ML21302A103
| ML21302A103 | |
| Person / Time | |
|---|---|
| Site: | Armed Forces Radiobiology Research Institute |
| Issue date: | 10/28/2021 |
| From: | US Dept of Defense, Armed Forces Radiobiology Research Institute, US Dept of Defense, Uniformed Services Univ of the Health Sciences |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML21302A096 | List: |
| References | |
| EPID L-2020-NFA-0012, GA/EMS-5084 | |
| Download: ML21302A103 (83) | |
Text
E nc lo s u r e 2c - Redact ed - Ava i la b le t o t he P ublic
Re vis io n 1 o f t he Revised FS AR Chapt er 7 - I nst ru me nt at io n a nd Co nt ro l S yst e ms
Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7 INSTRUMENTATION AND CONTROL SY STEMS Th e r ol e of t h e AF RR I R ea ct or I& C i s t o p r ovi d e m on i t or i n g, p r ot e ct i on, an d con t r ol fu n ct i on s for the react or with a means to acquire and record data. It provides complete infor mati on on the status of the react or and react or-related s yst ems.
The reactor is operated from a Contr ol System Console (CSC) located in the contr ol room while the Data Acquisition Cabinet (DAC) is located in the reactor room and houses t h e mixed analog/di gital neutron linear/ log power channel and the driver modules for the control rod stepping m ot or s.
7.1 DESIGN OF INSTRUMENTATION AND CONTROL SYSTEMS The Reactor I&C s ystem is a hybrid computer based s ystem which includes a hardwired React or Protection System (RPS) with dedicated displays and controls so that safe operation and monitoring of the reactor can continue should the computers become unavailable. The primary function of the RPS is to s cr am the reactor by allowing the control rods to fall into the core in response to automatic protective actions or actions initiated by the operator from the Control System Console (CSC) o perator interface in response to other abnormal reactor operating conditions that ma y arise during the course of operations. The equipment installed in the Data Acquisition Cabinet (DAC) acquires data in the form of electroni c signals from instrumentation in the react or and auxiliar y s ystems, processes it, and transmits it to the operator via multiple displays on the CSC. There are six major subs ystems that make up the AFRR I s yst em as stated below :
- 1) Reactor Instrumentation The React or I&C s ystem recei ves input from various detectors and sensors. These include three fission chambers, a compensated ionization chamber, an uncompensated ionization chamber, a Cerenkov detector, and fuel elements with integrated thermocouples. Signals from these units are processed in the DAC whi ch is housed in the reactor room.
- 2) Rea ct or Contr ol S yst em (RCS)
The reactor contr ol s ystem includes control rod drives (CRD), automatic control, reactor interlocks, and the facilit y interlock s ystem (F IS).
- 3) Reactor Protection S ystem (RPS)
The Reactor Protection System includes the scram logic circuitry, rod withdrawal prevention, facility interlocks, and lead shield door control. The RPS is designed with a fail-safe centric design.
- 4) Cont r ol S ys t em C ons ol e ( CS C)
The CSC is a desk type control console with modularized instrumentation drawers and panels. The computers and monitors are mounted on the cons ole. The o perator interface provides the necessar y contr ols and interfa ces for the operat or to safel y startup, manipulate react or parameters, monit or operatin g paramet ers in their various modes of op eration, and safely shutdown the reactor. The CSC contains the indicators, annunciators, and monitors to present the data to the operator in meaningful engineering units using graphi c displays.
The CSC relies on two computer s ystems. The User Inter face Terminal (UIT) s ystem has graphic displays of reactor activities while the Console Computer S ystem (CCS) contr ols
7-1 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
the reactor and monitors all input and output. The CSC computers (the CCS and the UIT) also provide data storage and logging capabilities on their hard drives.
- 5) Data Acquisition Cabinet (DAC)
The DAC acquires data in the form of electroni c signals from instrumentation in the reactor and auxiliary s ystems, processes it, and transmits it to the operator via various displays which are part of the CSC o perator interface. It h o u s e s the nuclear instrument modules, t h e drivers for the control r od drives, as well as equipment to process analog and di gital inputs.
- 6) P r o cess Instrumentation Additional parameters available to the operator include pool water level, primar y water temperature and primar y water condu ct i vi t y (local onl y).
7.1.1 Design Criteria The Rea ct or I&C s ystem recei ves input from various detectors and sensors. Design considerations and technical specification requirements are listed in each subs ystem. In general, they outline a fail-safe design focus with redundancy and di versity whenever possible.
While there are various modes of operation for the AFRR I Reactor, they all fall under the same operati onal envel ope. The s ystem measures the power level and the fuel temperature and thereb y protects the fuel from exceeding the safety limit. The s ystem must perform for the design basis events or those anticipated operational occurrences which are used to determine the design requirements, i.e. reactor power and fuel temperature. The decision criteria for determining the design basis events which are selected are those which have a consequence that can exceed the capabilities of the rea ct or safet y s yste m. Be cause the safe op erating en vel ope of the rea ct or woul d be exceeded, safet y s cr a ms are included to prevent the condition. The design basis events are therefore:
- the operation of the reactor at a steady state power level in excess of the corresponding techni cal specifi cation.
- the insertion of reacti vit y whi ch causes the reactor to ex ceed the temperature limit during a pulse.
For the latter of these, the reactivit y insertion is determined fr om the worth of the control r ods and the core excess reacti vit y. Both are independent of the design of the react or instrumentation and are physicall y measured values. The reactivit y protection mechanism is thus dependent on the accuracy of the measurement of the neutron flux and by extension rod worth and core excess reacti vit y.
There are no conditions in which the facilit y could be placed, regardless of safety function actuation, which would be ad verse to the health and safety of the public. Therefore, onl y those events which would cause excessive steady-state power levels or give incorrect indication to the react or operat or and the facilit y staff are selected. For an y design basis event, the s ystem must be capable of shutting down the react or in a safe and timel y mann er.
Safet y s cr a ms are provided t o prevent the design b asis event from being ex ceeded. These s cr am s and their setpoint value are outlined in Table 2 of the Techni cal Specifi cati ons and detailed bel ow in S ect i on 7.4.5. Additi onall y, assurance of accurat e reacti vit y measurements is provided throu gh facilit y approved pr ocedures and s ystem testing. The s cr a ms are for power level and pulse time
7-2 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
(ensuring fuel temperature requirements), high voltage loss to a safety channel (ensuring flux measurement accuracy), watchdog timer (ensuring continuous communication), and pool water level criteria (radiation safet y and adequate coolin g). S cr am s are automati call y actuated.
Because the neutron flux is spatially dependent, at least two detectors are on range at an y stead y-state operating power value. These detectors are located around the core to prevent inaccurate indicati on fr om phenomena such as rod shadowing and flux tilt.
The neutron flux levels are measured from subcritical source multipli cati on range throu gh licensed maxi mu m pow er range. Since n ot all of the neutron flux instruments are capable of this, continu ous indication is ensured by maintaining a minimum of one decade of overlap in indication while observati on is transferred from one instrument channel to another.
In the event a setpoint is exceeded, a scram is initiated. The time from initiation of a scram to full insertion of the rods is less than one second. The scram is achieved through both the removal of magnet p ower to the standard rod drives and the removal of air pressure to the transient rod. Upon removal of magnet power and air pressure, the rods fall into the core due to the for ce of gravit y.
In stead y-state and transient operati onal modes as well as during normal, abnor mal, and accident scenarios, the Reactor I&C s ystem is designed to operate in the following conditions :
- Operating temperature range: 10°C t o 40°C
- Operating voltage: 120 VAC +/- 10% 50/60 Hz
- Relative humidit y: 10% to 90% non -condensing
- Pressure: at mospheric
- CSC computers, monitor mountings, and DAC cabinet are designed to meet the requirements for Seismi c Qualifi cati on Performan ce Categor y 2.
The D AC dissipates heat generated b y internal components b y con ve cti on to react or room air. The entire front and rear panels of the DAC are made of perforated metal, providing security (when cl osed and l ocked) and air fl ow t o ambi ent air. Air in the react or room is continuousl y cir culated, and this air current is sufficient to cause flow through the DAC fr ont and rear panels and provide cooling for all interior equipment. Note that the modern, low -power electronics in most of the instrumentation will generate less heat than previous, less efficient equipment.
The nucl ear instrument modules have been tested to ensure that they perfor m their intended safet y functi ons up to a temperature of 50°C.
In the control room, the console is a more enclosed design, with sheet metal covers. Thus, a cir culatin g fan is placed high in one side panel of the console and is energized an ytime the consol e is powered on. This fan will pull cooler room air from existing opening in the bottom of the cons ole, up through the cons ole, and out into the room. Control room HVAC should have little difficult y cooling this load, as it is almost certainly significantl y less than the previous console, which presented no diffi cult y.
Although the comp onents have not been speci fi call y tested for ele ctroma gneti c or radio frequen c y interference (EM I/RF I), best design practi ces were used to separate digital from anal og signals t o mini mi ze the potential for interferen ce. Instruments are constructed with metal enclosures to mini mi ze outside interferen ce and incorp orate AC input to filters to suppress conducted noise.
7-3 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
No reasonable hypotheti cal scenari o would cause appreciable increases in temperature, humidit y or other environmental condition s that would exceed these design conditions. In the event of excessive supply power, temperature, humidity, vibration, radiation, fire, explosion, earthquake, fl ood, lightning, missiles, and wind which leads to the failure of a channel, the s ystem will initiate an automatic shutdown through the fail-safe design of the neutron flux monitoring channels.
Additionall y, manual actuation of a scram is available to the operator to initiate a shutdown if the conditi ons warrant.
Other than aging, there are no environmental conditions which have the potential for a functional degradation of the Reactor I&C s ystem. Regular functionalit y tests, operations, and calibrations are sufficient to alert facility staff of deteriorating s ystem performance.
During operations, there is no design basis or criteria which would necessitate bypass capabilit y for an y part of the React or I&C s yst em. Audible al arms ma y be manuall y b ypassed which allows the operator to focus on changing facility conditions and perfor m testing without distraction. In addition to functional bypasses not being needed, the s ystem is designed such that there are no inadvertent manipulati ons of operating parameters and that administrative contr ols exist which are appropriate f or the safet y functi on perfor med. Procedures and manuals are provided whi ch enabl e facilit y staff to safel y test, calibrate, maintain, and operate the s ystem.
The Reactor I&C s ystem is designed such that reliability is reasonabl y assured during long term reactor operations and standard shutdown intervals. These consistent performance metrics are assured through both the AFRRIs qualit y assurance plan and the vendor s qualit y assurance plan and has been validated by a comprehensive verifi cation and validati on testing program. Because there are no special requirements of the AF RR I react or, there are no additi onal qualit y assurance requirements needed to accommodate any unusual or unique aspects of the design of the Reactor I&C s ystem.
7-4 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 Reactor Instrumentation and Control System Block Diagram
The instrumentation and contr ol s ystem is designed to provide the foll owing:
- complete infor mati on on the status of the reactor and react or-related s ystems
- a means for manuall y withdrawing or inserting control rods
- aut omat i c cont r ol of r ea ct or power l e vel
- automatic scrams in response to over p ower, loss of detect or high volta ge, or high fuel temperature conditi ons
- automatic scrams in response to a loss of operability of the digital computer s ystem
- monitoring of radiation and airborne radioactivity levels 7.1.2 Design Bases The primar y desi gn basis for the AFRRI Re a ct or is the safet y limit on fuel temperature. T o p r even t exceedin g the safet y li mit of 1000°C, design featur es, operating limitati ons, and automati c s crams are provided while interlocks limit the magnitude of transient reactivit y insertion.
7-5 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.2 REACTOR INSTRUMENTATION The key design criteria for the Reactor I&C System is that the nuclear instruments provide indicati ons of react or power from subcritical multip licati on through full licensed maxi mum power.
For redundancy, there are at least two operable channels for all steady-state modes of operation.
Because the fuel temperature is the primar y reactor parameter to be protected, there are at least two fu el temperature safet y channels operable for all mod es of operati on. The nu clear instruments do not have an y sin gle failure points that are not counter balanced with a fail-safe design. Alth ou gh they all ultimatel y rel y on the same source of power, all instruments are wholly independent of each other otherwise. The power sour ce is provided by an Uninterruptible Power Supply (UPS) and in the event of a l os s of AC s uppl y p ower t o t he UP S or UPS failure, a scram is automaticall y initiated. The UPS is discussed in detail in Section 7.6.3.2.
Systematic nonrandom concurrent failures of elements in the design is prevented by using independent channels with fundamentally different detection mechanisms (fission chambers, ioni zati on chambers, and fuel temperature monitor ing). In the event of a channel failure, a scram will be automati call y initiated, and the reactor will enter into a safe shutdown condition. This ensures a fail-safe design.
7.2.1 Data Acquisition Cabinet The Data Acquisition Cabinet (DAC) is located on the reactor floor near the reactor pool. The D AC s er ves as the data gathering and control interface between the rea ctor and the control s yste m cons ole. It monit ors the reactor power from the safet y channels (NP/NPP-1000), the operational chann els (NLW-1000 and NMP-1000),and the fuel temperature channels (NFT-1000). The D AC also contains the scram loop cir cuitr y, and contr ol rod dr i ve controllers.
The DAC acquires data in real-time from the various sensors associated with the rea ct or and facilit y. The DAC stores this data and transmits them via the network to the Control S yste m Cons ole (CSC). In turn, the DAC recei ves comman ds from the CSC, and reissues those commands to raise/lower the contr ol rods or scram the react or. It commu n i cat es with the CSC via an Ethernet data network. The DAC controls the positions of the control rods, either in response to operator inputs entered in at the CSC console, or automaticall y using the power feedback loop during automati c operation. See F i gur e 7-2 for a block diagram of the DAC.
AC power is supplied to the DAC by the UPS located in the CSC. AC power is distributed to three identical rackmount power strips. Each strip has 8 outlets and features a 15A resettable cir cuit breaker and a lighted power switch. All DAC devices that require AC input power are plugged into these power strips. For a detailed block diagram of the AC power distribution see F igur e 7-3 bel ow.
7-6 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 B l oc k Diagram of the Data A cquisition Cabinet (DAC)
7-7 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 Data Acquisition Cabinet AC P ower Distribution
The DAC is composed of five major components, the Power Supply Drawer, the Digital Input Drawer, Anal og Input Drawer, Rod Contr ol Drawe r, Rela y Drawer and the Linear and Log Power Instru ment Drawers 7.2.1.1 P ower Supply Drawer The power suppl y drawer supplies Vdc power for the components located in the DAC al ong with a power supply for the contr ol rod magnets and transient rod air solenoid. The following p ower supplies are located on the power suppl y drawer :
- PS1 +5 Vdc Power Supply provides power the secondary side of the digital isolator modules on the digital input drawer.
- PS2 +15 Vdc Instrument P ower Supply is used to generate input signals to the nuclear instrument remote connect ors. It also provides the pulse gain signal for the NPP-1000.
- PS3 +24 Vdc Utility P ower Supply is a 50W power supply that is used to power digital switch contacts external to the DAC (FIS, Rod Drives, etc.). Input to output isolation is 3,000V.
- PS4 +24 Vdc Solenoid P ower Supply pr ovi des power t o the transient rod air solenoid.
- PS5 +24 Vdc Utility Power Supply is used to power digital switch contacts external to the console. Input to output isolation is 3,000V.
- PS6 +24 Vdc Magnet Power Supply provides power to the standard control rod drive magnets. It is monitored by a gr ound fault detector (GFD), which is also mounted in the
7-8 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
power supply drawer. The GFD monitors both the high and low legs of the scram loop. If any point in the scram loop shorts to earth gr ound, the GFD will detect it and generate a fault indication to the console. The GFD has a display, test mode and various indicators.
When no fault is present, a green LED will be lit. When a fault is detected, yellow LEDs will be lit. The GFD is powered by PS5.
7.2.1.2 Digital Input Drawer The purpose of the digital input drawer is to isolate all digital inputs from the comput er. The digital input drawer houses two identical printed cir cuit board assemblies (PWA) populated with digital isolators. Ever y isolat or accepts a 2.5 to 28Vdc input signal to activate on the primar y side. When active, a red LED is lit. The inputs are referenced to the 24V digital power supply (PS3) on the power supply drawer. The secondar y side is powered by 5V (PS1). The outputs of the digital isolators generate an input to the digital input modu le that are part of the printed circuit board. The signals are passed from the isolat or boards to the di gital input board via DIN rail mounted terminal boards that accommodate the required connect or confi guration.
7.2.1.3 Analog Input Drawer The anal og input/output drawer houses signal conditioning modules that feature gal vani c input t o output isolation of 3,500 V. Of the 18 signal conditioning modules, 7 of them are designed to accept either current or voltage signal, 6 are designed to read potentiometer inputs, and 5 are designed to connect to 100 RTD sensors. The outputs are confi gured for 0 to 10 Vdc, to be read b y modules mounted in the analog drawer. The signal conditi onin g modules are powered b y a +24 Vdc, 120W switching power suppl y. Ever y module has two calibration potentiometers for zer o and span adjustments.
7.2.1.4 Rod Control Drawer The rod contr ol drawer houses the modules. All modules are directly powered by t h e D AC AC p ower.
-7.2.1.5 Relay Drawer The relay drawer houses three relay boards with electr o-mechanical relays, two socketed rela ys and a number of terminal blocks for signal distribution. This drawer houses all the relays that are associated with the scram l oop and magnet power.
The relay board housing the s cram loop contains 24 relays. The 24V rela y coils are driven by various inputs to the scram loop. The outputs are part of the scram loop wiring or are used in the generation of digital signals to the cons ole.
Two other relay b oards can house up t o 8 standard plug-in rela ys ea ch, either for AC or DC l oads.
These relays are controlled by the CCS computer. When the computer activates a relay, a corresponding green LED on the relay will be lit.
Two socketed 4PDT (K1and K2) relays are used in the scram l oop to generate the operate signal for the F IS. K1 perfor ms the reset and latchin g fu ncti ons and indicates all scrams clear. K2 is on when the cons ole ke y switch is in the ON position. K1 and K2 are driven by 24Vdc. When the relay coil is activated, a red tab becomes visible in a display window on top of the relay.
7-9 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.2.1.6 Linear and Log P ower Instrument Drawers The linear power drawer houses one NMP-1000 and one NFT-1000 nuclear instrument. Both the NMP and NFT instruments are part of the scram l oop. The scra ms for the NMP are b ypassed. The NMP-1000 is connected to a compensated ion chamber. The NFT-1000 is connected to three instrumented fuel elements.
