Text

PURDUE U N I V E R $,I T Y SCHOOL OF NUCLEAR ENGINEERING Cindy Montgomery U.S.NRC One White Flint North

• 11555 Rockville Pike Rockville, MD 20852 February 27, 2017

SUBJECT:

Submission of License Amendment Request, PUR-1, Docket 50-182

Dear Ms. Montgomery,

This letter and associated supporting documents are a request to amend the PUR-1 license, Docket 50-182, to allow for digital control and instrumentation as well as to make minor changes in the relevant Technical Specifications. The license amendment request is to be docketed with the date ofthis letter, February 27, 2017.

Purdue University, through funding in the NEUP program, has purchased a replacement instrumentation and control system for die Purdue University Reactor Number One. The new l&C extends from the Neutron Flux Monitoring detectors (Fission chamber, compensated ionization chamber, and two uncompensated ionization chambers), die associated cabling, die safety channels, equipment racks and the control console. Legacy design issues from the original Instrumentation and Control system of die PUR-1 have caused persistent noise spikes in Channel # 1. This along widi aging electronics (e.g. vacuum tube technology) has driven the Purdue Staff to replace the l&C.

The proposed new system improves facility operational up time and ensures public health and safety.

In e~ch step of the design process; the PUR-1 Instrumentation and Controls have been designed to fail safe and provide multiple levels of flux monitoring for protection at high power. The PUR-1 l&C includes three high-level trip points as well as a trip on high change rate. These constitute a defense-in-depth design strategy and protect a'gainst single point failure. Additionally, die new Programmable

• Logic Controller continually monitors the functionality of each of the four safety-related channels for proper functionality. The control console has been designed to give die operator the ability to monitor the power level and change rate of the reactor at both high and low level in a clear and concise manner. The operator is able to view current and trending facility parameters on an adjacent display, furthering the ability to make correct and timely decisions during operation.

The replacement l&C has undergone rigorous testing and has a proven history of safe operation in industrial nuclear settings. The Reactor Protection System safety-channel . equipment is manufactured by Mir.ion TedmolOgies. This equipment has been used for over 20 years in safety-School of Nuclear Engineering p[) t 0 rJ~{(_

Nuclear Engineering Building* 400 Central Drive* West Lafayette, IN 47907-2017 (765) 494-5739

• Fax: (765) 494-9570

• https://engineering.purdue.edu/NE

significant applications. The Reactor Control System's principle component is an RTP 3000 Programmable Logic Controller, which has also been used in safety applications for many years.

Together, with thorough testing and careful design, these two systems provide a very high degree of -

safety and reliability for the PUR-1. The integrated system has been tested through an exte1isive Factory Acceptance Testing and Site Acceptance Testing procedures, including in-pool, side-by-side testing with the original PUR-1 I&C. These procedures and their results may be provided at the NRC's request The License Amendment Request, herein submitted, includes three principal documents. The first of these is a replacement to Chapter 7 of the Safety Analysis Report as submitted July 7, 2008 and supplemented by letters following as listed in the Purdue University Renewed Facility Operating License No. R-87, Docket No. 50-182. This replacement Chapter details the design bases, implementation, and safety discussion of the I&C. Finally, a new set of Technical Specifications are submitted. The new Technical Specifications are, in bulk, identical to the October 31, 2016 license

,,.approval with minor changes such as using reactor "Change Rate" vs. "Period", conductivity vs.

resistivity, and corrections to TS internal references. Both a fully marked up version and a final draft have been provided. They are submitted in full due to changes in the page numbering and a change in the footer of the document The Chapter 7 rewrite closely matches the guidance as listed in the published versions of the Interim Staff Guidance to NUREG-1537. The bulk of the Chapter 7 was written directly from Part 2 of the guidance in ord~r to ensure the reviewing staff can quickly identify relevant sections. There are some significant deviations from the guidance. Firstly, tl1ere is no "square-wave" or transient operation mode for the PUR-1, therefore all of those sections have not be~n addressed. There are no experimental facilities or experiments tl1at contain interlocks, therefore they are not able to compromise the function of the RCS. There are no operating bypasses in the control system. All timing requirements (such as tl1e rod drop timing) are specified from the time of tl1e Scram condition initiating, but are not included in Maximum Hypothetical Accident Analysis as the MHA involves the mishandling of a fuel plate. Additionally, tl1e PUR-1 Safety Limit is based on fuel temperature and not on power. Therefore, the safety limit is never directly measured. Finally, there are no Engineering Safety Features. Otl1er tl1an a note indicating tl1e lack of ESF, tl1ere is no discussion on this topic.

Documentation to l>e submitted at a later date but prior to the approval of this License Amendment Request includes a Quality Assurance Program, which matches tl1e guidance as outlined in ANSI/ANS 15.8-1995. The Quality Assurance program will enable reactor staff to track and monitor all changes in tl1e facility and create a documentation trail commensurate with tl1e change to be performed. This may be submitted following the docketing of the I.AR as it does not affect the direct operations of tl1e facility altl1ough it is important to tl1e long-term reliability of equipment Purdue plans for an expeditious review of tliis application. The new I&C has been desigiied so tl1e

'new system is analogous to tl1e old at the systems level. Otl1er tl1an the sigi1al processing (analog vs.

digital), the new I&C contains the same number of channels, similar trip points, the same power level, similar rod movement methodologies, and systems indications. Additionally, to maintain consistent operations, it is imperative to replace the original 1962 Instrumentation and Controls as soon as safe and prudent Purdue is optimistic for a final approval date of August 11, 2017.

Milestone Expected Comp~etion Qate

-

Docketing of lAR February 27 Acceptance Review of lAR March20 Submission of new QA Program April 7 Mid-Review Public Meeting I April 18 Proposed NRC Staff Visit to PUR-1 May 1-4 Submission of Start-up Plan May22 PUR-1 Fuel Unloading, Rod and Fuel Inspect.ion July 10 Original I&C Demolition and Removal July 17 - July 21 New I&C Installation July 24 - August 11 License Amendment Request Decision August 11 PUR-1 Restart August 11 - August 28 The PUR-1 Reactor Operations Staff will respond in a timely manner to any questions or requests for additional information the NRC staff may have.

I declare under penalty of perjury that the foregoing is true and correct to the best of my knowledge.

Executed on February 27, 2017.

Sincerely, Clive Townsend PUR-1, Reactor Supervisor School of Nuclear Engineering

Enclosures:

I&C Replacement - Safety Review PUR-1 Proposed Chapter 7 Replacement PUR-1 Technical Specifications, Proposed No.14 PUR-1 Technical Specifications, Proposed No.14-Markup

Chapter 7 - Instrumentation and Con~ol Systems "Instrumentation and control U&C) systems comprise the sensors, electronic circuitry, displays, and actuating devices that provide the information and the means to safely control the reactor and to avoid or mitigate accidents. Instruments ae provided to monitor, indicate; and record such operating parameters as neutron flux density, coolant flow, temperature, and level, and radiation intensities in selected areas around the reactor.

Certain I&C systems will automatically shut down (scram) the reactor when any safety parameter reaches a predetermined setpoint as analyzed in the SAR." (NRC)

The PUR-1 is designed with two major subsystems: the Reactor Protection System (RPS) and the Reactor Control System (RCS). The RPS and the RCS are nearly independent of each other at the PUR-1 as well be discussed further in this document.

7.1 Summary Description The PUR-1 Instrumentation & Control system is designed with safe shutdown at the forefront. In the event

. of any system anomaly, the system is designed to initiate a prompt and safe shutdown. Four channels make up the heart of the instrumentation. The main operating channels consist of a startup range channel, a log power channel and a linear power channel. A fourth channel monitors high power values of the reactor.

The Safety Limit of the PUR-1 is not monitored directly but is rather assured through neutronic and thermal hydraulic analysis in previous chapters of this Safety Analysis Report. Multiple channels measure the Limiting Safety System Setting of 12 kW power level. Limiting Conditions for Operation are measured in a variety of means. Excess reactivity, experimental worth, and other reactivity parameters are measured through various means utilizing readouts from multiple channels. LCOs with respect to radiation levels are monitored by the various facility Radiation Area Monitors. Rod Drop timing surveillances are completed through software on the operator console. Coolant conditions, such as temperature and resistivity, are measured by in-pool and in-pipe conductivity and temperature sensors. Reactor room pressure differential is measured by magnehelic air pressure differential sensors. Finally, fuel integrity is verified through water sampling as well as visual inspection.

Table 7 Detectors, Parameters, and Range ofPUR-1 Instruments Instrument Instrument Reactor Parameter Range Measured Ch.#1 Fission Chamber Reactor Level and Change 1 cps - 1010 cps Rate -3%/s - 33%/s Ch.#2 , Compensated Ionization Reactor Level and Change 0.00001%

Chamber Rate -300%Power

-3%/s - 33%/s Ch.#3. Uncompensated Ionization Reactor Level (Linear) 0% - 300% Power Chamber Ch.#4 Uncompensated Ionization Reactor Level (linear) 30% - 150% Power Chamber Thermometer Water Conductivity and Coolant Temperature 0°C-100°C Temperature Sensor Magnehelic Air Pressure Differential Differential

, Air Pressure 0 - 0.5 H2 0 Sensor

Radiation Area Geiger-Mueller Counter Radiation Level 0-lOOmRem Monitors Continuous Air Gas Proportional Counters Airborne Radioactivity 0 - 100,000 cps Monitor Levels Rod Drive Helipot Voltage Differential Sensor Rod Height 0-100 cm Conductivity Water Conductivity and Coolant Conductivity 0-200 µS/cm Temperature Sensor (Inverse of Resistivity)

Coolant Flow Rate Flow Rate Meter Coolant Flow Rate 0-10 gpm The first three of the neutron flux monitoring detectors feed their signal into a preamplifier, which subsequently is analyzed by a Mirion Technologies measurement channel. The output range of the flux is fed to the reactor operator console using an RTP Programmable Logic Controller (PLC) and is scaled to 4 -

20 milliampers (mA). The Mirion instruments are capable of providing scram initiation through interruption of the magnet circuit The channel current is fed to two Yokogawa recorders for additional indication. The PLC monitors the value from the Mirion instrument and can provide its own scram capability.

In addition to the neutron flux channels, radiation monitors are in the magnet power circuit and are capable of interrupting the circuit if a high radiation level is detected. Similar to the Mirion instruments, the RTP monitors the functionality of the radiation monitoring equipment and will interrupt magnet power provided the radiation level exceeds the setpoint or signal quality becomes unacceptable.

Figure 7 Magnet Circuit Interrupts Magnet power is enabled in the control system provided none of the measured parameters of the neutron flux monitoring or radiation monitors indicate values which would initiate a scram and the key switch is positioned correctly. The magnet circuit is supplied by an Acopian current source.

With respect to diversity, reactor protection is achieved in a variety of means. The reactor power level is measured with all four channels although only three of them are capable of initiating a trip as the Channel 1 is the startup range detector and indicates counts per second. Each of these systems has completely independent scram capability with the exception of their electrical power source which is a Tripp Lte Uninterruptible Power Supply (UPS). These UPS units receive power from the building supply and are capable of supporting the reactor protection and control for at least thirty minutes following loss of power.

This time is sufficient for operators to shut down the reactor in a normal manner. In the event of a power supply failure by the UPS units, a loss of power to the magnet current would cause the magnets to fail and the Shim Safeties would fall into the core under the force of gravity. Reactor change rate is monitored by two of the detector systems: Channel 1 (Low Level) and Channel 2 (High Level).

Reactor power values are indicated in at least three locations for the operator. The first of these are on the Mirion Channels themselves. Operators are able to view on the front of the channel any parameter which is capable of initiating a trip in the system. Additionally, the 4 - 20 mA current is fed to two digital recorders as previously described. One recorder is traditionally dedicated to displaying reactor power values (Ch. 1, Ch.

2, & Ch. 3) while the other indicates reactor change rate (Ch. 1, Ch. 2, & Ch. 4). The operator may elect to send any other plant parameter to the fourth indication window mi the recorders. Finally, the reactor control system indicates the power and change rate at the top of the main operator screen. Note: While the Channel 4 change rate is indicated on the recorders though a PLC calculation, the Mirion DGK does not provide a change rate scram.

The reactor control system consists namely of the RTP Programmable Logic Controller (PLC) and a Dell Workstation. The RTP system monitors the signal from the four detector channels, the radiation levels, and all other plant parameters. It is capable of initiating an additional scram if any of these indications are invalid (that is the signal is outside the 4 - 20 mA range) as well as in series to the Channel Scram. The PLC additionally monitors the coolant chemistry, bulk pool temperature, reactor room pressure, status of the room's confinement, and all other facility parameters. The reactor control system has its own UPS unit which is capable of supporting the system for at least 30 minutes (although indications in system staging show this may be as long as 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />). .~

Table 7 Reactor Protection System Overview Channel or Parameter Monitored Signal Type Purpose

\

Device Digital and Channel 1 Change Rate Analog Digital and Channel 2 Power & Change Rate Analog Protect Reactor Integrity Digital and Channel 3 Power Analog Digital and Channel4 Power Analog Digital and

. RAM#l Pool Top Radiation Level Reactor Protection Analog System Operator Console Digital and RAM#2 Radiation Level Analog Protect.AgainstElevated Water Process System Digital and Radiation Levels RAM#3 Radiation Level Analog Jr Digital and .

CAM Airborne Contaminants Analog Manual Scram Operator Protection Emergency Immediate Analog Switch Functionality Shutdown Magnet Power C.onnections from Supply Analog Allow Reactor Functionality Circuitzy to Magnets Completes Magnet Power Key Switch None Analog Circuit As indicated in this table, the radiation protection function is provided by three radiation monitors (RAMs) and one Continuous Area Monitor (CAM). These measure radiation levels at locations in the facility which have been determined to be, the most likely or most significant loCa.tion for elevated radiation levels. There

'-

are no effluent radiation monitors although the effluent dose release is approximated with dosimetry placed near the exhaust of the facility.

Table 7 Reactor Control System Overview Channel or Device Signal Tvve Purpose Magnet Power Supply Digital and Analog Power Magnet Circuit UPS Units (Two Units) Digital and Analog Power Entire System Indicate Scram, Setback, Interlock, Annunciator Panel Analog and Environment Status Yokogawa Recorders Digital and Analog Indicate Power and Change Rate Reactor *Control Measure Water Temperature and Water Chemistry Monitors Digital and Analog System Conductivity Control Wiring Analog Transfer Signal to Subsystems Transfer Information Between RTP Network,Switches Digital and Workstation Dell Workstation Digital Indicate Facility Parameters Convert Facility Parameters for PLC Controller Digital and Analog Indication The shim-safety rods are driven by selecting the desired drive on the Workstation and initiating the movement The movement can be performed in three separate ways: timed movement with the PLC, height selection with the PLC, and manual movement through movement of a joystick. on the console. The PLC connects the drive system for that rod and clears any other drive circuit that may be energized. Interlocks prevent the raising of more than one control rod or the fission chamber simultaneously.

The control system contains several indications which are highlighted below.

Table 7 Rod Indication Overview Indicator Condition Rod Bottom The rod is located at the bottom of the travel distance Lower Limit The drive unit is at the lower limit of its travel.

Shim Range The drive unit is two-thirds out This point is where the shim-safety rods are set during critical (2/3 Limit) experiment fuel loading.

