Text

Enclosure 2c - Revision 1 of the Revised FSAR Chapter 7 - Instrumentation and Control Systems - Redacted
	ML21302A103
Person / Time
Site:	Armed Forces Radiobiology Research Institute
Issue date:	10/28/2021
From:	; US Dept of Defense, Armed Forces Radiobiology Research Institute, US Dept of Defense, Uniformed Services Univ of the Health Sciences
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML21302A096	List: ML21302A097; ML21302A100; ML21302A103; ML21302A106; ML21302A107;
References
	EPID L-2020-NFA-0012, GA/EMS-5084
	Download: ML21302A103 (83)
	v • d • e

Enclosure 2c - Redacted - Available to the Public Revision 1 of the Revised FSAR Chapter 7 - Instrumentation and Control Systems

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7 INSTRUMENTATION AND CONTROL SYSTEMS The role of the AFRRI Reactor I&C is to provide monitoring, protection, and control functions for the reactor with a means to acquire and record data. It provides complete information on the status of the reactor and reactor-related systems.

The reactor is operated from a Control System Console (CSC) located in the control room while the Data Acquisition Cabinet (DAC) is located in the reactor room and houses the mixed analog/digital neutron linear/log power channel and the driver modules for the control rod stepping motors.

7.1 DESIGN OF INSTRUMENTATION AND CONTROL SYSTEMS The Reactor I&C system is a hybrid computer based system which includes a hardwired Reactor Protection System (RPS) with dedicated displays and controls so that safe operation and monitoring of the reactor can continue should the computers become unavailable. The primary function of the RPS is to scram the reactor by allowing the control rods to fall into the core in response to automatic protective actions or actions initiated by the operator from the Control System Console (CSC) operator interface in response to other abnormal reactor operating conditions that may arise during the course of operations. The equipment installed in the Data Acquisition Cabinet (DAC) acquires data in the form of electronic signals from instrumentation in the reactor and auxiliary systems, processes it, and transmits it to the operator via multiple displays on the CSC. There are six major subsystems that make up the AFRRI system as stated below:

1) Reactor Instrumentation The Reactor I&C system receives input from various detectors and sensors. These include three fission chambers, a compensated ionization chamber, an uncompensated ionization chamber, a Cerenkov detector, and fuel elements with integrated thermocouples. Signals from these units are processed in the DAC which is housed in the reactor room.

2) Reactor Control System (RCS)

The reactor control system includes control rod drives (CRD), automatic control, reactor interlocks, and the facility interlock system (FIS).

3) Reactor Protection System (RPS)

The Reactor Protection System includes the scram logic circuitry, rod withdrawal prevention, facility interlocks, and lead shield door control. The RPS is designed with a fail-safe centric design.

4) Control System Console (CSC)

The CSC is a desk type control console with modularized instrumentation drawers and panels. The computers and monitors are mounted on the console. The operator interface provides the necessary controls and interfaces for the operator to safely startup, manipulate reactor parameters, monitor operating parameters in their various modes of operation, and safely shutdown the reactor. The CSC contains the indicators, annunciators, and monitors to present the data to the operator in meaningful engineering units using graphic displays.

The CSC relies on two computer systems. The User Interface Terminal (UIT) system has graphic displays of reactor activities while the Console Computer System (CCS) controls 7-1 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 the reactor and monitors all input and output. The CSC computers (the CCS and the UIT) also provide data storage and logging capabilities on their hard drives.

5) Data Acquisition Cabinet (DAC)

The DAC acquires data in the form of electronic signals from instrumentation in the reactor and auxiliary systems, processes it, and transmits it to the operator via various displays which are part of the CSC operator interface. It houses the nuclear instrument modules, the drivers for the control rod drives, as well as equipment to process analog and digital inputs.

6) Process Instrumentation Additional parameters available to the operator include pool water level, primary water temperature and primary water conductivity (local only).

7.1.1 Design Criteria The Reactor I&C system receives input from various detectors and sensors. Design considerations and technical specification requirements are listed in each subsystem. In general, they outline a fail-safe design focus with redundancy and diversity whenever possible.

While there are various modes of operation for the AFRRI Reactor, they all fall under the same operational envelope. The system measures the power level and the fuel temperature and thereby protects the fuel from exceeding the safety limit. The system must perform for the design basis events or those anticipated operational occurrences which are used to determine the design requirements, i.e. reactor power and fuel temperature. The decision criteria for determining the design basis events which are selected are those which have a consequence that can exceed the capabilities of the reactor safety system. Because the safe operating envelope of the reactor would be exceeded, safety scrams are included to prevent the condition. The design basis events are therefore:

the operation of the reactor at a steady state power level in excess of the corresponding technical specification.

the insertion of reactivity which causes the reactor to exceed the temperature limit during a pulse.

For the latter of these, the reactivity insertion is determined from the worth of the control rods and the core excess reactivity. Both are independent of the design of the reactor instrumentation and are physically measured values. The reactivity protection mechanism is thus dependent on the accuracy of the measurement of the neutron flux and by extension rod worth and core excess reactivity.

There are no conditions in which the facility could be placed, regardless of safety function actuation, which would be adverse to the health and safety of the public. Therefore, only those events which would cause excessive steady-state power levels or give incorrect indication to the reactor operator and the facility staff are selected. For any design basis event, the system must be capable of shutting down the reactor in a safe and timely manner.

Safety scrams are provided to prevent the design basis event from being exceeded. These scrams and their setpoint value are outlined in Table 2 of the Technical Specifications and detailed below in Section 7.4.5. Additionally, assurance of accurate reactivity measurements is provided through facility approved procedures and system testing. The scrams are for power level and pulse time 7-2 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 (ensuring fuel temperature requirements), high voltage loss to a safety channel (ensuring flux measurement accuracy), watchdog timer (ensuring continuous communication), and pool water level criteria (radiation safety and adequate cooling). Scrams are automatically actuated.

Because the neutron flux is spatially dependent, at least two detectors are on range at any steady-state operating power value. These detectors are located around the core to prevent inaccurate indication from phenomena such as rod shadowing and flux tilt.

The neutron flux levels are measured from subcritical source multiplication range through licensed maximum power range. Since not all of the neutron flux instruments are capable of this, continuous indication is ensured by maintaining a minimum of one decade of overlap in indication while observation is transferred from one instrument channel to another.

In the event a setpoint is exceeded, a scram is initiated. The time from initiation of a scram to full insertion of the rods is less than one second. The scram is achieved through both the removal of magnet power to the standard rod drives and the removal of air pressure to the transient rod. Upon removal of magnet power and air pressure, the rods fall into the core due to the force of gravity.

In steady-state and transient operational modes as well as during normal, abnormal, and accident scenarios, the Reactor I&C system is designed to operate in the following conditions:

Operating temperature range: 10°C to 40°C

Operating voltage: 120 VAC +/- 10% 50/60 Hz

Relative humidity: 10% to 90% non-condensing

Pressure: atmospheric

CSC computers, monitor mountings, and DAC cabinet are designed to meet the requirements for Seismic Qualification Performance Category 2.

The DAC dissipates heat generated by internal components by convection to reactor room air. The entire front and rear panels of the DAC are made of perforated metal, providing security (when closed and locked) and air flow to ambient air. Air in the reactor room is continuously circulated, and this air current is sufficient to cause flow through the DAC front and rear panels and provide cooling for all interior equipment. Note that the modern, low-power electronics in most of the instrumentation will generate less heat than previous, less efficient equipment.

The nuclear instrument modules have been tested to ensure that they perform their intended safety functions up to a temperature of 50°C.

In the control room, the console is a more enclosed design, with sheet metal covers. Thus, a circulating fan is placed high in one side panel of the console and is energized anytime the console is powered on. This fan will pull cooler room air from existing opening in the bottom of the console, up through the console, and out into the room. Control room HVAC should have little difficulty cooling this load, as it is almost certainly significantly less than the previous console, which presented no difficulty.

Although the components have not been specifically tested for electromagnetic or radio frequency interference (EMI/RFI), best design practices were used to separate digital from analog signals to minimize the potential for interference. Instruments are constructed with metal enclosures to minimize outside interference and incorporate AC input to filters to suppress conducted noise.

7-3 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 No reasonable hypothetical scenario would cause appreciable increases in temperature, humidity or other environmental conditions that would exceed these design conditions. In the event of excessive supply power, temperature, humidity, vibration, radiation, fire, explosion, earthquake, flood, lightning, missiles, and wind which leads to the failure of a channel, the system will initiate an automatic shutdown through the fail-safe design of the neutron flux monitoring channels.

Additionally, manual actuation of a scram is available to the operator to initiate a shutdown if the conditions warrant.

Other than aging, there are no environmental conditions which have the potential for a functional degradation of the Reactor I&C system. Regular functionality tests, operations, and calibrations are sufficient to alert facility staff of deteriorating system performance.

During operations, there is no design basis or criteria which would necessitate bypass capability for any part of the Reactor I&C system. Audible alarms may be manually bypassed which allows the operator to focus on changing facility conditions and perform testing without distraction. In addition to functional bypasses not being needed, the system is designed such that there are no inadvertent manipulations of operating parameters and that administrative controls exist which are appropriate for the safety function performed. Procedures and manuals are provided which enable facility staff to safely test, calibrate, maintain, and operate the system.

The Reactor I&C system is designed such that reliability is reasonably assured during long term reactor operations and standard shutdown intervals. These consistent performance metrics are assured through both the AFRRIs quality assurance plan and the vendors quality assurance plan and has been validated by a comprehensive verification and validation testing program. Because there are no special requirements of the AFRRI reactor, there are no additional quality assurance requirements needed to accommodate any unusual or unique aspects of the design of the Reactor I&C system.

7-4 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Reactor Instrumentation and Control System Block Diagram The instrumentation and control system is designed to provide the following:

complete information on the status of the reactor and reactor-related systems

a means for manually withdrawing or inserting control rods

automatic control of reactor power level

automatic scrams in response to overpower, loss of detector high voltage, or high fuel temperature conditions

automatic scrams in response to a loss of operability of the digital computer system

monitoring of radiation and airborne radioactivity levels 7.1.2 Design Bases The primary design basis for the AFRRI Reactor is the safety limit on fuel temperature. To prevent exceeding the safety limit of 1000°C, design features, operating limitations, and automatic scrams are provided while interlocks limit the magnitude of transient reactivity insertion.

7-5 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.2 REACTOR INSTRUMENTATION The key design criteria for the Reactor I&C System is that the nuclear instruments provide indications of reactor power from subcritical multiplication through full licensed maximum power.

For redundancy, there are at least two operable channels for all steady-state modes of operation.

Because the fuel temperature is the primary reactor parameter to be protected, there are at least two fuel temperature safety channels operable for all modes of operation. The nuclear instruments do not have any single failure points that are not counter balanced with a fail-safe design. Although they all ultimately rely on the same source of power, all instruments are wholly independent of each other otherwise. The power source is provided by an Uninterruptible Power Supply (UPS) and in the event of a loss of AC supply power to the UPS or UPS failure, a scram is automatically initiated. The UPS is discussed in detail in Section 7.6.3.2.

Systematic nonrandom concurrent failures of elements in the design is prevented by using independent channels with fundamentally different detection mechanisms (fission chambers, ionization chambers, and fuel temperature monitoring). In the event of a channel failure, a scram will be automatically initiated, and the reactor will enter into a safe shutdown condition. This ensures a fail-safe design.

7.2.1 Data Acquisition Cabinet The Data Acquisition Cabinet (DAC) is located on the reactor floor near the reactor pool. The DAC serves as the data gathering and control interface between the reactor and the control system console. It monitors the reactor power from the safety channels (NP/NPP-1000), the operational channels (NLW-1000 and NMP-1000),and the fuel temperature channels (NFT-1000). The DAC also contains the scram loop circuitry, and control rod drive controllers.

The DAC acquires data in real-time from the various sensors associated with the reactor and facility. The DAC stores this data and transmits them via the network to the Control System Console (CSC). In turn, the DAC receives commands from the CSC, and reissues those commands to raise/lower the control rods or scram the reactor. It communicates with the CSC via an Ethernet data network. The DAC controls the positions of the control rods, either in response to operator inputs entered in at the CSC console, or automatically using the power feedback loop during automatic operation. See Figure 7-2 for a block diagram of the DAC.

AC power is supplied to the DAC by the UPS located in the CSC. AC power is distributed to three identical rackmount power strips. Each strip has 8 outlets and features a 15A resettable circuit breaker and a lighted power switch. All DAC devices that require AC input power are plugged into these power strips. For a detailed block diagram of the AC power distribution see Figure 7-3 below.

7-6 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Block Diagram of the Data Acquisition Cabinet (DAC) 7-7 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Data Acquisition Cabinet AC Power Distribution The DAC is composed of five major components, the Power Supply Drawer, the Digital Input Drawer, Analog Input Drawer, Rod Control Drawer, Relay Drawer and the Linear and Log Power Instrument Drawers 7.2.1.1 Power Supply Drawer The power supply drawer supplies Vdc power for the components located in the DAC along with a power supply for the control rod magnets and transient rod air solenoid. The following power supplies are located on the power supply drawer:

PS1 +5 Vdc Power Supply provides power the secondary side of the digital isolator modules on the digital input drawer.

PS2 +15 Vdc Instrument Power Supply is used to generate input signals to the nuclear instrument remote connectors. It also provides the pulse gain signal for the NPP-1000.

PS3 +24 Vdc Utility Power Supply is a 50W power supply that is used to power digital switch contacts external to the DAC (FIS, Rod Drives, etc.). Input to output isolation is 3,000V.

PS4 +24 Vdc Solenoid Power Supply provides power to the transient rod air solenoid.

PS5 +24 Vdc Utility Power Supply is used to power digital switch contacts external to the console. Input to output isolation is 3,000V.

PS6 +24 Vdc Magnet Power Supply provides power to the standard control rod drive magnets. It is monitored by a ground fault detector (GFD), which is also mounted in the 7-8 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 power supply drawer. The GFD monitors both the high and low legs of the scram loop. If any point in the scram loop shorts to earth ground, the GFD will detect it and generate a fault indication to the console. The GFD has a display, test mode and various indicators.

When no fault is present, a green LED will be lit. When a fault is detected, yellow LEDs will be lit. The GFD is powered by PS5.

7.2.1.2 Digital Input Drawer The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical printed circuit board assemblies (PWA) populated with digital isolators. Every isolator accepts a 2.5 to 28Vdc input signal to activate on the primary side. When active, a red LED is lit. The inputs are referenced to the 24V digital power supply (PS3) on the power supply drawer. The secondary side is powered by 5V (PS1). The outputs of the digital isolators generate an input to the digital input module that are part of the printed circuit board. The signals are passed from the isolator boards to the digital input board via DIN rail mounted terminal boards that accommodate the required connector configuration.

7.2.1.3 Analog Input Drawer The analog input/output drawer houses signal conditioning modules that feature galvanic input to output isolation of 3,500 V. Of the 18 signal conditioning modules, 7 of them are designed to accept either current or voltage signal, 6 are designed to read potentiometer inputs, and 5 are designed to connect to 100 RTD sensors. The outputs are configured for 0 to 10 Vdc, to be read by modules mounted in the analog drawer. The signal conditioning modules are powered by a +24 Vdc, 120W switching power supply. Every module has two calibration potentiometers for zero and span adjustments.

7.2.1.4 Rod Control Drawer The rod control drawer houses the modules. All modules are directly powered by the DAC AC power.