The log power drawer houses one NP-1000, one NPP-1000 and one NLW-1000 nuclear instrument. The NP and NPP are part of the scram loop. The NLW, NP and NPP are all connected to fission chambers for stead y-state operation. The NPP is also connected to an uncompensated ion chamber and a Cerenkov de tect or for pulsing operations.
7.2.2 Subsystem Description 7.2.2.1 Neutron F lux Monitoring Equipment Four independent power measuring channels are provided for a continuous indication of power from subcritical neutr on sour ce multiplication range to the maximum steady-stat e licensed pow er level. Peak power resulting from the maximum allowed pulse reactivity insertion is monitored with a special channel capable of reading the high power levels achieved during a pulse.
F i gur e 7-4 shown below indicates the power ranges of the channels and how overlap between differin g op erational modes is achieved.
F i gur e 7-5 s hown below indicates the transmission of signals from the neutron flux and temperature ch annels to the react or to the console.
F i gur e 7-6 s hows the locati on of the neutron detectors for the nuclear instrumentation channels with respect to the core.
7-10 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
2500MW 1---
1000MW t---
100MW
10MW l.lM W
______ / __ _ --------------* ------------
1MW 100%
100kW 10%
10 kW 1%
NP -1000 NPP-1000
1 kW t--- ---- ----- 1---------~---------- ------------- 10*1 %
1 kW Interlock 100W
10W NLW-1000 1W NMP-1000
0. 1 W 10-5 %
0.01W Source Level _
0.001 W ---------- --- - --------------- -- - -- -- --10*1 %
Source Interlock 0. 0001 W L-------&..--------------------..
NMP-1000 Compensated Ion Chamber N LW-1000 Fission Chamb er NP-1000 Fission Chamb er NPP-1000 Fission Chamb er (Stead y-state Mode)
Uncompensated Ion Chamber (Pulse Mode)
Figure 7 AFRRI P ower Instrument Ranges
7-11 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 Neutron Flux Monitoring Channels
7-12 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprietar y In for m atio n Withh old F rom Pub lic D isclos ure Un der 10 CFR 2.390
7.2.2.1.1. NLW-1000 Log Power Channel Th e NLW-1000 is designa ted as t h e Log Power Ch ann el. Th e des i gn fun ctio n o f t he NLW - 1000 i s to m eas ure neu tron fl ux in or der t o provide t h e follow in g:
- Wi de ran ge l ogar i thmi c p ower indicatio n.
- R eactor p eriod indicatio n.
- Bistab le trip /signa l fo r int erl ock s.
- Ana l og ou tp u ts to th e b argra phs and r ecor ders fo r steady -state operat i on.
- Digi tal outpu ts t o th e r eacto r control conso le fo r steady -state operati on.
Th e N L W-1000 m onitorin g channe l is a w i de ran ge l ogari thm ic th at op erates with a fissio n cham ber an d a PA-1 000 prea m li fi er that deco u les and a m li fies ulses t hat ori inate at the fissio n cham ber. The m odul e
Th e l ogar ithmi c r eactor p ower s i gnal is m oni tored by a per i od circui t w hich ge nerates an ou tpu t pro p oliion al to the rate of change in r eactor p ower at any give n instant. Thi s si gnal called per iod i s a m eas ur e o f t h e t ime (in seco nds) it tak es fo r the reactor powe r to ch an ge b y a facto r o f e (2.7 18). The p eriod indicatio n is fro m -30 seco n ds to +3 seco n ds.
7 - 13 P roprietary In formatio n Withh old F rom Pub lic Disclos ure Un der 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
The N LW-1000 relies on analog signal processing (no software) for detect or signal processing f or both the power signal and the period signal, along with the bistable trip activation. The NLW -1000 al s o provides analog outputs to the bargraphs and chart recorder for use at the reactor control cons ol e.
Figure 7 Block Diagram of the NLW-1000 Log P ower Monit or
The trip/alarm board contains six identical circuits to generate all trip/alarm indications. Ever y cir cuit is jumper confi gurable for a rising or falling trip. A comparat or monit ors an incomin g sign al voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states when the amplitude of the incoming signal exceeds the reference signal. A falling trip works the opposite way; when the incoming signal amplitude falls below the reference voltage, the comparat or will switch states. Once a trip has occurred, the circuit latches in the tr ipped state. The onl y wa y t o unlat ch the cir cuit is for the user to appl y a reset signal, even i f all signal levels return to nominal prior to the reset. Diodes and opto-isolators are used for isolation of the trip/alarm signals.
The analog trip relays are held energized in a fail-safe condition until an alarm (or loss of power )
de-energizes the coil. Three of the six bistable trips are active and are listed in Table 7 -1 and
7-14 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprietar y In for m ation Withh old F rom Pub lic D isclos ure Un der 10 CF R 2.390
desc ribed b el ow. All ti*ips assoc i ated w ith t he NLW - 1000 ar e rod with drawa l interl ocks and ar e en fo r ced via softwa r e.
Th e l oss of high voltage u-ip signal is sen t to the CSC, which in tum enfo r ces t he contro l rod inte rl ock r equired for loss of HV to th e chann el.
Th e p eriod s i gnal fr om t h e NL W - 1000 is sen t to th e CSC, w hi ch u ses t his signa l to determin e i f to en fo r ce the l ess than 3 secon d per iod con u-ol rod interl ock an d also as an inp ut to th e autom atic m ode con u-ol PID al gori thm.
Th e gr eater th an 1 k W Pulse Interl ock u ses o ne of th e NL W-1000 an alog bistab le ti*ips as an inte rl ock for op eratio n in Pulse Mode. The CSC r eads the bistab le ti-ip signal and uses softwa r e to en fo r ce th e interlock.
Table 7-1-Trip s A ssociated with the NLW-1000
Trip Function Trip Setpoint Action
HV Low Interlock 20 % loss of HV Control Rod Withdrawal Inhibit Period Interlock < 3 s econds Control Rod Withdrawal Inhibit Pul se Interlock > 1 kW Puls e Interlock Pul s e Mode Interlock
Th e N L W-1000 con ta ins a digi tal interface b oar d wit h mi croprocessors and circui ti*y t hat conve1is th e an alog signals to digital an d u-ansmi ts t hem fo r use at the con u-ol consol e.
7.2.2.1.2. NMP-1000 Multi-range Linear Power Channel Th e NM P-1000 is designated as th e Linear Power Chann e l. Th e des i gn fun ction of the NMP -1000 is to m eas ure neu u-on fl ux in or der to provide th e follow in g:
- M u lti-ran ge pe rce nt l in ear p ower in dicatio n.
- Bistab le ti*ips for interl ocks.
- Ana l og outp ut to th e recorder fo r steady -state op erati on.
- Digi tal outpu ts to t h e r eactor conti*ol conso le fo r steady -state operati on.
Th e NM P-1000 uses a co mpe nsated i on ch amb er. The NM P -1000 r eli es on softwa r e to con du ct au to-ranging and sub sequ ent b istab le ti*ips. The NM P-1000 was devel oped und er NQA-1 qua lit y conti*o l.
7-15 P roprietar y In formatio n Withh old F rom Pub lic Disclos ure Un der 10 CF R 2.390 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390
The NMP-1000 is a micropro cessor based wide -range lin ear p ower m odule which provides percent reactor power indic ation and bi-stab l e t rip circuits. The NMP-1000 module pro cesses current of 1x 10-11 to 1x 10-3 Ampere s from a co mpen sated ion cham ber. A co mpen sat in g vo lta.ge power suppl y is provided for use with t h e compen sated ion ch amb er. The inpu t cunent is converted into 0 to 10 V in 9 one -de cade ranges giving power indicatio n from startup through 120% power on a line ar sca le ( di sp laying in progressively wider ranges, one decade at a time).
When the NMP-1000 is in auto-ranging mode t he ove1power warnin g onl y occurs on the high est range (i.e. 100% foll p ower). Whereas, wh en the range is selected by the operat o r, a warning occurs at 110% of that specific range. The appropriate decade is se lected either automatically b y softwa re (au to-rangin g mod e) or b y the user (manu al ranging mod e) via the touch scr ee n display or selecti n g the desired checkbox o n the MODE SELECTION Pane.
The NMP-1000 h as two mod es of opera tion, local or remo te. In local m ode, t he module accep ts commands via the front panel touch screen. In remote mode, the module accep ts command s via the Etherne t port or the analog remote interface connector on the rear panel.
Figure 7 Block Diagram of the NMP-1000
The trip /a l ann b oard contains s ix identical circuits to generate all trip / alann indications. Every circuit is jumper configurable fo r a ris ing or falling trip. A comparator monit ors an incomin g signal
7-1 6 Proprietar y Inform ation Withhold From Public Disclosure Under 10 CF R 2.390 Proprietar y Inform atio n Withhold From Public Disclos ure Under 10 CFR 2.390
vo ltage and compares it to a reference vo ltage. The reference voltage is user adju stable via a potentiometer. When the circuit is configured for a ris ing trip, the comparator will swi t ch states when the amplitude of the incomin g signa l exceeds the r efere nce signa l. A falling trip works the opposite way; when the inco min g signa l amplitude falls below the referen ce vo ltage, the comparator w ill switc h states. Once a trip h as occurr ed, the circuit latches in the ti*ipped state. The only way to unlatch the circuit is fo r the use r to appl y a reset signa l, even if a ll sign al le ve ls return to n omin al pri or to the re set. Diodes and opto-iso lato r s are used for isolation o f the ti*ip/ alaim signa ls.
The analog ti*ip r e lays ai*e hel d energized in a fail-safe condition until an alai-in ( or loss of power) de -energiz es the coil. Two of the six bistab le trips ai*e active and ai*e listed in Table 7 -2 and described b elow. All trip s associated with the NMP-1000 ai*e wainin gs or rod withdra wal interlock s and are enforced via softwa re.
The loss of high voltage ti*ip signal i s sent to the CSC, which in ge nerates a war nin g fo r loss ofHV to the channel.
The low source rate interlock uses o ne of the NMP-1000 analog bistab le ti*ips as an interlo ck for conti*ol rod withdra wal if power level falls b elow 1 x 10-5 wat ts. This ensures that there is s ufficient indica tio n of source n eutro n s to approach criticality in a conti*olled manner. The CSC reads the bistable trip signa l and uses softwai*e to enforce the interl ock.
Table 7-2-Trips Associated with the NMP-1000
Trip Function Trip Action
HV Low Interlock 20% loss of HV Warning
Low Source Rate < 1 x 10-5 watts Control Rod Withdrawal Inhibit
The NMP-1000 conta ins a digita l interfa ce board w ith microprocessors and circuiti*y that con verts the analog signals to digital and tran smits them for use at the control consol e.
The NMP-1000 te st m odes allow for testing the proper p erfo1manc e of the electrometer and to ensure the functi on alit y of all ti*ip circuits. T est m ode s includ e HV, calibrate high, calibrate low, and manu al current. The HV and calibrate high test mod es cause the bi-stable trips to alaim ; current l ow gives fixed p ower indic atio n in the highe st range ; and m anual test allows for varying the current over all ran ges with the front panel potentiometer. Test m odes can b e enabled via the t o u ch scr ee n or a remote interfa ce.
7.2.2.1.3. NP-1000 Linear Power Channel The NP-1000 is designated as Safety Channel No. 1. The design fun cti on of the NP-1000 is to me as ure neutron flux in orde r to provide the follow ing:
7 -1 7 Proprietar y Inform atio n Withhold From Public Disclosure Under 10 CFR 2.390 Proprietar y Inform atio n Withhold From Public Disclos ure Under 10 CFR 2.390
- Percent linear p ower indi catio n.
- Autom atic scram o n overp ower conditions.
- Analog output s to the bar graphs and recorders for steady-state operation.
- Digital output s to the re acto r control console for steady -state operati on.
The N P-1000 is a nucle ar instnnnent module that pro vide s p ercent r eacto r power indic atio n, bi-stab l e trip circuits and output s to oth er devices. The m odul e processes current fro m a fissio n chamber.
The p erformance of the safety fun ctio n (i.e., mea surem ent of signal from detector and actuation of bistable tr*ips) is retained in the analog polii on of the instrument while the an al og to digital conversion of the signa l fo r use at the control con sole computers h as been inte grate d into w hat is now the digital p orti o n of the ins trument.
The N P-1000 p ercent reactor power m onit oring ins trument i s a linear current-to-voltage signal conditioning device which includ es a high-vo ltage power supp l y, adjustable bistable trip circuit s for local and r em ote alarms and isolated curr ent or volta ge output s for display by other devices.
The NP-1000 unit provides lin ear power output when the reactor i s at power, approxi mate l y 1%
through 120% power. This channel is designa te d as Safet y P ower C hannel #1.
Figure 7 Block Diagram of the NP-1000
The tr*ip/a l ann b oard contains s ix identical circuits to generate all trip / alann indications. Every circuit is jumper configurable fo r a ris ing or falling tr*ip. A comparator monit ors an incomin g signal voltage and compares it to a reference voltage. The reference voltage is user adju stable via a potentiometer. When the circuit is configured for a ris ing tr*ip, the comparator will swi t ch states
7 -1 8 Proprietar y Inform atio n Withhold From Public Disclosure Under 10 CFR 2.390 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390
when the amplitude of t he incomin g signa l exceeds the r efer ence signa l. A falling trip works t he opposite way; when the inco ming signal amplitude falls bel ow the referen ce vo ltage, t he comparator w ill switc h states. Once a trip h as occurred, t he circuit latche s in the ti*ipped state. The only way to unlatch the circuit is for the user to appl y a re set signal, even if a ll sign al le ve ls r eturn to n omin al pri or to the re set. Diodes and opto-iso lato r s are used for isolation of the ti*ip/ alaim signa ls.
The analog trip r e lays ar e hel d energized in a fail-safe condition until an alai-in ( o r loss of power) de-energizes t he coil. Two of the six bistab le trips ai*e active and are listed in T able 7-3 and desc ribed below. All ti*ips associated with the NP-1000 are scrains and are enforced b y h ardware and ai*e n ot dependent o n any softw ai*e.
The relays are provided wit h two sets of contacts, each set with one n01mally open and one n01mall y closed pair of contacts. The relays are hel d energized in a fail-safe con ditio n until an alaim de -en ergize s t he coil.
The loss of high vo ltage trip s ign al ge nerate s a scram wh en high volta ge (HV) to the channel falls below the se tp o int.
The ove1power trip sign al ge nerate s a scram when reactor p ower is g reater than the setpo int.
Table 7-3 -Trips Associated with the NP-1000
Trip Function Trip Setpoint Action
HV voltage low 20% loss of HV Scram Overpower 2:1.1 MW Scram
The N P-1000 h as two m odes of operatio n, local or remote. In local m ode, the m odul e accep ts commands via the front panel touch scree n. In remote mode, the module accep ts command s via the Etherne t port or the analog remote interface co nnector on the rear panel.
The NP-1000 has test m odes to allow for testing the proper p erfo1mance of the electr ometer and to ensure the fon cti ona li ty of all trip circuits. Test m odes include High Power, R amp, Manual and HV Low. The HV Low and High Powe r test m ode s cause the bi-stab le trips to alaim. The Ramp and Man ual test m ode s cause t he bi-stab le trips to alann when the ti*ip set point is exceeded as the power is ramped up. Test m odes can be enabled via the touch screen or a r emote interface.
7.2.2.1.4. NPP-1000 Linear Power Pulsing Monitor The N PP-1000 is designated as Safet y Chann e l No. 2. The design fon ction of the NPP-1000 is to meas ure neutron flux in order to provide the follow ing:
- Percen t linear p ower indic atio n.
- Au to m atic scra m o n overp ower condition s.
- Analog output s to the bargraphs and r ecorders for steady-state operation.
- Digital outpu ts to t he re acto r conti*ol console for steady -state operati on.
In addi ti on, t he insti1unent is to m eas ur e the neutron flux for pulsing operatio ns an d to provide t h at informati on to the reactor conti*ol console for post pulse storage and analysis.
7-19 Proprietar y Inform ation Withhold From Public Disclosure Under 10 CF R 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
The NPP-1000 is a nuclear instrument module that provides percent reactor power indication, bi-stable trip circuits, circuitr y appli cable t o pulse monitoring and outputs to other devi ces. In stead y -
state mode the module processes current from a fission chamber.
The NPP-1000 percent reactor power monitoring instrument is a linear current-to-volta ge s ignal conditioning device which includes a high-voltage power supply, adjustable bistable trip circuits for local and remote alarms and isolated current or voltage outputs for display by other devices.
The NPP-1000 also measures reactor power during the pulsing mode of operation. Because reactor power may reach levels several thousand times greater than the maximum steady-state power levels during a pulse, the NPP-1000 has special hardware to measure this event accuratel y. This includes cir cuitr y to allow remote gain selection.
The NPP-1000 provides linear power measurement from approximatel y 1% power through the pulsing range up to 6500 MW and is designated as Safety Power Channel #2. The detection mechanis m for the NPP-1000 is chosen based on the mode of operati on. A fission chamber i s u s ed when the react or is in stead y-state mode while an uncompensated ioni zati on ch amb er or Cerenkov detect or ma y be used when the reactor is in pulse mode.
Figure 7 Block Diagram of the NPP-1000
The trip/alarm board contains six identical circuits to generate all trip/alarm indications. Ever y cir cuit is jumper confi gurable for a rising or falling trip. A comparat or monit ors an incomin g sign al voltage and compares it to a reference voltage. The reference voltage is user adjustable via a potentiometer. When the circuit is configured for a rising trip, the comparator will switch states 7-20 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Inform atio n Withhol d From Public Disclos ure Under 10 CFR 2.390
when the ampli tude o f t he incomin g signa l exceeds the r efer ence signa l. A falling trip works t he opposite way; when the inco min g signa l amplitude falls bel ow the referen ce vo ltage, t he comparator w ill switc h states. Once a trip h as occurred, t he circuit latches in the ti*ipped state. The only way to unlatch the circuit is for the user to appl y a re set signa l, even if a ll sign al le ve ls r eturn to n omin al pri or to the re set. Diodes and opto-iso lato r s are used for isolation o f the ti*ip/ alaim signa ls.
The analog trip r e lays ar e hel d energized in a fail-safe condition unt il an alai-in ( o r loss of power) de-energizes the coi l. Three of the six bistable trips are active and are listed in Table 7 -4 and desc ribed below. All ti*ips assoc iated wit h t he N PP-1000 ai*e scrams and ai*e enforc ed by h ardware and ai*e n ot dependent o n any softw ai*e.
