ML093230647: Difference between revisions

From kanterella
(Created page by program invented by StriderTol)

Line 262:
"It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions."
"(a) quality is achieved and maintained by those who have been assigned responsibility for performing the work; (b) quality achievement is verified by persons not directly performing the work"

====2.3.3 Design verification====
"Design verification shall be performed by competent individuals or groups other than those who performed the design, but who may be from the same organization..."
Revision as of 09:30, 14 October 2018

10/16/2009 University of Florida Phase 0 Presentation
ML093230647
Person / Time
Site: 05000083
Issue date: 12/22/2009
From: Ghita G, Haghighat A
Univ of Florida
To:
NRC/NRR Adams Working Group
Hardesty, D NRC/NRR/DPR/PRTA 415-3724
References
Download: ML093230647 (77)


Text

Presentation on UFTR Licensing Amendment Application (Phase 0)

Alireza Haghighat, FP&L Professor, UFTR Director
& Gabriel Ghita, Research Scientist, Project Coordinator
Nuclear & Radiological Engineering Department, University of Florida, Gainesville, Florida
For presentation to the NRC, Washington DC, Oct. 16, 2009

Outline
- Introduction to the reactor design
  - Core, primary loop, secondary loop, reactor cell, confinement
  - Accident scenarios
  - Current I&C design
  - Features
  - Licensing requirement
- Introduction to the UF Team, their functions, and support teams from AREVA & Siemens
- Proposed TXS Protection System
  - Safety System Design Basis
  - D3 Analysis (considering Design Basis changes)
- Introduction to plans
  - QAP
  - V&V
- Discussion on TXS Equipment
  - Possibility of installation of a redundant Train for testing, benchmarking and training
- Proposed schedule

UFTR timelines
- Established in 1959 with a power of 10 kW
- In 1963, its power was increased to 100 kW
- In 1970, its fuel was changed from LEU to HEU
- In Sept. 2006, its fuel was changed from HEU to LEU

Schematic of UFTR (axial projection)

Figure labels: Core, Graphite, Shield Tank

Schematic of UFTR (horizontal projection)

UFTR Core (figure labels: Control blade, Fuel box, Graphite, S1, S2, S3, RG, N)

Fuel Plate Characteristics
- LEU Fuel Type: U3Si2-Al
- Fuel Meat Size: Width (cm), Thickness (cm), Height (cm)
- Fuel Plate Size: Width (cm), Thickness (cm), Height (cm)
- Cladding material: 6061 Al
- Cladding Thickness (cm)
- Fuel Enrichment (nominal): 19.75%
- "Meat" Composition (wt% U)
- Mass of U-235 per Plate (nominal)
- Number of Plates per Fuel Bundle

Core at critical condition - fuel pattern and blade positions
- Safety 1, at 26.3 degrees
- Safety 2, at 26.3 degrees
- Safety 3, at 26.3 degrees
- Regulating, at 16.9 degrees
- Dummy bundle: 10 fuel plates & 3 dummy plates

Total neutron flux distribution (figure)

Bundle power distribution (kW) (figure); schematic of the core

Core Lifetime
Expected end-of-life LEU core with fuel burnup of ~86.67 MWD; this is based on a full-power operation time of 4 hr/day, 5 day/week, for 20 years.

UFTR Primary Coolant Loop Design (including locations of sensing devices)
Figure labels: RTD; Level Indicator; Flowmeter; Closed Valve (Normal Operation); From Demineralizer Loop; Coolant Storage Tank; Heat Exchanger; To Demineralizer Loop; Rupture Disk; Dump Valve; Secondary Storage Well; UFTR Core; Air Bleed Valve; To Secondary Side; NI Fission Chamber/BF3 Ion Chamber; Primary Flow.

Operating Region
Figure 5. 20 mil tolerance on Water Channel Spacing and 0.065" Repositioning of Each Assembly Due to Combs. Axes: True Coolant Flow Rate (gpm) against True Reactor Power (kW), with curves for Tin = 86 °F, 100 °F and 110 °F.
- True Max. Power: 125 kW; LSSS Power: 119 kW; Max Operating Power: 100 kW
- For Max. Inlet Temp. = 100 °F: True Minimum Flow Rate 39 gpm; LSSS Flow Rate 41 gpm; Operating Flow Rate 48 gpm
- For Max. Inlet Temp. = 110 °F: True Minimum Flow Rate 43 gpm; LSSS Flow Rate 45 gpm; Operating Flow Rate 52 gpm

UFTR Control Parameters and Settings
Parameter                True Limit   LSSS   Operating Values
Power (kW)               125          119    100
Inlet Flow Rate (gpm)    34           36     43
Inlet Temperature (°F)   100          99     80
Outlet Temperature (°F)  165          155    95

Accident Scenarios & Analysis

Accident Scenarios

- A rapid insertion of 0.6% Δk/k reactivity. This scenario represents the reactivity insertion resulting from the rapid ejection of the maximum worth of all moveable and non-secured experiments from the reactor. Cases were analyzed both with and without reactor SCRAM.
- A reactivity ramp insertion of 0.06% Δk/k/s for 10 seconds. This scenario represents the insertion of reactivity due to control blade withdrawal at the maximum rate allowed by the UFTR Technical Specifications. This accident is assumed to be terminated by reactor SCRAM.

A rapid insertion of 0.6% Δk/k reactivity with scram (fresh fuel)
Power: 100 kW in every case
Steady State Condition            43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F   43 gpm, Tin=86 °F
Blade Drop Time (s)               1.0                 1.0                 1.0                  1.5
Time to Peak Power (s)            0.14                0.14                0.14                 0.14
Peak Power (kW)                   316                 316                 316                  318
T fuel (max) at Peak Power (°C)   51.9                54.4                66.7                 51.9
T fuel (max) (°C)                 52.2                54.8                67.0                 52.5
T clad (max) (°C)                 52.2                54.7                67.0                 52.5
T cool (max) (°C)                 44.6                47.6                59.9                 44.6

A rapid insertion of 0.6% Δk/k reactivity with scram (depleted fuel)
Power: 100 kW in every case
Steady State Condition            43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F   43 gpm, Tin=86 °F
Blade Drop Time (s)               1                   1                   1                    1.5
Time to Peak Power (s)            0.14                0.14                0.14                 0.15
Peak Power (kW)                   322                 322                 322                  328
T fuel (max) at Peak Power (°C)   52                  54.8                67                   52.1
T fuel (max) (°C)                 52.6                55.3                67.5                 52.6
T clad (max) (°C)                 52.6                55.3                67.5                 52.5
T cool (max) (°C)                 44.5                47.5                59.8                 44.5

A rapid insertion of 0.6% Δk/k reactivity without scram (fresh fuel)
Power: 100 kW in every case
Steady State Condition            43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F
Time to Peak Power (s)            2.48                2.44                2.30
Peak Power (kW)                   1199                1186                1112
T fuel (max) at Peak Power (°C)   95                  95                  100
T fuel (max) (°C)                 107                 108                 109
T clad (max) (°C)                 107                 108                 109
T cool (max) (°C)                 101                 101                 102
After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A rapid insertion of 0.6% Δk/k reactivity without scram (depleted fuel)
Power: 100 kW in every case
Steady State Condition            43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F
Time to Peak Power (s)            2.36                2.32                2.19
Peak Power (kW)                   1337                1321                1235
T fuel (max) at Peak Power (°C)   96                  96                  101
T fuel (max) (°C)                 108                 109                 110
T clad (max) (°C)                 108                 109                 110
T cool (max) (°C)                 101                 101                 102
After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A slow insertion of 0.06% Δk/k/s reactivity with scram (fresh fuel)
Power: 100 kW in every case
Steady State Condition            43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F   43 gpm, Tin=86 °F
Blade Drop Time (s)               1.0                 1.0                 1.0                  1.5
Time to Peak Power (s)            2.22                2.22                2.22                 2.22
Peak Power (kW)                   127                 127                 127                  127
T fuel (max) at Peak Power (°C)   52.1                54.6                66.8                 52.1
T fuel (max) (°C)                 52.1                54.6                66.8                 52.1
T clad (max) (°C)                 52.0                54.6                66.8                 52.0
T cool (max) (°C)                 44.6                47.6                60.0                 44.6

A slow insertion of 0.06% Δk/k/s reactivity with scram (depleted fuel)
Power: 100 kW in every case
Steady State Condition            43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F   43 gpm, Tin=86 °F
Blade Drop Time (s)               1                   1                   1                    1.5
Time to Peak Power (s)            0.14                0.14                0.14                 0.15
Peak Power (kW)                   322                 322                 322                  328
T fuel (max) at Peak Power (°C)   52                  54.8                67                   52.1
T fuel (max) (°C)                 52.6                55.3                67.5                 52.6
T clad (max) (°C)                 52.6                55.3                67.5                 52.5
T cool (max) (°C)                 44.5                47.5                59.8                 44.5

Other Accidents
- LOCA during full power operation. The increase in fuel temperature following a LOCA results in shutdown of the reactor, either by the negative void coefficient of reactivity, or by the insertion of control blades into the reactor. In both cases, the fuel temperature will increase by less than 17 °C (30 °F).
- Sudden insertion of the maximum excess reactivity of 1.4% Δk/k results in an energy release of <6.1 MW and a cladding temperature of <300 °C.
- Maximum Hypothetical Accident (MHA): Fuel Handling Accident (FHA). It is postulated that because of severe mechanical damage, the aluminum cladding is stripped from one fuel plate; it is assumed that 2.7% of the total volatile activity instantaneously escapes from the fuel plate into the reactor cell. Estimated occupational and public doses are smaller by several orders of magnitude relative to exposure limits.

Current UFTR Analog I&C and Operations

Current UFTR Analog Protection & Control System (figure labels: ARM, WLM, FRM, TC, Electrical Monitoring, One Safety Train, Indicators, Shutdown (RTS, manual))

Shutdown Mechanisms
- Automatic
  - Blade Drop (BD) - clutch current control
  - Dump valve (DV) - solenoid current control
- Manual
  - Indicators (sirens, monitors & displays) followed by operators' manual actions: BD and/or DV
- Passive
  - NEGATIVE coolant void and temperature coefficient of reactivity

Unique Features
Facts:
- Low power (the peak power per bundle = 5 kW)
- Low fuel temperature (~50 °C)
- Negative coefficients of reactivity. Example: even for an unprotected insertion of 0.6% Δk/k, the peak fuel temperature is ~108 °C (fuel melting point is 582 °C)

- Under regular conditions, the reactor can be shut down by dumping the coolant
Results:
- No need for an Engineered Safety Features Actuation System (ESFAS)
- One-train protection and control system
- No protection for single failure is needed

Introduction of the UF Team, their functions, and support teams from AREVA & Siemens

UFTR Digital Control System Upgrade Project - Organization
- Project Manager: Prof. Alireza Haghighat
- Project Coordinator: Dr. Gabriel Ghita, RS
- Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS; Prof. A. Haghighat; Matt Marzano, GR; Jennifer Musgrave, UG
- Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM; Prof. Mark Harrison; Matt Berglund, SRO; Andrew Holcomb, UG
- Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS; Prof. James Baciak; Daniel Lago, UG; Steven Brown, UG
- Auditor: Dr. William Van Dyke; CCB: Prof. A. Haghighat, Dr. G. Ghita, RS, Prof. Glenn Sjoden, Prof. James Baciak, Brian Shea, RM
- Lead: Prof. Edward Dugan; Prof. Mark Harrison; Prof. DuWayne Schubring; George Fekete, UG
Team boxes on the chart: QA Management, IV&V, Hardware & Installation, Software Development, System Design & Analysis.
Abbreviations: CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student.

Project Organization AREVA + UFTR
- AREVA Corporate Sponsor: Mehdi Tadjalli
- AREVA PM: Eric Wallace
- AREVA PE: Sean Kelley
- AREVA Project Team: Installation Support TBD; HW Lead Engineer Ryan Nash; SW Lead Engineer Jason Reed; Training Mike Fillian; Licensing Support Mark Burzynski; QA Manager Mark Milo
- Siemens PM: Oldrich Klokocka
- GmbH PM: Herbert Nussbaumer
- UFTR PM: Dr. Alireza Haghighat (UFTR Organization)

Proposed TXS Protection System

The TXS system block consists of hardware and software that provide for the protection, control, indication, and monitoring.

The currently licensed UFTR protection and control system utilizes one train, which contains two sets of nuclear instrumentation that have to be operational simultaneously for complete coverage of reactor power.

Similar to the current UFTR protection and control system, we propose a one-train system which includes signal diversity; it is capable of identifying invalid signals and their diverse signals.

It is worth noting that we are also considering a two-train design (i.e., with two levels of redundancy) for training, education and research purposes.

The figure below depicts the TXS system (with two trains), which is comprised of the following components:
- Acquisition and Processing (AQP)
- Voter - Voting and Actuation (VT) (needed for the two-train design)
- Main Control Room (MCR)
- Monitoring and Service Interface (MSI)

Proposed TXS Protection System (figure legend)
- AQP: Acquisition and Processing
- VT: Voter
- MSI: Monitoring and Service Interface
- QDS: Qualified Display System
- SU: Service Unit
- GW: Gateway
- RTS: Reactor Trip System
- T-3000 control system

Safety System Design Basis

Here, we discuss the changes to be considered for the UFTR Design Basis due to the digital protection system upgrade. To facilitate this discussion, we will utilize the IEEE-603 Design Basis clauses.

IEEE-603 design basis clauses and the comment (no change / change / N/A) for the UFTR upgrade:
- 4-1 (no change): The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event.
- 4-2 (no change): The safety functions and corresponding protective actions of the execute features for each design basis event.
- 4-3 (N/A): The permissive conditions for each operating bypass capability that is to be provided.
- 4-4 (change): The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.
- 4-5 (no change): The protective actions identified in clause 4-2 that may be controlled by manual means initially or subsequently to initiation.
- 4-6 (change): For those variables in clause 4-4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.
- 4-7 (change): The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform.
- 4-8 (N/A): The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).
- 4-9 (N/A): The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.
- 4-10 (change): The critical points in time or the plant conditions, after the onset of a design basis event.
- 4-11 (no change): The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.
- 4-12 (change): Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria).

Clause 4.1 of IEEE Std. 603

"The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event" (IEEE-603)

The proposed protection system has two modes of operation, automatic and manual. Below, for each Design Basis Event, the mode of system operation is provided:
- Loss-of-Coolant Accident (LOCA) during full power operation (automatic)
- Slow Insertion of 0.06% Δk/k/s for 10 seconds (automatic)
- Sudden Insertion of the Maximum Allowed Excess Reactivity of 1.4% Δk/k (automatic)
- Sudden Insertion of the Maximum Allowed Reactivity of 0.6% Δk/k (automatic)
- Control Blade System Malfunction (manual)
- Loss of Power (manual)

Clause 4.2 of IEEE Std. 603

List of Design Basis Events (Accidents)

Loss-of-Coolant Accident (LOCA)
LOCA will cause the loss of the valid flow rate meter (FRM) signal in the primary coolant loop, which will cause automatic initiation of BDT via TXS. Loss of coolant in the core due to the LOCA will also contribute to the safe shutdown of the UFTR as a result of the negative void coefficient of reactivity.

Reactivity insertion events
- Slow insertion of 0.06% Δk/k/s without scram
- Sudden Insertion of the Maximum Allowed Excess Reactivity (1.4% Δk/k)
- Sudden Insertion of the Maximum Allowed Reactivity (0.6% Δk/k)
The above reactivity events shall cause automatic initiation of FT via TXS when any NI signal becomes invalid due to high reactor power.

Control Blade System Malfunction
This anticipated operational occurrence shall be mitigated by opening the Dump Valve, initiated by the MRS.

Loss of Power
Loss of Power directly causes BDT, thus no execute feature must be initiated during this event.

Clause 4.3 of IEEE Std. 603

"The permissive conditions for each operating bypass capability that is to be provided" (IEEE 603)

There is no need for an operating bypass for UFTR, thus there are no permissive conditions for this type of bypass.

Clause 4.4 of IEEE Std. 603

"The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured" (IEEE 603)

The existing analog protection system has four levels of protection for the design basis events:
- pre-operation check,
- monitoring,
- interlocks, and
- trip system.

For the new digital protection system, besides the aforementioned levels, we are considering signal diversity in order to protect the system against Common Cause Failure.

Table 1 - List of components checked prior to reactor startup
1 Core Vent
2 Diluting Fan System
3 Blade Gear Box
4 Manometers and Magnetic Gage
5 Portal Monitor
6 Core Vent and Diluting Fan Systems
7 Shield Water
8 Demineralizer Pump
9 Magnet Power Key
10 Exterior lights
11 Neutron recorder
12 Primary Coolant Pump
13 Source Alarm
14 Primary Coolant Resistivity Determinations
15 Blade Withdrawal Time Measurement
16 Primary Coolant
17 Magnet Power Key
18 Log/linear recorder
19 Equipment Pit Checkout and Gamma Radiation Levels
20 Water Sample Analysis
21 Air Particulate Detectors
22 Radiation Monitor Console
23 Secondary Water and Strainer
24 Security System Monitors
25 Complete Records

Clause 4.4 of IEEE Std. 603 (cont'd)

Table 2 - Description of monitoring parameters during operations
1 Main AC power line
2 Primary and secondary coolant pump power
3 Console power
4 Core ventilation fan power
5 Stack dilution fan
6 Area radiation monitor
7 Stack/vent monitor
8 Air particulate

Table 3 - Description of interlocks
1 Inhibits attempt of simultaneous withdrawal of 2 or more safety blades (mode 2*)
2 Inhibits attempt of withdrawal of regulating blade with a period (T) < 30 s (mode 2)
3 Inhibits withdrawal of blades if the source count rate is < 2 cps (mode 1**)
4 Inhibits withdrawal of blades if period (T) < 10 s (mode 1)
5 Inhibits reactor operation if safety channels 1 & 2 are not operable (mode 1)
*Mode 2: Automatic control; **Mode 1: Manual Protection and Control

Clause 4.4 of IEEE Std. 603 (cont'd)

d)d)ConditionType of TripAutomatic Period 3 sec Power 119 kW Loss of chamber high voltage (90%) Loss of electrical power to control console Primary cooling system o Loss of pump power o Low-water level in core ( 42.5")o No outlet flow o Low inlet water flow 41 gpm Secondary cooling system (at power levels > 1 kW) o Loss of flow (well water 60 gpm,)o Loss of pump power High primary coolant inlet temperature 99° F High primary coolant outlet temperature ( 155° F) Shield tank -

Low water level (6" below established normal level) Ventilation system o Loss of power to dilution fan o Loss of power to core vent system FT*FT FT FT BDT**BDT BDT BDT BDT BDTManual Manual scram bar Console key-switch OFF (two blades off bottom)

BDT FT Table 4 List of conditions for trip*FT: Full Trip (including Dump Valve Trip and BDT)** BDT: Blade drop Trip Clauses Clause 4.4 of IEEE Std. 603(cont Clause 4.4 of IEEE Std. 603(cont

d)d)45 45Reactor FeaturePrimary Mode of Detection AI c DI d Segment of UFTR High Power Level

  • FC a , IC b 2-CoreReactor Period, Low Power Level
  • BF3, IC 2-CoreTemperature
  • Resistive TD 10-core, primary, secondary Flow Rate Flow Rate Monitor (FRM) 2 2primary, secondaryWater LevelWater Level Monitor* (WLM) 2 1 Core, storage tank
  • , shield tankArea Radiation LevelArea Radiation Monitor (ARM) 4 4 east, north, south, west
  • Fan AvailabilityFan Monitor (FM) 1 2Core ventilation, stack dilution, stack dilution RPM Table 5. List of signals for each train of the proposed UFTR TXS Table 5. List of signals for each train of the proposed UFTR TXS system system aFission Chamber; bIon Chamber; cAI, Analog Input; d DI, Digital Input*Indicates a new monitoring device and/or location that shall be added in the proposed system Sensor/Monitor Core Primary SecondaryReactor Cell Confinement FC+BF3-IC-RTD---FRM---WLM--ARM--FM--Table 6. Signal diversity within each train Clauses Clause 4.5 of IEEE Std. 603 Clause 4.5 of IEEE Std. 603 46 46 Manual reactor scram (MRS) is available in the event that TXS fails to initiate RTS. Depression of the MRS button causes the control blade drive (clutch current control) to shut off, which allows the blades to drop into the core due to gravity.

The MRS button also provides a hardware and software interrupt to the TXS system. This event is referred to as a blade-drop trip (BDT).

If the control blades do not function properly and the core overheats, the negative void and temperature coefficients will cause the core to go subcritical and shut down even without insertion of the control blades. Therefore, instrumentation is not an absolute necessity for shutting the UFTR down, because of its inherent safety features.

"The protective actions identified in Clause 4.2 that may be controlled by manual means initially or subsequently to initiation" (IEEE 603)

Clause 4.5.1 of IEEE Std. 603

"The points in time and the plant conditions during which manual control is allowed" (IEEE 603)

Protective action may be initiated by manual means at any time during reactor operation.

Clause 4.5 of IEEE Std. 603 (cont'd)

Clause 4.5.2 of IEEE Std. 603

"The justification for permitting initiation or control subsequent to initiation solely by manual means" (IEEE 603)

Justification for permitting initiation by manual means lies in the fact that no action or inaction of the operator during a design basis event can result in the uncontrolled release of radioactivity.

Clause 4.5.3 of IEEE Std. 603

"The range of environmental conditions imposed upon the operator during normal, abnormal, and accident conditions throughout which the manual operations shall be performed" (IEEE 603)

Environmental conditions imposed upon the operator during normal, abnormal, and accident conditions are not of concern, since the worst-case accident scenario does not result in the release of radioactivity. It is also important to note that the new main control room (MCR) will be isolated from the reactor cell.

Clause 4.5.4 of IEEE Std. 603

"The variables in clause 4.4 that shall be displayed for the operator to use in taking manual action" (IEEE 603)

All variables listed in Table 1 shall be displayed for the operator on the Qualified Display System (QDS) of the TXS protection system and the display of the T3000 control system. The new system has an added qualified display, i.e., QDS.

Clause 4.6 of IEEE Std. 603

"For those variables in item d) that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes" (IEEE 603)

The number and locations of sensors required for protective purposes are provided in Table 1. Loss of all valid signals from any one of the five segments of the UFTR listed in Table 3 shall result in the safe shutdown of the UFTR via BDT.

Clause 4.7 of IEEE Std. 603

"The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform" (IEEE 603)

The existing UFTR control room is located within the reactor cell and shares the reactor cell's energy supply and environmental control.

The new TXS system components are located in the MCR, which is isolated from the reactor cell. The MCR receives power and air-conditioning that are independent of the reactor cell. Electromagnetic interference is mitigated by the shielding effect of the metallic front plates of each TXS cabinet (front-plate shielding addresses radiated interference; conducted interference on power and signal lines is a separate concern not covered by this statement). Thus, conditions within the MCR are not subject to change due to UFTR transient or steady-state conditions.

Clause 4.8 of IEEE Std. 603

"The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems)" (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern, since the loss of the protection system does not affect the integrity of the fuel, and therefore there is no uncontrolled release of radiation.

Clause 4.9 of IEEE Std. 603

"The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design" (IEEE 603)

Reliability analysis is not required for safety assessments because of the inherent safety features of the UFTR. (A reliability analysis, UFTR-QA1-106, is nevertheless among the project documents listed below.)

Clause 4.10 of IEEE Std. 603

"The critical points in time or the plant conditions, after the onset of a design basis event" (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern, since the loss of the protection system does not result in the uncontrolled release of radiation.

Clause 4.10.1 of IEEE Std. 603

"The point in time or plant conditions for which the protective actions of the safety system shall be initiated" (IEEE 603)

Tables 5 and 6 show the conditions for interlocks and for automatic and manual initiation of the reactor trips, respectively.

Clause 4.10.2 of IEEE Std. 603

"The point in time or plant conditions that define the proper completion of the safety function" (IEEE 603)

Protective action is complete when either BDT or FT has been initiated. It is important to note that physical failure of the RTS does not cause an uncontrolled release of radiation. Indication of initiation shall be provided in the main control room (MCR).

Clause 4.10 of IEEE Std. 603 (cont'd)

Clause 4.10.3 of IEEE Std. 603

"The point in time or the plant conditions that require automatic control of protective actions" (IEEE 603)

No automatic control is required following the RTS initiation.

Clause 4.10.4 of IEEE Std. 603

"The point in time or the plant conditions that allow returning a safety system to normal" (IEEE 603)

Plant conditions return to normal once enough valid signals are available to continue operation of the UFTR. A signal is considered valid when its value is within the LSSS range; the signals and their ranges are given under Clause 4.4.
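The trip logic described on this page (the Table 4 setpoints, the Clause 4.6 rule that loss of all valid signals from a segment forces a BDT, and the Clause 4.10.4 notion of a valid signal) can be exercised with a small model. The following is an added example, not code from the UFTR project, AREVA or the TXS platform. The comparison direction of each setpoint (period shorter than 3 s trips, power above 119 kW trips, and so on), the grouping of signals into segments, the signal names and all sample readings are assumptions constructed for illustration; FT takes precedence over BDT because a full trip already includes the blade drop.

```python
"""Added example: model of the Table 4 trip conditions plus the Clause 4.6
segment rule.  Not UFTR/AREVA/TXS code; setpoint directions, segment
grouping, signal names and sample readings are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

FT, BDT = "FT", "BDT"  # Full Trip (dump valve + blade drop) / Blade Drop Trip

# Assumed assignment of each signal to one of the five UFTR segments.
# Power-availability signals are 1.0 (present) or 0.0 (lost); a reading of
# None means the signal itself is invalid (sensor lost or out of range).
SEGMENT: Dict[str, str] = {
    "period_s": "core", "power_kw": "core", "chamber_hv_pct": "core",
    "console_power": "core",
    "core_level_in": "primary", "primary_pump_power": "primary",
    "outlet_flow_gpm": "primary", "inlet_flow_gpm": "primary",
    "inlet_temp_f": "primary", "outlet_temp_f": "primary",
    "secondary_flow_gpm": "secondary", "secondary_pump_power": "secondary",
    "shield_tank_level_in": "reactor_cell",   # offset from normal level
    "dilution_fan_power": "confinement", "core_vent_power": "confinement",
}
Reading = Optional[float]
Condition = Tuple[str, str, str, Callable[[float], bool]]


def trip_table(power_kw: Reading) -> List[Condition]:
    """Table 4 as (name, trip kind, signal, unsafe-predicate).  Secondary
    cooling trips apply only above 1 kW; an invalid power reading keeps
    them armed, which is the conservative choice."""
    table: List[Condition] = [
        ("period < 3 s", FT, "period_s", lambda v: v < 3.0),
        ("power > 119 kW", FT, "power_kw", lambda v: v > 119.0),
        ("chamber high voltage < 90%", FT, "chamber_hv_pct", lambda v: v < 90.0),
        ("loss of console power", FT, "console_power", lambda v: v == 0.0),
        ("loss of primary pump power", BDT, "primary_pump_power", lambda v: v == 0.0),
        ("core water level < 42.5 in", BDT, "core_level_in", lambda v: v < 42.5),
        ("no outlet flow", BDT, "outlet_flow_gpm", lambda v: v <= 0.0),
        ("inlet flow < 41 gpm", BDT, "inlet_flow_gpm", lambda v: v < 41.0),
        ("inlet temperature > 99 F", BDT, "inlet_temp_f", lambda v: v > 99.0),
        ("outlet temperature > 155 F", BDT, "outlet_temp_f", lambda v: v > 155.0),
        ("shield tank 6 in below normal", BDT, "shield_tank_level_in", lambda v: v <= -6.0),
        ("loss of dilution fan power", BDT, "dilution_fan_power", lambda v: v == 0.0),
        ("loss of core vent power", BDT, "core_vent_power", lambda v: v == 0.0),
    ]
    if power_kw is None or power_kw > 1.0:
        table += [
            ("secondary flow < 60 gpm", BDT, "secondary_flow_gpm", lambda v: v < 60.0),
            ("loss of secondary pump power", BDT, "secondary_pump_power", lambda v: v == 0.0),
        ]
    return table


def evaluate(readings: Dict[str, Reading], manual_scram: bool = False,
             key_switch_off: bool = False) -> Tuple[Optional[str], List[str]]:
    """Return (trip kind or None, list of reasons).  FT outranks BDT."""
    kinds, reasons = set(), []
    if manual_scram:                       # manual scram bar -> BDT
        kinds.add(BDT); reasons.append("manual scram bar (MRS)")
    if key_switch_off:                     # console key-switch OFF -> FT
        kinds.add(FT); reasons.append("console key-switch OFF")
    # Clause 4.6: every signal of a segment lost -> safe shutdown via BDT.
    valid_per_segment: Dict[str, int] = {seg: 0 for seg in SEGMENT.values()}
    for sig, seg in SEGMENT.items():
        if readings.get(sig) is not None:
            valid_per_segment[seg] += 1
    for seg, n in valid_per_segment.items():
        if n == 0:
            kinds.add(BDT); reasons.append(f"all signals lost in segment '{seg}'")
    # Table 4: an invalid (None) reading cannot satisfy a setpoint; it is
    # covered by the segment rule above rather than silently ignored.
    for name, kind, sig, unsafe in trip_table(readings.get("power_kw")):
        v = readings.get(sig)
        if v is not None and unsafe(v):
            kinds.add(kind); reasons.append(name)
    trip = FT if FT in kinds else BDT if BDT in kinds else None
    return trip, reasons


def lose_segment(readings: Dict[str, Reading], seg: str) -> Dict[str, Reading]:
    """Copy of readings with every signal of one segment marked invalid."""
    return {k: (None if SEGMENT[k] == seg else v) for k, v in readings.items()}


# Constructed sample: steady operation at 100 kW, nothing near a setpoint.
NORMAL: Dict[str, Reading] = {
    "period_s": 1000.0, "power_kw": 100.0, "chamber_hv_pct": 100.0,
    "console_power": 1.0, "core_level_in": 48.0, "primary_pump_power": 1.0,
    "outlet_flow_gpm": 45.0, "inlet_flow_gpm": 45.0, "inlet_temp_f": 85.0,
    "outlet_temp_f": 120.0, "secondary_flow_gpm": 80.0,
    "secondary_pump_power": 1.0, "shield_tank_level_in": 0.0,
    "dilution_fan_power": 1.0, "core_vent_power": 1.0,
}

if __name__ == "__main__":
    cases = [("normal", NORMAL), ("hot inlet", {**NORMAL, "inlet_temp_f": 101.0}),
             ("short period", {**NORMAL, "period_s": 2.5}),
             ("primary segment lost", lose_segment(NORMAL, "primary")),
             ("0.5 kW, no secondary flow", {**NORMAL, "power_kw": 0.5, "secondary_flow_gpm": 0.0})]
    for label, r in cases:
        print(f"{label:28s} -> {evaluate(r)}")
```

The point of the `None` handling is the one a reviewer would check first: a lost sensor never satisfies a setpoint comparison, so a model that simply skipped invalid readings would keep the reactor running on a segment with no instrumentation at all. The segment rule is what turns "no valid signal" into a trip, which is the behaviour Clause 4.6 asks for.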

Clause 4.11 of IEEE Std. 603

"The equipment protective provisions that prevent the safety systems from accomplishing their safety functions" (IEEE 603)

No safety function shall be disabled as an equipment protective provision.

Clause 4.12 of IEEE Std. 603

"Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria)" (IEEE 603)

Because the proposed system contains digital instrumentation and controls, diversity and defense-in-depth (D3) among system components is analyzed, and the issue of software common-cause failure (SWCCF) amongst digital equipment is addressed.

The proposed monitoring train offers signal diversity, and the protection system includes system diversity.

D3 Analysis

Echelons of Defense

Because of the aforementioned unique features of the UFTR, the four echelons of defense of NUREG/CR-6303 reduce to three, as follows:

- Control System
- Reactor Trip System (RTS)
- Monitoring and Indicator System (MIS)

Echelons of defense provide multiple barriers to radiation release for a reactor.

Design of the Protection System

The proposed system is divided into several blocks. It shall be credibly assumed that internal failure within these blocks will be contained.

TXS: Teleperm X-window Safety; T-3000: control system; MRS: Manual Reactor Scram.

System block functions

System blocks address different combinations of the three echelons of defense. The original matrix maps each block (MRS, TXS, T-3000) to the echelons it serves (Control System, RTS, MIS); its cell marks did not survive extraction.

Interactions between blocks

All the signals within a train are input to both the TXS and T-3000 systems. This is important because, in case of a failure of the TXS system that is not known to the operator, the operator can identify the situation through the T-3000 displays and initiate the MRS.

TXS maintains a unidirectional communication with T-3000 through its Gateway (GW). The direction matters: data flows from the protection system to the monitoring and control system only, so nothing originating on the non-safety T-3000 side can reach the TXS protection logic over this path.

Diversity among system blocks

TXS vs. T-3000: these systems, which are computer-based, have different hardware and software, resulting in monitoring diversity.

Manual Reactor Scram (MRS): this block has an inherent diversity from the TXS.

Diversity and Echelons of Defense

Failure of MRS block: no impact on echelons of defense. TXS will initiate RTS; T-3000 and TXS will remain functioning as an MIS.

Failure of TXS block: no impact on echelons of defense. The MIS echelon will only contain the indication of the failed TXS system (via T-3000), and therefore MRS will initiate the RTS echelon.

Failure of T-3000 block: no impact on echelons of defense. RTS is initiated via MRS.

Effect of Common-Cause Failure

Since the CCF is confined within a block, there is no impact on the echelons of defense.

Software errors and CCF are possible within the TXS block, but because of system diversity these errors are not possible within the MRS block.

CCF amongst sensing equipment is possible across different sensors within the same train. The TXS processor has the necessary logic to identify the problem and initiate RTS.

CCF of different types (failure types as defined in NUREG/CR-6303)

Type 1: This will not result in the loss of protection, due to the signal diversity between sensing equipment.

Type 2: Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.

Type 3: Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.

Software CCF: The existence of the MRS, and the diversities between the TXS and T-3000 blocks, are adequate for preventing a SWCCF across the protection system. In addition, loss of all protective functions does not cause any fuel failure, and therefore there is no possibility of uncontrolled release of radioactivity.

Concluding Remarks on D3

The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure.

Vulnerability to CCF is adequately addressed by the proposed strategy, primarily because of the design diversity that exists between the analog and digital means for initiating RTS.

The TXS system will also have improved reliability due to extensive signal diversity and possible redundancy of inputs.

As a final note, the analysis found that no failure of equipment or operator action/inaction can result in fuel failure and therefore in uncontrolled release of radioactivity.

Planning and related documentation

The UFTR is using a previously approved (under NRC evaluation) digital system, with appropriate modifications due to the particular characteristics of the research reactor. According to ISG-6, the UFTR falls under the Tier 2 application approach.

List of UFTR Documents

Ref: QA1-QAPP Attachment #4, List of UFTR Documents

1. UFTR-QAP: UFTR QA Program
2. UFTR-QAP-01-P: Conduct of Quality Assurance
3. UFTR-QA1-QAPP: Quality Assurance Project Plan (QAPP)
4. UFTR-QA1-01: Software Quality Assurance Plan (SQAP)
5. UFTR-QA1-02: Software Configuration Management Plan (SCMP)
6. UFTR-QA1-03: Software Verification and Validation Plan (SVVP)
8. UFTR-QA1-05: Software Safety Plan (SSP)
9. UFTR-QA1-06.1: Software Test Plan - SIVAT Plan
10. UFTR-QA1-06.2: Factory Acceptance Test (FAT) Plan
11. UFTR-QA1-14: Safety System Design Basis
12. UFTR-QA1-100: Functional Requirements Specification (FRS)
13. UFTR-QA1-101.1: List of I/Os
14. UFTR-QA1-102.3: ID Coding
15. UFTR-QA1-103: Diversity and Defense-in-Depth (D3) Analysis
16. UFTR-QA1-104: Failure Modes Effect Analysis (FMEA)
17. UFTR-QA1-105: TELEPERM XS Cyber Security
18. UFTR-QA1-106: Reliability Analysis
19. UFTR-QA1-107: Safety Analysis
20. UFTR-QA1-108: Requirement Traceability Matrix

(Item 7 is absent from the extracted list. The original legend distinguishes documents reviewed by AREVA from draft documents not reviewed; that marking did not survive extraction.)

Quality Assurance Program

Ref: UFTR-QAP, Quality Assurance Program for UFTR

Foreword to ANS Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

"It must be noted that research reactors have two characteristics which affect the type of quality assurance program that should be applied to them, when compared to power reactors:

i) Reliability of most of the components of a research reactor does not affect the health and safety of the public since failure of the component generally shuts the system down and little else occurs.

ii) A typical research reactor operates on a limited budget with its continued existence dependent upon maintaining a low-cost, reliable operation.

Because of these inherent characteristics, the quality assurance program for research reactors is applied primarily to safety-related and important items and should be graded appropriately to be economically feasible."

Quality Assurance Program

Ref: UFTR-QAP, Quality Assurance Program for UFTR

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization

"It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions."

"(a) quality is achieved and maintained by those who have been assigned responsibility for performing the work; (b) quality achievement is verified by persons not directly performing the work"

2.3.3 Design verification

"Design verification shall be performed by competent individuals or groups other than those who performed the design, but who may be from the same organization."

Verification and Validation (V&V)

Ref: UFTR-QA1-03, Software Verification and Validation Plan

UFTR Digital Control System Upgrade Project - Organization

Project Manager: Prof. Alireza Haghighat. Project Coordinator: Dr. Gabriel Ghita, RS.

The project functions are QA, Management, IV&V, Hardware & Installation, Software Development, and System Design & Analysis. The organization chart lists the following teams (the assignment of each team to a function did not survive extraction):

- Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS; Prof. A. Haghighat; Matt Marzano, GR; Jennifer Musgrave, UG
- Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM; Prof. Mark Harrison; Matt Berglund, SRO; Andrew Holcomb, UG
- Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS; Prof. James Baciak; Daniel Lago, UG; Steven Brown, UG
- Auditor: Dr. William Van Dyke
- CCB: Prof. A. Haghighat; Dr. G. Ghita, RS; Prof. Glenn Sjoden; Prof. James Baciak; Brian Shea, RM
- Lead: Prof. Edward Dugan; Prof. Mark Harrison; Prof. DuWayne Schubring; George Fekete, UG

CCB = Configuration Control Board, IV&V = Independent Verification & Validation, GR = Graduate Student, MS = Master in Science, QA = Quality Assurance, RS = Research Scientist, RM = Reactor Manager, SRO = Senior Reactor Operator, UG = Undergraduate Student.

1. Independence of the V&V organization (management, schedule, and finance)

Based on our organization size and limited resources, we have selected the third (i.e., Internal IV&V) form of independence as described in IEEE 1012-1998. In this form of independence, the development and IV&V personnel are from the same organization.

In our project, the IV&V personnel are not involved in the development, they have managerial independence, and the major portion of their budget is independent of the developer's budget.

2. The number of the V&V personnel

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005), 2.1 Organization:

"It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions."

3. The results of the V&V effort are to be fully and carefully documented, and each discrepancy is to be documented in a report that includes how it was resolved, tested, and accepted by the V&V organization.

4. Software Integrity Level (SIL)

The unique safety features of the UFTR allow the use of V&V software integrity level 1 as described in IEEE 1012-1998. The following table provides the required tasks for the different SI levels. (The table did not survive extraction.)
TXS Equipment changes

The new generation of the TXS equipment is very similar to the previous generation:

- The SVE2 processor has not changed.
- Analog and digital I/O modules have the same functionality and will be used in compatibility mode.
- Communication lines have improved and have larger data throughput.
- QDS, SU, and GW are the same as in the previous generation.

Discussion on the two-train option

The proposed UFTR protection and control system includes three main components:

- TXS digital protection system
- T-3000 digital system for monitoring and indication, and control
- Manual Reactor Scram (MRS) system, which is invoked by the operator for initiating the RTS

Similar to the current UFTR license, we intend to apply for a one-train safety system. This train, however, includes various signals (from NIs and sensors) which provide an added benefit of signal diversity. (The old system includes only NIs with no diversity.)

We are exploring the possibility of adding a redundant train for the purpose of testing and training of hardware and software.

Proposed Schedule

Date | Task | Phase
Sept 2008 - Oct 2009 | Preparation of QA and planning documentation; preliminary design and analysis; training of personnel on TXS and T-3000 systems; design, analysis and manufacturing of a new piping system | 0
Oct 16, 2009 | Presentation of the preliminary design and analysis and related documentation to the NRC | 0
Oct 16 - Dec 2009 | NRC decision on the proposed design and planning; installation of the new piping system, testing and analysis of the system; initiate installation of new Nuclear Instrumentation (NIs) and sensors | 0
January 2010 | Submittal of preliminary documentation to the NRC | 1
Jan - March 2010 | Review and preparation of Request for Additional Information (RAI) by the NRC; installation and testing of NIs and sensors | 1
March - June 2010 | Resolution of the NRC RAIs; installation, testing and benchmarking of NIs and sensors | 1
July 2010 | Completion and submittal of documentation for the detailed design | 2
July - Sept 2010 | Review and preparation of RAIs by the NRC; initiate preparation of training documentation | 2
Sept - Dec 2010 | Resolution of the NRC RAIs; initiate manufacturing | 2
Jan - March 2011 | Manufacturing | 3
March - April 2011 | Factory testing | 3
April - May 2011 | Installation | 3
May - June 2011 | Integration testing and preparation of final documentation on FAT, post-installation, operations and training | 3

(Phase boundaries are reconstructed from the merged phase cells of the original table.)