7.2.1.5 Relay Drawer The relay drawer houses three relay boards with electro-mechanical relays, two socketed relays and a number of terminal blocks for signal distribution. This drawer houses all the relays that are associated with the scram loop and magnet power.

The relay board housing the scram loop contains 24 relays. The 24V relay coils are driven by various inputs to the scram loop. The outputs are part of the scram loop wiring or are used in the generation of digital signals to the console.

Two other relay boards can house up to 8 standard plug-in relays each, either for AC or DC loads.

These relays are controlled by the CCS computer. When the computer activates a relay, a corresponding green LED on the relay will be lit.

Two socketed 4PDT (K1and K2) relays are used in the scram loop to generate the operate signal for the FIS. K1 performs the reset and latching functions and indicates all scrams clear. K2 is on when the console key switch is in the ON position. K1 and K2 are driven by 24Vdc. When the relay coil is activated, a red tab becomes visible in a display window on top of the relay.

7-9 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.2.1.6 Linear and Log Power Instrument Drawers The linear power drawer houses one NMP-1000 and one NFT-1000 nuclear instrument. Both the NMP and NFT instruments are part of the scram loop. The scrams for the NMP are bypassed. The NMP-1000 is connected to a compensated ion chamber. The NFT-1000 is connected to three instrumented fuel elements.

The log power drawer houses one NP-1000, one NPP-1000 and one NLW-1000 nuclear instrument. The NP and NPP are part of the scram loop. The NLW, NP and NPP are all connected to fission chambers for steady-state operation. The NPP is also connected to an uncompensated ion chamber and a Cerenkov detector for pulsing operations.

7.2.2 Subsystem Description 7.2.2.1 Neutron Flux Monitoring Equipment Four independent power measuring channels are provided for a continuous indication of power from subcritical neutron source multiplication range to the maximum steady-state licensed power level. Peak power resulting from the maximum allowed pulse reactivity insertion is monitored with a special channel capable of reading the high power levels achieved during a pulse.

Figure 7-4 shown below indicates the power ranges of the channels and how overlap between differing operational modes is achieved.

Figure 7-5 shown below indicates the transmission of signals from the neutron flux and temperature channels to the reactor to the console.

Figure 7-6 shows the location of the neutron detectors for the nuclear instrumentation channels with respect to the core.

7-10 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 2500MW 1 - - -

1000MW t - - -

100MW

______ /

10MW l.lMW 1MW

* ------------ 100%

100kW 10%

10 kW 1%

NP-1000 NPP-1000 1 kW t - - - ---- -----

1---------~----------------------- 10*1 %

1 kW Interlock 100W 10W NLW-1000 NMP-1000 1W

0. 1 W 10-5 %

Source Level _

0.01W 0.001 W *------------ --------------------------------------

, ----------------------*--- 10*1 %

Source Interlock 0.0001 W L-------&..--------------------..

NMP-1000 Compensated Ion Chamber NLW-1000 Fission Chamber NP-1000 Fission Chamber Fission Chamber (Steady-state Mode)

NPP-1000 Uncompensated Ion Chamber (Pulse Mode)

Figure 7 AFRRI Power Instrument Ranges 7-11 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Neutron Flux Monitoring Channels 7-12 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.2.2.1.1. NLW-1000 Log Power Channel The NLW-1000 is designated as the Log Power Channel. The design function of the NLW-1000 is to measure neutron flux in order to provide the following:

Wide range logarithmic power indication.

Reactor period indication.

Bistable trip/signal for interlocks.

Analog outputs to th e bargraphs and recorders for steady-state operation.

Digital outputs to the reactor control console for steady-state operation.

The NL W-1000 monitoring channel is a wide range logarithmic that operates with a fission cham ber an d a PA-1 000 pream lifier that decou les and am lifies ulses that ori inate at the fission cham ber. The module The logarithmic reactor power signal is monitored by a period circuit which generates an output propoliional to the rate of change in reactor power at any given instant. This signal called period is a measure of the time (in seconds) it takes for the reactor power to chan ge by a factor of e (2.718). The period indication is from -30 seconds to +3 seconds.

7-13 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 The NLW-1000 relies on analog signal processing (no software) for detector signal processing for both the power signal and the period signal, along with the bistable trip activation. The NLW-1000 also provides analog outputs to the bargraphs and chart recorder for use at the reactor control console.

Figure 7 Block Diagram of the NLW-1000 Log Power Monitor The trip/alarm board contains six identical circuits to generate all trip/alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the tripped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset. Diodes and opto-isolators are used for isolation of the trip/alarm signals.

The analog trip relays are held energized in a fail-safe condition until an alarm (or loss of power) de-energizes the coil. Three of the six bistable trips are active and are listed in Table 7-1 and 7-14 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 described below. All ti*ips associated with the NLW-1000 are rod withdrawal interlocks and are enforced via software.

The loss of high voltage u-ip signal is sent to the CSC, which in tum enforces the control rod interlock required for loss of HV to the channel.

The period signal from the NLW-1000 is sent to the CSC, which uses this signal to determine if to enforce the less than 3 second period conu-ol rod interlock and also as an input to the automatic mode conu-ol PID algorithm.

The greater than 1 kW Pulse Interlock uses one of the NL W-1000 analog bistable ti*ips as an interlock for operation in Pulse Mode. The CSC reads the bistable ti-ip signal and uses software to enforce the interlock.

Table 7-1-Trips Associated with the NLW-1000 Trip Function Trip Setpoint Action Control Rod Withdrawal HV Low Interlock 20% loss of HV Inhibit Control Rod Withdrawal Period Interlock < 3 seconds Inhibit Pulse Interlock > 1 kW Pulse Interlock Pulse Mode Interlock The NLW-1000 contains a digital interface board with microprocessors and circuiti*y that conve1is the analog signals to digital an d u-ansmits them for use at the conu-ol console.

7.2.2.1.2. NMP-1000 Multi-range Linear Power Channel The NMP-1000 is designated as the Linear Power Channel. The design function of the NMP-1000 is to measure neuu-on flux in order to provide the following:

Multi-range percent linear power indication.

Bistable ti*ips for interlocks.

Analog output to the recorder for steady-state operation.

Digital outputs to the reactor conti*ol console for steady-state operation.

The NMP-1000 uses a compensated ion chamber. The NMP-1000 relies on software to conduct auto-ranging and subsequent bistable ti*ips. The NMP-1000 was developed under NQA-1 quality conti*ol.

7-15 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 The NMP-1000 is a microprocessor based wide-range linear power module which provides percent reactor power indication and bi-stable trip circuits. The NMP-1000 module processes current of 1x10-11 to 1x10-3 Amperes from a compensated ion chamber. A compensating volta.ge power supply is provided for use with the compensated ion chamber. The input cunent is converted into 0 to 10 V in 9 one-decade ranges giving power indication from startup through 120% power on a linear scale (displaying in progressively wider ranges, one decade at a time).

When the NMP-1000 is in auto-ranging mode the ove1power warning only occurs on the highest range (i.e. 100% foll power). Whereas, when the range is selected by the operator, a warning occurs at 110% of that specific range. The appropriate decade is selected either automatically by software (auto-ranging mode) or by the user (manual ranging mode) via the touch screen display or selecting the desired checkbox on the MODE SELECTION Pane.

The NMP-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connector on the rear panel.

Figure 7 Block Diagram of the NMP-1000 The trip/alann board contains six identical circuits to generate all trip/alann indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal 7-1 6 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the ti*ipped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset. Diodes and opto-isolators are used for isolation of the ti*ip/alaim signals.

The analog ti*ip relays ai*e held energized in a fail-safe condition until an alai-in (or loss of power) de-energizes the coil. Two of the six bistable trips ai*e active and ai*e listed in Table 7-2 and described below. All trips associated with the NMP-1000 ai*e wainings or rod withdrawal interlocks and are enforced via software.

The loss of high voltage ti*ip signal is sent to the CSC, which in generates a warning for loss ofHV to the channel.

The low source rate interlock uses one of the NMP-1000 analog bistable ti*ips as an interlock for conti*ol rod withdrawal if power level falls below 1 x 10-5 watts. This ensures that there is sufficient indication of source neutrons to approach criticality in a conti*olled manner. The CSC reads the bistable trip signal and uses softwai*e to enforce the interlock.

Table 7-2-Trips Associated with the NMP-1000 Trip Function Trip Action HV Low Interlock 20% loss of HV Warning Control Rod Withdrawal Low Source Rate < 1 x 10-5 watts Inhibit The NMP-1000 contains a digital interface board with microprocessors and circuiti*y that converts the analog signals to digital and transmits them for use at the control console.

The NMP-1000 test modes allow for testing the proper perfo1mance of the electrometer and to ensure the functionality of all ti*ip circuits. Test modes include HV, calibrate high, calibrate low, and manual current. The HV and calibrate high test modes cause the bi-stable trips to alaim ; current low gives fixed power indication in the highest range; and manual test allows for varying the current over all ranges with the front panel potentiometer. Test modes can be enabled via the touch screen or a remote interface.

7.2.2.1.3. NP-1000 Linear Power Channel The NP-1000 is designated as Safety Channel No. 1. The design function of the NP-1000 is to measure neutron flux in order to provide the following:

7-1 7 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Percent linear power indication.

Automatic scram on overpower conditions.

Analog outputs to the bargraphs and recorders for steady-state operation.

Digital outputs to the reactor control console for steady-state operation.

The NP-1000 is a nuclear instnnnent module that provides percent reactor power indication, bi-stable trip circuits and outputs to other devices. The module processes current from a fission chamber.

The performance of the safety function (i.e., measurement of signal from detector and actuation of bistable tr*ips) is retained in the analog poliion of the instrument while the analog to digital conversion of the signal for use at the control console computers has been integrated into what is now the digital portion of the instrument.

The NP-1000 percent reactor power monitoring instrument is a linear current-to-voltage signal conditioning device which includes a high-voltage power supply, adjustable bistable trip circuits for local and remote alarms and isolated current or voltage outputs for display by other devices.

The NP-1000 unit provides linear power output when the reactor is at power, approximately 1%

through 120% power. This channel is designated as Safety Power Channel #1.

Figure 7 Block Diagram of the NP-1000 The tr*ip/alann board contains six identical circuits to generate all trip/alann indications. Every circuit is jumper configurable for a rising or falling tr*ip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising tr*ip, the comparator will switch states 7-1 8 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the ti*ipped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset. Diodes and opto-isolators are used for isolation of the ti*ip/alaim signals.

The analog trip relays are held energized in a fail-safe condition until an alai-in (or loss of power) de-energizes the coil. Two of the six bistable trips ai*e active and are listed in Table 7-3 and described below. All ti*ips associated with the NP-1000 are scrains and are enforced by hardware and ai*e not dependent on any softwai*e.

The relays are provided with two sets of contacts, each set with one n01mally open and one n01mally closed pair of contacts. The relays are held energized in a fail-safe condition until an alaim de-energizes the coil.

The loss of high voltage trip signal generates a scram when high voltage (HV) to the channel falls below the setpoint.

The ove1power trip signal generates a scram when reactor power is greater than the setpoint.

Table 7-3 -Trips Associated with the NP-1000 Trip Function Trip Setpoint Action HV voltage low 20% loss of HV Scram Overpower 2:1.1 MW Scram The NP-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connector on the rear panel.

The NP-1000 has test modes to allow for testing the proper perfo1mance of the electrometer and to ensure the fonctionality of all trip circuits. Test modes include High Power, Ramp, Manual and HV Low. The HV Low and High Power test modes cause the bi-stable trips to alaim . The Ramp and Manual test modes cause the bi-stable trips to alann when the ti*ip set point is exceeded as the power is ramped up. Test modes can be enabled via the touch screen or a remote interface.

7.2.2.1.4. NPP-1000 Linear Power Pulsing Monitor The NPP-1000 is designated as Safety Channel No. 2. The design fonction of the NPP-1000 is to meas ure neutron flux in order to provide the following:

Percent linear power indication.

Automatic scram on overpower conditions.

Analog outputs to the bargraphs and recorders for steady-state operation.

Digital outputs to the reactor conti*ol console for steady-state operation.

In addition, the insti1unent is to measure the neutron flux for pulsing operations and to provide that information to the reactor conti*ol console for post pulse storage and analysis.

7-19 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 The NPP-1000 is a nuclear instrument module that provides percent reactor power indication, bi-stable trip circuits, circuitry applicable to pulse monitoring and outputs to other devices. In steady-state mode the module processes current from a fission chamber.

The NPP-1000 percent reactor power monitoring instrument is a linear current-to-voltage signal conditioning device which includes a high-voltage power supply, adjustable bistable trip circuits for local and remote alarms and isolated current or voltage outputs for display by other devices.

The NPP-1000 also measures reactor power during the pulsing mode of operation. Because reactor power may reach levels several thousand times greater than the maximum steady-state power levels during a pulse, the NPP-1000 has special hardware to measure this event accurately. This includes circuitry to allow remote gain selection.

The NPP-1000 provides linear power measurement from approximately 1% power through the pulsing range up to 6500 MW and is designated as Safety Power Channel #2. The detection mechanism for the NPP-1000 is chosen based on the mode of operation. A fission chamber is used when the reactor is in steady-state mode while an uncompensated ionization chamber or Cerenkov detector may be used when the reactor is in pulse mode.

Figure 7 Block Diagram of the NPP-1000 The trip/alarm board contains six identical circuits to generate all trip/alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states 7-20 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparator will switch states. Once a trip has occurred, the circuit latches in the ti*ipped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset. Diodes and opto-isolators are used for isolation of the ti*ip/alaim signals.

The analog trip relays are held energized in a fail-safe condition until an alai-in (or loss of power) de-energizes the coil. Three of the six bistable trips are active and are listed in Table 7-4 and described below. All ti*ips associated with the NPP-1000 ai*e scrams and ai*e enforced by hardware and ai*e not dependent on any softwai*e.

The relays are provided with two sets of contacts, each set with one n01mally open and one n01mally closed pair of contacts. The relays are held energized in a fail-safe condition until an alaim de-energizes the coil.

The loss of high voltage trip signal generates a scram when high voltage (HV) to the channel falls below the setpoint.

The ove1power trip signal generates a scram when reactor power is greater than the setpoint The ove1power trip is only active in steady state mode.

NVT High generates a scram signal if the total energy of a pulse is greater than the setpoint. The NVT High ti*ip is only active is pulse mode.

Table 7 Trips Associated with the NPP-1000 Trip Function Trip Setpoint Action HV voltage low 20% loss of HV Scram Overpower (steady-state) 2:1.1 MW Scram NVT high (pulsing only) 50MW*s Scram Relays ai*e provided with two sets of contacts, each set with one normally open and one normally closed pair of contacts. The relays are held energized in a fail-safe condition until an alarm deenergizes the coil.

The NPP-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connector on the rear panel.

The NPP-1000 has test modes to allow for testing the proper performance of the electrometer and to ensure the functionality of all ti*ip circuits. Test modes include High Power, Ramp, Manual, HV Low and Pulse. The HV Low and High Power test modes cause the bi-stable ti*ips to alann. The Ramp and Manual test modes cause the bi-stable ti*ips to alarm when the ti*ip set point is exceeded as the power is ramped up. The Pulse test mode is used to test pulsing. Test modes can be enabled via the touch screen or a remote interface.

7-21 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.2.2.2 Fuel Temperature Monitoring Equipment 7.2.2.2.1. NFT-1000 Fuel Temperature Monitor The NFT-1000 is designated as the Fuel Temperature Measuring Channels. The design function of the NFT-1000 is to measure fuel temperature in order to provide the following:

Fuel temperature indication.

