ML22067A246
| ML22067A246 | |
| Person / Time | |
|---|---|
| Site: | Armed Forces Radiobiology Research Institute |
| Issue date: | 03/29/2022 |
| From: | Cindy Montgomery NRC/NRR/DANU/UNPL |
| To: | Cook A US Dept of Defense, Armed Forces Radiobiology Research Institute |
| Montgomery C; 301-415 3398 | |
| References | |
| EPID L-2020-NFA-0012 | |
| Download: ML22067A246 (32) | |
Text
Mr. Andrew Cook Interim Reactor Facility Director Armed Forces Radiobiology Research Institute 4555 South Palmer Road, Building 42 Bethesda, MD 20889-5648
SUBJECT:
U.S. DEPARTMENT OF DEFENSE ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE - REPORT ON THE REGULATORY AUDIT CONDUCTED JANUARY 27, 2022, RE: DIGITAL INSTRUMENTATION &
CONTROL SYSTEM UPGRADE (EPID L-2020-NFA-0012)
Dear Mr. Cook:
By letter dated November 10, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20318A339), as supplemented by letters dated February 5, 2021 (ADAMS Accession No. ML21036A297), February 11, 2021 (ADAMS Accession No. ML21042B841), April 27, 2021 (ADAMS Accession No. ML21316A037), October 28, 2021 (ADAMS Accession No. ML21302A097), November 8, 2021 (ADAMS Accession No. ML21316A033), and January 7, 2022 (ADAMS Accession No. ML22007A264), Armed Forces Radiobiology Research Institute (AFRRI) applied for an amendment to Facility Operating License No. R-84 for the AFRRI TRIGA-Mark F tank-type nuclear reactor facility. The requested licensing action would replace and upgrade the instrumentation and control systems for the reactor and would amend the technical specification related to the upgrade.
Enclosed is a report on the regulatory audit conducted by U.S. Nuclear Regulatory Commission (NRC) staff of the from September 14, 2021, to January 27, 2022, in connection with its review of the application. The audit report does not make any licensing conclusions or findings, but it is part of the administrative record of the NRC staffs review of the application and may provide information supporting the NRC staffs safety evaluation. The audit followed the plan provided by letter dated September 13, 2021 (ADAMS Accession No. ML21253A001), unless otherwise noted in the enclosed report.
March 29, 2022
A. Cook If you have any questions, please contact me at (301) 415-3398, or by electronic mail at Cindy.Montgomery@nrc.gov.
Sincerely, Cindy Montgomery, Project Manager Non-Power Production and Utilization Facility Licensing Branch Division of Advanced Reactors and Non-Power Production and Utilization Facilities Office of Nuclear Reactor Regulation Docket No. 50-170 License No. R-84
Enclosure:
As stated cc: See next page Signed by Montgomery, Cynthia on 03/29/22
Armed Forces Radiobiology Research Institute Docket No 50-170 cc:
Director, Maryland Office of Planning 301 West Preston Street Baltimore, MD 21201 Montgomery County Executive 101 Monroe Street, 2nd Floor Rockville, MD 20850 Environmental Program Manager III Radiological Health Program Air & Radiation Management Adm.
Maryland Dept of the Environment 1800 Washington Blvd., Suite 750 Baltimore, MD 21230-1724 Director Air & Radiation Management Adm.
Maryland Dept of the Environment 1800 Washington Blvd., Suite 710 Baltimore, MD 21230 Test, Research and Training Reactor Newsletter Attention: Ms. Amber Johnson Dept of Materials Science and Engineering University of Maryland 4418 Stadium Drive College Park, MD 20742-2115 Manager Nuclear Programs Maryland Department of Natural Resources Tawes B-3 Annapolis, MD 21401 Colonel Mohammad Naeem, Director Armed Forces Radiobiology Research Institute 4301 Jones Bridge Road, Building 42 Bethesda, MD 20889-5648
A. Cook
SUBJECT:
U.S. DEPARTMENT OF DEFENSE ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE - REPORT ON THE REGULATORY AUDIT CONDUCTED JANUARY 27, 2022 RE: DIGITAL INSTRUMENTATION &
CONTROL SYSTEM UPGRADE (EPID L-2020-NFA-0012)
DATED: MARCH 29, 2022 DISTRIBUTION:
PUBLIC JBorromeo, NRR CMontgomery, NRR PBoyle, NRR POBryan, NRR RAlvarado, NRR JAshcraft, NRR MWaters, NRR JHudson, NRR ADAMS Accession Number: ML22067A246 NRR-106 OFFICE NRR/DANU/UNPL/PM NRR/DANU/UNPL/LA NRR/DEX/EICB NAME CMontgomery NParker MWaters DATE 03/09/2022 03/21/2022 03/24/2022 OFFICE NRR/DANU/UNPL/BC NRR/DANU/UNPL/PM NAME JBorromeo CMontgomery DATE 03/29/2022 03/29/2022 OFFICIAL RECORD COPY
Enclosure OFFICE OF NUCLEAR REACTOR REGULATION REGULATORY AUDIT REPORT REGARDING AMENDMENT TO FACILITY OPERATING LICENSE NO. R-84 ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE ARMED FORCES RADIOBIOLOGY RESEARCH INSTITUTE TRIGA-MARK F TANK-TYPE NUCLEAR REACTOR FACILITY DOCKET NO. 50-170 Location:
Armed Forces Radiobiology Research Institute (AFRRI) TRIGA-Mark F tank-type nuclear reactor facility, Bethesda, Maryland, for in-person meeting; and for the virtual portion of the audit: U.S. Nuclear Regulatory Commission (NRC)
Headquarters, Rockville, MD Dates:
September 9, 2021 - January 27, 2022 NRC Audit Team Members:
Rossnyev Alvarado, Electronics Engineer Joe Ashcraft, Electronics Engineer Patrick Boyle, Project Manager Cindy Montgomery, Project Manager Patrick Boyle, Project Manager Michael Takacs, Senior Security Specialist Licensee Representatives Audit Team Members:
Col. Mohammad Naeem, AFRRI Director Col. Pamela Ward-Demo, AFRRI Chief of Staff LTC Jeffrey Brown, AFRRI Deputy Chief of Staff LTC Omololu Makinde, Head, Radiation Science Department Andrew Cook, Interim Reactor Facility Director Timothy Ayers, Nuclear Engineer Mat Brener, Nuclear Engineer MSG Benjamin Knibbe, NCOIC, Radiation Sciences Department Harry Spence, Reactor Staff Jeffrey Sumlin, Radiation Safety Officer Forrest Heinrich, Health Physics Technician Jerome Gormley, General Atomics Bruno Andermatt, General Atomics (via telcon only)
CPT Santoria Francis, AFRRI Contracting Offer
Background
By letter dated November 10, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20318A339), as supplemented by letters dated February 5, 2021 (ADAMS Accession No. ML21036A297), February 11, 2021 (ADAMS Accession No. ML21042B841), April 27, 2021 (ADAMS Accession No. ML21316A037), October 28, 2021 (ADAMS Accession No. ML21302A097), November 8, 2021 (ADAMS Accession No. ML21316A033), and January 7, 2022 (ADAMS Accession No. ML22007A264), Armed Forces Radiobiology Research Institute (AFRRI) applied for an amendment to Facility Operating License No. R-84 for the AFRRI TRIGA-Mark F tank-type nuclear reactor facility. The requested licensing action would replace and upgrade the instrumentation and control (I&C) systems for the reactor and would amend the technical specification (TS) related to the upgrade.
The I&C systems for AFRRI consists of hybrid analog and digital system to monitor, protect, and control the reactor. The proposed I&C systems include a hardwired reactor protection system (RPS) with dedicated displays and controls so that safe operation and monitoring of the reactor is not affected if the digital systems become unavailable. Components of the I&C systems will be installed in the data acquisition cabinet (DAC). The reactor will be operated from the control system console (CSC) located in the control room.
This regulatory audit was intended to assist the U.S. Nuclear Regulatory Commission (NRC) staff in gaining understanding, verifying information, and/or identifying information that will require docketing to support the basis of the license amendment request (LAR). During the review of the LAR, several open items were identified and provided to AFRRI in advance; these are discussed in this audit report.
This report summarizes the regulatory audit conducted by NRC staff from September 14, 2021, to January 27, 2022, in connection with its review of the application. The regulatory audit was performed in person and electronically in accordance with the regulatory audit plan. The audit report does not make any licensing conclusions or findings, but it is part of the administrative record of the NRC staffs review of the application and provides information supporting the NRC staffs safety evaluation. The audit followed the plan dated September 13, 2021 (ADAMS Accession No. ML21253A001).
Regulatory Audit Basis The purpose of this audit is to support the NRC staffs review of the licensees proposed I&C systems described in the Chapter 7, Instrumentation and Control Systems, of the AFRRI proposed safety analysis report (SAR) in accordance with the applicable regulatory requirements of Title 10 of the Code of Federal Regulations (10 CFR) and applicable guidance provided in NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Part 1, Format and Content, and Part 2, Standard Review Plan and Acceptance Criteria, (ADAMS Accession Nos. ML042430055 and ML042430048, respectively).
