ML21302A106


Enclosure 3c - Revision 1 of the Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute Triga Reactor - Redacted
ML21302A106
Site: Armed Forces Radiobiology Research Institute
Issue date: 10/28/2021
From: US Dept of Defense, Armed Forces Radiobiology Research Institute, US Dept of Defense, Uniformed Services Univ of the Health Sciences
To: Office of Nuclear Reactor Regulation
Shared Package: ML21302A096
References: EPID L-2020-NFA-0012, GA/EMS-5084

Enclosure 3c - Redacted - Available to the Public Revision 1 of the Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

AFRRI
Uniformed Services University

Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor

Revision 1
29 September 2021

Table of Contents
AFRRI Digital Instrumentation and Control Summary of Changes
1 Data Acquisition Cabinet (DAC) - Component #1
1.1 NP-1000 Linear Power Channel - Component 1a
1.1.1 Design Function
1.1.2 Description of Old NP-1000
1.1.3 Comparison of Old NP-1000 vs. New NP-1000
1.1.4 Detailed Description of New NP-1000
1.1.5 Safety Analysis
1.1.6 Technical Specifications
1.1.7 Quality Assurance
1.2 NPP-1000 Linear Power Pulsing Channel - Component 1b
1.2.1 Design Function
1.2.2 Description of Old
1.2.3 Comparison of Old vs. New
1.2.4 Detailed Description of New
1.2.5 Safety Analysis
1.2.6 Technical Specifications
1.2.7 Quality Assurance
1.3 NLW-1000 Log Power Channel with PA-1000 Preamplifier - Component 1c
1.3.1 Design Function
1.3.2 Description of Old
1.3.3 Comparison of Old vs. New
1.3.4 Detailed Description of New
1.3.5 Safety Analysis
1.3.6 Technical Specifications
1.3.7 Quality Assurance
1.3.8 List of Deployments at other Facilities
1.4 NMP-1000 Multi-range Linear Channel - Component 1d
1.4.1 Design Function
1.4.2 Description of Old
1.4.3 Comparison of Old vs. New
1.4.4 Detailed Description of New
1.4.5 Safety Analysis
1.4.6 Technical Specifications
1.4.7 Quality Assurance
1.4.8 List of Deployments at other Facilities
1.5 NFT-1000 Fuel Temperature Channels - Component 1e
1.5.1 Design Function
1.5.2 Description of Old
1.5.3 Comparison of Old vs. New
1.5.4 Detailed Description of New
1.5.5 Safety Analysis
1.5.6 Technical Specifications
1.5.7 Quality Assurance
1.6 Scram Loop - Component 1f
1.6.1 Design Function
1.6.2 Description of Old
1.6.3 Comparison of Old vs. New
1.6.4 Detailed Description of New
1.6.5 Safety Analysis
1.6.6 Technical Specifications
1.6.7 Quality Assurance
1.6.8 List of Deployments at other Facilities
1.7 Rod Control and Rod Drives - Component 1g
1.7.1 Design Function
1.7.2 Description of Old Control Rod Drive Mechanisms (CRDM)
1.7.3 Comparison of Old CRDM vs. New CRDM
1.7.4 Detailed Description of New CRDM
1.7.5 Safety Analysis
1.7.6 Technical Specifications
1.7.7 Quality Assurance
1.7.8 List of Deployments at other Facilities
1.8 Process Instrumentation - Component 1h
1.8.1 Primary Water Temperature Measuring Channels
1.8.2 Pool Level Measuring Channel
1.8.3 Primary Coolant Conductivity
1.8.4 Safety Analysis
1.8.5 Technical Specifications
1.8.6 Quality Assurance
2 Facility Interlock System - Component 2
2.1 Design Function
2.2 Description of Old
2.3 Comparison of Old vs. New
2.4 Detailed Description of New
2.4.1 Interlocks
2.4.2 Reactor Tank Lead Shield Door
2.4.3 Core Support Carriage
2.4.4 Exposure Room Plug Doors
2.5 Safety Analysis
2.6 Technical Specifications
2.7 Quality Assurance
3 Control System Console - Digital - Component 3
3.1 Rod Control Panel - Component 3a
3.1.1 Design Function
3.1.2 Description of Old
3.1.3 Comparison of Old vs. New
3.1.4 Detailed Description of New
3.1.5 Safety Analysis
3.1.6 Technical Specifications
3.1.7 Quality Assurance
3.2 Reactor Mode Control Panel - Component 3b
3.2.1 Design Function
3.2.2 Description of Old
3.2.3 Comparison of Old vs. New
3.2.4 Detailed Description of New
3.2.5 Safety Analysis
3.2.6 Technical Specifications
3.2.7 Quality Assurance
3.3 CCS Computer - Component 3c
3.3.1 Design Function
3.3.2 Description of Old
3.3.3 Comparison of Old vs. New
3.3.4 Detailed Description of New
3.3.5 Safety Analysis
3.3.6 Technical Specifications
3.3.7 Quality Assurance
3.4 UIT Computer - Component 3d
3.4.1 Design Function
3.4.2 Description of Old
3.4.3 Comparison of Old vs. New
3.4.4 Detailed Description of New
3.4.5 Safety Analysis
3.4.6 Technical Specifications
3.4.7 Quality Assurance
3.5 Bargraphs - Component 3e
3.5.1 Design Function
3.5.2 Description of Old
3.5.3 Comparison of Old vs. New
3.5.4 Detailed Description of New
3.5.5 Safety Analysis
3.5.6 Technical Specifications
3.5.7 Quality Assurance
3.6 Recorders - Component 3f
3.6.1 Design Function
3.6.2 Description of Old
3.6.3 Comparison of Old vs. New
3.6.4 Detailed Description of New
3.6.5 Safety Analysis
3.6.6 Technical Specifications
3.6.7 Quality Assurance
4 References
Appendix A - Summary Table WAS/IS
Appendix B - Photos of Components
Appendix B.1 - Data Acquisition Cabinet
Appendix B.2 - Facility Interlock System
Appendix B.3 - Control System Console

List of Tables
Table 1 - Data Acquisition Cabinet - Comparison of Old vs. New
Table 2 - List of Trips Associated with the NP-1000
Table 3 - List of Trips Associated with the NPP-1000
Table 4 - List of Interlocks Associated with the NLW-1000
Table 5 - Representative Data for the Standard Control Rods
Table 6 - List of Trips Associated with the NMP-1000
Table 7 - List of Trips Associated with the NFT-1000
Table 8 - Comparison of Old vs. New Scram Loop Contacts
Table 9 - Cross Reference of Limit Switch Terminology
Table 10 - Console System Console - Comparison of Old vs. New
Table 11 - List of Recorder Inputs

List of Figures
Figure 1 - Diagram of Major Components for the AFRRI Instrumentation and Control System
Figure 2 - Picture of Old and New DAC
Figure 3 - Block Diagram of the New Data Acquisition Cabinet (DAC)
Figure 4 - Data Acquisition Cabinet AC Power Distribution
Figure 5 - Trip Circuit Diagram
Figure 6 - Picture of Old and New NP-1000
Figure 7 - Simplified Block Diagram of Old System vs. New System
Figure 8 - Detailed Block Diagram of new NP-1000
Figure 9 - Picture of Old and New NPP-1000
Figure 10 - Simplified Block Diagram of Old System vs. New System
Figure 11 - Detailed Block Diagram of new NPP-1000
Figure 12 - Picture of Old NM-1000 and New NLW-1000
Figure 13 - Simplified Block Diagram of Old System vs. New System
Figure 14 - Detailed Block Diagram of new NLW-1000
Figure 15 - Picture of Old NM-1000 and New NMP-1000
Figure 16 - Simplified Block Diagram of Old System vs. New System
Figure 17 - Detailed Block Diagram of new NMP-1000
Figure 18 - Location of the New NMP-1000 Compensated Ion Chamber
Figure 19 - Picture of Old Fuel Temperature Channels and New NFT-1000
Figure 20 - Simplified Block Diagram of Old System vs. New System
Figure 21 - Detailed Block Diagram of new NFT-1000
Figure 22 - Picture of the Scram Loop and Major Components
Figure 23 - Detailed Schematic of the Scram Loop
Figure 24 - Picture of Old and New Control Rod Drive Mechanism
Figure 25 - STATUS Pane
Figure 26 - Picture of Old and New Facility Interlock System Cabinet
Figure 27 - Facility Interlock System (FIS) Interlock Diagram
Figure 28 - Block Diagram of Facility Interlock System (SAR Figure 7-10)
Figure 29 - Core Support Carriage Regions
Figure 30 - Picture of Old and New Exposure Room Doors Status Panel
Figure 31 - Picture of Old and New Exposure Room Plug Door Control Boxes
Figure 32 - Picture of Old and New Control System Console
Figure 33 - Block Diagram of New Control System
Figure 34 - Control System Console (CSC) AC Power Distribution
Figure 35 - Picture of Old and New Rod Control Panel
Figure 36 - Rod Control Panel
Figure 37 - Picture of Old and New Reactor Mode Control Panel
Figure 38 - Reactor Mode Control Panel
Figure 39 - Left Side Status Display
Figure 40 - MODE Selection Pane
Figure 41 - Right Side Graphics Display - Reactor Display #1
Figure 42 - Picture of Old and New Bargraphs
Figure 43 - Picture of Old and New Chart Recorders
Figure 44 - Data Acquisition Cabinet
Figure 45 - Data Acquisition Cabinet - Power Supplies
Figure 46 - Data Acquisition Cabinet - Digital Input/Output
Figure 47 - Data Acquisition Cabinet - Analog Input/Output
Figure 48 - Data Acquisition Cabinet - Nuclear Instruments
Figure 49 - Data Acquisition Cabinet - Control Rod Drive
Figure 50 - Scram Loop
Figure 51 - Facility Interlock System - Cabinet Outside
Figure 52 - Facility Interlock System - Cabinet Inside
Figure 53 - Facility Interlock System - Exposure Room Control Box
Figure 54 - Facility Interlock System - Exposure Room Status Panel
Figure 55 - Control System Console - Front
Figure 56 - Control System Console - Rear
Figure 57 - Control System Console - Power Supplies
Figure 58 - Control System Console - UPS
Figure 59 - Control System Console - Digital Input
Figure 60 - Control System Console - Digital Output
Figure 61 - Control System Console - Rod Control Panel - Front
Figure 62 - Control System Console - Reactor Mode Control Panel - Front
Figure 63 - Control System Console - Reactor Mode Control Panel - Back
Figure 64 - Control System Console - Computers - Left Side Display
Figure 65 - Control System Console - Computers - Right Side Display
Figure 66 - Control System Console - Bargraphs and Recorders
Figure 67 - Control System Console - Bargraphs - Front
Figure 68 - Control System Console - Recorders - Front
Figure 69 - Control System Console - Bargraphs and Recorders Panel - Back

List of Abbreviations, Acronyms and Symbols

°C degree Celsius
3PDT three pole, double throw
4PDT four pole, double throw
A ampere
A/D analog to digital
AC alternating current
AFRRI Armed Forces Radiobiology Research Institute
ANS American Nuclear Society
ANSI American National Standards Institute
CCS Console Computer System
CCW counterclockwise
CIC compensated ion chamber
COTS Commercial off the shelf
cps counts per second
CRD Control rod drive
CSC Control System Console
CSV comma separated variable
CW clockwise
D/A digital to analog
DAC Data Acquisition Cabinet
DC direct current
ER Exposure room
ESF engineered safety feature
FIS facility interlock system
GA General Atomics
GA-ESI General Atomics - Electromagnetic Systems
GFD ground fault detector
HP History playback
HV high voltage
Hz hertz
I&C Instrumentation and Control
I/O input/output
IAW in accordance with
IFE instrumented fuel element
LAN local area network
LAR License amendment request
lb pound
LCD liquid crystal display
LCO limiting condition of operation
LED light emitting diode
LSSS limiting safety system setting
mA milliamperes
MCC motor control center
msec milliseconds
MW megawatt
NQA Nuclear Quality Assurance
NRC Nuclear Regulatory Commission
NSAB Naval Support Activity Bethesda
O&M Operator and Maintenance
OEM original equipment manufacturer
PID proportional, integral, derivative
RAM radiation area monitor
RCS Reactor Control System
RPI rod position indication
RPS Reactor Protection System
RTD resistance temperature detector
RWP Rod withdrawal permit
SAR safety analysis report
SOW statement of work
SR surveillance requirement
TB terminal board
TRIGA Training, Research, Isotopes, General Atomics
TS technical specification
UIT user interface terminal
UPS uninterruptible power supply
USB universal serial bus
V voltage
V/F voltage to frequency
Vac voltage, alternating current
Vdc voltage, direct current
W watts
WDT Watchdog timer


AFRRI Digital Instrumentation and Control Summary of Changes

A primary design intent of this upgrade was to replace the old system with a new system that is identical in form and function to the old system to the maximum extent possible. The primary motivation for this upgrade was parts obsolescence and equipment maintainability, which had become increasingly difficult with the old system. Refer to the Functional and System Requirements Specifications documents.

Figure 1, shown below, is a diagram of the major components of the Instrumentation and Control (I&C) System. The items highlighted in green are old components and remain installed and unchanged, and are used in the new system. The items highlighted in blue are new components that have functionally replaced old components. There are three major subcategories: (1) Data Acquisition Cabinet, (2) Facility Interlock System, and (3) Control System Console. Detailed in the following document is a summary of the new system and how it compares to the old system along with the safety analysis of each new subcomponent and any associated changes to the technical specification that are needed.

The Auxiliary Console along with the radiation monitoring system remains unchanged. All radiation monitor readouts are located in the Auxiliary Console in the control room and do not interface with the Control System Console.

Figure 1 - Diagram of Major Components for the AFRRI Instrumentation and Control System


1 Data Acquisition Cabinet (DAC) - Component #1

Figure 2 - Picture of Old and New DAC

The Data Acquisition Cabinet (DAC) was located on the reactor floor near the reactor pool and was completely replaced. The DAC served as the data gathering and control interface between the reactor and the control system console. It monitored the reactor power from the safety channels (NP/NPP-1000), the NM-1000 (mounted separately on the wall), along with the fuel temperature channels ( modules), water temperature channels, and control rod position.

The DAC acquired data in real-time from the various sensors associated with the reactor and facility. The DAC stored this data and transmitted it via the network to the Control System Console (CSC). In turn, the DAC received commands from the CSC, and reissued those commands to raise/lower the control rods or scram the reactor. It communicated with the CSC via an Ethernet data network. The DAC controlled the positions of the control rods, either in response to operator inputs entered at the CSC, or automatically using the power feedback loop during automatic operation.

The overall function of the new DAC remains unchanged. It still acquires data from instrumentation in the reactor and associated systems, processes it, and transmits it via Ethernet to the CSC. The new DAC is installed in the same location as the old DAC. It houses the as well as equipment to process analog and digital inputs. A comparison of the original DAC versus the new DAC is detailed in Table 1 below.


Figure 3 - Block Diagram of the New Data Acquisition Cabinet (DAC)

AC power is supplied to the DAC by the UPS located in the CSC. AC power is distributed to three identical rackmount power strips. Each strip has 8 outlets and features a 15A resettable circuit breaker and a lighted power switch. All DAC devices that require AC input power are plugged into these power strips. For a detailed block diagram of the AC power distribution see Figure 4 below.

The DAC dissipates heat generated by internal components by convection to reactor room air. The entire front and rear panels of the DAC are made of perforated metal, providing security (when closed and locked) and air flow to ambient air. Air in the reactor room is continuously circulated, and this air current is sufficient to cause flow through the DAC front and rear panels and provide cooling for all interior equipment. Note that the modern, low-power electronics in most of the instrumentation will generate less heat than previous, less efficient equipment.

The nuclear instrument modules have been tested by the manufacturer to ensure that they perform their intended safety functions up to a temperature of 50°C.

Although the components have not been specifically tested for electromagnetic or radio frequency interference (EMI/RFI), best design practices were used to separate digital from analog signals to minimize the potential for interference. In addition, instruments are constructed with metal enclosures to further minimize outside interference and incorporate AC input to filters to suppress conducted noise.


Figure 4 - Data Acquisition Cabinet AC Power Distribution

Trip Circuit Diagram

Figure 5 below shows a typical trip circuit and may be helpful in understanding the following discussion. Following the figure is a discussion of the major functional portions of the circuit. In particular, note that the comparator output is split, branching to the trip relay and, in a separate branch, leading to the LEDs and console software.

For normal operation, assume a calibrated channel with the trip/operate jumper set to ENABLE. If the monitored parameter value exceeds the trip comparator setpoint, it will de-activate the comparator output for as long as the condition occurs. This low signal propagates from left to right in the circuit, is split in two, and passes through the blocking diodes. The top branch of the circuit will then cause transistor to shut off. Since must all be conducting for current to flow through the relay and be energized, this will de-energize the trip relay ( in this example) and set the trip relay A and B contacts. Simultaneously, the bottom branch of the circuit will send the signal to the , which drives the local LED signal and tells the console which trip has occurred. The is not used in the console and is available for external use if desired.
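The split described above, with the relay branch independent of the indication branch, can be modelled as follows. This is an added example, not part of the submittal or of the manufacturer's design documentation; the one-transistor-per-comparator arrangement, the 800 V nominal high voltage and all names are assumptions, while the 1.1 MW and 20% setpoints are the ones stated for the NP-1000.

```python
from dataclasses import dataclass

# Setpoints stated on the page for the NP-1000 trips.
OVERPOWER_SETPOINT_MW = 1.1   # overpower scram setpoint
HV_LOSS_FRACTION = 0.20       # trip on 20% loss of high voltage
# Constructed value: the page does not state the nominal detector HV.
HV_NOMINAL_V = 800.0


@dataclass
class ChannelState:
    """Inputs to one trip channel (hypothetical model, names are assumptions)."""
    power_mw: float
    hv_volts: float
    supply_ok: bool = True      # DC power to the comparators and relay coil
    indication_ok: bool = True  # lower branch: LED / console signal path


def comparator_outputs(state):
    """Return {trip_name: output_active}; active means no trip condition.

    Without supply power no comparator can hold its output active, which is
    what makes the arrangement de-energize-to-trip.
    """
    hv_trip_level = HV_NOMINAL_V * (1.0 - HV_LOSS_FRACTION)
    return {
        "overpower": state.supply_ok and state.power_mw < OVERPOWER_SETPOINT_MW,
        "hv_low": state.supply_ok and state.hv_volts > hv_trip_level,
    }


def evaluate(state):
    """Evaluate both branches of the split comparator output."""
    outputs = comparator_outputs(state)

    # Upper branch: assumed one transistor per comparator, all in series with
    # the relay coil. Any single low output removes coil current.
    relay_energized = state.supply_ok and all(outputs.values())

    # Lower branch: reports which comparator went low. It sits behind its own
    # blocking diode, so a fault here cannot hold the relay energized.
    if state.indication_ok and state.supply_ok:
        indicated = sorted(name for name, active in outputs.items() if not active)
    else:
        indicated = []

    return {
        "relay_energized": relay_energized,
        "scram": not relay_energized,   # de-energized relay opens the scram loop
        "indicated_trips": indicated,
    }


# Constructed scenarios covering normal operation, each trip, and two faults.
SCENARIOS = {
    "normal": ChannelState(power_mw=0.5, hv_volts=800.0),
    "overpower": ChannelState(power_mw=1.2, hv_volts=800.0),
    "hv_loss": ChannelState(power_mw=0.5, hv_volts=620.0),
    "indication_fault": ChannelState(power_mw=1.2, hv_volts=800.0,
                                     indication_ok=False),
    "supply_lost": ChannelState(power_mw=0.5, hv_volts=800.0, supply_ok=False),
}


def run_scenarios():
    """Evaluate every constructed scenario and return the results by name."""
    return {name: evaluate(state) for name, state in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} scram={result['scram']!s:5s} "
              f"indicated={result['indicated_trips']}")
```

The indication_fault case is the one to look at: the console learns nothing about the trip, yet the relay still drops out, which is the independence property the safety analysis relies on.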


Figure 5 - Trip Circuit Diagram


Table 1 - Data Acquisition Cabinet - Comparison of Old vs. New

Power Supplies

Function: Supplies Vdc power for the components located in the DAC along with a power supply for the control rod magnets and transient rod air solenoid.

Safety Analysis: The new power supplies are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The power supplies receive 120 Vac primary side power from the DAC AC power distribution system which originates from the console UPS. The power supplies are of the switching type and provide input-to-output isolation with internal overvoltage and overcurrent protection. There are six power supplies. There is no necessity for redundancy in the design criteria of the power supplies. Since the system is designed to fail-safe, the failure of a power supply will not inhibit any safety function.

It is concluded that the new power supplies will continue to perform the design function required in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD: There were four power supplies:

PS1 +24 Vdc Magnet Power Supply supplied magnet power to the control rod drive electromagnets in the scram circuit. An served as the Magnet Power Supply Ground Fault Detector (GFD). It detected a fault to chassis ground on both the supply and return buss.

PS2 Potentiometer Power Supply supplied power to the potentiometers that monitor rod position.

PS3 +24 Vdc Solenoid Power Supply provided power to the solenoid controlling the air for the transient rod mechanism.

PS4 +12 Vdc Auxiliary Power Supply furnished power for control relays, opto-isolators, and the DIS064 scanner board.

NEW:

PS1 +5 Vdc Power Supply provides power to the secondary side of the digital isolator modules on the digital input drawer.

PS2 +15 Vdc Instrument Power Supply ( ) is used to generate input signals to the nuclear instrument remote connectors. It also provides the pulse gain signal for the NPP-1000.

PS3 +24 Vdc Utility Power Supply ( ) is a 50W power supply that is used to power digital switch contacts external to the DAC (FIS, Rod Drives, etc.). Input to output isolation is 3,000V.

PS4 +24 Vdc Solenoid Power Supply ( ) provides power to the transient rod air solenoid.

PS5 +24 Vdc Utility Power Supply ( ) is used to power digital switch contacts external to the console. Input to output isolation is 3,000V.

PS6 +24 Vdc Magnet Power Supply ( ) provides power to the standard control rod drive magnets. It is monitored by a ground fault detector (GFD) ( ), which is also mounted in the power supply drawer. The GFD monitors both the high and low legs of the scram loop. If any point in the scram loop shorts to earth ground, the GFD will detect it and generate a fault indication to the console. The GFD has a display, test mode and various indicators. When no fault is present, a green LED will be lit. When a fault is detected, yellow LEDs will be lit. The GFD is powered by PS5.

Digital Input/Output

Function: The purpose of the digital input/output drawer is to isolate all digital inputs and outputs and transmit those signals to the control system console.

Safety Analysis: The new digital input boards and isolators are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The new digital input boards and isolators have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the digital input boards and isolators will be as dependable as the old unit.

Nevertheless, the failure of either the digital input board or one or more of the digital isolators is of minimal consequence since a failure will not prevent the automatic protective actions from other independent channels (e.g. NP-1000 or NPP-1000) from being performed. In addition the interlock functions that are being performed by the digital inputs (e.g., FIS limit switches) will still be performed in the event of a failure of the digital I/O components since the interlocks are designed to be fail-safe.

It is concluded that DAC Digital I/O will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD: DC digital input/output. Relay boards and digital input scanner board ( ).

NEW: The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical printed circuit board assemblies (PWA) populated with digital isolators.

Components:

Analog Input/Output

Function: Analog input/output drawer is designed to accept analog inputs from various sensors and equipment and retransmit them for use at the control system console.

Safety Analysis: The new analog input boards and signal conditioners are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The new analog input boards and conditioners have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the analog input boards and conditioners will be as dependable as the old unit.

Nevertheless, the failure of either the analog input board or one or more of the analog signal conditioners is of minimal consequence since the components that perform a safety function, such as the pool water temperature, are designed to fail-safe, and any failure will result in a scram. In addition, a failure will not prevent the automatic protective actions from other independent channels (e.g. NP-1000 or NPP-1000) from being performed. The safety analysis for the individual process instrumentation channels is discussed in Section 1.8.

It is concluded that DAC Analog I/O will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD: Signal conditioners and limit modules used to monitor fuel temperatures, water temperature, and magnet voltage.

NEW: The analog input/output drawer houses signal conditioning modules that feature galvanic input to output isolation of 3,500 V. Of the 18 signal conditioning modules, 7 of them are designed to accept either current or voltage signal, 6 are designed to read potentiometer inputs, and 5 are designed to connect to 1000 RTD sensors. The outputs are configured for 0 to 10 Vdc, to be read by modules mounted in the analog drawer. The signal conditioning modules are powered by a +24 Vdc, 120W switching power supply. Every module has two calibration potentiometers for zero and span adjustments.

Components:

Nuclear Instruments

Function: To house the nuclear instrument modules.

Safety Analysis: The safety analysis for the individual nuclear instrument channels is discussed in detail in Section 1.1 through Section 1.5.

OLD: Nuclear instruments.

  • NP-1000
  • NPP-1000
  • NM-1000 (mounted separately on the wall)

The NFT instruments were not consolidated in a standalone package like the new NFT-1000, but consisted of COTS components, which were signal conditioners and alarm/trip modules connected to the thermocouples from the instrumented fuel elements (IFE).

NEW: Nuclear Instruments.

  • NP-1000
  • NPP-1000
  • NLW-1000
  • NMP-1000 with new Compensated Ion Chamber
  • NFT-1000

Control Rod Drive Mechanism (CRDM)

Function: To house the module and various other electronic components related to the CRDMs.

Safety Analysis: The safety analysis for the CRDMs is discussed in detail in Section 1.7.

OLD: convertor for the regulating motor and high speed data convertor board for acquiring the pulse data. Relay boards for controlling rod movement. Isolators for conditioning the rod control analog signals to digital. The driver modules were mounted separately on the wall of the reactor room.

NEW: The rod control drawer houses the module and three modules. All modules are directly powered by the DAC AC power.

Components

Scram Loop

Function: The design function of the scram loop is to de-energize both the magnets for the standard control rods and the solenoid for the transient rod air, causing the control rods to insert into the core, placing the reactor in a safe shutdown condition. This is in response to either automatic or manual actions for certain abnormal reactor operating conditions.

Safety Analysis: The safety analysis for the scram loop is discussed in detail in Section 1.6.

OLD: The scram loop was completely hardwired and did not depend on the computer or software to perform any required action.

NEW: Components:

Data Acquisition Computer

Function: The computers have been relocated to the CSC and are discussed in detail in Section 4.

OLD: DAC Computer. based computer.

NEW: All computers have been moved to the control system console.

1.1 NP-1000 Linear Power Channel - Component 1a

Figure 6 - Picture of Old and New NP-1000

Figure 7 - Simplified Block Diagram of Old System vs. New System

Figure 8 - Detailed Block Diagram of new NP-1000

1.1.1 Design Function

The NP-1000 is designated as Safety Channel No. 1. The design functions of the NP-1000 are:

  • Measure neutron flux in order to provide percent linear power indication (0-120%).
  • Provide analog outputs to the bargraphs and recorders for steady-state operation.
  • Provide digital outputs to the reactor control console for steady-state operation.

1.1.2 Description of Old NP-1000

Reference - GA Operation and Maintenance Manual NP-1000/NPP-1000 Percent Power Channel, E117-1010 Revision 2, 1991[1]

The original General Atomics NP-1000 was a percent power monitoring channel packaged in a flameproof steel enclosure that was connected to a fission chamber. The original NP-1000 was a linear current to voltage conditioning device which included a commercial-off-the-shelf (COTS) high voltage power supply for the fission chamber and two bistable trip circuits: one for loss of HV and the other for overpower protection. The original NP-1000 provided isolated current outputs for display by the original bargraphs and paper chart recorders.

The instrument was analog, with the analog/digital (A/D) conversion taking place outside of the unit in a COTS A/D converter. Analog outputs from the original NP-1000 fed A/D convertors. This digital signal was then made available to the console computers for display on the user interface.


1.1.3 Comparison of Old NP-1000 vs. New NP-1000

The new General Atomics NP-1000 is an updated version of the original, obsolete unit and utilizes the original fission chamber. The location of the fission chamber on the core periphery remains unchanged.

The new unit is an analog/digital hybrid whereas the old unit was entirely analog. The circuit and associated relays that provide the contact closures for the scram loop remain analog. The output signals to the bargraph and recorder have also remained analog.

The performance of the safety function (i.e., measurement of signal from detector and actuation of bistable trips) is retained in the analog portion of the instrument while the analog to digital conversion of the signal for use at the control console computers has been integrated into what is now the digital portion of the instrument. The advantage of this integration is to reduce the noise pickup in the analog signal prior to digital conversion. The addition of a digital display provides local power indication and control for various testing and configuration settings via a touchscreen panel.

1.1.4 Detailed Description of New NP-1000

Reference: NP-1000, Nuclear Power Module, User Manual, Document T3271000-1UM, Rev A, December 2018[2]

The NP-1000 module is packaged in a flameproof enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a fission chamber and contains seven major subassemblies: Motherboard, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, and HV Power Supply.


Table 2 - List of Trips Associated with the NP-1000

Trip Function     Old               New
HV voltage low    20% loss of HV    20% loss of HV
Overpower         ≥1.1 MW           ≥1.1 MW

1.1.5 Safety Analysis

The new NP-1000 is an updated version of the old unit that incorporates the digital to analog conversion into the module while retaining the separation of the analog portion for the performance of the safety related functions. The new NP-1000 maintains its independence from all other power monitoring channels and is hardwired into the Reactor Protection System (RPS) scram loop, therefore all scram functionality associated with the channel is maintained should malfunctions occur in the digital portion of the instrument or anywhere outside of the unit, including the console computers. Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the scrams associated with the NP-1000 so operation of the reactor beyond the limits defined in the technical specifications and safety analysis report is not possible. For redundancy and diversity in the information provided to the reactor operator by the NP-1000, a dedicated analog output is directly wired to an updated bargraph display along with an updated recorder, thus ensuring information is available to the reactor operator for the safe operation and monitoring of the reactor and can also be used as a cross-check for the console computer display.

The new NP-1000 has been designed and manufactured to meet or exceed the requirements of the previous unit. The new NP-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new NP-1000 will be as dependable as the old unit. Nevertheless, the failure of the NP-1000 is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy and diversity, the failure of NP-1000 to perform overpower protective action would not result in an increase in the consequence of any accident. Any foreseeable failure that impairs the ability of the NP-1000 to perform its safety function would initiate a fail-safe response and scram the reactor.

The main accident type that the NP-1000 is designed to mitigate is the insertion of excess reactivity resulting in overpower conditions. This insertion can be either as a step insertion or ramp insertion. The initiating event can be the failure of a high worth experiment, improper fuel element handling, and numerous other types of events that can inadvertently insert excess reactivity into the core. In the safety analysis it is assumed that one of the two safety channels (NP-1000 or NPP-1000) fails while the second channel would act as designed and terminate the insertion. Due to this independence and redundancy in the number of safety channels providing automatic overpower protective actions, the consequences of an excess reactivity insertion accident remain unchanged in the event of a failure of the new NP-1000.

Both the NP-1000 and NPP-1000 are being replaced as part of the upgrade. The units are designed to provide redundancy for the automatic overpower protective action. The reactor scram actions are performed in the analog portion of the units while the digital portion only provides non-safety related functions. Therefore, erroneous software code cannot be a source of common cause failure that would result in a loss of protective actions. In fact, there are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the safety channels, and diversity designed into the RPS provides a large measure of protection against common cause failures.

However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe.

A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

The NP-1000 provides, independently, both an analog signal and digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level. In addition, the reactor operator also receives power indication from the NPP-1000, NLW-1000, NMP-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen.

Therefore, in the case that erroneous information is being provided by the NP-1000, there are five other channels that the operator can use for power level verification.


The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1000 °C remains unchanged with the upgrade of the NP-1000. The basis for the limit for automatic protective action for the overpower scram is to prevent exceeding the fuel temperature limit. This limit of 1.1 MW for the scram setpoint limit remains unchanged. The automatic scram for loss of HV is to ensure that the channel has the required voltage to be operational. This scram action also remains unchanged.

It is concluded that the upgraded NP-1000 will continue to perform the design function required by this safety channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.1.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires two High-Flux Safety Channels for steady-state mode. The NP-1000 satisfies one of the two required for steady-state mode.

3.2.2 Reactor Safety Systems Specification The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires a scram for Percent Power High Flux (maximum setpoint of 1.1 MW) and High Voltage Loss to Safety Channel (maximum setpoint of 20% below nominal).

4.2.2 Reactor Safety Systems Specifications

a. A channel test of the percent power, high flux scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration, including verification of the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

Technical Specification 3.2.2, Table 2, Minimum Reactor Safety System Scrams, requires a scram upon 20% or greater loss of high voltage. This specification has never had a companion surveillance specification, so one should be added to Section 4.2.2 of the Technical Specifications.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the old unit are still applicable and appropriate for the updated unit.


1.1.7 Quality Assurance

TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4]

This document defines the software requirements for the NP/NPP-1000 Digital Interface Board (DIS) and

GA Acceptance Test Procedure (ATP), NP-1000, Nuclear Power Instrument, T3271000-1AT[6]

This procedure specifies the steps required to perform a functional test and calibration on the NP-1000, Nuclear Power Instrument, P/N T3271000-001.

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). It should be noted that GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A10087372-SAT Rev A 181 Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A10087373-SAT Rev A191 This document is the Site Acceptance Test (SAT) for the Replacement l&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement l&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement l&C System performed in the factory as intended. This w as demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance w ith the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.2 NPP-1000 Linear Power Pulsing Channel - Component 1b

Figure 9 - Picture of Old and New NPP-1000

Figure 10 - Simplified Block Diagram of Old System vs. New System

Figure 11 - Detailed Block Diagram of new NPP-1000

1.2.1 Design Function

The NPP-1000 is designated as Safety Channel No. 2. The NPP-1000 design function is to:

Measure neutron flux in order to provide percent linear power indication (0-120%).

Provide an automatic scram on overpower conditions.

Provide analog outputs to the bargraphs and recorders for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

In addition, the instrument is to measure the neutron flux for pulsing operations and to provide that information to the reactor control console for post pulse storage and analysis.

1.2.2 Description of Old

Reference:

GA Operation and Maintenance Manual NP-1000/NPP-1000 Percent Power Channel, E117-1010 Revision 2, 1991[1]

General Atomics NPP-1000 with a fission chamber for steady-state operations, uncompensated ion chamber or Cerenkov detector for pulsing operations. The original NPP-1000 pulse power monitoring channel was a linear current to voltage conditioning device which included a COTS high voltage power supply for the fission chamber and three bistable trip circuits: one for loss of HV, the second for overpower protection and the third for NVT. The original NP-1000 provided isolated current outputs for display by the original bargraphs and paper chart recorders.

The original NPP-1000 had the following pulse circuitry: NVT (total Energy) Integrator, Time-to-peak Circuit, and Peak Follow and Hold circuit. The pulse data capture was performed outside of the unit as it was incapable of continuous data capture during a pulse.

The original NPP-1000 is packaged in a flameproof steel enclosure. The instrument was analog with the analog/digital (A/D) conversion taking place outside of the unit in a commercial off the shelf (COTS) A/D converter.

1.2.3 Comparison of Old vs. New

The new General Atomics NPP-1000 is an updated version of the old, obsolete unit and uses the same suite of detectors and multiplexer (MUX) box that was used previously. The new unit is an analog/digital hybrid whereas the old unit was analog. The output of an analog signal to the control console for display on bargraphs and recorders is maintained.

The location of the detectors with respect to the reactor core remains unchanged.

The performance of the safety function (i.e., measurement of signal from detector and actuation of bistable trips) is retained in the analog portion of the instrument while the analog to digital conversion of the signal for use at the control console computers has been integrated into the instrument. The advantage of this is to reduce the noise pickup in the analog signal prior to digital conversion. The addition of a digital display provides local power indication and control for various testing and configuration settings via a touchscreen panel.

The pulse data capture has also been integrated into the instrument and is approximately 10 times faster than the previous system.

1.2.4 Detailed Description of New

Reference:

NPP-1000, Nuclear Power Module, User Manual, Document T3281000-1UM, Rev A, January 2018[10]

The new NPP-1000 module is packaged in a flameproof steel enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a fission chamber, uncompensated ion chamber or Cerenkov detector and contains seven major subassemblies:

Motherboard, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, and HV Power Supply.

Table 3 - List of Trips Associated with the NPP-1000

Trip Function | Old | New
HV voltage low | 20% loss of HV | 20% loss of HV
Overpower (steady-state) | ≥1.1 MW | ≥1.1 MW
NVT high (pulsing only) | S0MW*s | S0MW*s

1.2.5 Safety Analysis

The new NPP-1000 is an updated version of the old unit that incorporates the digital to analog conversion into the module while retaining the separation of the analog portion for the performance of the safety related functions. The new NPP-1000 maintains its independence from all other power monitoring channels and is hardwired into the Reactor Protection System (RPS) scram loop, therefore all scram functionality associated with the channel is maintained should malfunctions occur in the digital portion of the instrument or anywhere outside of the unit, including the console computers. Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the scrams associated with the NPP-1000 so operation of the reactor beyond the limits defined in the technical specifications and safety analysis report is not possible. For redundancy and diversity in the information provided to the reactor operator by the NPP-1000, a dedicated analog output is directly wired to an updated bargraph display along with an updated recorder, thus ensuring information is available to the reactor operator for the safe operation and monitoring of the reactor and can also be used as a cross-check for the console computer display.

The new NPP-1000 has been designed and manufactured to meet or exceed the requirements of the previous unit. The new NPP-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new NPP-1000 will be as dependable as the old unit. Nevertheless, the failure of the NPP-1000 is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy and diversity, the failure of NPP-1000 to perform overpower protective action would not result in an increase in the consequence of any accident. Any foreseeable failure that impairs the ability of the NPP-1000 to perform its safety function would initiate a fail-safe response and scram the reactor.

The main accident type that the NPP-1000 is designed to mitigate is the insertion of excess reactivity resulting in overpower conditions. This insertion can be either as a step insertion or ramp insertion. The initiating event can be the failure of a high worth experiment, improper fuel element handling, and numerous other types of events that can inadvertently insert excess reactivity into the core. In the safety analysis it is assumed that one of the two safety channels (NP-1000 or NPP-1000) fails while the second channel would act as designed and terminate the insertion. Due to this independence and redundancy in the number of safety channels providing automatic overpower protective actions, the consequences of an excess reactivity insertion accident remain unchanged in the event of a failure of the new NPP-1000.

Both the NP-1000 and NPP-1000 are being replaced as part of the upgrade. The units are designed to provide redundancy for the automatic overpower protective action. The reactor scram actions are performed in the analog portion of the units while the digital portion only provides non-safety related functions. Therefore, erroneous software code cannot be a source of common cause failure that would result in a loss of protective actions. In fact, there are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the safety channels and the diversity designed into the RPS provide a large measure of protection against common cause failures.

However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe.

A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

The NPP-1000 provides, independently, both an analog signal and digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level. In addition, the reactor operator also receives power indication from the NP-1000, NLW-1000, NMP-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen.

Therefore, in the case that erroneous information is being provided by the NPP-1000, there are five other channels that the operator can use for power level verification.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1000 °C remains unchanged with the upgrade of the NPP-1000. The basis for the limit for automatic protective action for the overpower scram is to prevent exceeding the fuel temperature limit. This limit of 1.1 MW for the scram setpoint limit remains unchanged. The automatic scram for loss of HV is to ensure that the channel has the required voltage to be operational. This scram action also remains unchanged.

It is concluded that the upgraded NPP-1000 will continue to perform the design function required by this safety channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.2.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires two High-Flux Safety Channels for steady-state mode and one for pulsing mode. The NPP-1000 satisfies one of the two required for steady-state mode and the one required for pulsing mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires a scram for Percent Power High Flux (maximum set point of 1.1 MW) and High Voltage Loss to Safety Channel (maximum set point of 20%)

4.2.2 Reactor Safety Systems Specifications

a. A channel test of the percent power, high flux scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration, including verification of the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

Technical Specification 3.2.2, Table 2, Minimum Reactor Safety System Scrams, requires a scram upon 20% or greater loss of high voltage. This specification has never had a companion surveillance specification, so one should be added to Section 4.2.2 of the Technical Specifications.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the old unit are still applicable and appropriate for the updated unit.

1.2.7 Quality Assurance

TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS[4]

GA Acceptance Test Procedure (ATP), NPP-1000, Nuclear Power Instrument, T3281000-1AT[11]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.3 NLW-1000 Log Power Channel with PA-1000 Preamplifier - Component 1c

Figure 12 - Picture of Old NM-1000 and New NLW-1000

Figure 13 - Simplified Block Diagram of Old System vs. New System

Figure 14 - Detailed Block Diagram of new NLW-1000

1.3.1 Design Function

The NLW-1000 is designated as the Log Power Channel and replaces a portion of the NM-1000 as described in Section 1.3.3 and Section 1.4. The design functions of the NLW-1000 are:

Measure neutron flux in order to provide wide range logarithmic power indication.

Provide period indication.

Provide bistable trip/signal for interlocks.

Provide analog outputs to the bargraphs and recorders for steady-state operation.

Provide digital outputs to the reactor control console for steady-state operation.

1.3.2 Description of Old

Reference:

GA Operation and Maintenance Manual NM-1000 Neutron Monitoring System, E117-1000, 1989[12]

NM-1000 was designated as the operational channel and consisted of both the multi-range linear channel and the wide range log channel utilizing the signal from one fission chamber. This model, dating back to the late eighties, was obsolete. The NM-1000 was a digital instrument that used software and a microprocessor to calculate values for power and period. The trips then relied on these calculated values.

The original NM-1000 was designed to operate from the source range, through the intermediate range to the power range utilizing a single fission chamber.

The complete channel provided wide range logarithmic and linear outputs covering the entire neutron flux range from source to full power, with a source range output covering the lower six decades and a linear percent power output covering the upper two decades of reactor power.

The original NM-1000 consisted of a fission chamber, amplifier/signal conditioning assembly and a processor/output assembly, each mounted in separate large wall mounted enclosures.

The processor assembly consisted of communication electronics (between amplifier and processor), a microprocessor, a control/display module, low voltage power supply and isolated outputs. The processor assembly, using software, calculated reactor power and reactor period. The calculations were then used by the control system console.

1.3.3 Comparison of Old vs. New

The new General Atomics NLW-1000 is one of two instruments that is replacing the old NM-1000. Specifically, the NLW-1000 replaces the wide range logarithmic function of the NM-1000 and provides the reactor period while the NMP-1000 replaces the multi-range linear portion of the NM-1000 and is discussed separately in Section 1.4.

The NLW-1000 uses a fission chamber. The NLW-1000 relies on analog signal processing (no software) for detector signal processing, both the power signal and the period signal, along with the bistable trip activation. The NLW-1000 provides analog outputs to the bargraphs and chart recorder for use at the reactor control console.

1.3.4 Detailed Description of New

Reference:

NLW-1000, Wide Range Log Power Module, User Manual, Document T3322000-1UM, Rev B, June 2015[13]

The NLW-1000 monitoring channel is a wide range logarithmic channel that operates with a fission chamber and a PA-1000 preamplifier that decouples and amplifies pulses that originate at the fission chamber.

The logarithmic reactor power signal is monitored by a period circuit which generates an output proportional to the rate of change in reactor power at any given instant.

The device includes adjustable bistable trip circuits for local and remote alarms and isolated current outputs for display by other devices.

The NLW operates . Both modes generate an analog voltage. The summing amplifier adds both voltages and generates the log power signal. An offset adjustment is provided, but is usually set to 0 V. The log power signal is sent to the digital interface board for display.

For self-test and calibration purposes, a circuit is provided whose output is a linear ramp. The ramp is adjusted to 0.145 V/s, corresponding to a period of 3 seconds. When applied to the differentiator circuit, the period gain circuit can be adjusted. While in test modes (except period test) or pulsed power operation, the period trip lock circuit prevents generation of the period signal.

The NLW-1000 module is packaged in a flameproof steel enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a fission chamber and contains ten major subassemblies: Motherboard, Log Count Rate Board, Log Current Board, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, HV Power Supply, and PA-1000 Preamplifier.

Table 4 - List of Interlocks Associated with the NLW-1000

Trip Function Trip Action

Control Rod Withdrawal Inhibit HV Low Interlock 20% loss of HV (software enforced)

Control Rod Withdrawal Inhibit Period Interlock < 3 seconds (software generated)

Pulse Mode Interlock Pulse Interlock > 1 kW Pulse Interlock (hardware/software enforced)

1.3.4.10 PA-1000 Preamplifier Board

Refer to schematic T3371101[13] for circuit details.

The PA-1000 is a high gain amplifier that is designed to connect to a fission chamber. It processes the signals from the fission chamber and sends the resulting pulses to the NLW for counting. The PA-1000 is configured to work with a one port fission chamber and as such, it extracts the signal directly from the high voltage supply.

The amplifier section is followed by a discriminator that incorporates a high speed comparator. It is used to compare the height of the amplified neutron pulses with the discriminator level supplied by a circuit on the NLW-1000 motherboard. Any pulses that exceed this discriminator level are processed and sent to the NLW-1000 for counting via a driver circuit.

In self-test mode, the PA-1000 receives a count rate high or count rate low signal (pulse train) from the NLW-1000 motherboard. Frequencies are usually set to . The PA-1000 uses these signals to generate an input to the amplifier stages just as a detector signal would, to be counted by the NLW-1000. A separate control signal disables the input from the detector while the self-tests are active.

1.3.5 Safety Analysis

The NLW-1000 is one of two new channels that have replaced the NM-1000. The NLW-1000 has been designed and manufactured to meet or exceed the requirements of the previous NM-1000. The NLW-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the NLW-1000 will be as dependable as the NM-1000.

The NLW-1000 provides the Greater than 1 kW Pulse Interlock. This interlock prevents operation in Pulse Mode when reactor power is greater than 1 kW. In the event of a failure of this interlock, pulsing operations are also administratively controlled with standard operating procedures (SOP) and checklists.

Therefore, a failure of pulse mode interlock is of minimal consequence.

The NLW-1000 provides the reactor period signal to the CSC which in turn enforces (via software) the Less than 3-second period interlock protection.

Uncontrolled withdrawal of a control rod may be caused by operator error or equipment malfunction.

The automatic mode allows for the simultaneous withdrawal of all three standard control rods. Normally, a less than 3 second period interlock limits the reactivity insertion rate; however, in the event that the NLW-1000 fails in such a way that the 3-second period interlock is rendered non-functional (e.g., the NLW-1000 provides an erroneous period signal to CSC), a ramp reactivity insertion accident may occur.

Scenarios initiating at a power level of 100 watts and 1 MW are analyzed.

It is assumed that the new standard control rod drive mechanisms are withdrawing all 3 standard control rods at the maximum speed of 0.5 inches/second. The high power scram setpoint is assumed to be at the technical specification maximum of 1.1 MW, and the maximum delay time between reaching the scram setpoint and the start of the insertion of all control rods is assumed to be 0.5 seconds. This delay allows for the closure of relay contacts and the bleeding off of the magnetic field from the control rod drive magnets.

For a single delayed neutron group model with the prompt jump approximation, a linear (ramp) reactivity increase results in the following equation for power as a function of time:

() 1+

=

0 where: () = power at time (0) = initial power level

= total delayed neutron fraction = 0.007

= one group decay constant = 0.405 1

= time (sec)

= linear insertion rate of reactivity ( 1 )

Representative data for the standard control rods are given in Table 5.

Table 5 - Representative Data for the Standard Control Rods

Standard Control Rod | Differential Rod Worth in Critical Region ($/inch) | Insertion Rate ($/sec)
Regulating | |
Safety | |
Shim | |
TOTAL | |

It is also assumed that the less than 3-second period interlock is non-functional.

The first scenario starts at an initial low power of 100 watts. It is calculated that reactor power will reach the scram setpoint of 1.1 MW in 2.52 seconds with a maximum reactivity insertion of $1.19, well below the maximum pulse reactivity limit of $3.50.

The second scenario starts at an initial high power of 1.0 MW. It is calculated that reactor power will reach the scram setpoint of 1.1 MW in 0.22 seconds with a maximum reactivity insertion of $0.284, also well below the maximum pulse reactivity limit of $3.50.

Therefore, from the analysis above, it is concluded that the failure of the NLW-1000, which renders the 3-second period interlock nonfunctional, is of minimal consequence.

The NLW-1000 provides, independently, both an analog signal and a digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level and reactor period. In addition, the reactor operator also receives power indication from the NP-1000, NPP-1000, NMP-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel, along with the console display screen. Therefore, in the case that erroneous information is being provided by the NLW-1000, there are five other channels that the operator can use for power level verification.

It is concluded that the NLW-1000 will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.3.6 Technical Specifications

With the exception of a minor change to the wording for TS 4.2.2 (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires one Log Power Channel for steady-state mode. The NLW-1000 satisfies this requirement.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, does not require any scrams for the NLW-1000.

Table 3 Minimum Reactor Safety System Interlocks, requires an interlock for:

(1) Withdrawal of any control rod if reactor period is less than 3 seconds
(2) Any rod withdrawal if high voltage is lost to the operational channel
(3) Pulse initiation at power levels greater than 1 kW.

4.2.2 Reactor Safety Systems Specifications

b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration, including verification of the high voltage loss to safety channel scrams, shall be made of the NP, NPP, ~~NM1000~~, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the NM-1000 are applicable and appropriate for the NLW-1000.

1.3.7 Quality Assurance

NLW-1000 Software Requirements Specification T9S900D970-SRS[3]

Acceptance Test Procedure (ATP), Wide-Range Log Module NLW-1000, T3322000-1AT[14]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.3.8 List of Deployments at other Facilities

The NRAD reactor at the DOE Idaho National Laboratory has an NLW-1000 in use. This system was reviewed and approved by the DOE regulatory body.

1.4 NMP-1000 Multi-range Linear Channel - Component 1d

Figure 15 - Picture of Old NM-1000 and New NMP-1000

Figure 16 - Simplified Block Diagram of Old System vs. New System

Figure 17 - Detailed Block Diagram of new NMP-1000

1.4.1 Design Function

The NMP-1000 is designated as the Linear Power Channel. The design functions of the NMP-1000 are:

  • Measure neutron flux in order to provide multi-range percent linear power indication (0-120%).
  • Provide bistable trips for scrams/interlocks.
  • Provide an analog output to the recorder for steady-state operation.
  • Provide digital outputs to the reactor control console for steady-state operation.

1.4.2 Description of Old

Reference:

GA Operation and Maintenance Manual NM-1000 Neutron Monitoring System, E117-1000, 1989[12]

The NM-1000 was designated as the operational channel and consisted of both the multi-range linear channel and the wide range log channel, utilizing the signal from one fission chamber. This model, dating back to the late eighties, was obsolete. The NM-1000 was a digital instrument that used software and a microprocessor to calculate values for power and period. The trips then relied on these calculated values.

The original NM-1000 was designed to operate from the source range, through the intermediate range to the power range utilizing a single fission chamber.

The complete channel provided wide range logarithmic and linear outputs covering the entire neutron flux range from source to full power, with a source range output covering the lower six decades and a linear percent power output covering the upper two decades of reactor power.

The original NM-1000 consisted of a fission chamber, amplifier/signal conditioning assembly and a processor/output assembly each mounted in separate large wall mounted enclosures.

The processor assembly consisted of communication electronics (between amplifier and processor), a microprocessor, a control/display module, low voltage power supply and isolated outputs. The processor assembly, using software, calculated reactor power and reactor period. The calculations were then used by the control system console.

1.4.3 Comparison of Old vs. New

The new General Atomics NMP-1000 is one of two instruments that replace the old NM-1000. Specifically, the NMP-1000 replaces the multi-range linear portion of the NM-1000, while the NLW-1000 replaces the wide range logarithmic portion of the NM-1000 and is discussed separately in Section 1.3.

The NMP-1000 uses a new compensated ion chamber. The new NMP-1000 relies on software to conduct auto-ranging and subsequent bistable trips. The NMP-1000 was developed under NQA-1 quality control.

The NMP-1000 provides an analog output to the chart recorder for use at the reactor control console.

1.4.4 Detailed Description of New

Reference:

NMP-1000, Multi-range Linear Module, User Manual, Document T3401000-1UM, Rev C, January 2018[15]

The NMP-1000 is a microprocessor based multi-range linear power module which provides percent reactor power indication and bistable trip circuits. The NMP-1000 module processes current of 1 x 10^-11 to 1 x 10^-3 Amperes from a compensated ion chamber. A compensating voltage power supply is provided for use with the compensated ion chamber. The NMP-1000 is an auto-ranging device and will scale itself based on the current power level. The input current is converted into 0 to 10 V in 9 one-decade ranges giving power indication from startup through 120% power on a linear scale (displaying in progressively wider ranges, one decade at a time).

When the NMP-1000 is in auto-ranging mode the overpower scram only occurs on the highest range (i.e. 100% full power). Note that the NMP-1000 scram is not required and is currently bypassed. Whereas, when the range is selected by the operator, a scram occurs at 110% of that specific range. The appropriate decade is selected either automatically by software (auto-ranging mode) or by the user (manual ranging mode) via the touch screen display or by selecting the desired checkbox on the MODE SELECTION Pane on the Left-side Display of the UIT.

The NMP-1000 module is packaged in a flameproof steel enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module processes the current produced by a compensated ion chamber and contains nine major subassemblies: Motherboard, Analog Amplifier, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, Front Panel Board, HV Power Supply, and Compensation Power Supply.

Table 6 - List of Trips Associated with the NMP-1000

Trip Function Trip Action

NMP HV Low WARNING HV Low WARNING 20% loss of HV (software enforced)

Control Rod Withdrawal Inhibit Low Source Count Rate < 1 x 10^-5 watts (software enforced)

1.4.5 Safety Analysis

The NMP-1000 is one of two new channels that have replaced the NM-1000. The NMP-1000 has been designed and manufactured to meet or exceed the requirements of the previous NM-1000. The NMP-1000 has undergone rigorous testing and NQA-1 quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the NMP-1000 will be as dependable as the NM-1000.

Figure 18 - Location of the New NMP-1000 Compensated Ion Chamber

The NMP-1000 uses a new compensated ion chamber (CIC) to measure the neutron flux. The new CIC is located excore and adjacent to the NP-1000. The location was chosen so that there is no interference with other reactor systems and components, such as the control rods. Also of importance is that the new CIC would not shadow any of the other nuclear instruments. Being located adjacent to the NP-1000 allows for the verification and validation of the new CIC with a proven power channel.

The NMP-1000 provides the control rod withdrawal interlock for power levels less than 1 x 10^-5 watts. This interlock, which requires a minimum power indication to be measured by the NMP-1000, ensures that there are sufficient source neutrons to bring the reactor critical under controlled conditions. A failure of the NMP-1000 that renders this interlock non-functional could lead to an uncontrolled withdrawal of the standard control rods, resulting in a ramp reactivity insertion accident. This would be bounded by the analysis presented in Section 1.3.5.

Therefore, from the analysis above, it is concluded that the failure of the NMP-1000 which renders the Low Source interlock non-functional is of minimal consequence.

The NMP-1000 provides, independently, both an analog signal and digital signal to the control console for display by both the recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated power level and reactor period. In addition, the reactor operator also receives power indication from the NP-1000, NPP-1000, NLW-1000, NFT-1000 channel 1 and NFT-1000 channel 2. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen.

Therefore, in the case that erroneous information is being provided by the NMP-1000, there are five other channels that the operator can use for power level verification.

It is concluded that the NMP-1000 will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.4.6 Technical Specifications

With the exception of a minor change to the wording for TS 4.2.2 (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires one Linear Power Channel for steady-state mode.

The NMP-1000 satisfies this requirement for steady-state mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, does not require any scrams for the NMP-1000.

4.2.2 Reactor Safety Systems Specifications

b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration, including verification of the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

The surveillance specifications and periodicities listed in TS Section 4.2.2 that pertain to the NM-1000 are still applicable and appropriate for the NMP-1000.

1.4.7 Quality Assurance

The NMP-1000 was developed and tested in accordance with ANS/ASME NQA-1-2000, Quality Assurance Requirements for Nuclear Facility Applications[16]. Performance of these additional quality assurance activities should support use of the NMP-1000 as digital safety equipment.

NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A[17]

GA Acceptance Test Procedure (ATP), NMP-1000, Nuclear Power Instrument, T3401000-1AT[18]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.4.8 List of Deployments at other Facilities

The NRAD reactor at the DOE Idaho National Laboratory has three NMP-1000 units in operation, with a 2-of-3 scram logic implemented. This system was reviewed and approved by the DOE regulatory body.

1.5 NFT-1000 Fuel Temperature Channels - Component 1e

Figure 19 - Picture of Old Fuel Temperature Channels and New NFT-1000

Figure 20 - Simplified Block Diagram of Old System vs. New System

Figure 21 - Detailed Block Diagram of new NFT-1000

1.5.1 Design Function

The NFT-1000 is designated as the Fuel Temperature Measuring Channels. The design functions of the NFT-1000 are:

  • Measure fuel temperature in order to provide fuel temperature indication.
  • Provide analog outputs to the bargraphs and recorders for steady-state operation.
  • Provide digital outputs to the reactor control console for steady-state operation.

1.5.2 Description of Old

Reference - GA Operation and Maintenance Manual, E117-1006, 1989[19]

The thermocouple inputs from the instrumented fuel elements (IFE) were conditioned by modules. The signal conditioning modules provided a 4-20 mA output that was proportional to the fuel element temperature. The outputs were then monitored by an high limit trip module. If a temperature exceeded the preset limit setpoint, the contacts on would open in the scram loop, while a second set of contacts would close in the digital scanner circuit. A fuel temperature scram was provided in both the supply and return legs of the scram loop.

1.5.3 Comparison of Old vs. New

The new system is one NFT-1000 instrument housing with three independent channels and the ability to read all three IFE thermocouples simultaneously. The old system utilized two modules to read only two of the three IFEs. The third IFE was not used.

New NFT-1000 allows for the readout of all three IFE thermocouples with one unit. The only common parts that are shared between the three channels are the power supply, the front panel display, and the housing. If the power supply fails, all trips go to fail-safe condition generating a reactor scram.

1.5.4 Detailed Description of New

Reference:

NFT-1000, Nuclear Fuel Temperature Module, User Manual, Document T3291000-1UM, Rev A, January 2018[20]

The NFT-1000 is a nuclear fuel temperature module that provides fuel temperature indication, bistable trip circuits and outputs to other devices. The module is packaged in a flameproof steel enclosure and mounted in the Data Acquisition Cabinet located in the Reactor Room. The module has three independent channels to process inputs from Type K thermocouples. Temperature transducers convert the millivolt inputs from the thermocouples to usable voltage levels that drive bistable trips for local and remote alarms and isolated current or voltage outputs for display by other devices. The NFT-1000 is calibrated to measure temperature from 0 to 1000°C.

The NFT-1000 nuclear fuel temperature monitoring module has a capability to measure and capture pulse data, which is temperature values recorded and stored frequently, for a short period during and after a reactor pulse.

Each of the three channels (1, 2, and 3) has two bistable trips used to alarm on high temperature. Relays are provided with two sets of contacts for customer use, each set with one normally open and one normally closed pair of contacts. The relays are held energized in a fail-safe condition until an alarm de-energizes the coil.

The NFT-1000 has test modes to allow the user to test the proper performance of the module and to ensure the functionality of all trip circuits. Test modes include High Temp, Low Temp, Manual 1, Manual 2, and Manual 3. All test modes will cause the bistable trip relays to de-energize and alarm. The manual modes allow the user to adjust a front panel potentiometer to cause a bi-stable trip to alarm. Test modes can be enabled via the touch screen or a remote interface.

The module contains six major subassemblies: Motherboard, Trip/Alarm Board, Isolation Amplifier Board, Digital Interface Board, Display Module, and Front Panel Board.

is routed through normally closed relays to a temperature transducer mounted inside the

Table 7 - List of Trips Associated with the NFT-1000

Trip Function               Old        New
High Fuel Temp Channel 1    ≤600 °C    ≤600 °C
High Fuel Temp Channel 2    ≤600 °C    ≤600 °C
High Fuel Temp Channel 3    NA         ≤600 °C

1.5.5 Safety Analysis

The NFT-1000 incorporates the digital to analog conversion into the module while retaining the separation of the analog portion for the performance of the safety related functions. The NFT-1000 maintains its independence from all other power monitoring channels and is hardwired into the Reactor Protection System (RPS) scram loop, therefore all scram functionality associated with the channel is maintained should malfunctions occur in the digital portion of the instrument or in the console computers.

Furthermore, the Reactor I&C System and RPS are designed such that there are no means available to the reactor operator to bypass the scrams associated with the NFT-1000 so operation of the reactor beyond the limits defined in the technical specifications and safety analysis report is not possible. For redundancy and diversity in the information provided to the reactor operator by the NFT-1000, a dedicated analog output is directly wired to an updated bargraph display along with an updated recorder, thus ensuring information is available to the reactor operator for the safe operation and monitoring of the reactor and can also be used as a cross-check for the console computer display.

The NFT-1000 has been designed and manufactured to meet or exceed the requirements of the previous system and components. The NFT-1000 has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the NFT-1000 will be as dependable as the old system. Nevertheless, the failure of the NFT-1000 is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy and diversity, the failure of the NFT-1000 to perform high fuel temperature protective action would not result in an increase in the consequence of any accident. Any foreseeable failure that impairs the ability of the NFT-1000 to perform its safety function would initiate a fail-safe response and scram the reactor.

The main accident type that the NFT-1000 is designed to mitigate is the insertion of excess reactivity resulting in overpower conditions. This insertion can be either a step insertion or a ramp insertion. The initiating event can be the failure of a high worth experiment, improper fuel element handling, and numerous other types of events that can inadvertently insert excess reactivity into the core. In the safety analysis it is assumed that one of the two safety channels (NP-1000 or NPP-1000) fails while the second channel would act as designed and terminate the insertion. Due to this independence and redundancy in the number of safety channels providing automatic overpower protective actions, the consequences of an excess reactivity insertion accident remain unchanged in the event of a failure of the new NFT-1000.

The NFT-1000 integrated the fuel temperature measuring channels into one common housing. Other than a common power supply, the circuits for each channel are independent. The units are designed to provide redundancy for the automatic high fuel temperature protective action. The reactor scram actions are performed in the analog portion of the units while the digital portion only provides non-safety related functions. Therefore, erroneous software code cannot be a source of common cause failure that would result in a loss of protective actions. In fact, there are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the channels, and diversity designed into the RPS provides a large measure of protection against common cause failures. However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

The NFT-1000 provides, independently, both an analog signal and digital signal to the control console for display by both bargraphs and recorder and by the console computer display interface. The reactor operator can use these two independent signals as a means to cross-check the validity of the indicated fuel temperature and thus the corresponding power level. In addition, the reactor operator also receives power indication from the NP-1000, NPP-1000, NLW-1000, and the NMP-1000. The information from these other channels is also displayed on the bargraphs and recorder panel along with the console display screen. Therefore, in the case that erroneous information is being provided by the NFT-1000, there are four other channels that the operator can use for power level verification.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1000 °C remains unchanged with the upgrade to the NFT-1000. The basis for the limit for automatic protective action for the overpower scram is to prevent exceeding the fuel temperature limit. This limit of 600 °C for the scram setpoint limit remains unchanged.

It is concluded that the upgrade to the NFT-1000 will continue to perform the design function required by this safety channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.5.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.1 Reactor Control System Specification

a. The reactor shall not be operated unless the measuring channels listed in Table 1 are operable for the specific mode of operation.

Table 1 Minimum Measuring Channels, requires two Fuel Temperature Safety Channels for both steady-state and pulse mode.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires two scrams for fuel temperature (maximum set point of 600°C).

4.2.2 Reactor Safety Systems Specifications

b. A channel test of each of the reactor safety system channels for the intended mode of operation shall be performed weekly, whenever operations are planned.

4.2.3 Fuel Temperature Specifications

a. A channel check of the fuel temperature scrams shall be made each day that the reactor is to be operated.
b. A channel calibration of the fuel temperature measuring channels shall be made annually, not to exceed 15 months.
c. A weekly channel test shall be performed on fuel temperature measuring channels, whenever operations are planned.

d. If a reactor scram caused by high fuel element temperature occurs, an evaluation shall be conducted to determine whether the fuel element temperature exceeded the safety limit.

The surveillance specifications and periodicities listed in TS Section 4.2.2 and TS Section 4.2.3 that pertain to the old NFT system and components are still applicable and appropriate for the NFT-1000.

1.5.7 Quality Assurance

NFT-1000 Software Requirements Specification T3297960-SRS Rev A[21]

GA Acceptance Test Procedure (ATP), NFT-1000, Nuclear Power Instrument, T3291000-1AT[22]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.6 Scram Loop - Component 1f

Figure 22 - Picture of the Scram Loop and Major Components

Figure 23 - Detailed Schematic of the Scram Loop

1.6.1 Design Function

The design function of the scram loop is to de-energize both the magnets for the standard control rods and the solenoid for the transient rod air, causing the control rods to insert into the core placing the reactor in a safe shutdown condition. This is in response to either automatic or manual actions for certain abnormal reactor operating conditions.

1.6.2 Description of Old

Reference - GA Operation and Maintenance Manual, E117-1006, 1989[19]

The old scram logic circuitry involves a set of open-on-failure logic relay switches in series. Any scram signal or component failure in the scram logic results in a loss of control rod magnet power and a loss of air to the transient rod cylinder, resulting in a reactor scram. The loop consisted of contacts that were operated by both analog circuits (e.g., NP-1000) and digital circuits (e.g., watchdog alarms).

1.6.3 Comparison of Old vs. New

The old and new scram loops operate in a similar manner. Both were a set of relay contacts arranged in a loop. When any relay is de-energized, the contact for the relay would open, breaking the loop, causing both the magnets for the control rods and the solenoid for the transient rod air to de-energize, thereby scramming the reactor. Table 8 below compares the contacts of the old scram loop to the new scram loop.

Additional contacts are added, some for redundancy, others as spares.

Table 8 - Comparison of Old vs. New Scram Loop Contacts

Scram Contacts

Old                                     New
Steady-state timer (hardware)           Steady-state timer (software)
Pulse timer (hardware and software)     Pulse timer (software)
Manual scram button (hardware)          Manual scram button (hardware)
Console Key to OFF (hardware)           Console Key to OFF (hardware)
Reactor Permissive ROX (FIS)            Reactor Permissive ROX (FIS)
Loss of AC Power                        AC Power Loss to the UPS
NP-1000, %PWR (hardware)                NP-1000, %PWR (hardware)
NPP-1000, %PWR, NVT (hardware)          NPP-1000, %PWR, NVT (hardware)
NP-1000, HV (hardware)                  NP-1000, HV (hardware)
NPP-1000, HV (hardware)                 NPP-1000, HV (hardware)
                                        NMP HV, %PWR (bypassed)
NFT-1000 #1 (hardware)                  NFT-1000 #1 (hardware)
NFT-1000 #2 (hardware)                  NFT-1000 #2 (hardware)
                                        NFT-1000 #3 (hardware)
Low Pool Level                          Low Pool Level (hardware)
DACWDT                                  UIT WDT (software)
CSCWDT                                  CCS WDT (software)
                                        Software (software)
                                        EXT 1 (not used)
                                        EXT 2 (not used)
                                        EXT 3 (not used)

1.6.4 Detailed Description of New

Reference: T3A100E800-000, T3A300E150, T3A300E151[23]

The Reactor Protection System initiates a reactor scram in response to a trip signal being generated by one of the sensors in the scram loop, a manual scram signal from the reactor operator or a scram demand by the control system console by interrupting the current to the electromagnets that link the control rods to the control rod drives and by removing power from the transient rod air solenoid valve. The magnets release the control rods, which fall into the core by gravity. All scram conditions are automatically indicated on the console displays.

The new scram loop consists of a set of normally open relay switches wired in series. Power for both the control rod magnets and the solenoid for the air supply of the transient rod is provided by the scram loop.

Under normal conditions, i.e. no scrams in demand, the relay contacts are held closed by power applied to the coil. When a scram occurs, the power to the coil is removed and the contact opens. The scram loop is designed to be fail-safe, so that in the event of a power failure, or other such type failure, the contacts will return to their normally open state generating a scram. The relays for the scram loop are commercial Form C electromechanical relays mounted on a PWA (printed wiring assembly) board. A total of 24 relays are installed on the board, although not all are currently being used. The coils to the relays are either energized by completely analog circuits, such as the NP-1000, NPP-1000, NFT-1000, etc., or by digitally controlled circuits, such as the watchdog alarms from the control console. Also included in the scram loop are electromechanical relays ( ) that are controlled by the control console computer.

The relays control contacts for:

1. Software generated scrams
2. Power to each individual control rod
3. Transient air solenoid
4. The key reset scram
5. The key reset for the facility interlock system.

It is important to note that all fuel temperature and high power scrams required by the technical specifications are generated by analog circuits.

Along with the scram loop relays are the K1 and K2 relays. The K1 performs the reset and latching functions, indicates all SCRAMs clear, and completes the circuit that enables the transient rod air solenoid to be activated. The K2 relay is energized when the console key switch is in the ON position and provides the operate signal for the Facility Interlock System. The relays are identical

1.6.4.1 Functions of the Scram Loop Contacts

In the event that an unsafe or abnormal condition occurs, the reactor operator has two scram options from the control console: manual scram push button and magnet power key switch scram.

Manual Scram is a push button labeled SCRAM on the rod control panel. Pushing this button will interrupt current in both the positive and negative legs of the scram loop along with the transient rod air pressure. This is a momentary switch.

Magnet Power Key Switch has three positions: OFF, ON, and RESET. It must be in the ON position to complete the loop and supply current to the magnets. RESET is a momentary contact. It generates a digital input to the software that is only present as long as it is activated by the operator and is used for resetting the loop via the KEY RESET relay. When the reactor is operating, moving the console key to the off or reset position will cause a scram. It is important to note that when the key switch is in the OFF position the scram loop is mechanically broken and that this is not controlled via software.

NMP-1000 monitors percent reactor power and high voltage (HV) going to the detector. The NMP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power or NMP HV Low) before the reactor is scrammed. The NMP-1000 scrams are not required and are currently bypassed.

NP-1000 (with Pulse Bypass switch) monitors percent reactor power and HV going to the detector. The NP has to indicate a fault (either sees Trip 1 at 110% reactor power or NP HV Low) before the reactor is scrammed. Note: This contact is bypassed during pulsing reactor operation.

NPP-1000 monitors percent reactor power, HV going to the detector and high neutron flux (NVT). The NPP-1000 has to indicate a fault (either sees Trip 1 at 110% reactor power, NPP HV Low or NVT high) before the reactor is scrammed.

The power level scrams ensure the reactor can be shut down prior to the fuel temperature safety limit being exceeded. In the steady state mode, the two channels that perform the high flux scrams are the NP-1000 and NPP-1000. In pulse mode, only the NPP performs a high-power scram, and the NP scram contacts are temporarily bypassed.

The neutron flux detectors rely on a high voltage differential to perform their measurement function. If the high voltage drops significantly, their ability to detect neutrons is inhibited and will result in an underestimation of the neutron flux within the core. Therefore, a loss of high voltage to any of the detectors for high flux safety channels will cause a reactor scram.

CCS and UIT watchdog timers monitor the Linux and Windows computers. If either of the computers fails to send a signal to their WDT at least once approximately every 7 seconds, the respective WDT will time out and a scram occurs. Communication between the system components is necessary for the transmission of information to the operator. In the event of a loss of communication, a watchdog timer will initiate a scram.

Low Pool Level is set when the pool level float switch indicates that the pool level has fallen 6 inches below normal. The reactor pool water ensures adequate radiation shielding to the reactor bay as well as cooling capacity to the reactor. In the event the coolant level drops to 14 feet above the core, a reactor scram is initiated.

NFT1 monitors the temperature for Temp 1 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 1 is above the High Trip 1, 600°C) before the reactor is scrammed.

NFT2 monitors the temperature for Temp 2 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 2 is above the High Trip 3, 600°C) before the reactor is scrammed.

NFT3 monitors the temperature for Temp 3 of the instrumented fuel element. The NFT has to indicate a fault (Temperature 3 is above the High Trip 5, 600°C) before the reactor is scrammed.

Note that 600°C is the maximum setpoint allowed by the technical specifications. The actual setpoint takes into account measurement uncertainties and is lower than the maximum allowed. The fuel temperature scram ensures the reactor can be shut down prior to the fuel temperature safety limit being exceeded. In both the steady-state and pulse modes, at least two fuel temperature channels must be operable. The third channel provides redundancy and is an installed, fully functional in-service spare. The NFT-1000 instrument provides independent channels for each of three thermocouple inputs. Each channel has separate contacts in the scram loop.

EXTERNAL 1 is an external scram loop input for future use. Note: This input is jumpered.

EXTERNAL 2 is an external scram loop input for future use. Note: This input is jumpered.

EXTERNAL 3 is an external scram loop input for future use. Note: This input is jumpered.

Software is an input that causes a scram when commanded to do so by the CCS computer. It deactivates when communication with any is interrupted. Note that this is a redundant feature. When the loses communication with the computer, it will put all relays in a failsafe state, thus scramming the reactor. It also deactivates when the magnet power key switch is turned to the RESET position, thus scramming the reactor.

Scram occurs when the scram timer on the left side status display has expired.

Two types of timed scrams are available to the safety system and work within the scram logic. These are used for experiments which need a predetermined exposure time and to ensure a pulse does not create excessive energy within the fuel.

Steady-state timer causes a reactor scram after a predetermined elapsed time. This value is entered on the control console during steady-state power operations. During a run, the timer may be started and stopped by the operator.

Pulse timer causes a reactor scram when in pulse mode. The timer may be set for a duration shorter than 15 seconds. However, the console will automatically initiate a scram timeout after 15 seconds.

AC Power Loss is a scram that occurs when AC input power has been lost and the UPS is supplying power to the reactor control system. In the course of normal operations, a UPS unit provides power to the console. The UPS is supplied by building AC power. A loss of supply to the UPS will initiate a scram, however the console remains on. This enables monitoring of reactor conditions and allows a graceful shutdown of the console computers.

Reactor Permissive Relay is an input from the FIS. If no emergency stops are active and all the facility interlocks are satisfied after a 30-second count down (TIME DELAY), the Reactor Permissive is satisfied.

Emergency stops are provided in each of the exposure rooms to prevent accidental radiation exposures.

Additionally, an emergency stop switch exists on the console for the operator to stop door motion and core motion. Any of these switches will initiate an immediate reactor scram and give scram indication to the operator on the console. Once the emergency stop has been activated, it must be cleared by turning the key switch to reset. If the emergency stop was initiated from one of the exposure rooms, the local switch must also be reset. The buttons are push-to-activate and must be manually pulled out to permit operation. Once the reset is activated, the horns in the exposure rooms will activate again with the associated time delay. This reset is required to initiate magnet power and begin inserting reactivity to the core.

Lead shield doors are provided to reduce radiation levels and allow entry to exposure rooms (i.e., core in region 3, doors closed, ok to open ER1). Power for door rotation is transmitted through a set of reduction gears. Each shield door is connected to a reduction gear mounted on the side of the carriage track by a vertical shaft extending from the top of each door. The full travel path takes approximately three minutes (from fully closed to fully open). Once in a fully opened or closed position, limit switches are used to indicate status. These are located on top of the reduction gears and are part of the facility interlock system. The lead shield doors must be fully opened before the core can be relocated outside of a region.

LATCH contact is designed to permanently de-energize the loop after a scram has occurred. This contact is part of K1. The loop will stay de-energized until the operator places the Magnet Power Key Switch to the Reset position.

1.6.4.2 Function of Relay K1

The magnets are now energized.

K1 is a socketed four pole, double throw (4PDT) relay. All four of its contacts are wired:

1. One contact latches the coil ON after a Key Reset (HOLD)
2. One contact indicates ALL SCRAMS CLEAR to the computer
3. One contact performs the LATCH function described earlier
4. One completes the circuit that enables the transient rod air solenoid to be activated

After the console is powered up or a scram has occurred, the coil of K1 is de-energized and all wired contacts for K1 are open. When the operator activates the Key Reset switch on the rod control panel, a digital signal is generated and read by the computer. The computer then activates the KEY RESET relay to energize the coil of K1 and all wired contacts close, assuming all scram conditions have been cleared. At this point, the coil of K1 receives power via its own HOLD contact and gets latched in the ON state.

When any of the scram loop contacts open, power to K1 is lost, and the coil is de-energized. All K1 contacts then default to the normally open position, permanently interrupting loop current until a Key Reset is initiated by the operator.

1.6.4.3 Function of Relay K2

K2 is a socketed 4PDT relay that is energized whenever the magnet power key switch is in the ON position. It generates a signal that is used as an interlock in the FIS for satisfying the reactor permissive and shield door movement circuits.

1.6.4.4 Magnet Power and Digital Inputs

Three additional relays are part of the individual magnet loops: SHIM MAG, SAF MAG, and REG MAG. These relays are controlled by the computer and are designed to activate and deactivate magnet power to individual rods. The magnet power can only be activated when K1 has been successfully reset and indicates ALL SCRAMS CLEAR.
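The following Python model is an added illustration, not General Atomics or AFRRI code or circuitry. It reproduces the behaviour described in Sections 1.6.4.1 through 1.6.4.4: a series chain of contacts, watchdog contacts that open after a missed heartbeat, a K1 latch that drops out on any open contact and stays out until a Key Reset, and magnet relays that are honoured only while K1 is latched. The class and method names, the four sample contacts and the explicit timestamps are assumptions of the example; the 7-second watchdog period and the relay names come from the text.

```python
from dataclasses import dataclass

WDT_TIMEOUT_S = 7.0  # page: a signal "at least once approximately every 7 seconds"


@dataclass
class Watchdog:
    """Watchdog contact: closed only while heartbeats keep arriving."""
    last_kick: float = float("-inf")  # never kicked, so the contact starts open

    def kick(self, now: float) -> None:
        self.last_kick = now

    def closed(self, now: float) -> bool:
        return now - self.last_kick <= WDT_TIMEOUT_S


class ScramLoop:
    """Series chain of contacts feeding the K1 latch and the rod magnet relays."""
    MAGNETS = ("SHIM MAG", "SAF MAG", "REG MAG")

    def __init__(self, contact_names):
        # De-energized coils leave contacts open, so power-up is a scram state.
        self.contacts = {name: False for name in contact_names}
        self.watchdogs = {"CCS WDT": Watchdog(), "UIT WDT": Watchdog()}
        self.key_on = False  # key switch OFF mechanically breaks the loop
        self.k1 = False      # K1 coil state; True doubles as ALL SCRAMS CLEAR
        self.magnets = dict.fromkeys(self.MAGNETS, False)

    def set_contact(self, name: str, closed: bool) -> None:
        if name not in self.contacts:
            raise KeyError(name)
        self.contacts[name] = closed

    def open_contacts(self, now: float) -> list:
        """Names of everything currently breaking the series chain."""
        broken = [n for n, c in self.contacts.items() if not c]
        broken += [n for n, w in self.watchdogs.items() if not w.closed(now)]
        if not self.key_on:
            broken.append("Console Key")
        return broken

    def _scram(self) -> None:
        self.k1 = False
        self.magnets = dict.fromkeys(self.MAGNETS, False)

    def update(self, now: float) -> bool:
        """Drop K1 and all magnets if any contact is open; never re-close K1."""
        if self.k1 and self.open_contacts(now):
            self._scram()
        return self.k1

    def key_off(self) -> None:
        self.key_on = False
        self._scram()

    def key_reset(self, now: float) -> bool:
        """Momentary RESET released back to ON. Leaving ON scrams first; K1
        then pulls in and holds only if no scram condition remains."""
        self._scram()
        self.key_on = True
        self.k1 = not self.open_contacts(now)
        return self.k1

    def energize_magnet(self, name: str, now: float) -> bool:
        """Computer request for rod magnet power; honoured only with K1 latched."""
        if name not in self.magnets:
            raise KeyError(name)
        self.magnets[name] = self.update(now)
        return self.magnets[name]


def run_scenario():
    """Constructed timeline (seconds) exercising the latch; returns (event, result)."""
    loop = ScramLoop(["Manual Scram", "NP-1000 %PWR", "NFT-1000 #1", "Low Pool Level"])
    log = [("magnet request at power-up", loop.energize_magnet("SHIM MAG", 0.0))]
    for name in loop.contacts:
        loop.set_contact(name, True)
    for wdt in loop.watchdogs.values():
        wdt.kick(0.0)
    log.append(("key reset, all clear", loop.key_reset(0.0)))
    log.append(("magnet request", loop.energize_magnet("SHIM MAG", 1.0)))
    loop.watchdogs["CCS WDT"].kick(5.0)       # UIT heartbeat goes missing
    log.append(("t=8 s, UIT WDT expired", loop.update(8.0)))
    loop.watchdogs["UIT WDT"].kick(9.0)       # heartbeat returns
    log.append(("heartbeat back, no reset", loop.update(9.0)))
    log.append(("key reset", loop.key_reset(9.5)))
    loop.set_contact("NFT-1000 #1", False)    # fuel temperature trip
    log.append(("NFT trip", loop.update(10.0)))
    log.append(("key reset, trip present", loop.key_reset(10.5)))
    return log


if __name__ == "__main__":
    for event, result in run_scenario():
        print(f"{event:28s} -> {'granted' if result else 'refused / scram'}")
```

The fifth step is the one to note: restoring the heartbeat does not re-close the loop, which matches the statement that RPS actions are not self-resetting.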

1.6.4.5 Ground Fault Detector

The Ground Fault Detector module monitors the loop for a ground fault. If one occurs, it will give an indication to the computer for display on the screen, but it will not trigger a scram.

1.6.5 Safety Analysis

The RPS is automatic and completely independent of other systems, including the reactor control system. All overpower and fuel temperature scram circuits required by the technical specifications are hardwired and do not depend on the CSC computers or any software. The reactor I&C system and RPS are designed such that there are no means available to the reactor operator to bypass the trips so that the reactor can be operated at conditions that are beyond the limits defined by the trip set points.

The RPS, and thus the scram loop, has no known susceptibility to common cause failures other than as a possible result of some undefined internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, and others). As previously noted, the independence (of the safety channels) and diversity designed into the RPS provide a large measure of protection against common cause failures. However, it is important to note that even should they occur, common cause failures cannot prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets that connect the control rods and control rod drives, causing the control rods to drop into the core.

The limited actions performed by the RPS are entirely adequate to ensure that the reactor remains safe under all conditions. Once initiated, the actions initiated by the RPS cannot be impaired or prevented by manual intervention and no manual actions are necessary within a short time to supplement the RPS actions. Also, the actions initiated by the RPS are not self-resetting. The reactor operator must clear all scrams before reactor operation can be resumed.

1.6.6 Technical Specifications

With the exception of the wording for the watchdog scram (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

All scrams listed in Table 2 Minimum Reactor Safety System Scrams, are included in the scram loop.

Channel | Maximum Set Point | Effective Mode: Steady-state | Effective Mode: Pulse
Fuel Temperature | 600°C | 2 | 2
Percent, High Flux | 1.1 MW | 2 | 0
Console Manual Scram Button | Closure switch | 1 | 1
High Voltage Loss to Safety Channel | 20% Loss | 2 | 1
Pulse Time | 15 Seconds | 0 | 1
Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3
Pool Water Level | 14 feet from the top of the core | 1 | 1
Watchdog (DAC to CSC) (UIT and CCS) | On digital console | 1 | 1

4.2.2 Reactor Safety Systems Specifications

a. A channel test of the percent power, high flux scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
e. The emergency stop scram shall be tested annually, not to exceed 15 months.
f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.
g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

Technical Specification 3.2.2, Table 2, Minimum Reactor Safety System Scrams, requires a scram upon 20% or greater loss of high voltage. This specification has never had a companion surveillance specification, so one should be added to Section 4.2.2 of the Technical Specifications.

4.2.3 Fuel Temperature Specifications

a. A channel check of the fuel temperature scrams shall be made each day that the reactor is to be operated.

The surveillance specifications and periodicities listed in TS Section 4.2.2 and TS Section 4.2.3 that pertain to the old unit are still applicable and appropriate for the updated unit.

1.6.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT[24]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.6.8 List of Deployments at other Facilities

All 68 TRIGA reactors ever built utilize a scram loop. The contact inputs may vary slightly from facility to facility, but the concept and the basic technical design are the same for all TRIGA reactors.

1.7 Rod Control and Rod Drives - Component 1g

Figure 24 - Picture of Old and New Control Rod Drive Mechanism

1.7.1 Design Function

The control rod drive mechanism is an actuated linear drive equipped with a magnetic coupler and a feedback potentiometer. The design functions of the control rod drive mechanism are:

  • Position the reactor control rod elements as directed by the reactor operator or control system console computers.
  • Provide the reactor operator indication of control rod position.

1.7.2 Description of Old Control Rod Drive Mechanisms (CRDM)

NOTE: This only applies to the 3 standard control rod drives designated at AFRRI as safe, shim and reg. The Transient drive was NOT modified during this modification/upgrade.

The original CRDMs were wall-mounted COTS control rod drive mechanisms. The maximum speed of approximately was same for all CRDMs and was set by potentiometer feedback . A variable speed Shim rod allowed speeds of less-than-max for fine automatic mode control.

The combination of the module and motor resulted in a torque vs. speed characteristic of of torque at the operating speeds of the control rod drives. The motor drove a pinion gear and a 10-turn potentiometer via a chain and pulley gear mechanism. The potentiometer was used to provide rod position information. The pinion gear engaged a rack attached to the magnet draw tube. The electromagnet was attached to the lower end of the draw tube which engaged with an iron armature attached to the upper end of the connecting rod of the control rod.

A set of three limit switches provided indication of position as follows:

  • Rod DOWN - Indicated when the control rod was at the lower limit of travel.
  • Magnet UP - Indicated when the magnet was at the upper limit position and halted the movement of the drive.
  • Magnet DOWN - Indicated when the magnet was at the lower limit position and halted the movement of the drive.

Position of the control was inferred by a combination of the Rod DOWN and magnet DOWN/UP limit switches.

1.7.3 Comparison of Old CRDM vs. New CRDM

1.7.4 Detailed Description of New CRDM

1.7.4.1 Rod Drive Mechanism

The rod drive mechanism is an motor actuated linear drive equipped with a magnetic coupler and a feedback potentiometer. The purpose of the rod drive mechanism is to position the reactor control rod elements.

The up/down rod control signals, limit switch signals, Rod Position Indication (RPI) information, and magnet power are interconnected between the DAC and control rod by a cable assembly. The rod drive motor control signals are connected to each translator via a second cable assembly.

The maximum speed is same for the CRDMs and is set by a combination of the . All drives are variable speed to allow fine control in automatic mode. Hardware and software settings for rod speeds are only available via password-protected computer access or locked cabinet hardware access.

1.7.4.2 have been replaced with new units. The new units are COTS units are much smaller and quieter. The new units are located in the DAC.

1.7.4.4 The factory settings are near the maximum values and exceed the requirements for this application. The factory settings are maintained as the systems passed all QA tests, including lifting ability and holding torque sufficient to hold a weight.

1.7.4.5 Potentiometer ( )

The potentiometers have been replaced with new units. The new units are the same model number,

, 10-turn wire-wound precision potentiometer/position sensor.

1.7.4.6 Limit Switches )

The limit switches have been replaced with new units. The new units are the same model number, limit switches.

The new limit switches work exactly how the old switches worked. A set of three limit switches provided indication of position as follows:

  • Rod DOWN - Indicates when the control rod is at the lower limit of travel.
  • Magnet UP - Indicates when the magnet is at the upper limit position and halts the movement of the drive.
  • Magnet DOWN - Indicates when the magnet is at the lower limit position and halts the movement of the drive.

Position of the control is inferred by a combination of the Rod DOWN and magnet DOWN/UP limit switches. The functionality of the CRDMs and limit switches remains unchanged and is as follows.

A spring-loaded pull rod extends vertically through a housing and up through the block. The lower end of this rod terminates in an adjustable foot that protrudes through a window in the side of the barrel. The foot is placed so as to be depressed by the armature when the connecting rod is fully lowered. Raising the rod releases the foot, allowing the pull rod to be driven upward by the force of the compression spring. The top of the pull rod terminates in a fixture which engages the actuating lever on a microswitch. As a result, the microswitch reverses position according to whether or not the armature is at its bottom limit. This microswitch is the rod DOWN switch.

A push rod extends down through the block into the upper portion of the barrel. It is arranged so as to engage the top surface of the magnet assembly when the magnet draw tube is raised to its upper limit. The upper end of the push rod is fitted with an adjustment screw which engages the actuator of a second microswitch. Thus, this microswitch reverses position according to whether the magnet is at or below its full up position. This microswitch is the magnet UP switch.

A bracket, fitted with an adjustment screw, is mounted on top of the magnet draw tube. A third microswitch is arranged so that its actuating lever is operated by the adjustment screw on the bracket. The switch will thus reverse position according to whether the magnet draw tube is at or above its completely inserted position. This microswitch is the magnet DOWN switch.

1.7.5 Safety Analysis

The new control rod drive mechanisms (CRDM) are similar in form to the original units. As with the original system the new system is based on limit switches, motors, drivers, and a

The new control rod drive mechanism (CRDM) uses COTS components that have been designed and manufactured to meet or exceed the requirements of the system. The CRDMs have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation process. Due to this, it is expected that the new CRDMs will be as dependable as the old system. Nevertheless, the failure of the CRDMs is of minimal consequence since the reactor core is monitored by at least five independent channels that monitor the power level or fuel temperature of the core during steady-state operation and at least three independent channels that monitor the power level or fuel temperature of the core during pulse operations. Due to this independence, redundancy, and diversity, the failure of the CRDMs to would not result in an increase in the consequence of any accident.

The main type of accident that is associated with the CRDMs is a malfunction that causes the simultaneous withdrawal of all three standard control rods resulting in a ramp insertion of excess reactivity. This accident was previously evaluated and is detailed in the response for the request for additional information (RAI) dated September 30, 2016 (ML16278A111)[25] and is also discussed in the Safety Evaluation Report (SER) dated November 2016 (ML16278A347)[26] prepared by the U.S. Nuclear Regulatory Commission during the most recent license renewal process.

The maximum speed of the new CRDM is hardware limited to The analysis presented in the RAI response, and discussed in the SER, remains valid since the ramp insertion of excess reactivity scenario is mitigated by the three second period interlock and not the speed of the control rods. Further analysis presented in Section 1.3.5 shows that the failure of the 3 second period interlock is of minimal consequence for ramp insertions of excess reactivity. Therefore, this type of accident scenario poses no significant challenge to the integrity of the reactor fuel.

The design basis limit for fission product barrier protection, i.e. fuel cladding, is ultimately fuel temperature. This limit of 1,000 °C remains unchanged with the upgrade of the CRDMs. The basis for the three second period interlock is to minimize the possibility of exceeding the fuel temperature safety limit.

The potentiometers mounted on the CRDMs provide the analog signal to the CSC to be converted to a digital signal. The CSC then provides the position indication to the reactor operator on the UIT. In the event that this signal becomes corrupt, thereby causing the reactor operator or the CSC computer to inadvertently withdraw the control rods farther than required, power level is bounded by the redundant safety channel scrams. Therefore, a malfunction of the CRDMs that causes erroneous information to be provided to the reactor operator or CSC computer is of minimal consequence.

There are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). As previously noted, the independence of the safety channels and diversity designed into the RPS provide a large measure of protection against common cause failures. However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., shutting down the reactor) because the system is designed to be fail-safe. A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in a loss of power to the electromagnets, causing the control rods to drop into the core, safely shutting down the reactor.

It is concluded that the new CRDMs will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.7.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. Only the control rod drive mechanisms for the standard control rods were updated. The control rods and the core configuration remain unchanged, therefore, the excess reactivity and shutdown margin remains unchanged. This will be verified as part of the Startup Plan. The control rod drop times along with the interlocks listed in Table 3 of the technical specifications will also be verified as part of the Startup Plan.

The technical specifications that apply to this channel are:

3.1.3 Reactivity Limitations Specification

a. The reactor shall not be operated with the maximum available excess reactivity greater than $5.00 (3.5% Δk/k).
b. The shutdown margin provided by the remaining control rods with the most reactive control rod in the most reactive position shall be greater than $0.50 (0.35% Δk/k) with the reactor in the reference core condition, all irradiation facilities and experiments in place, and the total worth of all non-secured experiments in their most reactive state.

3.2.1 Reactor Control System Specification

b. The reactor shall not be operated unless the four control rod drives are operable except:
a. the reactor may be operated at a power level no greater than 250 kW with no more than one control rod drive inoperable with the associated control rod drive fully inserted.
c. The time from scram initiation to the full insertion of any control rod from a full up position shall be less than 1 second.

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams does not have any requirements for the control rods.

Table 3 Minimum Reactor Safety System Interlocks requires an interlock for:

Action Prevented | Effective Mode (Steady-state, Pulse)
Pulse initiation at power levels greater than 1 kW | X
Withdrawal of any control rod except transient | X
Any rod withdrawal with power level below 1 x 10^-5 watts as measured by the operational channel | X X
Simultaneous manual withdrawal of two standard rods | X
Any rod withdrawal if high voltage is lost to the operational channel | X X
Withdrawal of any control rod if reactor period is less than 3 seconds | X
Application of air if the transient rod drive is not fully down. This interlock is not required in square wave mode. | X

  • Reactor safety system interlocks shall be tested daily whenever operations involving these functions are planned.

4.2.1 Reactor Control Systems Specifications

b. The control rod drop times of all rods shall be measured semiannually, not to exceed 7.5 months. After work is done on any rod or its rod drive mechanical components, the drop time of that particular rod shall be verified.

The surveillance specifications and periodicities listed in TS Section 4.2.1 that pertain to the old CRDMs are still applicable and appropriate for the updated CRDMs.

1.7.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT[24]

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

1.7.8 List of Deployments at other Facilities

The NRAD reactor at the DOE Idaho National Laboratory has the same updated CRDMs installed. This system was reviewed and approved by the DOE regulatory body.

1.8 Process Instrumentation - Component 1h

1.8.1 Primary Water Temperature Measuring Channels

The primary water temperature is measured at three locations:

  • Above the reactor core inside the core shroud
  • Six inches below the pool surface
  • Water monitor box of the primary water purification system

The water temperature is measured by a resistance temperature sensing element (RTD) in a bridge circuit and has a range of 0 to 100°C. The sensors used are the original sensors in the original locations.

The original system used Action Pak signal conditioners and alarm modules. The new system uses Omega DRF RTD Signal Conditioners. The signal is sent to the CSC to be displayed on the reactor status display.

The CSC also uses the signal to provide a rod withdrawal interlock when the inlet water temperature to the demineralizer is greater than 60°C.

1.8.2 Pool Level Measuring Channel

The level of the reactor tank water is monitored by two independent switches mounted on a common rod and actuated by a float. The first switch activates 1 inch below full pool level and triggers an interlock on the withdrawal of the control rods. The second switch is part of the scram loop and will cause an automatic reactor scram if the water level drops below 6 inches of full pool level. Along with the scram, the second switch will also cause an alarm on the reactor console as well as an audible and visual alarm on the facility hall panel during non-duty hours. The hall panel will alert the security watchman of an unusual situation so that appropriate notifications and actions may be taken.

A third float type switch is located in the pool to alarm when the pool level is greater than 1 above the zero reference height. This alarm, located separate from the control console, is intended to alert reactor staff when the pool level is high, such as during refilling operations.

The floats and switches remain unchanged and are mounted in the original location.

1.8.3 Primary Coolant Conductivity

Conductivity is measured in the pump room and is only displayed locally. It was planned to have conductivity displayed on the left-side display of the UIT but this was never implemented. The conductivity is greyed out.

Figure 25 - STATUS Pane

1.8.4 Safety Analysis

The process instrumentation reuses all the original sensors in conjunction with new COTS components (signal conditioners and relays) that have been designed and manufactured to meet or exceed the requirements of the old system. The channels have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation process. Due to this, it is expected that the new channels will be as dependable as the old channels. Nevertheless, the failure of a process channel is of minimal consequence since the water temperature and pool level are typically slowly changing parameters where the reactor operator can perform manual actions as appropriate.

It is concluded that the process instrumentation channels will continue to perform their design functions in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.8.5 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to these channels are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

Table 2 Minimum Reactor Safety System Scrams, requires a scram for Pool Water Level at no less than 14 feet from the top of the core.

3.3 Coolant Systems Specification

a. The reactor shall not be operated if the bulk water temperature exceeds 60°C.
c. Both audible and visual alarms shall be provided to alert the AFRRI security guards and other personnel to any drop in reactor pool water level greater than 6 inches.

4.2.2 Reactor Safety Systems Specifications

f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.

4.3 Coolant Systems Specifications

a. The pool water temperature, as measured near the input to the water purification system, shall be measured daily, whenever operations are planned.
d. The audible and visual reactor pool level alarms shall be tested quarterly, not to exceed 4 months.

The surveillance specifications and periodicities listed in TS Section 4.2.2 and TS Section 4.3 that pertain to the old system and components are still applicable and appropriate for the new systems and components.

1.8.6 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT[24]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

2 Facility Interlock System - Component 2

Figure 26 - Picture of Old and New Facility Interlock System Cabinet

2.1 Design Function

The design functions of the Facility Interlock System (FIS) are:

  • Eliminate the possibility of accidental radiation exposure of personnel working in the exposure rooms.
  • Prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud.

These design functions are achieved through the use of interlocks that prevent the rotation (i.e., opening or closing) of the reactor tank shield doors and the movement of the reactor core between different regions unless specific conditions are satisfied.

2.2 Description of Old

The design and implementation of the original Facility Interlock System was to perform the interlock functions listed above. Given the status of core position, reactor tank shield doors, and the exposure room plug doors, physical movement of the reactor was either allowed or prohibited by a logic table.

Emergency stops are provided in each of the exposure rooms to prevent accidental radiation exposures.

The prior system was housed in a stand-alone cabinet. The sensor inputs, relays, indicator lights, and override switch interacted with the control console primarily through a permissive relay contact.

2.3 Comparison of Old vs. New

The new Facility Interlock System directly replaces the old Facility Interlock System with new COTS components and wiring.

Components that are new:

  • Cabinet
  • Pilot Lights
  • Relays
  • RC Network (capacitors)
  • Circuit Breakers
  • Fuses
  • Emergency Stop Pushbuttons
  • Override Switch
  • Horns
  • Horn Bypass Switches
  • Wiring

All functionality remains unchanged. There are no changes to the overall logic of the system. The new FIS remains in a standalone cabinet installed in the same location as the original cabinet. The lights in the new cabinet are much larger for enhanced visibility. Additionally, new relays are rated for 100,000 cycles to ensure performance over a reasonable timeframe.

The exposure room control boxes and status panel have been replaced with new functionally equivalent units. The design of the status panel was updated to make it more readily apparent if it is safe to enter the exposure rooms.

The override switch allows for the movement of the core in region two (center region) while the lead door is closed. This allows for the fine tuning of the limit switches and facilitates testing of the limit switches during the performance of the facility interlock surveillance procedure. An operator is required to be present in the reactor bay while the override switch is active.

Operator bypass switches have been added to the exposure rooms. The purpose of these switches is to bypass the horns in the ER to accommodate the needs of experiments that are sensitive to noise. The horn bypass for each exposure room consists of two switches wired in parallel located inside the exposure room. Only after two operators have verified that the room is empty may the horns be bypassed. The bypass switches only silence the audible horns and do not bypass any interlock function.

2.4 Detailed Description of New

The FIS consists of a series of limit switches and pushbuttons that enforce a straightforward logic table to perform its function. The FIS interfaces with the control system console and DAC via relays to electrically isolate the various functions. The FIS logic and implementation remain unchanged in the console upgrade; however, the wiring, relays, limit switches, pushbuttons, etc., were replaced with new readily available functionally equivalent COTS components.

The FIS interfaces with the console Magnet Power Key Switch to enforce its logic and also sound a horn in the necessary exposure room(s) for 30 seconds when the reactor is about to start operation. The horn may be manually bypassed per AFRRI administrative procedures.

New Components:

2.4.1 Interlocks

Certain facility interlocks must be satisfied before the Scram loop can be completed and the standard control rod magnet power circuits and the transient control rod air circuit can be energized. These interlocks include:

1. The Key Switch must be in the ON position.

AND

2. All emergency stop circuits in the exposure rooms and control system console must be energized.

AND one of the following:

3a. The tank lead shield doors must be fully closed, AND the plug door for the exposure room against which the reactor is to be operated must be closed, AND the reactor must be in the corresponding region.

OR

3b. The tank lead shield doors must be fully opened, AND both plug doors for the exposure rooms must be closed.

Once these interlocks have been satisfied, the input to the Scram loop can be satisfied and the control rod magnet and air circuits can be energized. The locations of interlock limit switches for various doors are shown in Figure 27.
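The logic of items 1 through 3b is small enough to check exhaustively. The following added example (not code from the licensee or vendor; the FIS itself is relay-based) models the permissive, then tests every input combination against TS 3.2.3 a and b and against the fail-safe claim that losing a signal can never grant permission. Field names, the pairing of Region 1 with plug door switch D1C and Region 3 with D3C (read from the switch labels in Figure 27), and the treatment of a lost signal as "not made" are assumptions.

```python
from itertools import product
from typing import NamedTuple, Optional

# True = contact made, False = not made, None = signal lost (open circuit, no power)
Signal = Optional[bool]


class Fis(NamedTuple):
    """Inputs to the scram-loop permissive (hypothetical field names)."""
    key_on: Signal            # item 1: console Key Switch in ON
    estops_energized: Signal  # item 2: all emergency stop circuits energized
    lead_closed: Signal       # D2C, lead shield doors fully closed
    lead_open: Signal         # lead shield doors fully open limit switch
    plug1_closed: Signal      # D1C, plug door paired with Region 1 (assumption)
    plug3_closed: Signal      # D3C, plug door paired with Region 3 (assumption)
    in_region1: Signal        # core in Region 1
    in_region3: Signal        # core in Region 3


def made(signal: Signal) -> bool:
    """Only a positively proven contact counts; False and None both deny."""
    return signal is True


def scram_loop_permissive(s: Fis) -> bool:
    """Items 1 AND 2 AND (3a OR 3b) from the list above."""
    if not (made(s.key_on) and made(s.estops_energized)):
        return False
    case_3a = made(s.lead_closed) and (
        (made(s.in_region1) and made(s.plug1_closed))
        or (made(s.in_region3) and made(s.plug3_closed))
    )
    case_3b = made(s.lead_open) and made(s.plug1_closed) and made(s.plug3_closed)
    return case_3a or case_3b


def physically_consistent(s: Fis) -> bool:
    """Assumption: switches at opposite ends of travel are never both made."""
    return not (made(s.lead_closed) and made(s.lead_open)) and not (
        made(s.in_region1) and made(s.in_region3)
    )


def ts_3_2_3_violations(s: Fis) -> list:
    """TS 3.2.3 a and b restated as hazards for a state where operation is permitted."""
    found = []
    if not (made(s.lead_closed) or made(s.lead_open)):
        found.append("a: lead shield doors neither fully open nor fully closed")
    if made(s.lead_open) and not (made(s.plug1_closed) and made(s.plug3_closed)):
        found.append("b: lead doors open with a plug door not proven closed")
    if made(s.lead_closed):
        adjacent = (s.plug1_closed if made(s.in_region1)
                    else s.plug3_closed if made(s.in_region3) else None)
        if not made(adjacent):
            found.append("b: adjacent plug door not proven closed")
    return found


def all_states():
    """Every combination of made / not made / lost over the eight inputs."""
    return (Fis(*bits) for bits in product((True, False, None), repeat=len(Fis._fields)))


def check_tech_specs() -> list:
    """Consistent states that are permitted yet violate TS 3.2.3 a or b."""
    bad = []
    for s in all_states():
        if physically_consistent(s) and scram_loop_permissive(s):
            violations = ts_3_2_3_violations(s)
            if violations:
                bad.append((s, violations))
    return bad


def check_fail_safe() -> list:
    """(state, field) pairs where losing one made signal turns 'denied' into 'permitted'."""
    bad = []
    for s in all_states():
        if scram_loop_permissive(s):
            continue
        for field in Fis._fields:
            if getattr(s, field) is True and scram_loop_permissive(s._replace(**{field: None})):
                bad.append((s, field))
    return bad


if __name__ == "__main__":
    print("TS 3.2.3 violations:", len(check_tech_specs()))
    print("fail-safe violations:", len(check_fail_safe()))
```

Both checks return empty lists for the logic as written; rerunning them after any change to `scram_loop_permissive` shows whether a modified logic table still satisfies the technical specification.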

2.4.2 Reactor Tank Lead Shield Door

The interlocks listed below must be satisfied before the reactor tank lead shield doors can be electrically operated.

The reactor must be in Position 1 or Position 3.

1. The fast neutron (ER2) and thermal neutron exposure room (ER1) plug doors must be closed.
2. The console key switch must be turned to the ON position.
3. All emergency stop circuits in the exposure rooms and console must be energized.

2.4.2.1 To Open Lead Shield Door

1. Momentarily depress the door OPEN button on the Reactor Mode Control Panel. Relay D2MX1 will operate, applying voltage to the delay relay D2T and horn relay D2, both of which lock themselves in via D2. D2 also applies operating voltage to relay HX2 which in turn sounds an audible alarm during the 30 second startup delay period. At the end of the delay period, a normally open D2T contact will close, operating relay D2MX2 which locks itself in with a holding contact.
2. The tank shield doors may be closed even if the key switch is in the OFF position.
3. At the conclusion of the 30 second delay period, again depress the door OPEN switch on the Reactor Mode Control Panel. Relay D2MX1 and contactor D2M-0 have now been operated, thus initiating rotation of the shield doors to the open position. When the lead shield doors reach their fully open position, switch D20 will actuate, operating relay D20X. A normally closed contact on D20X releases the OPEN contactor D2M-0, stopping the door drive motor.

2.4.2.2 To Close Lead Shield Door

Closing the tank lead shield doors requires that the core be in Position 1 or 3 (in this case Position 1).

1. Depress the door CLOSE button on the Reactor Mode Control Panel. This operates contactor D2M-C which in turn operates the door motor control in the closed direction. When the lead doors are fully closed, limit switch D2C will actuate and operate relay D2CX, whose normally closed contact releases the door contactor, stopping the door drive motor.

[Figure 27 labels: Fast Neutron Exposure Room door tracks with plug door close limit switch D1C and plug door open limit switch D10; Position 1 with entering Region 1 limit switch RP1A and Region 1 end stop limit switch RP1B; dolly carriage tracks; lead doors close limit switch D2C and lead doors open limit switch; Position 3 with entering Region 3 limit switch RP3A and Region 3 end stop limit switch RP3B; Thermal Neutron Exposure Room door tracks with plug door open limit switch D30 and plug door close limit switch D3C.]

Figure 27 - Facility Interlock System (FIS) Interlock Diagram

Figure 28 - Block Diagram of Facility Interlock System (SAR Figure 7-10)

Table 9 - Cross Reference of Limit Switch Terminology

SAR Figure 7-10 | LAR Supplement Figure 25
ER1 | Fast Neutron Exposure Room
ER2 | Thermal Neutron Exposure Room
ER1 Door Closed | D1C
ER1 Door Open | D1O
ER2 Door Closed | D3C
ER2 Door Open | D3O
Core Position 1 Inner | RP1A
Core Position 1 Outer | RP1B
Core Position 3 Inner | RP3A
Core Position 3 Outer | RP3B
Lead Doors Open | D20
Lead Doors Closed | D2C

2.4.3 Core Support Carriage

The Core Support Carriage regions are shown in Figure 25.

Figure 29 - Core Support Carriage Regions (axis label: Digital indicator position)

2.4.3.1 Core Support Carriage Movement from Position 3 to Position 1

Once the 30 second startup delay has expired and the lead shield doors are open, the core support carriage can be moved from Region 3 to Region 1 by following the procedure detailed below. The procedure for moving back to Region 1 from Region 3 is similar.

1. Depress the Region 1 switch on the Reactor Mode Control panel or activate the Region 1 foot pedal located on the floor in front of the console. Relay RP1M operates, which in turn operates RPS (carriage motor slow contactor). The carriage will move at a slow speed (1.5 feet per minute) until it is at the inner limit of Position 3. At this point, limit-switch RP3A will actuate, releasing relay RP3AX, which will cause contactor RPS to release and contactor RPF (carriage motor fast contactor) to operate. Now, the carriage will continue to move toward Region 1 but at a faster speed (2.25 feet per minute). When the carriage reaches the inner limit of Region 1, limit-switch RP1A will actuate, operating relay RP1AX, which in turn will release motor contactor RPF. The operation of the relay RP1AX also operates the carriage motor contactor RPS, which again automatically reduces carriage speed to 1.5 feet per minute.
2. To stop the carriage at any point, release the Region 1 switch or foot pedal.
3. The carriage can be moved back and forth within Region 1 with the switch or foot pedal when two operators are present. Limit-switch RP1B determines the outermost Region 1 limit.

2.4.4 Exposure Room Plug Doors

Refer to drawing T3A100E830-000[23] for the wiring diagram for the Exposure Room Plug Doors.

Figure 30 - Picture of Old and New Exposure Room Doors Status Panel

The Exposure Room Status Panel has been updated to make it more readily apparent if it is safe to enter the exposure rooms. The original status panel, as shown in Figure 30, was difficult to read and lacked labelling.

Figure 31 - Picture of Old and New Exposure Room Plug Door Control Boxes

2.4.4.1 Opening the Thermal Neutron Exposure Room Plug Door (ER1)

Certain elements of the facility interlock system must be satisfied before the thermal neutron exposure room plug door can be opened. These elements include:

1. The tank lead shield doors must be closed (D2C active).
2. The reactor must be in Position 1 (RP1A active).
3. The thermal neutron exposure room door control power key switch must be in the ON position.

To open the plug door:

1. Connect the reel mounted power cable to the plug door.
2. Depress and hold the OPEN button on the plug door control panel. Motor contactor D3M-0 used in operating the door in an open direction will operate. The neutron exposure room door will continue to move in an open direction until limit switch D30 is actuated, which will release the motor contactor stopping the door drive motor.
3. To stop the door during its opening operation, momentarily depress the STOP button. This action releases the open contactor D3M-0 which de-energizes the drive motor.

NOTE: If the door or drive drags or jams, the motor overload (OL) will energize, automatically releasing motor contactor D3M-0 and stopping the door movement.

2.4.4.2 Closing the Thermal Neutron Exposure Room Plug Door (ER1)

To close the thermal neutron exposure room plug door:

1. Momentarily depress the CLOSE button on the plug door control panel. Motor contact D3MC, used to operate the door in the closed direction, will operate. This contactor electrically locks itself in. The thermal neutron exposure room plug door will continue to move in a closing direction until limit switch D3C actuates, which will operate D3CX, whose normally closed contact will release motor contactor D3MC, stopping the door's movement.

NOTE: Final closure of either exposure room plug door involves manual operation of the door drive mechanism.

2.5 Safety Analysis

The new Facility Interlock System uses COTS components that are similar in form and function to the original units. As with the original system, the new system is based on analog components, i.e., limit switches, relays, and indicator lights and horns to enforce interlock requirements.

The FIS components have been designed and manufactured to meet or exceed the requirements of the original system. The FIS has undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation process. Due to this, it is expected that the new FIS will be as dependable as the old system. Nevertheless, the failure of the FIS is of minimal consequence since the system is designed to fail-safe.

There are no known common cause failures (CCF), other than as a possible result of some internal or external hazard (e.g., fire, flooding, dropped load, earthquake exceeding the design basis, etc.). However, it is important to note that should a CCF occur, it would not prevent the system from performing its primary safety function (i.e., enforcing interlocks) because the system is designed to fail to the safe condition. A loss of electrical power or multiple circuit damage due to a fire, explosion, dropped load, or some other cause will result in an interlock condition that must be addressed before reactor operation can proceed. There are no means for the reactor operator to manually bypass any interlocks.

It is concluded that the new FIS will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

2.6 Technical Specifications

All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to these channels are:

3.2.3 Facility Interlock System Specification

Facility interlocks shall be provided so that:

a. The reactor cannot be operated unless the lead shield doors within the reactor pool are either fully opened or fully closed;
b. The reactor cannot be operated unless the exposure room plug door adjacent to the reactor core position is fully closed and the lead shield doors are fully closed; or if the lead shield doors are fully opened, both exposure rooms plug doors must be fully closed; and

c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

4.2.4 Facility Interlock System Specifications

Functional checks shall be made annually, not to exceed 15 months, to ensure the following:

a. With the lead shield doors open, neither exposure room plug door can be electrically opened.
b. The core dolly cannot be moved into region 2 with the lead shield doors closed.
c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

The surveillance specifications and periodicities listed in TS Section 4.2.4 that pertain to the old system and components are still applicable and appropriate for the new systems and components.

2.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, FIS, T3A400E100-1AT[28]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3 Control System Console - Digital - Component 3

Figure 32 - Picture of Old and New Control System Console

Figure 33 - Block Diagram of New Control System

The Control System Console (CSC) contains the computers (User Interface Terminal (UIT) and Console Computer System (CCS)), display monitors, control panels, modularized drawers, indicators, meters and recorders to present the data to the operator in meaningful engineering units. The CSC Operator Interface provides the necessary controls and interfaces for the operator to safely start up, manipulate reactor parameters, monitor the various operating parameters in its various modes of operation, and safely shut down the reactor.

The AC power distribution for the CSC is shown in Figure 34 below. AC power is supplied via a UPS unit that has been selected to provide approximately 15 minutes of runtime. Since the reactor safety systems are designed to fail to a safe condition, the UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of offsite power. When power is lost to the UPS an AC Power Loss scram is generated.

Figure 34 - Control System Console (CSC) AC Power Distribution

Reference - GA Operation and Maintenance Manual, E117-1006, 1989[19]

The previous console contained a single computer with multiple digital and analog input/output plug-in cards and a dual-video driver to allow display on two terminals. It monitored the pushbuttons on the control rod panel and drove the indicator lights on the console. It also displayed reactor power, control rod position, and other operating parameters on the monitors, and accepted user input.

The COTS electromechanical count-down/count-up scram timer in the old console has been replaced with a software version in the new console; no functional or operational change. The COTS maximum pulse timer in the old console has been replaced with a software version in the new console; no functional or operational change. In the old console, the History Playback software module ran simultaneously with the reactor operating software; in the new console, the software architecture prevents this, so the reactor operating software must be shut down prior to starting up the History Playback module. In the old console, rod bank selections were made with physical switches, which were then read by the computer, and enforced by software; in the new console, the rod bank selections are made on-screen directly in software.

The old console computer ran real-time operating system first released in 1982; used custom GA Configurator software to drive the display, and of the system. The new console features two computers.

for input and output operations, programmed protocol for communications to the rest of the system. A second computer runs and is used as a display driver for the GUI.

Reference T3A100B7911-1OM Rev.A[23]

The new console contains two computers, each with its own monitor. The CCS uses a and handles input and output data, monitors the pushbuttons on the control rod panel and drives the indicator lights on the console. The CCS code is written in

Table 10 - Console System Console - Comparison of Old vs. New

Power Supplies and UPS

Function: Supplies Vdc power for the components located in the Control System Console.

Safety Analysis: The new power supplies are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The power supplies receive 120 Vac primary side power from the CSC AC power distribution system which originates from the console UPS. The power supplies are of the switching type and provide input-to-output isolation with internal overvoltage and overcurrent protection. There are three power supplies. There is no necessity for redundancy in the design criteria of the power supplies. A failure of a power supply will more than likely result in a scram thereby placing the reactor in a safe shutdown condition.

It is concluded that the new power supplies will continue to perform the design function required in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD NEW

PS1 +5 Vdc Power Supply provides power to the secondary side of the digital isolator modules on the digital input drawer.

PS2 +24 Vdc Utility Power Supply -

- ) is a 50W power supply that is used to power digital switch contacts in the control console. Input to output isolation is 3,000V.

I)

PS3 +12 Vdc Power Supply (

Digital Input/Output

Function: The purpose of the digital input/output drawer is to isolate all digital inputs and outputs located in the Control System Console and send them to the Control System Computer.

Safety Analysis: The new digital input boards and isolators are COTS components and have been manufactured to meet or exceed the requirements of the previous units. The new digital input boards and isolators have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the digital input boards and isolators will be as dependable as the old unit.

Nevertheless, the failure of either the digital input board or one or more of the digital isolators is of minimal consequence since the components do not perform any safety related functions. A failure will not prevent the automatic protective actions from other independent channels (e.g. NP-1000 or NPP-1000) from being performed. In addition the interlock functions that are being performed by the digital inputs (e.g., FIS limit switches) will still be performed in the event of a failure of the digital I/O components since the interlocks are designed to be fail-safe.

It is concluded that CSC Digital I/O will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

OLD: DC digital input/output. Digital input scanner board (DIS064) that monitors all CSC digital inputs, e.g., pushbuttons and thumbwheel switches and transmit the data to the CSC computer.

NEW: The purpose of the digital input drawer is to isolate all digital inputs from the computer. The digital input drawer houses two identical printed circuit board assemblies (PWA) populated with digital isolators.

Mounted on the Digital Input Drawer Components:

Rod Control Panel

Function: To provide pushbutton for the manual control of the control rods, a key switch for the application of magnet power, a manual scram pushbutton and a pushbutton to acknowledge alarms and messages.

Safety Analysis: The safety analysis for the Rod Control Panel is discussed in detail in Section 3.1.

OLD: Located below the two color displays and contained reactor key switch and all the pushbutton switches necessary to control the movement of the control rod drive mechanisms.

NEW: Located below the two color displays and contained reactor key switch and all the pushbutton switches necessary to control the movement of the control rod drive mechanisms.

Reactor Mode Control Panel

Function: Provide indication for the status of facility components along with scram and interlock selection test switches.

Safety Analysis: The safety analysis for the Reactor Mode Control Panel is discussed in detail in Section 3.1.

OLD: Located on the left side of the CSC. Contained the instrument power ON pushbutton switch, along with the reactor operating mode pushbuttons, scram and interlock test rotary select switch and additional switches with regard to the Facility Interlock System.

NEW: Located on the left side of the CSC. Contained the instrument power ON pushbutton switch, along with the reactor operating mode pushbuttons, scram and interlock test rotary select switch and additional switches with regard to the Facility Interlock System.

Console Computers - CCS and UIT

Function: To monitor all input and output channels, provide reactivity control of the reactor (via control rod movements) and to provide a graphical user interface for the reactor operator.

Safety Analysis: The safety analysis for the Console Computers is discussed in detail in Section 3.3 and Section 3.4.

OLD NEW

Components:

Bargraphs and Recorders Panel

Function: Provide power indication along with trending and recording capabilities that is independent of the control system computers.

Safety Analysis: The safety analysis for the Bargraphs and Recorders Panel is discussed in detail in Section 3.5 and Section 3.6.

OLD: Panel containing eight vertical LED bargraph meters and two paper strip chart recorders. The components receive an analog signal from the NP-1000, NPP-1000, NM-1000 and the Fuel Temperature Channels.

NEW: Panel containing eight vertical LED bargraph meters and two videographic chart recorders. The components receive an analog signal from the NP-1000, NPP-1000, NLW-1000, NMP-1000 and the NFT-1000 Fuel Temperature Channels.

3.1 Rod Control Panel - Component 3a

Figure 35 - Picture of Old and New Rod Control Panel

3.1.1 Design Function The design functions of the Rod Control Panel are:

  • Application of magnet power via a key switch
  • Manually scram the reactor.
  • Acknowledge alarms and messages.

3.1.2 Description of Old The original Rod Control Panel was used to manually control the control rod drives, apply magnet power, fire the transient rod, manually scram the system and acknowledge alarms and messages.

3.1.3 Comparison of Old vs. New The new panel is functionally equivalent to the original panel with an interface that is designed to be as close to the original as possible. The magnet power key switch and pushbuttons on the new panel are the same model numbers as the original panel.

3.1.4 Detailed Description of New

Figure 36 - Rod Control Panel

The Rod Control Panel is located beneath the Right Side Graphics Display and the UIT computer. This panel is used to manually control the control rod drives, apply magnet power, fire the transient rod, manually scram the system and acknowledge messages in the Annunciator Pane of the Right Side Graphics display.

The Rod Control Panel performs the same functions, in the same way as the original panel. A description of the functions for the components is detailed here for convenience.

3.1.4.1 Magnet Power Key Switch In the upper left corner is the MAGNET POWER key switch. The key switch has three positions: OFF (maintained), ON (maintained) and RESET (momentary). If the switch is OFF, then all power is removed from the rod magnets. The ON position is wired in with the Scram Loop. The switch has to be in the ON position to complete the loop. The switch is momentarily turned to the RESET position to initiate the time delay in the FIS prior to activating the reactor permissive relay (ROX). After the time delay, and if the ROX and the rest of the Scram Loop inputs are satisfied, the switch is momentarily turned to the RESET position again to apply magnet power. The switch will remain in the ON position during reactor operation. If at any time during reactor operation the switch is turned to the RESET position, the reactor will scram. Turning the key switch to RESET is also the only way to remotely reset trips on the nuclear instruments in the DAC, assuming the trip condition has cleared.
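
An added example, not code from this submittal or from GA: a Python model of the MAGNET POWER key switch sequence described above, useful for checking that every path out of normal operation ends with magnet power removed. The 30 s delay is taken from the Time Delay indicator description; the class and method names, ignoring a RESET during the delay, restarting the sequence after a scram, and treating ROX as closed once the delay has elapsed are assumptions.

```python
from enum import Enum


class Phase(Enum):
    SHUTDOWN = "shutdown"    # magnets de-energized, no FIS delay running
    DELAY = "delay"          # first RESET seen, FIS time delay started
    OPERATING = "operating"  # magnet power applied, key resting in ON


class MagnetPowerModel:
    """Illustrative model of the MAGNET POWER key switch sequence.

    Assumptions (not from the source document): a scram restarts the whole
    sequence, a RESET during the delay is ignored, and ROX is treated as
    closed once the delay has elapsed with no latched trip.
    """

    def __init__(self, delay_s=30.0):
        self.delay_s = delay_s   # 30 s matches the Time Delay indicator text
        self.phase = Phase.SHUTDOWN
        self.key = "OFF"         # maintained position: "OFF" or "ON"
        self.delay_started = None
        self.active = set()      # trip conditions currently present
        self.latched = set()     # trips held until RESET clears them
        self.events = []         # (time, message) audit trail

    @property
    def magnet_power(self):
        return self.phase is Phase.OPERATING

    def _log(self, now, msg):
        self.events.append((now, msg))

    def _scram(self, now, reason):
        self.phase = Phase.SHUTDOWN
        self.delay_started = None
        self._log(now, "SCRAM: " + reason)

    def trip(self, name, now):
        """A scram-loop input opens; the trip latches until reset."""
        self.active.add(name)
        self.latched.add(name)
        if self.magnet_power:
            self._scram(now, name)
        else:
            self._log(now, "trip latched: " + name)

    def clear_condition(self, name):
        """The underlying condition goes away; the latch remains."""
        self.active.discard(name)

    def turn_key(self, position, now):
        if position not in ("OFF", "ON", "RESET"):
            raise ValueError("unknown key position: %r" % (position,))
        if position == "OFF":
            # OFF removes all power from the rod magnets.
            self.key = "OFF"
            self.phase = Phase.SHUTDOWN
            self.delay_started = None
            self._log(now, "key OFF: magnet power removed")
            return self.phase
        self.key = "ON"  # RESET is momentary and springs back to ON
        if position == "ON":
            return self.phase
        # RESET clears only those latched trips whose condition has cleared.
        self.latched &= self.active
        if self.phase is Phase.OPERATING:
            self._scram(now, "RESET during operation")
        elif self.phase is Phase.SHUTDOWN:
            self.phase = Phase.DELAY
            self.delay_started = now
            self._log(now, "FIS time delay started")
        elif now - self.delay_started < self.delay_s:
            self._log(now, "RESET ignored: delay still running")
        elif self.latched:
            self._log(now, "magnet power refused: " + ", ".join(sorted(self.latched)))
        else:
            self.phase = Phase.OPERATING
            self._log(now, "magnet power applied")
        return self.phase


def replay():
    """Constructed operator timeline (seconds); returns the audit trail."""
    m = MagnetPowerModel()
    m.turn_key("ON", 0)
    m.turn_key("RESET", 0)      # starts the delay
    m.turn_key("RESET", 10)     # too early
    m.turn_key("RESET", 31)     # magnet power applied
    m.trip("NP Pwr Hi", 100)    # constructed trip event; rods drop
    m.turn_key("RESET", 105)    # restarts the delay, trip still latched
    m.turn_key("RESET", 140)    # refused: condition still present
    m.clear_condition("NP Pwr Hi")
    m.turn_key("RESET", 141)    # latch clears, magnet power applied
    m.turn_key("RESET", 200)    # RESET while operating scrams
    return m.events


if __name__ == "__main__":
    for t, msg in replay():
        print("%6.1f s  %s" % (t, msg))
```

The model never grants magnet power from a single key action: it takes two RESETs separated by the full delay, with no latched trip outstanding.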

3.1.4.2 FIRE Pushbutton In the bottom left corner is the FIRE button. When all conditions to fire the transient rod are met, pushing the Fire button will apply air pressure to the rod for pulsed reactor operation.

3.1.4.3 Rod Control Pushbuttons In the middle of the panel is the Rod Control section which includes the AIR button, MAGNET buttons, UP buttons and DOWN buttons. The AIR button is used to remove air from the Transient Rod. The MAGNET buttons are used to remove the magnet power for the Shim, Safety and Regulating rods. Pressing the MAGNET button turns off magnet power and therefore drops the rod into the reactor core. Pressing the UP or DOWN buttons generates a digital input to the CCS computer to move the control rods.

3.1.4.4 SCRAM Pushbutton In the upper right corner is the reactor SCRAM pushbutton. It is hardwired into the Scram Loop. If this button is depressed, the switch breaks the Scram Loop in both upper and lower legs, and all rods will drop to shut down the reactor.

3.1.4.5 ACKNOWLEDGE Pushbutton The ACKNOWLEDGE button is used to acknowledge messages in the Annunciator Pane of the right side display. It generates a digital input to the CCS computer to indicate an operator has acknowledged a visual or audible alert.

3.1.5 Safety Analysis The new Rod Control Panel is an updated version that uses the same model pushbuttons and magnet power key switch as the original panel. As with the original panel, the new Rod Control Panel does not directly control the control rods but provides the digital inputs to the CCS Computer which in turn provides the control logic for the control rods. Also as with the original panel, the manual scram pushbutton provides a direct input to the Scram Loop, without relying on software to perform the TS required scram action.

Since the new components are the same models and perform the same functions, and in the same way as the original, it is expected that the new Rod Control Panel will be as dependable as the original unit.

Nevertheless, the failure of the Rod Control Panel, such as a shorted manual scram pushbutton, is of minimal consequence since there is a redundant emergency stop pushbutton installed on the Reactor Mode Control Panel.

A stuck rod control pushbutton could potentially cause a ramp insertion of excess reactivity accident.

Since there is an interlock preventing the manual control of more than one control rod, the reactivity inserted due to a single control rod is bounded by the three control rod insertion event as detailed in Section 1.7.5; therefore, it is of minimal consequence.

It is concluded that the new Rod Control Panel will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.1.6 Technical Specifications All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The Console Manual Scram Button as listed in Table 2 Minimum Reactor Safety System Scrams, is located on this panel.

4.2.2 Reactor Safety Systems Specifications

g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

The surveillance specification and periodicity listed in TS Section 4.2.2 that pertains to the manual scram pushbutton is still applicable and appropriate for the updated unit.

3.1.7 Quality Assurance GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3.2 Reactor Mode Control Panel - Component 3b

Figure 37 - Picture of Old and New Reactor Mode Control Panel

3.2.1 Design Function The design functions of the Reactor Mode Control Panel are:

  • Provide indication for the status of facility components.
  • Provide Scram and Interlock selection test switches
  • Instrument Power ON pushbutton

3.2.2 Description of Old The original Reactor Mode Control Panel was located on the right side of the CSC. The panel provided pushbuttons and switches to apply instrument power, to select operating mode, and to select the power level for automatic mode. Also located on the panel were the core position status, lead shield door position and exposure room plug door status. The scram and interlock test rotary switch was also located on the panel.

3.2.3 Comparison of Old vs. New The new Reactor Mode Control Panel is similar to the original. Some of the original functions have been moved entirely to software, such as the steady-state timer and reactor mode selection, and can be accessed via the UIT display interface.

In both the new and original panels, with the exception of the emergency stop pushbutton, all other pushbuttons and switches provide a digital input to the CSC, which then provides the logic in performing the required function.

3.2.4 Detailed Description of New

Figure 38 - Reactor Mode Control Panel

The Reactor Mode Control Panel is located in the right side of the console. This panel contains the status indicators for Core Position, Door Position, Indicators, Pulse Detector Selection, Lamp Test, Emergency Stop, Instrument Power ON, and Watchdog timers for the CCS and UIT computers. Two rotary test switches for the scrams and interlocks are also located on the new panel.

3.2.4.1 Reactor Core and Shield Door Position The Reactor Mode Control Panel provides two switches with backlights, an indicator and a digital readout to indicate core position. The two switches, Region 1 and Region 3, can be used to move the reactor core.

Backlights will be illuminated when the door limit switch is activated. The foot pedals can also be used to move the reactor core. The Region 2 indicator will be lit whenever the core is not in Region 1 or Region 3.

Also, there is a digital readout for the core position. Refer to Figure 29 for a drawing of the core regions and the associated digital readout values.

Three door position switches with backlights are provided: Lead Door Open, Lead Door Stop and Lead Door Close. The switches can be used to open, stop and close the lead door. When the switch is active, the backlight is illuminated.

3.2.4.2 Indicators Three other indicators are provided: Reactor Operate, Time Delay and Exposure Room Open. The Reactor Operate indicator is illuminated when all interlocks have been satisfied and magnet power can be applied.

The Time Delay indicator is illuminated while the 30 second reactor interlock delay is active. The Exposure Room Open is used to indicate that the Exposure Room door is open.

The Pulse Detector button selects which type of detector is connected to the NPP-1000 instrument. In steady state operation, a Fission Chamber detector is connected to the NPP-1000 and none of the button lights are lit. The detector selection is performed per the following:

  • Pushing the detector select button once selects detector 1 (currently Uncompensated Ion Chamber detector) and the Detector 1 backlight will illuminate, or
  • Pushing the detector select button again selects detector 2 (currently Cerenkov detector) for pulsed reactor operation and the Detector 2 backlight will illuminate.

A Lamp Test button is provided to test the lamps on the Reactor Mode Control Panel. The Lamp Test button itself does not light up.

An Emergency Stop button is provided to scram the reactor in an emergency. It ties in with the FIS and upon pressing it, deactivates the reactor permissive (ROX) relay that is an input to the Scram loop. The Emergency Stop is a latching switch; the first push activates it, the second push deactivates it.

An Instrument Power ON button and indicator light are provided. The instrument power on switch has a backlight that will be illuminated when console power is on. Pushing the button activates or deactivates the UPS. Because the UPS input is heavily filtered to protect against spurious inputs, the UPS turn on or shutdown occurs 2 to 3 seconds after the button has been pushed.

Watchdog timer lights are provided for both the CCS and UIT to indicate when a watchdog timer timeout has occurred.

3.2.4.3 Scram and Interlock Test Switches SCRAM and Interlock Test 1 Rotary Switch is used to select the test. A test button is used to run the test.

The rotary test switches are independent of each other and may be activated simultaneously so that the system will respond accordingly as if both events actually occurred. The following tests are provided for selection on the Test 1 switch:

1. NLW: 1 KW, Low Source, Period, NLW HV Lo
2. NMP: NMP HV LO, NMP Pwr Hi (Note the scrams are bypassed but the tests will still generate a warning on the WARNINGS Pane).
3. NP: NP HV Lo, NP Pwr Hi
4. NPP: NPP HV Lo, NPP Pwr Hi

SCRAM and Interlock Test 2 Rotary Switch is used to select the test. A test button is used to run the test.

The following tests are provided for selection on the Test 2 switch:

1. Watchdogs: CCS WDT, UIT WDT
2. Pool Level: Pool Lo
3. NFT Temperatures: FT 1, FT 2, FT 3
4. Pool Temperature: Pool Temp

3.2.5 Safety Analysis The new Reactor Mode Control Panel is an updated version that uses the same model pushbuttons and similar rotary switches as the original panel. As with the original panel, the new Reactor Mode Control Panel provides the digital inputs to the CCS Computer which in turn provides the control logic for the pushbuttons and test switches. Also as with the original panel, the emergency stop pushbutton provides an indirect input to the Scram Loop via the Facility Interlock System, without relying on software to perform the TS required action.

Since the new components are mostly the same models and perform the same functions, and in the same way as the original, it is expected that the new Reactor Mode Control Panel will be as dependable as the original unit. Nevertheless, the failure of the Reactor Mode Control Panel, such as a shorted emergency stop pushbutton, is of minimal consequence since there is a redundant manual scram pushbutton installed on the Rod Control Panel.

It is concluded that the new Rod Control Panel will continue to perform the design function in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.2.6 Technical Specifications All existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The Console Emergency Stop as listed in Table 2 Minimum Reactor Safety System Scrams, is located on this panel.

4.2.2 Reactor Safety Systems Specifications

e. The emergency stop scram shall be tested annually, not to exceed 15 months.

The surveillance specification and periodicity listed in TS Section 4.2.2 that pertains to the manual scram pushbutton is still applicable and appropriate for the updated unit.

3.2.7 Quality Assurance GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.

3.3 CCS Computer - Component 3c

3.3.1 Design Function The design functions of the CCS Computer are:

  • Process all Digital Inputs and Outputs.
  • Monitors all inputs and outputs
  • Control the reactor

3.3.2 Description of Old The old CSC computer ran along with a custom GA software to drive the display, and for communications to the rest of the system.

The CSC computer received digital signals from the console input scanner board along with the signals from the DAC. The CSC computer then made this information available to the reactor operator on the two console displays.

3.3.3 Comparison of Old vs. New The two units perform the same functionality with the exception that the Pulse Timer and Steady-state Scram Timer functions are now performed entirely in software. The functionality of all other physical switches remains unchanged, with the selections read by the computer as a digital input and enforced by software.

3.3.4 Detailed Description of New Reference T3A100B7911-1OM Rev.A[23]

The CCS uses a and handles input and output data, monitors the pushbuttons on the control rod panel and drives the indicator lights on the console. The CCS code is written in The CCS computer system in the console has a display associated with it. This display is not normally needed during the operation of the reactor; it exists mainly for startup, shutdown, and console debugging purposes. Other than determining that the CCS has come up and is operating properly, there is no reason for having this display present on the console. During normal operation of the software, it displays the digital and analog inputs/outputs on the screen. Having this screen handy is useful to determine whether the CCS has locked up if the system freezes (the numbers are constantly changing if the CCS computer is operating properly). The display is also useful for shutting down the CCS system (though this can also be done from the UIT computer).

3.3.5 Safety Analysis

The new CCS computer has been designed and manufactured to meet or exceed the requirements of the previous unit computer. The new computer and associated software have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new computer will be as dependable as the original unit.

In the event that the CCS computer malfunctions, i.e. becomes unresponsive, the CCS Watchdog Timer will initiate a scram. If the timer fails, then the reactor operator can always manually scram the reactor via the hardwired manual scram pushbutton.

There are no accident scenarios associated with the CCS computer and the failure of the computer is of minimal consequence since the computer does not provide any safety functions that are intended to prevent the fuel temperature safety limit of 1000 °C from being exceeded.

It is concluded that the CCS Computer will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.3.6 Technical Specifications

With the exception of the wording for the watchdog scram (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems

Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The pulse timer scram is generated from the CCS computer.

The Watchdog listed in Table 2, Minimum Reactor Safety System Scrams, needs to be revised to Watchdog (DAC to CSC) (UIT and CCS).

3.3.7 Quality Assurance

Significant software QA was performed on all GA-developed software. Extensive test documentation is available for review and is summarized below.

Software Development Plan, AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC Rev A[29]

The Software Development Plan (SDP) applies to the software development and release of the TRIGA Console and Channels subsystems to support replacement of the existing TRIGA Mark F Research Reactor Instrumentation and Control System Console (CSC) at Armed Forces Radiobiology Research Institute (AFRRI). The instrumentation housed in the new Data Acquisition Cabinet (DAC), located in the reactor room, includes the nuclear channels, power supplies, rod drive control, signal processing, analog I/O and Ethernet interface. The CSC includes two computer systems. The User Interface Terminal (UIT) runs on one computer and operates to display reactor activities. The other is the Console Computer System (CCS), which operates to display reactor functions and conditions. This SDP describes the development process, organization, management structure, activities performed and resources used in the development of the AFRRI TRIGA software.

Furthermore, the SDP describes the planning of management, process, procedures, organization, staffing, scheduling, methods, resources, tasks, products, and reviews that are used to develop the AFRRI TRIGA software.

In addition to providing traditional project planning information, this SDP is also used to tailor the standard Software Engineering activities to fit the needs and constraints of this project. Separate documents, such as the TRIGA Software Configuration Management Plan (SCMP) and the Software Quality Assurance (SQA) Plan (SQP) will be used to describe how software configuration and software quality processes are applied to this project. This SDP is the prevailing document for software development activities. In the event of conflict between this SDP and another planning document, this SDP shall take precedence in matters related to software development.

Software Quality Plan, USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP Rev X3[30]

The purpose of this Software Quality Assurance Verification and Validation Plan is to define:

  • The Software Quality organization for the AFRRI TRIGA Replacement Console Project at General Atomics Electromagnetics Systems (GA-EMS)
  • The Software Quality tasks, Verification & Validation (V&V) tasks and responsibilities
  • The standards, practices, and conventions used to perform Software Quality and V&V activities
  • The tools, techniques, and methods that will be used to support Software Quality and V&V activities and reporting.

The AFRRI TRIGA project will be a replacement and upgrade effort where GA-ESI will provide replacement Console hardware and software, as well as installation services, for support of the existing monitoring, control and safety systems of the Mark F Research Reactor.

The plan articulates the Software Quality activities, including software quality engineering, software quality assurance, V&V, and software testing, performed throughout the software development life cycle of the AFRRI TRIGA Replacement Console Project.

The plan will define Software Quality and V&V support functions for this project and specify the reporting activities of Software Quality to Quality management, with communication links to the AFRRI TRIGA Project Manager and the project Software Engineering Manager.

A key goal of the Software Quality function is to verify that all software and documentation to be delivered meet all technical requirements and to ensure compliance with contractual requirements and with GA-ESI processes and procedures for software development.

The Software Quality and V&V tasks defined herein shall be used to examine deliverable software and project work products, assess conformance of planned tasks and activities to processes and procedures, and to determine compliance with technical and regulatory compliance requirements.

The Software Quality Assurance plan is written to comply with all contractual Quality Assurance Requirements and recognizes ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors, ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, NRC Regulation 1.152 and the applicable sections of IEEE 7-4.3.2 for non-power research reactors.

The plan also complies with GA-ESI's Quality Management System, Quality Manual & procedures, and RMS Engineering Operating procedures.

The plan aligns with GA-ESI Procedure EP-021 which describes the standard product development process and GA-ESI Quality procedure QAP 03-03 Software Quality Assurance Planning that supports the lifecycle phases listed below for a waterfall software development model:

  • Concept/Planning
  • Requirements
  • Design
  • Implementation & Coding
  • Testing
  • Installation and Checkout

Software Configuration Management, TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC Rev X1[31]

The Software Configuration Management (SCM) Plan (SCMP) provides the guidelines to be used to manage changes to the TRIGA software at General Atomics Electronic Systems, Inc. (GA-ESI). The intended audience for the document includes, but is not limited to, Project Management, Software Quality Assurance, and Software Engineering personnel.

This SCMP will be used to ensure compliance to the SCM requirements as listed in the Armed Forces Radiobiology Research Institute (AFRRI) Statement of Work (SOW)[32].

Software Configuration Management functions will be performed as described in the document throughout the Software Development Life Cycle (SDLC). This SCMP will be used to track and control changes in project documentation, software source code, software build artifacts, test tools, and test artifacts as described in the document. The SCMP is used in conjunction with GA-ESI Configuration Management (CM) operating procedures. There are no known limitations to this plan and assumptions have been made with respect to this plan.

Software Configuration Management is the discipline of controlling and tracking changes made to a software system throughout the SDLC. SCM is applicable to, but not limited to, software requirements, design, source code, and project documentation. The following describes the activities involved with SCM, including:

  • Configuration identification

A Configuration Item (CI) is any component of a system, including documentation, which will be under the control of CM. These items are identified, recorded and managed within a Configuration Management System (CMS) and maintained throughout the lifecycle of the project.

Configuration Items for a software system consist of software process plans, specification documentation, software source code, test documentation, technical manuals and version description documentation.

  • Configuration control

Configuration control defines the process for requesting, evaluating, approving or disapproving, and implementing changes to baselined CIs. Changes can include but are not limited to defects, enhancements and new requirements.

A baseline provides a static reference point to a grouping of CIs that make up a system at a given point in time. Baselines establish a version of the software configuration which serves as the basis for further development. After a baseline has been established, changes in scope can only be performed through a formal change request process as identified in the SCMP.

  • Configuration status accounting

The SCM engineer is responsible for the recording and reporting of software configuration status.

For software product builds performed by the SCM engineer, a configuration status report will be generated identifying the built software version, included issues, known software limitations, and additional developer notes associated with each issue.

Configuration status reports will be controlled as release notes and stored on the project's SharePoint site. A copy of the release notes will be provided with each build in the designated build area located on the GA-ESI network. Refer to the SCMP for the base location of where builds are stored on the GA-ESI network.

  • Configuration evaluations and reviews

Configuration evaluations and reviews will be used as the mechanism to evaluate a baseline. The SCM engineer along with the SQA engineer will schedule audits, on an as-needed basis, to determine the extent to which the physical and functional characteristics of a CI are met. At a minimum, configuration reviews should take place upon definition and completion of the Requirements and Product Baselines.

  • Release management and deliveries

The standard software release management and delivery process will be used.

3.4 UIT Computer - Component 3d

3.4.1 Design Function

The design functions of the UIT Computer are:

  • Provide the graphical user interface (GUI) for the reactor operator.
  • Provide status of reactor parameters.
  • Provide alarms and messages.

3.4.2 Description of Old

The original CSC computer was an computer located in the lower right hand compartment of the console. The CSC computer displayed reactor operational information on two color CRT monitors.

The left side display contained information in text form on the status of the reactor facility. The three windows associated with the text monitor were the STATUS, WARNING and SCRAM windows.

The right side display terminal was located directly above the Rod Control Panel and displayed reactor information, including reactor power, control rod positions, and temperatures. This display used simulated bargraphs and an animated representation of the reactor core to provide the operator with a near real-time graphic display of the operating parameters of the reactor.

3.4.3 Comparison of Old vs. New

The new displays were designed to replicate the original displays to the maximum extent possible. The terminology that was used on the original display, e.g. STATUS pane, WARNING pane, SCRAM pane, etc., was maintained in the new displays.

3.4.4 Detailed Description of New

Reference T3A100B7911-1OM Rev.A[23]

The User Interface Terminal (UIT) uses a system to display parameters and accept user input. The UIT code is written in The UIT consists of two display screens: the Left Side Status Display and the Right Side Graphics Display.

3.4.4.1 Left Side Status Display

Figure 39 - Left Side Status Display

The Left Side Status Display screen is used to display operating information about the reactor. There are five display panes:

3.4.4.1.1 STATUS Pane

The STATUS pane presents current information about the status of the system including power readings, period, temperatures and pool level. The core position and shielding door positions are also displayed.

Also, the remote/local state of each channel is displayed. During a pulsing operation, an additional Inhibited field will be shown for the NLW and NMP and an additional Bypassed field will be shown for the NP. These fields are displayed to the right of the remote/local field. These fields are shown to indicate when the devices are inhibited or bypassed during a pulsing operation.

3.4.4.1.2 SCRAM Pane

The SCRAM pane displays scram conditions. If a scram were to occur in the reactor, an operator would reference the Status Display to quickly identify the cause of the scram. The SCRAM pane also provides buttons to conduct operational tests of the scram system. For the buttons to be enabled, a check box must be selected which reads "Enable Scram Tests".

NOTE: All scram/alarm messages displayed on the SCRAM and WARNINGS panes are first displayed on the left STATUS display, as opposed to the information panes on the graphic display.

3.4.4.1.3 WARNINGS Pane

The WARNINGS pane displays warnings of which the operator should be aware. An alarm disable checkbox is provided for each warning. If the checkbox is not checked and a trip occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box will be displayed for the warning. If the checkbox is checked and a trip occurs, the yellow box will still be displayed for the warning, but the horn will not sound and an ANNUNCIATOR Pane message will not be displayed. The primary purpose of this audible inhibit functionality is to minimize distractions during system setup and testing or prolonged warning situations.

3.4.4.1.4 MODE SELECTION Pane

The MODE SELECTION pane allows the operator to select the mode in which to operate the reactor. These modes are:

1. Manual Mode (Steady-state)
2. Automatic Mode (AUTO)
3. Square Wave
4. Pulse.

Figure 40 - MODE Selection Pane

This pane also contains checkboxes for the operator to select which rods are operated in banked mode.

The options are:

  • REG ONLY
  • REG, SHIM, SAFE

This pane also contains a text box and a button that allows the operator to enter the demand power setting. Once set, Demand is selected for the input power (in watts); this will update the Demand Power as shown on the upper left corner of the Reactor Display. When the demand power setting is selected and the reactor is in Automatic Mode, those rods selected in the banked movement will adjust their position to insert or remove reactivity to maintain power at the demand setting.

The MODE SELECTION pane also contains text boxes with checkboxes that allow the operator to manually select NMP-1000 Range and to indicate the current range selection for the NMP-1000. As an automatic ranging device, in normal operations, the NMP-1000 would change its scale based on the reactor power. By manually selecting a range, the operator will prevent that action by the NMP-1000. The NMP-1000 is an operational channel and is not credited in the minimum reactor safety system scrams.

This pane also allows the operator to set timed actuations. The Set Pulse Time button allows the operator to set the length of time before an automatic scram after a reactor pulse. The time is entered into a text box and actuated with a button. The reactor power pulse is a function of core physics and typically lasts a few hundred milliseconds. Normally, the operator will manually scram the reactor after a few seconds, but as required by the Technical Specifications, the system will automatically scram if the Set Pulse Time limit is reached. The Set Scram Time button is used to set the time of a scram from steady-state mode. There are buttons to start, stop, and reset this timer. It may be directed to count up or count down.

3.4.4.1.5 INTERLOCKS Pane

The INTERLOCKS pane displays interlock conditions. An alarm disable checkbox is provided for each interlock. If the checkbox is not checked and an interlock occurs, the horn will sound, an ANNUNCIATOR Pane message will be displayed and a yellow box for the interlock will be displayed. If the checkbox is checked and a trip occurs, the yellow box will be displayed for the interlock. The horn will not sound and an ANNUNCIATOR Pane message will not be displayed.

3.4.4.2 Right Side Graphics Display

While the Left Side Status Display shows the current facility mode and operational settings, the Right Side Graphics Display is the primary means by which the operator monitors and controls the reactor.

At the top of the Right Side Graphics Display the system menu bar displays the following menu items:

1. RUN: Exit to Windows or Restart UIT.
2. OPERATOR: Provides the ability to log in, log out, and display selected operator statistics.
3. HISTORY: System must be scrammed, then starts the execution of the history playback program.
4. DISPLAY: Refreshes the graphics displays (this option is rarely used).

Where the Left Side Status Display is divided into several different panes, all of which are simultaneously visible, the Right Side Graphics Display has six different screens which must be selected to be visible to the operator. The six screens are as follows:

3.4.4.2.1 Reactor Display #1

Figure 41 - Right Side Graphics Display - Reactor Display #1

Reactor Display #1 is for normal reactor operation. On the left portion of the Reactor Display #1 there are scales for the following:

1. LINEAR POWER: This bargraph shows the current reactor power level in watts on a linear scale. This information is obtained from the NMP-1000 Nuclear Multi-range Power Channel.

2. LOG POWER: This bargraph shows the current reactor power level as a percentage of maximum power, on a logarithmic scale. This information is obtained from the NLW-1000 nuclear channel.
3. NP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NP-1000 which is independent of the NPP-1000. This channel is denoted as Safety Channel 1.
4. NPP % POWER: This bargraph shows the current reactor power. This graph uses a linear scale and is redundant because it displays the information derived from the NPP-1000 which is independent of the NP-1000. This channel is denoted as Safety Channel 2.

The central portion of Reactor Display #1 shows a graphical representation of the reactor cross section with information about the status of the control rods. For the shim rod, the safety rod and the regulator rod, the small square box at the top of the control rod indicates the status of the control rod magnet power. For the transient rod, the small square box at the top of the control rod indicates the status of the air. The operator is able to quickly understand if a control rod is at its lower limit, the status of the magnet or air, the height of the control rods, and the measured drop time (if a drop is initiated from full height).

When the magnet or air is activated, a representative box changes from black to yellow. Additionally, when the control rod bottom limit switch is not activated, the control rod color changes from black to green. Therefore, anytime the control rod is off the bottom of its travel path, the box should be yellow and the rod green. Once the control rod has been lifted to its upper limit and activated the control rod upper limit switch, the control rod color will turn magenta.

Above each control rod position in the display, the individual control rod drop times are displayed.

Below each control rod position in the display is a small box that indicates the current position of the control rod drive mechanism. The scale for the position readout ranges from 0 to 999. The position is 0 if the control rod drive is all the way down and the position is 999 if the control rod drive is all the way up.

If the control rod is all the way down and the magnets are energized, its color will be gray. When the control rod down limit switch is activated, the position indicator is forced to zero units. If it is all the way up (and the control rod up limit switch is actuated), the color will be magenta and the position indicator is forced to 999 units. The control rod color will be green between the magnet and the bottom of the control rod when positioned anywhere between fully down or fully up.
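The indicator rules in this section (magnet or air box, rod color, forced position readout) reduce to one decision function. The Python below is an added example, not GA's display code: the names are hypothetical, black for a rod on the bottom with magnets off is inferred from "changes from black to green", and rejecting both limit switches actuated at once is an assumption the document does not state.

```python
from dataclasses import dataclass

POSITION_MIN, POSITION_MAX = 0, 999  # readout range given in the text


@dataclass(frozen=True)
class RodInputs:  # hypothetical input record, not a structure from the document
    holding_on: bool      # magnet power (shim, safety, regulator) or air (transient)
    down_limit: bool      # control rod down limit switch actuated
    up_limit: bool        # control rod up limit switch actuated
    drive_position: int   # drive mechanism position reading


@dataclass(frozen=True)
class RodIndicator:
    box_color: str   # small square box at the top of the rod
    rod_color: str
    position: int    # value shown in the position readout


def rod_indicator(inp: RodInputs) -> RodIndicator:
    """Map one rod's inputs to the colors and readout described in the text."""
    box = "yellow" if inp.holding_on else "black"

    # Assumption: a rod cannot be at both ends of travel, so this combination
    # is treated as a wiring or input fault instead of being drawn.
    if inp.down_limit and inp.up_limit:
        raise ValueError("down and up limit switches both actuated")

    if inp.down_limit:
        # Readout is forced to zero; gray when the magnets are energized.
        rod = "gray" if inp.holding_on else "black"
        return RodIndicator(box, rod, POSITION_MIN)

    if inp.up_limit:
        # Readout is forced to 999 and the rod is drawn in magenta.
        return RodIndicator(box, "magenta", POSITION_MAX)

    # Anywhere between the limits: green rod, reading kept inside 0..999.
    position = max(POSITION_MIN, min(POSITION_MAX, inp.drive_position))
    return RodIndicator(box, "green", position)


def off_bottom_without_holding(inp: RodInputs) -> bool:
    """True when the rod is off the bottom but magnet/air is off, which
    contradicts the text's 'box should be yellow and the rod green'."""
    return not inp.down_limit and not inp.holding_on


if __name__ == "__main__":
    # Constructed sample readings, not data from the reactor.
    for sample in (
        RodInputs(False, True, False, 137),
        RodInputs(True, True, False, 5),
        RodInputs(True, False, False, 432),
        RodInputs(True, False, True, 990),
    ):
        print(sample, "->", rod_indicator(sample))
```
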

At the bottom of the graphical display screen, several rectangles representing the physical rod control buttons on the Rod Control Panel are displayed. When a button is pressed on the Rod Control Panel, the system will highlight the button on the graphics display. This portion is particularly useful in automatic mode, for when a control rod drive is in motion, as dictated by the automatic control PID algorithm, the operator is able to verify proper control rod movement.

The ACKNOWLEDGE button on the Rod Control Panel provides a method to acknowledge trips, scrams, warnings, etc. that are displayed on the Annunciator Pane of the main graphics window. Pressing the ACKNOWLEDGE button will clear the top message in the annunciator window.

The SCRAM button on the rod control panel is hard-wired directly into the system scram loop (i.e., this signal is not processed by software, but status is provided to the software so the program can determine when the operator presses the SCRAM button). The SCRAM box indicates when the operator presses this SCRAM button.

On the right portion of the Reactor Display #1 there are scales for the following:

1. PERIOD: This bargraph shows the rate of change of the reactor power although somewhat indirectly. Period is inversely proportional to the rate of change. If reactor power is steady, the rate of change is equal to zero and the period is infinity. The greater the rate of change becomes, the less the period becomes. This information is obtained from the NLW channel.
2. NFT1 TEMP: This bargraph shows the NFT1 fuel temperature in °C on a linear scale. This information is obtained from the NFT channel.
3. NFT2 TEMP: This bargraph shows the NFT2 fuel temperature in °C on a linear scale. This information is obtained from the NFT channel.
4. POOL TEMP: This bargraph shows the pool temperature in °C on a linear scale. This information is obtained from the pool temperature RTD.

The bottom left portion of Reactor Display #1 shows the core position in the reactor pool. Because the AFRRI Reactor features a movable reactor core, this provides additional information to the operator and may be verified through visual inspection. This simple graphic has indication of the lateral location of the core, as well as the shield door position and the exposure room door positions.

3.4.4.2.2 Reactor Display #2

The Reactor Display #2 shows the same bargraphs as Reactor Display #1 but the central portion of the screen is replaced with a strip recorder display with the four parameters: linear power, log power, period, and coolant temperatures.

3.4.4.2.3 Reactor Prestart Tests

When the reactor is scrammed and magnet power is not applied, the Right Side Graphics Display will include two additional tabs: Reactor Prestarts Tests and Pulse Display. When the operator presses the Prestarts tab on the Right Side Graphics Display, the system shows the prestart tests that are available.

NOTE: This prestart mode is not available when conducting operational (manual) prestart tests from the Status Display using the Test Enable function, which requires that magnet power be applied to withdraw the control rods. While magnet power is applied, the Prestart Tests tab will not be displayed.

This Prestart Tests tab is used for the software generated prestart tests, and is not available when the reactor is operating. While running these prestart tests, the remaining tabs are disabled. A RUN button is provided to start the prestart tests. As each prestart test is completed, Passed or Failed will be displayed (along with a reason for a failure if the test fails). If a particular test fails, then the user must press the DONE or CONTINUE button on the display (using the mouse). Pressing the DONE button aborts the testing process. Pressing CONTINUE causes the system to continue with the next prestart test in the sequence.

At the end of all the tests, pressing DONE clears the prestart and returns control to the main reactor display tab. At any time while the system is waiting for the operator to press the CONTINUE or DONE button, the operator can press the PRINT button to send a copy of the prestart report to the system printer.

On the right side of the display, buttons are provided to run each of the prestart tests individually. A Test Off button is provided to stop the tests.

The available prestart tests include:

1. NMP: Low Current, High Current, High Voltage (Low), Low Count
2. NLW: Low Current, High Current, High Count, High Voltage (Low), Period
3. Watchdog: CCS Watch, UIT Watch
4. NP: Ramp, High Power, High Voltage (Low)
5. NPP: Ramp, High Power, High Voltage (Low)
6. NFT: 1 Low Temp, 1 High Temp, 2 Low Temp, 2 High Temp, 3 Low Temp, 3 High Temp

3.4.4.2.4 Pulse Display

The Pulse Display tab is automatically displayed after a successful pulse operation. It will display the results of the last pulse in graphic form. The pulse data file, stored on the computer as a CSV formatted file, will have the date, time, width at half power, pulse time, number of entries, period, total energy, peak pulse power, peak fuel temperature, and the pulse reactivity. The user can scroll horizontally along the time of the pulse and can scale the y-axis of the selected parameter. Prior pulses may be loaded for viewing when the reactor is in a non-operational mode.

3.4.4.2.5 Administration Display

When an operator is logged in as a system administrator and the system is scrammed, the Administration tab will be added to the display tab list. This screen displays all the operators by name and operator number, as well as their logged in times, magnet on time (their run times/time spent in an operational mode), and their cumulative Megawatt (MW) Hours (operator time when reactor produced MW). This information is kept in plain text form on the CCS LINUX machine as well, so that a system administrator can reset values to zero by editing this file (or resetting all statistics by deleting the file). This is a useful feature for when a new reactor operator requalification cycle starts.

3.4.4.2.6 Test Functions Display

When an operator is logged in as a system administrator and the system is scrammed, the Tests Functions tab will be added to the display tab list. The test display is intended for diagnostic, testing, and informative purposes. There are four major sections: Digital Outputs, Digital Inputs, Analog Outputs and Analog Inputs.

In the Digital Outputs section, there is a checkbox on many buttons on the test screen. Checking one of these checkboxes will turn on that particular output; clearing the checkbox will turn off that particular output. However, the test functions only work while in scrammed mode, so attempting to turn on the magnet power outputs will not actually supply power to the magnets since the hardwired scram loop prevents that from occurring. When checking one of the magnet power output checkboxes, the system will write the output to the hardware port (on the Sensory 2653 board), and the user can verify that the output is present by the corresponding LED on that board and magnet power is cut off after that point.

Note that the transient rod is controlled by digital outputs which are located in this section. You can move the cylinder up and down using the test functions, but you cannot fire the rod from the test screen. Many other buttons are provided to initiate the test modes and trip reset for all of the channels.

In the Digital Inputs section, the input data is displayed in two forms. First, all of the digital inputs are displayed in a binary string (ones and zeros) with each bit of that string corresponding to one of the hardware inputs (0=off, 1=on). Second, the test display also shows the digital inputs using signal names. The name is white text when the signal is zero (off), and red text when the signal is one (on). Also, the trips, Local/Remote status, Comm status and range (NMP-1000 Only) are shown as signal names. The name is blue text when the signal is zero (off), and red text when the signal is one (on).

In the Analog Outputs (rod control) section, the Tests Functions provides text edit boxes into which the operator can type a value between -10.0 and +10.0. This voltage is written to the corresponding D/A converter that drives the regulating, shim, safety and transient rod control drives. Note that because both magnet power and air pressure cannot be applied in scrammed mode, only the control rod drives and magnets will move and not the actual control rods.

In the Analog Inputs section, the Tests Functions displays the raw 16-bit numeric value and the converted value for each of the analog inputs.
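The Analog Outputs text boxes described above accept a typed value between -10.0 and +10.0, and the tab exists only for an administrator while the system is scrammed. The Python below is an added example (not GA's code; `ConsoleState`, `set_analog_output` and the other names are hypothetical) of enforcing both conditions at the point where the value is accepted, instead of relying on the tab being hidden.

```python
import math
import re
from dataclasses import dataclass, field

V_MIN, V_MAX = -10.0, 10.0  # range stated in the text
ROD_DRIVES = ("regulating", "shim", "safety", "transient")

# Plain ASCII decimal only. float() on its own also accepts "nan", "inf",
# "1e400" (becomes inf), "1_0" (becomes 10.0) and non-ASCII digits.
DECIMAL = re.compile(r"[+-]?(?:[0-9]+(?:\.[0-9]*)?|\.[0-9]+)")


class Rejected(ValueError):
    """Raised when a test-function request must not reach the D/A converter."""


@dataclass
class ConsoleState:  # hypothetical model of the conditions named in the text
    scrammed: bool
    admin_logged_in: bool
    pending_outputs: dict = field(default_factory=dict)


def parse_drive_voltage(text: str) -> float:
    """Return the typed voltage, or raise Rejected if it is not a plain
    decimal number inside the stated -10.0 .. +10.0 range."""
    candidate = text.strip()
    if not DECIMAL.fullmatch(candidate):
        raise Rejected(f"not a plain decimal number: {text!r}")
    volts = float(candidate)
    # isfinite() covers a digit string so long that float() overflows to inf.
    if not math.isfinite(volts) or not (V_MIN <= volts <= V_MAX):
        raise Rejected(f"outside {V_MIN}..{V_MAX} V: {text!r}")
    return volts


def accepts(text: str) -> bool:
    """Convenience wrapper: True if parse_drive_voltage would accept text."""
    try:
        parse_drive_voltage(text)
        return True
    except Rejected:
        return False


def set_analog_output(state: ConsoleState, drive: str, text: str) -> float:
    """Check the preconditions again at write time, then queue the value."""
    if not (state.scrammed and state.admin_logged_in):
        raise Rejected("test functions need an administrator and a scrammed system")
    if drive not in ROD_DRIVES:
        raise Rejected(f"unknown rod drive: {drive!r}")
    volts = parse_drive_voltage(text)
    state.pending_outputs[drive] = volts  # stands in for the D/A write
    return volts


if __name__ == "__main__":
    # Constructed inputs, as an operator might type them.
    for typed in ("2.5", " -10.0 ", "10.01", "nan", "1_0", "1e1"):
        print(repr(typed), "accepted" if accepts(typed) else "rejected")
```
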

3.4.4.2.7 Data Recording and Playback Display

The system captures all events written to the UIT displays and records them to a file on the UIT computer for future playback. These filenames are coded so a reactor administrator or operator can locate the run history for a particular reactor run and play back those files.

3.4.5 Safety Analysis

The new UIT computer has been designed and manufactured to meet or exceed the requirements of the previous unit computer. The new computer and associated software have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new computer will be as dependable as the original unit.

Consideration of human factors and man-machine interfaces has been included in developing the design of the display. The operator controls have been designed so that operators can perform their tasks easily and correctly. The choice of controls used in the system takes into account the needs of the operator to optimize performance under all conditions.

In the event that the UIT computer malfunctions, i.e. becomes unresponsive, the UIT Watchdog Timer will initiate a scram. If the timer fails, then the reactor operator can always manually scram the reactor via the hardwired manual scram pushbutton.

The NP-1000, NPP-1000, NLW-1000 power channels and the NFT-1000 fuel measuring channels provide, independently, both an analog signal and digital signal to the control console for display by the bargraphs, by the chart recorder and by the UIT computer display interface. The reactor operator can use these independent signals as a means to cross-check the validity of the indicated power level or fuel temperature. Therefore, in the case that the UIT computer malfunctions and provides erroneous information, there are other redundant and diverse channels that the operator can use to verify power level or fuel temperature.

There are no accident scenarios associated with the UIT computer and the failure of the computer is of minimal consequence since the computer does not provide any safety functions that are intended to prevent the fuel temperature safety limit of 1000 °C from being exceeded.

It is concluded that the UIT Computer will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.4.6 Technical Specifications

With the exception of the wording for the watchdog scram (refer to redline changes below), all existing technical specifications[5] remain unchanged for this replacement. The technical specifications that apply to this channel are:

3.2.2 Reactor Safety Systems Specification

The reactor shall not be operated unless the safety systems described in Tables 2 and 3 are operable for the specific mode of operation.

The Watchdog listed in Table 2, Minimum Reactor Safety System Scrams, needs to be revised to Watchdog (DAC to CSC) (UIT and CCS).

3.4.7 Quality Assurance

Significant software QA was performed on all GA-developed software. Extensive test documentation is available for review and is summarized below.

Software Development Plan, AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC Rev A[29]

The Software Development Plan (SDP) applies to the software development and release of the TRIGA Console and Channels subsystems to support replacement of the existing TRIGA Mark F Research Reactor Instrumentation and Control System Console (CSC) at Armed Forces Radiobiology Research Institute (AFRRI). The instrumentation housed in the new Data Acquisition Cabinet (DAC), located in the reactor room, includes the nuclear channels, power supplies, rod drive control, signal processing, analog I/O and Ethernet interface. The CSC includes two computer systems. The User Interface Terminal (UIT) runs on one computer, which operates on Windows, to display reactor activities. The other is the Console Computer System (CCS), which operates on Linux to display reactor functions and conditions. This SDP describes the development process, organization, management structure, activities performed and resources used in the development of the AFRRI TRIGA software.

Furthermore, the SDP describes the planning of management, process, procedures, organization, staffing, scheduling, methods, resources, tasks, products, and reviews that are used to develop the AFRRI TRIGA software.

In addition to providing traditional project planning information, this SDP is also used to tailor the standard Software Engineering activities to fit the needs and constraints of this project. Separate documents, such as the TRIGA Software Configuration Management Plan (SCMP) and the Software Quality Assurance (SQA) Plan (SQP), will be used to describe how software configuration and software quality processes are applied to this project. This SDP is the prevailing document for software development activities. In the event of conflict between this SDP and another planning document, this SDP shall take precedence in matters related to software development.

Software Quality Plan, USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP Rev X3[30]

The purpose of this Software Quality Assurance Verification and Validation Plan is to define:

  • The Software Quality organization for the AFRRI TRIGA Replacement Console Project at General Atomics Electromagnetics Systems (GA-EMS)
  • The Software Quality tasks, Verification & Validation (V&V) tasks and responsibilities
  • The standards, practices, and conventions used to perform Software Quality and V&V activities
  • The tools, techniques, and methods that will be used to support Software Quality and V&V activities and reporting.

The AFRRI TRIGA project will be a replacement and upgrade effort where GA-ESI will provide replacement Console hardware and software, as well as installation services, for support of the existing monitoring, control and safety systems of the Mark F Research Reactor.


The plan articulates the Software Quality activities, including software quality engineering, software quality assurance, V&V, and software testing, performed throughout the software development life cycle of the AFRRI TRIGA Replacement Console Project.

The plan will define Software Quality and V&V support functions for this project and specify the reporting activities of Software Quality to Quality management, with communication links to the AFRRI TRIGA Project Manager and the project Software Engineering Manager.

A key goal of the Software Quality function is to verify that all software and documentation to be delivered meet all technical requirements and to ensure compliance with contractual requirements and with GA-ESI processes and procedures for software development.

The Software Quality and V&V tasks defined herein shall be used to examine deliverable software and project work products, assess conformance of planned tasks and activities to processes and procedures, and to determine compliance with technical and regulatory compliance requirements.

The Software Quality Assurance plan is written to comply with all contractual Quality Assurance Requirements and recognizes ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors[33], ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry[34], NRC Regulation 1.152[35] and the applicable sections of IEEE 7-4.3.2[36] for non-power research reactors.

The plan also complies with GA-ESI's Quality Management System, Quality Manual & procedures, and RMS Engineering Operating procedures.

The plan aligns with GA-ESI Procedure EP-021 which describes the standard product development process and GA-ESI Quality procedure QAP 03-03 Software Quality Assurance Planning that supports the lifecycle phases listed below for a waterfall software development model:

  • Concept/Planning
  • Requirements
  • Design
  • Implementation & Coding
  • Testing
  • Installation and Checkout

Software Configuration Management, TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC Rev X1[28]

The Software Configuration Management (SCM) Plan (SCMP) provides the guidelines to be used to manage changes to the TRIGA software at General Atomics Electronic Systems, Inc. (GA-ESI). The intended audience for the document includes, but is not limited to, Project Management, Software Quality Assurance, and Software Engineering personnel.

This SCMP will be used to ensure compliance to the SCM requirements as listed in the Armed Forces Radiobiology Research Institute (AFRRI) Statement of Work (SOW).

Software Configuration Management functions will be performed as described in the document throughout the Software Development Life Cycle (SDLC). This SCMP will be used to track and control changes in project documentation, software source code, software build artifacts, test tools, and test artifacts as described in the document. The SCMP is used in conjunction with GA-ESI Configuration Management (CM) operating procedures. There are no known limitations to this plan and assumptions have been made with respect to this plan.


Software Configuration Management is the discipline of controlling and tracking changes made to a software system throughout the SDLC. SCM is applicable, but not limited, to software requirements, design, source code, and project documentation. The following describes the activities involved with SCM, including:

  • Configuration identification: A Configuration Item (CI) is any component of a system, including documentation, which will be under the control of CM. These items are identified, recorded and managed within a Configuration Management System (CMS) and maintained throughout the lifecycle of the project.

Configuration Items for a software system consist of software process plans, specification documentation, software source code, test documentation, technical manuals and version description documentation.

  • Configuration control: Configuration control defines the process for requesting, evaluating, approving or disapproving, and implementing changes to baselined CIs. Changes can include but are not limited to defects, enhancements and new requirements.

A baseline provides a static reference point to a grouping of CIs that make up a system at a given point in time. Baselines establish a version of the software configuration which serves as the basis for further development. After a baseline has been established, changes in scope can only be performed through a formal change request process as identified in the SCMP.

  • Configuration status accounting: The SCM engineer is responsible for the recording and reporting of software configuration status.

For software product builds performed by the SCM engineer, a configuration status report will be generated identifying the built software version, included issues, known software limitations, and additional developer notes associated with each issue.

Configuration status reports will be controlled as release notes and stored on the project's SharePoint site. A copy of the release notes will be provided with each build in the designated build area located on the GA-ESI network. Refer to the SCMP for the base location of where builds are stored on the GA-ESI network.

  • Configuration evaluations and reviews: Configuration evaluations and reviews will be used as the mechanism to evaluate a baseline. The SCM engineer along with the SQA engineer will schedule audits, on an as-needed basis, to determine the extent to which the physical and functional characteristics of a CI are met. At a minimum, configuration reviews should take place upon definition and completion of the Requirements and Product Baselines.
  • Release management and deliveries: The standard software release management and delivery process will be used.


3.5 Bargraphs - Component 3e

Figure 42 - Picture of Old and New Bargraphs

3.5.1 Design Function

The design functions of the Bargraphs are:

  • Provide power indication that is available to the reactor operator.
  • Be independent of the control system computers.
  • Provide redundancy and diversity in the event of the computer system failure.

3.5.2 Description of Old

The bargraphs were located to the left of the graphics displays. The panel contained eight vertical LED bargraph meters. The bargraph meters received 4-20 mA signals from the DAC, NP/NPP-1000, NM-1000 channels and fuel temperature channel signal conditioners. The parameters displayed by the bargraph meters were:

Safety 1 (%) (NP-1000)

Safety 2 (%) (NPP-1000)

Log Power (%) (NM-1000)

Period (sec) (NM-1000)

Fuel Temp 1 (°C)

Fuel Temp 2 (°C)

NVT (MW sec) (NPP-1000)

NV Peak (MW) (NPP-1000)

The bargraphs were .

3.5.3 Comparison of Old vs. New

The bargraphs are functional equivalents. Both are microprocessor-based LED meters that accept an analog 4-20 mA signal. The new panel has a ninth bargraph to display the additional fuel temperature channel.


3.5.4 Detailed Description of New

The bargraphs are located on the left side of the console, in about the same position as the old bargraphs.

These bargraphs are hardwired to the modules and are independent of the console computer system. The bargraphs are which the manufacturer recommends as a direct replacement for the previous model . The input to the NPP-1000 NV Peak bargraph is wired to one of the relays on the utility drawer in the CSC. The relay is controlled by the CCS computer and active only during pulsed reactor operation. During steady state reactor operation, the input to the bargraph is disconnected. This is done because the NPP-1000 peak detect circuit produces an output at all times, but that output is only relevant and needs to be displayed while the reactor is pulsed.

The panel includes nine bargraphs:

Safety 1 (%) (NP-1000)

Safety 2 (%) (NPP-1000)

Log Power (%) (NLW-1000)

Period (sec) (NLW-1000)

Fuel Temp 1 (°C) (NFT-1000)

Fuel Temp 2 (°C) (NFT-1000)

Fuel Temp 3 (°C) (NFT-1000)

NVT (MW sec) (NPP-1000)

NV Peak (MW) (NPP-1000)

3.5.5 Safety Analysis

The new bargraphs maintain independence from the CSC display. The bargraphs are directly wired from the analog outputs of the associated channel and provide an independent means to provide the reactor operator with information pertaining to reactor power level or fuel temperature.

The new bargraphs have been designed and manufactured to meet or exceed the requirements of the previous units. The new bargraphs have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new bargraphs will be as dependable as the old unit.

The NP-1000, NPP-1000, NLW-1000 power channels and the NFT-1000 fuel measuring channels provide, independently, both an analog signal and digital signal to the control console for display by the bargraphs, by the chart recorder and by the console computer display interface. The reactor operator can use these independent signals as a means to cross-check the validity of the indicated power level or fuel temperature. Therefore, in the case that a bargraph fails or malfunctions and provides erroneous information, there are other redundant and diverse channels that the operator can use to verify power level or fuel temperature.
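The cross-check described above can be written as a comparison between the hardwired 4-20 mA reading and the computer-displayed value for the same channel. The following is an added example, not part of the AFRRI submittal or of GA's software; the spans, tolerance, fault margin and readings are assumed values constructed for illustration.

```python
"""Cross-check a hardwired 4-20 mA loop reading against the value a console
computer reports for the same channel. All spans, tolerances and readings
below are constructed for illustration; none come from the AFRRI submittal."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LIVE_ZERO_MA = 4.0     # loop current at the bottom of the span
FULL_SCALE_MA = 20.0   # loop current at the top of the span
FAULT_MARGIN_MA = 0.4  # assumed allowance before a loop is treated as faulted


@dataclass(frozen=True)
class LoopSpan:
    channel: str
    unit: str
    low: float   # engineering value at 4 mA (assumed)
    high: float  # engineering value at 20 mA (assumed)


@dataclass(frozen=True)
class Reading:
    span: LoopSpan
    loop_ma: float                  # measured on the hardwired analog path
    digital_value: Optional[float]  # value shown by the computer, None if absent


def loop_to_value(span: LoopSpan, loop_ma: float) -> Optional[float]:
    """Convert loop current to engineering units.

    Returns None when the current is outside the live range. A 4-20 mA loop
    has a "live zero": a healthy loop never reads near 0 mA, so a dead or
    open loop is distinguishable from a genuine bottom-of-span signal.
    """
    if not (LIVE_ZERO_MA - FAULT_MARGIN_MA <= loop_ma
            <= FULL_SCALE_MA + FAULT_MARGIN_MA):
        return None
    fraction = (loop_ma - LIVE_ZERO_MA) / (FULL_SCALE_MA - LIVE_ZERO_MA)
    return span.low + fraction * (span.high - span.low)


def cross_check(reading: Reading, tolerance_pct_of_span: float = 2.0) -> str:
    """Classify one channel: the two paths agree, disagree, or one is unusable."""
    analog = loop_to_value(reading.span, reading.loop_ma)
    if analog is None:
        return "ANALOG_LOOP_FAULT"
    if reading.digital_value is None:
        return "DIGITAL_MISSING"
    allowed = tolerance_pct_of_span / 100.0 * (reading.span.high - reading.span.low)
    if abs(analog - reading.digital_value) > allowed:
        return "MISMATCH"
    return "AGREE"


def review(readings: List[Reading]) -> Dict[str, str]:
    """Run the cross-check over every channel and return channel -> status."""
    return {r.span.channel: cross_check(r) for r in readings}


# Channel names follow the bargraph list on the page; spans are assumptions.
SAFETY_1 = LoopSpan("Safety 1", "%", 0.0, 120.0)
SAFETY_2 = LoopSpan("Safety 2", "%", 0.0, 120.0)
FUEL_TEMP_1 = LoopSpan("Fuel Temp 1", "°C", 0.0, 1000.0)
FUEL_TEMP_2 = LoopSpan("Fuel Temp 2", "°C", 0.0, 1000.0)

# Constructed sample readings, one per outcome.
SAMPLE_READINGS = [
    Reading(SAFETY_1, 12.0, 60.5),      # both paths agree within tolerance
    Reading(SAFETY_2, 0.0, 35.0),       # dead loop: analog path unusable
    Reading(FUEL_TEMP_1, 8.0, 310.0),   # computer value diverges from the loop
    Reading(FUEL_TEMP_2, 8.0, None),    # computer supplied no value
]

if __name__ == "__main__":
    for channel, status in review(SAMPLE_READINGS).items():
        print(f"{channel:12s} {status}")
```

A MISMATCH or DIGITAL_MISSING result points the reviewer at the computer path, while ANALOG_LOOP_FAULT points at the hardwired loop or its indicator.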

There are no accident scenarios associated with the bargraphs and the failure of a bargraph is of minimal consequence since the bargraphs do not provide any automatic protective actions.

It is concluded that the upgraded bargraphs will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.5.6 Technical Specifications

There are no technical specifications[5] associated with the bargraphs.


3.5.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.


3.6 Recorders - Component 3f

Figure 43 - Picture of Old and New Chart Recorders

3.6.1 Design Function

The design functions of the Recorders are:

  • Provide power indication and trending that is available to the reactor operator.
  • Provide a permanent record of reactor power.
  • Be independent of the control system computers.
  • Provide redundancy and diversity in the event of the computer system failure.

3.6.2 Description of Old

The chart recorders were located to the left of the graphics displays. The panel had two paper chart recorders. The chart recorder received 4-20 mA signals from the NM-1000 and fuel temperature channel signal conditioners.

The paper chart recorders ( ) provided a record of the multi-range linear output of the NM-1000 and the fuel temperature channel signal conditioners. All recorder inputs were hardwired to their respective signal sources and therefore did not depend upon the computer for their input signals.

3.6.3 Comparison of Old vs. New

The new recorders are videographic compared to the old paper and pen style recorders. The recorders are for indication only and provide no protective actions.

3.6.4 Detailed Description of New

The chart recorders ( ) are located on the left side of the console, are hardwired to the modules, and are independent of the console computer system.

The recorders use a high resolution digital LCD display (5.7 inches) that provides clear, bright images and a wider viewing angle than other display types. The touch-screen interface and graphical icons make them easy to use, while the display can be customized to access the best representation of process data. They record data in a secure digital format, eliminating interpolation errors that can arise from transposing data from a chart to a spreadsheet for analysis. Each supports up to 12 analog and 16 digital inputs. They can store data to a secure digital (SD) card and/or USB memory stick. As a minimum, the chart recorder on the left records Log Power (NLW-1000), and the chart recorder on the right records Linear Power (NP-1000). However, all analog signals from the nuclear instruments are hardwired into the chart recorders and are available for display and storage. The user has the option to enable additional inputs to be viewed and recorded. The analog signals connected to the recorders are listed in Table 10.

Table 11 - List of Recorder Inputs

Left Recorder | Right Recorder
NLW-1000 Log Power | NP-1000 Safety 1 Linear Power
NPP-1000 Safety 2 Power (optional) | NFT-1000 Fuel Temp 2 (optional)
NLW-1000 Period (optional) | NFT-1000 Fuel Temp 3 (optional)
NPP-1000 NVT (optional) | NMP-1000 Multi-Range Power (optional)
NPP-1000 NV (optional) |
NFT-1000 Fuel Temp 1 (optional) |

3.6.5 Safety Analysis

The new recorders maintain independence from the CSC display. The recorders are directly wired from the analog outputs of the associated channel and provide an independent means to provide the reactor operator with information pertaining to reactor power level or fuel temperature.

The new recorders have been designed and manufactured to meet or exceed the requirements of the previous units. The new recorders have undergone rigorous testing and quality assurance at multiple steps in the design, manufacture and installation phases. Due to this, it is expected that the new recorders will be as dependable as the old unit.

The NP-1000, NPP-1000, NLW-1000, and NMP-1000 power channels and the NFT-1000 fuel measuring channels provide, independently, both an analog signal and digital signal to the control console for display by the bargraphs, by the chart recorder(s) and by the console computer display interface. The reactor operator can use these independent signals as a means to cross-check the validity of the indicated power level or fuel temperature. Therefore, in the case that a recorder fails or malfunctions and provides erroneous information, there are other redundant and diverse channels that the operator can use to verify power level or fuel temperature.

There are no accident scenarios associated with the recorders and the failure of a recorder is of minimal consequence since the recorders do not provide any automatic protective actions.

It is concluded that the upgraded recorders will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

3.6.6 Technical Specifications

There are no technical specifications[5] associated with the chart recorders.

3.6.7 Quality Assurance

GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT[27]

Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A[7]

This test demonstrates that the Replacement I&C Console meets the requirements of the SOW and the Functional Requirements Specifications (FRS). GA performed separate, in-depth tests of the components, the nuclear instruments, the control system console, and the system as a whole. These tests, their traceability to the SOW and their results are provided to AFRRI in accordance with the SOW.

Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A[8]

Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A[9]

This document is the Site Acceptance Test (SAT) for the Replacement I&C Console provided by General Atomics (GA) for the AFRRI facility. This test demonstrates that the Replacement I&C Console procured by AFRRI from GA has been installed correctly for operation at AFRRI and meets the technical and functional requirements.

This SAT is not intended to be an exhaustive test of the system at the component or subassembly level.

GA has factory tested in-depth, and calibrated according to manufacturer specifications, the various components and subsystems, the individual nuclear instrument channels, the rod control system, the auxiliary plant parameter measurement systems, and has tested the integrated system to demonstrate that the Replacement I&C System performed in the factory as intended. This was demonstrated by GA and accepted by AFRRI representatives during exhaustive factory acceptance testing (FAT). The SAT demonstrates satisfactory at-reactor installation of the system, and verifies, by adequate operational demonstration, that the system can be used to operate the AFRRI TRIGA in accordance with the facility operating requirements.

The SAT involved tests to confirm proper installation and functionality of all components and subsystems of the Replacement I&C System, including the nuclear power measuring channels, reactivity control systems, and all other balance of plant systems controlled and monitored by the replacement system.


4 References

1 GA Operation and Maintenance Manual NP-1000/NPP-1000 Percent Power Channel, E117-1010 Revision 2, 1991
2 NP-1000, Nuclear Power Module, User Manual, Document T3271000-1UM, Rev A, December 2018
3 GA Document, T9S900D970-SRS, GA TRIGA Nuclear Module Software Communications Protocol Document
4 TRIGA NP/NPP-1000 Software Requirements Specification T3287960-SRS
5 Technical Specifications for the AFRRI Facility Rev 25, Aug 14, 2019
6 GA Acceptance Test Procedure (ATP), NP-1000, Nuclear Power Instrument, T3271000-1AT
7 Factory Acceptance Test Procedure System Assembly, AFFRI TRIGA T3A10087371-FAT Rev A
8 Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1. T3A100B7372-SAT Rev A
9 Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA REACTOR T3A100B7373-SAT Rev A
10 NPP-1000, Nuclear Power Module, User Manual, Document T3281000-1UM, Rev A, January 2018
11 GA Acceptance Test Procedure (ATP), NPP-1000, Nuclear Power Instrument, T3281000-1AT
12 GA Operation and Maintenance Manual NM-1000 Neutron Monitoring System, E117-1000, 1989
13 NLW-1000, Wide Range Log Power Module, User Manual, Document T3322000-1UM, Rev B, June 2015
14 Acceptance Test Procedure (ATP), Wide-Range Log Module NLW-1000, T3322000-1AT
15 NMP-1000, Multi-range Linear Module, User Manual, Document T3401000-1UM, Rev C, January 2018
16 ANS/ASME NQA-1-2000, Quality Assurance Requirements for Nuclear Facility Applications
17 NMP-1000 Software Requirements Specification T9S900D941-SRS Rev A
18 GA Acceptance Test Procedure (ATP), NMP-1000, Nuclear Power Instrument, T3401000-1AT
19 GA Operation and Maintenance Manual, E117-1006, 1989
20 NFT-1000, Nuclear Fuel Temperature Module, User Manual, Document T3291000-1UM, Rev A, January 2018
21 NFT-1000 Software Requirements Specification T3297960-SRS Rev A
22 GA Acceptance Test Procedure (ATP), NFT-1000, Nuclear Power Instrument, T3291000-1AT
23 TRIGA Reactor Instrumentation & Control System, Operation and Maintenance Manual, Document T3A100B7911-1OM, Rev A, January 2018
24 GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Cabinet Assembly, DAC, T3A300E100-1AT
25 Response for the Request for Additional Information (RAI), September 30, 2016 (ML16278A111)
26 Safety Evaluation Report (SER), November 2016 (ML16278A347)
27 GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, Console, AFRRI TRIGA, T3A200E100-1AT
28 GA Acceptance Test Procedure (ATP), Acceptance Test Procedure, FIS, T3A400E100-1AT
29 AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-DOC
30 USUHS/AFRRI Software Quality Assurance Verification and Validation, T3S99001-SQAP Plan
31 TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC
32 Vendor Award/Contract HT940412C0006
33 ANSI/ANS 15.8 Quality Assurance Program Requirements for Research Reactors, 1995
34 ANS/ANSI 10.4 Guidelines for the Verification and Validation of Scientific and Engineering Computer Programs for the Nuclear Industry, 1987 (R1998)
35 U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Rev 3, July 2011
36 IEEE 7-4.3.2 Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations

Appendix A - Summary Table WAS/IS

Old NP-1000 | NP-1000 (item 1a) | Safety Analysis - no change
NPP-1000 | NPP-1000 (item 1b) | Safety Analysis - no change
NM-1000 | NLW-1000 (item 1c) | Safety Analysis
NM-1000 | NMP-1000 (item 1d) with new Compensated Ion Chamber (item 1d) | Safety Analysis
Action Pak modules | NFT-1000 (item 1e) | Safety Analysis - no change
Scram loop | Scram loop (item 1f) | Safety Analysis - no change
Control rod drive | Control rod drive (item 1g) | Safety Analysis - no change

NOTE: This only applies to the 3 standard control rod drives designated as SAFE, SHIM and REG. The Transient Rod drive was not modified during this upgrade and is original.

Action Pak modules | Process Instrumentation (item 1h) | Safety Analysis - no change
Facility Interlock System | Facility Interlock System (item 2) | Safety Analysis - no change
Control System Console | Control System Console (item 3) | Safety Analysis
Rod Control Panel | Rod Control Panel (item 3a) | Safety Analysis
Reactor Mode Control Panel | Reactor Mode Control Panel (item 3b) | Safety Analysis

CCS Computer (item 3c) - The new console contains two computers, each with its own monitor. The CCS uses a - - and handles input and output data, monitors the pushbuttons on the control rod panel and drives the indicator lights on the console.

No change - no functional or operational change. All software was subjected to extensive quality assurance using GA procedures.

custom GA Configurator software to drive the display, and - for communications to the rest of the system.

UIT Computer (item 3d)

No change - All software was subjected to extensive quality assurance using GA procedures.

The User Interface Terminal (UIT) uses a to display parameters and accept user input.

Bargraphs | Bargraphs (item 3e) | Safety Analysis
Chart recorders | Chart recorders (item 3f) | Safety Analysis

Appendix B - Photos of Components

Appendix B.1 - Data Acquisition Cabinet

Figure 44 - Data Acquisition Cabinet

Figure 45 - Data Acquisition Cabinet - Power Supplies

Figure 46 - Data Acquisition Cabinet - Digital Input/Output

Figure 47 - Data Acquisition Cabinet - Analog Input/Output

Figure 48 - Data Acquisition Cabinet - Nuclear Instruments

Figure 50 - Scram Loop

Appendix B.2 - Facility Interlock System

Figure 51 - Facility Interlock System - Cabinet Outside

Figure 52 - Facility Interlock System - Cabinet Inside

Figure 53 - Facility Interlock System - Exposure Room Control Box

Figure 54 - Facility Interlock System - Exposure Room Status Panel

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Appendix B.3 - Control System Console Figure 55 - Control System Console - Front Figure 56 - Control System Console - Rear 141 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 142 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 58 - Control System Console - UPS 143 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 59 - Control System Console - Digital Input 144 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 60 - Control System Console - Digital Output 145 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 61 - Control System Console - Rod Control Panel - Front 146 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 62 - Control System Console - Reactor Mode Control Panel - Front 147 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 63 - Control System Console - Reactor Mode Control Panel - Back 148 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 64 - Control System Console - Computers - Left Side Display 149 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 65 - Control System Console - Computers - Right Side Display 150 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 66 - Control System Console - Bargraphs and Recorders 151 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 67 - Control System Console - Bargraphs - Front 152 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 68 - Control System Console - Recorders - Front 153 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390

Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390 Figure 69 - Control System Console - Bargraphs and Recorders Panel - Back 154 Proprietary Information Withhold From Public Disclosure Under 10 CFR 2.390