Automatic scram(s) on high fuel temperature conditions.

Analog outputs to the bargraphs and recorders for steady-state operation.

Digital outputs to the reactor control console for steady-state operation The NFT-1000 is a nuclear fuel temperature module that provides fuel temperature indication, bi-stable trip circuits and outputs to other devices. The module has three independent channels to process inputs from Type K thermocouples. Temperature transducers convert the millivolt inputs from the thermocouples to usable voltage levels that drive bi-stable trips for local and remote alarms and isolated current or voltage outputs for display by other devices. The NFT-1000 is calibrated to measure temperature from 0 to 1000°C.

The NFT-1000 nuclear fuel temperature monitoring module has a capability to measure and capture pulse data, which is temperature values recorded and stored frequently, for a short period during and after a reactor pulse.

Figure 7 Block Diagram of the NFT-1000 The trip/alarm board contains six identical circuits to generate all trip/alarm indications. Every circuit is jumper configurable for a rising or falling trip. A comparator monitors an incoming signal 7-22 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2 .390 voltage an d compar es it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below th e reference voltage, the compar ator will switch states. Once a trip has occurred, the circuit latches in the ti*ipped state. The only way to unlatch the circuit is for the user to apply a reset signal, even if all signal levels return to nominal prior to the reset. Diodes and opto-isolators are used for isolation of the ti*ip/alaim signals.

The an alog ti*ip relays ai*e held energized in a fail-safe condition until an alai-in (or loss of power) de-energizes th e coil. Three of the six bistable trips are active and are listed in Table 7-5 and described below. All ti*ips associated with the NFT-1000 are scrams an d ai*e enforced by hardware and ar e not dependent on any softwar e.

The relays are provided with two sets of contacts, each set with one n01mally open and one n01mally closed pair of contacts. The relays ai*e held energized in a fail-safe condition until an alaim de-energizes the coil.

The three independent High Fuel Temperature scrains ar e generated when the fuel temperature is greater than the setpoint.

Table 7-5 -Trips Associated with the NFT-1000 Trip Function Trip Setpoint Action High Fuel Temp Channel 1 2:600 °C Scram High Fuel Temp Channel 2 2:600 °C Scram High Fuel Temp Channel 3 2:600 °C Scram Relays are provided with two sets of contacts, each set with one normally open and one normally closed pair of contacts . The relays are held energized in a fail-safe condition until an alan n de-energizes the coil.

The technical specifications only require two fuel temperature measuring channels an d associated scram s to be operational. The third channel provides redundancy and is an installed fully function al m-serv1ce spare.

The NFT channels ai*e labeled 1, 2 and 3 while the ti*ips are labeled with numbers 1 through 6, since there ai*e 2 trips per channel. Channel 1 has ti-ip 1 and 2, Channel 2 has ti*ips 3 and 4 and Channel 3 has trips 5 and 6. The odd numbered trips ai*e scrams while the even numbered ti*ips are wainings. SCRAM Pane on the Left Side Display is labeled as "NFT Hi Temp SCRAM".

The WARNINGS annunciator on the Left Side Display is labelled as:

NFTl Hi T l " (scram)

NFTl Hi T2" (wai*ning)

NFT2 Hi T3" (scram) 7-23 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2 .390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 NFT2 Hi T4 (warning)

NFT3 Hi T5 (scram)

NFT3 Hi T6 (warning)

The NFT-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connector on the rear panel.

The NFT-1000 has test modes to allow for testing the proper performance of the module and to ensure the functionality of all trip circuits. Test modes include High Temp, Low Temp, Manual A, Manual B and Manual C. All test modes cause the bi-stable trip relays to de-energize and alarm.

The manual modes allow the user to adjust a front panel potentiometer to cause a bi-stable trip to alarm. Test modes can be enabled via the touch screen or a remote interface.

7.2.2.2.2. Instrumented Fuel Element The NFT measures the thermocouple inputs from the instrumented fuel element (IFE) shown in Figure 7-12. Although each individual IFE has three independent thermocouples for measuring fuel temperature as shown in Figure 7-12, only one thermocouple from a single IFE is used to provide an input to the NFT-1000 module. Each NFT-1000 module provides a high-temperature scram. While only two are required for the Technical Specifications, all three are used. One fuel temperature channel is used to drive an analog bar graph on the console and to provide a signal for the existing paper chart recorder in the auxiliary console. Each of the three fuel temperature signals are independently analyzed but housed in the same NFT-1000 module.

7-24 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7-25 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Core Locations of the Instrumented Fuel Elements Table 7-6 -Locations of Significant Core Components Component Grid Location Instn 1mented Fuel Elements (IFE) B5, C2, C6 Fuel Follower Control Rods D-1 , D-7, D-13 Transient Control Rod A-1 Non-Fuel Location, Al Tube-Filled Hole E-23 Non-Fuel Location, Water-Filled Hole F-9 7-26 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.3 REACTOR CONTROL SYSTEM (RCS)

The Reactor Control System (RCS) performs several functions, including system startup, system shutdown, maintaining a shutdown state, changing power levels and maintaining operation at a set power level. Since the reactor is of TRIGA design, the RCS is capable of rapidly inserting reactivity into the reactor core to produce high power pulses through activation of the transient rod. The RCS subsystems are: control rod drives, automatic control, control rod interlocks and the facility interlock system. The interlocks are separated into two groups: those which protect the reactor itself and those which protect facility personnel. There are no experiment specific facility interlocks.

This section shows that the reactor control system will maintain the system within licensed limits during normal operation and ensure the impact of failures in the control system is appropriately included in the accident analyses. It shows how the RCS system design is suitable for performing the functions stated in the design bases.

The design criteria for the Reactor Control System are:

A single failure will not prevent achieving and maintaining a safe shutdown condition.

Instruments and equipment are designed to fail-safe or to assume a safe state.

Redundancy and diversity

Systematic, nonrandom, concurrent failures of redundant elements in the design through the use of independence, separation, redundancy and protection against anticipated events.

7.3.1 Control Rod Drives The standard control rod drives are rack and pinion type that are driven by . The controllers for the and limit switches are housed in the Data Acquisition Cabinet (DAC). The control rod drives are designed such that there is no single point failure amongst the drives and that in the event of a failure, they default to a safe status. The drives are independent of each other and redundancy is achieved through using separate rod drive motors for each drive, that is, the rods are not coupled together in any way. Systematic nonrandom concurrent failures of the drives is prevented whenever possible.

The specific function of the control rod drives is to manipulate reactivity in the core at the appropriate time. The rod drives are coupled to either an electromagnet or an anvil (transient rod).

As the rod drives travel through their range of operation, their position is made available to the DAC and thereby presented to the operator.

The rod drives themselves do not provide any safety function. In the event of a scram, the magnets are de-energized (or air pressure released for the transient rod drive) and the control rods are dropped into the core by the force of gravity, while the drives are driven to their bottom limit. To prevent a scenario in which the safety limit could be threatened, or otherwise unsafe conditions created, interlocks are provided which prohibit rod withdrawal. Refer to Section 7.3.4.

All rod drives receive power from a common source and a common system provides actuating logic for the drive mechanism. The logic is handled in the control console while the drive communication channels are housed in the DAC.

7-27 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 The mounted on each control rod drive assembly drives a pinion gear and a 10-tum potentiometer via a chain and pulley gear mechanism. The potentiometer provides rod position infonnation on the operator console. The pinion gear engages a rack attached to the magnet draw tube.

The control rod drives are connected to the control rods through a connecting rod assembly. An electromagnet, attached to the lower end of the magnet draw tube, engages an iron aim ature, which in tum is screwed an d pinned into the upper end of the connecting rod that terminates at its lower end in the control rod itself. The magnet, the aim ature, an d the upper portion of the connecting rod ai*e housed in a tubular barrel that extends below the reactor water line. Located paii way down th e connecting rod is a piston. The upper portion of the baiTel is ventilated to pe1mit unrestricted movement of the piston in water, whereas the lower 2 inches of the ba1Tel provides a damping action when the electromagnet is de-energized and the control rod is released. Refer to Figure 7-1 4 for a diagram of a standai*d control rod drive.

When th e is energized (via the rod control UP or DOWN button on the operator console rod control panel), the pinion geai* shaft rotates, thus raising th e magnet draw tube. If the electromagnet is energized, the annature an d the connecting rod will raise with the draw tube so that the control rod is withdrawn from the reactor core. In the event of a reactor scram, the magnet is de-energized, and the aim ature will be released. The connecting rod, the piston, and the control rod will then drop; thus reinse1iing the control rod by gravity into th e reactor core.

7.3.1.1 Control Rod Drive Limit Switches A spring-loaded pull rod extends ve1i ically through a housing and up through the block. The lower end of this rod tenninates in an adjustable foot that protmdes through a window in the side of the baiTel. The foot is placed so as to be depressed by the ai*mature when the connecting rod is fully lowered. Raising the rod releases th e foot, allowing the pull rod to be driven upwai*d by the force of the compression spring. The top of the pull rod te1minates in a fixture which engages the actuating lever on a Inicroswitch. As a result, the microswitch reverses position according to whether or not the aim ature is at its bottom liinit. This Inicroswitch is the rod DOWN switch.

A push rod extends down through the block into the upper po1iion of the baiTel. It is aiTanged so as to engage the top surface of the magnet assembly when the magnet draw tube is raised to its upper limit. The upper end of the push rod is fitted with an adjustment screw which engages the actuator of a second Inicroswitch. Thus, this Inicroswitch reverses position according to whether the magnet is at or below its full up position. This Inicroswitch is the magnet UP switch.

A bracket, fitted with an adjustment screw, is mounted on top of the magnet draw tube. A third Inicroswitch is aiTanged so that its actuating lever is operated by the adjustment screw on the bracket. The switch will thus reverse position according to whether the magnet draw tube is at or above its completely inse1ied position. This Inicroswitch is the magnet DOWN switch.

7-28 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 The up/down rod control signals, limit switch signals, Rod Position Indication (RPI) information, and magnet power are interconnected between the DAC and control rod by a cable assembly. The rod drive motor control signals are connected to each translator via a second cable assembly.

Rl>.CKDRIVE - - - L IMIT SWITCH 1>.CTUl>.TOR (CONTROL ROD DRIVE DOWN)

CONTROL ROD DOWN. - -~ _ _CONTROL ROD ORNE LIMIT SWITCH - DOWN LIMIT SWITCH CONTROL ROD DRIVE UP,---.._

LIMIT SWITCH.

CONTROL ROD DRIVE UP. _ _____

PUSH ROD PULL ROO- - - - - - <oj Mt>,GNET*- -- --1-Ut:!::::::~. -- - -Bl>.RREL ARlv~TURE------H,~~J_=lrl AIR DAMPENER- - -'

~ - - --CONNECTING ROD Figure 7 Standard Control Rod Drive and Limit Switches 7-29 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.3.2 Transient Rod The transient rod is pneumatically and electrically driven. AC power is used to activate the motor.

Limit switches are used to control the AC power. The pneumatic electromechanical drive allows operations in two different modes:

Steady-state mode, air pressure holds the transient rod up against an anvil, allowing fine position control via the motor drive;

Square wave or pulse mode, the anvil may be prepositioned and application of air pressure permits ejection of a predetermined amount of the transient rod from the core.

Figure 7-15 is representative of the transient rod installed at AFRRI.

The pneumatic portion is a single acting pneumatic cylinder with the piston attached by a connecting rod to the control rod. When the cylinder and transient rod are down, actuating the air solenoid allows air to be applied to the cylinder. With air applied, as the cylinder is run off its bottom position with the motor and associated gear box, the rod rises. The motor drives a ball nut assembly through a worm gear. The balls engage in threads on the outside of the cylinder which can thus be raised or lowered to limit the upper position of travel of the transient rod. A potentiometer is gear driven by the worm gear shaft to provide rod position indication. The direction of the motor is controlled by the user via the console rod control panel UP and DOWN buttons. A Scram of the transient rod is accomplished by de-energizing the air solenoid valve which interrupts the air and relieves the pressure in the cylinder so that the rod will reinsert under gravity.

The motor driving the transient rod has two windings, one for up and one for down motion. When the rod is in steady-state (not moving), both motor windings are energized, holding the motor in a locked position. To move the rod, the motor winding opposite to the desired direction of movement is de-energized.

The transient rod drive employs three limit switches. They are motor (cylinder) up, motor (cylinder) down and rod down. Refer to Figure 7-16 for a diagram of the transient rod limit switches. A bracket extends over the top of the cylinder. A switch on the bracket opens a contact in the up circuitry when the shock absorber assembly contacts it. The bracket itself is substantial enough to stall the motor should the switch contact fail to open.

For pulsed reactor operation, the cylinder is raised to the desired height to control the overall travel and hence the reactivity inserted for the pulse. With no air pressure applied, the rod stays at the bottom. If all necessary conditions for pulsing are met, compressed air is admitted at the lower end of the cylinder to drive the piston upwards. The air being compressed above the piston is forced out through vents at the upper end of the cylinder. At the end of its stroke, the piston strikes the anvil of the shock absorber. The piston is thus decelerated at a controlled rate at the end of its stroke. This action minimizes rod vibration after transit. The resulting reactivity insertion is dependent on the position of the cylinder prior to applying air.

7-30 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 VENT tfOl.fS - - - -- ..,./

PISTON 1

~ 1 - - - - -WOR.Vi

'.: t- - + - - - - BALLIIIJT PlSTON ROIJ'

===::::.:::::-_- . SUPPLY AIR SUPP\..Y 1-DS:E SO..EJ\100 VAL.VE _j BOTTOM hlT - - - - '*

Figure 7 Transient Rod Drive 7-31 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 6,,

POTBiTIOf.lETER FOR AOOPOGITIOtC ttO CAlCA LOYeUMIT$\fTQ-I

.~- - -FOOTSMTCH

~!.-------""'"'"'""'

Figure 7 Transient Rod Drive Limit Switches 7-32 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.3.3 Manual and Automatic Mode The reactor power regulating system manages all control rod movements taking into account the choice of operating mode and interlocks. The system has two control modes, manual and automatic. Both control modes may be used for reactor operation from source level to 100% power.

The reactor can be started up in manual mode or automatically at a constant reactor period. The control rods are prevented from being withdrawn in automatic mode if the reactor power period is shorter than +8 seconds. In manual mode, the control rod drives operate at the maximum speed as set by the potentiometer whereas in automatic mode, slower speeds may be initiated to create a slower rate of reactivity change.

7.3.3.1 Manual Mode Manual control of the reactor is performed by engaging both the magnet power and air for the transient rod and depressing the rod UP or DOWN buttons on the rod control panel for the transient, shim, safety, or regulating rods. These will move the corresponding drive motor in the up or down direction. The logic to determine the safe movement of a control rod is performed with software and contains several conditionals to ultimately allow voltage application to the motor.

1) Control rod DOWN buttons are given precedence over UP

2) Any number of DOWN buttons can be selected at once to initiate multiple rod insertions

3) UP buttons are only active in Manual mode

4) Only one UP button can be pressed at a time

5) Drive motion stops upon pressing multiple UP buttons

6) Banked movement is allowed when the rod select switch is activated in auto mode The MAGNET and AIR buttons on the top row is used to quickly insert the associated control rod by interrupting the current to the rod drive magnet or by removing the air to the transient rod. If the rod is above the down limit, the rod will fall back into the core by gravity when the button is pushed. The magnet is then automatically driven to the down limit, where it again contacts the armature on the connecting rod. The operator can scram all of the rods at any time in either mode of operation by pressing the SCRAM button on the right side of the control panel.