Audit Activities Five members of the NRC audit team: Rossnyev Alvarado and Joe Ashcraft from the Instrumentation and Control Branch, Joshua Borromeo, Cindy Montgomery and Patrick Boyle from the Non-Power Production and Utilization Facilities Licensing Branch, visited the AFRRI reactor on September 14, 2021, to observe operation of the proposed I&C systems. In addition, the NRC staff performed an electronic regulatory audit.
The following activities were performed during this audit:
1.
ENTRANCE MEETING At the entrance meeting, NRC staff explained the goals and objectives for the audit, as well as the process to be followed to conduct it. Facility logistics and a proposed audit schedule goals and objectives for the in-person meeting. The NRC staff also discussed the approach for continuing the virtual audit.
The following is a list of participants:
Col. Mohammad Naeem, AFRRI Director Col. Pamela Ward-Demo, AFRRI Chief of Staff LTC. Jeffrey Brown, AFRRI Deputy Chief of Staff LTC. Omololu Makinde, Head, Radiation Science Department Andrew Cook, Interim Reactor Facility Director Timothy Ayers, Nuclear Engineer Mat Brener, Nuclear Engineer MSG. Benjamin Knibbe, NCOIC, Radiation Sciences Department Harry Spence, Reactor Staff Jeffrey Sumlin, Radiation Safety Officer Forrest Heinrich, Health Physics Technician Jerome Gormley, General Atomics Bruno Andermatt, General Atomics (via telcon only)
CPT. Santoria Francis, AFRRI Contracting Offer Rossnyev Alvarado, NRC Electronics Engineer Joe Ashcraft, NRC Electronics Engineer Patrick Boyle, NRC Project Manager Cindy Montgomery, NRC Project Manager 2.
AFRRI TOUR AND DEMONSTRATIONS After the entrance meeting, the AFRRI gave a tour of their nuclear research reactor, which included the control console, and lab facilities. In the control room, AFRRI simulated operation of the reactor and the new control systems.
3.
TECHNICAL EVALUATION
System Description
AFFRI has a Training, Research, Isotopes, General Atomics (TRIGA) reactor licensed for at steady-state thermal power levels up to and including 1.1 megawatts thermal and short-duration power pulses with reactivity insertions up to $3.50 (2.45 percent delta k/k (% k/k, excess reactivity in percent)). The AFRRI TRIGA Mark F is a heterogeneous pool-type reactor cooled by the natural convection of light water. The AFRRI reactor serves as a source of both gamma and neutron radiation for research and radioisotope production.
The proposed I&C systems for the AFRRI TRIGA reactor consist of a combination of both analog and digital equipment to monitor, control, and protect. The I&C systems measure the power level and the fuel temperature and thereby protect the fuel from exceeding the safety limit. The proposed replacement I&C systems have been designed to replicate the previous control console and nuclear instrumentation (NI) channels, in order to minimize the changes to the facilitys license and TS. The new console systems will be installed in the existing console frame located in the control room.
The I&C system includes the following systems:
Reactor Instrumentation, which includes the neutron monitoring system
Reactor Control System, which includes control rod drives, automatic control, and reactor interlocks
Facility Interlock System (FIS), which prevents inadvertent operation of the facility when a set of conditions have not been met
Reactor Protection System, which includes the scram logic circuitry, rod withdrawal prevention, facility interlocks, and lead shield door control
Control System Console (CSC), which includes indicators, annunciators, and monitors to monitor and control the reactor
Data Acquisition Cabinet (DAC), which houses the nuclear instrument modules, the drivers for the control rod drives, and equipment to process analog and digital inputs.
Process instrumentation, which includes pool water level, primary water temperature and primary water resistivity
Radiation monitoring system, which includes radiation air monitors (RAMs), continuous air monitors (CAMs), and gas stack monitor
Auxiliary Panel, which includes paper chart recorders for the radiation monitors and continuous air monitors, and provides indication for pool temperature, pool level, exposure room (ER) temperatures, and ventilation dampers Reactor Instrumentation NP-1000 Linear Power Channel During the audit, the NRC staff reviewed several documents for the NP-1000 module:
- 1. NP-1000, Nuclear Power Module User Manual, T3271000-1UM, Revision A. This document describes the general overview, major subassemblies, specifications, control, operating, and maintenance instructions. AFRRI explained that the isolation between the analog and digital portions is done by isolating diodes as part of the manual, Schematic Diagram, Trip / Alarm, T3301131, Revision A, Sheets 2, 3, and 4, reflects the one-way diodes that isolates the analog portion (safety) from the digital portion (non-safety) for the individual trip functions.
- 2. TRIGA NP/NPP-1000 Software Requirements Specification, T3287960-SRS, Revision X8.
This document defines the software requirements for the NP/NPP-1000 Digital Interface board and the local touchscreen liquid crystal display (LCD) display that are part of the General Atomics Electromagnetic System Inc. TRIGA radiation monitoring channel. The NI Software (commercial-off-the-shelf (COTS) microcontroller for the NP/NPP-1000) and the Touchscreen LCD Display Software (HTML code) is determined by this specification. The NP-1000 percent power monitoring channel is physically similar to the NPP-1000 except that the NP-100 doesnt have the circuitry applicable only to pulse monitoring. The communication protocol is described in the General Atomics-Electronic Systems Inc, (GA-ESI) TRIGA Nuclear Channel Software Communications Protocol Document, T9S900D970-SRS.
- 3. Summary Report, Temperature Test, NP-1000, T3278001-1TR, Revision A. This document provides a summary of the temperature tests performed on the NP-1000 instrument. The tests were performed at room temperature, 35 degrees Celsius, and 50 degrees Celsius. The test confirmed that the NP-1000 will function correctly and perform its intended safety functions up to a temperature of 50 degrees Celsius. The test also confirmed that a temperature coefficient of (0.1 percent of span)/degree Celsius can be met for the stated range of operation.
NPP-1000 Linear Power Pulsing Channel During the audit, the NRC staff reviewed the several documents for the NPP-1000 module.
- 1. NPP-1000, Nuclear Power Module User Manual, T3281000-1UM, Revision A. This document describes the general overview, major subassemblies, specifications, control, operating, and maintenance instructions. AFRRI explained that the isolation between the analog and digital portions is done by isolating diodes. This is described in the manual, Schematic Diagram, Trip / Alarm, T3301131, Revision A, Sheets 2, 3, and 4, as a set of one-way diodes that isolates the analog portion (safety) from the digital portion (non-safety) for the individual trip functions.
- 2. Summary Report, Temperature Test, NPP-1000, T3288001-1TR, Revision A. This document provides a summary of the temperature tests performed on the NPP-1000 instrument.
The tests were performed at room temperature, 35 degrees Celsius, and 50 degrees Celsius.
The test confirmed that the NPP-1000 will function correctly and perform its intended safety functions up to a temperature of 50 degrees Celsius and has shown a temperature coefficient of (0.1 percent of span)/degree Celsius can be met for stated range of operation.
NLW-1000 Log Power Channel During the audit, the NRC staff reviewed the several documents for the NLW-1000 module.
- 1. NLW-1000, Wide Range Log Power Module User Manual, T3322000-1UM, Revision B.
This document describes the general overview, major subassemblies, specifications, control, operating, and maintenance instructions. AFRRI explained that the isolation between the analog and digital portions is done by isolating diodes. This is described in the manual, Schematic Diagram, Trip / Alarm, T3301131, Revision A, Sheets 2, 3, and 4, as a set of one-way diodes that isolates the analog portion (safety) from the digital portion (non-safety) for the individual trip functions.
- 2. NLX-1000 System Requirements Specification, T9S900D950-SYR, Revision A. This document defines the system requirements for the NLW-1000 platform module. The NLW-1000 module is a wide range monitoring, logarithmic power monitoring channel designed to operate with a fission chamber, and the module measures 10 decades of neutron flux. The NLW-1000 communicates to the reactor console computer. The communication protocol is described in the GA-ESI TRIGA Nuclear Channel Software Communications Protocol Document, T9S900D970-SRS.
- 3. NLX-1000 Software Requirements Specification, T9S900D951-SRS, Revision A. This document defines the software requirements for the NLW-1000 platform digital Interface board and the local touchscreen LCD display which are part of the General Atomics Electromagnetic System Inc. TRIGA radiation monitoring channel.
- 4. Summary Report, Temperature Test, NLW-1000 Multi-Range Linear Channel, T3328001-1TR, Revision A. This document provides a summary of the temperature tests performed on the NLW-1000 instrument. The tests ensured that no components inside the module exceeded their rated temperatures. The tests also determined measurement errors due to the change in temperature. The tests were performed at room temperature, 40 degrees Celsius, and 50 degrees Celsius. The tests confirmed that the NLW-1000 will function correctly up to a temperature of 55 degrees Celsius and demonstrated that a temperature coefficient of 0.15 percent/degree Celsius can be met for the stated range of operation.
NMP-1000 Multi-Range Linear Channel During the on-site/virtual part of the audit, the NRC staff reviewed several documents for the NMP-1000 module.
- 1. NMP-1000, Multi-Range Linear Module User Manual, T3401000-1UM, Revision C. This document describes the general overview, major subassemblies, specifications, control, operating, and maintenance instructions. AFRRI explained that the isolation between the analog and digital portions is done by isolating diodes. This is described in the manual, Schematic Diagram, Trip / Alarm, T3301131, Revision A, Sheets 2, 3, and 4, as a set of one-way diodes that isolates the analog portions (safety) from the digital portions (non-safety) for the individual trip functions.