The relays are pro vided wit h two sets of contacts, each set with one n01mally open and one n01mall y closed pair o f contacts. The relays are hel d energized in a fail-safe con ditio n unt il an alaim de -en ergize s t he coil.
The loss of high vo ltage trip s ign al ge nerate s a scram w h en high volta ge (HV) to the channel falls below the se tp o int.
The ove1power trip signa l genera t es a scram w h en reactor p ower is gr eater than the setpo int The ove1power trip is o nl y active in stead y state m ode.
NVT High genera tes a scram signa l if the total energy of a pulse is gre ater t han t he setpo int. The NVT High ti*ip is only active is pul se mode.
Table 7 Trips Associated with the NPP-1000
Trip Function Trip Setpoint Action
HV voltage low 20% loss of HV Scram Overpower (steady-state) 2:1.1 MW Scram NVT high (pulsing only) 50MW*s Scram
R e lays ai*e pro vided with two sets of contacts, eac h set with on e n orm ally open and o ne normall y close d pair of contacts. The relays are held energized in a fail-safe conditi on until an alarm deenergizes the coil.
The N PP-1000 has two m odes o f operat i o n, local or rem ot e. In local m ode, the module accep ts command s via the front panel touch scree n. In remote mode, the modul e accep ts command s via the Etherne t por t or the analog remo t e interface connecto r on the rear panel.
The NPP-1000 h as t est m odes to allow for test ing the proper performance o f the electrometer and to ensure t he function alit y of all ti*ip circui ts. Test m odes include High Power, Ramp, Manual, HV Low and Pul se. The HV Low and High P ower tes t m ode s cause t he bi-stable ti*ips to alann. The R amp and Manual tes t m odes cause the bi-stab le ti*ips to alarm when the ti*ip set point is excee ded as the power is ramped up. The Pul se tes t m ode is used to test pulsing. Test m odes can b e enabled via the tou ch screen or a remote interface.
7 -21 Proprietar y Inform atio n Withhold From Public Disclosure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.2.2.2 Fuel Temperature Monitoring Equipment 7.2.2.2.1. NFT-1000 Fuel Temperature Monito r The NFT-1000 is designated as the Fuel Temperature Measuring Channels. The design function of the NFT-1000 is to measure fuel temperature in order to provide the foll owing:
Fuel temperature indicati on.
Aut omati c scram(s) on high fuel temperature conditions.
Anal og outputs to the bargraphs and recorders for steady-state op eration.
Digital outputs to the reactor contr ol console for steady-state operati on The NFT-1000 is a nuclear fuel temperature modul e that provides fuel temperature indication, bi-stable trip circuits and outputs to other devices. The module has three independent channels to process inputs from T ype K thermocouples. Temperature transducers convert the millivolt inputs from the thermocouples to usable voltage levels that drive bi-stable trips for local and remote alarms and isolated current or voltage outputs for display b y other devices. The NFT-1000 is calibrated to measure temperature from 0 to 1000°C.
The NFT-1000 nuclear fuel temperature monitoring module has a capabilit y to measure and capture pulse data, which is temperature values recorded and stored frequently, for a short period during and after a react or pulse.
Figure 7 Block Diagram of the NF T-1000
The trip/alarm board contains six identical circuits to generate all trip/alarm indications. Ever y cir cuit is jumper confi gurable for a rising or falling trip. A comparat or monit ors a n incomin g sign al
7-22 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprieta r y In for m atio n Withh old F rom Pub lic D isclos ure Un der 10 CF R 2.390
vo ltage an d comp ar es i t to a refere n ce vo ltage. The refere n ce voltage is use r adju s t ab le via a pote n tio m eter. Whe n the c ircu it is con fig ur ed fo r a r ising tr ip, the comp arato r will swi t ch s t ates w h en th e am p li tu de of t h e inco min g signa l excee d s the r efere n ce signa l. A falling tr ip works t h e oppos i te way; w h en the incomin g signa l amp litu de falls be l ow th e r efer en ce vo ltage, t h e comp ar ator w i ll switc h states. Once a tr ip h as occurr ed, t h e cir cu it l at ch es in the ti*ipped state. Th e onl y way to unl at ch the circu it is fo r th e use r to ap p l y a rese t signa l, eve n i f a ll sign al l eve ls retu rn to n omin al pri or t o t h e r eset. Diodes and opt o - iso lato r s are used for iso latio n o f th e ti*ip/ a laim signa ls.
Th e an alog ti*ip r e lays ai*e h eld en ergize d in a fai l-safe con ditio n until an alai-in ( or loss of powe r )
de - en er gizes th e coi l. Three of th e six bistab le trips ar e active an d are listed in Tab le 7 - 5 and described be l ow. All ti*ips associated w ith t h e NFT-1000 are scra m s an d ai*e en forced by h ardwar e an d ar e n ot depe n dent o n any softwa r e.
Th e relays ar e p rovided wit h two sets of contacts, eac h set with on e n01mally op en and on e n 01mall y closed pai r of contacts. The relays ai*e h eld en er gize d in a fai l-safe con ditio n until an alaim de - en erg i zes th e coi l.
Th e t hr ee ind ep en den t High F u el T empera tur e scr ains ar e gen erated w h en th e fue l t emp erat ure i s gr eater th an th e setpo int.
Table 7-5 -Trip s As s ociated with the NFT-1000
Trip Function Trip Setpoint Action
High Fuel Temp Channel 1 2:600 ° C S cram High Fuel Temp Channel 2 2:600 ° C S cram High Fuel Temp Channel 3 2:600 ° C S cram
R e lays ar e p rovided with two sets of con tacts, eac h set with on e n ormally open an d o n e n ormall y close d pair o f con tacts. The r el ays ar e h eld en er gized in a fai l-safe con ditio n unti l an al an n de-en ergizes th e coi l.
Th e t echni cal speci fi catio n s onl y r equi re two fu el tem peratur e m eas urin g chann e ls an d associated scra m s to be operatio n al. The thir d ch ann el provides r edund an cy an d is an installed fully fun ctio n al..
m-ser v1ce spare.
Th e NFT ch annels ai*e lab el ed 1, 2 and 3 w hil e the ti*ips a re l abel ed w i th numb ers 1 throu gh 6, s in ce t h ere ai*e 2 trips per ch ann el. C hann el 1 has ti-ip 1 an d 2, Ch annel 2 has ti*ips 3 an d 4 an d Chann el 3 h as trips 5 and 6. The odd numbered trips ai*e scr am s w h i l e th e eve n number ed ti*ips are wainin gs. SCRAM P an e on t h e Left Side Disp lay i s l abele d as "NFT H i T emp SCRAM".
Th e WARNINGS annun ciato r on th e Le ft Sid e Disp l ay i s labe lled as:
NF Tl H i T l " (sc r am)
NFTl H i T2" (wai*ning)
NFT2 H i T3 " (sc r am)
7 -23 P roprietary In formatio n Withh old F rom Pub lic Disclos ure Un der 10 CF R 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
NFT2 Hi T4 (warning)
NFT3 Hi T5 (scram)
NFT3 Hi T6 (warning)
The NFT-1000 has two modes of operation, local or remote. In local mode, the module accepts commands via the front panel touch screen. In remote mode, the module accepts commands via the Ethernet port or the analog remote interface connect or on the rear panel.
The NFT-1000 has test modes to allow for testing the proper performance of the module and to ensure the functionalit y of all trip circuits. T est modes include High Temp, Low Temp, Manual A, Manual B and Manual C. All test modes cause the bi-stable trip relays to de-energi ze and alarm.
The manual modes allow the user to adjust a front panel potentiometer to cause a bi-stable trip to alarm. Test modes can be enabled via the tou ch scr een or a remote interface.
7.2.2.2.2. Instrumented Fuel Elem e nt The NFT measures the thermocouple inputs from the instrumented fuel element ( IF E ) shown in F i gur e 7-12. Although each individual IFE has three independent thermocouples for measuring fuel temperature as shown in F i gur e 7-12, only one thermocouple from a single IFE is used to provide an input to the NFT-1000 module. Ea ch NFT-1000 module provides a high -temperature s cr am. While onl y two are required for the Techni cal Specifi cations, all three are used. One fuel temperature chann el is used to drive an analog bar graph on the consol e and to provide a signal for the existing paper chart recorder in the auxiliar y console. Each of the three fuel temperature signals are independentl y anal yzed but housed in the same NFT -1000 module.
7-24 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7-25 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprietar y In form ation Withh old F rom Pub lic D isclos ure Un der 10 CF R 2.390
Figure 7 Core Location s of the In strumented Fuel Element s
Table 7 -6 -Location s of Significant Core Component s
Component Grid Location
Instn 1ment ed Fu el E lem ents (IF E) B5, C2, C6
Fuel Fo ll ower Control Rods D-1, D-7, D-13
T ran sien t Contro l Rod A-1
Non-F ue l Locatio n, Al T ube-F ill ed Hol e E -23
Non-F ue l Locatio n, Water-Fi lled Hole F-9
7-26 P roprietary In formatio n Withh old F rom Pub lic Disclos ure Un der 10 CF R 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.3 REACTOR CONTROL SYSTEM (RCS)
The Rea ct or C ontr ol S ys te m (RCS) perfor ms several functions, including s ystem startup, s ystem shutdown, maintaining a shutdown state, chan ging power levels and maintaining operati on at a set power level. Since the reactor is of TRIGA design, the RCS is capable of rapidly inserting reactivit y int o the react or core to produ ce hi gh power pulses through activation of the transient rod. The RCS subs ystems are: contr ol rod drives, automati c control, contr ol rod interlocks and the facilit y interlock system. The interlocks are separated into two groups : those which protect the reactor itself and those which protect facility personnel. There are no experiment specific facilit y interlocks.
This section shows that the reactor control s ystem will maintain the s ystem within licensed limits during nor mal operation and ensure the impact of failures in the contr ol s ystem is appropriatel y included in the accident anal yses. It shows how the RCS s ystem design is suitable for performing the functi ons stated in the design bases.
The design criteria for the Reactor Control S ystem are:
- A single failure will not prevent achieving and mai ntaining a safe shutdown conditi on.
- Instruments and equipment are designed to fail-safe or to assume a safe state.
- Redundancy and diversit y
- S ystemati c, nonrandom, concurrent failures of redundant elements in the design through the use of independence, separation, redundancy and protecti on against anticipated events.
7.3.1 Con t r ol Rod Dri ves The standard control r od drives are rack and pinion t ype that are driven b y. The contr ollers for the and limit switches are housed in the Data Acquisition Cabinet (D AC). The control rod drives are designed such that there is no single point failure amongst the drives and that in the event of a failure, they defaul t to a safe status. The drives are independent of each oth er and redundancy is achieved throu gh usi ng separate rod dri ve mot ors for each dri ve, that is, the rods are not coupled t ogether in any wa y. S yst emati c nonrandom concurrent failures of the dr i ves i s pr evented whenever possible.
The specific function of the control rod drives is to manipulate reactivit y in the core at the appropriate time. Th e rod drives are coupled t o eit her an electr oma gnet or an an vil (transient rod).
As the r od dr i ves tr avel thr ou gh their range of operation, their position is made available to the D AC and thereb y presented to the operat or.
The rod drives themselves do not provide an y safet y fun cti on. In the event of a scram, the magnets are de-energi zed (or air pressure released for the transient rod drive) and the control rods are dropped int o the core b y the for ce of gravit y, whil e the drives are driven t o their bottom li mit. To prevent a scenario in which the safet y limit could be threatened, or otherwise unsafe conditions created, interlocks are provided whi ch prohibit rod withdrawal. Refer to S ect i on 7.3.4.
All rod drives receive power from a common source and a common s ystem provides actuatin g logic for the drive mechanism. The logic is handled in the control console while the drive communi cati on channels are housed in the DAC.
7-27 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprietar y In for m atio n Withh old F rom Pub lic D isclos ure Un der 10 CFR 2.390
Th e m ount ed on each contro l rod drive asse mb ly dr ives a p ini on gear and a 10-tum pote nti om eter vi a a ch ain an d p ull ey gear m ech ani sm. T h e pote n tio m eter pro vides rod pos i tion info nnatio n on the operato r con sole. The p ini on gear engages a rack attach ed t o t h e m agne t draw t u be.
Th e contr ol rod dr ives ar e connected to th e contr ol rods through a conn ecting rod asse mb ly. An electro m agnet, attac h ed t o th e lower en d o f the magn et draw tub e, engages an iron aim ature, which in tum is screwed an d p inned into t he upp er en d o f th e conn ect ing rod t h at termin ates at its lower en d in the con tro l rod itse lf. T h e m agne t, t he aim ature, an d th e upp er p orti on o f th e connect in g rod ai*e housed in a tubular barrel t hat exten ds b el ow t h e r eactor wate r l ine. Located paii way dow n th e connectin g ro d is a p isto n. Th e upp er portion of the baiTel is ventil ated to pe1mit unr es tricted m ove m ent of the p isto n in wate r, w h ereas th e lower 2 inches o f the b a1Tel provides a da mp in g actio n w h en th e elec t rom agnet i s de-e n ergize d and the con tro l rod is re l ease d. R e fer to Figur e 7 -1 4 fo r a di agram o f a stan dai*d con trol rod drive.
When th e is en ergized (vi a the rod control U P or D OWN b u tton on th e operato r console rod contro l panel), the p ini on ge ai* sh a ft rotates, thu s rais ing th e magnet draw tub e. If t h e electro m agnet is en erg i zed, t he annature an d th e connectin g rod w i ll rai se wi th t h e draw tube so th at t h e contro l rod is withd raw n fr om t he reacto r cor e. In th e even t of a r eacto r scra m, the m agnet i s de-en ergized, and t h e aim ature wi ll b e r el eased. The conn ect ing rod, the p isto n, and the control rod will th en d rop ; thu s r einse1iing the control rod by gravity into th e r eact or cor e.
7.3.1.1 Control Rod Drive Limit Switche s A sprin g-loaded p ull rod exte nds ve1i ically throu gh a h ous ing and u p t hrough t h e b lock. The lowe r en d of t his rod tennin ates in an a dj ustab l e foot th at protm des t hrough a w indow in t h e side o f the baiTe l. The foot is p l aced so as t o b e depressed b y the ai*matur e w h en t h e connectin g rod is fully l owered. R ai s ing the rod releases th e foot, all owing t h e pull rod to b e drive n upwai*d b y t h e force of th e comp r essio n sprin g. The top o f t he pull rod te1minates in a fixtur e w hi ch engages t h e actuatin g leve r on a Ini crosw i tch. As a r es ul t, the m icroswitc h r everses positio n accord in g t o w h eth er or n ot th e aim ature is at its bott o m liini t. Thi s Ini croswi t ch i s the rod D OWN switc h.
A push rod exten d s down th rou gh th e b lock into th e upp er po1iion of the baiTel. It i s aiTanged so as to engage t h e top surface of t he m agne t asse m bl y w hen the m agnet draw t u be is raised to its uppe r limit. The upp er en d o f the push rod i s fi tted w i th an adj ust m ent scr ew w hich en gages t h e actuato r of a seco nd Ini croswi t ch. Thu s, this Ini croswitc h r everses p ositi on accordin g to w h eth er th e m agnet i s at or be low i ts full u p p ositi on. This Inicroswitc h i s t h e m agnet UP swi tch.
A brac k et, fitted with an adjus tmen t scr ew, is m ount ed o n top of t h e m agnet draw tube. A third Inicroswi t ch is aiTan ged so th at its actuat in g leve r i s operated by th e adjus tment screw on the brack et. Th e swi t ch will th us reverse pos i tion accord ing t o w h eth er the magnet draw tube is at or ab ove i ts comp l etely inse1ied p ositi on. This Ini crosw i tch is the m agnet DOWN swi tch.
7 -28 P roprietary In formatio n Withh old F rom Pub lic D isclos ure Un der 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
The up/down r od contr ol signals, limit switch signals, Rod Position Indication (RP I) information, and magn et power are interconnected between the D AC and contr ol rod b y a cable assembl y. Th e rod drive mot or contr ol signals are conn ected to each translator via a second cable assembl y.
Rl>.CKDRIVE ---LI MIT SWITCH 1>.CTUl>.TOR
( CONTROL ROD DRIVE DOWN)
CONTROL ROD LI MIT SWITCH -DOWN. --~ __ CONTROL ROD ORNE DOWN LIMIT SWITCH
CONTROL ROD LI MIT DRIVE SWITCH. UP,---.._
CONTROL ROD DRIVE UP.. __ ____
PUSH ROD
PULL ROO------< oj
Mt>,GNET*-----1-Ut:!::::::~.---- Bl>.RREL ARlv~TURE------H, ~~J_=lrl
AI R DAMPENER--- '
~--- -CONN ECTING ROD
Figure 7 Standard Control Rod Drive and Limit Switches 7-29 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.3.2 Transient Rod The transient rod is pneumaticall y and electri call y driven. AC power is used to acti vate the mot or.
Limit switches are used to contr ol the AC power. The pneumati c electr omechani cal drive allows operati ons in two different modes :
- Stead y-state mode, air pressure holds the transient rod up against an anvil, allowing fine position control via the motor drive;
- Square wave or pulse mode, the anvil ma y be prep ositioned and appli cati on of air pressure permits ejecti on of a predetermined amount of the transient rod from the core.
F i gur e 7-15 is representative of the transient rod installed at AFRR I.
The pneumatic portion is a single acting pneumatic cylinder with the piston attached by a connecting r od t o the control r od. When the cylinder and transient rod are down, actuating the air s olen oid allows air to be applied to the cylinder. With air applied, as the cylinder is run off its bott om position with the mot or and associated gear box, the rod rises. The mot or drives a ball nut assembl y thr ough a worm gear. The balls engage in threads on the outside of the cylinder which can thus be raised or lowered to limit the upper position of travel of the transient rod. A potentiometer is gear driven b y the worm gear shaft to provide rod position indication. The direction of the motor is controlled b y the user via the cons ole rod contr ol panel UP and DOWN buttons. A Scram of the transient rod is accomplished by de-energizing the air solenoid valve which interrupts the air and relieves the pressure in the cylinder so that the rod will reinsert under gr a vi t y.
The motor dri ving the transient rod has two windings, one for up and on e for d own motion. When the rod is in steady-state (not moving), both motor windings are energized, holding the motor in a locked p osition. To move the rod, the motor windin g opp osite to the desired directi on of movement is de-energi zed.
The transient rod drive employs three limit switches. They are motor (cylinder) up, motor (cylinder) down and rod down. Refer to F i gur e 7-16 for a diagram of the transient rod limit switches. A bracket extends over the top of the cylinder. A switch on the bracket opens a contact in the up circuitr y when the shock absorber assembl y contacts it. The bracket itself is substantial enough to stall the motor should the switch contact fail to open.