The middle row of buttons (UP) and the bottom row (DOWN) are used to position the control rods.

Pressing one of the buttons causes the control rod to move in the indicated direction. A digital position indicator on the rod drive determines the position of each control rod.

ROO CONTROL a 8 a'l TRANSENT SHM SAFETY AEO OFF [ [ ] RESET I MAGN1 G G MAONET POWER

[G] II DOWNII B B Figure 7 Rod Control Panel 7-33 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.3.3.2 Automatic Mode The reactor control system, when placed in Automatic Mode, will automatically control positions of the Shim, Safety and Reg rods, depending on bank selection, to maintain a specific power level based on the % Power reading from the NMP-1000, the reactor period from the NLW-1000 and the demand power level. The demand power level is taken from the setting of the power demand set on the Left Side Status display and indicated at top left of the Right Side graphics display.

In Automatic Mode, the computer controls the rods based on the bank selection according to a PID algorithm to drive the rods either up or down based on a comparison of the reactor power with the demand power and reactor period. The computer controlled rods have a range of 1% to 99% of rod travel (i.e., Automatic Mode will not allow the rods to be withdrawn past 990 units, or inserted below 10 units). A trip from the NMP-1000 or a communication error will result in rod control reverting back to Manual Mode. Automatic Mode must be re-enabled once condition(s) clear.

In automatic mode, the following rod combinations can be selected for banked rod movement:

Regulating Rod Only Shim and Regulating Rod Shim, Safety, and Regulating Rod When utilizing the automatic mode, the reactor power is compared against the power demand setting to obtain an error number. When the power demand has more than 2% deviation from the measurement from the NMP-1000, the rods (as selected by the combinations listed above) are moved into or out of the core. Rods are controlled with variable speed to allow for minor corrections in reactor power with small deviation and major corrections in reactor power for large deviations. Variable speed also enables the algorithm to achieve the desired power with minimum overshoot or undershoot. The rod speed may never exceed hardwired limit of 30 inches/minute.

The NLW-1000s period signal is provided and will inhibit rod withdrawal if the reactor period exceeds +8 seconds.

Operating in Square Wave mode must be done with the reactor in steady-state mode. With the power less than 1000 W (as determined by the NLW-1000) and the transient rod air supply turned off, the Square Wave mode switch can be depressed. This will change the console from steady-state to Square Wave mode. Upon pressing the FIRE button, the reactor power will increase to the demand power level. Upon achieving the desired power level, the console will switch to Automatic Mode to maintain the reactor at this constant power level. If the desired power level is not reached within 30 seconds, the system will switch to Manual Mode and display a message to the operator on the Annunciator Pane.

7.3.4 Rod Withdrawal Interlocks Rod Withdrawal Interlocks prevent the movement of the control rods from their inserted core position in the upward direction under the following conditions:

Scrams not reset

Low count rate on the NMP-1000

NMP-1000 exhibiting a High-Voltage Low condition

NLW-1000 Reactor period shorter than +3 seconds 7-34 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

More than one UP switch depressed at the same time on the rod control panel

Mode switch in AUTOMATIC position

The 1-kW interlock to prevent pulsing when wide range log power is above 1 kW

Interlock to prevent the shim, safety and regulating rods from being withdrawn in pulse mode

Interlock to prevent the application of air to the transient rod drive mechanism in the steady-state mode unless the drive cylinder is fully inserted

Interlock to ensure that only one control rod can be manually withdrawn at a time in the square wave mode, excluding the transient rod

Demineralizer Inlet Temp above 60°C

Pool Level below 1 There are no interlocks that prevent downward motion of the control rods.

7.3.5 Facility Interlock System (FIS)

The Facility Interlock System (FIS) is designed to eliminate the possibility of accidental radiation exposure of personnel working in the exposure rooms or the preparation area and to prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud. These interlocks prevent rotation (i.e., opening or closing) of the reactor tank shield doors and the operation and movement of the reactor core between different regions unless specific operating conditions are satisfied.

The FIS is designed such that if any of the relays fail, they will default to the more conservative setting of an open circuit and thereby prevent facility operation.

The FIS is designed to prevent inadvertent operation of the facility when a set of conditions have not been met. All of the interlocks are binary (on/off, open/closed, etc) and must be met prior to operation. The FIS consists of a central cabinet and various peripherals such as motor control centers (MCC), horns, limit switches, etc. The FIS central cabinet houses the relay logic that controls the FIS. The FIS using limit switches and pushbuttons enforces a straightforward logic table to perform its function. The FIS interfaces to the console and DAC via relays to electrically isolate the various systems.

The FIS interfaces to the console Magnet Power key switch to enforce its logic and to also sound a horn in the necessary exposure room(s) for 30 seconds when the reactor is about to start operation. Since some biological experiments are noise sensitive it is possible to bypass the horn.

The horn bypass for each exposure room consists of two switches wired in parallel located inside the exposure room. Only after two operators have verified that the room is empty may the horns be bypassed.

Refer to Figure 7-18 for a block diagram of the FIS.

7-35 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Facility Interlock System Block Diagram Certain facility interlock permits must be satisfied before the scram loop can be completed and the standard control rod magnet power circuits and the transient control rod air circuits can be energized. The following must be true:

1. The Key Switch must be in the ON position.

AND

2. All emergency stop circuits in the exposure rooms and control system console must be energized.

AND one of the following:

3a. The tank lead shield doors must be fully closed, AND the plug door for the exposure room against which the reactor is to be operated must be closed, AND the reactor must be in the corresponding region.

OR 3b. The tank lead shield doors must be fully opened, AND both plug doors for the exposure rooms must be closed.

Once these permits have been satisfied, the input to the scram loop can be satisfied and the control rod magnet and air circuits can be energized using the procedure detailed below.

1) Momentarily turn the console key switch to RESET. Release the key. The horn sounds for 30 seconds and creates an audible alarm. At the end of the 30 second startup delay, the input to the scram loop is complete.

7-36 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 NOTE: The Time Delay light on the Mode Control Panel will extinguish after the 30 second startup delay. The Reactor Power indicator on the Mode Control panel will be illuminated when the reactor permissive has been satisfied and magnet power can be applied.

2) After another RESET from the console key switch, power is now supplied to the magnet and transient rod air circuit, assuming all other scram loop inputs were also satisfied.

7.3.6 Technical Specifications for Reactor Control System 3.2.1.a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

3.2.1.b. The reactor shall not be operated unless the four control rod drives are operable except:

a. the reactor may be operated at a power level no greater than 250kw with no more than one control rod drive inoperable with the associated control rod drive fully inserted.

3.2.1.c. The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second.

Table 1. Minimum Measuring Channels Effective Mode Measuring Channel Steady State Pulse Fuel Temperature Safety Channel 2 2 Linear Power Channel 1 0 Log Power Channel 1 0 High-Flux Safety Channel 2 1 (1) Any Linear Power, Log Power, High-Flux Safety or Fuel Temperature Safety Channels may be inoperable while the reactor is operating for the purpose of performing a channel check, test, or calibration.

(2) If any required measuring channel becomes inoperable while the reactor is operating for reasons other than that identified in the previous footnote (1) above, the channel shall be restored to operation within five minutes or the reactor shall be immediately shutdown.

7.3.7 Technical Specifications for Facility Interlock System Facility interlocks shall be provided so that:

3.2.3.a. The reactor cannot be operated unless the lead shield doors within the reactor pool are either fully opened or fully closed; 7-37 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 3.2.3.b. The reactor cannot be operated unless the exposure room plug door adjacent to the reactor core position is fully closed and the lead shield doors are fully closed; or if the lead shield doors are fully opened, both exposure rooms plug doors must be fully closed; and 3.2.3.c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

7.3.8 Technical Specifications for Control Rod Interlocks The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 3. Minimum Reactor Safety System Interlocks Effective Mode Action Prevented Steady Pulse State Pulse initiation at power levels greater than 1 kW X Withdrawal of any control rod except transient X Any rod withdrawal with count rate below 0.5 cps as X X measured by the operational channel Simultaneous manual withdrawal of two standard rods X Any rod withdrawal if high voltage is lost to the X X operational channel Withdrawal of any control rod if reactor period is less X

than 3 seconds Application of air if the transient rod drive is not fully down. This interlock is not required in square wave X mode.

Reactor safety system interlocks shall be tested daily whenever operations involving these functions are planned 7-38 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.4 REACTOR PROTECTION SYSTEM In the event of a monitored parameter exceeding a specified limit or upon operator intervention, the Reactor Protection System (RPS) will place and maintain the reactor in a safe, subcritical, shutdown. This prevents the operation of the facility where risks such as fuel damage, release of radioactive materials, or overexposure of personnel to radiation could occur. Parameters monitored for this purpose include neutron flux, fuel temperature, coolant level, area radiation, and the release of radioactive materials. The accident analyses of Chapter 13 of the SAR discuss postulated accident scenarios and demonstrate that in the event of a complete failure of the reactor safety system coincident with the most adverse accident results in negligible radiological consequences.

Given this conclusion, it is not necessary for the Reactor Protection System to be separate and independent of the Reactor Control System. Redundancy exists for the most important parameters measured in the facility including fuel temperature, neutron flux monitoring, and radiation levels.

The reactor protection system evaluates the signal from the reactor instrumentation system and may take protective action if the parameter is outside acceptable range. The RPS is primarily housed in the Data Acquisition Cabinet (DAC), although some components (such as a manual scram switch) are located in the control console. The components which make up the RPS include the NMP-1000, PA-1000 (adjacent to the DAC), NLW-1000, NP-1000, NPP-1000, and the NFT-1000. These units all evaluate their respective analog signal and may scram the reactor. There is no communication between units and the scram functionality of one does not depend on any of the others. Additionally, the units split the analog signal and provide it to analog bargraphs visible to the operator as well as a digital conversion for transmission to the main operator control screen and data archiving. The transmission of data from the units to the console is via air gapped Ethernet communication. The analog scram function of the units does not depend on the digital conversion capability. The neutron flux range of each instrument is shown in Figure 7-4. The fuel temperature measurement is measured in the range of 0 to 1000°C. The period measurement covers the range of available periods possible.

There is no voting among the channels in order to determine if there should be a scram of the system. Any single parameter that is outside of the normal operating range will cause a scram.

When a scram is initiated, magnet power is removed (and transient rod air pressure removed) and the control rods fall into the core under the force of gravity. The shim, safety, regulating, and transient rod drive motors all drive to the bottom limit switch after a scram.

7.4.1 Design Criteria As with the design of the rest of the facility, there are no single failures of any subsystem of the RPS which would prevent the greater system from functioning as expected. Each individual component will cause a scram regardless of the status of any other module. Fail-safe design is achieved through allowing any one system to initiate protective action. There is no voting or other logic whereby communication between channels is required.

Standard criteria for the design of nuclear facilities is the application of redundancy and diversity.

This practice is achieved in the RPS by having multiple instruments measuring parameters throughout the operating range of the facility. Multiple measurements of the power level and the fuel temperature are made by independent channels. There is no possibility of systematic nonrandom concurrent failures of elements in the design due to the independence between the channels, various locations of detectors around the core, and fail-safe design.

7-39 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.4.2 Design Basis Before the fuel temperature safety limit is exceeded, the fuel temperature and power level scrams provide protection to ensure that the reactor can be shutdown. While the fuel temperature limit can never be exceeded, other facility parameters such as power level and period are dependent on the operating mode of the reactor. These modes can be classified as steady-state and pulse modes. The power level can vary from shutdown through 1.1 MW in steady-state mode and up to several thousand MW in pulse mode. The power level measurement is performed by at least two channels at all steady-state powers. In pulse mode, the reactor power is measured by the NPP-1000 and supplemented by the fuel temperature measurement. Local indication of the power level is available on the instrument face as well as at the control console on analog bargraphs and the main operator display screens. Following shutdown, the power is exponentially decaying and approaches shutdown levels. During a postulated accident, the reactor power should never exceed the maximum pulse power and remains within the measurement capacity of the system.

In steady-state mode, the period can vary between -30 seconds and +3 seconds and is measured by the NLW-1000. There are no period limitations in pulse mode. The measured reactor period is displayed on the face of the channel itself as well on the operator console via analog bargraphs and the main operator display screen. Following shutdown, the reactor period initially goes to -30 seconds and slowly returns to infinity with time.

Additionally, regardless of the operating mode, the fuel temperature shall never exceed 600°.

This fuel temperature is measured by three thermocouples in the reactor and three independent processing units of the NFT-1000. These channels have local indication as well as on the operator console with the analog bargraphs and operator display. Following shutdown, the fuel temperature will return to equilibrium with the bulk coolant. The rate of temperature decrease is dependent on the differential between the fuel and coolant temperatures. During a postulated accident the fuel temperature should never exceed the limitations of the NFT-1000.

To prevent incorrect measurement of the neutron flux (and by extension the reactor power), the reactor will trip on a high voltage loss of the safety channel. The detector high voltage is typically in the 750 Vdc range and is maintained at the appropriate value provided the reactor system is powered on. In normal operations, high voltage is applied to the detectors regardless of facility status. During a postulated accident, there are no scenarios where the high voltage applied to neutron flux detectors would be changed. The high voltage value is displayed on the local instrument, but a low-HV trip is displayed on both the local instrument and at the control console.

Sufficient pool water level ensures cooling capacity and radiation protection at the pool top. The Technical Specifications require that it should be no less than 14 feet from the top of the core, however, when the pool is completely full, the value is approximately 16 feet. The measurement is performed by a float in the reactor pool. Actuation of the pool float switch is visible from the control room or through visual inspection. The coolant level is maintained regardless of the operating state of the reactor. During a postulated accident, the coolant level should remain constant. Additional coolant water is available within the facility to provide replacement for any decrease in normal operating levels.

7-40 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.4.3 Subsystem Description The Reactor Protection System (RPS) provides messages to the Status display in the form of scram messages, Annunciators/alarms and interlocks. Alarm messages are logged in the Annunciator Pane of the Right Side Graphics display.

The primary function of the RPS is to scram the reactor by causing the control rods to insert into the core in response to certain abnormal reactor operating conditions. The RPS initiates a reactor scram in response to a trip being generated by one of the sensors in the scram loop, a manual scram signal from the reactor operator or an external scram signal from other sensors connected to the scram loop by interrupting the current to the electromagnets that link the control rods to the control rod drives and by removing the air from the transient rod air solenoid valve. After a delay of about 25 msec (for the magnetic field to decay), the magnets release the control rods, which fall into the core by gravity, taking no more than one second to fully insert. All scram conditions are automatically indicated on the console displays. The manual scram may be used for a normal fast shutdown of the reactor. The reactor can also be scrammed by turning the magnet power key switch to the OFF or RESET positions.

The RPS is automatic and completely independent of other systems, including the power regulating system. The scram circuits and components are completely hardwired and do not in any way depend on the CSC computers or any software to perform a scram. Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the trips so that the reactor can be operated at conditions that are beyond the limits defined by the trip set points.

The RPS has no known susceptibility to common cause failures other than as a possible result of some undefined internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence (of the safety channels),

and diversity designed into the RPS provides a large measure of protection against common cause failures. However; it is important to note that even should they occur, common cause failures cannot prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets that connect the control rods and control rod drives, causing the control rods to drop into the core.

The limited actions performed by the RPS are entirely adequate to ensure that the reactor remains safe under all off-normal and accident conditions. Once initiated, the actions initiated by the RPS cannot be impaired or prevented by manual intervention, and no manual actions are necessary within a short time to supplement the RPS actions. Also, the actions initiated by the RPS are not self-resetting. The reactor operator must clear all scrams before reactor operation can be resumed.