- 2. NMP-1000 System Requirements Specification, T9S900D940-SYR, Revision A. This document defines the system requirements for the NMP-1000 module. The NMP-1000 module is a wide range linear power channel module which provides reactor power level output to the reactor console for fine control and input signal to the flux regulator for automatic control. The system is a dc-measuring instrument designed to work with a compensated ionization chamber detector. The NMP-1000 communicates to a reactor console and a maintenance computer.
The communication protocol is described in the GA-ESI TRIGA Nuclear Channel Software Communications Protocol Document, T9S900D970-SRS.
- 3. NMP-1000 Software Requirements Specification, T9S900D941-SRS, Revision A. This document defines the software requirements for the NMP-1000 Digital Interface board and the local touchscreen LCD display that are part of the General Atomics Electromagnetic System Inc.
TRIGA radiation monitoring channel. The NMP-1000 monitoring channel is a wide-range linear manual and automatic range switching current-to-voltage signal conditioning device.
- 4. Summary Report, Temperature Test, NMP-1000 Multi-Range Linear Channel, T3408001-1TR, Revision A. This document provides a summary of the temperature tests performed on the NMP-1000 instrument. The tests ensured that no components inside the module exceeded their rated temperatures and determined the measurement errors due to change in temperature. The tests were performed at room temperature, 40 degrees Celsius, and 50 degrees Celsius. The tests confirmed that the NLW-1000 will function correctly up to a temperature of 55 degrees Celsius and demonstrated that a temperature coefficient of 0.15 percent/degree Celsius can be met for the stated range of operation.
NFT-1000 Fuel Temperature Channel During the audit, the NRC staff reviewed the several documents for the NFT-1000 module.
- 1. NFT-1000, Nuclear Fuel Temperature Module User Manual, T3291000-1UM, Revision A.
This document describes the general overview, major subassemblies, specifications, control, operating, and maintenance instructions. AFRRI explained that the isolation between the analog and digital portions is done by isolating diodes. This is described in the manual, Schematic Diagram, Trip / Alarm, T3301131, Revision A, Sheets 2, 3, and 4, as a set of one-way diodes that isolates the analog portions (safety) from the digital portions (non-safety) for the individual trip functions.
- 2. NFT-1000 Software Requirements Specification, T3297960-SRS, Revision Draft X3. This document defines the software requirements for the NFT-1000 Digital Interface board and the local touchscreen LCD display that are part of the General Atomics Electromagnetic System Inc.
TRIGA radiation monitoring channel.
- 3. Summary Report, Temperature Test, NFT-1000, T3298001-1TR, Revision A. This document provides a summary of the temperature tests performed on the NFT-1000 instrument.
The tests confirmed that the NFT-1000 will function correctly and perform its intended safety functions up to a temperature of 50 degrees Celsius and demonstrated that it will meet a temperature coefficient of (0.04 percent of span)/degree Celsius for the stated range of operation.
Reactor Control System The reactor control system monitors and controls operation of the reactor. Power is controlled for three control rods that are suspended from electromagnets. A fourth rod is controlled by the transient rod air circuit. Using the control console, the operator can also manually withdraw or insert the control rods. During a pulse, the control system will activate the transient rod to insert reactivity into the reactor core to produce high power pulses.
AFRRI did not have licensed operators at the facility during the on-site portion of the audit, so AFRRI was not allowed to make reactivity changes. To ensure changes to reactivity did not occur, AFRRI removed the K1 relay, which prevented the ability to clear the scram and apply magnet power to the control rods. Consequently, AFRRI was not able to demonstrate operation of the control system during the audit.
During the audit, AFRRI showed the NRC staff the wiring for the rod control system and the rod drive assembly, which are installed on the reactor bridge. AFRRI staff explained that all cables from the DAC to the connecting rod assembly were replaced, but wires from the assembly to the control rod drive were not replaced. The NRC staff observed the new wires but noticed that the cables were not labeled, and the connections included cables that were no longer in use.
AFFRI staff noted that there were no requirements to remove the cables and that testing ensured that the correct cables were connected.
Facility Interlock System The proposed FIS will prevent accidental radiation exposure of personnel working in the ERs or the preparation area. It will also prevent interference (i.e., contact or impact) between the reactor tank lead shield doors and reactor core shroud.
During the audit, the NRC staff observed the location of the ERs, the plug doors and the ER control boxes for ERs #1 and 2. The NRC staff observed that each plug door has a limit switch for the open position and one for the close position. The AFRRI personnel explained that each limit switch is wired to its respective ER control box; and from it, the signal is transmitted to the reactor mode control panel, as shown in the wiring diagram for the plug door interlock, Drawing No. T3A100E830, Revision A. This wiring diagram is included in the General Atomics, TRIGA Operation & Maintenance (O&M) Manual. If the wires from any limit switches are damaged, the signal is interrupted, the signal in the FIS logic will open, interrupting the scram loop circuit and consequently the reactor will scram. The NRC staff confirmed this in the wiring diagrams for the scram loop, Drawing No. T3A100E820, Revision A.
The lead doors can be closed whenever the core is in position 1 or 3. To open the lead doors,
- 1) the core must be in position 1 or 3,
- 2) the magnet power key switch must be in the operate position,
- 3) both ER doors must be closed, and
- 4) no emergency stops can be active.
AFRRI demonstrated operation of the lead doors to enter ER #1 (fast neutron) on the facility floor. This required the core to be in position #3 (opposite to the ER) and the tank lead doors to be closed. Two AFRRI staff visually inspected the room to ensure that no personnel remained in the room prior to securing the plug door, as required by AFRRI TS 3.2.3. Once these permissives were satisfied, AFRRI personnel proceeded to power the ER #1 control box and open the door. The NRC staff observed operation of the ER control box (Figure 38 in the LAR supplement (ADAMS Accession No. ML21036A297)), opening of the door, and local indications in the ER status panel (Figure 40 in the LAR supplement (ADAMS Accession No. ML21036A297)). The status panel has lights to indicate the location of the core, whether the lead shield door is open or closed, and whether it is permitted to open the ER plug door.
The AFRRI operator receives indication of the status of the plug doors on the Left Side Status Display of the control console, as well as on the Reactor Mode Control Panel.
An NRC staff member entered ER #1 to confirm the location of the local panel. This panel includes the emergency stop pushbutton, a horn, and the horn bypass switch. Subsequently, AFRRI followed the procedure to close the lead shield door.
The NRC staff observed the AFRRI Maintenance Procedure, M033 - Facility Interlock Checklist, to require verification of interlocks, horns, horn bypass switches, and status lights for the ER. In addition, the NRC staff looked at the GA TRIGA Operations and Maintenance Manual, Connection Diagram, Facility Interlock System, drawing T3A400E103, Revision D, Sheet 4, DAC I/O, Reactor & First Floor Limit Switches, and Sheet 6, Inside ER & I/O From, To Console/DAC, to observe the signals transmitted to the DAC and wire diagrams for the core dolly and ER switches. The NRC staff also looked at engineering drawings TA3400E800 to TA3400E840 which were included in the AFRRI O&M Manual. These drawings show that when either horn bypass is active, a digital signal will be generated and sent to the FIS for indication.
The NRC staff reviewed the following documents:
FIS Interlock Truth Table AFRRI prepared the FIS Interlock Truth Table document to address open item 27 regarding group allocation of the interlocks. The truth table for the FIS interlock, shows all possible combinations to test the validity of the logic. The interlocks are grouped based on the function to be performed. The rows of the table represent the position of the lead doors, core, and plug doors for reactor operation, lead shield door, core movement, and plug door operation. The NRC staff also found a copy of this table in the General Atomics USUHS/AFRRI TRIGA Control System Console System Requirements Specification, Document No. T3A100B7101-SYR, Revision A.
During the audit, the NRC and AFRRI staff selected the logic and positions to open the lead shield door when the core is in position #1. The NRC staff used this table; wiring diagram for the scram loop interlock (Drawing No. T3A100E820, Revision A); AFRRI Site Acceptance Test (SAT) Procedure, Part 1, (Document No. T3A100B7372-SAT, Revision A); and Figure 46 of the LAR supplement dated February 5, 2021 (ADAMS Accession No. ML21036A297). The NRC staff observed that the logic was consistent with the table and the test procedure. The SAT test procedure was performed on December 27, 2018, and test results were recorded as Pass.
AFRRI Maintenance Procedure, M033, includes a facility interlock checklist. This checklist would verify operation of the FIS semiannually to ensure the requirements in AFRRI TSs 3.2.3 and 4.2.4 are met. The lights in the FIS cabinet are checked as part of this checklist. This procedure was last performed on February 27, 2018. Also, the document T3A100B7372-SAT, Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Revision A, Section 2.11, shows the results of the SAT performed for the FIS. The test was successfully completed on February 27, 2018.
Facility Interlock Panel The Facility Interlock Panel document includes a photo of the pilot lights for the facility interlock.
This photo is similar to Figure 46 included in the LAR supplement dated February 5, 2021 (ADAMS Accession No. ML21036A297). The lights are combined in functional groups to provide a visual indication to the operator in the control room of the FIS status. Some lights are duplicated to facilitate visualization. The lights would illuminate when the logic necessary is satisfied, as listed in the table below. AFRRI staff noted that the status of the lights is sent to the DAC and then transmitted for display on one of the console screens.
Group Switches Function Interlock position switches Power On Door No. D1 closed Door No. D2 closed Door No. D2 open Door No. D3 closed Reactor position, fast neutron room Reactor position, thermal neutron room Indicate status of the limit switches Group Switches Function Reactor operating circuits Power On Door No. D2 closed Door No. D1 closed Door No. D3 closed Reactor positioned Operate the reactor Reactor lead shield Door No. 2 Power On Door No. D1 closed Door No. D3 closed Reactor positioned Operate the lead shield door in the pool Fast neutron room Door No. 1 Power ON Door No. D2 closed Reactor positioned Operate ER #1 plug door (fast neutron)
Thermal neutron room Door No. 3 Power ON Door No. D2 closed Reactor positioned Operate ER #2 plug door (thermal neutron)
Override switch Region 1 Region 3 Allow movement of the core when not in region #1 or #3 AFRRI stated that the override switch is used to move the core when it gets stuck between region 1 and 3. Use of this switch requires the presence of two operators. By pressing this switch, the core would return to either region 1 or 3. The engineering drawings for the FIS, T3A400E100, T3A400E103, T3A400E110, and T3A400E111, show the wiring diagram for this switch, as well as the logic.
This document describes the logic and status of each signal to perform these functions. To operate the reactor, the following must be true:
- 1. The Key Switch must be in the ON position.
AND
- 2. All emergency stop circuits in the exposure rooms and control system console must be energized.
AND one of the following:
3a. The tank lead shield doors must be fully closed, AND the plug door for the exposure room against which the reactor is to be operated must be closed, AND the reactor must be in the corresponding region.
OR 3b. The tank lead shield doors must be fully opened, AND both plug doors for the exposure rooms must be closed.
This logic is also included in the General Atomics USUHS/AFRRI TRIGA Control System Console System Requirements Specification, Document No. T3A100B7101-SYR, Revision A, which was available during the audit. The reactor operation diagram in Appendix B of that document shows these signals. This figure shows the signal from the Magnet Key Switch going from the rod control panel and a signal from the Emergency Stop Pushbutton on the Reactor Mode Control Panel to the FIS. These signals are identified in Figure 1 of the LAR.
The facility interlock panel document also provides the Cross Reference Table for terminology regarding FIS limit switches that were used in the interlocks described in Section 2.4.1 of the LAR. This cross reference is also included in the AFRRI TRIGA O&M Manual.
Fast Neutron Exposure Room = ER1
Thermal Neutron Exposure Room = ER2
ER1 Door Closed = D1C
ER1 Door Open = D1O
ER2 Door Closed = D3C
ER2 Door Open = D3O
Core Position 1 Inner = RP1A
Core Position 1 Outer = RP1B
Core Position 3 Inner = RP3A
Core Position 3 Outer = RP3B
Lead Doors Open = D2O
Lead Doors Closed = D2C
TRIGA Reactor Instrumentation and Control System Operation & Maintenance Manual, Revision A.
Section 2.3 describes the FIS and Section 3.5 describes its operation. These sections state that the FIS was designed to reduce the possibility of accidents by either 1) providing warning and interlocks to prevent movement of the reactor core to the ER in which someone may be working, or 2) preventing the inadvertent contact between the core and the lead shield doors.
These signals are also shown on schematic TA3400E103 Sheet 3 included in the TRIGA O&M Manual Part 5.3.
Schematic TA3200E110 Sheet 1 shows of the layout of the Reactor Mode Control Panel. Using this panel, the operator could open/close the lead shield doors using the pushbuttons in the panel. In addition, this panel includes a pushbutton to stop movement of the lead door. AFRRI indicated that these switches will illuminate when active.
Operation of the key magnet switch During the audit, AFRRI and General Atomics staff explained the operation of the key magnet switch using the engineering drawings T3A100800 to T3A100830 in the TRIGA O&M Manual, and AFRRI walked through the logic to operate this switch. These drawings show the permissives necessary for the scram loop to be completed, including the interrelationship between the magnet power key switch, FIS logic, and the scram loop. When the FIS logic is satisfied the reactor permissive ROX will energize, closing the contact in the relay scram loop.
AFRRI demonstrated the operation of the magnet key switch located on the rod control panel.
The process to perform this operation is described in Section 3.5.1.2 of the AFRRI TRIGA O&M Manual and in Section 3.1.4.1 of the LAR supplement. The switch was in the Off position at the beginning of the demonstration, thus there was no power provided to the rod magnets. AFRRI staff used the key to place the switch in the Reset position, which started a 30 second delay and an audible alarm in the control console. During this time, the time delay light illuminated on the reactor mode control panel. Once this timer elapsed, the time delay light turned off and the reactor power indicator illuminated, indicating the reactor permissives are satisfied. Then the AFRRI staff turned the key switch to Reset again to power the magnet and the transient rod air circuit. The key would remain in the On position during reactor operation. AFRRI staff explained that if the key is placed in the Off position, power would be removed from the control rod magnets and the transient rod air circuit, thereby scramming the reactor.
Reactor Protection System The proposed RPS will shut down the reactor when sensors detect abnormal parameters or if manual actuation devices are activated. The signals that generate a reactor scram are connected to relay contacts in the scram loop.
AFRRI staff explained that the NMP-1000, HV Lo and Hi Power trips are transmitted to CSC and indicated to the operator on the WARNINGS pane. Although these trips are part of the scram loop, they are jumpered out in the current design, these trips are part of the scram logic, but are jumpered out. AFRRI staff showed the relays in the DAC that are jumpered out. AFRRI staff also showed the following engineering drawings to illustrate the wiring and confirm they are not connected to the scram loop.
Scram loop diagram, T3A100E800, Revision C
Wiring diagram, lead door interlock, T3A100E810 Revision B
Wiring diagram, scram loop interlock, T3A100E820 Revision A
Wiring diagram, plug door interlock, T3A100E830 Revision A In addition, during the audit, AFRRI staff confirmed that signals from the radiation monitoring system (RMS) are not part of the scram loop. Using the wiring diagram for the scram loop in the AFRRI TRIGA O&M Manual, AFRRI staff showed that signals from the RMS were not wired to the scram loop.
During the audit, AFRRI staff explained how NIs trips are wired and configured in the scram loop. Using the trip circuit included in the AFRRI TRIGA O&M Manual, AFRRI staff explained NIs trips. When the monitored variable reaches the trip setpoint, the associated trip relay is de-energized, power to the circuit is interrupted, and the reactor scrams.
Control System Console As part of the audit, the NRC staff observed the proposed control console in the control room, which includes the computers (User Interface Terminal (UIT) and console computer system (CCS)), display monitors, control panels, modularized drawers, indicators, meters and recorders, and printer. AFRRI explained that the control console and system are powered by depressing the instrument power On pushbutton located on the reactor mode control panel, even if the magnet power switch is in the Off position. When the NRC staff observed the demonstrations described below, the instrument power On pushbutton was illuminated, which indicated that the system was energized.
The control console includes an Emergency Stop button to scram the reactor in an emergency.
The signal from this button is part of the FIS logic. So, if the operator presses it, this will deactivate the reactor permissive (ROX) relay that is an input to the Scram loop. These buttons are latching but push to activate and twist to deactivate.
AFRRI control room includes an auxiliary console, which was not modified in the LAR. This console includes paper chart recorders for the radiation monitors and continuous air monitors, and provides indication for pool temperature, pool level, ER temperatures, and ventilation dampers. This panel also includes an indication for when the pool level is high. AFRRI explained that the high-level switch is independent from the switch and the signal transmitted to the control console to indicate high pool level.
CSC System Requirement Specification During the audit, the NRC staff observed the GA-ESI USUHS/AFRRI TRIGA Control System Console System Requirements Specification, Document No. T3A100B7101-SYR, Revision A.
This document describes the purpose of the CSC, scope of replacement, and proposed system operation. This document also identifies the functional, physical, system performance, and interface requirements.
During the audit, AFRRI staff explained the purpose of the TRIGA basic program installed in the CSC. TRIGA basic is a development environment that includes all software necessary to program the software necessary to operate the TRIGA reactor, including the software that interacts with the COTS I/O Boards. AFRRI staff will administratively control access to the TRIGA program. Further, AFRRI staff noted that operators cannot change anything that impacts the safety of the system because the reactor trips are all analog and can only be changed at the respective NI modules located outside the control room.
AFRRI staff showed the information that describe operation of the TRIGA in the O&M Manual and the data collected during the site acceptance test (SAT). The SAT test record shows the following:
UIT version V.04.01.01
OS Windows 7, Ultimate SP1
CCS V04.01.01
OS Open SUSE 12.3
NMP 01.02.00
NPP 01.01.01
NP 01.01.00
NLW 01.01.01
NFT 01.01.00
Test completed on February 28, 2018 Displays During the audit, AFRRI staff presented all displays configured in the control console, including the displays not shown during normal operation. The control console has two displays, one left and the other right. During normal operation, the operator will see five display panes in the left side status display, as described in the proposed SAR. The right-side display will show the reactor displays for normal reactor operation. When the system is in pulsing mode, the right-side display will show the Pulse Display. When magnet power is not provided, the right-side display will show the Reactor Prestart Tests screen. Lastly, when the system administrator logs in, the right-side display will show the Administration and Test Functions screen.
I/O Drawers During the audit, the NRC staff looked at the description of the I/O drawers and COTS I/O provided in the AFRRI TRIGA O&M Manual. This document states the control console includes:
digital input drawer - provide isolation of all digital inputs from the computer
console utility drawer - contain the CCS and UIT watchdog timers, I/O module, and digital outputs The COTS I/O board modules provide the power supply, acquire data, perform communication, and house the system relays. These board modules include a heartbeat light emitting diode
[LED] that flashes at regular intervals during normal operation.
The NRC staff observed wiring connections and assembly of these drawers in the following engineering drawings, which are included in the AFRRI TRIGA O&M Manual. The NRC staff also observed where these drawers are located inside the back panel of the control console.
Wiring diagram, console assembly, T3A200E101, Revision C
Drawer assembly, digital input, T3A200E150, Revision A Watchdog timers The CCS and UIT computers include watchdog timers to monitor the operation of these computers. During the audit, the NRC staff looked at the description of these watchdog timers provided in the AFRRI TRIGA O&M Manual. These timers are housed in the console utility drawer. The signals from the timeouts are wired to relays in the scram loop. The software in the UIT and CCS computers continuously send a signal to its respective WDT; if the signal is not received within a predefined time period, the signal to the relay would be interrupted, scramming the reactor. Also, if the WDT lose power, the reactor scrams. The reactor mode control panel include status lights for each watchdog timer to indicate when each has timeout.
The watchdog timers can be tested manually (with the rotary switch) or by software during the prestart tests. On the Reactor Control Mode Panel there is a rotary selection dial SCRAM AND INTERLOCK TEST 2 that can be used to manually test the UIT and CCS Watchdog. Using the computer, testing is done by instructing the computer to stop sending refresh signals and then counting off the seconds and making sure a watchdog timeout occurs after some time period (e.g., 10 seconds).
The NRC staff also looked at the information in the GA-ESI USUHS/AFRRI TRIGA Control System Console System Requirements Specification, Document No. T3A100B7101-SYR, Revision A. This document describes initiation of a scram caused by the WDTs, as well as the requirements for the CSC to perform such function. This document requires abilities for testing the operation of the WDTs and functions to scram the reactor. It specifies how the CCS and UIT should communicate with their respective WDT.
Audit Demonstrations During the audit, AFRRI performed several demonstrations of the operation of the control console. Every time a command demonstration was performed, AFRRI personnel logged it in the reactor logs.
AFRRI staff demonstrated opening and closing the tank lead shield doors from the control console. This process is described in Section 3.5.2.3 of the AFRRI TRIGA O&M Manual, which was reviewed during the audit. Because AFRRI cannot manipulate the controls of the reactor if it directly affects reactivity, AFRRI staff pulled out the K1 relay, which performs the reset and latching functions and indicates all SCRAMS clear for the scram loop. The core support carriages would move the core between regions 1 and 3. The carriage is bidirectional and can only move the core when the lead doors are open, or when the reactor is in region 1 or region 3 and the lead doors are closed. The core was located in position 3 for this demonstration. The first step was to energize the magnet power circuit and power the transient rod air circuit. The next step was to open the shield doors using the buttons on the reactor mode control panel.
AFRRI staff depressed the Open button on the reactor mode control panel, which started the 3-minute time delay and activated an alarm in the control console (the operator used the acknowledge button to silence the alarm). Once the timer elapsed, AFRRI again depressed the Open button to initiate the rotation of the shield doors. The NRC staff observed that the button illuminated on the reactor model control panel. The NRC staff also observed the openings of the shield doors from the top of the pool. After this demonstration, AFRRI proceeded to close the doors by depressing the Close button on the reactor mode control panel. The NRC staff confirmed that the shield door closed.
AFRRI also demonstrated movement of the reactor core. In an effort to educate the Audit Team, AFRRI staff utilized the engineering drawing T3A100E840, Revision B, included in the AFRRI TRIGA O&M Manual, to describe the logic, before they began preparations to move the reactor core. AFRRI staff explained that in order to move the core, the lead shield door should be opened. After explaining the process to the Audit Team, AFRRI staff opened the shield doors. After opening the doors, AFRRI depressed the region 1 switch on the reactor mode control panel to move the core from region 3 to 1. To move the core the operator needs to maintain the switch depressed or activate the region 1 foot pedal located under the console.
This process is described in Section 3.5.2.4 of the AFRRI TRIGA O&M Manual, which was available during the audit. The NRC staff observed that the carriage moved from region 3 at a low speed until it reached the position 3 limit switch, then the carriage speed increased slightly to move toward region 1, which is consistent with the description in the AFRRI TRIGA O&M Manual. The AFRRI staff stopped the movement by depressing the door Close button on the reactor mode control panel. The NRC staff also observed the location of the core in the core position indicator on the reactor mode control panel. At the beginning of the demonstration, this indicator showed the location to be about 720, which corresponds to region 3 in accordance with Figure 36 in the LAR. During the movement of the core, the number decreased indicating the movement of the carriage towards region 1. When the core stopped moving, the indication did not change, and when the core was returned to region 3, the indication started indicating movement towards region 3.
AFRRI staff described how the scram and interlock test rotary switches on the reactor mode control panel and demonstrated its operation by placing the rotary switch in the period test position. The NRC staff observed indication in the control panel. AFRRI also explained that both rotary switches can be used simultaneously to run two different tests.
Power Supply During the audit, the NRC staff discussed the information in the LAR and SAR regarding external power and power supply to I&C systems. The General Atomics USUHS/AFRRI TRIGA Control System Console System Requirements Specification, Document No. T3A100B7101-SYR, Revision A, includes the following requirements:
The uninterruptable power supply (UPS) be powered from the facility 120 voltage alternating current (VAC) power source
The console and DAC be connected to the UPS, so the system is powered for 15 minutes during a power loss
The reactor protective system is powered from the UPS The AFRRI TRIGA O&M Manual describes power supply to AFRRI I&C systems and its distribution. This document explains that an external 120 VAC power supply is connected to the UPS, located in the control console, and to components that are not identified as essential (e.g.,
printer). The UPS can be controlled through the control console by depressing the instrument power switch to turn on the UPS, or to turn it off. When AFRRI performed the demonstrations described above, the NRC staff observed the AC power distribution cables in the control console and UPS, as well as the instrument power switch. The UPS provides power to all equipment in the control console that require uninterruptable power (e.g., CCS and UIT computers, displays, etc.). The UPS also provides power to the DAC.
The NRC staff observed power distribution for the proposed system rendered in the following engineering drawings, which were reviewed as part of the review of the AFRRI TRIGA O&M Manual, Parts 5.1, 5.2, and 5.3. The titles, drawing numbers, and revisions are:
wiring drawing, DAC cabinet assembly, T3A300E101, Revision D
wiring drawing, power supply, DAC, T3A300E111, Revision A
wiring diagrams, console assembly T3A200E101, Revision C
drawer assembly, power supply, console, T3A200E-140, Revision A
wiring diagram, central cabinet, T3A400E111, Revision F Environmental Qualifications The GA-ESI USUHS/AFRRI TRIGA Control System Console System Requirements Specification, Document No. T3A100B7101-SYR, Revision A, identifies the requirements associated with environmental conditions, including temperature and electromagnetic compatibility (EMC) and surge.
Data Acquisition Cabinet The DAC collects reactor data and transmits it to the RCS and CSC. Section 2.2 of the AFRRI TRIGA O&M Manual describes the DAC. The DAC consists of seven drawers housing the following components:
1-Power supply. This drawer includes the power strip receiving power from the UPS in the console; from there, power is distributed to other power strips to supply AC power where required. Figure 2-27 shows how power is distributed to the different I&C components.
2-Digital input. This drawer houses the optical isolator to isolate digital inputs from the CSC.
3-Analog input. This drawer houses the signal conditioning modules to isolate analog signals.
4-Rod control. This drawer includes the voltage/frequency exciter module and stepper driver modules.
5-Relay. This drawer houses the relays associated with the scram loop and magnet power. It also includes the socketed relays K1 and K2. K1 performs the reset and latching functions for all scrams. K2 is related to the magnet power switch when it is in the ON position.
6-Linear power. This drawer includes the NFT-1000 and NMP-1000 nuclear instruments.
7-Log power. This drawer includes the NP-1000, NPP-1000, and NLW-1000 nuclear instruments.
The DAC also includes a field termination panel to connect the control rod drives to the control console, and terminal block panel assembly to connect all field wiring.
During the audit, AFRRI staff showed the DAC cabinet and its drawers, components, and connections. Also, AFRRI staff showed the wiring diagrams for the DAC and their connections to other I&C systems. The NRC staff observed that the wires were color coded to identify the safety (white and red stripes) and non-safety (white) signals, as well as the labels to identify each relay in the scram loop.
Process Instrumentation During the audit, AFRRI showed a diagram to illustrate the pool level measurement and signals.
This drawing shows the full pool is approximately 15 6 from the top of the upper grid plate.
The scram is at 6 below full pool height which means there is approximately 15 of water above the top of the core. TS 3.2.2 Table 3 requires a scram for pool water level (14 feet from the top of the core). The NRC staff observed that the SCRAM annunciator on the Left Side Display is labelled as: Low Pool SCRAM.
AFRRI explained that measurement of cooling water conductivity is performed locally and there is no indication nor alarm in the control room. AFRRI also explained that temperature and radiation of the primary coolant are performed locally in the pump room.
Software Development Plan During the virtual part of the audit, the NRC staff reviewed the GA-ESI AFRRI TRIGA Version 1.0 Software Development Plan, T3S900D905-Doc, Revision A. This document applies to the development of the software for the TRIGA control console and nuclear channels, which includes power monitors (NP-1000 and NPP-1000) and temperature monitors (NFT-1000). In this plan, GA-ESI explained that they reused the software developed for Idaho National Laboratory for the power monitors NLW-1000 and NMP-1000. Also, GA-ESI would upgrade the TRIGA TINA reactor emulation, testing, and training tool to facilitate development and testing after the software is delivered.
The software development plan (SDP) describes planning, organization, roles and responsibilities, process and procedures, methods, tasks, products, and reviews used to develop the AFRRI TRIGA software. The SDP also identifies training and qualification requirements for GA-ESI staff assigned to the project. The SDP notes that a system failure mode and effects analysis is not required for the software.
The software development would translate the software requirements into software design, source codes, and required software documents. The SDP identifies the lifecycle model to use for the system development, as well as its phases, activities, and deliverables.
The plan describes how the project was controlled, as well as the internal reviews that were required. GA-ESI measured task completions and required frequent meetings to discuss status, tasks, and issues observed. Also, GA-ESI required that software quality be implemented in accordance with the USUHS/AFRRI Software Quality Assurance Verification and Validation Plan (SQAP) for the AFRRI TRIGA reactor.
The plan required the use of a tracking tool to record, track, and disposition of issues and failures throughout the development lifecycle. Further, in circumstances requiring changes to the established software baseline, disposition of these changes required approval by the project cross functional team or the change control board.
Software Configuration Management Plan During the virtual part of the audit, the NRC staff reviewed the TRIGA AFRRI Software Configuration Management Plan, T3S900D906-DOC, Revision X1. This document describes guidelines to manage changes to the TRIGA software in accordance with the requirements identified by AFRRI. The software configuration management plan (SCMP) was used to identify, track, and control changes made to project documentation, software source code, software build artifacts, test tools, and test artifacts. This SCMP was applied to the control console and nuclear instruments proposed for AFRRI TRIGA reactor.
The SCMP identifies roles and responsibilities assigned to GA, as well as the management of software configuration process. This document also describes activities associated and required as part of software configuration management, including configuration identification, configuration control, configuration evaluations and reviews, and release management and deliveries. The SCMP describes the resources used to support configuration management during the software development.
For configuration identification, the SCMP describes naming convention and tools utilized to maintain and store configuration items (e.g., the server data where the software source code is kept).
For configuration control, the SCMP describes the creation of a baseline to provide a reference point for each configuration item. This document also describes the process to request, evaluate, and approve changes after a baseline is established.
Note: because the revision number for the reviewed document is not conventional, during the audit, the NRC staff reviewed the GA Operating Procedure for Design Control, Document Number: OP 4.0-140, Revision R. This document describes the process to control design documents. The NRC staff also reviewed the GA Operating Procedure for Standard Configuration Identification, Revision D. This document identifies policies and procedures to assign numbers to drawings and documents.
Software Quality Assurance and Verification and Validation Plan During the audit, the NRC staff reviewed the General Atomics-Electronics Systems Inc.
(GA-ESI) USUHS/AFRRI Software Quality Assurance Verification and Validation Plan, T3S99001-SQAP, Revision X3. This document defines the software quality organization; roles and responsibilities; software quality tasks, verification and validation tasks and responsibilities; standards, practices and conventions used; and tools, techniques, and methods used.
This document describes the reporting activities to maintain software quality and ensure that the software and documentation issued meet technical and contractual requirements and GA-ESI software processes and procedures, and quality assurance manual and procedures. This plan was prepared in accordance with American National Standards Institute/American Nuclear Society (ANSI/ANS)-15.8-1995 - Quality Assurance Program Requirements, ANS/ANSI-10.4-2008, Verification and Validations of Non-Safety-related scientific and engineering computer programs for the nuclear industry, Regulatory Guide 1.152, Revision 3, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants and the applicable section of Institute of Electrical and Electronics Engineers 7-4.3.2-2016, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations applicable for non-power research reactors.
This plan describes software quality and verification and validation tasks and activities performed throughout all phases of the software development process and products. This plan defines activities and requirements for: the preparation and evaluation of the system design process, creation of software requirements and its verification, review of software products, evaluation of the software components testing process, evaluation of the software integration testing, evaluation of system testing, final acceptance testing process, media certification, evaluation of storage and handling of media, and verification of the proper use of a software configuration management process. This plan also identifies the documentation to be prepared for this project. Software quality records and reports would be prepared throughout the development process and maintained in the software quality assurance directory maintained by GA-ESI.
The plan requires identification of errors, faults, and failures to record both the software product metrics and software process metrics. This plan describes the requirements and process for problem reporting and corrective action. General Atomics required the use of Atlassians JIRA to record and track software defects and issues discovered during the system lifecycle.
Corrective actions would be performed, recorded, and tracked in accordance with GA-ESI procedures.
This plan describes the software design operational environment for the TRIGA control system project. This plan requires the project be operated in a network development environment established by GA-ESI. This plan requires that the environment include the necessary software tools and applications for the system development process. In addition, this plan defines how media and suppliers should be controlled. The AFRRI project software would be located in a Perforce repository controlled by software configuration management to ensure proper backups and storage.
Software Communication Protocol During the on-site/virtual part of the audit, the NRC staff reviewed the GA-ESI TRIGA Nuclear Channel Software Communications Protocol Document, T9S900D970-SRS, Revision X7.
This document describes the software protocol for the nuclear channels (NP-1000, NPP-1000, NLW-1000, NMP-1000, and NFT-1000) to use Ethernet-based communication to send analog and digital signals to the reactor console. The document describes the hardware descriptions, channel hardware connections, dipswitches, ethernet communication and protocols, test modes, maintenance operations, remote/local operation, and references. It also provides channel specific appendices for each module type.
AFRRI Quality Assurance Program During the audit, the NRC staff reviewed the Quality Assurance Program for the Armed Forces Radiobiology Research Institute TRIGA Reactor, dated October 29, 2021. The quality assurance program (QAP) was developed in accordance with the guidance of ANSI/ANS-15.8-1995.
This QAP identifies requirements to establish and maintain quality control over the design, construction, and modifications to the AFRRI reactor facility. The program defines the organization, roles, and responsibilities associated with the QAP.
The QAP also identifies requirements for document control, control of purchased items, special processes, inspections, tests, handling and storage, control of nonconforming items and services and corrective actions.
In addition, NRC reviewed the AFRRI-prepared memorandum of record summarizing that the I&C upgrade was performed under the General Atomics QAP as allowed by ANSI/ANS-15.8-1995. AFRRI developed its QAP to enable personnel to track all changes to the facility and create a documentation process commensurate with the change to be performed. This memorandum for record, with subject Quality Assurance Program for the Digital Instrumentation and control Upgrade for the AFRRI TRIGA Reactor, is dated November 18, 2021.
Test Documents Control Console During the virtual part of the audit, the NRC staff reviewed the GA-ESI, Acceptance Test Procedure, Console Assembly, AFRRI TRIGA, T3A200E100-1AT, Revision A. This document identifies activities to perform a functional hardware test of the control console.
The procedure identifies the engineering drawings and documents required, test equipment, test setup, tasks, and activities to test the control console, and acceptance criteria for each test.
This test included functional testing of the following:
Power supplies
Digital inputs
Digital outputs
Bargraphs
Chart Recorders
Scram contacts to DAC DAC signals
Relay drivers to FIS
Power down The document includes the complete test data sheet and record of the test equipment used.
This test was successfully performed and signed on May 6, 2016.
Data Acquisition Cabinet During the virtual part of the audit, the NRC staff reviewed the GA-ESI, Acceptance Test Procedure, DAC Assembly, AFRRI TRIGA, T3A3000E100-1AT, Revision B. This document identifies activities to perform a functional hardware test of the DAC cabinet assembly.
The procedure identifies the engineering drawings and documents required, test equipment, test setup, tasks and activities, and acceptance criteria for each test. This test included functional testing of the following:
Power supplies
Digital inputs
Digital outputs
Nuclear instruments
Analog inputs
Rod control, stepper motors
Rod control, transient
Scram loop
Power down The document includes the complete test data sheet and record of the test equipment used.
This test was successfully performed and signed on July 15, 2016.
Facility Interlock System During the virtual part of the audit, the NRC staff reviewed the GA-ESI Acceptance Test Procedure, Facility Interlock System, AFRRI TRIGA, T3A4000E100-1AT, Revision B. This document identifies activities to perform a functional hardware test of the facility interlock.
The FIS controls the reactor operate permissive relay ROX in the scram loop. Consequently, there are combinations of the reactor position and door that would allow the ROX to close.