For pulsed reactor op eration, the c ylinder is raised to the desired height to contr ol the overall travel and hence the reactivit y inserted for the pulse. With no air pressure applied, the rod stays at the bott om. If all ne cessar y conditions for pulsing are met, compressed air is admitted at the low er end of the cylinder to drive the piston upwards. The air being compressed above the piston is for ced out through vents at the upper end of the cylinder. At the end of its stroke, the piston strikes the anvil of the shock absorber. The piston is thus decelerated at a controlled rate at the end of its stroke. This action minimizes rod vibration after transit. The resulting reactivity insertion is dependent on the position of the cylinder prior to appl ying air.
7-30 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
VENT tfOl.fS ---- -..,./
PISTON
1~ 1----- WOR.
Vi
'.:t--1--+---- BALL IIIJT
PlSTON ROIJ'
===::::.:::::-_-. SUPPLY
1-DS:AIR SUPP\\.. E Y
SO..EJ\\100 VAL.VE _j
BOTTOM hlT ----'
- Figure 7 Transient Rod Drive
7-31 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
6,,
POTBiTIOf.lETER
- FOR AOOPOGITIOtC
- *,. -, ttO CAlCA
LOYeUMIT$ \\fTQ-I
.~ --- FOOTSMTCH
~!.-------""'"'"'""'
Figure 7 Transient Rod Drive Limit Switches
7-32 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.3.3 Manual and Automatic Mode The react or power regulating s ystem manages all contr ol rod movements taking into account the choice of operating mode and interlocks. The system has two control modes, manual and automati c. Both contr ol modes ma y b e used for reactor operati on fr om sour ce level to 100% power.
The reactor can be started up in manual mode or automaticall y at a constant reactor period. The contr ol rods are prevent ed fr om bein g withdrawn in automati c mode if the rea ct or p ower period is s hor t er t han +8 seconds. In manu al mod e, t he cont r ol r od dr i ves operate at the maximum speed as set by the potentiometer whereas in automatic mode, slower speeds may be initiated to create a slower rate of reactivit y chan ge.
7.3.3.1 Manual Mode Manual control of the reactor is performed by engaging both the magnet power and air for the transient rod and depressing the rod UP or DOWN buttons on the rod control panel for the transient, shim, safety, or regulating rods. These will move the corresponding drive motor in the up or down directi on. The l ogi c t o deter mine the safe move ment of a contr ol rod is perfor med with software and contains several conditionals to ultimately allow voltage application to the motor.
- 1) Cont r ol rod D O WN buttons are gi ven preced en ce over UP
- 2) An y number of DO WN buttons can be selected at once to initiate multiple rod insertions
- 3) UP buttons are onl y acti ve in Manual mode
- 4) O n l y o n e UP button can be pressed at a time
- 5) Drive moti on stops upon pressing multiple UP buttons
- 6) Banked movement is allowed when the rod select switch is activated in auto mode The M AGN ET and AIR butt ons on the top r ow is used to quickl y insert the as s oci at ed con t r ol r od by interrupting the current to the rod drive magnet or by removing the air to the transient rod. If the rod is above the down limit, the rod will fall back into the core b y gravit y when the button is pushed. The magnet is then automaticall y driven to the down limit, where it again contacts the armature on the connectin g r od. The operator can s cr a m all of the rods at an y time in eith er m od e of operati on by pressing the SCRAM button on the right side of the contr ol panel.
The middle row of buttons (UP) and the bottom row (DOWN) are used to position the contr ol rods.
Pressing one of the buttons causes the control rod to move in the indicated direction. A digital position indi cat or on the rod drive determines the position of each contr ol rod.
ROO CONTROL a'l TRANSENT SHM SAFETY AEO
OFF ((] RESET a IIMAGN1 8
MAONET POWER G G
[G] II DOWN II B B
Figure 7 Rod Con t rol P an el
7-33 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.3.3.2 Au t omat i c M od e The react or control s ystem, when placed in Aut omatic Mode, will automaticall y contr ol positions of the Shim, Safet y and Reg rods, dependin g on b ank selecti on, to maintain a specifi c p ower level based on the % Power reading fr om the NMP-1000, the reactor period from the NLW-1000 and the demand p ower level. The demand p ower level is taken from the setting of the p ower deman d set on the Left Side Status display and indicated at top left of the Right Side graphi cs display.
In Aut omati c M ode, the computer contr ols the rods based on the bank selection accordin g t o a P ID algorithm t o dri ve the rods either up or d own based on a comparison of the react or power with the demand p ower and react or period. Th e computer contr olled rods have a ran ge of 1% t o 99% of rod travel (i.e., Automatic Mode will not allow the rods to be withdrawn past 990 units, or inserted below 10 units). A trip fr om the NMP-1000 or a communication error will result in rod control reverting back t o Manual Mode. Aut omati c Mode must be re-enabled on ce conditi on(s) clear.
In aut omati c m ode, t he fol l owing rod combinations can be selected for banked rod movement :
Regulating Rod Onl y Shim and Regulating Rod Shim, Safet y, and Regul ating Rod When utilizing the automati c mode, the reactor power is compared against the power demand setting to obtain an err or number. When the power demand has more than 2% deviati on fr om the measurement from the NMP-1000, the rods (as selected by the combinations listed above) are moved into or out of the core. Rods are contr olled with variable speed to allow for minor cor r e ct i ons i n r eact or power wi t h s mal l devi at i on and maj or cor r e ct i ons i n r eact or power f or l ar ge deviati ons. Variable speed also enables the algorithm t o a chie ve the desired power with mini mum overshoot or undershoot. The r od speed may never exceed hardwired limit of 30 inches/minute.
The N LW-1000s period signal is provided and will inhibit rod withdrawal if the reactor period exceeds +8 seconds.
Operating in Square Wave mode must be done with the reactor in steady-state mode. With the power less than 1000 W (as determined b y the NLW-1000) and the transient rod air suppl y turned off, the Square Wave mode switch can be depressed. This will change the cons ole from steady-state to Square Wave mod e. Upon pressing the F IR E button, the react or power will increase to the demand p ower level. Up on achievin g the desired power level, the console will switch t o Aut o mati c Mode to maintain the react or at this constant power level. If the desired power level is not reached within 30 seconds, the s ystem will switch to Manual Mode and display a message to the operator on the Annunciat or Pane.
7.3.4 Rod Withdrawal Interlocks Rod Withdrawal Interlocks prevent the movement of the control rods from their inserted core position in the upward direction under the following conditions :
- Scrams not reset
- Low count rate on the N MP-1000
- NMP-1000 exhibiting a High-V olta ge Low conditi on
- N LW-1000 React or period shorter than +3 second s
7-34 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
- More than one UP switch depressed at the same time on the rod control panel
- Mode switch in AUTOM AT IC position
- The 1-k W interlock t o prevent pulsing when wide range log power is above 1 kW
- Interlock to prevent the shim, safety and regulating rods from being withdrawn in pulse m ode
- Interlock to prevent the application of air to the transient rod drive mechanism in the stead y-state mode unless the drive cylinder is fully inserted
- Interlock to ensure that only one control rod can be manually withdrawn at a time in the square wave mode, excludin g the transient rod
- Deminerali zer Inlet Temp above 60°C
- P ool Le vel bel ow 1 There are no interlocks that prevent downward motion of the contr ol rods.
7.3.5 F acility Interlock S ystem (FIS)
The Facilit y Interlock S ys t e m ( F IS ) is designed to eliminate the possibility of accidental radiation exposure of personnel working in the exposure rooms or the preparation area and to prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud. These interlocks prevent rotati on (i.e., opening or closin g) of the react or tank shield doors and the operation and movement of the reactor core between different regions unless specific operatin g conditi ons are satisfied.
The FIS is designed such that if any of the relays fail, they will default to the more conservative setting of an open cir cuit and thereby prevent facili t y operation.
The F IS is designed to prevent inadvertent operation of the facilit y when a set of conditions have not been met. All of the interlocks are binar y (on/off, open/closed, etc) and must be met prior to oper at i on. The FIS consists of a central cabinet and various peripherals such as motor control centers (MCC), horns, limit switches, etc. The FIS central cabinet houses the relay logic that contr ols the F IS. The F IS using limit switches and pushbuttons enfor ces a straightforward logic table to perform its function. The FIS interfaces to the console and DAC via relays to electricall y isolate the various s ystems.
The F IS interfaces to the console Magnet Power key switch to enfor ce its logic and t o also sound a horn in the necessar y exposure room(s) for 30 seconds when the react or is about to start oper at i on. S i n ce some biol ogi cal experi ments are noise sensitive it is possible to bypass the horn.
The horn bypass for each exp osure room consists of two switches wired in parallel located inside the exposure room. Onl y after t w o oper at or s have verified that the room is empt y ma y the horns be b ypassed.
Refer to F i gur e 7-18 for a block diagram of the F IS.
7-35 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 Facility Interlock S ystem Block Diagram
Certain facilit y interl ock permits must be satisfied before the s cr am loop can be completed and the standard control rod magnet power circuits and the transient control rod air circuits can be energi zed. The foll owing must be true:
- 1. The Ke y Swit ch must be in the ON position.
AND
- 2. All emergency stop cir cuits in the exposure rooms and control s ystem cons ole must be energi zed.
AND on e of t h e f ol l owi n g:
3a. The tank lead shield doors must be full y cl osed, AND the plug door for the exposure room against which the react or is to be operated must be cl osed, AND the react or must be in the corresponding regi on.
OR 3b. The tank lead shield doors must be fully opened, AND both plug doors for the exposure rooms must be closed.
Once these permits have been satisfied, the input to the s cr am loop can be satisfied and the contr ol rod magnet and air cir cuits can be energi zed using the procedure detailed below.
- 1) Momentarily turn the cons ole key switch to RESET. Release the key. The horn sounds for 30 seconds and creates an audible alarm. At the end of the 30 second startup delay, the input to the scram loop is complet e.
7-36 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
NOTE: The Time Dela y light on the Mode Contr ol Panel will extinguish after the 30 second startup delay. The React or Power indi cator on the Mode Control panel will be illuminated when the reactor permissive has been satisfied and magnet power can be applied.
- 2) After another RESET from the console ke y switch, power is now supplied to the magnet and transient rod air circuit, assuming all other s cr am loop inputs were also satisfied.
7.3.6 Technical Specifications for Reactor C ontrol System 3.2.1.a. The react or shall not be operated unless the measuring chann els listed in Table 1 are operable for the specifi c mode of operation.
3.2.1.b. The react or shall not be operated unless the four control rod drives are operable ex cept :
- a. the react or ma y be operated at a power level no greater than 250kw with no more than one contr ol rod drive inoperable with the associat ed contr ol rod drive full y inserted.
3.2.1.c. The time fr om scram initiation to the full insertion of any contr ol rod from a full up position shall be less than 1 second.
Table 1. Minimum Measuring Channels
Effective Mode Measuring Channel Steady State Pulse
Fuel Temperature Safet y Channel 2 2
Lin ear Power Channel 1 0
Log P ower Channel 1 0
Hi gh-Flux Safet y Ch annel 2 1
(1) An y Lin ear P ower, Log P ower, High-Flux Safet y or Fuel Temperature Safet y Ch annels ma y be in operable while the reactor is operating for the purpose of perfor ming a channel check, test, or calibration.
(2) If an y required measuring ch annel becomes inopera ble while the reactor is operating for reasons other than that identified in the previous f o ot n ot e ( 1 ) ab ove, the channel shall be restored to operati on within five minutes or the react or shall be immediatel y shutdown.
7.3.7 Technical Specifications for F acility Interlock S ystem Facilit y interlocks shall be provided so that :
3.2.3.a. The react or cannot be operated unless the lead shield doors within the react or pool are either full y op ened or full y cl osed ;
7-37 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
3.2.3.b. The react or cannot be operated unless the exposure room plug door adjacent to the react or core position is full y cl osed and the lead shield doors are full y cl osed; or if the lead shield doors are full y opened, both exposure rooms plug doors must be full y cl osed; and 3.2.3.c. The lead shield doors cannot be opened t o allow movement into the exposure room pr ojecti on unless a warning horn has sounded in that exposure room, or unless two licensed react or oper ators have visuall y inspected the room t o ensure that no personnel remain in the room prior to securing the plug door.
7.3.8 Technical Specifications f or Con t r ol Rod I n t erl oc ks The react or shall not be operated unless the safet y s ystems described in Tables 2 and 3 are operable for the specifi c mode of operation.
Table 3. Minimum React or Safet y S ystem Interl ocks
Effective Mode Action Prevented Steady State Pulse
Pulse in itiation at power levels gr eater than 1 kW X
Withdrawal of any control rod except transient X
Any rod withdrawal with count rate below 0.5 cps as measur ed by th e oper ational chann el X X
Si m ult an eous man ua l wi th dr a wa l of t wo stan dard r ods X
Any rod withdrawal if high voltage is lost to the operational channel X X Withdrawal of any control rod if reactor period is less th an 3 secon ds X Application of air if the transient rod drive is not fully down. This interlock is not required in square wave X m ode.
- React or safet y s ystem interlocks shall be tested dail y whenever operati ons invol ving these functi ons are planned
7-38 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.4 REACTOR P ROTECTION SY STEM In the event of a monit ored parameter exceeding a specified li mit or upon operat or interventi on, the React or Protecti on S yste m (RPS) will p l ace and maintain the reactor in a safe, subcritical, shutdown. This prevents the operation of the facility where risks such as fuel damage, release of radioa cti ve materials, or overexposure of personnel to radiation could occur. Parameters monit ored for this purpose include neutron flux, fuel temperat ure, coolant level, area radiation, and the release of radioactive materials. The accident analyses of Chapter 13 of the SAR discuss postulated accident scenarios and demonstrate that in the event of a complete failure of the reactor safet y s ystem coincident with the most adverse accident r esults in negligible radiological c onsequen ces.
Given this conclusion, it is not necessar y for the Reactor Protection System to be separate and independent of the React or Control S ystem. Redun dancy exists for the most imp ortant parameters measured in the facilit y including fuel temperature, neutron flux monit oring, and radiation levels.
The reactor protection s ystem evaluates the signal from the reactor instrumentation s ystem and ma y take protective action if the parameter is outside acceptable range. The RPS is primarily housed in the Data Acquisition Cabinet (DAC), although some components (such as a manual scram switch) are located in the cont r ol console. The comp onents which make up the RPS include the NMP-1000, PA-1000 (adjacent t o the DAC), NLW-1000, NP-1000, NPP-1000, and the NFT-1000. These units all evaluate their respecti ve analog signal and ma y scram the react or. There is no communi cati on between units and the scram fun cti onalit y of one does not depend on an y of the others. Additionall y, the units split the analog signal and provide it to analog bargraphs visible to the operator as well as a digital conversion for transmission to the main operator control screen and data archi vin g. The transmission of d ata fr om t he units to the cons ole is via air gapped Ethernet communi cati on. The anal og s cr a m function of the units does not depend on the digital conversion cap abilit y. The neutr on flux range of each instrument is shown in F i gur e 7-4. The f u el temp erature measurement is measured in the range of 0 to 1000°C. The period measurement covers the range of available periods possible.
There is no voting among the channels in order to determine if there should be a s cr am of the s ystem. An y single parameter that is outside of the nor mal operating range will cause a s cr a m.
When a scram is initiated, magn et power is removed (and transient rod air pressure removed) and the cont r ol rods fall into the core under the force of gravity. The shim, safety, regulating, and transient rod drive motors all drive to the bottom limit switch after a scram.
7.4.1 Design Criteria As with the design of the rest of the facility, there are no single failur es of an y subs ystem of the RPS which would prevent the greater system from functioning as expected. Each individual component will cause a scram regardless of the status of any other module. Fail-safe design is ach i e v ed t h r ou gh al l owi n g an y on e s ys t e m t o initiate protective action. There is no voting or other logi c whereb y communi cati on between channels is required.
Standard criteria for the design of nuclear facilities is the application of redundancy and diversit y.
This practice is achieved in the RPS by having multiple instruments measuring parameters throughout the operating range of the facilit y. Multiple measurements of the power level and the fuel temperature are made by independent channels. There is no possibility of systematic nonrandom concurrent failures of elements in the design due to the independence between the channels, various locati ons of detect ors around the core, and fail-safe design.
7-39 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.4.2 Design Basis Before the fu el temp erature safet y li mit is exceed ed, the fuel temperature and power level scr a ms provide prote cti on t o ensure that the react or can be shutdown. While the fu el temp erature limit can never be exceeded, other facilit y p arameters such as power level and period are dependent on the operatin g mode of the rea ct or. These modes can be classified as stead y-state and pulse modes. The power level can vary from shutdown through 1.1 MW in steady-state mode and up to several thousand MW in pulse mode. The power level measurement is performed b y at least two channels at all steady-state powers. In pulse mode, the reactor power is measured by the NPP-1000 and supplemented by the fuel temperature measurement. Local indication of the power level is available on the instrument fa ce as well as at the control console on anal og b argraphs and the main operator display screens. Following shutdown, the power is exponentially decaying and approaches shutdown levels. During a postulated accident, the reactor power should never exceed the maximum pulse power and remains within the measurement capacit y of the s ys te m.
In stead y-state mode, the period can var y between - 30 seconds and +3 seconds and is measured b y the NLW-1000. There are no period limitations in pulse mode. The measured reactor period is displayed on the face of the channel itself as well on the operat or cons ole via anal og bargraphs and the main operator display screen. Following shutdown, the reactor period initially goes to -30 seconds and slowl y returns to infinity with time.
Additionall y, regardless of the operating mode, the fuel temperature shall never exceed 600°.
This fuel temperature is measured by three thermocouples in the reactor and three independent processing units of the NFT-1000. These channels have l ocal indication as well as on the operat or cons ole with the anal og bargraphs and operat or display. Foll owing shutdown, the fuel temperature will return to equilibrium with the bulk coolant. The rate of temperature decrease is dependent on the differential between the fuel and coolant temperatures. During a postulated accident the fuel temperature should never ex ceed the limitati ons of the NFT-1000.
To prevent incorrect measurement of the neutron flux (and by extension the reactor power), the react or will t r i p on a hi gh vol t a ge l os s of t he s afet y channel. The detector high voltage is t ypi cal l y in the 750 Vdc r an ge and is maintained at the appropriate value provided the reactor s ystem is powered on. In normal operations, high voltage is applied to the detectors regardless of facilit y status. During a postulated accident, there are no scenarios where the high voltage applied to neutron flux detectors would be changed. The high voltage value is displayed on the local instrument, but a low-HV trip is displayed on both the local instrument and at the control cons ole.
Suffi cient pool water level ensures cooling capacity and radiation protection at the pool top. The Technical Specifications require that it should be no less than 14 feet from the top of the core, however, when the pool is completely full, the value is approximatel y 16 feet. The measurement is performed b y a float in the reactor pool. Actuation of the pool float switch is visible fr om the control room or through visual inspection. The coolant level is maintained regardless of the operating state of the reactor. During a postulated accident, the coolant level should remain constant. Additional coolant water is available within the facility to provide replacement for any decrease in normal operatin g levels.
7-40 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.4.3 Subsystem Description Th e Rea ct or P r ot e ct i on S ys t e m ( RP S ) p r ovi d es mes s ages to the Status display in the for m of s cr a m messages, Annunciators/alarms and interlocks. Alarm messages are logged in the Annunciator Pane of the Ri ght Side Graphics display.
The primar y function of the RPS is to s cr am the react or b y causin g the contr ol rods to insert into the core in response to certain abn ormal react or op erating conditions. The RPS initiates a react or s cr am in response to a trip being generated b y on e of the sensors in the s cr am loop, a manual s cr a m signal from the reactor operator or an external s cr am signal from other sensors connected to the scram l oop b y interrupting the current to the electromagnets that link the contr ol rods to the control rod drives and b y removin g the air from the transient rod air solenoid val ve. After a dela y of ab ou t 25 msec (for the magnetic field to deca y), the magnets release the control rods, which fall into the core by gravit y, taking no more than one second to fully insert. All s cr am conditions are automati call y indi cated on the cons ole displays. The manual s cr a m ma y be used for a normal fast shutdown of the react or. The react or can also be s cr am med b y turnin g the magnet pow er key swit ch to the OFF or RESET positions.
The RPS is automatic and completely independent of other systems, including the power regulating s ystem. The s cr am circuits and comp onents are completel y hardwired and do not in an y way depend on the CSC computers or an y s oftw are to perform a s cr a m. Furthermore, the R ea ct or I&C S ystem and RPS are design ed such that there are no means available t o the r ea ct or oper at or to bypass the trips so that the reactor can be operated at conditions that are beyond the limits defined by the trip set points.
The RPS has no known susceptibilit y to common cause failures other than as a possible result of some undefined internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceedin g the design basis, et c. ). As previousl y noted, the independence (of the safety channels),
and diversit y designed int o the RPS provides a large measure of protecti on a gai ns t com m on caus e failures. However; it is important to note that even should they occur, common cause failures cannot prevent the s ystem from performing its primar y safet y function (i.e., shutting down the react or) be cause the s yste m is designed t o be fail -s afe. A l oss of power or multiple cir cuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets that connect the control rods and control rod drives, causing the control rods to dr op into the core.
The limited actions performed b y the RPS are entirel y adequate to ensure that the react or remains safe under all off-nor mal and accident conditions. Once initiated, the actions initiated by the RPS cannot be impaired or prevented by manual intervention, and no manual actions are necessar y within a short time to supplement the RPS actions. Also, the actions initiated by the RPS are not self-resetting. The reactor operat or must clear all scr a ms before react or operati on can be resumed.
7-41 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.4.3.1 Scram Loop Circuit The scram logi c cir cuitr y invol ves a set of open -on-failure (fail-safe) logi c rela y swit ches in series.
An y s cram signal or component failure results in a loss of magnet power and loss of air to the transient rod cylinder. F i gur e 7-19 details the s cr am loop.
I.,~,
- I
. r" I,--
' *) ~
'T (1*) [,~~.r ~.. ( * ) l
/~~----°'~......,
.....l/111 =
~-~...
o-~ n'*:* - i I~-,-
,........ 1'r-
Figure 7 Scram Circuit Diagram
The s cr a m l oop is powered b y a +24 V dc power suppl y whi ch supplies current to the magnets. In the event of a fault, a number of contacts all have the capability to interrupt this current. The following contacts are part of the s cr am l oop :
Manual Scram External 1 (Not Used)
Key Swit ch External 2 (Not Used)
NP, HV and %P WR External 3 (Not Used)
NPP, NVT, HV and %PWR S oft w ar e CCS WD T AC P ower Los s UIT WDT React or Permissive Relay Low P ool Le vel LATCH NFT1 Hi T1 Key Reset NFT2 Hi T3 Safet y Magnet Switch NFT3 Hi T5 Shim Magnet Switch Reg Magnet Switch
In the event of that an unsafe or abnor mal condition occurs, the reactor operator has two scram op t i on s fr om t h e con t r ol con s ol e : the manual s cram push button and the ma gn et p ower k e y s wit ch s cr am.
7-42 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Manual Scram is a push button labeled SCRAM on the rod control panel. Pushing this button will interrupt current in both the positive and negative legs of the s cr a m loop along with the transient rod air pressure. This is a moment ar y switch.
The Magnet P ower Ke y Switch has three positions: OFF, ON, and RESET. It must be in the ON position to complete the loop and supply current to the magnets. RESET is a momentar y contact.
It generates a digital input to the software that is onl y present as long as it is activated b y the operat or and is used for resetting the loop via the KEY RESET rela y. When the react or is operating, moving the console key to the off or reset position will cause a scram.
It is important to note that when the key switch is in the OFF position the scram loop is mechani call y br oken and that this is not controlled via software.
Power level scrams ensures the reactor will be shutdown prior to the fu el temperature safet y li mit being exceeded. In the steady-state mode, the two channels that perform the high p ower s cr a ms are the NP-1000 and NPP-1000. In pulse mode, only the NPP perfor ms a high-p ower scram, and the NP scram contacts are temp oraril y b yp assed.
The neutron flux detectors rely on a high voltage differential to perform their measurement function. If the high voltage drops significantl y, their ability to detect neutrons is inhibited and will result in an underestimation of the neutron flux within the core. Therefore, a loss of high vol t a ge t o an y of the detect ors for high flux safet y chann els will cause a reactor scram.
NP-1000 (with Pulse Bypass switch) monit ors percent reactor power and HV goin g to the detect or.
The NP has to indicate a fault (either sees Trip 1 at 110% reactor power or NP HV Low) before the react or is scrammed. Note: This contact is bypassed during pulsing react or operati on.
NPP-1000 monit ors percent react or power, HV goi ng to the detect or and high neutron flux (NVT).
The NPP-1000 has to indicate a fault (either s ees Trip 1 at 110% react or power, NPP HV Low or NVT high) before the react or is scrammed.
The CCS and UIT watchdog timers monitor the Linux and Windows computers. If either of the computers fails to send a signal to their WDT at least once approximatel y ever y 7 seconds, the respective WDT will time out and a s cr a m occurs. Communication between the system comp onents is necessar y for the transmission of informati on to the op erator. In the event of a loss of communication, a watchdog timer will initiate a scram.
Low P ool Le vel is set when the pool level float switch indicates that the pool level has fallen 6 inches below nor mal. The reactor pool water ensures adequate radiation shielding to the reactor bay as well as cooling cap acit y t o the react or.
NF T1 monitors the temperature for Temp 1 of the instrumented fuel element. The NFT has to indicate a fault (Temp erature 1 is above the Hi gh Trip 1, 600°C) before the react or is scrammed.
This is labelled on WARN INGS Pane as NFT1 Hi T1 and on the SCRAMS Pane as NFT Hi T e m p S C R AM.
NF T2 monitors the temperature for Temp 2 of the instrumented fuel element. The NFT has to indicate a fault (Temp erature 2 is above the Hi gh Trip 3, 600°C) before the react or is scrammed.
This is labelled on WARN INGS Pane as NFT2 Hi T3 and on the SCRAMS Pane as NFT Hi T e m p S C R AM.
7-43 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
NF T3 monitors the temperature for Temp 3 of the instrumented fuel element. The NFT has to indicate a fault (Temp erature 3 is above the Hi gh Trip 5, 600°C) before the react or is scrammed.
This is labelled on WARN INGS Pane as NFT3 Hi T5 and on the SCRAMS Pane as NFT Hi T e m p S C R AM.
The fuel temp erature scram ensures the react or can be shutdown prior to the fuel temperature safet y limit being exceeded. In both the stead y-state and pulse modes, at least two fuel temperature channels must be operable. The NFT -1000 instrument provides independent channels for each of three thermocouple inputs. Each channel has separate contacts in the scram l oop.
EX TERNAL 1 is an external s cr am l oop input for future use. This input is jumper ed.
EX TERNAL 2 is an external s cr am l oop input for future use. This input is jumper ed.
EX TERNAL 3 is an external s cr am l oop input for future use. This input is jumper ed.
Software is an input that causes a s cr am when commanded to do so b y the CCS computer. It deactivates when communi cation with the hub is lost. Note that this is a redundant feature. When the hub loses communication with the computer, it will put all relays in a failsafe state, thus scramming the reactor. It also deactivates when the magnet power key switch is turned to the RESET position, thus scramming the reactor.
Scram occurs when the scram timer on the L e ft Side Status display has expired.
Two types of timed scrams are available to the safet y s ystem and work within the scram logic.
These are used for experi ments whi ch need a pred etermined exp osure time and t o ensure a pulse does not create ex cessive energ y within the fuel.
The steady-state timer causes a reactor scram after a predetermined elapsed time. This value is entered on the control cons ole during stead y-state power operations. During a run, the timer ma y be started and stopped b y the operat or.
The pulse timer causes a reactor scram when in pulse mode. The timer may be set for a duration shorter than 15 seconds. However, the console will automaticall y initiate a scram timeout after 15 seconds.
AC P ower Los s is a s cr am that occurs when AC input power to the UPS has been lost and the UPS batter y i s s uppl yi n g p ower t o t he r ea ct or cont r ol s ys t em. In the course of n ormal operati ons, a UP S u ni t pr ovi d es p ow er t o t h e con s ol e while the UPS is supplied b y building AC power. A loss of supply to the UPS will initiate a scram, however the cons ole remains on. The UP S wi ll pr ovi d e approximatel y 15 minutes of runtime. The UPS is not a safet y -related item, since upon the complete l os s of all pow er, the r eactor w ould automati call y scram and enter and remain in a safe shutdown condi t i on. The UPS enables monitoring of reactor conditions and allows a graceful shutdown of the console computers.
Reactor P ermissive Relay is an input from the F IS. If n o emer gen cy stops are acti ve and all the facilit y interlocks are satisfied after for a 30 -second count down (TIM E DELAY), the Reactor Permissive is satisfied.
To ensure personnel safet y in the event of an administrative oversight, emergency stops are provided in each of the exposure rooms. Additionally, an emergency stop switch exists on the cons ole for the operator to stop door motion and core motion. An y of these switches will initiate an immediate rea ct or scra m and gi ve indi cati on t o the operat or on the cons ole. Once the e mer gen c y
7-44 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
stop has been acti vated, it must be cl eared b y turnin g the ke y switch t o reset. If the e mergen c y stop was initiated from one of the exposure rooms, the local switch must also be reset. The buttons ar e push-to-acti vate and must be manuall y pulled out t o permit operati on. Once the reset is activated, the horns in the exposure rooms will on ce a gai n act ivate with the associated time dela y. This reset is required to initiate magnet pow er.
Lead shield doors are provided to reduce exposure from the core in undesired portions of the facilit y based on the current core location. Power for door rotation is transmitted through a set of reduction gears. Each shield door is connected to a reduction gear mounted on the side of the carriage track b y a vertical shaft extending from the top of each door. Full travel path takes approxi matel y three minutes (from full shut to full open). Once in a full y open ed or closed p osition, limit switches are used to indicate status. These are locat ed on top of the reduction gears and are part of the F acility Interlock System. The lead shield doors must be fully opened before the core can be relocated. If the reactor tank shield doors are in any position other than fully open or full y closed, a reactor scram will be initiated.
The LATCH contact is designed to per manentl y d e-ener gi ze the l oop aft er a s cr am has occurred.
The loop will stay de -ener gized until the operator places the Magnet Power Key Switch to the Reset position. Table 7-7 below lists the specific channels that perform automatic protective act i on s.
Table 7 Specific Channels P erforming Safety F unctions
Effective Mode Channel Maximum Set P oint Steady State Pulse
NFT-1000 (1 & 2) 600°C 2 2
NP - 1000, NPP -1000 1.1 MW 2 0
Cons ole Scr a m Butt on Closure Switch 1 1
NP - 1000, NPP -1000 20% HV Loss 2 1
Cons ole Softwar e 15 seconds 0 1 Exposure Room Switches (1 in each exposure Closure Switch 3 3 room, 1 on console)
Float Switch 14 feet from the top of the cor e 1 1
Cons ole Wat chd ogs On digital console 1 1
7-45 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.4.4 Reactor F uel Temperature Scram Setpoint Determination The following uncertaint y and safet y system setpoint calculation for fuel temperature has been perfor med accordin g to the general guidan ce and method ol og y pr ovided in NRC Reg Guide 1.105.
The important parameter for a TRIGA react or is the fuel element temperature. This parameter is well suited as a single specifi cati on be cause it can be measured via the instrumented fu el ele ment.
A loss in the integrit y of the fuel ele ment cladding could arise from a buildup of ex cessive pressure between the fuel-moderator and cladding if the fuel temperature exceeds the safet y limit. The pressure is caused b y the presence of air, fission product gases, and h ydr ogen fr om the dissociation of the h ydr ogen and zir coniu m in the fuel-moderat or. The magnitude of this pressure is determined b y the fuel-moderat or temperature and the ratio of h ydr ogen t o zirconiu m in the all o y. The safet y limit for the TRIGA fuel is based on data which indicates that the stress in the cladding will remain below the ultimate stress, provided that the temp erature of the fuel does not exceed 1,000°C and the fuel cladding is water cooled.
To prevent ex ceedin g the 1,000°C safet y limit, the both the limiting safet y s ystem setting ( LSSS) and limiting condition for operation ( LCO) for the fuel temperature is 600°C as measured b y th e IF Es located in the B and C r i ngs.
Instrumented fuel elements utilize K -t ype ther mocouples connected to an NFT-1000 pr ocessing unit. The uncertainty associated with a standard K-type thermocouple is +/-2.2°C or +/-0.75%
whichever is greater. Therefore, at 600°C the uncertaint y would be +/-4.5°C. The NFT-1000 processing unit has an uncertainty of +/-1% of full scale (1000°C ), or +/-10°C. The total channel uncertaint y would then be +/-11°C. Therefore, a 2 uncertaint y would be +/-22°C. Th e act u al safet y s ystem setpoint for fuel temperature shall be no more than 578°C.
K-T ype Thermocouple uncertaint y:
600 x 0.75% = +/-4.5
NFT-1000 Module uncertaint y:
1000 x 1% = +/-10
Total Channel uncertaint y:
= (4.5)2 + (10)2= +/-11
2= +/-22
7-46 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.4.5 Technical Specifications for Reactor Safety System 2.1 The maxi mu m temp erature in a TRIG A fuel element shall not exceed 1,000°C under any mode of operati on.
2.2 The limiting safety s ystem setting shall be equal to or less than 600°C, as measured in the instrumented fuel elements. There shall be two fuel temperature safet y chann els. One channel shall utilize an instrumented fuel element in the B ring, and the second channel shall utilize an instrumented fuel element in the C ring.
3.2.2 The react or shall not be operated unless the safet y systems described in Tables 2 and 3 are operable for the specifi c mode of operati on.
Table 2. Minimum React or Safet y S ystem S crams
Effective Mode Channel M axi mum Set Point Steady State Pulse
Fuel Temperature 600°C 2 2
Per cen t Power, High Flux 1. 1 MW 2 0
Con sole Man ual Scr am But t on Closure switch 1 1 High Voltage Loss to Safet y 20% Loss 2 1 Channel
Pulse Time 15 seconds 0 1
Emergency Stop (1 in each exposure room, Closure switch 3 3 1 on con sol e)
Pool Water Level 14 feet fr om th e top of th e cor e 1 1
Watchdog (UIT to CCS) On di gi ta l con sol e 1 1
7-47 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.5 ENGINEERED SAF ETY F EATURES ACTUATION SYSTEMS There are no engineered safet y feature actuati on s ystems.
7-48 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390
7.6 CONTROL CONSOLE AND DISPLAY INSTRUMENTS The Control Syste m Consol e (CSC), wh ere the operat or conducts all licensed r eacto r operations,
consists of two phys ica ll y di stin ct sectio n s: the reactor instrumentation and control console and the auxiliary console.
The CSC contains the co mputers (UIT and CCS), m onitors, contrnl panels, m odulariz ed drawers,
indicat or s, meters and recorders to present the data to the operator in m eaning ful engineering unit s.
The CSC operator interfac e provides the ne cessaiy controls and interfaces for the operator to safely staitup, manipul ate reactor paramet ers, m onitor the variou s op eratin g parameter s in its vai*ious m odes of operation, and safel y shutdow n the r eactor. See Figure 7-20 for a block diagram of the console.
Figure 7-20 - Control System Console (CSC) Block Diagram
7.6.1 Design Criteria Outside of the common power source for the console, there ar e n o s ingle failures in the design of the reactor instrument ation and control syste m. Loss of an y one screen or component on the control console does n ot prop agate toward inhibitin g the protective functi on of the RP S. Additionally, the control consol e is designed to fail-safe, therefore any failure w ill result in the reactor entering a safe shutd own. There are no protective functio ns as required by the minimum r eactor safety syste m scram s that also rely on the operati o n of the contrnl con sole. The watc hd og timer ensure s the
7-49 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390
informati on presented to t h e opera tor is current and active. In the eve nt of a watchdo g fai lure or an y other malfunction of the control console, t he op eratio n of the indi vidual r eacto r monitorin g m odule s is not affected.
Redundan cy and diversity ar e achi eved in the control console by havin g a diverse set of impor tant parameter indi catio ns on the console itself. The se include analog bargraphs, chaii recorders, and the digital scree n. Sh ould any param eter ' s trnstwo1ihiness b e called int o question, it m ay be validat ed b y crosschecking the di sp lays.
7.6.2 Design Basis The control console collects the data communicated by fac ility sensor s and presents that data to the ope rator. These pai*ameters ran ge from start up through pulse ran ge. Additiona ll y, the control console aids the operator in test ing t h e fun ctionality o f the syste m and p erfonnin g staiiup testing.
The star tup test m ode allows t he op erator to cycle through the required che cks pri or to operation.