UpoerLimit The drive unit is at the upper limit of its travel.

Engage The shim-safety roois attached to the drive electromagnet Drive The drive unit is connected to the raise-lower switch.

The control system contains several interlocks and logic structures which will be discussed in subsequent j sections. In short, the PLC controls logic which inhibits more than one rod drive from being selected simultaneously (with the exception of during a gang lower), blocks rod motion when the reactor change rate interlock. has been activated, and when Channel 1 indicates less than two counts per second (which would indicate* the startup source is missing). These would all be classified as automatic functions. There are no bypasses to the control functions.

Two principles guide the design and implementation of the reactor control system's Human Machine Interface (HMI). The first of these is that the reactor operator should be able to view critical reactor parameters at all times. This is achieved in two ways. The first is the indication on the Yokogawa recorders

J located directly to the left of the main operator screen, above the annunciator panel, and below the Manual Scram switch. The main operator screen contains the indication of the rod height and the reactor power level and change rate indications as well. As previously discussed, these come from multiple neutron flux monitoring channels. The second guiding principle was that the operator should be able to find historic information of a facility parameter (as well as its current value) in no more than three screen changes. That is to say, from the main reactor options screen, any value can be obtained readily.

Access controls to the reactor control system and the reactor protection system are done in three ways. The first is through physical protection of the system. It is completely isolated from unauthorized access by being solely located in the reactor room itself. Secondly, passwords are protected at the same level as the reactor operator key. Administrator access to the system is granted only to senior facility staff while the senior reactor operators and reactor operators are given their own respective access levels. Finally, detailed system design is only accessible to authorized, licensed personnel. These three levels of access controls ensure safe operation of the facility.

There are no experimental facilities that have control or protection functions or implications.

7.1.a- Reactor Protection Svstem vs. Reactor Control Svstem Research and Test Reactors provide a unique question when analyzing the Reactor Control System vs. the Reactor Protection System. As stated in NUREG-1537, "the RPS is designed to detect the need to place the reactor in a subcritical, safe shutdown condition when any of the mentioned parameters exceeds the limit as determined in the SAR. Upon detecting the need, the RPS should promptly and automatically place the reactor in a subcritical, safe-shutdown condition (Scram) and maintain it there." NUREG-1537 notes, "the RCS [Reactor Control System] performs several functions, such as maintaining the reactor in a shutdown state, reactor startup, changing power levels, maintaining operation at a set power level, and shutting down the reactor." At its most basic level, reactor control is performed by the rod drives. The rod drives aid the operator in maintain the power level at a level sufficient to perform the needs of the facility and not exceed those limits which would require protective action. The rods are the principal component of the RPS. Their binary location of at t;he bottom or elevated is determined by the magnet's power status.

The PUR-1 is designed such that if the power or period are determined to be at unsafe levels, the RPS performs this protective Scram action, most specifically, by removing current to the magnets, which hold the shim safety rods out of their elevated position. The reactor is returned to its shutdown condition. The position of the rod drives holds no bearing on the status of shutdown condition. Even if the Reactor Control System were to act in the most unsafe manner, by instantaneously removing the rods to their full travel height, the Reactor Protection System would intervene and scram. The maximum excess reactivity, as allowed by the PUR-1 technical specifications is 0.6 % llk/k. Analysis has shown that this will initiate a one second period.

If the reactor were to be at its maximum allowable operating power with a 50% uncertainty added, and the control rods were to instantly be placed at the top of their travel length (completely out of the core), the one second period would put the reactor power at 1

P(t = 1) = 18 [kW]eI = 48.9 [kW]

Even if the reactor trip was 600 ms late in initiating the reactor trip, the power level which the reactor reaches would be 1.6 P(t = 1.6seconds)=18 [kW]eT = 89.2 [kW]

The Onset of Nucleate Boiling does not occur at this power level for plate 1348. This very low level analysis shows the reactor protection system is capable of keeping the reactor at a safe power level even if the reactor control system was non-existent. Three independent channels are capable of initiating a high power scram.

7.1.b-RPS and RCS Overlap The Reactor Protection System and the Reactor Control System overlap in few but important areas. The first of these is the neutron flux indication. All indication of the neutron flux is done primarily on the operator console. The operator will use these values to understand the status of the reactor in most operating conditions. The value displayed on the operator console may be checked by confirming the same value is being recorded on the Yokogowa Chart Recorders as well as verifying the value on the face of the Neutron F1ux Monitoring Channels.

• The second connection between the RCS and the RPS is their connection in the magnet power circuitry. The magnet circuit runs from the magnet current source through each of the neutron flux monitoring channels, the Programmable Logic Controller, and the manual scram buttons. The relays for each of these subsystems are placed in series making the operability of each system independent of the next. See Figure 7 Magnet Circuit Interrupts for a logic diagram of this setup.

Physically, the RCS and RPS are located in the same instrument cabinets and their wiring runs amongst each other. Critical cabling, such as the magnet power, is denoted with physical tags, readily identifiable by an operator.

• Outside of the 4 - 2 0 mA current supply from the Neutron Flux Monitoring Channels to the Programmable Logic Controller, there is no communication between the RCS and the RPS. The PLC does monitor the status of binary relays which aid in notifying the operator of an anomaly in the RPS. The primary workstation does not provide any safety actuation.

7 .2 Design Criteria The design of the instrumentation and control system for the Purdue University Reactor is heavily based on previous reactor control and instrumentation design. The upgrade to digital I&C was centered on retaining the operational characteristics of the former system while expanding the reliability, safety, and capability of the facility. The original l&C for the PUR-1 was based on systems in use at such reactors as the Bulk Shielding Reactor, the Tower Shielding Reactor and the Pennsylvania State University Reactor.

The implementation of the four detectors is such that the entire range of normal reactor operations is covered and accident transients up to and exceeding 300% can be measured. The start-up channel (Channel # 1) covers from 1 cps to 1010 cps. Channel 2 has a range of eight decades while Channels 3 and 4 have ranges of 7 decades. With appropriate detector placement, these detectors more than adequately cover the expected range of variation of the monitored power during normal and transient accident scenarios.

Redundant systems measuring the power have been implemented to ensure no single failure of a system is capable of putting the reactor in an unsafe condition. In addition to the multiple channels indicating power

and change rate, the channels continuously run checks on themselves for any subsystem anomaly. These checks are enhanced with the Reactor Control System. In the event of an abnormal indication, the RTP is capable of interrupting magnet current to provide an even higher level of safe operation. All scram capability is built in series allowing for any single subsystem to initiate reactor shutdown. This eliminates the possibility of systematic, nonrandom, concurrent failures of rednndant elements ill the design of protection systems and reactivity control systems.

An annnnciator and alarm system are included to indicate facility status. These indicators are in addition to the information available to the operator on the control workstation.

The system is designed to fail safe. Any interruption of magnet circuitry or loss of power itself will initiate a Scram. The magnets are engaged by supplying power to them. Once engaged, the magnetic force between the top of the rod and the magnet is sufficient to overcome gravity. The rod drive is activated for rod motion.

H the magnet current is removed, the rods fall back into the core nnder the force of gravity. Reactor core design is such that any one- shim-safety rod inserted into the core by one third. of its full travel distance is capable of putting the reacto; at a negative period and beginning shutdown. This is a fail-safe design.

The reactor control system's PLC is programmed such that if any parameter indication falls outside of the predefined range, it recognizes the signal as invalid aiid sets the indication to the most conservative value. An example of this would be Radiations Area Monitors indication. The dose level from the monitor is scaled to be between 4- 20 mA .. That is to say, when the dose is 0 mRem/hour the RAM puts out a current of 4 mA. When the RAM indicates a maximally defined dose level, 100 mRem/hour for example, it would output a current of 20 mA. This current is continuously read by the PLC and converted from mA to the appropriate engineering unit, in this example mRem/ hour. H the radiation monitor was to put out a current of 2.5 mA or of 21 mA, the RTP would classify this as an invalid signal and set the parameter's value in the logic system to 100 mRem/hour, the most conservative value. This level would then initiate a: Scram by the PLC. A similar statement can be made about every parameter measured by the PLC. This provides an additional level of safety as the validity of the signal is continuously monitored.

Every system used in the PUR-1 Instrumentation and Control upgrade has a long history of safe use in industry applications, many of which are nuclear related. The most fundamental assurance of reliability of the system's components stem from this prolonged safe use in a multitude of safety significant industrial settings.

As the safety of these components has been time-tested, systems which are composed by them carry a similar reliability level. Perfom1ance of the integrated system has been tested through extensive parameter evaluation.

All instrument cabling is IEEE 383 certified.

Standard environmental conditions in the facility range from 15 - 2 5 °C. All equipment implemented in the I&C design are functional in this standard range and typically range from 4- 35 °C. Weather conditions as detailed in Chapter 2 - Site Characteristics are generally in the operating range without the benefit of air handling units inside the reactor room and Electrical Engineering Building.

7.2.a-- Standards Used in Evaluation of Safety Performance The standards listed below were used in the evaluation of safety performance of the Safety Significant channels.

• KTA 3501 - Reactor protection system and monitoring equipment of the safety system

• KTA 3502 Accident measuring systems

• KTA 3505 Type-testing of measuring sensors and transducers of the safety related instrumentation and controls system

• KTA 3507 - Factory tests for the instrumentation and controls of the safety system

• KTA 1401 - General requirements regarding quality assurance

• Internal Quality management manuals from Mirion Technologies (MGPI H&B) GmbH, Munich.

• IEC 60880:2006 Nuclear power plants - Instrumentation and control systems important to safety.

• Software aspects for computer-based system pe~forming category A functions IEC 60880:2006.

7.2'.b - DWK - 250 Digital Wide Range Channel The DWK 250 has successfully passed assessment according to DIN57 411 (VDE 0411) Part 1 (10.73) which involveds protective measures for electronic measuring instruments as well as being designed, built, and tested in accordance with the following guidelines: KTA 3501, KTA 3502, KTA 3505, KTA 3507, KTA 140 l, and the manufacturer's quality assurance manual. It is coupled to a fission chamber for use in the PUR-1 research reactor. The qualification submitted with this letter is datedJanuary 1, 1991. From the summary of the report:

" ...The objective of demonstrating the reliability of the reactor protection component by theoretical and application tests was achieved." .The channel is appropriate for use in reactor safety se_ttings.

7 .2.c - DAK - 250 Digital Start-up Channel The DAK 250 has successfully passed assessment according to IEC 60880, KTA 3503 and KTA 3505 standards. The digital start-up channel DAK 250 was designed to measure the neutron flux density and is coupled with an ioniz.ation chamber for use in the PUR-1 research reactor. The letter submitted with this safety analysis report dated January 26, 1995 the Institute of Nuclear Technology and Radiation Protection commissioned the Department of Instrumentation & Control and Reactor Core to perform the qualification and testing for the channel. The KTA 3503 and KTA 3505 testS ascertain whether or not the DAK 250 will be certified for use in reactor protection as outlined in KTA 3501. Technical rules used in the analysis of the system are IEEE Standard 829, DIN IEC 880, DIN IEC 65A Section 122, and DIN V VDE 0801. Systems tested included the equipment manual, reactor protection functions with input and output signals, the source code, object code, software, functions of measuring channels, and system level functionality. The processor units NZ21 (Input and output processor) and the NZ12 (main processor) are utilized in the system. Factors evaluated in the design of the software were consistency, comprehensibility, completeness, coherence of the requirements specification, structure of design, structure of programs, and structure of the requirements.

Each of these is evaluated and indicate operability for reactor safety settings.

7 .2.d - DGK 250 - Digital Direct Current Channel The DGK 250 has successfully passed assessment according to KTA 3503 and KTA 3505 standards. These tests determined whether the DGK 250 would meet necessary standards for use in reactor protection purposes pursuant to KTA 3501. The technical rules used during the tests and examinations include IEEE Standard 829, DIN IEC 880, DIN IEC 65A Section 122, and DIN V VDE 0801. Systems tested included the equipment manual, reactor protection functions with input and output signals the source code, object code, software functions of measuring channels, and system level functionality. The processor units NZ21 (Input and output processor) and the NZ12 (main processor) are utilized in the system. Factors evaluated in the design of the software were consistency, comprehensibility, completeness, coherence of the requirements specification, structure of design, structure of programs, and structure of the requirements.

Each of these is evaluated and indicate operability for reactor safety settings.

7 .2.e " Facilitv Abnormalities. Building and Site Codes As discussed in previous sections of this Safety Analysis. Report, there is little to no risk of catastrophic earthquake in the West Lafayette area. SY,stems are designed such that in abnormal conditions, the reactor fails safe. I&C systems and components specified in this document important to the safe operation or.

shutdown are designed to function reliably under anticipated environmental conditions such as temperature, pressure, and humidity for the full range of system operation, during maintenance, while testing, and under postulated accident conditions.

7.2.f - Independence of Scram Capability .1 Each of the channels herein described operate completely independently, with the exception of their power source .. Each channel has dedicated cabling to and from the measurement detector and. there is no hard wired direct connection between channels. The only commonality, the power source, is monitored continually by the .PLC. An abnormal power condition, (e.g. low input voltage, high output voltage, abnormal battery status, etc.) is indicated to the operator on the primary operator workstation. '

Scram capability by each channel is accomplished by each channel individually and for each parameteF (Change Rate and Power Level) measured. The magnet circuit is interrupted by an individual relay. The relays ai;e in series allowing for any single system to perform a complete system sci-am.

The sole Limiting Safety System Setting (LSSS) is the reactor power level of 12 kW. 'This parameter can be viewed through proper selection on the DAK 250 and DGK 250 systems.

7 .2.g - Scram Timing The PUR-1 Scram time must be less than one second. This is the time from signal initiation (via manual Scram, reactor over power, high period or high radiation levels) until the rod bottom switch is activated. In the upgraded PUR-1 Reactor system, this parameter is measured every time a Scram is initiated by the facility and an associated surveillance is included in the PUR-1 Technical Specifications. A 1 second drop time is sufficient to pr~tect the reactor from a 1 second period (3396/s change rate) which is initiated while the reactor is operating at full power plus 50% instrument uncertainty. Monitoring of facility parameters is constant with data collection rates being up to one data point every 10 milliseconds (100 Hz).

/

7.3 Reactor Control System The Reactor Control System performs several functions such as performing the system startup, changing power levels, maintaining the operation of the facility at a set power level and initiating controlled reactor shut down. The Reactor Control System iS composed of subsystems which may contain components in multiple subsystems.

I The RCS is designed for reliable operation in the normal1range of environmental conditions anticipated within the facility. Air conditioning and heating keeps the reactor room at a relatively stable temperature and humidity. The equipment in the racks remain elevated off the floor to prevent damage in the case of room flooding. There are no other credible; normal operation, events which would threaten the reactor equipment No cooling fans are necessary to protect equipment from environmental conditions and heating of equipment iS very minimal.

.. ...1111 Figure 7-2: Reactor Control System Block Diagram 7 .3.a - Nuclear Instruments The Nuclear instruments at the PUR-1 consist solely of the fission chamber (Channel #1), Compensated Ionization Chamber (Channel #2), and the Uncompensated ionization chambers (Channel #3 and Channel

1. 4). The primary purpose of these channels are to provide safety functions of automatically shutting down the reactor if an unexpected value is measured for the neutron flux or its change rate. They also output representative signal values to the PLC and reactor control system. The operators use these readings to make decisions on how the facility is operating and make power level changes. There are no fuel temperature monitors in the PUR-1.

7.3.a.i - Design Bases and Cni:eria From a Reactor Control stance with respect to the Nuclear Instruments, the values available to the reactor operator must be of high enough precision as to give a reasonable level of detail as to the true value in the core. The instruments as discussed in Chapter 7.2 give values with an expected error no greater than approximately 1%. All safety analysis completed in Chapter 13 assumes a 50 % error which is much more conservative than this value. The Nuclear Instruments used in the PUR-1 I&C system have demonstrated safe performance at industrial nuclear reactors. Redundancy ensures the failure of one Channel does not inhibit the operator from a safe shutdown or knowledge of the failure of the individual failing component Neutron flux overlap from Channel #1 to Channel #2 is expected to be up to five decades but certainly meets the 1 decade overlap criteria. Channel #1 may provide indications from start-up range (I cps) through full power (up to 1010 cps).

The detectors implemented in the Reactor Protection System give indications to the operator as to their status continuously. The implemented instrumentation overlaps by many decades. Additionally, placing the UIC for Channel #4 slightly farther from the core will allow it to measure power levels well beyond the licensed power range for postulated accidents and accident conditions. As power level is not a safety limit for the PUR-I, the measureable power level must only be at a high enough value to indicate the bases under which this Safety Analysis Report is written remain valid. See Table 7 Detectors, Parameters, and Range of PUR-1 Instruments for an ove:rview of the range of the neutron flux monitoring equipment The most significant accident, to be further discussed in Chapter 13 - Accident Analysis is a fuel cladding, breach. The Safety Llmitfor Fuel Temperature is 530 °C which is not achievable by the PUR-1 core. Reactor instrumentation and control play an auxiliary role in temperature control, as Physics takes the lead.

7.3.<Lii - RelQbi/ity and Performance The nuclear instruments have a demonstrated reliability and performance in nuclear applications across the world. See Section 7 .2 for a more complete discussion of the reliability of the Nuclear Instruments.

Channels #1 and #2 are capable of discriminating against strong gamma radiation which may be present after operation for extended amounts of time at full power. Channel #1 does this through the utilization of the

• fission chamber. Most fissions caused within the chamber are from thermal neutrons in the core. While gamma pulses are still measurable by the fission chamber, the discriminator is set such that those smaller pulses (as compared to the ones from a fission fragment) are not counted. Channel #2 utilizes a compensated ionization chamber. One of the chamber's is doped with boron which is sensitive to thermal neutrons whereas the second chamber is not By comparing the two currents (or rather sending the currents in opposite direction) the resultant value is from neutrons alone.

7.3.a.iii -Aut:orn;Jtic Action - GangLower and Setback When the reactor is to be shut down or a nuclear instrument indicates a value which exceeds defined setpoints, control rods simultaneously lower. This can also be done by selecting the gang lower button. The gang lower relay directly energizes the drive lower relays for all control rods. The gang lower relay is de-energized by selecting stop on the operator workstation.

Four setback logical points are included in the reactor control system. These values are monitored by the PLC but they are not credited in the safety analysis in Chapter 13. Actuati~n of any one of these circuits will result in the shim-safety rods and the regulating rod being driven into the core to their lower limits unless the trouble is cleared and the joystick is toggled before the lower limits are reached. The following setback conditions can be initiated.

Table 7 Setback Initiating Conditions and Descnptions r,,.,,.;__ Condition Description Low Level Period St.art-up Channel indicates a high change rate High-Level Period Log-N Channel indicates a him change rate High-Level - Linear Level The linear level channel indicates a high power level High-Level - Safety Level The Safety Channel indicates a high power level

7 .3.b - Process Instruments Several process instruments exist at the PUR-1. These include a flow rate indication to ensure adequate cooling capacity of the heat exchanger, a magnehelic to ensure adequate pressure differential from adjoining

. space, primary coolant (bulk pool water) temperature, conductivity of the coolant and a water height measurement ruler. All of these values are checked during startup. The temperature, conductivity, and air pressure differential are continually monitored by the RTP.

7.3.b.i - Design Bases and Crit:eria The two most important process instruments in the PUR-1 are the thermometer and the magnehelics. As such, these are the two instruments, which have continual indication on the operator console and are continually monitored and logged. The thermometer's importance is to ensure that the criteria under which the neutronic analyses and the thermal hydraulic analyses were completed remain valid. The criteria, which must be met, are outlined in other sections of this document As the thermometer is capable of reading values from 0 - 100 °C, the standard operating range of a nominal 20 - 30°C is reasonably covered. The accuracy of the thermometer shall be at least to the nearest tenth of a degree Celsius.

The Magnehelic's purpose is to ensure a negative pressure differential exists within the reactor room. The purpose of the negative pressure guarantees the calculated dose to the maximally exposed member of the public during the maximum hypothetical accident remains valid. The negative pressure in the room must be atleast-0.05" of water column and the instrumentis capable of covering-0.5" to O" of water. The accuracy of the magnehelic shall be to the nearest one hundredth of an inch of water.

The remaining indications are coolant flow rate, coolant conductivity and water height The coolant flow rate is important to satisfy the needs of the heat exchanger but the reactor is permitted to operate without the heat exchanger being in use. Seldom during the operation of PUR-1 is the heat exchanger needed and in the event of inoperability, the thermometer as previously discussed gives warning to the operator of an approaching facility value which is beyond expected range. This would result in the operator starting a controlled shutdown and subsequent investigation into the operation of the heat exchanger. In this sequence, the safe operation of the PUR-1 is not inhibited.

The coolant conductivity is a monthly surveillance and is to confinn long-term viability of structural components underwater. As a monthly surveillance, constant monitoring is not required although it is available. --

Lastly, the water height measurement is to quantify adequate shielding to operators during operation. In the event of inadequate water height, the radiation monitors would alarm. Therefore, constant measurement of this parameter is not needed.

7.3.b.ii -Reli;Wilitv and Perfonnance The reliability of the process instruments must be such that when parameter values are desired, they are available to reactor staff and operators. All of the instruments used in the PUR-1 have shown acceptable performance in industrial applications and are readily replaceable. A failure of an instrument would require reactor shutdown and would need to be replaced prior to restart None of the process instruments failure would immediately place the facility in an unsafe condition. Their failure would stop operations until replacement

7 .3.c - Control Instruments There are three control elements: Shim Safety # 1, Shim Safety #2, and the Regulating Rod. The two Shim-Safeties are made from borated stainless steel and the Regulating rod is a hollow pipe of stainless steel. The Shim-Safeties are attached to the rod drives through individual coupling magnets which require a constant current to overcome the force of gravity and keep the rods suspended. The Regulating Rod is rigidly attached to its drive unit and must be driven in for insertion.

7.3.ci - Design Bases and Criteria Two Shim Safeties are implemented in the PUR-1 control system to protect against the stuck rod condition during a scram. The Technical Specifications require that the reactor be subcritical with a single rod inserted one third of its total travel motion (often called shim range). The redundancy in two rods as well as continuing to analyze the rod drop timing guarantees the reactor is capable of safe shutdown. The third control rod, the Regulating Rod, does not perform safety functions, has a lower worth than the two Shim-Safeties, and has the sole purpose of performing fine neutron balancing. The ehight indication of control rod shall be at least to the nearest tenth of a centimeter.

A jam circuit is incorporated in the drive circuits to operate a jam indicator on the console in the event of a mechanical jam in the drive. This indication alerts the operator to the possibility of cable kinking drive units, or mechanical friction in the rod drives.

• 7.3.c.ii -Reliahilitvand Perfol7Ilance The two shim-safeties worth are measured as required in the Technical Specifications for drop timing as well as integral worth. Power levels and neutron fluxes in the PUR-1 core are insufficient to bum up the available boron in the rods. Structural integrity of the rods are also verified through visual inspection.

7.3.c.iii - Operation The shim-safety rod to be driven is selected by checking the desired drive box on the operator workstation.

When a motion is initiated, the drive system for that rod is activated and any other drive circuit that may be energized is cleared. Rod withdrawal inhibits prevent the raising of more than one control rod or the fission chamber simultaneously. The raise-lower actuation operates relays, which control the rod drive motors.

The following indicators are provided for the rod drives.

• Upper Limit

• Lower Limit

• Jam

• 2/3 Limit

• Rod Bottom Indication

• Magnet Engage (Shim-safeties only)

Rod speed is not variable and does not change based on "manual" and "automatic" modes of operation.

While final rod height may be selected by the operator, the time which elapses between initiation of motion and final positioning is the same for movement "by target" *and movement by manual adjustment of the operator joystick.

7 .3.d - Interlocks There are a variety of interlocks that give permissives r

and inhibits to rod withdrawal. At low level, at least 2 counts per second must be seen on Channel # 1 to allow rod withdrawal. This is to ensure the startup source is located near the core. Additionally, there are interlocks for high change rates of 6%/s. Programming of the PLC as well as the wiring of the control rods prevent more than one rod being selected to raise at once.

7.3.di - Design Bases and Cnioia.

The design requirements of the rod withdrawal permissives are to verify the startup source is in a position which will show fast changes in the neutron flux level as a function of the rod height If the start-up source were not in position, the reactor could be placed in a prompt supercritical condition with a low neutron flux.

This would then result in a very high change rate and the rod drop time would be insufficient to protect against exceeding power limits. With the source in position, the reactor's change in reactivity is immediately seen by the operator. A value of 2 counts per second indicated flux gives a reactor flux sufficient to prevent this condition.

The second rod withdrawal inhibit prevents the operator from inadvertently moving into change rates which lower the safety margin of reactor operation. The 6%/s change rate is such that the operator is notified of fast rates and may prevent the need for protective action by the RPS.

7.3.d.ii -Rehabilitvand Perfonnance The interlocks of the PUR-1 were extensively tested during the Factory Acceptance Testing of the Instrumentation and Control Systems. A change in the interlocks would need to be done through reprogramming the PLC system and would be analogous to a re-wiring of an analog control system. Any such facility change must be reviewed by the Committee on Reactor Operations as well as approved by the US NRC.

As is true with any digital system, it is conceivable of a failure* of the interlocks to function as expected. The

~trative controls on operation, in conjunction with the independent functionality of the RPS to initiate scrams, safeguard against a bypass or other failure of the interlock. functionality.

7 .3.e - Automatic Power Control When the reactor is placed in Servo Control mode or Automatic Startup mode, the main operator screen must indicate this mode through highly cor;itrasting text, readily available to the operator.

7.3.eJ - Servo Control Servo control is accomplished on the PUR-1 system in one of several steps. The first of these is that the operator must already be at some nominal power. The operator then enters in a target power for the Se~o control at which to maintain the reactor. This target power must be within 5% of the current power of the /

reactor. Once the target power has been entered and the servo is enabled, the RCS will monitor the Channel

1. 3 Linear Power Level. When the reactor's power deviates from the target power, the regulating rod is inserted or withdrawn to compensate for the changing reactor power. If the reactor power comes to a point outside of 5% of the target power, a gang lower is initiated and the reactor begins to shutdown. The Servo control does not affect the ability of the RPS to cut magnet current and scram the reactor.

7.3.e.ii -AutomaJic Stutno The PUR-1 Reactor Control System features an automatic start-up. This algorithm performs identical actions that an operator would take in normal startup. Because the RPS initiates scrams independently from the Reactor Control System, this automatic startup retains criteria for safe operation. Automatic startup is interruptible at any time by the operator or any of the other reactor systems. Administrative controls limit those operators who may access automatic startup.

Automatic startup is achieved by first raising the Regulating Rod and each Shim-Safety to shim range. The system then waits to verify the reactor is subcritical. The PLC then raising the Shim Safeties while maintaining the reactor on a slow positive change rate. As the reactor is subcritical, that change rate will continually fall to 0%/s and the PLC makes another rod pull. If the change rate falls within a nominal band, no action is taken and the power increases. As the power approaches the operator desired power, the PLC shims in a shim safety and begins to level. The final move in the automatic start-up is to insert the Shim Safety a given amount to return the reactor to sub-criticality. The operator then takes over and operates either from servo mode or manually.

Recall, the PLC is auxiliary to the RPS, and under no circumstance is the scram capability of the RPS inhibited. If the automatic start-up were to perform inappropriately, the RPS shall take action.

7 .3.f - Auxiliary Comoonents 7.3.li:(a) Power Supply \.

The Power supply has three principle components: the two UPS units and the magnet power supply. While the magnet power supply is powered from the UPS units, its function is sufficiently unique that it is classified as a standalone subsystem.

7.3.f.i(b) UPSUmts The general use of the two UPS units is separated into two separate systems. UPS #2 mainly suppliescpower to components classified as Reactor Protection. These units are the individual DGK, DWK, and DAK units as well as the radiation monitors. Conversely, the first UPS unit supplies power to rest of the system.

The UPS units installed are the Tripp Lite SMART3000CRMXL design. Each unit has a secondary battery supply as well to extend off-power time. These are 3kVA units which are mounted in the equipment racks.

Each includes network connectivity to the PLC system to provide power supply analysis for off-normal conditions. The power output is 120 Volts and corrects for brownouts and over voltages from 83 to 145 Volts.

Each unit supports loading up to 3600 watts when hard wired. Approximately half of this loading is expected to be used on each system. Operational conditions of the UPS units are from 32-104 degrees Fahrenheit The units are tested to ULl 778 Specifications.

7.3.f.i(c) Magnet Power Supply To supply current to the electromagnets used in the shim safeties, a standalone Acopian current source is used. The source can supply 0 - 100 mA with a maximum voltage of 30 V. The Acopian current source is mounted in the equipment racks. The Acopian is powered by 120 VAC by a 3-wire, 16 AWG cable terminating in a NEMA 5-15 plug. The current supplied has a minimum of 22 rnA and a maximum of 50 rnA. The resulting compliance voltage is a minimum of 12.39 V, a maximum of 28.15, and a planned

operating voltage of 16.89 V. These values are monitored by the RTP system and the reactor operator is notified of any abnormalities.

7.3.£i.(d) Signal Transmission In any reactor system, the signals from different subsystems will be moved though the wiring of the system.

All multi-conductor cable passes the IEEE-383 flame rating. All of the cabling in the PUR-1 control system clearly identifies the cable number, the location from which it.comes and the location to which it should be going. Cabling also includes network Ethernet. This cable connects different parts of the PLC together as well as the PLC to the primary workstation. Another Ethernet cable connects the secondary workstation for use as a research tool and teaching purposes. This transmission is through a data diode.

7.3.£i.(e) Parameter Indication Indication of facility parameters has been previously discussed and will be summarized in this section.

Parameters which are measured throughout the facility are displayed in several locations. The majority of parameters such as reactor power level, air pressure, and conductivity can be viewed first on the primary instrument. The conductivity sensor, for example, displays the measured value on a small display screen on the instrument's face. Secondly, critical facility parameters can be seen on the two Yokogawa recorders. The two main parameters which are always sent to the recorders are the . reactor power and change rate.

Additionally, the operator can send two other parameters to these screens. The Yokogawa's receive the power and change rate readings directly from the neutron flux measuring channels and do not interface with the PLC system. The extra parameters are sent by the PLC and are expressed in engineering units range. That is to say that the operator must specify the range over which the parameters is being measured and the recorders will output the percentage of that range. Finally, the .operator can view parameters on the main display of the workstation. The workstation is capable of plotting the parameter's value as a function of time, as well as plotting multiple parameters on the same screen. This workstation display will be the primary place an operator will go to get information on the status of a variable.

The rod heights are primarily indicated on the primary screen of the operator workstation. The four rod position indicators continuously monitor the positions of the two shim safety rods, the regulating rod and the fission chamber. The resolution of the movement is approximately 0.1 millimeter. The rod position indicator measures a voltage across a potentiometer connected to the drive unit. The reference voltage for all drive unit potentiometers is supplied by a 10-volt power supply. '-

Fission Chamber Drive System The fission chamber drive system is activated by checking the fission chamber drive box on the operator workstation. When motion is initiated, the drive system for the fission chamber clears any other drive circuit that may be energized. Interlocks prohibit raising the fission chamber while the control rods are being driven.

The following indicators are provided for the fission chamber:

• 'Upper Limit

• Lower Limit

• Drive Activation 7.3.Li: (g) Source Drive System J

The source drive system is activated by checking the source drive box on the operator workstation. The following indicators are provided for the source drive:

• Upper Limit

• Drive Indication

• Lower Limit 7.3.f.i. (h) Rod Drop Timing The rods of the PUR-1 are required to be able to be moved from full withdrawal to full insertion in less than one second. This timing also includes the time to initiate the signal. Software is included in the PLC which continually marks the beginning of events within the system also known as sequence of events (SOEs). Reports are available to the operator which include the start time of any Scam initiation by any subsystem (manual Scram, NFMS Scram, etc.) as well as the time at which the rod bottom light is illuminated for both SS 1 and SS2. If either of these are outside of 1 second, the operator is immediately notified.

7.3.g- RCS Failure Modes The RCS failure modes do not affect the ability of the RCS to perform safety functions. In every parameter that is monitored be the PLC, the response of any parameter to have a bad quality or unexpected reading is *

• to set the parameter's value to the most conservative or high point of the range and to initiate a Scram.

Additionally, the Mirion Neutron Fltix Monitoring Channels operate independently of the PLC. In the event that all facility parameter indication was removed on the RCS, the measured values are still accessible on the face of the neutron flux channels. Finally, the manual Scram button is depressed during facility anomalous conditions, which cuts magnet power and drops the Shim Safeties into the core.

The Maximum Hypothetical Accident as discussed in Chapter 13 does not rely on the operation of the Reactor Control System. The operability of the rooftop fan is used to maintain the negative pressure in the room but its loss of power in conjunction with the Maximum Hypothetical Acci~ent would include a multi-point failure.

• 7 .3.h - Surveillances and Calibration The surveillances of the Reactor Control System are such that the operation of the individual instrument is as expected and there is reasonable certainty that the operator will be notified of anomalous conditions. See 7.10 System and Facility Surveillances.

7-.4 Reactor Protection System The Reactor Protection System performs its protective action through interruption of the magnet power circuit which runs from the Acopian power supply through each of the measurem~nt channels, radiation monitors, manual scrams, PLC and the key switch in series as verified by Drawing PUR-1-HDD-001-16. Any one of these subsystems are capable of interrupting the circuit and thereby initiate the protective action of Scramming the reactor. Setbacks are also initiated by the system but need not be credited in the Safety analysis as the Scram capability is sufficient to provide protective action.

Ultimately, the Reactor Protection System's purpose is to maintain a radiation level below the limits set forth in this document and to limit the achievable activity of the fuel plates. The Maximum Hypothetical Accident, as analyzed in Chapter 13, does not involve an operational scenario but rather a fuel handling accident. In

the fuel handling scenario, the reactor protection system plays no role. While the radiation area monitors aid in indicating elevation radiation field, they do not provide protective action in the MHA. Therefore, system timing, performance, and functionality are not relevant in the bounding scenario.

The Safety limit is not directly measured by the RPS. The limiting Safety System Setting is measureable on multiple channels. The limiting Conditions for Operation which can be directly measured are outlined through the Reactor Control System Section. Other limiting Conditions for Operation may be measured by the I&C system through experimentation such as rod worth measurement During normal operation, when a scram or setback condition occurs, or when other trouble arises, an alarm sounds, and indicators show on the annunciator panel as well as the operator workstation. These indicate the source of the trouble. An annunciator acknowledge button is used to turn off (or acknowledge) the alarm. It will remain off until another alarm initiator is detected or a value which has already been acknowledged goes into a safe level followed by a return to an unsafe level. If the trouble results in a Scram, the annunciator acknowledge switch must be held in for approximately two seconds to allow re-enabling magnet power. For the magnets to engage with the rods, the drives must be returned to their lower limit (as that is the position of the rods following a scram) . If a trouble is not corrected, the annunciator will not clear until the relevant parameter has been returned to non-alarm levels. An annunciator test functionality is present in the workstation to check the operability of the panel. An evacuation alarm horn is also installed in the reactor instrument racks. The horn is activated by pushing the alarm button on the reactor console. System testing can be done in a variety of ways including sending simulated signals to any protective subsystem. The figure below shows a schematic of the annunciator panel.

Figure 7-3: Annunciator Panel Showing a RAM Scram 7.4.a- RPS Channels Required For Ooeration and Setooints "Table I - Safety Channels required for Operation" in the Technical Specifications details the setpoints that are implemented in the Reactor Protection System for the PUR-1. These values have been determined in the historic operation of the PUR-1 as well as the relevant sections of this document to provide safe operation of the facility. The table is included below for reference.

Table 7-6: Channels Required for Operation Minimum '

Number Channel Required Setpoint (c)(d) Function 2 cps or greater 2 cps rod withdrawal inhibit Channel #1 le.) 8 %/s or less Setback Log count rate 14 %/s or less Scram 6.6 %/s sec. or less Rod withdrawal inhibit 8 %/s or less Setback 14 %/s or less Scram Channel #2 l(b) 6.6 %/s or less 12kW, Rod withdrawal inhibit l..ogN 12096 Operating power Scram level, or less 0% Selected Range, or Setback greater Channel #3 11096 Selected Range or Setback 1

Linear less 12096 Selected Range or Scram less 11 kW, 11096 Operating Setback power level, or less Channel #4 l(b) ,

12 kW, 12096 Operating Safety power level, or less Scram Manual Scram (console) 1 Scram (hallway) 1 Scram (a) Not required after Channel #2 comes on scale.  ;

(b) Required to be operable but not on scale at startup.

(c) All l>ercentage based set:points shall be nipped when the measured value is greater than or equal to the specified value. Counts per second (cps) set:points are at values less than or equal to the specified value. Exception: Trip point for 0% shall happen as the value goes from the positive to negative value.

(d) Setbacks shall be set such that they will be initiated prior to a Scram Additionally, the radiation area monitors must be functional for operation of the PUR-1. They are listed below and their setpoints as well.

Table 7-7: Radiation Momi:ors Required for Opera.tion Minimum Number Channel Required.,. Setpoint Function Pool top monitor 1 50 mR/hr, 2x full power Scram backgronnd, or less than either Water process 1 7 1h mR/hr or less Scram Console Monitor 1 7 1h mR/hr or less Scram Continuous air sampler 1 Stated on sampler Air sampling (e) For periods of one week or for the dwation of a reactor run, a radiation monitor may be replaced by a gamma sensitive instrument which has its own alarm and is observable by the reactor operator.

The setpoints herein noted are such that if the instrumentation was operating with up to 50% uncertainty, as assumed in Chapter 13, and the most conservative values for analyzing safety conditions were used, Reactor Integrity and Public Health and Safety is ensured. 50% is exceedingly conservative and true error is expected to be with 1%.

While the setpoints may be changed in the system, that capability rests solely with the Reactor Supervisor and the delegated authority. Such persons must have SRO licensing. Setpoints may be adjusted to values lower than those outlined above but never higher. Key switches, which are restricted to SRO licensees are the only means of changing these setpoint values. Three is no byPass capability for interlocks.

7.4.a.i - ChMmel 1 - Stut-Up Chmnel The startup channel is used to monitor the neutron flux. The channel consists of a fission chamber, a preamplifier, the DWK 250 Mirion Channel, a Yokogawa Recorder, and indications on the operator workstation. The range of this equipment is from 1 cps -10 10 cps. It will indicate change rates from

-3 %/s to 3 3 %/s. The complete reactor power range may be monitored by this instrument by appropriate repositioning of the detector by means of the fission chamber drive mechanism. Historic measurements with similar fission chambers have indicated 5 - 10 cps with rods and the startup source fully inserted. The fission chamber may be raised into a cadmium shield by means of a drive mechanism similar to the control rod drive units. The controls and position indication for this drive are located on the console workstation. Two set points, specified in the Technical Specifications and based on the reactor change rate, provide for a reactor setback and trip in the event of a fast reactor change rate (14 %/ s).

The first activity in the reactor is indicated by means of the counting rate channel. At start-up, the fission chamber is placed near the reactor core Oower limit). Neutron-produced pulses from the fission chamber are amplified and counted. Smaller pulses produced by any agency other than neutrons, such as gamma radiation or alphas, are rejected by a discriminator. Interlocks supplied by the PLC prohibit rod withdrawal with insufficient neutron flux measurement(< 2 cps).

When the control rod has been pulled out far enough to produce an effective reproduction constant greater than unity, the. reactor power level increases exponentially and a straight line is drawn on a logarithmic plot.

The reactor change rate is displayed on the Yokogawa recorder, face of the Channel DWK 250, and operator console.

When the counting rate channel is near the limit of its counting range, the log-N Change Rate and linear channels become the principal means of controlling the reactor, and the fission chamber may be withdrawn to a region of lower neutron flux.

With Channel 1, the WL-6276A fission chamber is designed to detect thermal neutrons in the range of 1.4 -

(1.4 X 10 5 )--;- when operated as a counter and up to 1.4 X 1010 -;-when operated as a chamber. The ems ems detector is extremely rugged in construction, meeting MILS-901 for shock and MILSTD-167 (Type 1) for vibration and may be operated in any position at temperatures up to 150 °C. -

7.4.a.ii - Cluumel 2 - LogNand Charym &le Cluumel The log N channel indicates the reactor power level over the range from 0.0001 to 150 percent power level.

The channel consists of a compensated ionization chamber current to frequency converter, the DAK 250G and an indication as with Channel 1. This channel may not be 'on scale' at startup, but will be indicating before the range of the fission chamber range is exceeded. The overlap shall be at least one decade.

The Channel #2 detector is the Wlr23084 compensated ion chamber (CIC). It is designed to detect thermal neutrons in the range of 1.3 x 10 2 to 5.0 x 10 10 n/cm 2 s. The chamber is a guard ring design to minimize the effect of intra-electrode leakage currents and has HN connectors. The chamber may be operated in any

\ orientations and up to 204 °C. The full power neutron flux of the PUR-1isapproximately1011 n/cm2 s at the fuel region and any appreciable distance from the c.ore will give a neutron flux which is measureable by this detector. The detector will be placed approximately 30 cm from the. core. This detector has one chamber that is sensitive to both neutrons and gamma rays (due to Boron doping) while the other is sensitive to gammas alone. The current in both of these chambers are sent in opposite directions, thereby "compensating" for the gamma induced current and yielding the measurement of neutrons. This allows for sensitivity to neutrons even in the presence of intense high gamma radiation. This Channel's Response times are in the tens of millisecond range when the reactor is at power. Inaccuracy is in the single digit percent range, but all safety analysis has been performed assuming a 50% instrument uncertainty window.

A reactor trip will be initiated if this channel indicates power levels in excess of 120% of the operating power.

Two set points, specified in the Technical Specifications and based on the change rate, provide for a reactor setback or trip in the event of a short reactor change rate. In the event of the loss of high voltage to t;he compensated ion chamber, a trip will be initiated. I 7.4.a.iii - Channel 3 - linear Power The channel consists of an uncompensated ionization chamber current to frequency converter, the DAG 250-G, and indication as with Channel 1. The linear level channel is capable of measuring neutron flux in the reactor operating range from shutdown to > 100 kilowatts. The Channel #3 and #4 detectors are WL-8075 guard-ring ionization chambers designed to detect thermal neutrons up to 2.5 x 1010 n/cm 2 s. The detector is operable up to 150°C. This detector is especially made for Safety and Power range reactor instrumentation. '

. I The sensing element is BF, ionization chamber coupled to an amplifier and indicating systems. The range of the instrument is adjustable by means of an automatic range switch located within the instrument Detector characteristics, however, limit its maximum output to milli-ampere levels. This charniel will thus read from startup to full power by adjustment of the range.

This channel has two set points that will initiate a reactor setback at either zero or 110% range. These set points ensure that the instrument is kept on range at all times during reactor operation. There is also a 12096 range set paint that will initiate a reactor scram.

This channel's response times are in the tens of millisecond range when the reactor is at power. Inaccuracy is in the single digit percent range, but all safety analysis has been performed assuming a 50% instrument uncertainty window. Because this channel is the most precise channel in measuring neutron flux level, it is used as the means to obtain uniform neutron flux density.

The Mirion DAK provides a DC current which is proportional to the neutron flux at the chamber. In Servo mode, the RTP evaluates the signal and operates the servo control unit which, through a motored drive, moves the regulating rod the necessary amount in the correct direction to maintain the power level at the control point set on the workstation. Whenever the power level exceeds the control point setting the regulating rod is inserted into the reactor the amount necessary to decrease the reactivity and restore the power level to the control point setting. Conversely, whenever the power level drops below the control point setting, the regulating rod is withdrawn the amount necessary to increase the reactivity and restore the power level to the control point setting.

7.4.a.iv- Channel 4 - Safety Channel This channel consists of an uncompensated io~on chamber, feeds directly into the DGK 250, and indicates as with Channel 1. The sensitive range of this instiilment is from a.few percent to at least 150 percent of power, linearly. Its output is indicated on the operator workstation and Yokogawa Recorders. The purpose of this channel is solely to provide a scram at the measured value as specified in the Technical Specifications.

This channel's response times are in the tens of millisecond range when the reactor is at power. Inaccuracy a

is in the single digit percent range, but all safety analysis has been*performed assuming 50% instrument uncertainty window. In the level safety channel, the Mirion DGK provides a d-c current proportional to the reactor power level to the RTP. As the current produced by neutron flux at high levels of operation is much greater than that produced by ganuna radiation or other sources, this chamber is not compensated.

7.4.a. v- ManWJl Scram The two manual scram buttons in the PUR-1 RPS are readily available to an operator as well as during an evacuation scenario. These switches directly interrupt the magnet circuit and have no other function. An operator or the second person in the room during operation iS able to instantly use either of these buttons upon an unsafe condition being met and the failure of all other RPS systems.

7 .4.b - SensitiVi.ty and Accuracy of Instrumentation All safety analysis in this Safety *Analysis Report, specifically Chapter 13, assumes a 5096 instrumentation uncertainty. This is conservative to the expected sensitivity each sensor requires commensurate with the precision and accuracy to which knowledge of the variable measured is required for control of the reactor.

l

True uncertainty has been measured historically at the facility to within several percent of true values. New instrumentation and control will have similar accuracy.

7 .4.c - Reactor Operations Affecting Functionality of RPS Svstem Flux tilt and perturbation achieved by the reactor does not significantly change the calibration of the safety channels or rod worths. Additionally, there are no mechanical forces which adversely affect shielding or confinement arising from mechanical forces on fuel cladding from the manipulation of experimental components, experiment flooding, buoyancy, from tools used for manipulation, thermal stress, vibration or shock waves, or missiles arising from the functioning or malfunctioning experiments. Irradiations are done in the ports which are located several centimeters from the reactor. Fuel movements are done only under the direct supervision by a Senior Reactor Operator and only with the specially designed and controlled fuel handling tool.

Limits on the radioactivity of experiments are in the technical specifications and are such that they will not mask the performance of an operational monitoring system intended for the detection of fission product releases at early stages. The primary device for the detection of the release of fission products is the Continuous Air Monitor. This is housed away from the work benches which hold experiments.

There are no credible physical or electrical interference scenarios where experimental or other components would interfere with reactor systems. There is no communication between any of the Safety Channels with the exception of the 4 - 20 mA signal output to the RCS. This is an analog signal through which data cannot be received, only transmitted in a representative form.

The RPS was designed such that it is capable of performing its entire functionality without interaction from the operator. While Human Factors were carefully considered throughout the design of the RCS, the RPS is such that there shall be no need for operator intervention.

7 .4.d - Scram Initiation As previously discussed, when a Scram is initiated by the Reactor Protection System, the current in the magnet power circuit is cut This causes the magnets, which are suspending the control rods, to lose power and the rods fall to their lower limit Once magnet power is lost, there is no mechanism to prevent the rods from falling all the way into the core and the Scram is done to completion. Following a Scram, in order to restart the reactor, the rod drives must be driven to their lower limits, magnets re-engaged, and the rods lifted again.

Without moving the drives to their lower limits, there is no method of reactor restart and the fallen rods will maintain reactor shutdown without operator action. The shutdown margin is maintained as it is calculated with the least reactive Shim-Safety. If one of the rods is stuck, supposing it to be the more reactive rod, the Shutdown margin requirement is maintained as the least reactive rod has fallen.

In the event of a loss of power, the magnets would also de-energize and the Shim-Safeties would fall into the core. This is a fail safe approach.

7 .4.e - Surveillances and Testing The Reactor Protection System can be tested in several ways. Simurated current at the detector input can be fed into the Neutron Flux Monitoring system channels to ensure that proper read out is obtained through current supply. Additionally, the channels can be placed in test mode whereby the parameters can be forced.

The Mirion Channels are capable of internally producing test currents as weel. Binaries and relays which

. r

-100-

depend on parameters will then be activated to indicate proper operation. These tests and swveillances shall be performed every 12 months not to exceed 15 months. Reference the Neutron Flux Monitoring Channels documentation for further information on testing, calibration and inspection.

7 .4.f - Other Technical Specification Items The RCS must be capable of initiating a scram and moving the rods from full removal to full insertion in less than one second. This requirement is met through a direct measurement of the rod drop by the Reactor Control System. See 7 .2.g - Scram Timing for more information.

7.S Engineered Safety Features Actuation Systems None of the engineered safety features are actuated by the RCS or RPS.

7 .6 Control Console and Display Instruments Control console and display instrument systems and equipment include displays for the reactor operator to view such operating information as current values of operating parameters and the status of systems and equipment The reactor console is designed to provide maximum visibility of the instruments and accessibility to the controls and indicators. All indicators and controls necessary for startup and shutdown operations are located in front of the operator.

Figure 7-4: Site Acceptmce Testing Staging ofReactor Control Console and Display Instruments The display system has no capability of propagating signal back to the RPS systems causing faults in the RPS actuation systems. Additionally, diverse indications of reactor power and change rate are available to the operator in the event the indicated parameters are called into question. Indications are monitored by the PLC system to ensure they remain in the expected range. Indications are fed directly to the Yokogawa recorders to provide indication to the operator without processing by the PLC. Additionally, there are redundant indications of power and change rate from multiple channels removing the single point failure possibility. As previously analyzed, even if all indications are incorrectly shown and the operator were to instantaneously move all rods to their most reactive positions, the Scram capability still initiates a shutdown before the onset of nucleate boiling. As the control console is not credited in the RPS, there is no necessity for prioritization of safety functions or communication isolation between priority modules.

- 101 -

The operator may observe the instantaneous values of reactor power and change rate on the main display screen and the Yokogawa Recorders. Both of these instruments additionally provide historical data. For the display workstation, the operator is capable of seeing up to 180 days of operational history while on the Yokogawa's, the operator may see up to 15 minutes of operational history. The indications can be plotted vs.

time and are readily available to the operator.

7.6.a - Primary Operator Workstation Indications The PUR-1 implements a highly integrated control console. (fraditionally, this term is control room but the PUR-1 facility does not feature a separated reactor room and control room.) The primary means for providing information to the operator is by way of computer driven display screens mounted on consoles or on the control room walls. The means for the operator to command the facility is by way of keyboards, and pointing devices.

At the PUR-1, the control system is not safety significant The Reactor Protection System is safety significant and the parameters from the RPS are read by the RCS but may not be transmitted backwards. A control console instrument system failure or malfunction does not prevent the RPS from performing its safety function and does not prevent the reactor from performing a safe shutdown. There is no data communication between safety channels or between safety and non-safety systems. The most significant failure mode of the display and control instrumentation would be a loss of power. In the event of any abnormal system behavior, PUR-1 operators are trained to follow this with the activation of the manual scram button on the operator console and visually verify rods drop into the core.

Below is the main operator screen which is generally displayed. The left of this screen shows the rod drives which may be selected.

- 102-

Figure 7-5: Main Operator Screen. Administrative controls require this screen to be open at all times.

The height for each drive is shown as well as the status of each switch for the associated drive. When the rod is located at the bottom of its travel path, the "Rod Bottom Light" is activated. When the rod is at 2/3 of its travel length the 2/3 Limit switch is activated. Similar statements may be said for each of the drives and all switches. Color indications on these lights show whether the switch is activated or not. A dark color shows the switch is not activated while a bright neon color shows that it is. When a drive is activated, text appears that indicates to the operator that the drive is energized and is in motion (provided it is not jammed). Reactor power and change rate is also indicated on this main screen. In the event of any "alarm", an indication flashes on the main operator screen. An alarm may mean any change in a facility parameter status. An example of an alarm which may not require operator action is an elevated alert setpoint The reactor pool radiation level alert limit may be 30 mRem whereby the operator is informed that the value is approaching a point which may cause protective action. This main screen should not be navigated away from.

On the second screen of the primary workstation, the operator is capable of plotting any system parameter or set of parameters. For example, the operator may choose to plot the height of each control rod against the reactor power level as indicated by Channels 1, 2 and 3. This proves very useful during normal startup. In the event of a Scram, or setback, the secondary screen automatically switches to the digital annnnciator board which gives more detail to the cause of the scram or setback. The status of any switch, setpoint, parameter

-103 ..

value, or bi-stable relay may be seen on the secondary screen. The parameters with similar functionality and the system functions with similar functionality have been grouped on the main summary screen of the secondary display. This screen is shown below.

Figure 7-6: Summary Screen ofReactor Control System Colors for the indicator lights on the console show the operator the status of the reactor at a glance. All trip and warning indicators are red or yellow. Operating procedure prohibits the operator from withdrawing the control rods when a warning indicator is showing.

- 104 -

Figure 7-7: DigitJ../ Annunciator Screen showing a Makeup Water RAM Scram 7 .6.b - Control Overview The controls in the reactor are done under three principle methods. The first of these are by manual control.

The operator may select the drive which is desired to be moved. A joystick can then be lifted or depressed indicating upward or downward motion of the rod. As long as the joystick is down and a rod withdrawal inhibit is not induced, the rod will continue to drive. The secondary method is to select "fine withdraw" on the main screen. A fine withdraw removes the selected rod by activating the drive for a short time C0.1 seconds).

Similarly course withdraw will remove the rod for more time, on the order of seconds. Lastly, the operator may select a desired height for a given rod. The rod desired is selected, the desired height entered, and motion starts on operator approval. The operator may stop rod motion at anytime through toggling the joystick or selecting stop on the operator screen. This movement will primarily be used when taking the Shim-Safeties to shim range, which usually takes approximately 5 minutes of motion.

Rod position indication is always on the left hand screen of the operator. The neon or dull coloring of the labels near the rods show the switch activation, or lack thereof.

- 105 -

7.6.c - Trends and Display Graphs The designed range of operation for all trends and display graphs is such that they may display any parameter value. Each of the graphs is auto-scaling (which may be stopped at the operator's discretion) and may access historic facility data. There is no limit on display range with respect to the actual values of the parameters measured. If a signal quality bad, as previously discussed, the color of the plot line will become magenta. This indicates to the operator that the value must not be taken as an absolute and the operator should question its validity immediately.

Figure 7-8: Example Trend Showing Channels 1-3 Level and Channel 1 Change Rate for an example run 7.6.d - RPS and ESF Actuation The display screen is not credited in the Reactor Protection System or the ESF actuation and therefore need to perform these actions. The signals associated with the control of the RCS do not initiate or defeat control of the RPS. There is no method to prevent a safety function from the primary display screen.

7.6.e - Parameter Update Rate All system parameters are updated at a frequency not to exceed one second on the workstation. The system parameters are recorded with resolutions of 10 ms and all control system logic is performed at an interval

- 106 -

not to exceed 250 ms. A watchdog timer is implemented on the PLC to ensure the operator workstation remains responsive. This function is performed every 30 seconds. This speed is sufficient to provide operators with the information needed to place and maintain the facility in a shutdown condition and identify any abnormal condition or transient. The time response is sufficiently fast to perform safety functions and is consistent with Human System Interlace response expectations. The time which it takes an operator to interpret a significant facility parameter, such as reactor ppwer level, and take manual protective action, is on the order of 5- 10 seconds. The display uprate is 10-20% of that value and this is adequate time to peiform corrective action. Even with an update speed of every five seconds of the displays and facility parameters, there is no effect on the near instantaneous monitoring of the Neutron Flux Monitoring Channels which provide independent and unique protective action.

7 .6.f - Manual Scram, Shutdown, and Confinement Actuations A manual scram button is located on the reactor operator console to allow for interruption of the magnet circuitry and shutdown the reactor without the action of the RPS, RCS, or any subsystem. This is the simplest and direct means provided for the manual initiation of a protective action. The. button is easily accessible to the operator so that the action can be taken in an expeditious manner at the point in time or under the facility's conditions for which the protective actions of the safety system should be initiated. A manual scram is indicated on the annunciator panel as well as the workstation screen. ff the main manual Scram button were to fail, a method to activate the Scram includes turning of the key switch on the console. This manual initiation of a protective action depends on the operation of a minimum amount of equipment. Once any Scram is initiated, the rods fall completely into the core. This action is designed so that once initiated, the action will continue to completion.

There is no containment in the PUR-1 facility but the confinement may be isolated through the use of the confinement Isolation button on the console.

7 .6.g - Calibrations and Periodic Maintenance Calibrations and periodic maintenance will be required to account for drift in certain measurement devices

• used by the Control Console. Examples of these are the voltage measurement helipots which indicate the rod height. Over time, these helipots have historically shown nominal variation over time. Facility procedures are used to peiform this and similar work. This work is peiformed as part of the annual electronic calibrations.

Reference 7.10 System and Facility Surveillances for more information on Surveillances.

7 .6.h - Alarms and Annunciators7 .6.h -

There are several sets of audible and visual indications an operator may receive during normal operation.

"Figure 7-3: Annunciator Panel Showing a RAM Scram" and "Figure 7-7: Digital Annunciator Screen showing a Makeup Water RAM Scram" show two examples of an aiinunciator indication. The digital annunciator screen automatically is displayed in the event of "Scram-Level" alarm. Each of the annunciators may be clicked by the operator to navigate to a screen with more information. Additionally, the physical annunciator panel gives an indication of the subsystem which may have caused the Scram. An annunciator test function is provided by the control algorithm to test the functionality of all annunciators.

There are three sets of horns implemented in the PUR-1 Facility. The first horn is the annunciator alarm and gives audible indication to the operator of a setback or scram. The annunciator acknowledge button allows the operator to tum off the horn following its activation. ff another event occurs which would have set off the alarm (example: a setback condition progresses into a Scram condition), the annunciator alarm will re-activate.

-107 -

\.

The second class of horn is the room alarm. This is a manually activated alarm by an operator or facility personnel and indicates the need to evacuate the room. Finally, a Facility or House Alarm is also accessible to the operator and indicates the need to evacuate the entire reactor facility. This horn sounds throughout the Duncan Annex, in which the reactor is housed.

7 .6.i - Configuration Management Any change in the configuration of the PUR-1 Control Console and Display Instruments is treated as a facility design change, analogous to a re-wiring of an analog system. Any such change must undergo 10 CFR 50.59 review, be approved by the Corrunittee On Reactor Operations Chairman (or entire corrunittee based on his review), and documented by the Reactor Supervisor. Software changes must be reviewed by all licensed operators prior to reactor use.

Current configuration of the software will be maintained and documented as Appendix Il to the Reactor Characteristics and Operations Manual, an internal facility document. To ensure the correct version of the software is eurrently installed, as part of the prestart checklist, operators will verify the software version listed at the top of the displays on the console match the current release as listed in the Reactor Characteristics and Operations Manual. Both of these numbers are updated and listed as part of a procedure from the Quality Assurance Program.

7 .6.j - Secondary Workstation and Public Site Server A secondary workstation is present in the Reactor Facility. This Secondary Workstation (SWS) mimics the operator console (with a single screen rather than two) and serves several roles. The primary role of the SWS is to allow facility or visiting personnel to view reactor data or status without having tO interrupt the operators.

The information may be displayed on the screen of the SWS or mirrored to a larger screen viewable by more people. The SWS also serves as a Public Site Server (PSS) which may be accessed by any IP address on the West Lafayette Campus. This allows for facility personnel not physically located within the reactor room to view current facility status. Because the data can be seen on other stations through the SWS, this greatly enhances the teaching capabilities.

Data and cyber security are maintained through the use of a data diode. The data diode is a common piece of equipment used in high security applications and has been implemented at safety significant facilities such as nuclear power plants.

7.7 Radiation Monitoring Systems The radiation monitoring instrument system is designed to perform several important functions at the PUR-

1. These monitors indicated radiation intensity at important locations and indicate to the operator the

• potential need to perform actions such as isolate confinement or primary coolant levels. The radiation monitors have displays at the instrument's main unit location. Three of the PUR-1 radiation monitors measure the intensity of gamma radiation while one is a Continuous Air Monitor which measures the activity of airborne particulates. Additionally, portable radiation monitors and personal dosimetry systems are available to help assess exposure and prevent overexposure of workers and other personnel. These are discussed as well in Chapter 11. The present section concentrates on the Instrumentation and Control aspects of the Radiation Monitoring System (RMS).

The RMS is principally cQmprised of three radiation area monitors (RAMs) and one Continuous Air Monitor (CAM). The three radiation area monitors all include trip capability and can initiate a scram independent of

- 108 -

the functionality of any other system. The RAMs are stationed at the top of the reactor pool, behind the water process system, and behind the operator console. The RAMs are Thermo Electron RMS-3 Radiation Monitors with DAl-X series detectors. In the event of an alarm the RAMs contain a speaker rated to 70 ~

at 60 cm. They have an operating temperature of -40°C to +50°C. The CAM is an AMS-4 Beta Particulate Monitor. A main processing unit examines outputs and inputs to the system for signal validity and self-checks.

It has an operating temperature from 0°C to 50°C The RAMs are principally operated off of Geiger-Mueller tubes. Each has its own power supply. A solenoid operated check source is included. They are sensitive from 0.01 mR/hr to 100 mR/h.

The RAMs and CAM additionally are continually monitored by the PLC. The PLC will provide additional alarm if the signal quality is bad or if the RMS is finding radiation levels beyond the allowable values. The RAMs also provide Scram capability through interruption of the magnet power circuit Each RAM has values stored on the system which will trip a relay if the system finds an elevated radiation field. This is in addition to the trip provided by the PLC. All communication done with the PLC is done via relay binary monitoring or through a 4 - 20 mA current The RMS components also have an on unit screen displaying the radiation level.

7.8 Quality Assurance A Quality Assurance (QA) program shall be developed, maintained and utilized in accordance with the guidance of ANSI/ANS 15.8-1995. The QA program shall be evaluated every 24 months not to exceed 30 months. A member of the Committee On Reactor Operations, or a committee delegate, shall perform the audit which includes an evaluation of the accuracy, utilization, and recommend improvements to the QA program.

7.9 Cyber Security Several significant actions and controls are put in place to ensure the cyber security of the PUR-1 Reactor Control and Reactor Protection Systems. The first and foremost actiqn is the physical barrier between the two systems and the outside world. In order to make hard wired facility changes, an adversary would be required to enter the facility. Through the implementation of the Physical Security Plan, the facility remains in a secure condition anytime authorized personnel are not present From a digital intrusion standpoint there are also multiple safeguards in place. There is no connection to any exterior netWork for the RCS outside of a single Ethernet cable which connects to the Secondary workstation.

The cable is routed through a data diode which only permits information to be transmitted in a single direction. Secondly, only approved facility staff are permitted to insert removable memory devices into the PUR-1 primary operator workstation. Prior to the insertion of a memory device, it is re-formatted on the secondary workstation. The data from the primary workstation is then placed on the device. It is removed to the exterior machine and finally formatted again. A physical protection exists to prevent the inadvertent insertion of a memory device. All ports on the primary workstation are either under use or are locked with USB port blockers. A USB key is required to remove the blocker. This key is protected at the same level as the console key and is only accessible to approved personnel.

Recall that the RCS is designed such that even in the most nefarious operation, the RPS would still be capable of interrupting unsafe operation and shutting down the facility. The RPS is physically protected by the reactor room barrier. There are no ports to change or plugin outside media to the RPS. Any change would require

-109-

the physical removal of a component which is prevented both by the physical security plan as well as the requirement to have a key to re-program any piece of the Mirion Neutron Flux Monitoring equipment.

7.9.a - Security In Development 7.9.a.i - Physic;U Security The RPCS system equipment was staged in Scientech's locked and limited access Idaho Falls, ID facility.

The equipment was staged in the Plant Performance Division (PPD) locked and _controlled access staging area located Within that facility.

Access to the RPCS system equipment by Scientech ~ersonnel was limited to the minimum Scientech personnel required. The Scientech personnel granted access were individually authorized by the Scientech Project Manager or the Scientech Project Engineer.

7.9.a.ii - Removable Mec/i;J Devices Because the RPCS system is not interconnected, removable media devices (RMDs) are used to transfer data between the RPCS system and non-RPCS systems. The RMD devices used to transfer data to I from the RPCS system are limited to a dedicated set of devices that are limi~d to that purpose. These RMDs are not used or connected to any other systems, except for a Cyber Security Scanning Station and external development systems in the case of the Windows Update Media Qevice. The RMD devices used were uniquely identified as dedicated to the RPCS project.

1.9.a.iii - Cyber SecuritvScanning Stltion The Scientech Idaho Falls, ID staging facility is utilized to st.age multiple customer projects. Because all projects have requirements to maintain cyber security, Scientech has installed multiple Cyber Security Scanning Stations in the staging facility. These Cyber Security Scanning Stations are stand-alone systems that are not connected to any customer systems. The Cyber Security Scanning Stations are dedicated devices used exclusively to scan RMDs for malware. The Cyber Security Scanning Stations have commercial anti-malware software installed for the purpose of scanning RMDs. The Cyber Security Scanning Stations have a protected connection to the Internet for the purpose of downloading anti-malware definition and software updates.

RMDs utilized for the RPCS system will be scanned using a designated Cyber Security Scanning Station for the RPCS system. H that Cyber Security Scanning Station was not available, one of the alternate Cyber Security Scanning Stations in the Idaho Falls, ID staging area was utilized.

7.9.a.iv- Workstation Password Protection The workstations used in the RPCS are configured for different levels of operation. There are Operator level accounts and Administrator level accounts. The Operator account allows the use of RPCS software, but does not allow RMD connections or operating system modifications. Administrator level accounts have access to all workstation functions. The passwords used are dediCated to the Purdue RPCS project and are only give to personnel granted access to the RPCS system by the Scientech Project Manager or Project Engineer.

7.9.a. v - Control Srst.em Protection Access to the RTP NetArrays control system software is password protected. The RTP NetArrays software requires a password to access the control program software for viewing. Separate passwords are required to download the control program software to the RTP 3000 T AS system and to modify control program values

'* -110-

I in debug mode. The passwords used are dedicated to the Purdue RPCS project and a.re only give to personnel granted access to the RPCS system by the Scientech Project Manager or Project Engineer.

7.9.b - Contingmcies Responding to Attacks r In the event of any outside media or unauthorized connection to any of the RPS or RCS components, the entire primary workstation would be wiped clean. A system image disk of the final install is kept in a secured location and would be used to re-install all control features. Complete system testing as completed in the Factory Acceptance Test and the Site Acceptance test from the original install would be re-performed to ensure the system is working as expected.

• 7.10 System and Facility Swveillances A table of surveillances which are performed in the facility and/or required by the PUR-1 Technical Specifications is below. Where applicable, the procedure number or Technical Specification Reference is listed. This table is an example of a facility level schedule and may by revised per manufacture guidelines. In the table "W" - Weekly, "M" - Monthly, "Q" - Quarterly, "S" - Semiannual, "A" - Annual, and "C" -

greater than annual, ex. Biennial, special situation or circumstance.

,,..

\

-111-

Table 7-8: Swveillance Schedule for the PUR-1 Facihi.y including I&C Swveillances System I Admin Task PM Description Security System Surveillance - W-1 Perform an Alann Test coordinating with Purdue Police Dispatch Security System Surveillance - M-1 Perform a Security System Inspection and Test coordinating with Purdue Electronics Shop personnel and the Purdue Police Dispatch Confinement Surveillance - W-1 The negative pressure of the reactor room shall be Reactor Room Negative Pressure recorded weekly. Required per TS 4.4.a Confinement Surveillance - S-1 Check the operation of the inlet and outlet dampers.

Inlet & Outlet Damper Operation Required per TS 4.4.b Confinement Surveillance - S-2 Check the operation of the air conditioner (including Air Conditioner Operation the closure of the condensate drain valve). Required per TS 4.4.c Primary Coolant System Surveillance - M-1 The conductivity of the primary coolant shall be recorded monthly. During reactor shutdown, the primary coolant level or radiation level shall be monitored monthly. Required per TS 4.3.a and 4.3.c Primary Coolant System Surveillance - M-2 The primary coolant shall be sampled monthly, not to exceed 6 weeks, and analyzed for gross alpha and beta activity. Required per TS 4.3.b Primary Coolant System Surveillance - Q-1 Perform an inspection of the Process Cooling Pump and lubricate the motor bearings.

Reactivity Limits Surveillance - C-1 The shim-safety rods shall be visually inspected Inspect Shim-Safety Control Rods (Biennial) biennially. Required per TS 4.1.b Reactivity Limits Surveillance - C-2 The shim-safety rod worths shall be measured and Shim-Safety Rod Reactivity Worth (Biennial) the shutdown margm calculated biennially.

Measurements. Calculate the Shutdown Required per TS 4.1.a.

Margin.

Reactor Safety System Surveillance - NFMS S-1 Perform - Include a test of the Source Missing Chl Wide Range Channel (DWK 250) Interlock (ex. SMP-4), a test of the setpoint trips (ex.

SMP-3 function),

Reactor Safety System Surveillance - NFMS S-2 Perform - Include a test of setpoint trips (ex. SMP-Ch2 Log N & Period Channel (DAK 250-g) 3 function),

Reactor Safety System Surveillance - NFMS S-3 Perform - Include a test of the setpoint trips (ex.

Ch3 Linear Power (DAK 250-g) SMP-3 function),

Reactor Safety System Surveillance - NFMS S-4 Perform - Include a test of the setpoint trips (ex.

Ch4 Safety Channel (DGK 250) SMP-3 and SMP-5 function),

Reactor Safety System Surveillance - S-5 Perform a channel check of the pool top radiation Pool Top Radiation Monitoring equipment's monitoring equipment's off-site alann capability.

off-site alann Required per Tech Spec para 4.2.e Reactor Safety System Surveillance - A-1 Required per Tech Spec para 4.2.a.2 Gold Foil Power Calibration Reactor Safety System Surveillance - A-2 Required per Tech Spec para 4.2.a.l Electronic Calibration of Reactor Safety Channels

-112-

Reactor Safety System Swveillance - Magnet A-3 Find minimum current needed to suspend magnets.

Current - (was SMP-5) Add30%.

Functional test to determine settings for the Acopian Current Source to deliver the proper value of current to SSl & SS2 electromagnets Reactor Safety System Swveillance - A-4 Required per Tech Spec para 4.2.c Shim-Safety Rod Drop Times measurement Reactor Safety-Related Channels Swveillance - A-1 Perform calibration of all three Radiation Area RAM Calibration Monitors (RAMs) per the RMS-3 Manual. Required per TS 4.2.b Reactor Safety-Related Channels Swveillance - A-2 Coordinating with Health Physicist from REM CAM Calibration perform a calibration of the Continuous Air Monitor (CAM) per the AMS-4 Manual. Required per TS 4.2.b Reactor Safety-Related Channels Swveillance - A-3 REM performs a calibration of all hand held Radiation Swvey Meter Calibration radiation swvey instruments. Required per TS 4.2.b Test Equipment Swveillance - A-1 Calibrate test equipment required for Reactor Safety Digital Volt Meter (DVM) and Current Source System Electronic Calibration annually by any calibration available means allowing for traceability back to NIST.

Instrumentation System Swveillance -Check Q-1 Test operation of Evacuation Alarms (Console &

Alarms, Console and House House).

Air Filters & Supply Air Screen Check - Inspect A-1 Purdue Maintenance Zone 3 shall inspect & replace

& replace filters as needed ventilation system HEPA & Dust filters as needed.

PUR-1 Staff will inspect & clean (as necessary) the Building Air Inlet screen.

Dosimeter Calibration S-1 REM performs calibration of dosimeters in the Radiation Detection Labs Emergency Dosimeter Calibration S-1 REM performs calibration of emergency dosimeters stored in the Emergency Cabinet Fuel Parameters Surveillance - A-1 Representative fuel plates shall be inspected Inspect Representative Fuel Plates annually. Required per TS 4.6 License Renewal requirements - obtain 4hrs/qtr Q-1 Complete requirements per Requalification Program Instruction; Instruction, Biennial Proficiency o.rr. Annual o.rr. and Biennial Casualty Tmg OJf.

Fire Extinguisher Checks S-1 Purdue Fire Safety performs extinguisher inspections CORO Meeting A-1 The CORO shall meet annually.

Required per TS 6.2.b.1 CORO Audit of facility operations, including A-1 An audit is conducted under the cognizance of the radiation protection, for conformance to CORO per TS 6.2.d.1 Technical Specifications, applicable license conditions, and standard operating procedures.

CORO Audit the results of action taken to A-2 An audit is conducted under the cognizance of the correct those deficiencies that may occur in the CORO per TS 6.2.d.2 reactor facility equipment systems, structures, or methods of operations that affect reactor safety NRC Annual Report (due by 31Mar) A-1 Submit an Annual Report to the NRC - due by 31March

-113-

Inventory Emergency Supplies A-1 Perform an inventory of the Emergency Supplies locker in the hallway CORO Audit of the retraining and C-1 An audit is conducted under the cognizance of the requalification program for the operating staff (biennial) CORO per Tech Specs para 6.2.d.3 CORO Audit of the reactor facility emergency C-2 (even) An audit lS conducted biennially under the plan cognizance of the CORO per TS 6.2.d.4 CORO Audit of the reactor facility security plan C-3 (odd) An audit lS conducted biennially under the cognizance of the CORO per TS 6.2.d.5 Radiation Health Physical C-1 (odd) Each licensed Operator is required to obtain a radiation health physical every other year QA Progam Audit C-1 (even) Perform audit of QA program.

- 114-

SAFETY REVIEW PUR-1 INSTRUMENT A TI ON & CONTROL REPLACEMENT Purdue University is ;i.pplying to license a replacement Instrumentation and Control (I&C) system. The system has been re-built with modem components but is nearly the same in operability with respect to individual subsystems. There are slight modifications to be made to the technical specifications which are similar in nature, simply using a different units. The new I&C will be housed and located in the same location as the old I&C. The changes are principally in the actual implementation of subsystems, the technical specifications and ~e re-written Chapter 7 of the Safety Analysis Report. The discussion that follows is a near replica of the Safety Analysis Report for the PUR-1 as submitted on July 7, 2008. It includes additions to discuss how the new Instrumentation and Control differs from that of the old. All references to the current (or former) I&C are noted as such, and the future I&C is noted as proposed, new or replacement

_ A History of the PUR-1 I&C The original instrumentation and control put in place at the PUR-1 was built and designed by Lockheed Nuclear Corporation. Noise spikes in the start-up channel noted at the first use of the integrated system have persisted throughout the lifetime of the system. The issues became so onerous that the reactor was declared inoperable in its current condition. This, in conjunction with facility staff change over, resulted in the reactor being unlised until a thorough refurbishment effort was launched in the Fall of 2014. This effort included a rebuild of some of the indications and dials on the console as well as a thorough cleaning of the rod drive mechanisms. While the reactor did return to an operational status, noise issues persist In late 2015, a replacement I&C system was contracted to be built by Mirion Technologies. This system was staged at Purdue in the Fall of 2016 and is ready for full integration with the reactor.

Safety Approach at the PUR-1 In the event of any safety anomaly, the Reactor Protection System's standard response is to drop the rods and shutdown the reactor: Because the rod drop times are short and reactor power is relatively low (only requiring natural circulation), this response is adequate to protect the facility. The Maximum Hypothetical Accident is that of having the cladding of the face of a fuel plate stripped from the face of the entirety of one side of the fuel plate. This MHA is most likely to occur during fuel handling and the limiting case is when the fuel plate is exposed to the air. This MHA is not protected against by the Instrumentation and Controls, the Reactor Protection System. lri fact the response to this accident in order to achieve the minimal dose to the nearest continually occupied unrestricted space by a member of the public is to take no action and maintain the reactor room's negative air pressure by venting the contaminated air to the atmosphere. All other accidents are subsets of this occurrence.

C~ to Safety Ailalysis Report There are no other changes which need to be made in the Safety Analysis Report other than the re-written Chapter 7, which deals specifically with Instrumentation & Control.

Introduction to PUR-1 I&C The cible below details the current instrumentation at the PUR-1 as well as the proposed changes. Both systems consist of four operating channels. Traditionally, the first three channels have been referred to as the operating channels, and the fourth referred to as the safety channel. This naming convention is removed in

the PUR-1 I&C replacement as it tends to be slightly misleading. The channels are the startup range channel, a log power channel, a linear power channel, and a final linear power channel.

Instrumentation Detail Newl&C Startup Channel Fission chamber ranging Detector Fission chamber from 1cpsto1010 cps Range Source level to 10.. Nr on a log scale. Change Indicators Log count rate meter Rate Scale from -3 %/s Range Decade Scaler to 33 %/s l..og-N Period Channel Compensated Ionization Detector CIC Chamber ranging from Range 104 to 10'0 n/cm' -sec 0.00001%-

Indicators l..og-N meter 300% Power and a Range 10.. to 300 Nr change rate of Indicators Period Meter -3%/s - 33%/s Range -30 to +3 sec Power Channel Uncompensated ~

Detector BF. Ion Chamber Ionization Chamber Range 10' to 10'0 n/cm'-sec ranging from 0%-300%

Indicator Linear Level Meter of full power.

Range 0to100 N, Safety Channels Uncompensated Detector (period) CIC Ionization Chamber Range 10' to 10'0 n/cm' sec ranging from -<>%-300%

Detector Oevel) BF. Ion Chamber of full power.

Range W'to ISON, Rod Position Indicators Detectors 10-tum precision potentiometer No Change. Values will Regulating 0-2500 ohms be monitored by a PLC Range 10-turn precision potentiometer and displayed on digital Shim Safety 0-2500 ohms* operator workstation.

Range *Voltmeters Indicators 0-70CM Coarse Range 0-70 CM Digital Voltmeter Fine Range Area Monitors (3) Geiger-Mueller Detectors Scintillation Detectors Counters ranging from Range 0.05 to 50 mr/hr 0-100 mRem. Local and Indicators Local & Remote Meters remote display.

Design of Instrumentation and Control Systems As noted in the PUR-1 Safety Analysis Report as submitted in July of 2008, the I&C of the PUR-1 is based on systems in use at such reactors as the Bulk Shielding Reactor, the Tower Shielding Reactor, and the

Pennsylvania State University Reactor. One notable difference is the lack of a Composite Safety Amplifier (CSA) in the replacement I&C. The pmpose of the CSAs (Period from Channel 2 and Power Level from Channel 4) was to provide a faster scram initiation. Scram times at the PUR-1 are typically in the 500-600 millisecond range (See Annual Reports as submitted to the US NRC). The new system expects to see scram times which are slightly faster than the older I&C system. This change in application does not change 'any safety analysis as all safety analyses are done for drop times of one second. This is a Technical Specification which must be met and measured annually. The new I&C measures this drop time after every scram and alerts the operator of a measurement which is out of specification. (Note: an annual special test will still be performed per the Technical Specifications, attached as amended). Annunciators and alarms are included to indicate specific trouble. ,,-

Channel 1 - Start-Up Channel The startup channel is used to monitor the neutron flux. The former channel consisted of a fission chamber, a preamplifier, a pulse amplifier, a scaler for accurate counting, a log count rate and period amplifier, a log count rate recorder, and shared a period recorder with Channel #2. The replacement l&C consists of a fission chamber, a preamplifier, a Mirion DWK.-250 instrument, Yokogowa recorder, Programmable Logic Controller, anci display workstation. The range of the former equipment is from 1 to 1o* counts/second with periods. from -30 to +3 seconds. The range of the new equipment is from 1 to 1010 cps with an analogous change rate of -3%/s to 33 %/s. Formerly, in addition to the outputs shown on the recorders, readout was also provided by a log count rate meter and a period meter shared with Channel #2 on the console and instrument panel. The new I&C has dedicated change rate and log count rate indications on the console. This represents a simplification of the system. The complete reactor power range was able to be monitored by this instrument by appropriate repositioning of the detector by means of the fission chamber drive mechanism. The fission chamber could be raised into a cadmium shield by means of a drive mechanism similar to the control rod drive units. While this functionality remains in the new I&C, the range of the new Channel 1 is such that it should be able to indicate to near full power. Table I in the Technical Specification requires that either Channel 1 or Channel 2 be on range at all times. The controls and position indication for this drive are located on the console for both the old and new system. Two set points, specified in the Technical Specification and based on the reactor period (change rate in the new system), provide for a reactor setback and trip in the event of a short reactor period (or ch'ange rate).

The first activity in the reactor is indicated by means of the counting rate channel. At start-up, the fission chamber is placed near the reactor core Oower limit). Neutron-produced pulses from the fission chamber were amplified and counted on the scaler, an electronic high-speed counting device with a mechanical register.

The new channel indicates the count rate on the face of the Mirion DWK-250, the Yokogowa recorder, and the operator control workstation. (Smaller pulses produced by any agency other than neutrons, such as gamma radiation, are rejected by a pulse height discriminator circuit in both systems.) These amplified pulses were also fed into the log count rate meter where they are integrated and the average counting rate displayed on a logarithmic indication meter calibrated for four decades (1 to 10,000 counts per second). This integration functionality is provided by the Mirion DWK.-250.

The average counting rate was also displayed on a remote indicating meter and recorded on a 10 millivolt Speedomax recorder provided with four-cycle logarithmic paper. When the control rod has been pulled out far enough to produce an effective reproduction constant greater than one (1.0), the reactor power level increases exponentially (at low power levels) and a straight line is drawn on the logarithmic recorder chart The slope of this line is the pile period, or the time required (in seconds) for the power level to change by a factor of e (approximately 2.718). As noted above, this functionality remains in the new I&C with a slightly different display method. "

The reactor period was ,displayed on a pile period meter located on the log count rate meter and was record,ed on the period recorder nntil the lower limit of the log-N period channel range is reached. The new I&C allows for historic data to be read on both the Yokogowa recorder as well as at least 180 days of 2 second resolution data on the operator workstation.

When the counting rate channel was near the limit of its counting range, the log-N period and linear seivo channels became the principal means of controlling the reactor, and the fission chamber was withdrawn to a region of lower neutron flux (to keep the recorder on scale). While this operating principal remains true for the new system, withdrawal of the fission chamber may not be necessary to keep the channel on scale.

Channel 2 - Log N and Period (Change Rate) Channel The log N channel indicates the reactor power level over the range from very low power to 300 percent power level. The detector for this channel was a compensated ionization chamber (CIC) followed by a l.og-N and Period amplifier. The outputs of which went to a log-N level recorder and a period recorder (shared with Channel 1). These were inst:runlented on the amplifier face and the console. There was additional indication on the auxiliary scram meter panel. This channel was not "on scale" at startup, but would be indicating before the range of the fission chamber was exceeded. Similarly, the new l&C features a Compensated Ionization Chamber followed by a preamplifier and the Mirion DAK-250g, the Yokogowa recorder, Programmable Logic Controller and operator display workstation.

A reactor trip will be initiated if this channel indicates power levels in excess of 120% of the licensed power in both instrumentation applications. Two set points, specified in the Technical Specifications and based on the period (change rate), provide for a reactor setback or trip in the event of a short reactor period (high positive change rate). In the event of the loss of high voltage to the compensated ion chamber, a trip will be initiated for both systems.

Channel 3 - linear Power The linear level channel was and will be capable of measuring neutron flux in reactor operating ranges from shutdown to high powers well beyond the Limiting Safety System Setting as prescribed in the Technical Specifications. The sensing element was a BFa ionization chamber coupled to a micro-microammeter. The new sensing instrument is a BFa ionization chamber with a preamplifier and a Mirion DAK-250g. The range of the instrument was adjustable by means of a range switch located on the instrument (instrument panel) from 0-10.0xlO*" to 0-10.0xlO.. arµperes. Detector characteristics, however, limited its maximum output to 10.. amperes. The DAK-250g features automatic range switching. This channel will thus read from startup to full power by adjustment of the range switch. The output was recorded on the linear power recorder on the instrument panel and indicated on meters on the console and on the instrument panel. Just as with Channels 1 and 2, the new I&C features indications on the instrument face, Yokogowa recorder, and the operator display workstation.

This channel has two set points that will initiate a reactor set back at either zero or 110% r.i.nge on both the old and new I&C. These set points 1ensure that the instrument is kept on range at all times during reactor operation. There is also a 120% range set point that will initiate a reactor trip in both I&Cs.

This Channel also features the Servo mode which can hold the reactor at steady power level. This consisted of a power supply, a micro-microampere amplifier, a Speedomax recording controller with a position-adjusting type control unit, and the regulating rod drive unit The new Seivo functionality is provided by the

/ Programmable.Logic Controller and moves the regulating rod drive unit Because this channel is the most precise channel in measuring neutron flux level, it has been and will be used as the means to obtain uniform neutron flux density.

\

The BF. ionization chamber provided a DC current which was proportional to the neutron flux at the chamber. This current was amplified by the micro-microampere amplifier which provided a 0-10 millivolt input signal to the recording controller. The controller provided a signal to the servo control unit which, through a drive unit, drives the control rod the necessary amount in the correct direction to maintain the power level at the control point set on the controller. Whenever the power level exceeded the control point setting the control rod was inserted into the reactor the amount necessary to decrease the reactivity and restore the power level to the control point setting. Conversely, whenever the power level drops below the control point setting, the control rod was withdrawn the amount necessary to increase the reactivity and restore the power level to the control point setting. An algorithm that perlorms the same task is included in the PLC which is operator selectable. In both implementations, the selected power level must be within 5% of the currently indicated power.

In practice, the operator set the red control pointer to the desired power level and selected the range on the micro-microampere amplifier which provided a reading on the linear recorder equivalent to the power level reading desired on the log-N recorder. The rods are then withdrawn until the black indicating pointer coincides with the red control pointer at which time the power is leveled off manually and the control unit placed on automatic operation. In the new system, the operator is responsible for getting the reactor to the desired power level, and optionally initiating the Servo mode.

log N Period Channel The log-N period channel included the compensated ionization chamber (whose . output current is proportional to neutron flux only) and its power supply; a log-N amplifier and a Speedomax recorder which records log-N; and a composite safety amplifit:r whose components are a period safety p~eamplifier, sigma amplifier and magnet amplifier.

The compensated ionization chamber supplied a d-c current (proportional to the neutron flux at the chamber) which was amplified by the log-N amplifier. One output of the log-N amplifier was the logarithm of the power level which was indicated on the power level meter and recorded on the log-N recorder. This output was also differentiated and indicated on the pile period meter. (fhe pile period is the number of seconds necessary for the power level to increase or decrease by a factor of e.) Positive periods from infinity to three seconds, and negative periods from infinity to thirty seconds were indicated.

In essence, the old Channel 2 fed its power level output to the Composite Safety Amplifier which then processed this current into a value for the reactor period. The new I&C handles the period (change rate) within the DAK-250g itself and provides unique period (change rate) scram capability.

The magnet power damping functionality is not required in the new I&C. The purpose, as noted above, was to ensure aging electronics would be continually capable of reaching the 1 second Technical Specification for Rod Drop Timing. The new I&C exceeds the speed of the previous I&C's slow scram. The Technical Specification for Rod Drop Timing is maintained and no new safety an3lysis required.

Channel 4 - Safety Channel This channel utilized a BFa ion chamber and fed directly into the safety amplifiers. The sensitive range of this instrument was from a few percent to at least 150 percent of power, linearly. Its output was indicated on the instrument chassis (instrument panel). The purpose of this channel was solely to provide a trip at the measured value as specified in the Technical Soecifications, Limiting Safety System Setting. The new Channel 4 also uses an uncompensated BFa ionization chamber and feeds directly into the Mirion DGK-250. The new Channel 4 is expected to be on range at start-up but is only required to be operable, and not on range, per the Technical Specifications Table I.

The level safety channel, in conjunction with the safety circuit of the log-N period channel, functioned to shut down the reactor immediately by dropping-both safety rods whenever the power level increases above 120%

Nrand/or an abnormally short period occurred . (Set for a period of 7 seconds.) '.fhe new level safety channel also shuts down the reactor immediately by initiating a scram and dropping both safety rods when power level increases above 120%. As discussed above, period (change ra~) protection is provided by Channel 2.

In the level safety channel a BF. ionization chamber supplied a d-c current proportional to the reactor power level to the composite safety amplifier. Since the current produced by neutron flux at high levels of operation is much greater than that produced by gamma radiation or other sources, this chamber was not coinpensated and* remains an uncompensated ionization chamber (UIC) in the proposed I&C. Each magnet amplifier supplied current to an electromagnet which held safety rods. The output of each sigma amplifier was connected to the sigma bus which was connected to the input of each magnet amplifier. When there was no signal from the ionization chamber, the sigma amplifiers maintained the potential of the sigma bus' at 37 volts.

However, if the positive period became abnormally short (7 seconds) or if the neutron flux (power) level should become dangerously high, the sigma bus potential was increased which causes the magnet current in both magnet amplifiers to be quickly reduced to zero, thus dropping both safety rods into the reactor core.

This is what is meant by a "fast scram." The fast scram capability remains in the new I&C. A magnet power supply unit provides the current which passes through each of the Mirion Channels, the PLC, the Radiation Monitoring System, and manual scram switches. Any of these units can interrupt magnet turrent and cause the rods to drop into the core. Testing of the new I&C has given positive indications that the drop time of the new system may improve this timing. Integral testing of the system, with a defueled core, will be done to prove this design principle prior to startup. .

The same result was also achieved if the sigma bus potential would increase for any other reasons, as the sigma bus was connected to the input of each magnet amplifier. (Note that a fast scram would have been initiated automatically by a short period or a high power level.) Indicator lamps in the annunciator system located on *the control console indicate whether a fast scram is due to high level or to period. The new annunciator system indicates similar information which the operator may follow-up with through visual inspection of the operator workstation which gives amplifying information.

Reactor Coti'trol System Four control channels were and will be incorporated into the reactor control system to raise or lower the two shim-safety rods, the regulating rod and the fission chamber. A fifth control channel was and will be provided to raise and lower the source. The control rods could always be lowered with a jam circuit being the only

. restriction. This functionality remains with the redesigned I&C. Permissive circuits are included in the raise circuits of the control rods and fission chamber to prevent raising the rods under circumstances shown below.

In the new I&C, these permissives are provided independently of the Reactor Protection System by the PLC.

Indicator Condition Source Missing The log count rate recorder must have indicated the presence of a source of

\

neutrons by indicating a count rate of at least two counts per second. The new Channel 1 must also indicate at least two counts per second. A source missing indicator showed when this condition is not fulfilled. The new I&C shows "Withdrawal Interlock" indication on the primary panel and "Source Missing" on the operator workstation.

Log Count Rate A relay in the log count rate recorder prevented raising of the control rods or Recorder On the fission chamber when the log count rate recorder power was turned off,

thus prohibiting the disabling of the source missing circuit. The log count rate recorder could have been turned off after the log-N recorder came on scale.

This was accomplished by a relay in the log-N recorder circuit. Because the data display cannot physically be turned off without shutting down the entire RCS, this functionality is not required in the new system. Administrative controls ensure the,Yokogowa recorders are on during reactor operation.

Source Drive in Interlock circuits on the source drive switches prevented raising the control Operation rods or fission chamber when the source ~ being raised or lowered. This functionality remains in the new I&C.