7-41 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.4.3.1 Scram Loop Circuit The scram logic circuitry involves a set of open-on-failure (fail-safe) logic relay switches in series.

Any scram signal or component failure results in a loss of magnet power and loss of air to the transient rod cylinder. Figure 7-19 details the scram loop.

. r" I . ,~,

I I,--

' *)

'T ~

(1*) [ ,~~ ( * )

.r ~ .. l

/~~----

°'~ ......,

.....l/111 =

~-~...

o-~ n'*:*

- i I~-,-

1'r-Figure 7 Scram Circuit Diagram The scram loop is powered by a +24 Vdc power supply which supplies current to the magnets. In the event of a fault, a number of contacts all have the capability to interrupt this current. The following contacts are part of the scram loop:

Manual Scram External 1 (Not Used)

Key Switch External 2 (Not Used)

NP, HV and %PWR External 3 (Not Used)

NPP, NVT, HV and %PWR Software CCS WDT AC Power Loss UIT WDT Reactor Permissive Relay Low Pool Level LATCH NFT1 Hi T1 Key Reset NFT2 Hi T3 Safety Magnet Switch NFT3 Hi T5 Shim Magnet Switch Reg Magnet Switch In the event of that an unsafe or abnormal condition occurs, the reactor operator has two scram options from the control console: the manual scram push button and the magnet power key switch scram.

7-42 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Manual Scram is a push button labeled SCRAM on the rod control panel. Pushing this button will interrupt current in both the positive and negative legs of the scram loop along with the transient rod air pressure. This is a momentary switch.

The Magnet Power Key Switch has three positions: OFF, ON, and RESET. It must be in the ON position to complete the loop and supply current to the magnets. RESET is a momentary contact.

It generates a digital input to the software that is only present as long as it is activated by the operator and is used for resetting the loop via the KEY RESET relay. When the reactor is operating, moving the console key to the off or reset position will cause a scram.

It is important to note that when the key switch is in the OFF position the scram loop is mechanically broken and that this is not controlled via software.

Power level scrams ensures the reactor will be shutdown prior to the fuel temperature safety limit being exceeded. In the steady-state mode, the two channels that perform the high power scrams are the NP-1000 and NPP-1000. In pulse mode, only the NPP performs a high-power scram, and the NP scram contacts are temporarily bypassed.

The neutron flux detectors rely on a high voltage differential to perform their measurement function. If the high voltage drops significantly, their ability to detect neutrons is inhibited and will result in an underestimation of the neutron flux within the core. Therefore, a loss of high voltage to any of the detectors for high flux safety channels will cause a reactor scram.

NP-1000 (with Pulse Bypass switch) monitors percent reactor power and HV going to the detector.

The NP has to indicate a fault (either sees Trip 1 at 110% reactor power or NP HV Low) before the reactor is scrammed. Note: This contact is bypassed during pulsing reactor operation.

NPP-1000 monitors percent reactor power, HV going to the detector and high neutron flux (NVT).

The NPP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power, NPP HV Low or NVT high) before the reactor is scrammed.

The CCS and UIT watchdog timers monitor the Linux and Windows computers. If either of the computers fails to send a signal to their WDT at least once approximately every 7 seconds, the respective WDT will time out and a scram occurs. Communication between the system components is necessary for the transmission of information to the operator. In the event of a loss of communication, a watchdog timer will initiate a scram.

Low Pool Level is set when the pool level float switch indicates that the pool level has fallen 6 inches below normal. The reactor pool water ensures adequate radiation shielding to the reactor bay as well as cooling capacity to the reactor.

NFT1 monitors the temperature for Temp 1 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 1 is above the High Trip 1, 600°C) before the reactor is scrammed.

This is labelled on WARNINGS Pane as NFT1 Hi T1 and on the SCRAMS Pane as NFT Hi Temp SCRAM.

NFT2 monitors the temperature for Temp 2 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 2 is above the High Trip 3, 600°C) before the reactor is scrammed.

This is labelled on WARNINGS Pane as NFT2 Hi T3 and on the SCRAMS Pane as NFT Hi Temp SCRAM.

7-43 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 NFT3 monitors the temperature for Temp 3 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 3 is above the High Trip 5, 600°C) before the reactor is scrammed.

This is labelled on WARNINGS Pane as NFT3 Hi T5 and on the SCRAMS Pane as NFT Hi Temp SCRAM.

The fuel temperature scram ensures the reactor can be shutdown prior to the fuel temperature safety limit being exceeded. In both the steady-state and pulse modes, at least two fuel temperature channels must be operable. The NFT-1000 instrument provides independent channels for each of three thermocouple inputs. Each channel has separate contacts in the scram loop.

EXTERNAL 1 is an external scram loop input for future use. This input is jumpered.

EXTERNAL 2 is an external scram loop input for future use. This input is jumpered.

EXTERNAL 3 is an external scram loop input for future use. This input is jumpered.

Software is an input that causes a scram when commanded to do so by the CCS computer. It deactivates when communication with the hub is lost. Note that this is a redundant feature. When the hub loses communication with the computer, it will put all relays in a failsafe state, thus scramming the reactor. It also deactivates when the magnet power key switch is turned to the RESET position, thus scramming the reactor.

Scram occurs when the scram timer on the Left Side Status display has expired.

Two types of timed scrams are available to the safety system and work within the scram logic.

These are used for experiments which need a predetermined exposure time and to ensure a pulse does not create excessive energy within the fuel.

The steady-state timer causes a reactor scram after a predetermined elapsed time. This value is entered on the control console during steady-state power operations. During a run, the timer may be started and stopped by the operator.

The pulse timer causes a reactor scram when in pulse mode. The timer may be set for a duration shorter than 15 seconds. However, the console will automatically initiate a scram timeout after 15 seconds.

AC Power Loss is a scram that occurs when AC input power to the UPS has been lost and the UPS battery is supplying power to the reactor control system. In the course of normal operations, a UPS unit provides power to the console while the UPS is supplied by building AC power. A loss of supply to the UPS will initiate a scram, however the console remains on. The UPS will provide approximately 15 minutes of runtime. The UPS is not a safety-related item, since upon the complete loss of all power, the reactor would automatically scram and enter and remain in a safe shutdown condition. The UPS enables monitoring of reactor conditions and allows a graceful shutdown of the console computers.

Reactor Permissive Relay is an input from the FIS. If no emergency stops are active and all the facility interlocks are satisfied after for a 30-second count down (TIME DELAY), the Reactor Permissive is satisfied.

To ensure personnel safety in the event of an administrative oversight, emergency stops are provided in each of the exposure rooms. Additionally, an emergency stop switch exists on the console for the operator to stop door motion and core motion. Any of these switches will initiate an immediate reactor scram and give indication to the operator on the console. Once the emergency 7-44 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 stop has been activated, it must be cleared by turning the key switch to reset. If the emergency stop was initiated from one of the exposure rooms, the local switch must also be reset. The buttons are push-to-activate and must be manually pulled out to permit operation. Once the reset is activated, the horns in the exposure rooms will once again activate with the associated time delay. This reset is required to initiate magnet power.

Lead shield doors are provided to reduce exposure from the core in undesired portions of the facility based on the current core location. Power for door rotation is transmitted through a set of reduction gears. Each shield door is connected to a reduction gear mounted on the side of the carriage track by a vertical shaft extending from the top of each door. Full travel path takes approximately three minutes (from full shut to full open). Once in a fully opened or closed position, limit switches are used to indicate status. These are located on top of the reduction gears and are part of the Facility Interlock System. The lead shield doors must be fully opened before the core can be relocated. If the reactor tank shield doors are in any position other than fully open or fully closed, a reactor scram will be initiated.

The LATCH contact is designed to permanently de-energize the loop after a scram has occurred.

The loop will stay de-energized until the operator places the Magnet Power Key Switch to the Reset position. Table 7-7 below lists the specific channels that perform automatic protective actions.

Table 7 Specific Channels Performing Safety Functions Effective Mode Channel Maximum Set Point Steady State Pulse NFT-1000 (1 & 2) 600°C 2 2 NP-1000, NPP-1000 1.1 MW 2 0 Console Scram Button Closure Switch 1 1 NP-1000, NPP-1000 20% HV Loss 2 1 Console Software 15 seconds 0 1 Exposure Room Switches (1 in each exposure Closure Switch 3 3 room, 1 on console) 14 feet from the top of the Float Switch 1 1 core Console Watchdogs On digital console 1 1 7-45 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.4.4 Reactor Fuel Temperature Scram Setpoint Determination The following uncertainty and safety system setpoint calculation for fuel temperature has been performed according to the general guidance and methodology provided in NRC Reg Guide 1.105.

The important parameter for a TRIGA reactor is the fuel element temperature. This parameter is well suited as a single specification because it can be measured via the instrumented fuel element.

A loss in the integrity of the fuel element cladding could arise from a buildup of excessive pressure between the fuel-moderator and cladding if the fuel temperature exceeds the safety limit. The pressure is caused by the presence of air, fission product gases, and hydrogen from the dissociation of the hydrogen and zirconium in the fuel- moderator. The magnitude of this pressure is determined by the fuel-moderator temperature and the ratio of hydrogen to zirconium in the alloy. The safety limit for the TRIGA fuel is based on data which indicates that the stress in the cladding will remain below the ultimate stress, provided that the temperature of the fuel does not exceed 1,000°C and the fuel cladding is water cooled.

To prevent exceeding the 1,000°C safety limit, the both the limiting safety system setting (LSSS) and limiting condition for operation (LCO) for the fuel temperature is 600°C as measured by the IFEs located in the B and C rings.

Instrumented fuel elements utilize K-type thermocouples connected to an NFT-1000 processing unit. The uncertainty associated with a standard K-type thermocouple is +/-2.2°C or +/-0.75%

whichever is greater. Therefore, at 600°C the uncertainty would be +/-4.5°C. The NFT-1000 processing unit has an uncertainty of +/-1% of full scale (1000°C), or +/-10°C. The total channel uncertainty would then be +/-11°C. Therefore, a 2 uncertainty would be +/-22°C. The actual safety system setpoint for fuel temperature shall be no more than 578°C.

K-Type Thermocouple uncertainty:

600 x 0.75% = +/-4.5 NFT-1000 Module uncertainty:

1000 x 1% = +/-10 Total Channel uncertainty:

= (4.5)2 + (10)2 = +/-11 2 = +/-22 7-46 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.4.5 Technical Specifications for Reactor Safety System 2.1 The maximum temperature in a TRIGA fuel element shall not exceed 1,000°C under any mode of operation.

2.2 The limiting safety system setting shall be equal to or less than 600°C, as measured in the instrumented fuel elements. There shall be two fuel temperature safety channels. One channel shall utilize an instrumented fuel element in the B ring, and the second channel shall utilize an instrumented fuel element in the C ring.

3.2.2 The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2. Minimum Reactor Safety System Scrams Effective Mode Maximum Channel Set Point Steady Pulse State Fuel Temperature 600°C 2 2 Percent Power, High Flux 1.1 MW 2 0 Console Manual Scram Closure switch 1 1 Button High Voltage Loss to Safety 20% Loss 2 1 Channel Pulse Time 15 seconds 0 1 Emergency Stop (1 in each exposure room, Closure switch 3 3 1 on console) 14 feet from the top of the Pool Water Level 1 1 core Watchdog (UIT to CCS) On digital console 1 1 7-47 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.5 ENGINEERED SAFETY FEATURES ACTUATION SYSTEMS There are no engineered safety feature actuation systems.

7-48 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.6 CONTROL CONSOLE AND DISPLAY INSTRUMENTS The Control System Console (CSC), where the operator conducts all licensed reactor operations, consists of two physically distinct sections: the reactor instrumentation and control console and the auxiliary console.

The CSC contains the computers (UIT and CCS), monitors, contrnl panels, modularized drawers, indicators, meters and recorders to present the data to the operator in meaningful engineering units.

The CSC operator interface provides the necessaiy controls and interfaces for the operator to safely staitup, manipulate reactor parameters, monitor the various operating parameters in its vai*ious modes of operation, and safely shutdown the reactor. See Figure 7-20 for a block diagram of the console.

Figure 7 Control System Console (CSC) Block Diagram 7.6.1 Design Criteria Outside of the common power source for the console, there are no single failures in the design of the reactor instrumentation and control system. Loss of any one screen or component on the control console does not propagate toward inhibiting the protective function of the RPS. Additionally, the control console is designed to fail-safe, therefore any failure will result in the reactor entering a safe shutdown. There are no protective functions as required by the minimum reactor safety system scrams that also rely on the operation of the contrnl console. The watchdog timer ensures the 7-49 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 information presented to the operator is current and active. In the event of a watchdog failure or any other malfunction of the control console, the operation of the individual reactor monitoring modules is not affected.

Redundancy and diversity are achieved in the control console by having a diverse set of important parameter indications on the console itself. These include analog bargraphs, chaii recorders, and the digital screen. Should any parameter 's trnstwo1ihiness be called into question, it may be validated by crosschecking the displays .

7.6.2 Design Basis The control console collects the data communicated by facility sensors and presents that data to the operator. These pai*ameters range from startup through pulse range. Additionally, the control console aids the operator in testing the functionality of the system and perfonning staiiup testing.

The startup test mode allows the operator to cycle through the required checks prior to operation.

An administrative mode allows approved facility personnel to perfo1m more advanced testing of the system.

7.6.3 Control System Console The Control System Console is composed of the following major components: The Console Computer System (CCS), the User Interface Terminal (UIT), the UPS, the Rod Control Panel, the Reactor Mode Control Panel the Bai* *a hand Recorder Panel and the com onent drawers.

Figure 7 Control System Console (CSC) AC Power Distribution 7.6.3.1 AC Power Distribution AC power is supplied to the console and lands on TB 1 on the te1minal block panel A7. From there, AC power is fanned out to the UPS and one rackmount power strip. Four more identical rackmount power strips plug into the UPS. Every strip has 8 outlets and features a 15A resettable circuit 7-50 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 breaker. Power can be turned on and off with a lighted switch on the console. All console drawers and devices that require uninterruptable AC input power are plugged into one of the four power strips connected to the UPS. Non-essential equipment such as the printer and reactivity computer are plugged into the power strip not connected to the UPS. The UPS also supplies AC power to the DAC. Figure 7-21 shows the power distribution for the console.

The AC power distribution for the CSC is shown in Figure 7-21 above. AC power is supplied via a UPS unit that has been selected to provide approximately 15 minutes of runtime. Since the reactor safety systems are designed to fail to a safe condition, the UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power. When power is lost to the UPS an AC Power Loss scram is generated.

7.6.3.2 Uninterruptable Power Supply (UPS)

The UPS assembly consists of a UPS with batteries and a digital interface. It is designed to power the entire console, including the instrumentation, computers and displays, for at a minimum of 15 minutes. The input to the UPS is 120VAC nominal and is intended to be connected to a 20A circuit.

The UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power.

The UPS is equipped with a relay I/O smart card that allows the UPS to be controlled remotely from the console. For this purpose, the instrument power switch on the Reactor Mode Control panel is wired up to the UPS. When the switch is pressed, it sends a signal to the UPS to either turn power on or off. The signal has to be present for a minimum of 1 second before it is recognized as a valid input by the UPS. Therefore, a slight delay will occur between the operator pushing the switch and the UPS turning on or off.

Upon loss of AC input power, the UPS will emit four beeps every 30 seconds. When 2 minutes of run time remain, the UPS emits continuous beeping.

7.6.3.3 Power Supply Drawer Supplies Vdc power for the components located in the Control System Console.

PS1 +5 Vdc Power Supply provides power the secondary side of the digital isolator modules on the digital input drawer.

PS2 +24 Vdc Utility Power Supply is a 50W power supply that is used to power digital switch contacts in the control console. Input to output isolation is 3,000V.

PS3 +12 Vdc Power Supply provides power to all the lights on the Reactor Mode Control Panel.

7.6.3.4 Digital Inputs Drawer The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical printed circuit board assemblies populated with digital isolators.

There are 24 isolators per board, for a total of 48 digital inputs. Every isolator accepts a 2.5 to 28Vdc input signal to activate on the primary side. When active, a red LED is lit. The inputs are referenced to the 24V digital power supply (PS2) on the power supply drawer. The secondary side is powered by 5V (PS1). The outputs of the digital isolators generate inputs to the digital input board that are part of the printed circuit board. The signals are passed from the isolator boards to 7-51 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 the digital input board via DIN rail mounted terminal boards that accommodate the required connector configuration.

7.6.3.5 Utility Drawer The Console Utility drawer contains the CCS and UIT watchdog timers, the I/O module and the digital output module. PS1 (50W) generates +24Vdc utility power for the I/O module and the watchdog timers. The I/O module supplies power and communications to the digital output module and the digital input module on the digital input drawer. The I/O module communicates with the CCS computer via the Ethernet hub mounted inside the console.

The digital output module provides 16 plug-in solid-state relays for DC loads. The relays were chosen to switch 5-60Vdc. The relays are controlled by the CCS computer. When the computer activates a relay, a corresponding green LED will be lit on the board. In the console, the relays are mainly used to activate the lights in the reactor mode control switches.

The watchdog timers that monitor the UIT and CCS computers and are hardwired into the scram loop. The software must periodically send a keep-alive signal to the watchdog timers to prevent them from alarming and thus scramming the reactor. The time delay before an alarm occurs is adjustable between 5 and 15 seconds and is normally set at 15 seconds. When the watchdog timers lose power, their outputs will default to a failsafe condition, which will also scram the reactor.

7.6.3.6 Rod Control Panel The Rod Control Panel is located beneath the Right Side Graphics Display and the UIT computer.

This panel is used to manually control the control rod drives, apply magnet power, fire the transient rod, manually scram the system and acknowledge messages in the Annunciator Pane of the Right Side Graphics display.

The design functions of the Rod Control Panel are:

Provide for manual control of the control rod drives.

Application of magnet power via a key switch

Fire the transient rod.

Manually scram the reactor.

Acknowledge alarms and messages.

IROO CONTROL 8

ON lRANSENT SAFETY REO OFF rnRESET SHM 0 8 IIMAGN~

8 G G G G MAONET POWEl'l B I DOWN I I DOWN I I DOWN I 11° 0

~ I B

Figure 7 Rod Control Panel 7-52 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.6.3.6.1. Magnet Power Key Switch In the upper left corner is the MAGNET POWER key switch. The key switch has three positions:

OFF (maintained), ON (maintained) and RESET (momentary). If the switch is OFF, then all power is removed from the rod magnets. The ON position is wired in with the scram loop. The switch has to be in the ON position to complete the loop. The switch is momentarily turned to the RESET position to initiate the time delay in the FIS prior to activating the reactor permissive relay. After the time delay, the switch is momentarily turned to the RESET position again to apply magnet power. The switch will remain in the ON position during reactor operation. If at any time during reactor operation the switch is turned to the RESET position, the reactor will scram. Turning the key switch to RESET is also the only way to remotely reset trips on the nuclear instruments in the DAC.

7.6.3.6.2. FIRE Pushbutton In the bottom left corner is the FIRE button. When all conditions to fire the transient rod are met, pushing the FIRE button will apply air pressure to the transient rod for pulsed reactor operation.

7.6.3.6.3. Rod Control Pushbuttons In the middle of the panel is the Rod Control section which includes the AIR button, MAGNET buttons, UP and DOWN buttons. The AIR button is used to remove air from the transient rod. The MAGNET buttons are used to remove the magnet power for the shim, safety and regulating rods.

Pressing the MAGNET button turns off magnet power and therefore drops the control rod into the reactor core. Pressing the UP or DOWN buttons generates a digital input to the CCS computer to move the control rods.

7.6.3.6.4. SCRAM Pushbutton In the upper right corner is the reactor SCRAM pushbutton. It is hardwired into the scram loop. If this button is depressed, the switch breaks the scram loop in both the positive and negative legs, and all rods will drop to shut down the reactor.

7.6.3.6.5. Acknowledge Pushbutton The ACKNOWLEDGE button is used to acknowledge messages in the Annunciator Pane of the Right Side Display. It generates a digital input to the CCS computer to indicate an operator has acknowledged a visual or audible alert.

7.6.3.7 Reactor Mode Control Panel The Reactor Mode Control Panel is a physical panel located in the right side of the console. This panel contains the status indicators for Core Position, Door Position, Indicators, Pulse, Test, Stop, Instrument Power ON, Watchdog timers for the CCS and UIT computers and two rotary test switches. Refer to Figure 7-24 for a layout of the Reactor Mode Control Panel.

The design functions of the Reactor Mode Control Panel are:

Provide indication for the status of facility components.

Provide Scram and Interlock selection test switches

Instrument Power ON pushbutton 7-53 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.6.3.7.1. Reactor Core and Shield Door Position The Reactor Mode Control Panel provides status of the core position. Two switches with backlights, an indicator and a digital readout to indicate core position. The two switches, Region 1 and Region 3, can be used to move the reactor core. Backlights will be illuminated when the door limit switch is activated. Foot pedals can also be used to move the reactor core. The Region 2 indicator will be lit whenever the core is not in Region 1 or Region 3. Also, there is a digital readout for the core position. Refer to Figure 7-23 below for a drawing of the core regions and the associated digital readout values.

Status of lead door positions is also given on the Reactor Mode Control Panel. Three door position switches with backlights are provided: Lead Door Open, Lead Door Stop and Lead Door Close.

The switches can be used to open, stop and close the lead door. When the switch is active, the backlight is illuminated.

r -" *oo--- - - - . + - - - - - - - - - - - - - - - - - - - - - -- oo- - - - - - - - - - - - - - - - - - - - - - - ! - - - -12_cn------j I

250 300 500 700 750 Digital Indicator position Figure 7 Core Support Carriage Regions 7-54 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 0 0 OOlllE l'OSIITION 0 E] EJ INSTRUVENT POWER 0

I 118.a.Br 11

[ i ; f'!ATCHOOG llM!aRS"'al

~ ~

SCRAM AN~ INT!aRLOOI(

§ § TlES7r 1 (Q)

,_...,.H r,r HY LO 0 0

-HVLO ' \ I ,. ....... H NDICA7rOIRS ,._WINLO _ _ ,..,.HVLO E] @J PIIIOD -

,. I \ '

-. lff l"Wft H I §I IEaT Q 0 PULSE 0 SCRAM AND INTEl1LOCIK 1EST 2 n~,:,<lif-

,.,. POOi.,.....

TEST

§I POOL L.0 ~- -

..., ""' ,. I \ '

0CS llVT STOf' 0 IEaT Q 0 0 0 Figure 7 Reactor Control Mode Panel 7.6.3.7.2. Indicators Three other indicators are provided: Reactor Operate, Time Delay and Exposure Room Open. The Reactor Operate indicator is illuminated when the reactor permissive has been satisfied and magnet power can be applied. The Time Delay indicator is illuminated while the reactor permissive 30 second delay is active. The Exposure Room Open is used to indicate that either of the Exposure Room doors are open.

The Pulse Detector button selects which type of detector is connected to the NPP-1000 instrument.

In steady-state operation, a fission chamber detector is connected to the NPP-1000 and none of the button lights are lit. In pulse mode, the detector selection is performed per the following:

Pushing the detector select button once selects detector 1 (uncompensated ion chamber detector) and the Detector 1 backlight will illuminate, or

Pushing the detector select button again selects detector 2 (Cerenkov detector) for pulsed reactor operation and the Detector 2 backlight will illuminate.

A Lamp Test button is provided to test the lamps on the Reactor Mode Control Panel. The lamp Test button itself does not light up.

7-55 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 An Emergency Stop button is provided to scram the reactor in an emergency. It ties in with the Facility Interlock System (FIS) and upon pressing it, deactivates the reactor permissive relay that is an input to the scram loop. The Emergency Stop is a latching switch; the first push activates, the second push deactivates.

An Instrument Power ON button and indicator light are provided. The instrument power on switch has a backlight that will be illuminated when console power is on. Pushing the button activates or deactivates power from the UPS. Because the UPS input is heavily filtered to protect against spurious inputs, the UPS turn on or shutdown occurs 2 to 3 seconds after the button has been pushed.

Watchdog timer lights are provided for both the CCS and UIT to indicate when a watchdog timer timeout has occurred.

7.6.3.7.3. Scram and Interlock Test Switches SCRAM and Interlock Test #1 Rotary Switch is used to select the test. A test button is used to run the test. The rotary test switches are independent of each other and may be activated simultaneously so that the system will respond accordingly as if both event actually occurred.

The following tests are provided for selection on the Test #1 switch:

1) NLW: 1 KW, Period, NLW HV Lo

2) NMP: NMP HV Lo, Low Source, NMP Pwr Hi

3) NP: NP HV Lo, NP Pwr Hi

4) NPP: NPP HV Lo, NPP Pwr Hi SCRAM and Interlock Test #2 Rotary Switch is used to select the test. A test button is used to run the test.

The following tests are provided for selection on the Test #2 switch:

1) Watchdogs: CCS WDT, UIT WDT

2) Pool Level: Pool Lo

3) NFT Temperatures: FT 1, FT 2, FT 3

4) Pool Temperature: Pool Temp 7.6.3.8 Bargraphs and Recorder Panel The Bargraphs and Recorder Panel is located on the left side of the console and contains the bar graphs and digital chart recorders. The Bargraphs and Recorder Panel is shown in Figure 7-25.

7-56 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 0 0 0 0 1

-,o~

J

-,o~

0 0 ft C HANNU M.tTAl OX JI CHAHND. DKm'AL QX 0 0 0 0 0 0 Figure 7 Bargraphs and Recorder Panel 7.6.3.8.1. Bargraphs The bargraphs are analog signals that are hardwired to the nuclear instrument modules and are fully independent from the console software.

The design functions of the Bargraphs are:

Provide power indication that is available to the reactor operator.

Be independent of the control system computers.

Provides redundancy and diversity in the event of the computer system failure.

The input to the NPP NV Peak bar graph is wired to one of the solid-state relays on the utility drawer. The relay is controlled by the CCS computer and active only during pulsed reactor operation. During steady-state reactor operation, the input to the bargraph is disconnected. This is done because the NPP peak detect circuit produces an output at all times but only needs to be displayed while the reactor is pulsed.

The panel includes nine bar graphs:

7-57 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2 .390

1) Safety 1 (%) (NP-1 000)

2) Safety 2 (%) (NPP-1000)

3) Log Power (%) (NLW-1000)

4) Period (sec) (NLW-1000)

5) Fuel Temp 1 (°C) (NFT-1 000)

6) Fuel Temp 2 (°C) (NFT-1 000)

7) Fuel Temp 3 (°C) (NFT-1 000)

8) NVT (MW sec) (NPP-1000)

9) NV Peak (MW) (NPP-1 000) 7.6.3.8.2. Digital Chart Recorders The chart recorders use a high-resolution digital LCD display (5.7 inches) that provides clear, bright images and a wider viewing angle than other display types . The touch-screen interface and graphical icons mak e them easy to use, while the display can be customized to access the best representation of process data. Each recorder suppo1is up to 12 analog and 16 digital inputs. They can store data to a secure digital (SD) car d an d/or USB memory stick.

The design functions of the Recorders are:

Provide power indication and trending that is available to the reactor operator.

Provide a pe1manent record of reactor power.

Be independent of the control system computers.

Provides redundancy and diversity in the event of the computer system failure.

As a minimum, the chaii recorder on the left recor ds Log Power (NL W-1000), the chaii recorder on the right records Lineai* Power (NP-1000). However, all analog signals from the nuclear instruments ai*e hai*dwired to the chart recorders and are available for display and storage. The reactor operator has the option to enable additional inputs to be viewed an d recorded. The signals connected to the recorders ar e listed in Table7-8 below.

Table 7 List of Recorder Inputs Left Recorder Right Recorder NLW-1000 Log Power (default) NP-1 000 Safety 1 Lineai* Power (default)

NPP-1 000 Safety 2 Power (optional) NFT-1000 Fuel Temp 2 (optional)

NLW-1 000 Period (optional) NFT-1000 Fuel Temp 3 (optional)

NPP-1 000 NVT (optional) NMP-1 000 Multi-Range Power (optional)

NPP-1000 NV (optional)

NFT-1000 Fuel Temp 1 (optional) 7-58 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2 .390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.6.4 Subsystem Description The following sections describe the layout of the CSC and basic design considerations. The CSC contains the components required for the operator to control and monitor the reactor and the auxiliary systems. This includes the Console Computer System (CCS) and User Interface Terminal (UIT), the Rod Control Panel and the Bargraph/Recorder Panel.

The contrnl console and display instruments have been designed to collect and display operating information that is readily observed and interpreted by the operator through the diverse and complete presentation of info1mation. The most important facility parameters such as neutron flux levels and fuel temperatures are presented in various forms (bargraphs, trended displays, and numerical values) using independent mechanisms. Additionally, the human machine interface is presented such that a minimal number of "clicks" are necessaiy for display navigation. hnportant manual control inputs such as rod pushbuttons and switches are given an independent physical panel through which they can be activated. Testing units are also given a physical location on the console to facilitate operator use.

The updated values of operating pai*ameters and the status of systems and equipment are displayed on the main control console and other display instruments systems and equipment. Additionally, the rod movement and system mode are selected on the control console. These displays show impo1iant infonnation to the operator including alaims and scram info1mation from the Reactor Protection System (RPS).

There are two high-resolution display screens on the CSC Console where impo1iant info1mation has been grouped by type to sti*eamline infonnation flow from the system to the operator. With the Left Side display showing the scram status, as well as any operational wai*nings or interlocks, the operator has an accurate picture of the facility status. Reactor operations and status are available on the Right Side display.

Given this collection of info1mation, the operator may read and evaluate system performance and take prompt and accurate steps to supply control inputs on which the Reactor Conti*ol System (RCS) can act. The system is combined and integrated in a way to readily aid the operator in conti*olling operation of the reactor.

This separation of binai*y information (alarm or no alaim; interlock or no interlock) in conjunction with ti*ended information allows the operator to identify if the system is ti*ending toward an operational limit and dete1mine when that limit may be exceeded.

7.6.4.1 CCS Computer The design functions of the CCS Computer are:

Process all Digital Inputs and Outputs.

Process all control rod drive movements.

Monitors all inputs and outputs

Conti*ol the reactor The CCS uses a and handles input and output data, monitors the es the indicator li ts on the console. The CCS 7-59 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2 .390 The CCS computer system in the console has a display associated with it. This display is not nonnally needed during the operation of the reactor; it exists mainly for startup, shutdown, and console debugging pmposes. Other than detennining that the CCS has come up and is operating properly, there is no reason for having this display present on the console. During n01mal operation of the software, it displays the digital and analog inputs/outputs on the screen. Having this screen handy is useful to dete1mine whether the CCS has locked up if the system freezes.

The display is also useful for shutting down the CCS system (though this can also be done from the UIT computer).

7.6.4.2 UIT Computer The design functions of the UIT Computer are:

Provide the graphical user interface (GUI) for the reactor operator.

Provide status of reactor parameters.

Provide alarms and messages.

The User Interface Te1minal (UIT) uses a to display parameters and accept user input. The UIT code is written in . The UIT consists of two display screens. The Left Side Status Display and the Right Side Graphics Display.

7.6.4.2.1. Left Side Status Display The Left Side Status Display screen is divided into five panes, all of which are simultaneously visible, and used to display operating information about the reactor. The five display panes are:

1) STATUS

2) SCRAM

3) WARNINGS

4) MODE SELECTION

5) INTERLOCKS 7-60 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2 .390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 Left Side Status Display STATUS Pane The STATUS pane presents current information about the status of the system including power readings, period, temperatures and pool water level. The core position and shielding door positions are also displayed. Also, the remote/local state of each channel is displayed. During a pulsing operation, an additional Inhibited field will be shown for the NLW-1000 and NMP-1000 and an additional Bypassed field will be shown for the NP. These fields are displayed to the right of the remote/local field and are shown to indicate when the devices are inhibited or bypassed during a pulsing operation.

Figure 7 STATUS Pane 7-61 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 SCRAM Pane The SCRAM pane displays scram conditions. If a scram were to occur in the reactor, an operator would reference the Status Display to quickly identify the cause of the scram. The SCRAM pane also provides buttons to conduct operational tests of the scram system. For the buttons to be enabled, a check box must be selected which reads, Enable Scram Tests.

NOTE: All scram/alarm messages displayed on the SCRAM and WARNINGS panes are first displayed on the left STATUS display, as opposed to the information panes on the graphic display.

Figure 7 SCRAM Pane WARNINGS Pane The WARNINGS pane displays warnings of which the operator should be aware. An alarm disable checkbox is provided for each warning. If the checkbox is not checked and a trip occurs, the horn 7-62 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box will be displayed for the warning. If the checkbox is checked and a trip occurs, the yellow box will still be displayed for the warning, but the horn will not sound and an ANNUNCIATOR Pane message will not be displayed. The primary purpose of this audible inhibit functionality is to minimize distractions during system setup and testing or prolonged warning situations. By default, alarm disable checkboxes are not enabled.

Figure 7 WARNINGS Pane MODE SELECTION Pane The MODE SELECTION pane allows the operator to select the mode in which to operate the reactor. These modes are:

1) Manual Mode (steady-state)

2) Automatic Mode (AUTO) 7-63 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

3) Square Wave Mode

4) Pulse Mode Figure 7 MODE SELECTION Pane This pane also contains a text box and a button that allows the operator to enter the demand power setting. Once set, Demand is selected for the input power (in Watts); this will update the Demand 7-64 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Power as shown on the upper left corner of the Reactor Display. When the demand power setting is selected and the reactor is in Automatic Mode, those rods selected in the banked movement will adjust their position to insert or remove reactivity to maintain power at the demand setting.

The MODE SELECTION pane also contains text boxes with checkboxes that allow the operator to manually select the NMP range and to indicate the current range selection for the NMP. As an automatic ranging device, in normal operations, the NMP would change its scale based on the reactor power. By manually selecting a range, the operator will prevent that action by the NMP. If the power continues to rise and the NMP reaches 110% of its selected scale, it will initiate a warning. The NMP is an operational channel and is not credited in the minimum reactor safety system scrams.

This pane also allows the operator to set timed actuations. The Set Pulse Time button allows the operator to set the length of time before an automatic scram after a reactor pulse. The time is entered into a text box and actuated with a button. The reactor power pulse is a function of core physics and typically lasts a few hundred milliseconds. Normally, the operator will manually scram the reactor after a few seconds, but as required by the Technical Specifications, the system will automatically scram if the Set Pulse Time limit is reached. The Set Scram Time button is used to set the time of a scram from steady-state mode. There are buttons to start, stop, and reset this timer.

It may be directed to count up or count down.

INTERLOCKS Pane The INTERLOCKS pane displays interlock conditions. An alarm disable checkbox is provided for each interlock. If the checkbox is not checked and an interlock occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box for the interlock will be displayed. If the checkbox is checked and a trip occurs, the yellow box will be displayed for the interlock but the horn will not sound and an ANNUNCIATOR Pane message will not be displayed.

7-65 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7 INTERLOCKS Pane 7.6.4.2.2. Right Side Graphics Display While the Left Side Status Display shows the current facility mode and operational settings, the Right Side Graphics Display is the primary means by which the operator monitors and controls the reactor.

At the top of the graphic display, regardless of the display screen selected, the system menu bar displays the following menu items:

1) RUN: Exit to or Restart UIT.

2) OPERATOR: Provides the ability to log in, log out, and display selected operator statistics.

3) HISTORY: System must be scrammed, then starts the execution of the history playback program.

4) DISPLAY: Refreshes the graphics displays (this option is rarely used).

Three information panes immediately below the display menu bar are also always present. The panes are: System Status, Annunciator, and Site/Operator.

The System Status box in the upper left corner of the reactor display will always show the following information:

1) Date and Time

2) Mode 7-66 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

3) Reboot Time

4) Demand Power Level The reboot time is the time since the reactor console was last turned on.

The Annunciator box in the upper middle will display interlock, warning and/or scram messages.

The message will be displayed until acknowledged using the ACKNOWLEDGE button on the Rod Control Panel. Several messages may be queued and waiting for acknowledgement. The border on the right-hand side of the Annunciator box will consist of a single line if there is only one message and will consist of two lines if more than one message is in the annunciator queue.

Scrams are automatically moved to the front of the queue. All other messages are stacked in the order of occurrence (oldest to newest). These stacked messages will display in order as the messages are acknowledged. During routine operations and with no scrams, alarms, or warnings active, this panel will be empty and black which is a simple visual check for the operator.

The Site/Operator box in the upper right section displays system site name (AFRRI TRIGA Reactor), user login, login time, system version information and total megawatt-hours produced by the current core loading.

During reactor operation (non-scrammed mode), there are two display tabs (Reactor Display #1 and Reactor Display #2) that provide two separate views of the reactor's operation.

Where the Left Side Status Display is divided into several different panes, the Right Side Graphics Display has six different screens which must be selected to be visible to the operator. The six screens are as follows:

1) Reactor Display #1 for normal reactor operation

2) Reactor Display #2 for normal reactor operation

3) Reactor Prestart Tests (available only if magnet power is not applied to the control rods)

4) Pulse Display

5) Administration (available only when a system administrator is logged in)

6) Test Functions (for system administrator use only) 7.6.4.2.3. Reactor Display #1 On the left side of the Reactor Display #1 there are scales for the following:

LINEAR POWER: This bargraph shows the current reactor power level in watts on a linear scale. This information is obtained from the NMP-1000 Nuclear Multi-range Power Channel.

LOG POWER: This bargraph shows the current reactor power level as a percentage of maximum power, on a logarithmic scale. This information is obtained from the NLW-1000 nuclear channel.

NP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NP-1000 which is independent of the NPP-1000. This channel is denoted as Safety Channel 1.

7-67 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 NPP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NPP-1000 which is independent of the NP-1000. This channel is denoted as Safety Channel 2.

The central portion of Reactor Display #1 shows a graphical representation of the reactor cross section with information about the status of the control rods. For the shim rod, the safety rod and the regulating rod, the small square box at the top of the control rod indicates the status of the control rod magnet power. For the transient rod, the small square box at the top of the control rod indicates the status of the air. The operator is able to quickly understand if a control rod is at its lower limit, the status of the magnet or air, the height of the control rods, and the measured drop time (if a drop is initiated from full height). When the magnet or air is activated, a representative box changes from black to yellow. Additionally, when the control rod bottom limit switch is not activated, the control rod color changes from black to green. Therefore, anytime the control rod is off the bottom of its travel path, the box should be yellow and the rod green. Once the control rod has been lifted to its upper limit and activated the control rod upper limit switch, the control rod color will turn magenta.

Below each control rod in the display is a small box that indicates the current position of the control rod drive mechanism. The scale for the position readout ranges from 0 to 999. The position is 0 if the control rod drive is all the way down and the position is 999 if the control rod drive is all the way up. If the control rod is all the way down and the magnets are energized, its color will be gray.

When the control rod down limit switch is activated, the position indicator is forced to zero units.

If it is all the way up (and the control rod up limit switch is actuated), the color will be magenta and the position indicator is forced to 999 units. The control rod color will be green between the magnet and the bottom of the control rod when positioned anywhere between fully down or fully up.

At the bottom of the graphical display screen, several rectangles representing the physical rod control buttons on the Rod Control Panel are displayed. When a button is pressed on the Rod Control Panel, the system will highlight the button on the graphics display. This portion is particularly useful in automatic mode, for when a control rod drive is in motion, as dictated by the automatic control PID algorithm, the operator is able to verify proper control rod movement.

The ACKNOWLEDGE button on the Rod Control Panel provides a method to acknowledge trips, scrams, warnings, etc. that are displayed on the Annunciator Pane of the main graphics window.

Pressing the ACKNOWLEDGE button will clear the top message in the annunciator window.

Even though the SCRAM button on the rod control panel is hard-wired directly into the system scram loop (i.e., this signal is not processed by software), the status is provided to the software so the program can determine when the operator presses the SCRAM button. The SCRAM box indicates when the operator presses this SCRAM button.

On the right side of the Reactor Display #1 there are scales for the following:

PERIOD: This bargraph shows the period or rate of change of reactor power This information is obtained from the NLW channel.

NFT1 TEMP: This bargraph shows the NFT1 fuel temperature in ºC on a linear scale.

This information is obtained from the NFT channel.

7-68 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 NFT2 TEMP: This bargraph shows the NFT2 fuel temperature in ºC on a linear scale.

This information is obtained from the NFT channel.

POOL TEMP: This bargraph shows the pool temperature in ºC on a linear scale. This information is obtained from pool water temperature RTD.

The bottom left section of Reactor Display #1 shows the core position in the reactor pool. Because the AFRRI Reactor features a movable reactor core, this provides additional information to the operator and may be verified through visual inspection. This simple graphic has indication of the lateral location of the core, as well as the shield door position and the exposure room door positions.

7.6.4.2.4. Reactor Display #2 The second reactor display shows the same bargraphs as Reactor Display #1 but the central portion of the screen is replaced with a strip recorder display with the four parameters: linear power, log power, period, and coolant temperature.

7.6.4.2.5. Pulse Display The Pulse Display tab is automatically displayed after a successful pulse operation. It will display the results of the last pulse in graphic form. The pulse data file, stored on the computer as a CSV formatted file, will have the date, time, width at half power, pulse time, number of entries, period, total energy, peak pulse power, peak fuel temperature, and the pulse reactivity. The user can scroll horizontally along the time of the pulse and can scale the y-axis of the selected parameter. Prior pulses may be loaded to viewing when the reactor is in a non-operational mode.

7.6.4.2.6. Prestart Tests Display When the reactor is scrammed and magnet power is not applied, the graphics display will include the Prestarts Tests Display. When the operator presses the Prestarts tab on the Graphics display, the system shows the prestart tests that are available.

NOTE: This prestart mode is not available when conducting operational (manual) prestart tests from the Status Display using the Test Enable function, which requires that magnet power be applied to withdraw the control rods. While magnet power is applied, the Prestart Tests tab will not be displayed.

This Prestart Tests tab is used for the software generated prestart tests and is not available when the reactor is operating. While running these prestart tests, the remaining tabs are disabled. A RUN button is provided to start the prestart tests. As each prestart test is completed, Passed or Failed will be displayed (along with a reason for a failure if the test fails). If a particular test fails, then the user must press the DONE or CONTINUE button on the display (using the mouse). Pressing the DONE button aborts the testing process. Pressing CONTINUE causes the system to continue with the next prestart test in the sequence. At the end of all the tests, pressing DONE clears the prestart and returns control to the main reactor display tab. At any time while the system is waiting for the operator to press the CONTINUE or DONE button, the operator can press the PRINT button to send a copy of the prestart report to the system printer.

On the right side of the display, buttons are provided to run each of the prestart tests individually.

A Test OFF button is provided to stop the tests.

The available prestart tests include:

7-69 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

1) NMP: Low Current, High Current, High Voltage (Low)

2) NLW: Low Current, High Current, Low Count, High Count, High Voltage (Low), Period

3) Watchdog: CCS Watch, UIT Watch

4) NP: Ramp, High Power, High Voltage (Low)

5) NPP: Ramp, High Power, High Voltage (Low)

6) NFT: 1 Low Temp, 1 High Temp, 2 Low Temp, 2 High Temp, 3 Low Temp, 3 High Temp 7.6.4.2.7. Administration Display When an operator is logged in as a system administrator and the system is scrammed, the Administration tab will be added to the display tab list. This screen displays all the operators by name and operator number; as well as their logged in times, magnet on time (their run times/time spent in an operational mode), and their cumulative Megawatt (MW) Hours (operator time when reactor produced MW). This information is kept on the CCS machine as well, so that a system administrator can reset values to zero by editing this file (or resetting all statistics by deleting the file). This is a useful feature for when a new reactor operator requalification cycle starts.

7.6.4.2.8. Test Functions Display When an operator is logged in as a system administrator and the system is scrammed, the Tests Functions tab will be added to the display tab list. The test display is intended for diagnostic, testing, and informative purposes. There are four major sections: Digital Outputs, Digital Inputs, Analog Outputs and Analog Inputs.

In the Digital Outputs section, there is a checkbox on many buttons on the test screen. Checking one of these checkboxes will turn on that particular output; clearing the checkbox will turn off that particular output. However; the test functions only work while in scrammed mode, therefore attempting to turn on the magnet power outputs will not actually supply power to the magnets since the hardwired scram loop prevents that from occurring. When checking one of the magnet power output checkboxes, the system will write the output to the hardware port and the user can verify that the output is present by the corresponding LED on that board and magnet power is cut off after that point. Note that the transient rod is controlled by digital outputs which are located in this section. You can move the cylinder up and down using the test functions, but you cannot fire the rod from the test screen. Many other buttons are provided to initiate the test modes and trip reset for all of the channels.

In the Digital Inputs section, the input data in displayed in two forms. First, all of the digital inputs are displayed in a binary string (ones and zeros) with each bit of that string corresponding to one of the hardware inputs (0=off, 1=on). Second, the test display also shows the digital inputs using signal names. The name is white text when the signal is zero (off), and with red text when the signal is one (on). Also, the trips, Local/Remote status, Comm status and range (NMP Only) are shown as signal names. The name is blue text when the signal is zero (off), and red text when the signal is one (on).

In the analog outputs (rod control) section, the Tests Functions provides text edit boxes into which the operator can type a value between -10.0 and +10.0. This voltage is written to the corresponding D/A converter that drives the regulating, shim, safety and transient rod control drives. Note that 7-70 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 because both magnet power and air pressure cannot be applied in scrammed mode, only the control rod drives and magnets will move and not the actual control rods.

In the analog inputs sections, the Tests Functions displays the raw 16-bit numeric value and the converted value for each of the analog inputs.

7.6.4.2.9. Data Recording and Playback The system captures all events written to the UIT displays and records them to a file on the UIT computer for future playback. These filenames are coded so a reactor administrator or operator can locate the run history for a particular reactor run and playback those files.

Whenever the reactor is in operation, the UIT computer records a log of events and device states on the hard disk. This data history-logging automatically begins whenever the operator resets the scrams (a prerequisite to reactor startup). Data is recorded approximately every 100 ms. Also, any time there is a change in the WARNINGS pane or the SCRAM pane, that event is recorded, regardless of time. Logging continues following a system scram until terminated by the operator.

The system accumulates the time each operator is on the console (which also may be seen on the UIT display) and also the reactor megawatt hours. The system also records all the while the reactor is in a scrammed condition, creating a new data file every two hours. At the beginning of each new file, the input states are recorded from the end of the previous file to create continuity of the information between files.

The history logging feature allows reactor operations to be replayed in snapshots when the reactor is shut down. Each snapshot is a recreation of both the Right Side Reactor Display #1 and the Left Side Status Display at the moment the snapshot was taken.

History playback takes the form of replaying snapshots of the two video display screens (Right Side Reactor Display #1 and Left Side Status Display) in sequence as they were recorded.

Whenever a value changes on either of the display screens, that new value is written to the history playback file; writing only the differences helps reduce the size of the playback file. During playback, the operator will see the control rod movements and bargraph displays (from the Reactor Display #1) as they occurred during real time operation. The operator can play back the recorded history either manually or automatically. To play back the data manually, the operator can step through each recorded frame on the playback display. When played back automatically, the data will be displayed automatically in sequence at a variable speed.

7-71 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.7 PROCESS INSTRUMENTATION Instrumentation in the reactor pool, primary water cooling system, and primary water purification system permits the measurement of parameters important to the safe operation of the reactor and associated cooling system. These parameters include primary coolant temperature, primary water conductivity and pool water level.

7.7.1 Design Criteria The process instruments are designed to support the safe operation of the reactor. Certain parameters in the reactor facility must be measured to ensure a primary coolant state that does not degrade the quality of the fuel clad, can remove heat from the core, and protects facility personnel from high radiation levels. When any of these fall out of the relevant technical specification, the operator is notified by an alarm. Immediate shutdown of the reactor may be necessary by automatic or manual scram actuation.

The parameters for temperature and conductivity are measured in more than one location.

Temperature is measured near the core and in the bulk coolant volume to ensure the most conservative point is taken and protected against a single point failure. The conductivity of the coolant is measured on both the inlet and outlet of the demineralizer system. Finally, to ensure adequate cooling capacity, as well as protecting facility personnel from high radiation levels, pool water level is measured to provide an early warning alert on low water level, and a scram when the water drops below the setpoint.

7.7.2 Design Bases The three principal parameters to be measured in the process instruments are:

coolant temperature

coolant conductivity

pool water level The water temperature is measured by a resistance temperature sensing element (RTD) in a bridge circuit and has a range of 0 to 100°C.

The conductivity measured in micromhos/cm should not exceed 5 micromhos/cm with typical measurements to be in the 2-3 micromhos/cm range.

Reactor pool level is measured in a manner which gives clear indication to the operator of sufficient levels. A float mechanism is used so that it is set to give a high/low status at the zero reference level. An early warning notice of low pool level is provided as well as an alarm for insufficient pool water level. The accuracy of this measurement is at least the nearest 1/2 inch of water.

7.7.3 Subsystem Description 7.7.3.1 Primary Coolant Temperature The following coolant parameters are available to the operator: pool water temperature, demineralizer outlet temperature, and demineralizer inlet and outlet conductivities. The primary coolant water temperature is measured at three locations:

Above the reactor core inside the core shroud Six inches below the pool surface 7-72 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Water monitor box of the primary water purification system The water temperature is measured by a resistance-temperature sensing element (RTD) in a bridge circuit and has a range of 0 to 100°C. The signal is sent to the CSC to be displayed on the UIT Left-side display in the STATUS Pane. The CSC also uses the signal to provide a rod withdrawal interlock when the inlet water temperature to the demineralizer is greater than 60°C.

7.7.3.2 Primary Coolant Conductivity Primary cooling water conductivity (resistivity) are measured at several points by conductivity cells containing titanium electrodes in microprocessor-based circuitry with a range of 5 µmhos/cm to 0.05 µmhos/cm. Water conductivity is measured at the water monitor box (upstream from the mixed-bed demineralizers) and the outlet from each dernineralizer. Readouts for the conductivity monitors are located locally.

To prevent damage to the resins, the demineralizer inlet temperature provides a high inlet temperature interlock which prevents the withdrawal of the control rods when the demineralizer inlet water temperature is greater than 60°C.

7.7.3.3 Pool Water Level The level of the reactor tank water is monitored by two independent switches mounted on a common rod and actuated by a float. The first switch activates 1" below the zero reference p ool level and prevents the withdrawal of the control rods . The second switch will cause an automatic reactor scram if the water level drops below 6" of the zero reference pool level. Along with the scram, the second switch will also cause an alarm on the reactor console as well as an audible and visual alarm on the facility hall panel during non-duty hours. This will alert the security watchman of an unusual situation so that appropriate conective action may be taken.

A third float type switch is located the pool to alarm when the pool level is greater than 1" above the zero reference height. This alarm located separate for the control console is intended to alert reactor staff when the pool level is high, such as during refilling operations.

Table 7-9 -Trips Associated with the Process Instrumentation Instrument Trip Setpoint Action Coolant temperature at the 2:::60°C Rod Withdrawal Interlock inlet to the Demineralizer Pool Water level 2:::1" below Rod Withdrawal Interlock Scram, and facility hall Pool Water level 2:::6" below panel alarm Pool Water level 2:::1" above Local audible alarm 7.7.4 Technical Specifications for Process Instruments The following specifications for the coolant systems ar*e:

3.3.a. The reactor shall not be operated if the bulk water temperature exceeds 60°C; 7-73 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 3.3.b. The reactor shall not be operated if periodic measurements taken IAW TS 4.3 show conductivity of the bulk water greater than 5 micromhos/cm; and 3.3.c. Both audible and visual alarms shall be provided to alert the AFRRI security guards and other personnel to any drop in reactor pool water level greater than 6 inches.

3.3.d. The reactor shall not be operated if the measurement required by TS 4.3 shows concentrations of radionuclides above the values in 10CFR part 20 appendix B table 2 are found in the primary coolant until the source of the activity is determined and appropriate corrective actions are taken.

7-74 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.8 RADIATION MONITORING SYSTEMS The radiation monitoring systems associated with reactor operations at AFRRI are maintained as a means of ensuring compliance with radiation limits established under 10 CFR 20. These systems consist of remote area monitors, continuous air monitors, reactor stack monitors, and AFRRI perimeter monitoring. Detailed information (such as alarm setpoints for the various monitors, appropriate reactor operator responses to radiation alarms, and procedures involving monitor data evaluation and archiving) can be found in References 7-1 and 7-2.

The radiation monitoring systems associated with AFRRI reactor operations provide readouts and radiation alarms at key locations in the AFRRI complex. These locations are:

Reactor Room (Room 3161)

Reactor Control Room (Room 3160)

Emergency Response Center (Room 3430)

Annunciator panel in Hallway 3101 The radiation alarms in the reactor room and the radiation alarm readouts in the reactor control room provide the reactor operators with information necessary for the safe operation of the AFRRI-TRIGA reactor. All radiation monitors readouts are located in the Auxiliary Console in the control room. The radiation monitors do not interface with the Control System Console.

The audible and visual alarms on the annunciator panel in Hallway 3101 alert the Security Watchman (during nonduty hours) of unusual reactor conditions when the reactor is secured. When reactor personnel are present in the reactor administration/control area, the audible alarm on the annunciator panel in Hallway 3101 is turned off.

7.8.1 Remote Area Monitors The remote area monitors (RAMs) in the remote area monitoring system of primary concern to the reactor are R-1, R-2, E-3, and E-6. These units are placed in various areas of the reactor building where potential radiation hazards may exist due to reactor operation.

The monitors utilize scintillation detectors which measure gamma radiation with energies greater than 20 keV. The units have a range of 1 mrem/hr to 105 mrem/hr and a nominal accuracy of +/-15 percent at all levels. The units have a time constant of 2 seconds and a meter and alarm response time of less than 1 second. The monitors activate radiation alarms at various locations within AFRRI; the alarm set points are variable. The monitors also activate visual alarms in the control room and the Emergency Response Center (room 3430).

The RAMs are calibrated at regular intervals using a radiation source of known intensity. The locations of the RAMs, the readouts, and the audible and visual radiation alarms are given in Table 7-10 and Figure 7-32 through Figure 7-34. The alarm setpoints can be found in AFRRI internal documents (References 7-1 and 7-2).

7.8.2 Continuous Air Monitors The continuous air monitors (CAMs) of primary importance to the reactor are two CAMs located in the reactor room. Three additional CAMs, which monitor the exposure rooms and the prep area, are discussed in Section 10. The CAMs provide continuous air sampling and monitoring (gross beta-gamma activity) primarily of airborne particulate matter.

7-75 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 The CAMs draw air with an air pump (~7 cfm) through a shielded filter assembly, which traps any particulate matter greater than 0.3 microns in diameter. A G-M detector measures any radioactive particulates trapped by the filter. The count rate (counts per minute) is recorded by a three-cycle, logarithmic, strip-chart recorder mounted on the CAM itself. The units have a sensitivity range of 50 cpm to 50 x 103 cpm and a nominal accuracy of +/- 10 percent. The units have a time constant which is inversely proportional to the count rate, being 200 seconds at 50 cpm and 1 second at 50,000 cpm. The units have the capability of actuating alarms at two adjustable radiation levels.

Table 7 Reactor Remote Area Monitors RAM Location Readout Radiation alarm R-1 Approximately 7 feet Meter in reactor Activates audible and visual alarm in the above the floor on the control room and reactor room and in the reactor control reactor room east Emergency room; activates visual alarm in the wall Response Center Emergency Response Center (Room (Room 3430) 3030); activates visual and optional audible alarm on annunciator panel in Hallway 3101 R-2 Approximately 7 feet Same as R-1 Activates visual alarm in the reactor above the floor on the control room and in the Emergency reactor room west Response Center (Room 3430) wall E-3 6 feet above the floor Same as R-1 Same as R-2. In addition, there are a on the west wall prep visual and audible local alarm in the area opposite ER #1 prep area near ER #1, and a red light at plug door the front desk.

E-6 6 feet above the floor Same as R-1 Same as E-3, except the visual and on the west wall prep audible local alarm is in the prep area area opposite ER #2 near ER #2 plug door The primary reactor room CAM is located in the southwest corner of the reactor room and is visible from Room 3156. The air sampled by this CAM is taken from approximately 36 inches above the reactor pool surface inside the core support structure. The air is passed through a hose to the CAM.

The air is exhausted by the CAM back to the reactor room. The reactor room CAMs form an integral part of the reactor room containment capability, in that when either CAM's high-level alarm is activated, the supply and exhaust dampers to the reactor room in the ventilation system are automatically closed to isolate the reactor room air volume.

The backup reactor room CAM is located along the west wall of the reactor room and its alarms are visible from the control room and Room 3158. The air sampled by this CAM is taken from a point near the warm drain located along the west side of the reactor pool. The air is exhausted by the backup CAM back to the reactor room.

A description of the CAMs' alarms, locations and read-out is given in Table 7-11 and Figure 7-32 through Figure 7-34. The alarm setpoints can be found in the appropriate AFRRI internal 7-76 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 documents (Reference 7-2). Additionally a flashing visual light on the reactor auxiliary instrumentation console in the reactor control room will be illuminated when either reactor room CAM is set in the TEST mode during testing.

Table 7 Reactor Room Continuous Area Monitors Location of Low-level CAM Readouts High-level alarm air intake Alarm(1)

Approximately 36 Meter in reactor Activates audible and Activates inches above reactor control room visual alarm on unit visual alarm on Primary pool inside core itself the unit itself carriage Strip chart Activates audible and recorder located visual alarm on on the unit itself reactor control room annunciator panel Activates visual alarm on reactor room wall panel Activates audible and visual alarm on annunciator panel in Hallway 3101 Causes solenoid valves to vent and close reactor room ventilation dampers Near the warm drain Strip chart Identical to primary Activates along the west side recorder located CAM alarm visual alarm on Alternate of the reactor tank on the unit itself indications, when the unit itself Backup and meter in connected reactor control room (1)

If the low-level alarm is being used 7-77 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7-32-AFRRI Radiation Monitors Associated with AFRRI TRIGA Reactor First Level 7-78 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7-33-AFFRI Radiation Monitors Associated with AFRRI TRIGA Reactor Second Level 7-79 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 7-34-AFRRI Radiation Monitors Associated with AFRRI TRIGA Reactor Third Level 7-80 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 7.8.3 Stack Monitoring Systems The stack monitoring systems consist of the stack flow monitor and the stack gas monitor. These systems provide data about the radioactive effluents discharged through the reactor stack. The stack flow monitor measurements are recorded by a strip chart recorder. Stack gas monitor measurements of Ar-41 emissions are recorded on a strip chart recorder and can be viewed at the end of each day by an operator to verify that no unusual Ar-41 releases have occurred.

7.8.3.1 Stack Flow Monitoring System The stack flow monitoring system measures the average flow rate of air exhausted through the reactor stack. The system consists of a pair of pitot tubes and Magnehelic pressure gauges which mechanically measure the dynamic pressure in the stack and produce a proportional electrical signal. A strip chart recorder located in the reactor control room records the stack flow. There are no level alarms associated with this system, except when exhaust fan EF5 fails, in which case an audible and visual alarm is activated in the reactor control room.

7.8.3.2 Stack Gas Monitoring System The stack gas monitor (SGM) system is a NaI scintillation detection system which samples exhaust air from the reactor stack. The air is passed through a filter to remove particulates before being analyzed. This system will detect those effluents which have been released into the reactor stack, and are set to alarm at the limit currently specified in the AFRRI Reactor Emergency Plan.

The stack gas monitor system is capable of activating alarms at two levels. Additionally, a flashing visual light on the reactor auxiliary instrumentation console in the reactor control room will be illuminated when the stack gas monitoring system pump motor is turned off. The locations of the system readouts and alarms are listed in Table 7-12. The setpoints for the radiation alarms can be found in the appropriate AFRRI internal documents.

Table 7 Stack Monitoring System System Readout Radiation Alarm Stack Flow Strip chart recorder in (Not applicable) However, EF5 Monitoring System reactor control room failure gives audible and visual alarm in reactor control room Stack Gas Monitoring Meter in reactor control Activates audible and visual System room alarm in reactor control room 7.8.4 Perimeter Monitoring An environmental monitoring program is conducted by AFRRI primarily to measure environmental doses received from radionuclides produced by the AFRRI-TRIGA reactor, particularly Ar-41. The environmental monitoring program shall consist of an NRC/EPA approved reporting method.

7-81 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

7.9 REFERENCES

7-1. Armed Forces Radiobiology Research Institute, Health Physics Procedures (HPPS),

Safety and Health Department.

7-2. Armed Forces Radiobiology Research Institute, Reactor Operational and Administrative Procedures, Radiation Sciences Department, Reactor Division.

7-82 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

v t e Letter Sequence Other
EPID:L-2020-NFA-0012, Explanation of Enclosures (Approved, Closed)
Initiation Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request Acceptance Supplement, Supplement, Supplement, Supplement, Supplement, Supplement Administration Questions Answers Results Approval Other: ML20318A339, ML21021A182, ML21253A001, ML21302A097, ML21302A103, ML21302A107, ML21316A033, ML21316A036, ML21316A037, ML21316A038, ML22067A246
MONTHYEAR2021-02-04 [Table View]

ML21302A103

Text

7.9 REFERENCES

Navigation menu

Search