has to be present for a minimum of 1 second before it is recognized as a valid input by the UPS. Therefore, a slight delay will occur between the operator pushing the switch and the UPS turning on or off.

Upon loss of AC input power, the UPS will emit four beeps every 30 seconds. When 2 minutes of run time remain, the UPS emits continuous beeping.

6.3.7 AC Power Distribution

AC power is supplied to the console and lands on TB1 on the terminal block panel A7. From there, AC power is fanned out to the UPS and one rackmount power strip. Four more identical rackmount power strips plug into the UPS. Every strip has 8 outlets and features a 15A resettable circuit breaker. Power can be turned on and off with a lighted switch on the console. All console drawers and devices that require uninterruptable AC input power are plugged into one of the four power strips connected to the UPS. Non-essential equipment such as the printer and reactivity computer are plugged into the power strip not connected to the UPS. The UPS also supplies AC power to the DAC. Figure 6-14 shows the power distribution for the console.

The AC power distribution for the CSC is shown in Figure 6-14 below. AC power is supplied via a UPS unit that has been selected to provide approximately 15 minutes of runtime. Since the reactor safety systems are designed to fail to a safe condition, the UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power. When power is lost to the UPS an AC Power Loss scram is generated.

[Figure 6-14: Console AC Power Distribution]

6.3.8 Console Power Supply Drawer

The Console Power Supply Drawer contains three switch mode power supplies:

  • PS1 (7.5W) supplies +5VDC to the digital isolators on the digital input drawer,
  • PS2 (50W) supplies +24VDC power to all digital contacts throughout the console, and
  • PS3 (72W) supplies +12VDC power to all lights on the reactor mode control panel.

6.3.9 Digital Inputs Drawer

The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical [redacted] printed circuit board assemblies populated with digital isolators. There are 24 isolators per board, for a total of 48 digital inputs. The isolation voltage is 4,000V. Every isolator accepts a 2.5 to 28VDC input signal to activate on the primary side. When active, a red LED is lit. The inputs are referenced to the 24V digital power supply (PS2) on the power supply drawer. The secondary side is powered by 5V (PS1). The outputs of the digital isolators generate inputs to the [redacted] digital input board [...] pull-up resistors that are [...] the printed circuit board. The signals are passed from the [redacted] isolator boards to the [redacted] digital input board via DIN rail mounted terminal boards that accommodate the required connector configuration.

6.3.10 Utility Drawer

The Console Utility Drawer contains the CCS and UIT watchdog timers, the I/O module and the [redacted] digital output module. PS1 (50W) generates +24VDC utility power for the I/O module and the watchdog timers. The I/O module supplies power and communications to the [redacted] digital output module and the [redacted] digital input module on the digital input drawer. The I/O module communicates with the CCS computer via the Ethernet hub mounted inside the console.

The [redacted] digital output module provides 16 plug-in solid-state relays for DC loads. The relays were chosen to switch 5-60VDC loads at up to 3A at 45°C ambient. Due to the internal construction of the relays, the proper DC polarity must be observed. The solid-state relays provide 4000V of isolation between the switch contacts and control logic. The relays are controlled by the CCS computer. When the computer activates a relay, a corresponding green LED will be lit on the board. In the console, the relays are mainly used to activate the lights in the reactor mode control switches.

The watchdog timers monitor the UIT and CCS computers and are hardwired into the scram loop. The software must periodically send a keep-alive signal to the watchdog timers to prevent them from alarming and thus scramming the reactor. The time delay before an alarm occurs is adjustable between 5 and 15 seconds and is normally set at 15 seconds. When the watchdog timers lose power, their outputs will default to a failsafe condition, which will also scram the reactor.
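The fail-safe behaviour described above (watchdog contacts in series with the key switch, SCRAM switch and permissive relay, with a stale keep-alive or a loss of power opening the loop) can be modelled as follows. This is an added illustrative sketch in C, not vendor or AFRRI code; the type and function names, the millisecond tick counter, and the assumption that a dropped loop stays dropped until an explicit operator reset are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WDT_MIN_MS  5000u  /* text: delay adjustable between 5 and 15 s */
#define WDT_MAX_MS 15000u  /* text: normally set at 15 s */

/* One watchdog timer, modelled as a contact that is held closed only
 * while the timer is powered AND has been fed within its timeout. */
typedef struct {
    bool     powered;
    bool     fed_once;
    uint32_t timeout_ms;
    uint32_t last_feed_ms;
} wdt_t;

/* Series scram loop: every contact must be closed to hold magnet power. */
typedef struct {
    bool  key_switch_on;     /* MAGNET POWER key in the ON position  */
    bool  scram_pressed;     /* manual SCRAM switch                  */
    bool  permissive_relay;  /* reactor permissive relay from the FIS */
    wdt_t ccs_wdt;
    wdt_t uit_wdt;
    bool  magnet_power;      /* assumed latched: dropped until reset */
} scram_loop_t;

void wdt_init(wdt_t *w, uint32_t timeout_ms)
{
    /* Out-of-range settings are clamped to the documented 5..15 s window. */
    if (timeout_ms < WDT_MIN_MS) timeout_ms = WDT_MIN_MS;
    if (timeout_ms > WDT_MAX_MS) timeout_ms = WDT_MAX_MS;
    w->powered = true;
    w->fed_once = false;     /* no keep-alive yet: contact starts open */
    w->timeout_ms = timeout_ms;
    w->last_feed_ms = 0;
}

/* Keep-alive from the monitored computer. An unpowered timer ignores it. */
void wdt_feed(wdt_t *w, uint32_t now_ms)
{
    if (!w->powered) return;
    w->fed_once = true;
    w->last_feed_ms = now_ms;
}

bool wdt_contact_closed(const wdt_t *w, uint32_t now_ms)
{
    if (!w->powered || !w->fed_once) return false;   /* fail safe */
    /* Unsigned subtraction stays correct when the tick counter wraps. */
    return (uint32_t)(now_ms - w->last_feed_ms) < w->timeout_ms;
}

void loop_init(scram_loop_t *l, uint32_t wdt_timeout_ms)
{
    l->key_switch_on = true;
    l->scram_pressed = false;
    l->permissive_relay = true;
    wdt_init(&l->ccs_wdt, wdt_timeout_ms);
    wdt_init(&l->uit_wdt, wdt_timeout_ms);
    l->magnet_power = false;  /* de-energized until the operator resets */
}

bool loop_complete(const scram_loop_t *l, uint32_t now_ms)
{
    return l->key_switch_on && !l->scram_pressed && l->permissive_relay
        && wdt_contact_closed(&l->ccs_wdt, now_ms)
        && wdt_contact_closed(&l->uit_wdt, now_ms);
}

/* Periodic evaluation: any open contact drops magnet power. It is never
 * restored here, so a late keep-alive cannot silently re-arm the rods. */
bool loop_poll(scram_loop_t *l, uint32_t now_ms)
{
    if (!loop_complete(l, now_ms)) l->magnet_power = false;
    return l->magnet_power;
}

/* Stand-in for the operator's reset: power is applied only if the whole
 * loop is complete at that moment. */
bool loop_reset(scram_loop_t *l, uint32_t now_ms)
{
    if (loop_complete(l, now_ms)) l->magnet_power = true;
    return l->magnet_power;
}

int main(void)
{
    scram_loop_t l;
    loop_init(&l, 15000u);
    wdt_feed(&l.ccs_wdt, 0u);
    wdt_feed(&l.uit_wdt, 0u);
    printf("t=0.0s  reset: magnets %s\n", loop_reset(&l, 0u) ? "on" : "off");
    wdt_feed(&l.ccs_wdt, 10000u);          /* CCS alive, UIT software hung */
    printf("t=14.9s poll:  magnets %s\n", loop_poll(&l, 14900u) ? "on" : "off");
    printf("t=15.0s poll:  magnets %s\n", loop_poll(&l, 15000u) ? "on" : "off");
    wdt_feed(&l.ccs_wdt, 16000u);
    wdt_feed(&l.uit_wdt, 16000u);          /* keep-alive arrives too late */
    printf("t=16.0s poll:  magnets %s\n", loop_poll(&l, 16000u) ? "on" : "off");
    return 0;
}
```
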

6.4 Operation and Performance

The reactor control console is designed for ease of operator use and manipulation of the reactor control system. When considering the integrated console design featuring diverse indication of reactor status as well as the varied display layout, a licensed operator can reasonably be expected to perform control functions commensurate with the intended operational practices.

There are no specific surveillance tests with the CSC that have not been previously outlined in this LAR. Operators will be required to validate acceptable console performance when performing normal facility prestart testing.

The design of the CSC and associated components meets or exceeds the expectations outlined in the design criteria and bases. Given the diversity and redundancy of indication of the parameters, as well as the multiple sources of this data, the operator will always have an indication of reactor status available. The RPS is sufficiently independent from the RCS that there is no possibility of a failure within the CSC propagating to the neutron flux or fuel temperature monitoring modules.

The watchdog timer will ensure the operator has continually updating information. Generally, all digital communication links (CCS, UIT, Nuclear Instruments, and [redacted]) have watchdog features that ensure continuity of communications and information. The operator is immediately informed of loss of communications in any of these links and protective action is automatically taken as required.

6.5 Conclusion

The Control Console and associated hardware and software are designed such that the operator will have continuous information provided in a manner readily accessible. This is done in a manner consistent with sound operational principles. The various screens present the information required for safe operation of the AFRRI reactor.

7 Reactor Scram and Setpoint Determination

The following uncertainty and safety system setpoint calculations have been performed according to the general guidance and methodology provided in NRC Reg Guide 1.105[9]. Two-sigma (2σ) uncertainties are as detailed below.

7.1 Fuel Temperature Limit

The important parameter for a TRIGA reactor is the fuel element temperature. This parameter is well suited as a single specification because it can be measured via the instrumented fuel element.

A loss in the integrity of the fuel element cladding could arise from a buildup of excessive pressure between the fuel-moderator and cladding if the fuel temperature exceeds the safety limit. The pressure is caused by the presence of air, fission product gases, and hydrogen from the dissociation of the hydrogen and zirconium in the fuel-moderator. The magnitude of this pressure is determined by the fuel-moderator temperature and the ratio of hydrogen to zirconium in the alloy. The safety limit for the TRIGA fuel is based on data which indicates that the stress in the cladding will remain below the ultimate stress, provided that the temperature of the fuel does not exceed 1,000°C and the fuel cladding is water cooled.

To prevent exceeding the 1,000°C safety limit, both the limiting safety system setting (LSSS) and the limiting condition for operation (LCO) for the fuel temperature are 600°C as measured by the IFEs located in the B and C rings.

Instrumented fuel elements utilize K-type thermocouples connected to an NFT-1000 processing unit. The uncertainty associated with a standard K-type thermocouple is +/-2.2°C or 0.75%, whichever is greater. Therefore, at 600°C the uncertainty would be +/-4.5°C. The NFT-1000 processing unit has an uncertainty of +/-1% of full scale (1000°C), or 10°C. The total channel uncertainty would then be +/-11°C. Therefore, a 2σ uncertainty would be +/-22°C. The actual safety system setpoint for fuel temperature shall be no more than 578°C. Currently, the setpoint is 575°C.

K-Type Thermocouple uncertainty:

$600 \times 0.75\% = 4.5$

NFT-1000 Module uncertainty:

$1000 \times 1\% = 10$

Total Channel uncertainty:

$\sigma = \sqrt{(4.5)^2 + (10)^2} \approx 11$

$2\sigma = 22$

8 Cyber-Security

The reactor control console and associated equipment have several physical as well as administrative access control features. These features are designed to prevent unauthorized access to the Reactor Instrumentation and Control System.

The physical access consists of multiple layers:

  • AFRRI is located on Naval Support Activity Bethesda (NSAB). Access to the base is controlled.
  • Access to the AFRRI complex is controlled 24/7.
  • Access to the reactor area inside AFRRI is controlled.
  • Access to the controlled access area is controlled.
  • Access to the electronic enclosures is controlled.
  • Access to the data ports is controlled.
  • Access to the reactor console key is controlled.

To prevent the unauthorized use of the reactor controls, reactor operation is prevented without the use of the reactor console key and the correct user ID/password authentication input at the control console. Access levels include operator level access and system administrator access. Remote computers are not connected to the CSC computers via a local area network (LAN) because of the potential for the remote computers to be used to control the reactor. Port locks are installed to prevent the unauthorized use of removable storage media.

Access to the reactor console key is restricted to licensed senior reactor operators or licensed reactor operators. When not in use, the key is kept in a locked location.

Only individuals that have been subject to the AFRRI security process as detailed in the reactor Physical Security Plan[10] have unescorted access to the areas where the I&C is installed. All other individuals are escorted at all times.

The Reactor I&C System is housed in multiple electronic enclosures all of which have physical locks to prevent the unauthorized access to system components.

The approved software version number is verified prior to reactor startup.

9 FSAR - Chapter 13 - Accident Analysis

The accidents analyzed in the FSAR[11] range from anticipated events to a postulated fission product release with radiological consequences that exceed those of any accident considered to be credible. The analyses for all accidents in the FSAR remain valid and unaffected by the upgrade of the reactor I&C system and are detailed below.

  • Handling Radioactive Material
    Precautions are taken in the handling of these materials using established administrative, operational, and health physics procedures along with equipment and procedures which are needed to maintain the as low as reasonably achievable (ALARA) concept of radiation protection. Reactor operations are supervised by responsible individuals who are trained in the detection and evaluation of radiological consequences. These controls along with the radiation protection system for the reactor remain unchanged by the upgrade to the reactor instrumentation and control, therefore this accident scenario remains unchanged.
  • Reactor Power Transients
    The upgrade to the Reactor I&C system did not change the technical specification limits or requirements for any LCOs, especially those pertaining to steady-state operations, pulsing operations, reactivity limits, reactor control system or the reactor protection system. Therefore, the analysis for a step insertion of reactivity remains unchanged and valid. The control rod drive was replaced as part of this upgrade but the 3-second period rod withdrawal interlock, as listed in TS Table 3, remains in place. Therefore, any ramp reactivity insertion event is bounded by the step insertion and remains unchanged.
  • Improper Fuel Loading
    Fuel loading of the reactor is always supervised by trained, licensed supervisory personnel. All reactor monitoring and shutdown devices will be operational during fuel loading. Administrative procedure and controls remain unchanged. The Reactor I&C System upgrade does not affect this scenario.
  • Production of Radioactive Gases in the Reactor Coolant
    The production of radioactive gases by the reactor in its associated facilities originates through neutron activation of elements in the air or water and is a by-product of normal reactor operation. The upgrade of the reactor instrumentation and control system does not affect this accident scenario.
  • Experiments
    All experiments performed as part of the TRIGA reactor operations are reviewed by the Reactor and Radiation Facilities Safety Subcommittee and must be authorized prior to being conducted. The Technical Specifications contain requirements that must be met before such experiments can be performed using the AFRRI-TRIGA reactor. Limits on experiments (TS 3.6) remain unchanged, therefore this accident scenario remains unchanged by the upgrade of the Reactor I&C System.

  • Loss of Coolant Accident
    A loss-of-coolant accident (LOCA) occurs when there is a leak in the reactor tank and the pool water drains to a level below the core. A shutdown scram is initiated before the water level falls to less than 14 feet above the core. The technical specification on pool water level listed in Table 2 of TS and TS-3.3.c for the 6 alarm remains unchanged. The assumptions in the analysis, specifically the amount of time it takes to uncover the reactor core, remain unchanged, therefore this accident scenario remains unchanged following the upgrade to the Reactor I&C System.
    If the water shield is lost, the possible exposure to AFRRI personnel or the general public would be due to direct or scattered gamma radiation from the exposed reactor fuel inside the reactor tank. The upgrade of the Reactor I&C System does not affect radiation levels coming from the uncovered core, therefore this accident scenario remains unchanged.
  • Radioactive Contamination of Reactor Shielding Water
    Contaminant material susceptible to neutron irradiation in the shield water is maintained at low concentrations by the water purification system and an in-line set of particulate filters which remove particulates of 5 microns or larger. The technical specification on primary water quality (TS-3.3.b) along with the filtration system remains unchanged by the upgrade of the Reactor I&C System, therefore the analysis for this accident remains unchanged and valid.
  • Fuel Element Cladding Failure
    For a fuel element cladding failure accident, the conservative assumption is made that the radioactive gases released in the AFRRI reactor room will be released directly to the atmosphere without significant holdup within the facility, even though the current design of the AFRRI reactor room would cause isolation of the reactor room by automatic closure of the ventilation pathway to the AFRRI stack and would prevent excessive leakage to other parts of the AFRRI facility past the access doors that are sealed with compressible gaskets. The ventilation system remains unchanged by the Reactor I&C System upgrade, therefore the analysis remains unchanged and valid.
  • Fuel Element Drop Accident
    The cladding failure is postulated to occur when the fuel element is withdrawn from the reactor pool. When the fuel element is exposed to air, a cladding failure could occur coincidentally, or due to a drop of the fuel element. The probability of such an accident is considered to be extremely remote and is not dependent on the Reactor I&C System for mitigation. Therefore this analysis remains unchanged and valid.

There are no other changes or additions which need to be made in the Safety Analysis Report other than the revision of Chapter 7, which deals specifically with Instrumentation & Control.

10 Quality Assurance

AFRRI ensured that the equipment/system as provided meets the requirements for the build for the new control console through a series of steps. The vendor contract [12] specified the requirements for the build, specifically:

GA-ESI will create a functional specifications document that describes in detail the features and functions of the TRIGA control system that are necessary to fulfill the requirements of this SOW. It will be submitted for approval to AFRRI. Once approved, it will be considered the foundation of the development, tests and acceptance.

Additionally, the specification documents were received, reviewed, and approved by AFRRI staff including facility management and licensed Senior Reactor Operators. These documents included the Functional Requirements Specification[13] and the System Requirements Specification[14]. On finalization of design and manufacturing, a Factory Acceptance Test [15] was conducted with AFRRI staff witnessing and approving the test result. Once the installation was completed at AFRRI, Site Acceptance Testing[16,17] was performed to test the consoles and any applicable hardware and software to ensure that all components worked properly. In the Testing & Validation:

The Contractor must validate the newly installed control consoles for the TRIGA Mark F reactor. The Contractor must obtain final approval from the designated AFRRI subject matter expert and COR once testing is completed.

All testing and validation must be done in a manner that will be deemed acceptable to the licensing body at the time of installation.

The Site Acceptance Test was reviewed and accepted by AFRRI staff prior to performing any tests. The Site Acceptance Test was performed by vendor staff and AFRRI staff.

The following summarizes the Quality Assurance for the Replacement of the Reactor I&C System. For details refer to the individual documents and procedures.

[Figure 10: Quality Assurance Workflow Diagram. Boxes: Functional Requirements Specification; System Requirements Specification; Factory Acceptance Test; Site Acceptance Test; Requirements Traceability Matrix; Software Requirements Specification; Hardware Requirements Specification (drawings); Acceptance Test Procedures for the Console, the DAC Cabinet Assembly and the Facility Interlock System.]

10.1 Functional Requirements Specifications

USUHS/AFRRI TRIGA Reactor Control System Functional Requirements Specification (Conceptual) T3S990001-FRS Rev A[13]

This document is the Conceptual Functional Requirements Specification (FRS) for the replacement of the existing GA-ESI monitoring, control, and safety systems of the TRIGA Mark F Research Reactor at the Armed Forces Radiobiology Research Institute (AFRRI) in Bethesda, MD. The purpose of this document is to define the conceptual requirements for the design, fabrication, and installation of the replacement systems. The conceptual requirements are defined in Section 2 and Section 3 of this document.

For more details refer to USUHS/AFRRI TRIGA Reactor Control System Functional Requirements Specification (Conceptual) T3S990001-FRS Rev A [13].

10.2 System Requirements Specifications

USUHS/AFRRI TRIGA Control System Console System Requirements Specification T3A100B7101-SYRA Rev A[14]

This document is the System Requirements Specification (SyRS) for the replacement of the existing monitoring, control, and safety systems for the AFRRI TRIGA Mark F Research Reactor at the Armed Forces Radiobiology Research Institute (AFRRI) facility in Bethesda, Maryland. The content of the document conveys detailed system design information to the customer beyond the functional requirements. This document has been developed considering the guidance provided in IEEE Std 1233-1998, IEEE Guide for Developing System Requirements Specifications. The purpose of the document is to define the requirements for the replacement system as required in contract HT940412C0006.

For more details refer to USUHS/AFRRI TRIGA Control System Console System Requirements Specification T3A100B7101-SYRA Rev A[14].

10.2.1 Software Requirements Specifications

10.2.1.1 TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS

This document defines the software requirements for the NP/NPP-1000 Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electromagnetic Systems Inc. (GA-EMS) TRIGA radiation monitoring channel similar to the existing NMP-1000 and NLW-1000 channels. The nomenclature "NP/NPP-1000" is used throughout this document when the NP and NPP common functionalities apply. For generality, software belonging to the NP/NPP-1000 DIB will be called "NI Software".

[...] code for the NP/NPP-1000) and Touchscreen LCD Display Software code will be produced from this specification. The software will be common on all NP/NPP-1000 DIBs and touchscreen LCD.

The objectives of the software produced are to provide the functions, status information, monitor and control of hardware, Ethernet/serial communications, internal tests and self-test functions per the requirements that have been allocated to the NP/NPP-1000 system.

For more details refer to TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[18].

10.2.1.2 NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A

This document defines the software requirements for the Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electronic Systems Inc. (GA-ESI) NMP-1000 monitoring channel. The NMP-1000 monitoring channel is a wide-range linear manual and automatic range switching current-to-voltage signal conditioning device which includes adjustable bi-stable trip circuits for local and remote alarms and isolated current outputs for display by other devices.

This document has been developed per the guidance provided in IEEE Standard 830-1998, IEEE Recommended Practice for Software Requirements Specifications. The intended audience of this specification is the engineering, product assurance and management personnel involved in DIB and touchscreen LCD display software development.

The DIB and local touchscreen LCD display software will be produced from this specification. The software will be used on all NMP-1000 DIBs and touchscreen LCD.

The objectives of the software development are to provide functions, status information, monitor and control hardware, communications, internal and self-test functions per the requirements that have been allocated to the NMP-1000 system.

For more details refer to NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A [19].

10.2.1.3 NFT-1000 Software Requirements Specification T3297960-SRS Rev A

This document defines the software requirements for the NFT-1000 Digital Interface Board (DIB) and local touchscreen LCD display which are part of the General Atomics Electromagnetic Systems Inc. (GA-EMS) TRIGA radiation monitoring channel similar to the existing NP-1000, NPP-1000, NMP-1000 and NLW-1000 channels. For generality, software belonging to the NFT-1000 DIB will be called NI Software in this document.

The NI Software ( code for the NFT-1000) and Touchscreen LCD Display Software ( code) will be produced from this specification. The software will be common on all NFT-1000 DIBs and touchscreen LCD displays.

The objective of the software produced is to provide the functions, status information, monitor and control of hardware, Ethernet/serial communications, internal tests and self-test functions per the requirements that have been allocated to the NFT-1000 system.

For more details refer to NFT-1000 Software Requirements Specification T3297960-SRS Rev A [20].

10.2.2 Hardware Requirements Specifications

T3Axxx (Drawings) [21]

10.3 Factory Acceptance Test

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A [15]

Test Completed and Accepted by AFRRI Personnel on 20JUL2016.

Final QA Acceptance on 2AUG2016.

This document is the Factory Acceptance Test (FAT) for the Replacement I&C Console for the Armed Forces Radiobiology Research Institute (AFRRI) TRIGA facility. This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS).

The FAT is the culmination of a series of inspections, requirement specifications, design documents, test procedures, reviews, observations of objective evidence, and tests to show that GA has satisfied the requirements of contract HT940412C0006[12] as amended.

This FAT demonstrates the essential features, operations and safety aspects of the TRIGA Control Console System that are described in the SOW. The FAT is based on FAT procedures that have been conducted on GA's other TRIGA customers to ensure that the TRIGA Control System operates safely and as intended.

The FAT is not intended to be an exhaustive test of the entire system. GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

The FAT was performed at GA's facility in San Diego, CA. The testing exercised a full range of system functions to demonstrate proper software and hardware responses. The test setup is documented in Appendix 1, Test Setup for TRIGA AFRRI Testing of the FAT test procedure.

Since the TRIGA AFRRI Reactor I&C System is a complex system, the Test Performer(s) are System Expert(s) or a combination of experts who have very detailed knowledge of the system architecture, functional requirements as well as reactor operational requirements.

This test was run on the AFRRI TRIGA configuration with the console, DAC, FIS, and FIS test fixture.

Prior to performing the FAT, the system hardware has been verified to be operational and the following prerequisite tests have been completed with no failures:

  • T3A200E100-1AT, Acceptance Test Procedure, Console, AFRRI TRIGA [22]
  • T3A300E100-1AT, Acceptance Test Procedure, Cabinet Assembly, DAC[23]
  • T3A400E100-1AT, Acceptance Test Procedure, Facility Interlock System[24]
  • T3A100B7363-STP, System Test Procedure[27]
  • The CCS and UIT computers have been configured and the software has been loaded per ATCDS_STP 001, Console Software Load, Rev B.

10.3.1 Acceptance Test Procedure, Console, AFRRI TRIGA T3A200E100-1AT[22]

Final QA Acceptance on 18JUL2016

10.3.2 Acceptance Test Procedure, Cabinet Assembly, DAC T3A300E100-1AT[23]

Final QA Acceptance on 18JUL2016

10.3.3 Acceptance Test Procedure, Facility Interlock System T3A400E100-1AT[24]

Final QA Acceptance on 18JUL2016

10.4 Site Acceptance Test

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1, T3A100B7372-SAT Rev A [16]

Test Completion and Accepted by AFRRI Personnel on 03MAR2018.

Final QA Acceptance on 07JUN2018.

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A 100B7373-SAT Rev A[17]

Test Completion and Accepted by AFRRI Personnel on 10MAY2018.

Final QA Acceptance on 07JUN2018.

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI, and meets the technical and functional requirements of AFRRI's contract HT940412C0006 as amended.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level. GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system (Part I), and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements (Part II).

The SAT was conducted in two parts. This document describes SAT Part I. SAT Part I involved tests to confirm proper installation and functionality (to the extent possible without taking the reactor critical) of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system. At no time during conduct of SAT Part I will the reactor be taken critical. This will be done under SAT Part II.

The following operational tests were conducted satisfactorily under SAT Part II:

  • Steady state Power Operations and Full Power Run
  • AUTO Mode Testing
  • Pulse Mode Testing
  • Square Wave Testing

10.5 Requirements Traceability Matrix - T3A100D915-RTM

This document [26] traces all of the requirements and specifications listed in the SOW [12].

10.6 Configuration Management

Configuration management (CM) is a significant part of high-quality engineering activities. The quality assurance criteria for the AFRRI control system software are implemented through a configuration management program, which includes criteria for administrative control, design documentation, design interface control, design change control, document control, identification and control of parts and components, and control and retrieval of qualification information associated with parts and components.

Refer to the individual documents and plans as detailed below.

10.6.1 Software Development Plan

AFRRI TRIGA Version 1.0 Software Development Plan T3S900D905-DOC Rev A [27]

The Software Development Plan (SDP) applies to the software development and release of the TRIGA Console and Channels subsystems to support replacement of the existing TRIGA Mark F Research Reactor Instrumentation and Control System Console (CSC) at Armed Forces Radiobiology Research Institute (AFRRI). The instrumentation housed in the new Data Acquisition Cabinet (DAC) located in the reactor room includes the nuclear channels, power supplies, rod drive control, signal processing, analog I/O and Ethernet interface. The CSC includes two computer systems. The User Interface Terminal (UIT) runs on one computer, which operates on Windows, to display reactor activities. The other is the Console Computer System (CCS), which operates on Linux to display reactor functions and conditions. This SDP describes the development process, organization, management structure, activities performed and resources used in the development of the AFRRI TRIGA software.

Furthermore, the SDP describes the planning of management, process, procedures, organization, staffing, scheduling, methods, resources, tasks, products, and reviews that are used to develop the AFRRI TRIGA software.

In addition to providing traditional project planning information, this SDP is also used to tailor the standard Software Engineering activities to fit the needs and constraints of this project. Separate documents, such as the TRIGA Software Configuration Management Plan (SCMP) [28] and the Software Quality Assurance (SQA) Plan (SQP) [29], will be used to describe how software configuration and software quality processes are applied to this project. This SDP is the prevailing document for software development activities. In the event of conflict between this SDP and another planning document, this SDP shall take precedence in matters related to software development.

For more details refer to AFRRI TRIGA Version 1.0 Software Development Plan T3S900D905-DOC Rev A.

10.6.2 Software Quality Plan

USUHS/AFRRI Software Quality Assurance Verification and Validation Plan T3S99001-SQAP Rev X3 [29]

The purpose of this Software Quality Assurance Verification and Validation Plan is to define:

  • The Software Quality organization for the AFRRI TRIGA Replacement Console Project at General Atomics Electromagnetics Systems (GA-EMS)
  • The Software Quality tasks, Verification & Validation (V&V) tasks and responsibilities
  • The standards, practices, and conventions used to perform Software Quality and V&V activities
  • The tools, techniques, and methods that will be used to support Software Quality and V&V activities and reporting.

The AFRRI TRIGA project will be a replacement and upgrade effort where GA-ESI will provide replacement Console hardware and software, as well as installation services, for support of the existing monitoring, control and safety systems of the Mark F Research Reactor.

The plan articulates the Software Quality activities, including software quality engineering, software quality assurance, V&V, and software testing, performed throughout the software development life cycle of the AFRRI TRIGA Replacement Console Project.

The plan will define Software Quality and V&V support functions for this project and specify the reporting activities of Software Quality to Quality management, with communication links to the AFRRI TRIGA Project Manager and the project Software Engineering Manager.

A key goal of the Software Quality function is to verify that all software and documentation to be delivered meet all technical requirements and to ensure compliance to contractual requirements, and GA-ESI processes & procedures for software development.

The Software Quality and V&V tasks defined herein shall be used to examine deliverable software and project work products, assess conformance of planned tasks and activities to processes and procedures, and to determine compliance with technical and regulatory compliance requirements.

The AFRRI TRIGA Replacement Console project includes instrumentation for monitoring reactor parameters during all operational states and for recording all variables important to reactor operation. It also manages all control rod movements taking into account the choice of operating mode and interlocks. The TRIGA Control System is a computer-based system but includes dedicated hardwired displays and controls so that safe operation can continue should the computers become unavailable. There are three major system components: the Control System Console (CSC), Data Acquisition and Control (DAC) and the nuclear channels (NLW-1000, NMP-1000, NP-1000, NPP-1000, and NFT-1000).

The Software Quality Assurance plan is written to comply with all contractual Quality Assurance Requirements and recognizes ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors [30], ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry [31], NRC Regulation 1.152[32] and the applicable sections of IEEE 7-4.3.2[33] for non-power research reactors.

The plan also complies with GA-ESI's Quality Management System, Quality Manual & procedures, and RMS Engineering Operating procedures.

The plan aligns with GA-ESI Procedure EP-021 which describes the standard product development process and GA-ESI Quality procedure QAP 03-03 Software Quality Assurance Planning that supports the lifecycle phases listed below for a waterfall software development model:

  • Concept/Planning
  • Requirements
  • Design
  • Implementation & Coding
  • Testing
  • Installation and Checkout

For more details refer to USUHS/AFRRI Software Quality Assurance Verification and Validation Plan T3S99001-SQAP Rev X3.

10.6.3 Software Configuration Management

TRIGA AFRRI Software Configuration Management Plan T3S900D906-DOC Rev X1 [28]

The Software Configuration Management (SCM) Plan (SCMP) provides the guidelines to be used to manage changes to the TRIGA software at General Atomics Electronic Systems, Inc. (GA-ESI).

The intended audience for the document includes, but is not limited to, Project Management, Software Quality Assurance, and Software Engineering personnel.

This SCMP will be used to ensure compliance to the SCM requirements as listed in the Armed Forces Radiobiology Research Institute (AFRRI) Statement of Work (SOW) [12].

Software Configuration Management functions will be performed as described in the document throughout the Software Development Life Cycle (SDLC). This SCMP will be used to track and control changes in project documentation, software source code, software build artifacts, test tools, and test artifacts as described in the document. The SCMP is used in conjunction with GA-ESI Configuration Management (CM) operating procedures. There are no known limitations to this plan and assumptions have been made with respect to this plan.

Software Configuration Management is the discipline of controlling and tracking changes made to a software system throughout the SDLC. SCM is applicable to, and not limited to, software requirements, design, source code, and project documentation. The following describes the activities involved with SCM, including:

  • Configuration identification

A Configuration Item (CI) is any component of a system, including documentation, which will be under the control of CM. These items are identified, recorded and managed within a Configuration Management System (CMS) and maintained throughout the lifecycle of the project.

Configuration Items for a software system consist of software process plans, specification documentation, software source code, test documentation, technical manuals and version description documentation.

  • Configuration control

Configuration control defines the process for requesting, evaluating, approving or disapproving, and implementing changes to baselined CIs. Changes can include but are not limited to defects, enhancements and new requirements.

A baseline provides a static reference point to a grouping of CIs that make up a system at a given point in time. Baselines establish a version of the software configuration which serves as the basis for further development. After a baseline has been established, scope changes can only be performed through a formal change request process as identified in the SCMP.

  • Configuration status accounting

The SCM engineer is responsible for the recording and reporting of software configuration status. For software product builds performed by the SCM engineer, a configuration status report will be generated identifying the built software version, included issues, known software limitations, and additional developer notes associated with each issue.

Configuration status reports will be controlled as release notes and stored on the project's SharePoint site. A copy of the release notes will be provided with each build in the designated build area located on the GA-ESI network. Refer to the SCMP for the base location of where builds are stored on the GA-ESI network.

  • Configuration evaluations and reviews

Configuration evaluations and reviews will be used as the mechanism to evaluate a baseline. The SCM engineer along with the SQA engineer will schedule audits, on an as needed basis, to determine the extent to which the physical and functional characteristics of a CI are met. At a minimum, configuration reviews should take place upon definition and completion of the Requirements and Product Baselines.

  • Release management and deliveries

The standard software release management and delivery process will be used.

For more details refer to TRIGA AFRRI Software Configuration Management Plan T3S900D906-DOC Rev X1 [28].

11 Technical Specification Changes

In support of the AFRRI License Amendment Request, the following minor changes need to be made to the Technical Specifications [2].

11.1 Technical Specification Change #1.

On page 14 of the Technical Specifications [2]:

TS Table 2, Minimum Reactor Safety System Scrams, requires a minor change. Due to a naming change for some of the support systems of the newly installed equipment, the last row of the table will be amended from Watchdog (DAC to CSC) to Watchdogs (UIT and CCS).

The change to Table 2 is editorial in nature only, as the Watchdogs (UIT and CCS) provide the exact same functionality as the previous Watchdog (DAC to CSC).

Table 2. Minimum Reactor Safety System Scrams

| Channel | Maximum Set Point | Effective Mode: Steady State | Effective Mode: Pulse |
|---|---|---|---|
| Fuel Temperature | 600°C | 2 | 2 |
| Percent Power, High Flux | 1.1 MW | 2 | 0 |
| Console Manual Scram Button | Closure switch | 1 | 1 |
| High Voltage Loss to Safety Channel | 20% Loss | 2 | 1 |
| Pulse Time | 15 seconds | 0 | 1 |
| Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3 |
| Pool Water Level | 14 feet from the top of the core | 1 | 1 |
| Watchdog (DAC to CSC), amended to Watchdogs (UIT and CCS) | On digital console | 1 | 1 |

11.2 Technical Specification Change #2.

On Page 28 of the Technical Specifications [2]:

In the surveillance requirement of section 4.2.2.c, the reference to NM1000 is being deleted. This wide range log channel has been replaced by the log range NLW-1000.

4.2.2.c. Channel calibration shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

12 Conclusion

As shown in this license amendment request, the implemented design of the AFRRI Reactor Instrumentation and Control System meets or exceeds the design criteria and design bases for the reactor. The system incorporates redundancy, diversity and independence into a fail-safe design.

For all modes of operation, the reactor status is monitored by a minimum of two separate and independent channels. This design, in conjunction with the quality assurance program and associated implementation testing, ensures the safe operation of the AFRRI Reactor.

13 References

[1] ANSI/ANS 15.15 Criteria for the Reactor Safety Systems of Research Reactors, 1978

[2] Technical Specifications for the AFRRI Facility Rev 25, Aug 14, 2019

[3] TRIGA Reactor Instrumentation & Control System, Operation and Maintenance Manual, Document T3A100B7911-1OM, Rev A, January 2018

[4] NLW-1000, Wide Range Log Power Module, User Manual, Document T3322000-1UM, Rev B, June 2015

[5] NMP-1000, Multi-range Linear Module, User Manual, Document T3401000-1UM, Rev C, January 2018

[6] NP-1000, Nuclear Power Module, User Manual, Document T3271000-1UM, Rev A, December 2018

[7] NPP-1000, Nuclear Power Module, User Manual, Document T3281000-1UM, Rev A, January 2018

[8] NFT-1000, Nuclear Fuel Temperature Module, User Manual, Document T3291000-1UM, Rev A, January 2018

[9] U.S. Nuclear Regulatory Commission, Regulatory Guide 1.105, Setpoints for Safety Related Instrumentation, Rev 3, December 1999

[10] Physical Security Plan for the AFRRI Reactor Facility

[11] Safety Analysis RE: Chapter 13 of the FSAR

[12] Vendor Award/Contract HT940412C0006

[13] USUHS/AFRRI TRIGA Reactor Control System Functional Requirements Specification (Conceptual) T3S990001-FRS Rev A

[14] USUHS/AFRRI TRIGA Control System Console System Requirements Specification T3A100B7101-SYRA Rev A

[15] Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA, T3A10087371-FAT Rev A

[16] Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1, T3A100B7372-SAT Rev A

[17] Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR, T3A 100B7373-SAT Rev A

[18] TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS

[19] NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A

[20] NFT-1000 Software Requirements Specification T3297960-SRS Rev A

[21] Hardware Requirements Specifications

[22] Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT

[23] Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT

[24] Acceptance Test Procedure, Facility Interlock System, T3A400E100-1AT

[25] System Test Procedure, T3A100B7363-STP

[26] Requirements Traceability Matrix - T3A100D915-RTM

[27] AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC

[28] TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC

[29] USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP

[30] ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors, 1995

[31] ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, 1987 (R1998)

[32] U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Rev 3, July 2011

[33] IEEE 7-4.3.2 Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations