ML22096A281


Uniformed Services Univ. of the Health Sciences, Armed Forces Radiobiology Research Institute (Afrri), Proposed Changes to the Technical Specifications Related to the License Amendment Request for the Upgrade of the Instrumentation and Cont
Site: Armed Forces Radiobiology Research Institute
Issue date: 04/04/2022
From: Uniformed Services Univ. of the Health Sciences
To: Office of Nuclear Reactor Regulation
Shared Package: ML22096A279
References: EPID L-2020-NFA-0012

Proposed Changes to the Technical Specifications Related to the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor

4 April 2022

Contents

Summary
1 Change #1 - Table 2. Minimum Reactor Safety System Scrams
1.1 Safety Analysis - Technical Specification Table 2 - Watchdog Timer Circuits
1.2 Safety Analysis - Technical Specification Table 2 - AC Power Loss
2 Change #2 - Table 3. Minimum Reactor Safety System Interlocks
2.1 Safety Analysis - Technical Specification Table 3 - Operational Channel
2.2 Safety Analysis - Technical Specification Table 3 - Low Source Interlock
3 Change #3 - Reactor Safety Systems Surveillances
3.1 Safety Analysis - Technical Specification 4.2.2
4 Change #4 - Facility Interlock System Surveillances
4.1 Safety Analysis - Technical Specification 4.2.4 - Core Dolly Interlock Override Switch
5 Update to the Safety Analysis Report
6 Other Documents
7 Conclusion
Appendix A - Page Markups

Summary

The safety analysis presented concludes that the health and safety of the public will not be endangered by operation and that such activities are in compliance with regulations, therefore, the approval of these proposed changes will not be inimical to the common defense and security or to the health and safety of the public.

This document supersedes all previously proposed changes to the Technical Specifications that were detailed in the submittals dated November 10, 2020, February 5, 2021, February 11, 2021, and January 7, 2022.

The current NRC approved technical specifications are detailed in the Technical Specifications for the AFRRI Reactor Facility dated 30 September 2016 (ML16077A302) and as amended on August 14, 2019 (ML19058A327).

1 Change #1 - Table 2. Minimum Reactor Safety System Scrams

TS 3.2.2 Table 2 Minimum Reactor Safety System Scrams needs to be revised to reflect that there are two watchdog timer circuits and that the names of the components have changed slightly. The last row will be amended as follows:

a. Column 1 will be amended from Watchdog (DAC to CSC) to Watchdogs (UIT and CCS).
b. Column 2 will be amended to specify the maximum time of 15 seconds for the scram to occur.
c. Columns 3 and 4 will be amended to require two watchdog timer circuits, one for each computer, for both steady-state and pulse modes of operation.
d. The last row has been added to specify a loss of AC power scram. This is consistent with Section 8.2 and Table 14.1 in U.S. Nuclear Regulatory Commission, NUREG 1537 Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, 1996.

On page 14 of the Technical Specifications:

Table 2. Minimum Reactor Safety System Scrams

Channel | Maximum Set Point | Effective Mode: Steady State | Effective Mode: Pulse
Fuel Temperature | 600°C | 2 | 2
Percent Power, High Flux | 1.1 MW | 2 | 0
Console Manual Scram Button | Closure switch | 1 | 1
High Voltage Loss to Safety Channel | 20% Loss | 2 | 1
Pulse Time | 15 seconds | 0 | 1
Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3
Pool Water Level | 14 feet from the top of the core | 1 | 1
Watchdog (DAC to CSC) | On digital console | 1 | 1
Watchdogs (UIT and CCS) | 15 seconds | 2 | 2
AC Power Loss | 15 seconds | 1 | 1

Bases

The fuel temperature and power level scrams provide protection to ensure that the reactor can be shut down before the fuel temperature safety limit is exceeded. The manual scram allows the operator to shut down the system at any time if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety channels, operation of the reactor without adequate instrumentation is prevented. The preset pulse timer ensures that the reactor power level will return to a low level after pulsing. The emergency stop allows personnel trapped in a potentially hazardous exposure room, or the reactor operator, to scram the reactor through the facility interlock system. The pool water level ensures that a loss of biological shielding would result in a reactor scram. The watchdog scram ensures reliable communication between the User Interface Terminal (UIT) and the Console Computer System (CCS). Data Acquisition Computer (DAC) and the Control System Computer (CSC). The AC power loss scram ensures that a loss of AC power to the uninterruptible power supply (UPS) for the reactor control console will result in a scram.

1.1 Safety Analysis - Technical Specification Table 2 - Watchdog Timer Circuits

The previous instrumentation and control system consisted of the Control System Console (CSC) computer and the Data Acquisition and Control (DAC) computer. The CSC was responsible for acquiring raw data from the DAC and processing it for display, performing calculations, and maintaining a number of statistics pertaining to the reactor and reactor facility, tasks similar to the new UIT and CCS computers. The CSC also continuously monitored the console switches for operator inputs, and then provided the necessary control functions by issuing commands to the DAC. For example, the rod positions were adjusted by issuing commands to the CSC which in turn transmitted these commands to the DAC via data communication networks. The DAC then reissued these commands to the rod drive mechanisms.

Both the DAC computer and CSC computer incorporated watchdog timer circuits (WDT). These circuits monitored the firmware operating system to ensure all tasks were completed in the designated time. If any of the watchdog timers were not reset by the operating system, relays on the watchdog board would de-energize. These relays were hardwired into the SCRAM loop.

The new instrumentation and control console also contains two computer systems, the control computer system (CCS) and the user interface terminal (UIT). Watchdog timer circuits have also been incorporated for each computer system to ensure detection of problems such as CPU latch-up, control system faults, wiring/cabling failure, unauthorized tampering, unanticipated software conditions, communications problems, or power failures.

The watchdog timers monitor the UIT computer and CCS computer and are wired in with the SCRAM loop.

The software must periodically send a keep-alive signal to the watchdog timers to prevent them from alarming and thus scramming the reactor. The time delay before an alarm occurs is adjustable between 5 and 15 seconds. The CCS and UIT watchdog timers monitor the computers and if either of the computers fails to send a signal to their WDT, the respective WDT will time out and a SCRAM occurs. When the watchdog timers lose power, their outputs will default to a failsafe condition, which will also scram the reactor.

Watchdog timeout occurs when the software is doing some internal processing and fails to refresh watchdog timers within a set period (usually 7-10 seconds). This can happen, for example, if the software enters an "infinite loop" or otherwise "freezes up." If the system cannot respond to reactor inputs within the specified amount of time, the system will scram the control rods via a watchdog scram. In general, it should be very rare for a watchdog timeout to occur during normal reactor operation with the software operating properly. In some cases, it could be possible for the operating system to consume so much time that a watchdog timeout occurs even though the software is otherwise operating properly, but this should be a very rare occurrence. Should a watchdog timeout occur during normal system operation and the software has not frozen up, this could be an indication that system resources need to be freed. In this case, the control console system should be shut down and restarted.
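The keep-alive and fail-safe behaviour described above can be modelled in a few lines. This is an added illustration, not part of the AFRRI submittal or the console vendor's software: two watchdog timers whose relay contacts sit in series in a de-energize-to-trip scram loop. The 1-second keep-alive period, the latching of a trip, and all class and function names are assumptions made for the example.

```python
"""Two keep-alive watchdog timers in a de-energize-to-trip scram loop (simulated time)."""
from dataclasses import dataclass

# From the page: the delay before a watchdog alarms is adjustable between 5 and 15 s.
MIN_TIMEOUT_S = 5
MAX_TIMEOUT_S = 15


@dataclass
class WatchdogTimer:
    name: str
    timeout_s: int
    powered: bool = True
    last_keepalive_s: int = 0
    tripped: bool = False  # assumption: a trip latches until the console is restarted

    def __post_init__(self):
        if not MIN_TIMEOUT_S <= self.timeout_s <= MAX_TIMEOUT_S:
            raise ValueError(
                f"{self.name}: timeout must be {MIN_TIMEOUT_S}-{MAX_TIMEOUT_S} s")

    def keepalive(self, now_s):
        """Software refresh. Ignored once the timer has tripped or lost power."""
        if self.powered and not self.tripped:
            self.last_keepalive_s = now_s

    def relay_energized(self, now_s):
        """The relay holds its scram-loop contact closed only while powered and refreshed."""
        if not self.powered:
            return False  # loss of power defaults the output to the fail-safe state
        if now_s - self.last_keepalive_s >= self.timeout_s:
            self.tripped = True
        return not self.tripped


def make_loop(timeout_s=10):
    """One watchdog per computer, named as on the page (UIT and CCS)."""
    return [WatchdogTimer("UIT", timeout_s), WatchdogTimer("CCS", timeout_s)]


def simulate(timers, hang_at_s=None, wdt_power_loss_at_s=None,
             keepalive_period_s=1, horizon_s=30):
    """Step time in 1 s ticks; return (scram_time_s, open_contacts) or None.

    hang_at_s: timer name -> time at which that computer stops sending keep-alives.
    wdt_power_loss_at_s: timer name -> time at which that watchdog loses power.
    The contacts are in series, so a single open contact scrams the reactor.
    """
    hang_at_s = hang_at_s or {}
    wdt_power_loss_at_s = wdt_power_loss_at_s or {}
    for t in range(horizon_s + 1):
        for wdt in timers:
            loss = wdt_power_loss_at_s.get(wdt.name)
            if loss is not None and t >= loss:
                wdt.powered = False
            hang = hang_at_s.get(wdt.name)
            software_alive = hang is None or t < hang
            if software_alive and t % keepalive_period_s == 0:
                wdt.keepalive(t)
        open_contacts = [w.name for w in timers if not w.relay_energized(t)]
        if open_contacts:
            return t, open_contacts
    return None


if __name__ == "__main__":
    # Constructed scenarios, not plant data.
    print("healthy          :", simulate(make_loop()))
    print("CCS hangs at 4 s :", simulate(make_loop(), {"CCS": 4}))
    print("UIT WDT unpowered:", simulate(make_loop(), {}, {"UIT": 6}))
    print("both hang, 15 s  :", simulate(make_loop(15), {"UIT": 0, "CCS": 0}))
```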

The nuclear instrumentation that prevents the reactor from exceeding a safety limit is independent of the digital instrumentation and is completely analog, and as such does not rely on communication with the control console to initiate protective scram actions.

The worst case scenario would involve the uncontrolled withdrawal of a control rod caused by a non-responsive system resulting in a reactivity insertion event. The NLW-1000 provides the reactor period signal while the CSC enforces via software the less than 3-second period interlock protection. Automatic mode allows for the simultaneous withdrawal of all three standard control rods. Normally, the less than 3 second period interlock limits the reactivity insertion rate, however in the event that the computer fails in such a way that it is incapable of communicating this interlock to the rod drives, the 3-second period interlock is rendered non-functional and a ramp reactivity insertion accident may occur. Scenarios initiating at a power level of 100 watts and 1 MW have been analyzed and are detailed in Revision 1 of the Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor.

It is shown that the overpower scrams provided by the NP-1000 and NPP-1000 activate within approximately 2.5 seconds, well before any watchdog would time-out, and that the scenarios are well within the maximum reactivity limit of $3.50.

The design function of the watchdog timers is not to prevent transient conditions but to automatically shut down the reactor and alert the operator that the digital portion of the control system is not functioning properly, therefore the 15 seconds maximum setpoint for the watchdog timer is more than sufficient to satisfy this function and is equal to the maximum setpoint for the Pulse Timer.

Watchdog timer lights are provided for both the CCS and UIT to indicate when a watchdog timer timeout has occurred.

Watchdog timer scram tests can be performed in one of three ways: (1) initiating the automatic reactor prestart tests on the Prestart Tests Display, (2) via checkboxes on the Test Functions Display, or (3) using the Scram and Interlock Test 2 Rotary Switch located on the Reactor Mode Control Panel. After typically 5-10 seconds, but no more than 15 seconds, the associated watchdog circuitry shall SCRAM the rods. Surveillance TS 4.2.2.b requires that these watchdog timers are tested weekly whenever operations are planned. The periodicities that pertain to the previous watchdog timer circuits are still applicable and appropriate for the new circuits and are not amended.

A malfunction of the watchdog timer circuits resulting in a failure to detect a loss of communication with the computer systems will not prevent any scram actions originating from the nuclear instrumentation, since these actions are completely analog and separate from the digital components. Therefore, it is concluded that the failure of the watchdog timers will not result in the exceeding of a safety limit and that the proposed change to Table 2 of TS 3.2.2 will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.2 Safety Analysis - Technical Specification Table 2 - AC Power Loss

Consistent with Section 8.2 and Table 14.1 in U.S. Nuclear Regulatory Commission, NUREG 1537 Part 1, a limiting condition for operation for a loss of AC power scram, along with a companion surveillance (refer to Section 3 of this document) has been added to the technical specifications.

AC power is supplied to the reactor instrumentation and control console via the uninterruptible power supply (UPS) located in the control room. The UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of AC power.

The loss of AC power to the UPS will open a contact on the UPS and a scram will be generated. This ensures that the reactor will automatically scram and enter and remain in a safe shutdown condition. The time requirement for this scram to occur is no more than 15 seconds.

If AC power is lost, the primary and secondary cooling systems will lose power and shut down. The 1 MW, full power, reactor pool heat up rate is 14.8°C/hr. With a typical operating primary water temperature of 20°C, it will take approximately 2.7 hours to reach the primary water temperature limit of 60°C, therefore a maximum 15 second response time does not result in the exceeding of a safety limit.

As with the coolant systems, the ventilation system will also lose power and is designed to fail-safe to the confinement condition, thus ensuring the control of any airborne radioactive material. Therefore a maximum 15 second response time does not result in the exceeding of a release limit.

In the event that AC power is lost, Reactor Procedure 004 - SCRAMS, Alarms and Abnormal Conditions requires the reactor operator to verify that the reactor has scrammed and to subsequently remove the reactor console key, which will also result in a scram.

The appropriate sections of the Safety Analysis Report will be updated to reflect this additional technical specification.

2 Change #2 - Table 3. Minimum Reactor Safety System Interlocks

TS 3.2.2 Table 3 Minimum Reactor Safety System Interlocks needs to be revised to reflect that the terminology operational channel is no longer applicable for the new instrumentation and that the source range rod withdrawal interlock be specified in watts not cps. Column one will be amended as follows:

a. Row 3 will be amended from operational channel to Linear Power Channel.
b. Row 3 will be amended to reflect that the low source interlock setpoint is specified in watts and not counts per second.
c. Row 5 will be amended from operational channel to Log Power Channel.

On page 15 of the Technical Specifications:

Table 3. Minimum Reactor Safety System Interlocks

Action Prevented | Effective Mode (Steady State, Pulse)
Pulse initiation at power levels greater than 1 kW | X
Withdrawal of any control rod except transient | X
Any rod withdrawal with count rate below 0.5 cps power level below 1 x 10^-5 watts as measured by the operational channel Linear Power Channel (NMP-1000) | X X
Simultaneous manual withdrawal of two standard rods | X
Any rod withdrawal if high voltage is lost to the operational channel Log Power Channel (NLW-1000) | X X
Withdrawal of any control rod if reactor period is less than 3 seconds | X
Application of air if the transient rod drive is not fully down. This interlock is not required in square wave mode. | X

Reactor safety system interlocks shall be tested daily whenever operations involving these functions are planned

Bases

The interlock preventing the initiation of a pulse at a power level above 1 kW ensures that the pulse magnitude will not result in exceeding the fuel element temperature safety limit. The interlock that prevents movement of standard control rods in pulse mode will prevent the inadvertent increase in steady state reactor power prior to initiation of a pulse. Requiring a minimum count rate power level to be measured by the operational channel Linear Power Channel ensures sufficient source neutrons to bring the reactor critical under controlled conditions. The interlock that prevents the simultaneous manual withdrawal of two standard control rods limits the amount of reactivity added per unit time. Correct high voltage to the operational channel Log Power Channel ensures accurate power indications. Preventing the withdrawal of any control rod if the period is less than 3 seconds minimizes the possibility of exceeding the maximum permissible power level or the fuel temperature safety limit.

2.1 Safety Analysis - Technical Specification Table 3 - Operational Channel

The previous neutron power monitor, NM-1000, was designated as the operational channel and consisted of both a multi-range linear component and the wide range log component utilizing the signal from one fission chamber covering the entire neutron flux range from source to full power, with the source range output covering the lower six decades and a linear percent power output covering the upper three decades of reactor power.

The NM-1000 has been replaced by two completely separate and independent channels, therefore the terminology of operational channel is no longer applicable. The linear portion of the NM-1000 has been replaced by the NMP-1000. The NMP-1000 is a multi-range linear channel capable of providing indication from the source range through full power. The NMP-1000 will be known as the Linear Power Channel. The logarithmic portion of the NM-1000 has been replaced by the NLW-1000. The NLW-1000 is a logarithmic channel and is also capable of providing indication from the source range through full power. The NLW-1000 will be known as the Log Power Channel. Therefore, the term Operational Channel has been changed to Linear Power Channel and Log Power Channel as appropriate.

This proposed change is to better reflect the current channels installed and the terminology used at the facility and also to remove any ambiguity as to which channel the specifications apply, therefore, it is concluded that this proposed change to Table 3 of TS 3.2.2 does not impose any undue risk to the health and safety of the public.

2.2 Safety Analysis - Technical Specification Table 3 - Low Source Interlock

The NMP-1000 channel provides the Low Source Interlock. The NMP-1000 uses a compensated ion chamber, and as such, outputs a current and is designed to display in watts and not counts per second (cps), therefore the interlock setpoint needs to be specified in watts.

Neither the NLW-1000 nor NMP-1000 provides a reading in cps. The NLW-1000 displays percent full power while the NMP-1000 displays watts. Providing an equivalency from either instrument to cps would be difficult and inaccurate.

The design function of the low source interlock is to only permit rod withdrawal when there are sufficient neutrons to provide proper instrument response for bringing the reactor critical under controlled conditions. Therefore, it is only necessary to verify that the channel is capable of performing this design function. This is accomplished by using a neutron source to ensure that the channel is responding to neutrons and not just gammas. The neutron source used at AFRRI is a 3 curie (Ci) americium-beryllium (Am-Be), cylindrical-shaped, double encapsulated source. The source is located in the core, and remains there during operation, but can be removed for training, maintenance, and to verify the functionality of the source interlock.

During the functionality test, the source is removed from its normal in core location and the power monitoring instrument, NMP-1000, is allowed to drop below the interlock setpoint which trips the rod withdraw interlock and prohibits the withdrawal of control rods. This test ensures that the interlock is set properly.

From Figure 2-1, it is shown that a setpoint of 1x10^-5 watts is well above the level when the source is removed, which provides assurance that the channel is operating correctly by detecting sufficient source neutrons prior to startup. Therefore, it is concluded that the proposed change to Table 3 of TS 3.2.2 for the source range interlock will continue to perform the design function required by this channel.

In the unlikely event that the NMP-1000 fails to provide the proper response and the operator attempts to start the reactor with little or no source neutrons, this could result in a reactivity insertion event. This event would be bounded by the analysis presented in Chapter 13 of the SAR and in Section 1.3.5 of the Supplement to the LAR, therefore, the consequences would be minimal.

Figure 2 Ranges of Operation for the NMP-1000 [power scale from 1 MW down to 0.000001 W, marking the source level with the Am-Be source installed, the low source interlock setpoint, and the source level with the Am-Be source removed]

3 Change #3 - Reactor Safety Systems Surveillances

TS 4.2.2.b has two revisions, the first to correct a typographical error and delete the repeated words of each. The second, to explicitly state that the channels to be tested are the reactor safety system channels as specified in TS 3.2.2 Table 2 and Table 3 with the exception of the exposure room emergency stop scrams.

TS 4.2.2.c also contains two revisions. The first is an addition that specifies that the setpoints for the high voltage loss to the safety channel scrams have been verified as part of the channel calibrations. The second, is the removal of the reference to the NM1000 since this channel is obsolete and has been replaced with the NLW and NMP channels, which are already included in the specification.

TS 4.2.2.e has been revised to explicitly state the exposure room emergency stop scrams shall be tested annually, and a specification for the testing of the AC power loss scram has also been added.

On page 28 of the Technical Specifications:

4.2.2. REACTOR SAFETY SYSTEMS

Applicability

These specifications apply to the surveillance requirements for measurement, test, and calibration of the reactor safety systems.

Objective

The objective is to verify the performance and operability of the systems and components that are directly related to reactor safety.

Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
b. A channel test of each of each of the reactor safety system channels in Table 2 and Table 3 with the exception of the exposure room emergency stop and AC power loss scrams for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration, including verification of the setpoints for the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.
d. A thermal power calibration shall be completed annually not to exceed 15 months.
e. The exposure room emergency stop and AC power loss scrams shall be tested annually, not to exceed 15 months.
f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.
g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

Bases

TRIGA system components have proven operational reliability. Daily tests ensure reliable scram functions and ensure the detection of channel drift or other possible deterioration of operating characteristics. The channel checks ensure that the safety system channel scrams are operable on a daily basis or prior to an extended run. The power level channel calibration will ensure that the reactor is operated within the authorized power levels.

3.1 Safety Analysis - Technical Specification 4.2.2

Specification 4.2.2.b

The first change to 4.2.2.b is to correct a typographical error and delete the repeated words of each.

This proposed change is purely editorial in nature, therefore it is concluded that this change does not impose any undue risk to the health and safety of the public.

This second change to 4.2.2.b is an addition to explicitly state that the channels listed in Table 2 and Table 3 are the channels that are required to undergo a weekly channel test for the intended mode of operation whenever operations are planned. The previous specification stated reactor safety system channels which is ambiguous with regard to what is defined as a reactor safety system channel. The proposed change removes this ambiguity. Since all requirements and setpoints remain unchanged it is concluded that this change does not impose any undue risk to the health and safety of the public.

Verbiage was added to provide an exception from this specification for the exposure room emergency stop scrams. AFRRI has always interpreted that the exposure room emergency stop scrams are only tested annually as required in Specification 4.2.2.e. The periodicity for the emergency stop scrams has proven to be more than adequate. The emergency stops are industry standard turn-to-reset pushbuttons that are wired to be normally closed (i.e., opening the circuit causes a scram), therefore any break in or malfunction of the circuit would cause a scram. The contact block for the emergency stop has an electrical life rating of 1,000,000 operations, so a failure is unlikely, therefore this change does not impose any undue risk to the health and safety of personnel or to the public.

Specification 4.2.2.c

The first change to 4.2.2.c is the addition to explicitly state that a verification of the setpoints for the High Voltage Loss to the Safety Channel scrams shall be performed as part of the annual channel calibration. An annual periodicity for this specification is consistent with Section 4.2.5.b of ANSI/ANS 15.1-2007 The Development of Technical Specifications for Research Reactors. Therefore it is concluded that this change does not impose any undue risk to the health and safety of the public.

The second change to 4.2.2.c is to remove the reference to the NM1000 channel. The NM1000 channel is obsolete and is no longer installed.

Specification 4.2.2.e

The change to 4.2.2.e is to explicitly state that the exposure room emergency stop scrams are tested annually and is discussed above. The console emergency stop scram is tested on a weekly basis as required by 4.2.2.b and remains unchanged, therefore it is concluded that this change does not impose any undue risk to the health and safety of the public.

The annual periodicity for the testing of the AC power loss scram was chosen to minimize the unnecessary cycling of power to the UPS. In the event that the automatic scram fails to occur the reactor operator is procedurally required to scram the reactor by removing the reactor console key as discussed above, therefore it is concluded that this periodicity does not impose any undue risk to the health and safety of the public.

4 Change #4 - Facility Interlock System Surveillances

TS 4.2.4 needs to be revised to reflect the installation of the core dolly override switch. The core dolly interlock override switch is inconsistent with the current technical specifications since it is possible, using an installed switch, to move the core dolly in region 2 while the lead shield doors are closed. Therefore, verbiage was added to specification 4.2.4.b to allow for the movement of the core dolly in region 2 while the lead doors are closed with the use of the core dolly interlock override switch. The use of the override switch is administratively controlled such that trained reactor personnel are directly supervising the core movement while the switch is engaged.

On page 30 of the Technical Specifications:

4.2.4. FACILITY INTERLOCK SYSTEM

Applicability

This specification applies to the surveillance requirements that ensure the integrity of the facility interlock system.

Objective

The objective is to ensure performance and operability of the facility interlock system.

Specifications

Functional checks shall be made annually, not to exceed 15 months, to ensure the following:

a. With the lead shield doors open, neither exposure room plug door can be electrically opened.
b. The core dolly cannot be moved into in region 2 with the lead shield doors closed except during the use of the core dolly interlock override switch.
c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

Bases

These functional checks will verify operation of the interlock system. Experience at AFRRI indicates that this is adequate to ensure operability.

4.1 Safety Analysis - Technical Specification 4.2.4 - Core Dolly Interlock Override Switch

As part of the digital instrumentation and control upgrade, a core dolly override switch was added to the front of the Facility Interlock Cabinet (FIS). The O&M Manual briefly describes the override switch as toggle switch RP2. Refer to Page 3-28 of the O&M Manual and Drawing T3A100E840 Rev B. Figure 4-1 shows a close-up of the switch, while Figure 4-4 shows the location of the switch on the FIS cabinet.

The switch has the following positions shown in Figure 4-1.

Left - Region 1
Center - OFF
Right - Region 3

Figure 4 Core Dolly Override Switch

The switch is momentary, i.e., it will spring return to the center or OFF position when not actively held to the left or right positions. It is important to note that the override switch does not actually move the core dolly, it only permits the core dolly to be moved. The actual movement of the core dolly is still controlled with pushbuttons on the Reactor Mode Control Panel (or foot pedals) in the control room.

For each region there are two limit switches that will stop core dolly movement - the inner and outer limit switches. Refer to Figure 4-2 for a diagram of the switches. The outer limit switch stops the core dolly when it reaches the far end of the travel to prevent contacting the pool liner. The outer switches cannot be overridden. To prevent contact with the lead shield doors, the inner limit switch stops the core dolly from further movement if the lead shield doors are not fully opened.

Figure 4 Core Dolly Limit Switch Diagram

For example, take the scenario of the operator moving the core dolly toward region 3 with the lead door closed. Once the core dolly comes off of the inner limit switch (switch is now open) the core dolly will stop and further movement of the core dolly is prohibited, this includes movement back toward region 1. Originally, the only way to recover from this scenario was to manually actuate the switch. This was accomplished by inserting a finger through a cutout in the core dolly rail and pushing down on the lever arm of the switch. Refer to Figure 4-3 below.

Figure 4 Core Dolly Limit Switch Access Point

This introduced a potential pinch/crush hazard to personnel who performed this task. This scenario would occur (twice, Steps 3 and 69) during the performance of M033 Facility Interlock Checklist procedure. To eliminate the hazard, the previous FIS was modified and an override switch was added to the inside of the cabinet. Refer to Figure 4-6. The new FIS cabinet maintains this functionality.

The use of the override switch is administratively controlled such that trained reactor personnel are required to be directly supervising the core movement while the switch is engaged. This requirement is inherently enforced since the override switch is momentary and has to be actively held in place to permit movement of the core dolly. In the event of operator error or equipment malfunction, the torque generated by the core dolly drive mechanism is limited by a slip clutch. The slip clutch is set to prevent damage if the core shroud or any other part of the core dolly comes into contact with an obstruction, such as the core shroud contacting the lead shield doors. As such, a failure resulting in inadvertent contact between the core shroud and an obstruction has minimal consequences. Therefore, movement of the core dolly in region 2 while the lead shield doors are closed during maintenance activities does not impose any undue risk to the health and safety of the reactor, reactor personnel or the public.
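The movement rule described above, modelled as an added example (it is not AFRRI's or the FIS supplier's logic). The rail positions, the assumption that an inner limit switch stays actuated throughout its region, and all names are constructed for illustration; the left/right sense of the override is not modelled because the text does not state what each position selects.

```python
from dataclasses import dataclass

# Constructed rail geometry (assumption): integer positions 0..10.
OUTER_R1, INNER_R1, INNER_R3, OUTER_R3 = 0, 3, 7, 10


@dataclass
class Dolly:
    pos: int
    doors_fully_open: bool


def on_inner_switch(pos: int) -> bool:
    """Assumption: an inner limit switch is actuated while the dolly is in region 1 or 3."""
    return pos <= INNER_R1 or pos >= INNER_R3


def movement_permitted(d: Dolly, step: int, override_held: bool) -> bool:
    """step is -1 (toward region 1) or +1 (toward region 3)."""
    # Outer limit switches stop travel at the far ends and cannot be overridden.
    if (step < 0 and d.pos <= OUTER_R1) or (step > 0 and d.pos >= OUTER_R3):
        return False
    if d.doors_fully_open:
        return True
    # Doors not fully open: once off the inner switch (region 2), movement is
    # prohibited in both directions unless the override is being held.
    return on_inner_switch(d.pos) or override_held


def drive(d: Dolly, step: int, held_per_tick: list) -> list:
    """Operator requests movement for each tick; each entry says whether the
    momentary override is held on that tick. Returns the positions visited."""
    trace = [d.pos]
    for held in held_per_tick:
        if movement_permitted(d, step, held):
            d.pos += step
        trace.append(d.pos)
    return trace


if __name__ == "__main__":
    dolly = Dolly(pos=2, doors_fully_open=False)
    # Scenario from the text: toward region 3 with the lead doors closed.
    print(drive(dolly, +1, [False] * 4))
    # Stuck in region 2: no movement back toward region 1 either.
    print(drive(dolly, -1, [False]))
    # Override is momentary: releasing it mid-travel halts the dolly.
    print(drive(dolly, +1, [True, False, True]))
```
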

Figure 4 Core Dolly Override Switch

Figure 4 Core Dolly Wiring Schematic T3A100E840

Figure 4 Previous Core Dolly Override Switch

5 Update to the Safety Analysis Report

Upon approval of these proposed changes the TRIGA Reactor Safety Analysis Report will be updated as required.

6 Other Documents

Facility procedures may need minor revisions, which will be performed as required and pursuant to 10 CFR Part 50.59. The Emergency Plan does not require any revisions upon approval of these proposed changes.

The Physical Security Plan does not require any revisions upon approval of these proposed changes.

7 Conclusion

The safety analysis presented concludes that the health and safety of the public will not be endangered by operation under the proposed request and that such activities are in compliance with regulations; therefore, the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Appendix A - Page Markups

Table 2. Minimum Reactor Safety System Scrams

| Channel | Maximum Set Point | Effective Mode: Steady State | Effective Mode: Pulse |
|---|---|---|---|
| Fuel Temperature | 600°C | 2 | 2 |
| Percent Power, High Flux | 1.1 MW | 2 | 0 |
| Console Manual Scram Button | Closure switch | 1 | 1 |
| High Voltage Loss to Safety Channel | 20% Loss | 2 | 1 |
| Pulse Time | 15 seconds | 0 | 1 |
| Emergency Stop (1 in each exposure room, 1 on console) | Closure switch | 3 | 3 |
| Pool Water Level | 14 feet from the top of the core | 1 | 1 |
| Watchdogs (UIT and CCS) | 15 seconds | 2 | 2 |
| AC Power Loss | 15 seconds | 1 | 1 |

Bases

The fuel temperature and power level scrams provide protection to ensure that the reactor can be shut down before the fuel temperature safety limit is exceeded. The manual scram allows the operator to shut down the system at any time if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety channels, operation of the reactor without adequate instrumentation is prevented. The preset pulse timer ensures that the reactor power level will return to a low level after pulsing. The emergency stop allows personnel trapped in a potentially hazardous exposure room, or the reactor operator, to scram the reactor through the facility interlock system. The pool water level ensures that a loss of biological shielding would result in a reactor scram. The watchdog scram ensures reliable communication between the User Interface Terminal (UIT) and the Console Computer System (CCS). The AC power loss scram ensures that a loss of AC power to the uninterruptible power supply (UPS) for the reactor control console will result in a scram.

Table 3. Minimum Reactor Safety System Interlocks

| Action Prevented | Effective Mode (Steady State, Pulse) |
|---|---|
| Pulse initiation at power levels greater than 1 kW | X |
| Withdrawal of any control rod except transient | X |
| Any rod withdrawal with power level below 1 x 10^-5 watts as measured by the Linear Power Channel (NMP-1000) | X X |
| Simultaneous manual withdrawal of two standard rods | X |
| Any rod withdrawal if high voltage is lost to the Log Power Channel (NLW-1000) | X X |
| Withdrawal of any control rod if reactor period is less than 3 seconds | X |
| Application of air if the transient rod drive is not fully down. This interlock is not required in square wave mode. | X |

Reactor safety system interlocks shall be tested daily whenever operations involving these functions are planned.

Bases

The interlock preventing the initiation of a pulse at a power level above 1 kW ensures that the pulse magnitude will not allow the fuel element temperature to exceed the safety limit. The interlock that prevents movement of standard control rods in pulse mode will prevent the inadvertent increase in steady state reactor power prior to initiation of a pulse. Requiring a minimum power level to be measured by the Linear Power Channel ensures sufficient source neutrons to bring the reactor critical under controlled conditions. The interlock that prevents the simultaneous manual withdrawal of two standard control rods limits the amount of reactivity added per unit time. Correct high voltage to the Log Power Channel ensures accurate power indications. Preventing the withdrawal of any control rod if the period is less than 3 seconds minimizes the possibility of exceeding the maximum permissible power level or the fuel temperature safety limit.

4.2.2. REACTOR SAFETY SYSTEMS

Applicability

These specifications apply to the surveillance requirements for measurement, test, and calibration of the reactor safety systems.

Objective

The objective is to verify the performance and operability of the systems and components that are directly related to reactor safety.

Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.
b. A channel test of each of the reactor safety system channels in Table 2 and Table 3 with the exception of the exposure room emergency stop and AC power loss scrams for the intended mode of operation shall be performed weekly, whenever operations are planned.
c. Channel calibration, including verification of the setpoints for the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.
d. A thermal power calibration shall be completed annually not to exceed 15 months.
e. The exposure room emergency stop and AC power loss scrams shall be tested annually, not to exceed 15 months.
f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.
g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

Bases

TRIGA system components have proven operational reliability. Daily tests ensure reliable scram functions and ensure the detection of channel drift or other possible deterioration of operating characteristics. The channel checks ensure that the safety system channel scrams are operable on a daily basis or prior to an extended run. The power level channel calibration will ensure that the reactor is operated within the authorized power levels.

4.2.4. FACILITY INTERLOCK SYSTEM

Applicability

This specification applies to the surveillance requirements that ensure the integrity of the facility interlock system.

Objective

The objective is to ensure performance and operability of the facility interlock system.

Specifications

Functional checks shall be made annually, not to exceed 15 months, to ensure the following:

a. With the lead shield doors open, neither exposure room plug door can be electrically opened.
b. The core dolly cannot be moved in region 2 with the lead shield doors closed except during the use of the core dolly interlock override switch.
c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

Bases

These functional checks will verify operation of the interlock system.

Experience at AFRRI indicates that this is adequate to ensure operability.