An admini stra tive m ode all ows appro ve d facility personnel to perfo1m mor e advanced test ing of the syste m.
7.6.3 Control System Console The Control Syste m Console is compo sed of the following m ajo r components: The Conso le Comput er Sys te m (CCS), the Use r Interfac e Terminal (UIT), the UPS, t he Rod Control Panel,
the Re acto r Mode Control Panel the Bai* *a hand Recorder P an el and the com onent drawers.
Figure 7 Control System Console (CSC) AC Power Distribution
7.6.3.1 AC Power Distribution AC power is supplie d to the console and lands on T B 1 o n the te1minal block panel A 7. From t here,
AC power is fanned out to the UPS and o ne rackmount power strip. F our m or e identical rackmount power strip s plug into the UP S. Every strip has 8 outlet s and features a 15A re settable circuit
7-50 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
breaker. Power can b e turned on and off with a ligh ted switch on the console. All console drawers and devices that require uninterruptable AC input power are plugged into one of the four power strips connected to the UP S. Non-essential equipment such as the printer and reactivit y computer are plugged into the power strip not connected to the UPS. The UPS also supplies AC power to t h e D AC. F i gur e 7 -21 shows the power distribution for the consol e.
The AC power distribution for the CSC is shown in F i gur e 7 -21 ab ove. AC power is supplied via a UPS unit that has been selected to provide approxi matel y 15 minutes of runtime. Since the react or safet y s yste ms are designed to fail to a safe condition, the UPS is not required for the perfor man ce of an y safet y function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power. When power is lost to the UPS an AC Power Loss scram is generated.
7.6.3.2 Uninterruptable P ower Supply (UP S)
The UPS assembl y consists of a UPS with batteries and a digital interface. It is designed to power the entire console, including the instrumentation, computers and displays, for at a minimum of 15 minutes. The input to the UPS is 120V AC n ominal and is intended to be connected t o a 20 A cir cuit.
The UPS is not required for the perfor mance of any safet y functi on, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power.
The UPS is equipped with a relay I/O smart card that allows the UPS to be controlled remotel y from the console. For this purpose, the instrument power switch on the Reactor Mode Control panel is wired up to the UPS. When the switch is pressed, it sends a signal to the UPS to either turn power on or off. The si gnal has to be present for a minimu m of 1 second before it is recogni zed as a valid input by the UPS. Therefore, a slight delay will occur between the operat or pushing the switch and the UPS turning on or off.
Upon loss of AC input power, the UPS will emit four beeps ever y 30 seconds. When 2 minutes of run time remain, the UPS emits continuous beeping.
7.6.3.3 P ower Supply Drawer Supplies Vdc power for the components located in the Control S ystem Cons ole.
- PS1 +5 Vdc Power Supply provides power the secondary side of the digital isolator modules on the digital input drawer.
- PS2 +24 Vdc Utility P ower Supply is a 50W power supply that is used to power digital switch contacts in the contr ol console. Input to output isolation is 3,000V.
- PS3 +12 Vdc P ower Supply pr ovi des power to all the lights on the React or M od e Con t r ol Panel.
7.6.3.4 Digital Inputs Drawer The purpose of the digital input drawer is to isolate all digital inputs from the comput er. The digital input drawer houses two identical printed cir cuit board assemblies populated with digital isolators.
There are 24 isolators per board, for a total of 48 digital inputs. Ever y is olator accepts a 2.5 to 28Vdc input signal to activate on the primar y side. When active, a red LED is lit. The inputs are referenced to the 24V digital power suppl y (PS2) on the power suppl y drawer. The secondar y side is powered by 5V (PS1). The outputs of the digital isolators generate inputs to the digital input board that are part of the printed cir cuit board. Th e signals are passed from the isolator boards to
7-51 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
the digital input board via D IN rail mounted terminal boards that accommodate the required conne ct or confi gur ati on.
7.6.3.5 Utility Drawer The Console Utility drawer contains the CCS and UIT watchdog timers, the I/O module and the digital output module. PS1 (50W) generates +24V dc utility power for the I/O module and the watchd og ti mers. The I/O module supplies power and communi cati ons to the digital output modul e and the digital input module on the digital input drawer. The I/O module communicates with the CCS computer via the Ethernet hub mounted inside the cons ole.
The digital output module provides 16 plug-in solid-state relays for DC loads. The rela ys were chosen to switch 5-60Vdc. The relays are controlled by the CCS computer. When the computer acti vates a rela y, a corresponding green LED will be lit on the board. In the consol e, the rela ys are mainl y used to activate the lights in the reactor mode control switches.
The watchdog timers that monitor the UIT and CCS computers and are hardwired into the scram loop. The software must periodicall y send a keep-alive signal to the watchdog timers to prevent them from alarming and thus scramming the reactor. The time delay before an alarm occurs is adjustable between 5 and 15 seconds and is normall y set at 15 seconds. When the watchdog timers lose power, their outputs will default to a failsafe condition, which will also scram the reactor.
7.6.3.6 Rod Con t r ol P an el The Rod Contr ol Panel is locat ed beneath the Ri gh t Side Graphics Display and the UIT computer.
This panel is used to manuall y control the contr ol rod drives, appl y magnet p ower, fire the transient rod, manuall y scram the s ystem and acknowledge messages in the Annunci at or Pane of the Ri ght Side Graphics display.
The design functi ons of the Rod Control Panel are:
- P r ovi d e f or manual cont r ol of t he cont r ol r od dr i ve s.
- Appl i cat i on of ma gnet pow er via a key switch
- Fire the transient rod.
- Manuall y s cram the react or.
- Ackn owled ge alarms and messages.
IROO CONTROL ON lRANSENT SHM SAFETY REO OFF rnRESET 0 8 IIMAGN~ 8 8
MAONET POWEl'l G G G G
I DOWN II II DOWN II II DOWN I 11°0~ I B B
Figure 7 Rod Con t rol P an el
7-52 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.6.3.6.1. Magnet P ower Key Switch In the upper left corner is the MAGNET POWER key switch. The key switch has three positions :
OFF (maintained), ON (maintained) and RESET (momentar y). If the switch is OFF, then all power is removed from the rod magnets. The ON position is wired in with the scram loop. The switch has to be in the ON position to complete the loop. The switch is momentaril y turned to the RESET position to initiate the time delay in the FIS prior to activating the reactor permissive relay. After the time dela y, the switch is momentaril y turned to the RESET position again to a ppl y magnet power. The switch will remain in the ON position during reactor operation. If at an y time during reactor operation the switch is turned to the RESET position, the reactor will scram. Turning the key switch to RESET is also the only wa y to remotely reset trips on the nuclear instruments in the D AC.
7.6.3.6.2. FIRE Pushbutton In the bottom left corner is the F IRE button. When all conditions to fire the transient rod are met, pushing the F IRE button will appl y air pressure to the transient rod for pulsed react or op er at i on.
7.6.3.6.3. Rod Control P ushbuttons In the middle of the panel is the Rod Control section which includes the AIR button, M AGNET buttons, UP and DOWN buttons. The AIR button is used to remove air from the transient rod. The M AGNET buttons are used to remove the magnet power for the shim, safet y and regulating r ods.
Pressing the MAGNET button turns off magnet power and therefore drops the contr ol rod int o the react or core. Pressing the UP or DOWN buttons generates a digital input to the CCS computer to move t he cont r ol r ods.
7.6.3.6.4. SCRAM P ushbutton In the upper right corner is the reactor SCRAM pushbutton. It is hardwired into the scram loop. If this button is depressed, the switch breaks the scram loop in both the positive and negative legs, and all rods will drop to shut down the react or.
7.6.3.6.5. Acknowledge P ushbutton The ACKNOWLEDGE button is used to acknowledge messages in the Annunciator Pane of the Right Side Display. It generates a digital input to the CCS computer to indicate an operator has ackn owl ed ged a visual or audible alert.
7.6.3.7 Reactor Mode C ontrol P anel The Reactor Mode Control Panel is a physical panel located in the right side of the cons ole. This panel contains the status indicat ors for C or e P os i t i on, D o or P os i t i on, In d i cat or s, P u l s e, Tes t, S t op,
Instrument Power ON, Watchdog timers for the CCS and UIT computers and two rotary test switches. Refer to F i gur e 7-24 for a layout of the Reactor Mode Contr ol Panel.
The design functi ons of the React or Mode Control Panel are:
- Provide indication for the status of facilit y components.
- Provide Scram and Interlock selection test switches
- Instrument Power ON pushbutton
7-53 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.6.3.7.1. Reactor C ore and Shield Door P osition The Reactor Mode Control Panel provides status of the core position. Two switches with backlights, an indicator and a digital readout to indicate core position. The two switches, Region 1 and Region 3, can be used to move the reactor core. Backlights will be illuminated when the door limit switch is activated. Foot pedals can also be used to move the react or core. The Regi on 2 indicator will be lit whenever the core is not in Region 1 or Region 3. Also, there is a digital readout for the core p osition. Refer t o F i gur e 7-23 below for a drawing of the core re gi ons and the associated di gital readout values.
St at u s of l ead d oor p os i t i on s i s als o gi v en on t h e React or M od e Con t r ol P an el. Th r ee d oor p os i t i on switches with backlights are provided: Lead Door Open, Lead Door Stop and Lead Door Close.
The switches can be used to open, stop and close the lead door. When the switch is active, the backlight is illuminated.
r-" *oo------.+---------------------- - oo-----------------------!---- 12_cn------j
I 250 300 500 700 75 0 Digital Indicator position
Figure 7 Core Support Carriage Regions
7-54 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
0 0 OOlllE l'OSIITION 0 0 E] EJ INSTRUVENT POWER
[i;f '!ATCHOOG llM!aRS"'al I 118.a.Br 11
~ ~
SCRAM AN~ INT!aRLTlES7r 1 OOI(
§ §
,_...,.H r,r HY LO 0 -HVLO ' \\ I,........ H 0 NDICA 7rOIRS,._WINLO _ (Q) _,..,.HVLO E] @J PIIIOD - -. lff l"Wft,. ' H
""""" I\\
IEaT Q
0 0 I PULS E §I SCRAM AND INTEl1LOCIK 1EST 2
,.,.. POOi.,.....
TEST n~, :,<lif-
POOL L.0 ~- -
..., ""',. I \\ '
0CS llVT STOf' §I 0 IEaT Q 0
0 0
Figure 7 Reactor Control Mode P anel
7.6.3.7.2. Indicators Three other indicat ors are provided : React or Operate, Time Delay and Exp osure Room Open. The Rea ct or Operate indicat or is illuminated when the rea ctor permissive has been satisfied and ma gnet power can be applied. The Time Delay indicator is illuminated while the reactor permissive 30 second dela y is active. The Exposure Room Open is used to indicate that either of the Exposure Room doors are open.
The Pulse Detect or button selects whi ch t ype of detect or is connected t o the NPP-1000 instrument.
In stead y-state operati on, a fission chamber detect or is connected to the NPP-1000 and none of the button lights are lit. In pulse mode, the detector selection is performed per the following:
- Pushing the detector select button once selects detector 1 (uncompensated ion chamber detector) and the Detector 1 backlight will illuminate, or
- Pushing the detector select button again selects detector 2 (Cerenkov detector) for pulsed reactor operation and the Detector 2 backlight will illuminate.
A Lamp Test button is provided to test the lamps on the React or Mode Contr ol Panel. The lamp Test button itself does not light up.
7-55 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
An Emer gency Stop button is provided to scram the reactor in an emergency. It ties in with the Facilit y Interlock S ystem (F IS) and upon pressing it, deactivates the reactor permissive relay that is an input to the scram loop. The Emergency St op is a latching switch; the first push activates, the second push deacti vates.
An Instrument Power ON button and indicator light are provided. The instrument power on switch has a backlight that will be illuminated when cons ole power is on. Pushing the button acti vates or deactivates power from the UPS. Because the UPS input is heavil y filtered to protect against spurious inputs, the UPS turn on or shutdown occurs 2 to 3 seconds after the button has been pushed.
Wat chdog ti mer lights are provided for both the CCS and UIT t o indicat e when a watchdog ti mer timeout has occurred.
7.6.3.7.3. Scram and Interlock Test Switches SCRAM and Interlock Test #1 Rotar y Swit ch is used to select the test. A test button is used to run the test. The r ot ar y test switches are independent of each other and may be activated simultaneousl y s o that the s ys tem will respond accordin gl y as if both event actuall y occurred.
The f ol l owi n g t es t s ar e pr ovi ded f or s electi on on t he Test #1 switch:
- 1) N LW: 1 KW, Period, NLW HV Lo
- 3) NP : NP HV Lo, NP Pwr Hi
- 4) NPP : NPP HV Lo, NPP Pwr Hi SCRAM and Interlock Test #2 Rotar y Swit ch is used to select the test. A test button is used to run the tes t.
The following tests are provided for selection on the Test #2 switch:
- 2) P ool Le vel : P ool Lo
- 3) NFT Temperatures : FT 1, FT 2, FT 3
- 4) Pool Temperature: P ool Te mp 7.6.3.8 Bargraphs and Recorder P anel The Bargraphs and Recorder Panel is located on the left side of the cons ole and contains the bar graphs and digital chart recorders. The Bargraphs and Recorder Panel is shown in F i gur e 7-25.
7-56 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
0 0
0 0
1
-,o~
J
-,o~
0 0
ft C HANNU M.tTAl OX JI CHAHND. DKm'AL QX
0 0
0 0
0 0
Figure 7 Bargraphs and Recorder P anel
7.6.3.8.1. Bargraphs The bargraphs are analog signals that are hardwired to the nuclear instrument modules and are full y independent fr om the cons ole software.
The design functi ons of the Bar graphs are:
- Provid e power indication that is available to the react or op erator.
- Be independent of the control s ystem computers.
- Provides redundancy and di versit y in the event of the computer s ystem failure.
The input to the NPP NV Peak bar graph is wired to one of the solid-state relays on the utilit y drawer. The relay is controlled by the CCS computer and active only during pulsed reactor operati on. During stead y-state react or operati on, the input to the bargraph is disconnected. This is done because the NPP peak detect circuit produces an output at all times but only needs to be displayed while the reactor is pulsed.
The panel includes nine bar graphs:
7-57 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprietar y Infor m atio n Withh old F rom Public Disclos ure Un der 10 CF R 2.390
- 1) Safe t y 1 (%) (NP -1 000)
- 2) Safe t y 2 (%) (NP P-1000)
- 3) Log P owe r (%) (NLW-1000)
- 4) P eri od (sec) (NLW - 1000)
- 5) F u el T emp 1 (°C) (NFT-1 000)
- 6) F u el T emp 2 (°C) (NFT-1 000)
- 7) F u el T emp 3 (°C) (NFT-1 000)
- 8) NVT (MW sec) (NPP-1000)
- 9) NV P eak (MW) (NP P-1 000) 7.6.3.8.2. Digital Chart Recorders Th e ch art r ecor ders use a high-resolutio n digi tal L CD d i sp l ay (5.7 inches) t hat provides clear,
bri ght images and a wider view ing ang l e than oth er disp l ay types. Th e tou ch -scr een inter face and gra p h ical icons m ak e th em easy to use, w hil e th e disp l ay can be custo m ized t o access t he b est represe n tatio n of p rocess data. Each r ecor de r s uppo1is up t o 12 an alog and 16 digi tal inp uts. They can st or e dat a to a secur e digi tal (SD) car d an d/or U S B m e m ory stic k.
Th e design fun ctio n s of t h e Reco r ders a re:
- Provide p ower indi catio n and t ren ding th at i s avai l able to the reac tor ope r ator.
- Provide a pe1manen t r ecor d of r eact or p ower.
- B e in depe n de n t of the con trol syste m compu ters.
- Provides r edund an cy and d i ver sity in th e even t o f the compu ter syste m failur e.
As a minimu m, th e chaii reco r der on th e l eft r ecor ds Log P ower (NL W-1000), th e chaii reco r der on t h e right reco r ds Lineai* P ower (NP - 1000). H owever, a ll analog s i gnals fro m t he nu clear inst ruments ai*e h ai*d wired to th e chart reco r ders and are avail ab l e for disp l ay an d storage. The reac t or operator h as t h e optio n to en ab l e additio n al inputs to be viewed an d r ecor ded. The signals connect ed t o t h e r ecorder s ar e listed in Tab le7 -8 below.
Table 7 -8 - List of Recorder Input s
Left Recorder Right Recorder
N L W-1000 Log Powe r (defa ul t) N P-1 000 Safety 1 Line ai* Powe r ( d efa ult)
N PP-1 000 Safety 2 Power ( optio nal) NF T -1000 Fuel T emp 2 (optio nal)
N L W -1 000 Peri od (op tion al) NF T -1000 Fuel T emp 3 (optio nal)
N PP-1 000 NVT ( op tion al) NM P-1 000 M ult i-R an ge Power (optio nal)
N PP-1000 NV ( opti on al )
NF T -1000 F u el T emp 1 ( optio nal)
7 -58 P roprietar y In formatio n Withh old F rom Public Disclos ure Un der 10 CF R 2.390 Proprietar y Inform atio n Withhold From Public Disclos ure Under 10 CFR 2.390
7.6.4 Subsystem Description The following sectio ns describe the layout of the CSC and basic de sign considerations. The CSC contains t he components required fo r the operator to control and m onitor the reactor and t he auxi liary systems. Thi s includ es t he Con sole Computer Syste m (CCS) and User Interfac e Terminal (UIT), the R od Control Panel and t h e B ar graph/Recorder Panel.
The contrnl console and display ins trum ents have been designed to collect and display op eratin g informati on that is re adi ly observed and interpret ed by the operato r through the diverse and complete presentation of info1matio n. The m ost imp ortant facility param eter s such as neutron flux l evel s and fuel temperatures are pre sented in var i ous forms (bar grap hs, trend ed displays, and numerical value s) us ing indep endent m echani sms. Addi ti onall y, t he human m achine interfa ce is presented s uch that a minimal number of " click s " ar e nec essaiy for display n avigatio n. hnpor tant manual control inpu ts suc h as rod pushbuttons and switche s ar e given an ind epe ndent physical panel through w hi ch t he y can be activated. Testing uni ts ar e also give n a physical l ocat i on on t he console to facilitate operator use.
The up dated values of operatin g pai*ameters and the status o f syste m s and equipment are displayed on t he m ain control console and other di sp lay ins trumen ts systems and equipmen t. Addi ti onall y, the rod mo ve m ent and syste m m ode are selected o n the control consol e. The se displays sh ow imp o1iant infonnation t o t he operator includin g alaims and scram info1matio n fro m the React or Protecti on Syste m (RPS).
There ar e two high-re solu tion display scree ns on the CSC Conso le w her e impo1iant info1matio n has been group ed by type to sti*eamline infonn atio n flow from t he syste m to the op erato r. With t he Left Side display s howin g t he scra m status, as well as any operati onal wai*nin gs or interl ock s, t he operator has an accurate picture of t he facility stat us. R eacto r operations and s tatus are available on the Right Side display.
Given thi s collection of info1matio n, the operator may r ead and evaluate syste m p erfor man ce and take prompt and accur ate steps to suppl y control input s on w hich the Reactor Conti*ol Syste m (RCS) can act. The sys tem is combined and integrated in a way t o readily aid the operator in conti*olling operat ion of t he re acto r.
This separati on of binai*y informa t ion (alarm or n o alaim ; interlock or no interlock) in conjunction with ti*ended information allows the operat or to identify if the syste m is ti*endin g toward an operational limit and dete1mine w hen th at limit may be exceeded.
7.6.4.1 CCS Computer The design function s of t h e CCS Co mput er are:
- Proc ess all Digital Inpu ts and Outputs.
- Proc ess all control rod drive m ovemen ts.
- Monitors all input s and outputs
- Conti*ol the reactor The CCS u ses a an d handle s inpu t and outpu t data, m onitors t he es t he in dicato r li ts o n the console. The CCS
7 -59 Proprietar y Inform atio n Withhold From Public Disclosure Under 10 CFR 2.390 Proprietar y Inform atio n Withhold From Public Disclos ure Under 10 CF R 2.390
The CCS computer sys tem in the console h as a display associated with it. Thi s display is n ot nonn all y ne eded during the opera tio n o f the r eacto r ; i t exi s t s mainl y for star t up, s hutdo w n, and console debugging pmposes. Other than detennining t h at the CCS h as come up and is ope ratin g properly, there is no r easo n for h aving this display present on t he con so le. Durin g n01mal operation o f the softwa re, it displays t he digital and analog input s / outpu ts o n the screen. H aving this scree n h andy is useful t o dete1mine w het her the CCS h as lock ed up if the syste m fre ezes.
The display i s also useful for s huttin g down the CCS syste m (though t his can a lso b e done from the U IT computer).
7.6.4.2 UIT Computer The design fun ctio n s of t h e UIT Comput er are:
- Pro vide t he grap hical user interface ( GUI) for the reactor operator.
- Pro vide s t at u s of reactor parameters.
- Pro vi d e alarms and m essages.
The User Interfa ce Te1minal (UIT) u ses a t o display parameters and accept u ser inpu t. The U IT code is w ritten in. The U IT consists o f two display screen s. The Left Side S t at u s Disp lay and t he Righ t S ide Graphics Disp lay.
7.6.4.2.1. Left Side Status Display The Left Side St atu s Dis play scree n is divi ded int o fi ve panes, a ll of w hich a re simultaneou s l y vis ible, and used to display opera t ing info rmatio n about the reactor. The five display panes are:
- 1) ST A TUS
- 2) SCRAM
- 3) WARNIN G S
- 4) MODE SELECT ION
- 5) INTERLOCKS
7-60 Proprietar y Inform atio n Withhold From Public Disclosure Under 10 CF R 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 Left Side Status Display
STATUS Pane The STATUS pane presents current infor mation about the status of the s ystem including power readings, period, temperatures and pool water level. The core positi on and shielding door positions are also displayed. Also, the remote/local state of each channel is displayed. During a pulsing operation, an additional Inhibited field will be shown for the NLW-1000 and NMP-1000 and an additional B ypassed field will be shown for the NP. These fields are displayed to the right of the remote/local field and are shown to indicate when the devices are inhibited or bypassed during a pulsing operati on.
Figure 7 STATUS Pane
7-61 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
SCRAM Pane The SCRAM pane displays scram conditions. If a scram were to occur in the react or, an operator would reference the Status Display to quickl y identify the cause of the scram. The SCRAM pane also provides buttons to conduct operational tests of the scram system. For the buttons to be enabled, a check box must be selected which reads, Enable Scram Tests.
NOTE: All scram/alarm messages displayed on the SCRAM and WARN INGS panes are first displayed on the left STATUS display, as opp osed to the informati on panes on the graphi c display.
Figure 7 SCRAM Pane
WARNINGS Pane The WARNINGS pane displays warnings of which the operator should be aware. An alarm disable checkbox is provided for each warning. If the checkbox is not checked and a trip occurs, the horn
7-62 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box will be displayed for the warning. If the checkbox is checked and a trip occurs, the yellow box will still be displayed for the warning, but the horn will not sound and an ANNUNCIATOR Pane message will not be displayed. The primary purpose of this audible inhibit functionalit y is to minimize distractions during s ystem setup and testing or prolonged warning situations. By default, alarm disable checkboxes are not enabled.
Figure 7 WARNINGS Pane
MODE SELECTION Pane The MODE SELECTION pane allows the operator to select the mode in which to operate the react or. These mod es are:
- 1) Manual Mode (stead y-state)
- 2) Aut omati c Mode ( AUTO)
7-63 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
- 3) Square Wave M ode
- 4) Pulse M ode
Figure 7 MODE SELECTION P an e
This pane also contains a text box and a button that allows the operator to enter the demand power setting. Once set, Demand is selected for the input power (in Watts); this will update the Demand 7-64 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Power as shown on the upper left corner of th e React or Display. When the demand power setting is selected and the react or is in Aut omati c Mode, those rods selected in the banked movement will adjust their position to insert or remove reactivit y to maintain power at the demand setting.
The MODE SELECT ION pane also contains text boxes with checkboxes that allow the operator to manuall y select the NM P range and to indicate the current range selection for the NMP. As an automatic ranging device, in normal operations, the NMP would change its scale based on the react or power. By manuall y selectin g a ran ge, the operat or will prevent that a ction b y the NMP. If the power continues to rise and the NMP reaches 110% of its selected scale, it will initiate a warning. The NMP is an operational channel and is not credited in the minimum reactor safet y system scrams.
This pane also allows the operator to set timed actuations. The Set Pulse Time button allows the operator to set the length of time before an automatic scram after a reactor pulse. The time is entered into a text box and actuated with a button. The reactor power pulse is a function of core ph ysi cs and t ypi call y lasts a few hundred millisecon ds. Normall y, the op erator will manuall y s cram the reactor after a few seconds, but as required by the Technical Specifications, the s ystem will automaticall y s cram if the Set Pulse Time limit is reached. The Set Scram Time button is used to set the time of a scram fr om stead y-state mode. There are buttons to start, stop, and reset this timer.
It ma y be directed t o count up or count down.
INTERLOCKS Pane The INTERLOCKS pane displays interlock conditions. An alarm disable checkb ox is provided for each interlock. If the checkbox is not checked and an interlock occurs, the horn will sound, an ANNUNC IATOR Pane message will be displayed and a yellow box for the interlock will be displayed. If the checkbox is checked and a trip occurs, the yellow box will be displayed for the interlock but the horn will n ot sound and an ANNU NCIATOR Pane message will not be displa yed.
7-65 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
Figure 7 INTERLOCKS P ane
7.6.4.2.2. Right Side Graphics Display While the Left Side Status Display shows the current facilit y mode and operational settings, the Right Side Graphics Display is the primar y means by which the operator monitors and controls the react or.
At the top of the graphic displa y, regardless of the display screen selected, the s ystem menu bar displays the following menu items :
- 1) RUN: Exit to or Restart UIT.
- 2) OPERATOR: Pr ovides the abilit y to log in, log out, and display selected operat or stati-stics.
- 3) HISTORY: S ystem must be scrammed, then starts the execution of the histor y pla yback program.
- 4) DISP LAY: Refreshes the graphics displays (this option is rarel y used).
Three information panes immediatel y below the display menu bar are also always present. The panes are: S ystem Status, Annunciator, and Site/Operator.
The System Status box in the upper left corner of the reactor display will always show the following infor mation:
- 1) Date and Time
- 2) M ode 7-66 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
- 3) Reboot Time
- 4) Demand P ower Level The reboot time is the time since the reactor consol e was last turned on.
The Annunciator box in the upper middle will display interlock, warning and/or scram messages.
The message will be displayed until acknowledged using the ACKNOWLEDGE button on the Rod Control Panel. Several messages ma y be queued and waiting for acknowledgement. The border on the r i ght -hand side of the Annunciator box will consist of a single line if there is onl y one message and will consist of two lines if more than one message is in the annunciator queue.
Scrams are automati call y moved t o the fr ont of the queue. All other messages are stacked in the order of occurrence (oldest to newest). These stacked messages will display in order as the messages are acknowledged. During routine operations and with no scrams, alarms, or warnings acti ve, this panel will be empt y and black whi ch is a simple visual check for the operat or.
The Site/Operator box in the upper right section displays system site name (AFRRI TRIG A Reactor), user login, login time, s ystem version inf ormation and total megawatt-hours produced b y th e current core l oadin g.
Dur i ng r eact or op er at i on (non-s crammed mode), there are two display tabs (React or Display #1 and Reactor Display #2) that provide two separate views of the react or 's operation.
Where the Left Side Status Display is divided into several different panes, the Right Side Graphi cs Display has six different screens which must be selected to be visible to the operator. The six screens are as foll ows :
- 1) Reactor Display #1 for normal reactor oper at i on
- 2) Rea ct or Di s pl a y #2 f or nor mal r ea ct or oper at i on
- 3) Reactor Prestart Tests (available onl y if magnet power is not applied to the contr ol rods)
- 4) Pulse Display
- 5) Administration (available onl y when a s ystem administrator is logged in)
- 6) Test Functions (for s ystem administrator use only) 7.6.4.2.3. Reactor Display #1 On the left side of the Reactor Display #1 there are scales for the following:
LINEAR POWER: This bargraph shows the current reactor power level in watts on a linear scale. This information is obtained from the NMP-1000 Nuclear Multi-range Power Channel.
LOG POWER: This bargraph shows the current reactor power level as a percentage of maxi mu m power, on a logarith mi c scale. This informati on is obtained from the NLW-1000 nuclear channel.
NP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the informati on derived fr om the NP-1000 which is independent of the NPP-1000. This channel is denoted as Safet y Channel 1.
7-67 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
NPP % POWER: This bargr aph shows the current react or power. This graph uses a linear scale and is redundant because it displays the information derived from the NPP-1000 which is independent of the NP-1000. This channel is denoted as Safet y Channel 2.
The central portion of Reactor Display #1 shows a graphical representation of the reactor cr oss section with information about the status of the control rods. For the shim rod, the safety rod and the regulating rod, the small square box at the top of the control rod indicates the status of the contr ol rod magnet power. For the transient rod, the small square box at the top of the contr ol rod indicates the status of the air. The operator is able to quickl y understand if a contr ol rod is at its lower limit, the status of the magnet or air, the height of the control r ods, and the measured drop time (if a drop is initiated from full height). When the magnet or air is activated, a representative box changes from black to yellow. Additionall y, when the contr ol rod bottom limit switch is not acti vated, the control rod col or chan ges from black to green. Therefore, an ytime the contr ol rod is off the bott om of its travel path, the box should be yell ow and the rod green. Once the contr ol rod has been lifted to its upper limit and activated the contr ol rod upper limit switch, the control rod color will turn magenta.
Below each control r od in the display is a small box that indicates the current position of the control rod drive mechanism. The scale for the position readout ranges from 0 to 999. The position is 0 if the contr ol rod drive is all the way down and the position is 999 if the contr ol rod drive is all the wa y up. If the contr ol rod is all the wa y d own and the ma gnets are ener gi zed, its col or will be gra y.
When the contr ol rod down limit switch is activated, the position indicator is for ced to zero units.
If it is all the way up (and the control rod up limit switch is actuated), the color will be magenta and the position indicator is for ced to 999 units. The control rod color will be green between the magnet and the bottom of the contr ol rod when positioned anywhere between fully down or full y up.
At the bottom of the graphical display s creen, several rectangles representing the physical rod control buttons on the Rod Control Panel are displayed. When a button is pressed on the Rod Control Panel, the system will highlight the button on the graphics display. This portion is particularl y useful in aut omati c mode, for when a contr ol rod drive is in moti on, as dictated by the automati c control P ID al gor i t hm, t he oper at or i s abl e t o ver i f y pr op er cont r ol r od m ove ment.
The ACKNOWLEDGE button on the Rod Control Panel provides a meth od to ackn owled ge trips, scrams, warnings, etc. that are displayed on the Annunciat or Pane of the main graphi cs window.
Pressing the ACKNOWLEDGE butt on will clear the top message in the annunciat or window.
E ven thou gh the SCRAM button on the rod control panel is hard-wired directly into the s yste m scram l oop (i.e., this signal is not processed by s oft ware), t h e status is provided to the softw are so the program can determine when the operator presses the SCRAM button. The SCRAM box indicates when the operator presses this SCRAM button.
On the right side of the Reactor Display #1 there are scales for the following:
P ERI O D: This bargr aph shows the period or rate of change of reactor power This informati on is obtained from the NLW channel.
NF T1 TEMP : This bargraph shows the NFT1 fuel temperature in ºC on a linear scale.
This information is obtained fr om the NFT channel.
7-68 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
NF T2 TEMP : This bargraph shows the NFT2 fuel temperature in ºC on a linear scale.
This information is obtained fr om the NFT channel.
POOL TEMP : This bargraph shows the pool temperature in ºC on a linear scale. This informati on is obtained from pool water temperature RTD.
The bott om left section of React or Display #1 shows the core position in the reactor pool. Because the AFRR I Reactor features a movable reactor core, this provides additional information to the operator and ma y be verified through visual inspection. This simple graphic has indication of the lateral location of the core, as well as the shield door position and the exposure room door positions.
7.6.4.2.4. Reactor Display #2 The second reactor display sh ows the same bargraphs as React or Display #1 but the central por t i on of the screen is replaced with a strip recorder display with the four parameters : linear power, log power, period, and cool ant temperature.
7.6.4.2.5. Pulse Display The Pulse Display tab is automaticall y displa yed after a successful pulse operation. It will displa y the results of the last pulse in graphic for m. The pulse data file, stored on the computer as a CSV formatted file, will have the date, time, width at half power, pulse time, number of entries, period, total energ y, peak pulse power, peak fuel temperature, and the pulse reactivit y. The user can scroll hori zontall y al ong the time of the pulse and can s cale the y-axis of the selected parameter. Prior pulses ma y be l oaded to viewin g when the react or is in a non-operation al mode.
7.6.4.2.6. Prestart Tests Display When the react or is scrammed and magnet power is not applied, the graphics display will include the Prestarts Tests Display. When the operat or presses the Prestarts tab on the Graphics display, the s ystem shows the prestart tests that are available.
NOTE: This prestart mode is not available when conducting operational (manual) prestart tests from the Status Display using the Test Enable function, which requires that magnet power be applied to withdraw the control rods. While magnet power is applied, the Prestart Tests tab will not be displayed.
This Prestart Tests tab is used for the software generated prestart tests and is not available when the react or is operating. While running these prestart tests, the remaining tabs are disabled. A RUN button is provided to start the prestart tests. As each prestart test is completed, Passed or Failed will be displayed (along with a reason for a failure if the test fails). If a particular test fails, then the user must press the DONE or CONT INUE button on the display (using the mouse). Pressing the DONE button aborts the testing process. Pressing CONTINUE causes the s ystem to continue with the next prestart test in the sequence. At the end of all the tests, pressing DONE clears the prestart and returns control t o the main react or display tab. At an y ti me while the s ystem is waiting for the operator to press the CONTINU E or DONE button, the operator can press the PRINT butt on to send a cop y of the prestart report to the s ystem printer.
On the right side of the display, buttons are provided to run each of the prestart tests individuall y.
A Tes t OFF button is provided t o stop the tests.
The available prestart tests include:
7-69 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
- 1) NMP: Low Current, High Current, High Voltage (Low)
- 2) NLW: Low Current, High Current, Low Count, High Count, Hi gh Vol t a ge ( Low), P er i od
- 4) NP : Ra mp, Hi gh P ower, Hi gh V ol t age ( Low)
- 5) NP P : Ra mp, Hi gh P ower, Hi gh Vol t a ge ( Low)
- 6) NFT: 1 Low Temp, 1 High Temp, 2 Low Temp, 2 High Temp, 3 Low Temp, 3 High Temp 7.6.4.2.7. Administration Display When an operator is logged in as a system administrator and the system is scrammed, the Administration tab will be added to the display tab list. This screen displays all the operat ors b y name and op erator nu mber; as well as their logged in times, magnet on time (their run times/time spent in an operational mode), and their cumulati ve Megawatt (MW) Hours (operator time wh en reactor produced MW). This information is kept on the CCS machine as well, so that a s ystem administrator can reset values to zer o by editing this file (or resetting all statistics by deleting the file). This is a useful feature for when a new reactor operator requalifi cati on cycl e starts.
7.6.4.2.8. Test Functions Display When an operator is logged in as a s ystem administrator and the s ystem is scrammed, the Tests Functions tab will be added to the display tab list. The test display is intended for diagnostic, testing, and informative purposes. There are four major sections : Digital Outputs, Digital Inputs, Anal og Outputs and Anal og Inputs.
In the Digital Outputs section, there is a checkbox on man y buttons on the test screen. Checking one of these checkb oxes will turn on that particular output; clearing the checkb ox will turn off that particular output. However; the test functions only work while in scrammed mode, therefore attempting to turn on the magnet power outputs will not actuall y supply power to the magnets since the hardwired scram loop prevents that from occurring. When checking one of the magnet power output checkboxes, the s ystem will write the output to the hardware port and the user can verif y that the output is present by the correspondi ng LED on that board and magnet power is cut off after that point. Note that the transient rod is controlled by digital outputs which are located in this section. You can move the cylinder up and down using the test functi ons, but you cannot fire the rod from the test screen. Many other buttons are provided to initiate the test modes and trip reset for all of the channels.
In the Digital Inputs section, the input data in displayed in two for ms. First, all of the digital inputs are displayed in a binar y string (ones and zer os) with each bit of that string corresponding to one of the hardware inputs (0=off, 1=on). Second, the test display also shows the digital inputs using signal names. The name is white text when the signal is zero (off), and with red text when the signal is one (on). Also, the trips, Local/Remote status, Comm status and range (NMP Only) are shown as signal names. The name is blue text when the signal is zero ( off), and red text when the s i gnal i s one ( on).