These combinations are: (1) core in position 1, lead doors closed, and ER1 door closed; (2) core in position 3, lead doors closed, and ER2 door closed; and (3) core in any position, lead door open, ER1 door closed, and ER2 door closed. This procedure tested all these three combinations.
The procedure identifies the engineering drawings and documents required, test equipment, test setup, tasks and activities, and acceptance criteria for each test. This test included functional testing of the following:
Scram loop interlock for each possible reactor position and door combinations
Lead door interlocks and motor
Core support carriage Plug door interlocks
Front panel indicators
Remote indicator panels 1, 2, 3, and 4
ROX digital output
Power down The document includes the complete test data sheet and record of the test equipment used.
This test was successfully performed and signed on July 15, 2016.
System Test Procedure During the audit, the NRC staff reviewed the GA-ESI AFRRI Console System Test Procedure Specification, T3A100B7363-STP, Revision A. This document identifies the procedures to test the proposed control console for the AFRRI TRIGA reactor.
The system test procedure identifies general test requirements, environmental qualifications, document conventions, and test procedure specifications, including steps and acceptance criteria, for each item to be tested.
Console System Summary Report During the audit, the NRC staff reviewed the GA-ESI AFRRI TRIGA Console System Test Summary Report, T3A100B7369-TST, Revision A.
This document summarizes tests performed to demonstrate operation of the AFRRI TRIGA console. This report includes testing activities, procedures, and references. GA-ESI performed these tests to verify the system requirements identified in AFRRI TRIGA System Requirements Specification, T3A100B7101-SYR.
Testing activities were performed between June 7 and June 29, 2016, and the version tested was 04.01.00. The report shows that the system passed all tests and defects were properly dispositioned, except for two issues. The licensee explained that these issues did not affect the operation of the software, and therefore were left unresolved.
Nuclear Instrumentation Acceptance Tests During the on-site/virtual part of the audit, the NRC staff reviewed the Functional Acceptance Test (FAT) documents for the NP-1000, NPP-1000, NLW-1000, NMP-1000, and NFT-1000 modules.
Acceptance Test Procedure, NP-1000, Nuclear Power Instrument, T3271000-1AT, Revision B, Acceptance Test Procedure, NPP-1000, Nuclear Pulse Power Instrument, T3281000-1AT, Revision B, Acceptance Test Procedure, NLW-1000, Wide Range Log Power Channel, T3322000-1AT, Revision B, Acceptance Test Procedure, NMP-1000, Multi-Range Linear Channel, T3401000-1AT, Revision C, and Acceptance Test Procedure, NFT-1000, Nuclear Fuel Temperature Instrument, T3291000-1AT, Revision B.
These documents specify the steps require to perform a functional test and calibration on its respective module. The procedure identifies the reference drawings, test equipment, test setup, functional test procedures, test data sheets recordings, and document references. The NI were calibrated and successfully tested as follows:
NMP-1000, T3401000-1AT, Revision B, signed on August 12, 2015
NFT-1000, T3291000-1AT, Revision B, signed on March 16, 2016
NP-1000, T3271000-1AT, Revision B, signed on March 15, 2016
NPP-1000, T3281000-1AT, Revision B, signed on March 24, 2016
NLW-1000, T3322000-1AT, Revision B, signed on August 31, 2016 Factory Acceptance Test During the virtual part of the audit, the NRC staff reviewed the GA-ESI Factory Acceptance Test Procedure - System Assembly, AFRRI TRIGA, T3A1000B7371-FAT, Revision A. This document identifies tests to demonstrate the replacement I&C system meets the system requirements specified in the scope of work and the functional requirement specifications. The FAT also demonstrates the features, operation, and safety aspects of the control console to show proper behaviors and responses of the software and hardware.
The procedure identifies the engineering drawings and documents required, test documentation, test equipment, test setup, procedures, process to address anomalies, system configuration and installation, test equipment recording, normal test conditions, acceptance criteria, and chronological test log.
Before performing this test, GA-ESI required acceptance test procedures for the console, DAC assembly, and FIS. The system test procedures were successfully performed and completed; computers were configured, software was loaded; and the system was powered down. This requirement was satisfied and signed on July 19, 2016.
This test identifies the steps to apply magnet power. The document included the following test procedures and its corresponding completion date and signature. These tests were successfully completed on July 19 and 20, 2016.
System startup - demonstrate the system is properly connected and ready for operation.
This procedure included software verification of the following equipment:
o UIT, Version 04.01.00 o
NFT-1000, Version 01.01.00 o
NP-1000, Version 01.01.00 o
NPP-1000, Version 01.01.00 o
NMP-1000, Version 01.01.00 o
NLW-1000, Version 01.01.00
NLW channel test - demonstrate proper operation of the NLW channel and its log power and period functions
NMP channel test - demonstrate proper operation of the NMP and auto range power functions from the control console
NP channel test - demonstrate proper operation of the NP
NPP channel test - demonstrate proper operation of the NPP
NFT channel test - demonstrate proper operation of the NFT 1, NFT 2, and NFT 3.
UIT display - verify UIT displays the correct information Reactor graphics displays - verify the reactor graphics display the correct information
Administration display - demonstrate proper operation of the Admin display
Test functions display - demonstrate proper operation of the display
Reactor mode control panel - demonstrate proper operation of the switches and pushbuttons on this panel
System startup including prestart - demonstrate successful performance of prestart tests and correct startup
Warning tests (digital inputs) - demonstrate proper operation of all digital inputs and correct indication in the warning panel when changes occur
Scram tests - demonstrate proper operation of the scram functions
Steady state (Manual) mode - demonstrate proper operation of the system when in manual mode. This included testing the operation of the control rods and transient rod.
It also included measuring the drop timer for all rods
Auto mode - demonstrate proper operation of the system when in auto mode. This included testing bank selections: Reg only; Reg and Shim; Reg, Shim and Safety
Square wave power - demonstrate proper operation of the system when in square wave mode
Pulse power - demonstrate proper operation of the system when in pulse mode
Miscellaneous - demonstrate proper operation of all readings and statuses in both the right and side status displays
Run time statistics - demonstrate proper collection of the run time statistics for each operator
History recording and playback - demonstrate proper operation of the history recording and playback function when the system is in manual mode
UPS verification test - demonstrate the UPS can power the system for 15 minutes The FAT includes a test completion page confirming that all tests were performed, reviewed, and successfully passed. This page was signed on July 20, 2016, by the tester and on August 2, 2016, by Quality Assurance [QA].
The FAT also includes one Inprocess Nonconformance Report, to record editorial errors in the document. This report shows that the issue was identified and resolved before continuing with the tests.
Site Acceptance Test During the virtual part of the audit, the NRC staff reviewed the GA-ESI Armed Forces Radiobiology Research Institute TRIGA Reactor Instrumentation and Control Console Replacement Site Acceptance Test Procedure, Part 1, T3A1000B7372-SAT, Revision A, and Site Acceptance Test Part 2: Replacement of the Instrumentation and Control Console for the AFRRI TRIGA Reactor, T3A1000B7373-SAT, Revision A. These documents identify tests to demonstrate that the replacement I&C system is properly installed for operation at AFRRI and meets the technical, functional, and operational requirements. Part 1 of this test focused on demonstrating proper installation operation of the system, and Part 2 on demonstrating that the system can be used to operate the AFRRI TRIGA reactor.
Both parts of the SAT identify the engineering drawings and documents required, test documentation, test equipment, test setup, procedures, process to address anomalies, system configuration and installation, test equipment recording, normal test conditions, acceptance criteria, chronological test log. These documents also identify the steps to apply magnet power.
The SAT requires that necessary corrections to the documents be redlined, authorized, and signed by authorized personnel. It also requires that all defects and failures be documented in the test log and resolution should be resolved by AFRRI and GA-ESI staff. The documents describe the steps to address if a hardware or software change is required to correct a defect or failure identified while executing the SAT. It also describes how to address possible communication failures (i.e., Ethernet).
SAT Part 1 The SAT Part 1 lists the software configuration of the system before starting the test. It also lists prerequisites to be verified before the tests, such as successful completion of the FAT.
This step in the process was signed on July 26, 2018, by AFRRI and GA representatives.
Part 1 included the following test procedures and its corresponding completion date and signature. These tests were successfully completed, signed, and dated between July 26 and March 2, 2018.
System startup - demonstrate the system is properly connected and ready for operation.
Nuclear channels functional test - demonstrate proper operation of the NP, NPP, NFT, NMP, and NLW without the reactor going critical
NMP channel tests - verify operation of the NMP, including applicable trips, alarms, and warnings, as well as verify indication at the control console
NP channel tests - verify operation of the NP, including applicable trips, alarms, and warnings, as well as verify indication at the control console
NPP channel tests - verify operation of the NPP, including applicable trips, alarms, and warnings, as well as verify indication at the control console
NFT channels tests - verify operation of the three NFT, including applicable trips, alarms, and warnings, as well as verify indication at the control console
NLW channel tests - verify operation of the NLW, including applicable trips, alarms, and warnings, as well as verify indication at the control console
Control rod operation tests - demonstrate proper operation of the control rods and the transient rod using the rod control panel and verify proper indication at the control console
Facility interlock system - verify operation of the FIS meets the existing AFRRI Maintenance Procedure, M033. A copy of the completed checklist is included in this document
Reactor mode control panel - demonstrate operation of the switches and pushbuttons on this panel
Warning tests (digital inputs) - demonstrate proper wiring and operation of the warning, interlock, and trip digital inputs
Scram tests - demonstrate proper operation of the scram functions and verify proper indication at the control console. During this test, AFRRI and GA staff measured the rod drop time, which successfully met the acceptance criteria on March 1, 2018
Reactor graphics displays - verify the reactor graphics display the correct information for the NMP power, NLW log and period, and tank (pool) temperature
Steady state (Manual) mode - demonstrate proper operation of the system when in manual mode. This includes testing the operation of the control rods and transient rod.