Ajam circuit is incorporated in the drive circuits to operate ajam indicator light on the console in the event of a mechanical jam in the drive in both systems. This indication alerts the operator to the possibility of cable kinking in the source and fission chamber drive units, or mechanical friction in the rod drives.

Shim Safety Rod Drive System The shim-safety rod to be driven was selected by pushing the desired drive indicator lamp. This connected the drive system for that rod and cleared any other drive circuit that may have been energized. In he new I&C, the operator selects the rod drive to be moved which connects the drive system for that rod and clears any other drive circuit that may have been energized. Electrical interlocks prevented the raising of more than one control rod or the fission chamber simultaneously. The PLC prevents the selection of more than one rod drive unit, except during a gang lower.

The reactor operator controlled the rod with the raise-lowef switch on, the control console. The raise-lower switch operated mercury relays, which control the rod drive motors. The operator now will have the option of moving the rods by a raise-lower switch on the control console, selecting the final height via data entry, or course and fine movements as selected on the Rod Drive Positioning Screen in the new I&C system.

The indicators of upper limit, shim range, engage, fower limit, and rod drive selected remain in the new system as well as the old as shown below..

Indicator Condition Upper Limit The drive unit is at the upper limit of its travel.

Shim The drive unit is. two-thirds out This point is where the shim-safety rods are set during critical experiment fuel loading.

Engage The shim-safety rod is attached to the drive electromagnet.

Lower Limit The drive unit is at the lower limit of its travel.

Drive The drive unit is connected to the raise-lower switch.

The Regulating Rod, Fission Chamber, and Source Drives work in a very similar manner. The Source Drive does not have engage, rod bottom light, or shim range as they are not necessary. The fission chamber does not have the shim-range, engage or rod bottom light. The regulating rod does not have engage or rod bottom lights. This is true for the old and new I&C.

1 Gang Lower System

When the reactor is to be shut down, it was pennissible to lower all control rods simultaneously by pushing the "Gang Lower" indicator light and thus activating the gang lower switch and relay. The same functionality is accessible to the new I&C through selecting the "Gang Lower" button on the operator work station. The gang lower relay directly energizes the lower drive relays for the control rods in both systems. The gang lower relay was de-energized by momentarily placing the raise-lower switch into either its raise or lower position.

The new I&C "Gang Lower" is de-energized through any operator movement of a control rod. In addition, the gang lower relay may be energized by the setback system.

ROd Position Indicating System Four coarse rod position indicators were provided which continuously monitored the positions of the two shim safety rods, the regulating rod and the fission chamber with a resolution of 2 centimeters. A ratiometer was used as a fine position indicator which could be switched to any one of the control rods or fission chamber to provide a position indication with a resolution of 0.1 millimeter. The new I&C features simultaneous indication of the fine position value of each rod at all times without the need of a second ratiometer. This is a design improvement The rod position indicator measured a voltage across a potentiometer connected to the drive unit This voltage measurement via potentiometer is sensed by the new I&C in an identical fashion.

The reference voltage for all drive unit potentiometers was supplied by a 68 volt power supply. This reference voltage is now 10 volts. The new I&C is designed to reference this voltage rather than the former 68 volt power supply with the same indication accuracy.

Reactor Protection System Two types of scrams were included in the control system to effect shutdown of the reactor in the event of emergency conditions. A fast scram was accomplished when a short period signal or a high power-level-signal removed magnet current The fast scram operation was described above.

A slow scram was initiated by various safety circuits located in the reactor system. The slow scram circuit opened the input power line to the magnet amplifier power supplies located in the composite safety amplifiers.

The removal of this functionality is discussed above and is not needed as the new system provides faster scram initiation and will continue to be verified through Technical Specification compliance.

A setback system was included in the reactor control system to insert the control rods into the reactor without producing a scram. This minimized the necessity of repeating the startup procedure. A setback and analogous setpoints are provided in the new system.

When a scram or setback condition occurred, or when other trouble arose, a buzzer alarm sounded, and a lamp or lamps were lit on the control console, indicating the source of the trouble. The annunciator alarm is maintained in the new I&C. An annunciator acknowledge button was used to turn off the buzzer. This functionality remains in the new I&C. If the trouble resulted in a scram, a scram reset switch must be actuated before magnet power can be reapplied. The scram reset is now activated through a two second depression of the annunciator acknowledge switch. The "Scram Reset" indicator is preserved in an identical fashion as with the former l&C. In the event of trouble other than a scram, the corresponding switch-lamp was pushed to extinguish the lamp and reset the annunciator system aft.er the trouble has been corrected. In the new I&C, all annunciators are visual indication only, and the reset is done through the aforementio.ned "annunciator acknowledge" button. If the trouble was not corrected, the indicator light would remain lighted. This functionality remains in the new I&C. An annunciator test switch was provided for checking the lamps and the buzzer. This annunciator test is now included and actuated from the operator workstation. An evacuation alarm horn was installed in the reactor instrument racks. This horn was activated by pushing the alarm button on the reactor console. This functionality remains in the new I&C.

Slow Scram System Opening of a fault switch actuated a slow scram channel which caused primary power to be removed from the two magnet amplifiers located in the composite safety amplifiers, thus resulting in the shim-safety rods dropping into the core. This functionality remains in the new I&C by cutting the magnet power circuit in any one of the I&C subsystems. The following conditions result in a slow scram (now simply called a scram).

(Slow) Scram Type Condition Scram - Console Manual pushbutton on console depressed.

High Level - Console Monitor High radiation level at the console radiation monitor.

High Level - Process System Monitor High radiation level at the process system radiation monitor.

High Level - Pool Top Area Monitor High radiation level at the Pool Top area radiation monitor.

CIC Power Supply Trouble (Former I&C Failure of the high voltage power supply for the Only) compensated ion chamber.

Composite Safety Amplifier Trouble (Former Failure of one or more of the circuits lil either I&COnly) composite safety amplifier.

Mirian Channel Self Checks (New l&C Only} Failure of any voltage input, anomalous parameter, or other trouble. Analogous to the CIC Power Supply Trouble, or Composite Safety Amplifier Trouble

-

Note that each of the Mirion Neutron Flux Monitoring Channels continually provide self-checks for their operation. Addi~onally, the PLC monitors the output currents and voltages of all facility parameters. The PLC can independently scram the reactor if any of these are anomalous. The following scram conditions were initiated by relay type meters located on the auxiliary scram panel. The scram set points were determined and set by the reactor operator prior to operation. The new scram conditions are stored in the Mirion Neutron Flux Monitoring Systems (NFMS). Access controls to the keys which are required to change these values are done through administrative controls and may only be changed by the electronics technician and Level 3 personnel and above who are licensed SROs. Note that these set:points were potentially changeable by anyone in the facility formerly but verified correct by each prestart. The correctness will be verified in the new prestart checklist as well.

Scrams Conditions Low-Level Period (Change Period circuit in the log count rate meter indicated a Rate) short period. New system will show change rate in multiple locations.

High-Level Period (Change_ Period circuit in the log-N period amplifier indicates Rate) a short period. New system will show change rate in multiple locations.

High-Level Log-N The log-N channel indicates a high power level.

High-Level - Linear Level The linear level channel indicates a high power level.

The following permissive circuits were located in the slow scram circuit and must have been in operation before the shim-safety rods could be raised:

1. The log-N selector switch must be in the operate position.

2. The log-count-rate meter switch must be in the use position.

3. The key switch must be on.

4. The scram resetrbutton must be pushed and the magnet power lamp energized.

The new I&C will require the Mirion NFMS to not be in test mode (keys removed and stored), key switch must be turned on, and the annunciator reset button depressed (former scram reset button functionality) to energize magnet current Setback System Four setback conditions were and are included ill the reactor control system. Actuation of any one of these circuits would have and will result in the shim-safety rods and the regulating rod being driven into the core to their lower limits unless the trouble is cleared and the circuit reset before the lower limits are reached. The setback set points were determined by the reactor supervisor and set by the reactor operator prior to operation. The following setback conditions were initiated by relay type meters located on the auxiliary scram panel. The new setback conditions can be activated by binaries in the Mirion NFMS or by the PLC. The rod motion is performed by the PLC.

Setback Parameter Performing Function Low Level Period (Change Rate) Period circuit in the log count rate meter indicated a short period (Former I&C)

Change Rate parameter moves beyond set:point (New I&C)

'

High-Level Period (Change Rate) Period circuit lil the log-N period amplifier indicates a short period.

(Former I&C)

\

Change Rate parameter moves beyond set:point (New I&C)

• High-Level - Linear Level The linear level channel indicates a high power level.

High-Level - Safety Amplifier (Former I&C) The level safety amplifier indicates a high

) power level.

High-Level - Channel 4 Power (New I&C) The level value moves beyond setpoint (New I&C)

Control Console & Display Instruments The reactor console was designed to provide maximum visibility of the instruments and accessibility to the controls and indicators. All indicators and controls necessary for startup and shutdown operations were located in one group in front of the operator. The same design principles were applied in the new I&C control console and display instruments. Additional, high fidelity indications of all plant parameters are now available without leaving the operator console post. Secondary and tertiary indications are available for some parameters throughout the reactor room.

Colors for the indicator lights on the console showed the operator the status of the reactor at a glance. This operational characteristic is maintained and enhanced in the new l&C. All trip and warning indicators are red or yellow in both the new and old I&C. Operating procedures, as well as interlocks, kept the operator from withdrawing the control rods wh~n a warning indicator was showing. This functionality is maintained and enhanced in the new I&C.

Radiation Monitoring Systems Three scintillation type area monitors were installed in the reactor area to monitor the radiation level at the top of the pool, in the pool water flowing through the process system, and at the reactor console. Each area monitor was connected into the slow scram circuit and was equipped with a local lamp and alarm that was activated if the radiation level exceeded the set point. Three remote area monitor meters were mounted on the reactor instrument racks to provide the operator with an indication of the radiation level at the area monitor sites.

In the new I&C, the area monitors are three Geiger-Mueller type monitors which measure radiation levels at the same locations as the former system. Each monitor is also in the scram circuit and equipped with a local lamp and alarm that may be activated if the radiation level exceeds the set point. The three remote area monitors indicated radiation level is available to the reactor operator from the reactor operator console as well as on the face of the meter itself. In the new l&C, functionality is enhanced by having the PLC continually monitor the performance of the radiation area monitors. This is a safety enhancement over the former system.

Notes on Change Rate vs. Period Consider a population which is increasing by a certain constant A. per unit of time dN dt= AN(t)

Solving for the population as a function of time yields dN = A.N(t)dt N(t) = N0 eAt where A. is the rate constant and N(t) is the population through time. In reactor power, A. is the inverse of the reactor period T.

• 1

.il =-T This gives Consider now a population which is increasing by a percentage per unit time.

% Increase = 1 + a where <1 is the percentage above or below 100%. The population at time zero would be Nt=O =No At time t *= 1, the population would increase by the factor (1.. + a).

Nt=l = Nt.;,.~ * (1 +a)

Nt=l = No(1 +a)

At time t = 2, the population again increases by the factor of (1 +a) from the population at t = 1.

Nt=2 = Nt=l * (1 +a)

Nt=2 = No(1 +a)* (1 +a)

Nt=2 = No(1 + a) 2 At time t = 3, the population again increases by the factor of (1 + <1) from the population at t = 2.

Nt=3 '= Nt=2 * (1 +a)

Nt= 3 = N0 (1 + a) 2 * (1 +a)

Nt=3 = N0 (1 + a) 3 It is clear that the population as a functibn of time is N(t) = N0 (1 + a)t For reactor Power, I

Equating the two boxed terms yields P(t) = P0 et/T = P0 (1 + a)t P~et/T = P0 (1 + a)t Dividing out the initial power Taking the natural logarithm of both sides ln[et/T] = ln[(l + a)t]

t

- = t

• ln[l +a]

T Dividing out the time I~= ln[l +a] I or O' = e1/r - 1 The series expansion of the natural 'log illustrates

'

0'2 0'3 . .

ln[l +a]= a - -+-

2 3

- *** + ***

For percentage change rates which are sufficiently low, less than SO %/s, which are required by PUR-1 Operations, the last terms of the expansion are much less than the first yielding ln[l +a] =a Therefore Technical Specification Changes The Technical Specifications have changed in several small but important locations. The first of these is the numbering of the Technical Specification from 13 to 14. Following discussion with NRC personnel, the former naming convention of "Amendment #".was removed in the most recent licensing action. It 'was replaced by a "No. #"convention. The purpose of the numbering of the Technical Specificitions, is to ensure the reactor operator and facility staff are assured they are reading the correct version of the Technical Specifications. Following approval of this License Amendment Request, the Technical Specifications will be renumbered from 13 to 14.

The second change is an addition to Technical Specification 1.32, the definition of "Reactor Secured".

Because of the nature of digital instrumentation and control, it is important to ensure the control rods cannot be moved when the facility is secured. While magnet power is cannot be enabled while conditions 1.32. (2) and 1.32.(3) have been met, the addition of condition 1.32.(6) provides additional assurance of the secured status of the reactor. .

The replacement Instrumentation and Control measures and display~ the Change Rate rather than the Reactor Period. While these two parameters indicate similar values, their units are different and therefore the setpoints differ as well. The discussion above outlines the derivation of the Change Rate and how it can be converted to or from Period. Using,

• I J

I~= ln[l +a]

the Reactor Period values have been converted to Change Rate. The new values are listed in Table I as before.

With the approval of Technical Specification No. 13, language was added to include the ability of the facility

to place the setpoints at a more conservative value than those prescribed in Table I. This was done with directional descriptions such as "or less" and "or greater". A benefit of using Change Rate over Period is that this are more clear given the linear nature of a Change Rate scale compared to the Period scale which has a discontinuity going from positive infinity to negative infinity. PUR-1 staff expect to use setpoints which are the floor of the listed values in Table I. For greater educational and operation clarity, setpoints will likely be placed, for example, at 8 96/s rather than 8.69 96/s.

Table I also includes the renaming of the Channels to again, provide greater clarity. Channel 4 had historically

\

be referred to as the "Safety Channel" when in actuality, all Channels provide safety functions and the title of Table I is "Safety Channels Required for Operation". Table I was also changed to rename the Rod Interlocks to a more descriptive name of "Rod Withdrawal Inhibit" This was done to provide additional clarity. Finally in Table I, the "Slow" and "Fast" scram descriptors have been removed as that functionality does not remain with the replacement PUR-1 l&C.

Table II was changed to better match the format of Table I. This was done by adding the directional language to the radiation area monitors. Pending approval of the revised Technical Specifications, they would be capable of being set at the previously prescribed setpoints, or a more conservative value. Additionally, the

~Slow" scram language has been removed.

In Section 3.3.a, the primary coolant is measured through resistivity rather than conductivity XX. These are simply the inverse of each other. The value has been changed and appropriate unit added.

TS 4.2.b has been updated to better match the naming of Table I and II to indicate the calibration of the "Safety-Related" channels.

TS 4.4 Bases have been upd~d to remove discussion of specification d which was removed in the transition from TS No. 12 to TS No. 13.

TS 4.6 now provides more description of the method by which the fuel shall be inspected following discussion with the NRC staff. Because the PUR-1 MHA is that which would most ~ly occur during a fuel handling accident, this change removes some of the fuel handling requirements. Lessening the actual handling of fuel improves the safety margin as well as helping achieve the AIARA principle.