In the analog outputs (rod control) secti on, the Tests Functions provides text edit boxes into which the operator can t yp e a value between - 10.0 and +10.0. This voltage is written to the corresponding D/A converter that drives the regulating, shim, safety and transient rod control drives. Note that
7-70 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
because both magn et power and air pressure cannot be applied in scrammed mode, onl y the contr ol rod drives and magnets will move and not the actual control r ods.
In the analog inputs sections, the Tests Functions displays the raw 16-bit numeric value and the converted value for each of the analog inputs.
7.6.4.2.9. Data Recording and Playback The s ystem captures all events written to the UIT displays and records them to a file on the UIT computer for future pla yba ck. These filena mes are coded so a rea ct or administrator or operat or ca n locate the run histor y for a particular react or run and playback those files.
When ever the react or is in operation, the UIT computer records a log of events and devi ce states on the hard disk. This data histor y-l oggin g automaticall y b egins whenever the operator resets the scrams (a prerequisite to react or startup). Data is recorded appr oximatel y e ver y 100 ms. Also, an y time there is a change in the WARN INGS pane or the SCRAM pane, that event is recorded, regardless of time. Logging continues following a s ystem scram until terminated by the operator.
The s ystem accu mulates the time each operat or is on the cons ole (which also ma y be seen on the U IT displa y) and also the react or me ga watt hours. The s yste m also re cords all the while the react or is in a scrammed conditi on, creating a new data file ever y two h ours. At the beginnin g of each new file, the input states are recorded from the end of the previous file to create continuit y of the informati on between files.
The histor y l oggin g feature allows reactor operati ons to be replayed in snapshots when the reactor is shut down. Each snapshot is a recreation of both the Right Side React or Display #1 and the Left Side Status Display at the moment the snapshot was taken.
History pla yback takes the form of replaying snapshots of the two video display screens (Ri ght Side Reactor Display #1 and Left Side Status Display) in sequence as they were recorded.
When e ver a value chan ges on either of the displa y screens, that new value is written to the histor y playback file; writing onl y the differences helps reduce the size of the playback file. During playback, the operator will see the contr ol rod movements and bargraph displays (from the React or Display #1) as they occurred during real time operation. The operator can play back the recorded histor y either manually or automaticall y. To play back the data manuall y, the operator can step through each recorded frame on the playback display. When pla yed back automaticall y, the data will be displayed automati call y in sequence at a variable speed.
7-71 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.7 P ROCESS INSTRUMENTATION Instrumentati on in the react or pool, primar y water cool i n g s ystem, and primar y water purifi cati on s ystem per mits the measurement of parameters important to the safe operati on of the react or and associated coolin g s ystem. These parameters include primar y coolant temperature, primar y water condu ct i vi t y and pool water level.
7.7.1 Design Criteria The process instruments are designed to support the safe operation of the reactor. Certain parameters in the react or facilit y must be measured to ensure a p r i m a r y coolant state that does not degrade the qualit y of the fuel clad, can remove heat from the core, and protects facilit y personnel from high radiation levels. When an y of these fall out of the relevant techni cal specifi cation, the operat or is notified b y an alarm. Immediate shutdown of the react or ma y b e ne cessar y b y aut omati c or manual scram actuati on.
The parameters for temperature and conduct ivity are measured in more than one location.
Temperature is measured near the core and in the bulk coolant volume to ensure the most conservative point is taken and protected against a single point failure. The condu cti vit y of th e coolant is measured on both the inlet and outlet of the deminerali zer s ys t e m. Finally, to ensure adequate cooling capacit y, as well as protecting facilit y personnel fr om high radiati on levels, pool water level is measured to provide an early warning alert on low water level, and a scram when the water drops below the setpoint.
7.7.2 Design Bases The three principal parameters to be measured in the process instruments are:
- coolant temperature
- coolant condu ct i vi t y
- pool water level The water temperature is measured b y a resistance temperature sensing element (RTD) in a bridge cir cuit and has a range of 0 to 100°C.
The condu cti vit y measured in micromhos/cm should not exceed 5 micromhos/cm with t ypical measurements to be in the 2-3 mi cromhos/ cm range.
Rea ct or p o ol l evel is measured in a manner which gi ves clear indicati on to the operat or of suffi ci ent levels. A float mechanism is used so that it is set to give a high/low status at the zero reference level. An earl y warning notice of low p ool level is provided as well as an alarm for insufficient pool water level. The accuracy of this measuremen t is at least the nearest 1/2 i n ch of water.
7.7.3 Subsystem Description 7.7.3.1 P rimary Coolant Temperature The following coolant parameters are available to the operator: pool water temperature, demineralizer outlet temperature, and demineralizer inlet and outlet conductivities. The primar y coolant water temperature is measured at three locations :
Ab ove the reactor core inside the core shroud Six inches below the pool surface 7-72 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Inform atio n Withhold From Public Disclos ure Under 10 CFR 2.390
- Water monit or b ox of t he primary wate r purification syste m The wate r temp erature is m eas ur ed by a resistance-temperature se ns ing element (RTD) in a brid ge circuit and has a range of 0 to 100° C. The signa l is sent to t he CSC t o be displayed on t he U IT Left-side display in the STATUS Pane. The CSC a lso uses the s ignal to provide a rod withdra wal inte rl ock when the inlet water tempera t ure t o the demineralizer i s gre ater than 60° C.
7.7.3.2 Primary Coolant Conductivity Primar y cooling wate r conductivity (resistiv i ty) are me asured at several points by conductivity cells con tainin g titanium electrodes in microproc essor -based circ uitr y wit h a range of 5 µmhos / cm to 0.05 µmhos/ cm. Wate r condu ctivi ty i s m easured at the wate r m onit or b ox (up str eam fro m t he mixed-bed demineraliz ers) and the outl et from each dernineralizer. R ead outs for the cond uctivi t y m onit or s are located locally.
T o prevent damage to t he re sins, the de mineralizer inlet te mp erat ure provides a high inlet temperature inte rl ock which prevents the with drawa l o f t he control rods w h en t he de mineraliz er inle t water temperatur e is g reater than 60° C.
7.7.3.3 Pool Water Level The l eve l of the reactor tank wate r i s m onit ored by two indep endent swi t che s m ounted o n a common rod and actuat ed b y a fl oat. The first switc h activates 1" b el ow the zero reference p ool l eve l and prevents the wit hdra wal of t he control rods. The seco nd swi t ch will cause an au tom atic reactor scram if t h e water level drops below 6" of t h e zero referen ce pool level. Al on g with the scra m, the secon d swi t ch wi ll also cau se an alarm on t he reactor consol e as well as an audibl e and visua l a larm on the facility h all panel during n on-dut y h ours. This wi ll a lert the securi ty watc hman o f an unu sua l s i tuatio n so t h at appropriate conective acti on m ay be taken.
A third fl oat type switch is l ocated the pool to alarm w hen the pool level is gre ater t han 1" above the zero reference height. This a larm l ocated separa te for t he control consol e is intended to al ert reactor staff when the p ool l eve l i s high, su ch as durin g refilling opera ti ons.
Table 7-9 -Trips Associated with the Process Instrumentation
Instrument Trip Setpoint Action
Coolant temperature at the 2:::60°C Rod Withdrawal Interlock inlet to the Demineralizer Pool Water level 2:::1" below Rod Withdrawal Interlock
Pool Water level 2:::6" below Scram, and facility hall panel alarm
Pool Water level 2:::1" above Local audible alarm
7.7.4 Technical Specifications for Process Instruments The following specificatio ns for the coolant system s ar*e:
3.3.a. The re acto r sh all n ot be operate d if t he bulk wate r temp erat ure excee d s 60° C ;
7 -73 Proprietar y Inform atio n Withhold F rom Public Disclosure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
3.3.b. The react or shall not be operated if periodi c measurements taken IAW TS 4.3 show conducti vit y of the bulk water greater than 5 micr omhos/ cm; and 3.3.c. Both audible and visual alarms shall be provided to alert the AF RR I securit y guards and other personnel to any dr op in react or pool water level greater than 6 inches.
3.3.d. The reactor shall not be operated if the measurement required by TS 4.3 shows concentrations of radionuclides above the values in 10CFR part 20 appendix B table 2 are found in the primar y coolant until the source of the acti vit y is determined and appropriate correcti ve acti ons are taken.
7-74 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.8 RADIATION MONITORING SY STEMS The radiation monitoring s ystems associated with reactor operations at AFRRI are maintained as a means of ensuring complian ce with radiation limits established under 10 CFR 20. These s yste ms consist of remote area monitors, continuous air monit ors, reactor stack monitors, and AFRR I perimeter monitoring. Detailed information (such as alarm setpoints for the various monitors, appropriate react or operat or responses to radiation alarms, and procedures invol vin g monit or data evaluati on and archi vin g) can be found in Referen ces 7-1 and 7-2.
The radiation monit oring s ystems associated with AFRRI react or op erati ons provide read outs and radiation alarms at key l ocati ons in the AFRRI complex. These locati ons are:
- React or Room (Room 3161)
- React or Contr ol Room (Room 3160)
- Emergency Response Center (Room 3430)
- Annunciat or panel in Hallway 3101 The radiation alarms in the reactor room and the radiation alarm readouts in the reactor control room provide the reactor operators with information necessary for the safe operation of the AFRRI-TRIG A reactor. All radiation monitors readouts are located in the Auxiliary Console in the control room. The radiation monitors do not interface with the Control S ystem Console.
The audible and visual alarms on the annunciator panel in Hallway 3101 alert the Securit y Wat ch man (during nondut y h ours) of unusual react or conditi ons when the react or is secured. Wh en reactor personnel are present in the reactor administration/contr ol area, the audible alarm on the annunciat or panel in Hallway 3101 is turned off.
7.8.1 Remote Area Monit ors The remote area monitors (RAMs) in the remote area monit oring s ystem of primar y concern to the react or are R-1, R-2, E-3, and E-6. These units are placed in various areas of the reactor building where potential radiation hazards may exist due to react or operati on.
The monitors utilize scintillation detectors which measure gamma radiation with energies greater than 20 keV. The units have a range of 1 mrem/hr to 105 mrem/hr and a nominal accuracy of +/-15 percent at all levels. The units have a time constan t of 2 seconds and a meter and alar m response time of less than 1 second. The monitors activate radiation alarms at various locations within AFRRI; the alarm set points are variable. The monitors also activate visual alarms in the contr ol room and the Emer gency Response Center (room 3430).
The RAMs are calibrated at regular intervals using a radiation source of known intensity. Th e locati ons of the RAMs, the readouts, and the audible and visual radiation alarms are given in Table 7-10 and F i gur e 7-32 through F i gur e 7-34. The alarm setpoints can be found in AFRR I internal documents (Referen ces 7-1 and 7-2).
7.8.2 Continuous Air Mon i t ors The continuous air monit ors (CAMs) of primar y i mp ortan ce t o the react or are two C AMs locat ed in the reactor room. Three additional CAMs, which monit or the exposure rooms and the prep area, are discussed in Section 10. The CAMs provide continuous air sampling and monitoring (gross beta-gamma activity) primaril y of airborne particulate matter.
7-75 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
The CAMs draw air with an air pump (~7 cfm) through a shielded filter assembl y, which traps an y particulate matter greater than 0.3 micr ons in diameter. A G-M detector measures an y radioactive particulates trapped by the filter. The count rate (counts per minute) is recorded b y a three-cycle, logarithmic, strip-chart recorder mounted on the CAM itself. The units have a sensitivit y ran ge of 50 cpm to 50 x 103 cpm and a nominal accuracy of +/- 10 percent. The units have a time constant which is inversely proportional to the count rate, being 200 seconds at 50 cpm and 1 second at 50,000 cpm. The units have the capabilit y of actuating alarms at two adjustable radiation levels.
Table 7 Reactor Remote Area Monitors
RAM Location Readout Radiation alarm
R-1 Appr oxi matel y 7 feet Meter in reactor Acti vates audible and visual alarm in the above the fl oor on the contr ol room and react or room and in the reactor contr ol react or room east Emergen cy room; activates visual alarm in the wall Response Center Emergen cy Response Center (Room (Room 3430) 3030); acti vates visual and opti onal audible alarm on annunciat or panel in Hallway 3101 R-2 Appr oxi matel y 7 feet Same as R-1 Acti vates visual alarm in the react or above the fl oor on the contr ol room and in the Emergency react or room west Response Center (Room 3430) wall E-3 6 feet above the fl oor Same as R-1 Same as R-2. In additi on, there are a on the west wall prep visual and audible local alar m in the area opp osite ER #1 prep area near ER #1, and a red light at plug door the front desk.
E-6 6 feet above the fl oor Same as R-1 Same as E-3, except the visual and on the west wall prep audible local alarm is in the prep area area opp osite ER #2 near ER #2 plug door The primar y react or room CAM is located in the southwest corner of the react or room and is visible from Room 3156. The air sampled b y this CAM is taken from approxi matel y 36 inches above the react or pool surface inside the core support structure. The air is passed through a hose to the CAM.
The air is exhausted by the CAM back to the reactor room. The reactor room CAMs form an integral part of the reactor room containment capability, in that when either CAM's high -level alarm is acti vated, the suppl y and exhaust damper s to the react or r oom in the ventilati on s ystem are automati call y cl osed to isolate the react or room air volume.
The backup reactor room CAM is located al ong the west wall of the reactor room and its alarms are visible from the contr ol room and Room 3158. The air sampled b y this CAM is taken fr om a point near the warm drain located alon g the west side of the react or pool. The air is exhausted by the backup CAM back t o the react or room.
A description of the CAMs ' alarms, locations a nd read-out is given in Table 7-11 and F i gur e 7-32 t hr ou gh F i gur e 7-34. The alarm setpoints can be found in the appropriate AFRRI internal 7-76 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
documents (Reference 7-2). Additionally a flashing visual light on the reactor auxiliary instrumentation console in the reactor contr ol room will be illuminated when either reactor room CAM is set in the TEST mode during testing.
Table 7 Reactor Room Continuous Area Monitors
CAM Locat i on of air intake Readouts High-level alarm Low-l e vel Alarm(1)
Appr oxi matel y 36 Meter in reactor Acti vates audible and Acti vates P r imar y inches above react or contr ol room visual alarm on unit visual alarm on pool inside core itself the unit itself carriage Strip chart Acti vates audible and recorder located visual alarm on on the unit itself r eact or cont r ol r oom annunciat or panel Acti vates visual alarm on react or room wall panel Acti vates audible and visual alarm on annunciat or panel in Hallway 3101 Causes solenoid val ves t o vent and cl ose react or room ventilati on damp ers Near the warm drain Strip chart Identical to primar y Acti vates along the west side recorder located CAM alarm visual alarm on Alternate of the react or tank on the unit itself indicati ons, when the unit itself Backup and meter in connect ed r eact or cont r ol room
(1) If the low-level alarm is being used
7-77 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 P roprietar y In form ation Withh old F rom Pub lic D isclos ure Un der 10 CF R 2.390
Figure 7-32-AFRRI Radiation Monitor s A ssociated with AFRRI TRIGA Reactor
Firs t Level
7-78 P roprietar y In formatio n Withh old F rom Pub lic D isclos ure Un der 10 CF R 2.390 Proprietar y Inform ation Withhold From Public Disclos ure Under 10 CF R 2.390
Figure 7-33-AFFRI Radiation Monitors Associated with AFRRI TRIGA Reactor
Second Level
7 -79 Proprietar y Inform ation Withhold From Public Disclosure Under 10 CF R 2.390 P roprietar y In form ation Withh old F rom Pub lic D isclos ure Un der 10 CF R 2.390
Figure 7-34-AFRRI Radiation Monitor s A ssociated with AFRRI TRIGA Reactor
Third Level
7-80 P roprietar y In formatio n Withh old F rom Pub lic Disclos ure Un der 10 CF R 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.8.3 Stack Monitoring S ys t ems The stack monitoring s ystems consist of the stack flow monitor and the stack gas monitor. These systems provide data about the radioactive effluents discharged through the reactor stack. The stack flow monitor measurements are recorded by a strip chart recorder. Stack gas monitor measurements of Ar-41 emissions are recorded on a strip chart recorder and can be viewed at the end of each da y b y an operat or to veri f y that no unusual Ar-41 releases have occurred.
7.8.3.1 S t a c k F low Mon i t ori n g S ys t em The stack flow monitoring s ystem measures the average flow rate of air exhausted through the react or stack. The s ystem consists of a pair of pitot tubes and Magnehelic pressure gauges which mechanically measure the dynamic pressure in the stack and produce a proportional electrical signal. A strip chart recorder located in the reactor contr ol room records the stack flow. There are no level alarms associated with this s ystem, ex cep t when exhaust fan EF5 fails, in which case an audible and visual alarm is activated in the reactor contr ol room.
7.8.3.2 Stack Gas Mon i t ori n g S ys t em The stack gas monit or (SGM) s ystem is a NaI s cintillation detecti on s ystem whi ch samples exhaust air from the reactor stack. The air is passed through a filter to remove p articulates before being anal yzed. This s ystem will detect those effluents which have been released into the react or stack, and are set to alarm at the limit currently specified in the AFRRI Reactor Emer gency Plan.
The stack gas monitor s ystem is capable of acti vati ng alarms at two levels. Additi onall y, a flashing visual light on the reactor auxiliary instrumentation console in the reactor control room will be illuminated when the stack gas monitoring s ystem pump motor is turned off. The locations of the system read outs and alarms are listed in Table 7-12. The setpoints for the radiation alar ms can b e found in the appropriate AFRRI internal document s.
Table 7 Stack Monit oring System
S ys t em Readout Radiation Alarm
Stack Flow Strip chart recorder in (Not applicabl e) However, EF5 M oni t or i n g S ys t em r eact or cont r ol r oom failure gi ves audible and visual alarm in react or contr ol room Stack Gas Monitoring Meter in reactor control Acti vates audible and visual S ys t e m room alarm in react or contr ol room 7.8.4 P erimeter Mon i t ori n g An environmental monitoring program is conducted by AFRRI primarily to measure environmental doses received from radionuclides produced by the AFRRI-TRIGA reactor, particularly Ar -41. The environ mental monitorin g program shall consist of an NRC/EP A approved r epor ting meth od.
7-81 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390
7.9 REF ERENCES 7-1. Ar med For ces Radi obiol og y Resear ch Institute, Health Ph ysi cs Procedures (HPPS),
Safet y and Health Depart ment.
7-2. Armed Force s Radi obiol og y Resear ch Institute, React or Operational and Ad ministrative Procedures, Radiation Scien ces Department, React or Division.
7-82 Proprietar y Informati on Withhold From Publi c Discl osure Under 10 CFR 2.390