It also includes measuring the drop timer for all rods
Auto mode - demonstrate proper operation of the system when in auto mode. This includes testing rod speed and bank selections Square wave power - demonstrate proper operation of the system when in square wave mode
Pulse power - demonstrate proper operation of the system when in pulse mode
History recording and playback - demonstrate proper operation of the history recording and playback function when the system is in manual mode
Auxiliary panel and chart recorder test, Revision A - demonstrate operation of the chart recorder and switches on the auxiliary panel
UPS verification test - demonstrate the UPS can power the system for 15 minutes after alternating current [AC] power is removed
RWP source selection and period minimum power tests - demonstrate that when the NLW reaches the minimum power level this causes a period trip RWP. Also, demonstrate NMP-1000 low source selection produces a trip Part 1 includes a test completion page confirming that all tests were performed, reviewed, and successfully passed. This page also identifies comments or issues found during the test. The SAT Part 1 was signed on March 2, 2018, by GA and AFRRI, and testing was performed on June 7, 2018, by QA.
Part 1 includes Quality Notice (QN) to record redlines and comments in the procedures. This report shows that issues identified were resolved.
SAT Part 2 The Part 2 demonstrates adequate operation of the system that can be used to operate the AFRRI TRIGA in accordance with AFRRI operating requirements.
The SAT Part 2 lists the software configuration of the tested equipment. It also lists prerequisites to be verified before the tests, such as successful completion of the SAT Part 1, core fully reloaded, and completion of all steady-state instrument calibrations. This step in the process was signed on May 9, 2018, by AFRRI and GA.
Part 2 includes the following test procedures and its corresponding completion date and signature. These tests were successfully completed on May 9-10, 2018, as shown in the SAT test log.
Steady state power operations and full power run - verify proper operation of the I&C system at various reactor power levels, including a full power run
Auto mode testing - verify operation of the system when in Auto mode
Pulse mode testing - verify operation of the system when in Pulse mode, including variation of reactivity insertions. Also, verify record, storage, and recall of saved pulse
Square wave testing - verify operation of the system when in Wave mode, including varying reactivity insertions Part 2 includes a test completion page confirming that tests were successfully passed. The SAT Part 2 was signed on May 10, 2018, by GA and AFRRI test performers and on June 7, 2018, by QA.
4.
ACCESS CONTROL AND CYBER SECURITY As part of the audit, the NRC staff observed the process that AFRRI uses to control access to the control room, control console, DAC cabinet, FIS cabinet, and ER control boxes.
To access the control room, there is a locked door to access a restricted area, where the reactor, offices, and control room are located. This door can only be operated by AFRRI personnel. Then AFRRI staff uses a key to unlock the control room door. Security to the control console relies on access to the console key switch and physical access to the console.
The control console and display are password protected, as described in the AFRRI TRIGA Control System Console System Requirements Specification and the AFRRI TRIGA O&M Manual, which were reviewed during the audit. However, AFRRI staff explained that this protection is only provided for accounting purposes and not for security. AFRRI explained that they control access to the computer using a login/password scheme. The system currently includes two access levels, one for operators and the other for the system administrator, but others could be created. Each operator would have a login and password assign. In this manner, AFRRI can record operator statistics, such as power, login time, operation time, etc.
AFRRI staff noted that only admin level can create new login and passwords. The AFRRI TRIGA Control System Console System Requirements Specification explains that the UIT creates a file to record usernames and passwords, with capacity for up to 30 operators. This document also identifies the credentials for the administrator account and for the GA account which allows access to the system.
During the audit, AFRRI staff logged in as the system administrator to show how the display shows operator statistics. To log in, the AFRRI staff selected Operator from the display menu of the UIT to open the login dialog box. AFRRI staff entered the admin login and password to log in. After successfully logged in, the control console would display the Administration tab if the system is scrammed. Selecting this tab would open a window showing all operator names, operator number, logged in time, run times, and cumulative power levels. AFRRI staff noted that this information is recorded in the computer and could be retrieved through the computers ports, if necessary.
The CSC computers include Universal Serial Bus (USB) ports and Compact Disc (CD) recorder.
AFRRI explained that these would be used by operators to record history data when the reactor is shut down. These ports include port locks. The AFRRI TRIGA O&M Manual, Section 2.1.1.2, states that remote computers should not be connected to these computers because these would allow remote access and control the reactor. AFRRI staff stated that they rely on the restriction to access the control room for preventing access to these ports.
The control console includes digital chart recorder on the left side of the console. These recorders include ports for obtaining data using a secure digital card and/or USB memory stick.
These ports include port locks. AFRRI explained that these recorders receive analog data from the nuclear instruments, so access is limited to these data and cannot affect operation of the nuclear instruments.
The engineering drawings T3A200E100, Console assembly, TRIGA, AFRRI, Revision B, included in the AFRRI TRIGA O&M Manual show the control console configuration. After looking at these drawings, the NRC staff visually confirmed the cabinets for the control console.
The NRC staff observed that the control console includes a printer for operators to print trends and historical data. The printer is within the console cabinet and can be accessed through the backdoors. These doors are locked. Also, through the cabinets backdoors, the operators could access cables and wiring to and from the control console. These backdoors are also locked.
The DAC, FIS cabinet, and the motor control center are located in the reactor room. To access the reactor room, one needs to access the restricted area where the control room is located.
All keys are kept by the AFRRI Interim Reactor Facility Director. Thus, AFRRI does not have a procedure to manage and control access to the key. Further, AFRRI does not have a log to record use of these keys.
The NRC staff performed a review to confirm the cyber security access control of the new AFRRI reactor I&C system to determine that adequate preventative methods are in place to protect information and property from attacks. This system provides the basic monitoring, protection, and control functions for the reactor. The NRC staff verified whether reactor operation would be prevented and not authorized without use of a key or combination input at the control console.
The NRC staff verified that the design or administrative controls prevent/limit unauthorized physical and electronic access to the hardware and software. The NRC staff reviewed whether the computers used in the digital I&C console came with wireless capability and whether wireless-based attacks are prevented by the absence of wireless technology components in the CSC.
5.
EXIT MEETING At the conclusion of the in-person meeting, the NRC staff met with AFRRI staff and discussed the activities performed during the in-person meeting. The NRC staff addressed each of the planned audit activities outlined in the audit plan (ADAMS Accession No. ML17220A243). In addition, AFRRI was provided with a summary of (1) new open items that were opened during the in-person meeting and (2) items that were closed during the in-person meeting. At the end of the meeting, AFRRI and NRC staff discussed the schedule for completion of LAR. The NRC staff explained that the current schedule for the safety evaluation report is dependent on a successful audit and prompt and complete request for additional information (RAI) responses.
Requests for Additional Information There are no RAIs. All questions were answered during the audit.
Open Items All open items were closed during the audit. There is no further follow-up information required.
Deviations from the Audit Plan There were no deviations from the Audit Plan.
Document List (References)
The audit team used the following documents as previously described and referenced by number in this report. Inclusion in the list does not imply a comprehensive review by the audit team.
1.
AFRRI LAR for Digital I&C Upgrade, dated November 10, 2020 (ADAMS Accession Nos. ML20318A339, ML20318A340, ML20318A343, ML20318A346, ML20318A347, ML20318A348, and ML20318A349).
2.
Response to NRC 01/08/2021 Letter re License Amendment Request for Facility Operating License No. R-84 for the AFRRI TRIGA Reactor Docket No. 50-170, dated February 5, 2021 (ADAMS Accession Nos. ML21036A297, and ML21036A300), and dated February 4, 2021 (ADAMS Accession No. ML21036A301) (affidavit).
3.
Transmittal of Proposed changes to the technical specifications in support of the license amendment request for the digital instrumentation and control upgrade for the AFRRI TRIGA Reactor, dated February 11, 2021 (ADAMS Accession Nos. ML21042B841 and ML21042B842).
4.
AFRRI LAR for the Digital Instrumentation and Control Upgrade Revision 1, dated October 28, 2021 (ADAMS Accession No. ML21302A097) and dated October 15, 2021 (ADAMS Accession No. ML21302A107).
5.
AFRRI - LAR - Digital IC - Functional Requirement Specification, dated November 8, 2021 (ADAMS Accession Nos. ML21316A033, ML21316A036, ML21316A038).
6.
US Dept. of Defense, Uniformed Services Univ. of the Health Sciences - The Armed Forces Radiobiology Research Institute (AFRRI) is Submitting a Supplement to the License Amendment Request for the Digital Instrumentation and Control Upgrade, dated January 7, 2022 (ADAMS Accession Nos. ML22007A264, ML22007A266).
- 7. - Affidavit for Proprietary Information, dated April 27, 2021 (ADAMS Accession No. ML21316A037).