ML093230647: Difference between revisions



=Text=
{{#Wiki_filter:
{{#Wiki_filter:Presentation on UFTR Licensing Amendment Application (Phase 0)
Alireza Haghighat, FP&L Professor, UFTR Director
&
Gabriel Ghita, Research Scientist, Project Coordinator
Nuclear & Radiological Engineering Department
University of Florida
Gainesville, Florida
For presentation to the NRC, Washington DC, Oct. 16, 2009
 
Outline
Introduction to the reactor design
Core, primary loop, secondary loop, reactor cell, confinement
Accident scenarios
Current I&C design
Features
Licensing requirement
Introduction to the UF Team, their functions, and support teams from AREVA & Siemens
Proposed TXS Protection System
Safety System Design Basis
D3 Analysis (considering Design Basis changes)
Introduction to plans
QAP
V&V
Discussion on TXS Equipment
Possibility of installation of a redundant Train for testing, benchmarking and training
Proposed schedule
2
 
UFTR timelines
Established in 1959 with a power of 10 kW
In 1963, its power was increased to 100 kW
In 1970, its fuel was changed from LEU to HEU
In Sept. 2006, its fuel was changed from HEU to LEU
3
 
Schematic of UFTR (axial projection)
Shield Tank         Graphite Core
 
Schematic of UFTR (Horizontal projection)
5
 
UFTR Core
6
 
UFTR Core
Figure labels: Control blade, Fuel box, Graphite, S1, S2, S3, RG
7
 
Fuel Plate Characteristics (LEU)
Fuel Type: U3Si2-Al
Fuel Meat Size
  Width (cm)
  Thickness (cm)
  Height (cm)
Fuel Plate Size
  Width (cm)
  Thickness (cm)
  Height (cm)
Cladding material: 6061 Al
Cladding Thickness (cm)
Fuel Enrichment (nominal): 19.75%
"Meat" Composition (wt% U)
Mass of 235U per Plate (nominal)
Number of Plates per Fuel Bundle
8
 
Core at critical condition - Fuel pattern and blade positions
Safety 1, at 26.3 degrees
Safety 2, at 26.3 degrees
Safety 3, at 26.3 degrees
Regulating, at 16.9 degrees
Dummy bundle: 10 fuel plates & 3 Dummy plates
9
 
Total neutron flux distribution 10
 
Bundle power distribution (kW)
Schematic of the core
11

Core Lifetime
Expected end-of-life LEU core with fuel burnup of ~86.67 MWD; this is based on full-power operation time of 4 hr/day, 5 day/week, 20 years
12
 
UFTR Primary Coolant Loop Design (including locations of sensing devices)
Figure labels: UFTR Core, Fission Chamber/BF3, Ion Chamber, Heat Exchanger, Coolant Storage Tank, Secondary Storage Well, Dump Valve, Rupture Disk, Air Bleed Valve, From Demineralizer Loop, To Demineralizer Loop, To Secondary Side
Legend: RTD; L - Level Indicator; Flowmeter; Closed Valve (Normal Operation); NI; Primary Flow
 
Operating Region
Figure 5. 20 mil tolerance on Water Channel Spacing and 0.065" Repositioning of Each Assembly Due to Combs
Axes: True Reactor Power, kW (vertical) versus True Coolant Flow Rate, gpm (horizontal); curves for Tin = 86 F, Tin = 100 F and Tin = 110 F
True Max. Power: 125 kW
LSSS Power: 119 kW
Max Operating Power: 100 kW
For Max, Inlet Temp. = 100 °F: True Minimum Flow Rate: 39 gpm; LSSS Flow Rate: 41 gpm; Operating Flow Rate: 48 gpm
For Max, Inlet Temp. = 110 °F: True Minimum Flow Rate: 43 gpm; LSSS Flow Rate: 45 gpm; Operating Flow Rate: 52 gpm
14
 
UFTR Control Parameters and Settings
Parameter                  True Limit    LSSS    Operating Values
Power (kW)                 125           119     100
Inlet Flow Rate (gpm)      34            36      43
Inlet Temperature (F)      100           99      80
Outlet Temperature (F)     165           155     95
15
 
Accident Scenarios & Analysis

Accident Scenarios
A rapid insertion of 0.6% k/k reactivity. This scenario represents the reactivity insertion resulting from the rapid ejection of the maximum worth of all moveable and non-secured experiments from the reactor. Cases were analyzed both with and without reactor SCRAM.
A reactivity ramp insertion of 0.06% k/k/s for 10 seconds. This scenario represents the insertion of reactivity due to control blade withdrawal at the maximum rate allowed by the UFTR Technical Specifications. This accident is assumed to be terminated by reactor SCRAM.
17
 
A rapid insertion of 0.6% k/k reactivity with scram (fresh fuel)
Power                              100 kW              100 kW              100 kW              100 kW
Steady State Condition             43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F  43 gpm, Tin=86 °F
Blade Drop Time (s)                1.0                 1.0                 1.0                 1.5
Time to Peak Power (s)             0.14                0.14                0.14                0.14
Peak Power (kW)                    316                 316                 316                 318
Tfuel (max) at Peak Power (°C)     51.9                54.4                66.7                51.9
Tfuel (max) (°C)                   52.2                54.8                67.0                52.5
Tclad (max) (°C)                   52.2                54.7                67.0                52.5
Tcool max (°C)                     44.6                47.6                59.9                44.6
18
 
A rapid insertion of 0.6% k/k reactivity with scram (depleted fuel)
Power                              100 kW              100 kW              100 kW              100 kW
Steady State Condition             43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F  43 gpm, Tin=86 °F
Blade Drop Time (s)                1                   1                   1                   1.5
Time to Peak Power (s)             0.14                0.14                0.14                0.15
Peak Power (kW)                    322                 322                 322                 328
Tfuel (max) at Peak Power (°C)     52                  54.8                67                  52.1
Tfuel (max) (°C)                   52.6                55.3                67.5                52.6
Tclad (max) (°C)                   52.6                55.3                67.5                52.5
Tcool max (°C)                     44.5                47.5                59.8                44.5
19
 
A rapid insertion of 0.6% k/k reactivity without scram (fresh fuel)
Power                              100 kW              100 kW              100 kW
Steady State Condition             43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F
Time to Peak Power (s)             2.48                2.44                2.30
Peak Power (kW)                    1199                1186                1112
Tfuel (max) at Peak Power (°C)     95                  95                  100
Tfuel (max) (°C)                   107                 108                 109
Tclad (max) (°C)                   107                 108                 109
Tcool max (°C)                     101                 101                 102
After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.
20
 
A rapid insertion of 0.6% k/k reactivity without scram (depleted fuel)
Power                              100 kW              100 kW              100 kW
Steady State Condition             43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F
Time to Peak Power (s)             2.36                2.32                2.19
Peak Power (kW)                    1337                1321                1235
Tfuel (max) at Peak Power (°C)     96                  96                  101
Tfuel (max) (°C)                   108                 109                 110
Tclad (max) (°C)                   108                 109                 110
Tcool max (°C)                     101                 101                 102
After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.
21
 
A slow insertion of 0.06% k/k/s reactivity with scram (fresh fuel)
Power                              100 kW              100 kW              100 kW              100 kW
Steady State Condition             43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F  43 gpm, Tin=86 °F
Blade Drop Time (s)                1.0                 1.0                 1.0                 1.5
Time to Peak Power (s)             2.22                2.22                2.22                2.22
Peak Power (kW)                    127                 127                 127                 127
Tfuel (max) at Peak Power (°C)     52.1                54.6                66.8                52.1
Tfuel (max) (°C)                   52.1                54.6                66.8                52.1
Tclad (max) (°C)                   52.0                54.6                66.8                52.0
Tcool max (°C)                     44.6                47.6                60.0                44.6
22
 
A slow insertion of 0.06% k/k/s reactivity with scram (depleted fuel)
Power                              100 kW              100 kW              100 kW              100 kW
Steady State Condition             43 gpm, Tin=86 °F   34 gpm, Tin=86 °F   34 gpm, Tin=109 °F  43 gpm, Tin=86 °F
Blade Drop Time (s)                1                   1                   1                   1.5
Time to Peak Power (s)             0.14                0.14                0.14                0.15
Peak Power (kW)                    322                 322                 322                 328
Tfuel (max) at Peak Power (°C)     52                  54.8                67                  52.1
Tfuel (max) (°C)                   52.6                55.3                67.5                52.6
Tclad (max) (°C)                   52.6                55.3                67.5                52.5
Tcool max (°C)                     44.5                47.5                59.8                44.5
23
 
Other Accidents
LOCA during full power operation
The increase in fuel temperature following a LOCA results in shutdown of the reactor,
Either by the negative void coefficient of reactivity,
Or by the insertion of control blades into the reactor
In both cases, the fuel temperature will increase by less than 17 °C (30 °F)
Sudden insertion of maximum excess reactor of 1.4% k/k results in an energy release of <6.1 MW and a cladding temperature of <300 C.
Maximum Hypothetical Accident (MHA)
Fuel Handling Accident (FHA)
It is postulated that because of severe mechanical damage, the aluminum cladding is stripped from one fuel plate; it is assumed that 2.7% of the total volatile activity instantaneously escapes from the fuel plate into the reactor cell.
Estimated occupational and public doses are smaller by several orders of magnitude relative to exposure limits.
24
 
Current UFTR Analog I&C and Operations
 
Current UFTR Analog Protection & Control System
Figure labels: ARM, WLM, FRM, TC, Electrical Monitoring, Indicators, Shutdown (RTS, manual), One Safety Train
26
 
Shutdown Mechanisms
Automatic
Blade Drop (BD) - Clutch current control
Dump valve (DV) - Solenoid current control
Manual
Indicators (sirens, monitors & displays) followed by operators' manual actions: BD and/or DV
Passive
NEGATIVE coolant void and temperature coefficient of reactivity
27
 
Unique Features
Facts
Low power (the peak power per bundle = 5 kW)
Low fuel temperature (~50 C);
Negative coefficients of reactivity; Example: Even for an unprotected insertion of 0.6% k/k, the peak fuel temperature is ~108 C (fuel melting point is 582 C)
Results
Under regular conditions, reactor can be shut down by dumping the coolant
No need for Engineering Safety Features Actuate System (ESFAS)
One train protection and control system
No protection for single failure is needed
28
 
Introduction of the UF Team, their functions, and support teams from AREVA & Siemens
 
Project Organization UFTR
UFTR Digital Control System Upgrade Project - Organization
Management: Project Manager: Prof. Alireza Haghighat; Project Coordinator: Dr. Gabriel Ghita, RS
QA: Auditor: Dr. William Van Dyke
CCB: Prof. A. Haghighat; Dr. G. Ghita, RS; Prof. Glenn Sjoden; Prof. James Baciak; Brian Shea, RM
IV&V: Lead: Prof. Edward Dugan; Prof. Mark Harrison; Prof. DuWayne Schubring; George Fekete, UG
System Design & Analysis: Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS; Prof. James Baciak; Daniel Lago, UG; Steven Brown, UG
Software Development: Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS; Prof. A. Haghighat; Matt Marzano, GR; Jennifer Musgrave, UG
Hardware & Installation: Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM; Prof. Mark Harrison; Matt Berglund, SRO; Andrew Holcomb, UG
CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student
30


Project Organization AREVA + UFTR
AREVA Corporate Sponsor: Mehdi Tadjalli
AREVA PM: Eric Wallace
UFTR PM: Dr. Alireza Haghighat (UFTR Organization)
GmbH PM: Herbert Nussbaumer
Siemens PM: Oldrich Klokocka
Training: Mike Fillian
AREVA PE: Sean Kelley
QA Manager: Mark Milo
Licensing Support: Mark Burzynski
AREVA Project Team
SW Lead Engineer: Jason Reed
HW Lead Engineer: Ryan Nash
Installation Support: TBD
31


Proposed TXS Protection System
The TXS system block consists of hardware and software that provide for protection, control, indication, and monitoring.
The current licensed UFTR protection and control system utilizes one train, which contains two sets of nuclear instrumentation that have to be operational simultaneously for complete coverage of reactor power.
Similar to the current UFTR protection and control system, we propose a one-train system which includes signal diversity; it is capable of identifying invalid signals and their diverse signals.
It is worth noting we are also considering a two-train design (i.e., with two levels of redundancy) for training, education and research purposes.
The figure below depicts the TXS system (with two trains), which is comprised of the following components:
Acquisition and Processing (AQP)
Voter - Voting and Actuation (VT) (needed for the two-train design)
Main Control Room (MCR)
Monitoring Service Interface (MSI)


SU: Service Unit
Proposed TXS Protection System AQP: Acquisition and Processing VT: Voter MSI: Monitoring and Service Interface T-3000 control QDS: Qualified Display System system SU: Service Unit GW: Gateway RTS: Reactor Trip System


GW: Gateway
Safety System Design Basis
Here, we discuss the changes to be considered for the UFTR Design Basis due to the digital protection system upgrade.
To facilitate this discussion, we will utilize the IEEE-603 Design Basis clauses.

Clause # | Clause | Comment
4-1 | The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event. | no change
4-2 | The safety functions and corresponding protective actions of the execute features for each design basis event. | no change
4-3 | The permissive conditions for each operating bypass capability that is to be provided. | N/A
4-4 | The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured. | change
4-5 | The protective actions identified in clause 4-2 that may be controlled by manual means initially or subsequently to initiation. | no change
4-6 | For those variables in clause 4-4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes. | change
4-7 | The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform. | change
4-8 | The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems). | N/A
4-9 | The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design. | N/A
4-10 | The critical points in time or the plant conditions, after the onset of a design basis event. | change
4-11 | The equipment protective provisions that prevent the safety systems from accomplishing their safety functions. | no change
4-12 | Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria). | change
 
Clause 4.1 of IEEE Std. 603
"The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event" (IEEE-603)
The proposed protection system has two modes of operation, automatic and manual.
Below, for each Design Basis Event, the mode of system operation is provided:
  - Loss-of-Coolant Accident (LOCA) during the full power operation (automatic)
  - Slow Insertion of 0.06% k/k/s for 10 seconds (automatic)
  - Sudden Insertion of the Maximum Allowed Excess Reactivity of 1.4% k/k (automatic)
  - Sudden Insertion of the Maximum Allowed Reactivity of 0.6% k/k (automatic)
  - Control Blade System Malfunction (manual)
  - Loss of Power (manual)


Clause 4.2 of IEEE Std. 603
List of Design Basis Events (Accidents)
Loss-of-Coolant Accident (LOCA)
LOCA will cause the loss of the valid flow rate meter (FRM) signal in the primary coolant loop, which will cause automatic initiation of BDT via TXS. Loss of coolant in the core due to the LOCA will also contribute to the safe shutdown of the UFTR as a result of the negative void coefficient of reactivity.
Reactivity insertion events
  - Slow insertion of 0.06% k/k/s without scram
  - Sudden Insertion of the Maximum Allowed Excess Reactivity (1.4% k/k)
  - Sudden Insertion of the Maximum Allowed Reactivity (0.6% k/k)
The above reactivity events shall cause automatic initiation of FT via TXS when any NI signal becomes invalid due to high reactor power.
Control Blade System Malfunction
This anticipated operational occurrence shall be mitigated by opening the Dump Valve initiated by the MRS.
Loss of Power
Loss of Power directly causes BDT, thus no execute feature must be initiated during this event.
Clause 4.3 of IEEE Std. 603
"The permissive conditions for each operating bypass capability that is to be provided" (IEEE 603)
There is no need for an operating bypass for UFTR, thus there are no permissive conditions for this type of bypass.
Clause 4.4 of IEEE Std. 603
"The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured" (IEEE 603)
The existing analog protection system has four levels of protection for the design basis events:
  - pre-operation check,
  - monitoring,
  - interlocks, and
  - trip system.
For the new digital protection system, besides the aforementioned levels, we are considering signal diversity in order to protect the system against the Common Cause Failure.
 
Clause 4.4 of IEEE Std. 603 (cont'd)
Table 1 - List of components checked prior to reactor startup
Item | Component
1 | Core Vent
2 | Diluting Fan System
3 | Blade Gear Box
4 | Manometers and Magnetic Gage
5 | Portal Monitor
6 | Core Vent and Diluting Fan Systems
7 | Shield Water
8 | Demineralizer Pump
9 | Magnet Power Key
10 | Exterior lights
11 | Neutron recorder
12 | Primary Coolant Pump
13 | Source Alarm
14 | Primary Coolant Resistivity Determinations
15 | Blade Withdrawal Time Measurement
16 | Primary Coolant
17 | Magnet Power Key
18 | Log/linear recorder
19 | Equipment Pit Checkout and Gamma Radiation Levels
20 | Water Sample Analysis
21 | Air Particulate Detectors
22 | Radiation Monitor Console
23 | Secondary Water and Strainer
24 | Security System Monitors
25 | Complete Records

Table 2 - Description of Monitoring parameters during operations
Item | Parameter
1 | Main AC power line
2 | Primary and secondary coolant pump power
3 | Console power
4 | Core ventilation fan power
5 | Stack dilution fan
6 | Area radiation monitor
7 | Stack/vent monitor
8 | Air particulate

Table 3 - Description of Interlocks
ID | Description
1 | Inhibits attempt of simultaneous withdrawal of 2 or more safety blades (mode 2*)
2 | Inhibits attempt of withdrawal of regulating blade with a period (T) < 30 s (mode 2)
3 | Inhibits withdrawal of blades if the source count rate is < 2 cps (mode 1**)
4 | Inhibits withdrawal of blades if period (T) < 10 s (mode 1)
5 | Inhibits reactor operation if safety channels 1 & 2 are not operable (mode 1)
*Mode 2: Automatic control
**Mode 1: Manual Protection and Control


Table 4 - List of conditions for trip
Condition | Type of Trip
Automatic |
Period  3 sec | FT*
Power  119 kW | FT
Loss of chamber high voltage (90%) | FT
Loss of electrical power to control console | FT
Primary cooling system: Loss of pump power; Low-water level in core ( 42.5"); No outlet flow; Low inlet water flow  41 gpm | BDT**
Secondary cooling system (at power levels > 1 kW): Loss of flow (well water  60 gpm); Loss of pump power | BDT
High primary coolant inlet temperature  99° F | BDT
High primary coolant outlet temperature ( 155° F) | BDT
Shield tank - Low water level (6" below established normal level) | BDT
Ventilation system: Loss of power to dilution fan; Loss of power to core vent system | BDT
Manual |
Manual scram bar | BDT
Console key-switch OFF (two blades off bottom) | FT
*FT: Full Trip (including Dump Valve Trip and BDT)
**BDT: Blade drop Trip


Clause 4.4 of IEEE Std. 603 (cont'd)
Table 5. List of signals for each train of the proposed UFTR TXS system
Reactor Feature | Primary Mode of Detection | AI^c | DI^d | Segment of UFTR
High Power Level | *FC^a, IC^b | 2 | - | Core
Reactor Period, Low Power Level | *BF3, IC | 2 | - | Core
Temperature | *Resistive TD | 10 | - | core, primary, secondary
Flow Rate | Flow Rate Monitor (FRM) | 2 | 2 | primary, secondary
Water Level | Water Level Monitor* (WLM) | 2 | 1 | Core, storage tank*, shield tank
Area Radiation Level | Area Radiation Monitor (ARM) | 4 | 4 | east, north, south, west*
Fan Availability | Fan Monitor (FM) | 1 | 2 | Core ventilation, stack dilution, stack dilution RPM
a: Fission Chamber; b: Ion Chamber; c: AI, Analog Input; d: DI, Digital Input
*Indicates a new monitoring device and/or location that shall be added in the proposed system

Table 6. Signal diversity within each train
Sensor/Monitor | Core | Primary | Secondary | Reactor Cell | Confinement
FC+BF3 | x | | | |
IC | x | | | |
RTD | x | x | x | |
FRM | x | x | x | |
WLM | x | x | | |
ARM | | | | x | x
FM | | | | x | x


Clause 4.5 of IEEE Std. 603
"The protective actions identified in Clause 4-2 that may be controlled by manual means initially or subsequently to initiation" (IEEE 603)
Manual reactor scram (MRS) is available in the event that TXS fails to initiate RTS. Depression of the MRS button causes the control blade drive (clutch current control) to shut off, which allows the blades to drop into the core due to gravity.
The MRS button will also provide a HW and SW interrupt for the TXS system.
This event is referred to as a blade-drop trip (BDT). If the control blades do not function properly and the core overheats, the negative void and temperature coefficients will cause the core to go subcritical and shut down even without insertion of the control blades. Therefore, instrumentation is not an absolute necessity for shutting the UFTR down because of its inherent safety features.
Clause 4.5.1 of IEEE Std. 603
"The points in time and the plant conditions during which manual control is allowed" (IEEE 603)
Protective action may be initiated by manual means at any time during reactor operation.


Clause 4.5.2 of IEEE Std. 603
"The justification for permitting initiation or control subsequent to initiation solely by manual means" (IEEE 603)
Justification for permitting initiation by manual means lies in the fact that no action or inaction of the operator during a design basis event can result in the uncontrolled release of radioactivity.
Clause 4.5.3 of IEEE Std. 603
"The range of environmental conditions imposed upon the operator during normal, abnormal, and accident conditions throughout which the manual operations shall be performed" (IEEE 603)
Environmental conditions imposed upon the operator during normal, abnormal, and accident conditions shall not be of concern, since the worst-case accident scenario does not result in the release of radioactivity.
It is also important to note that the new main control room (MCR) will be isolated from the reactor cell.
Clause 4.5.4 of IEEE Std. 603
"The variables in clause 4.4 that shall be displayed for the operator to use in taking manual action" (IEEE 603)
All variables listed in Table 1 shall be displayed for the operator on the Qualified Display System (QDS) of the TXS protection system and the display of the T3000 control system.
The new system has an added qualified display, i.e., QDS.


Clause 4.6 of IEEE Std. 603
"For those variables in item d) that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes" (IEEE 603)
The number and locations of sensors required for protective purposes is provided in Table 1. Loss of all valid signals from any one of the five segments of the UFTR listed in Table 3 shall result in the safe shutdown of the UFTR via BDT.


Clause 4.7 of IEEE Std. 603
"The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform" (IEEE 603)
The existing UFTR control room is located within the reactor cell, which uses the same energy supply and environmental control.
The new TXS system components are located in the MCR, which is isolated from the reactor cell. The MCR receives power and air-conditioning that is independent from the reactor cell. Prevention of electromagnetic interference is achieved by the shielding effect of metallic front plates in each TXS cabinet. Thus, conditions within the MCR are not subject to change due to the UFTR transient or steady-state conditions.
 
Clause 4.8 of IEEE Std. 603
"The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems)" (IEEE 603)
Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in affecting the integrity of the fuel, and therefore there is no uncontrolled release of radiation.
 
Clause 4.9 of IEEE Std. 603
"The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design" (IEEE 603)
Reliability analysis is not required for safety assessments because of the inherent safety features of the UFTR.

Clause 4.10 of IEEE Std. 603
"The critical points in time or the plant conditions, after the onset of a design basis event" (IEEE 603)
Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in the uncontrolled release of radiation.
Clause 4.10.1 of IEEE Std. 603
"The point in time or plant conditions for which the protective actions of the safety system shall be initiated"
Tables 5 and 6 show the conditions for interlocks, and automatic and manual initiation of the reactor trips, respectively.
Clause 4.10.2 of IEEE Std. 603
"The point in time or plant conditions that define the proper completion of the safety function" (IEEE 603)
Protective action is complete when either BDT or FT has been initiated. It is important to note that physical failure of the RTS does not cause an uncontrolled release of radiation. Indication of initiation shall be provided in the main control room (MCR).


Clause 4.10 of IEEE Std. 603 (contd)
Clause 4.10.3 of IEEE Std. 603
"The point in time or the plant conditions that require automatic control of protective actions" (IEEE 603)
No automatic control is required following the RTS initiation.
Clause 4.10.4 of IEEE Std. 603
"The point in time or the plant conditions that allow returning a safety system to normal" (IEEE 603)
Plant conditions return to normal once enough valid signals are available to continue operation of the UFTR. Signals whose values are within the LSSS ranges are considered valid and are provided in Clause 4.4.
 
Clause 4.11 of IEEE Std. 603
"The equipment protective provisions that prevent the safety systems from accomplishing their safety functions" (IEEE 603)
No safety functions shall be disabled as a means for protective provisions.
Clause 4.12 of IEEE Std. 603
"Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria)" (IEEE 603)
Because the proposed system contains digital instrumentation and controls, D3 among system components is analyzed. The issue of SWCCF amongst digital equipment is addressed.
The proposed monitoring train offers signal diversity, and the protection system includes system diversity.
 
D3 Analysis
Echelon of Defense
Because of the aforementioned unique features of the UFTR, the four echelons of defense (NUREG/CR-6303) reduce to three as follows:
Control System
Reactor Trip System (RTS)
Monitoring and Indicator System (MIS)
Echelons of defense provide multiple barriers to radiation release for a reactor.
 
Design of the Protection System
The proposed system is divided into several blocks. It shall be credibly assumed that internal failure within these blocks will be contained.
TXS: Teleperm X-window Safety; T-3000: control system; and, MRS: Manual Reactor Scram
 
System block functions
System blocks address different combinations of the three echelons of defense
Block     Control System   RTS   MIS
MRS                        X
TXS       X                X     X
T-3000    X                      X
 
Interactions between blocks
All the signals within a train are input to both the TXS and T-3000 systems; this is important because, in case of failure of the TXS system (not known to the operator), the operator can identify the situation through the T-3000 displays and initiate the MRS.
TXS maintains a unidirectional communication with T-3000 through its Gateway (GW).
 
Diversity among system blocks
TXS vs T-3000
These systems, which are computer-based, have different hardware and software, resulting in monitoring diversity.
Manual Reactor Scram (MRS)
This block has an inherent diversity from the TXS.
 
Diversity - Echelons of Defense
Failure of MRS block
No impact on echelons of defense: TXS will initiate RTS. T-3000 and TXS will remain functioning as a MIS.
Failure of TXS block
No impact on echelons of defense: MIS echelon will only contain indication of failed TXS system (via T-3000) and therefore MRS will initiate RTS echelon.
Failure of T-3000 block
No impact on echelons of defense: RTS initiated via MRS.
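The single-block failure cases listed above can be checked mechanically, and the same model also gives the minimal sets of blocks that must fail together before an echelon is lost. The Python code below is an added example, not part of the UFTR presentation or its D3 analysis; the block-to-echelon map is this example's reading of the "System block functions" slide, and the `operator_needs_indication` option is a hypothetical stricter rule based on the statement that the operator identifies a TXS failure through the T-3000 displays before initiating the MRS.

```python
"""Block-failure analysis for the three UFTR echelons of defense (added example).

COVERAGE is this example's reading of the "System block functions" slide;
it is an assumption, not data taken from the UFTR D3 analysis document.
"""
from itertools import combinations

BLOCKS = ("MRS", "TXS", "T-3000")
ECHELONS = ("Control System", "RTS", "MIS")

# Block -> echelons it can serve (assumed reading of the slide's table).
COVERAGE = {
    "MRS": {"RTS"},
    "TXS": {"Control System", "RTS", "MIS"},
    "T-3000": {"Control System", "MIS"},
}


def surviving_echelons(failed, operator_needs_indication=False):
    """Map each echelon to the healthy blocks that still serve it.

    failed: block names assumed lost. A failure, including a common-cause
    failure, is taken to stay inside its block, as the slides state.
    operator_needs_indication: hypothetical stricter rule. MRS is initiated
    by the operator, so it only counts toward RTS while some healthy block
    still provides monitoring and indication.
    """
    failed = set(failed)
    unknown = failed - set(BLOCKS)
    if unknown:
        raise ValueError(f"unknown block(s): {sorted(unknown)}")
    healthy = [b for b in BLOCKS if b not in failed]
    serving = {e: [b for b in healthy if e in COVERAGE[b]] for e in ECHELONS}
    if operator_needs_indication and not serving["MIS"]:
        serving["RTS"] = [b for b in serving["RTS"] if b != "MRS"]
    return serving


def minimal_cut_sets(echelon, operator_needs_indication=False):
    """Smallest sets of failed blocks that leave `echelon` with no serving block."""
    cuts = []
    for size in range(1, len(BLOCKS) + 1):
        for combo in combinations(BLOCKS, size):
            candidate = set(combo)
            if any(cut <= candidate for cut in cuts):
                continue  # a smaller cut set already explains this loss
            if not surviving_echelons(candidate, operator_needs_indication)[echelon]:
                cuts.append(candidate)
    return cuts


def single_failure_report():
    """Return {failed block: {echelon: serving blocks}} for each single-block failure."""
    return {b: surviving_echelons({b}) for b in BLOCKS}


if __name__ == "__main__":
    for block, serving in single_failure_report().items():
        print(f"{block} failed -> {serving}")
    for echelon in ECHELONS:
        print(echelon, "cut sets:", [sorted(c) for c in minimal_cut_sets(echelon)])
    print("RTS cut sets with operator indication required:",
          [sorted(c) for c in minimal_cut_sets("RTS", True)])
```

Under the assumed map, every single-block failure leaves all three echelons served, which matches the slide; an echelon is lost only when two blocks fail together.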
 
Effect of Common-Cause Failure
Since the CCF is confined within a block, there is no impact on the echelons of defense.
Software errors and CCF are possible within the TXS block, but because of system diversity, these errors are not possible within the MRS block.
CCF amongst sensing equipment is possible across different sensors within the same train.
TXS processor has the necessary logic to identify the problem and initiate RTS.
 
CCF of different types
Type 1
This will not result in the loss of protection due to the signal diversity between sensing equipment.
Type 2
Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.
Type 3
Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.
Software CCF
Existence of the MRS, and the diversities between the TXS and T-3000 blocks are adequate for preventing a SWCCF across the protection system. In addition, loss of all protective functions does not cause any fuel failure and therefore no possibility of uncontrolled release of radioactivity.
 
Concluding Remarks on D3
The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure.
Vulnerability to CCF is adequately addressed by the proposed strategy primarily because of the design diversity that exists between the analog and digital means for initiating RTS.
The TXS system will also have improved reliability due to extensive signal diversity and possible redundancy of inputs.
As a final note, the analysis found that no failure of equipment or operator action/inaction can result in fuel failure and therefore uncontrolled release of radioactivity.
 
Planning & related documentations
The UFTR is using a previously-approved (under NRC evaluation) digital system, with appropriate modifications due to particular characteristics of the research reactor. According to ISG-6, the UFTR falls under Tier 2 application approach.
 
List of UFTR Documents
Ref: QA1-QAPP Attachment #4 List of UFTR Documents
#   Document ID      UFTR Documents
1   UFTR-QAP         UFTR QA Program
2   UFTR-QAP-01-P    Conduct of Quality Assurance
3   UFTR-QA1-QAPP    Quality Assurance Project Plan (QAPP)
4   UFTR-QA1-01      Software Quality Assurance Plan (SQAP)
5   UFTR-QA1-02      Software Configuration Management Plan (SCMP)
6   UFTR-QA1-03      Software Verification and Validation Plan (SVVP)
8   UFTR-QA1-05      Software Safety Plan (SSP)
9   UFTR-QA1-06.1    Software Test Plan - SIVAT Plan
10  UFTR-QA1-06.2    Factory Acceptance Test (FAT) Plan
11  UFTR-QA1-14      Safety System Design Basis
12  UFTR-QA1-100     Functional Requirements Specification (FRS)
13  UFTR-QA1-101.1   List of I/Os
14  UFTR-QA1-102.3   ID Coding
15  UFTR-QA1-103     Diversity and Defense-in-Depth (D3) Analysis
16  UFTR-QA1-104     Failure Modes Effect Analysis (FMEA)
17  UFTR-QA1-105     TELEPERM XS Cyber Security
18  UFTR-QA1-106     Reliability Analysis
19  UFTR-QA1-107     Safety Analysis
20  UFTR-QA1-108     Requirement Traceability Matrix
Reviewed by AREVA            Draft documents not reviewed
 
Quality Assurance Program
Ref: UFTR-QAP Quality Assurance Program for UFTR
Foreword to ANS Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):
"It must be noted that research reactors have two characteristics which affect the type of quality assurance program that should be applied to them, when compared to power reactors:
i) Reliability of most of the components of a research reactor does not affect the health and safety of the public since failure of the component generally shuts the system down and little else occurs.
ii) A typical research reactor operates on a limited budget with its continued existence dependent upon maintaining a low-cost, reliable operation.
Because of these inherent characteristics, the quality assurance program for research reactors is applied primarily to safety-related and important items and should be graded appropriately to be economically feasible."
 
Quality Assurance Program
Ref: UFTR-QAP Quality Assurance Program for UFTR
Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):
2.1 Organization
"It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions."
"(a) quality is achieved and maintained by those who have been assigned responsibility for performing the work; (b) quality achievement is verified by persons not directly performing the work"
2.3.3 Design verification
"Design verification shall be performed by competent individuals or groups other than those who performed the design, but who may be from the same organization."

Verification and Validation (V&V)
Ref: UFTR-QA1-03, Software Verification and Validation Plan
UFTR Digital Control System Upgrade Project - Organization
Management
Project Manager: Prof. Alireza Haghighat
Project Coordinator: Dr. Gabriel Ghita, RS
QA
Auditor: Dr. William Van Dyke
CCB
Prof. A. Haghighat; Dr. G. Ghita, RS; Prof. Glenn Sjoden; Prof. James Baciak; Brian Shea, RM
IV&V
Lead: Prof. Edward Dugan; Prof. Mark Harrison; Prof. DuWayne Schubring; George Fekete, UG
System Design & Analysis
Lead: Prof. A. Haghighat; Dr. Gabriel Ghita, RS; Prof. James Baciak; Daniel Lago, UG; Steven Brown, UG
Software Development
Lead: Prof. Glenn Sjoden; Co-lead: Dr. G. Ghita, RS; Prof. A. Haghighat; Matt Marzano, GR; Jennifer Musgrave, UG
Hardware & Installation
Lead: Prof. Jim Baciak; Co-lead: Brian Shea, RM; Prof. Mark Harrison; Matt Berglund, SRO; Andrew Holcomb, UG
CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student

Verification and Validation
Ref: UFTR-QA1-03, Software Verification and Validation Plan
: 1. Independence of the V&V organization (management, schedule, and finance)
Based on our organization size and limited resources, we have selected the third (i.e., Internal IV&V) form of independence as described in IEEE-1012-1998. In this form of independence, the development and IV&V personnel are from the same organization.
In our project, the IV&V personnel are not involved in the development, they have managerial independence, and the major portion of their budget is independent of the developer's budget.
: 2. The number of the V&V personnel
Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):
2.1 Organization
"It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions."
: 3. The results of the V&V effort are to be fully and carefully documented, and that each of the discrepancies be documented in a report that includes how they were resolved, tested, and accepted by the V&V organization.
: 4. Software Integrity Level (SIL)
The unique safety features of the UFTR allow the use of the V&V software integrity level 1 as described in IEEE 1012-1998. The following table provides the required tasks for different SI levels.


TXS Equipment changes
The new generation of the TXS equipment is very similar to the previous generation.
SVE2 processor has not changed
Analog and digital I/O modules have the same functionality and they will be used in compatibility mode
Communication lines have improved and have larger data throughput
QDS, SU, and GW are the same as previous generation

Discussion on the two-train option
The proposed UFTR protection and control system includes three main components:
TXS digital protection system
T-3000 digital system for monitoring and indication, and control
Manual Reactor Scram (MRS) system which is invoked by the operator for initiating of RTS
Similar to the current UFTR license, we intend to apply for a one-train safety system. This train, however, includes various signals (from NIs and sensors) which provide an added benefit of signal diversity. (The old system includes only NIs with no diversity.)
We are exploring the possibility of adding a redundant train for the purpose of testing and training of hardware and software

Proposed Schedule
Date | Task | Phase
Sept 2008 - Oct 2009 | Preparation of QA and planning documentations; Preliminary design and analysis; Training of personnel on TXS and T-3000 systems; Design, analysis and manufacturing of a new piping system |
Oct. 16, 2009 | Presentation of the preliminary design and analysis and related documentations to the NRC | 0
Oct 16 - Dec. 2009 | NRC decision on the proposed design and planning; Installation of the new piping system, testing and analysis of the system; Initiate installation of new Nuclear Instrumentations (NIs) and sensors |
January 2010 | Submittal of preliminary documentations to the NRC | 1
Jan - March 2010 | Review and preparation of Request for Additional Information (RAI) by the NRC; Installation and testing of NIs and sensors |
March - June 2010 | Resolution of the NRC RAIs; Installation, testing and benchmarking of NIs and sensors |
July 2010 | Completion and submittal of documentations for the detailed design | 2
July - Sept 2010 | Review and preparation of RAIs by the NRC; Initiate preparation of training documentations |
Sept - Dec 2010 | Resolution of the NRC RAIs, Initiate Manufacturing |
Jan - March 2011 | Manufacturing |
March - April 2011 | Factory Testing |
April - May 2011 | Installation |
May - June 2011 | Integration testing and preparation of final documentations on FAT, post-installation, operations and training | 3
}}
}}

Revision as of 00:15, 14 November 2019

10/16/2009 University of Florida Phase 0 Presentation
ML093230647
Person / Time
Site: 05000083
Issue date: 12/22/2009
From: Ghita G, Haghighat A
Univ of Florida
To:
NRC/NRR Adams Working Group
Hardesty, D NRC/NRR/DPR/PRTA 415-3724
References
Download: ML093230647 (77)


Text

Presentation on UFTR Licensing Amendment Application (Phase 0)

Alireza Haghighat FP&L Professor UFTR Director

&

Gabriel Ghita Research Scientist Project Coordinator Nuclear & Radiological Engineering Department University of Florida Gainesville, Florida For presentation to the NRC, Washington DC, Oct. 16, 2009

Outline
- Introduction to the reactor design
- Core, primary loop, secondary loop, reactor cell, confinement
- Accident scenarios
- Current I&C design
- Features
- Licensing requirement
- Introduction to the UF Team, their functions, and support teams from AREVA & Siemens
- Proposed TXS Protection System
- Safety System Design Basis
- D3 Analysis (considering Design Basis changes)
- Introduction to plans
- QAP
- V&V
- Discussion on TXS Equipment
- Possibility of installation of a redundant Train for testing, benchmarking and training
- Proposed schedule

UFTR timelines
- Established in 1959 with a power of 10 kW
- In 1963, its power was increased to 100 kW
- In 1970, its fuel was changed from LEU to HEU
- In Sept. 2006, its fuel was changed from HEU to LEU

[Figure: Schematic of UFTR (axial projection); labels: Shield Tank, Graphite, Core]

[Figure: Schematic of UFTR (horizontal projection)]

[Figure: UFTR Core]

[Figure: UFTR Core; labels: S1, S2, S3, RG, Fuel box, Control blade, Graphite]

Fuel Plate Characteristics LEU Fuel Type U3Si2-Al Fuel Meat Size Width (cm)

Thickness (cm)

Height (cm)

Fuel Plate Size Width (cm)

Thickness (cm)

Height (cm)

Cladding material 6061 Al Cladding Thickness (cm)

Fuel Enrichment (nominal) 19.75%

Meat Composition (wt% U)

Mass of 235U per Plate (nominal)

Number of Plates per Fuel Bundle

Core at critical condition - Fuel pattern and blade positions

[Figure labels: Safety 1, at 26.3 degrees; Safety 2, at 26.3 degrees; Safety 3, at 26.3 degrees; Regulating, at 16.9 degrees; Dummy bundle; 10 fuel plates & 3 Dummy plates]

[Figure: Total neutron flux distribution]

[Figure: Bundle power distribution (kW); Schematic of the core]

Core Lifetime
Expected end-of-life LEU core with fuel burnup of ~86.67 MWD; this is based on a full-power operation time of 4 hr/day, 5 day/week, 20 years.

[Figure: UFTR Core (including locations of sensing devices). Legend: RTD; L - Level Indicator; Fission Chamber/BF3; Flowmeter; Ion Chamber; Closed Valve (Normal Operation); NI; Primary Flow. Labels: From Demineralizer Loop, Dump Valve, Rupture Disk, Heat Exchanger, Secondary Storage Well, Air Bleed Valve, To Demineralizer Loop, Coolant Storage Tank, To Secondary Side]

[Figure 5: 20 mil tolerance on Water Channel Spacing and 0.065" Repositioning of Each Assembly Due to Combs. Axes: True Reactor Power, kW versus True Coolant Flow Rate, gpm; curves for Tin = 86 °F, 100 °F and 110 °F. Power annotations: True Max. Power: 125 kW; LSSS Power: 119 kW; Max Operating Power: 100 kW. Operating region for Max. Inlet Temp. = 100 °F: True Minimum Flow Rate: 39 gpm; LSSS Flow Rate: 41 gpm; Operating Flow Rate: 48 gpm. Operating region for Max. Inlet Temp. = 110 °F: True Minimum Flow Rate: 43 gpm; LSSS Flow Rate: 45 gpm; Operating Flow Rate: 52 gpm.]

UFTR Control Parameters and Settings

Parameter | True Limit | LSSS | Operating Values
Power (kW) | 125 | 119 | 100
Inlet Flow Rate (gpm) | 34 | 36 | 43
Inlet Temperature (F) | 100 | 99 | 80
Outlet Temperature (F) | 165 | 155 | 95

Accident Scenarios & Analysis

Accident Scenarios

A rapid insertion of 0.6% k/k reactivity.

This scenario represents the reactivity insertion resulting from the rapid ejection of the maximum worth of all moveable and non-secured experiments from the reactor. Cases were analyzed both with and without reactor SCRAM.

A reactivity ramp insertion of 0.06% k/k/s for 10 seconds.

This scenario represents the insertion of reactivity due to control blade withdrawal at the maximum rate allowed by the UFTR Technical Specifications. This accident is assumed to be terminated by reactor SCRAM.

A rapid insertion of 0.6% k/k reactivity with scram (fresh fuel)

Power | 100 kW | 100 kW | 100 kW | 100 kW
Steady State Condition | 43 gpm, Tin=86 °F | 34 gpm, Tin=86 °F | 34 gpm, Tin=109 °F | 43 gpm, Tin=86 °F
Blade Drop Time (s) | 1.0 | 1.0 | 1.0 | 1.5
Time to Peak Power (s) | 0.14 | 0.14 | 0.14 | 0.14
Peak Power (kW) | 316 | 316 | 316 | 318
Tfuel(max) at Peak Power (°C) | 51.9 | 54.4 | 66.7 | 51.9
Tfuel(max) (°C) | 52.2 | 54.8 | 67.0 | 52.5
Tclad(max) (°C) | 52.2 | 54.7 | 67.0 | 52.5
Tcoolmax (°C) | 44.6 | 47.6 | 59.9 | 44.6

A rapid insertion of 0.6% k/k reactivity with scram (depleted fuel)

Power | 100 kW | 100 kW | 100 kW | 100 kW
Steady State Condition | 43 gpm, Tin=86 °F | 34 gpm, Tin=86 °F | 34 gpm, Tin=109 °F | 43 gpm, Tin=86 °F
Blade Drop Time (s) | 1 | 1 | 1 | 1.5
Time to Peak Power (s) | 0.14 | 0.14 | 0.14 | 0.15
Peak Power (kW) | 322 | 322 | 322 | 328
Tfuel(max) at Peak Power (°C) | 52 | 54.8 | 67 | 52.1
Tfuel(max) (°C) | 52.6 | 55.3 | 67.5 | 52.6
Tclad(max) (°C) | 52.6 | 55.3 | 67.5 | 52.5
Tcoolmax (°C) | 44.5 | 47.5 | 59.8 | 44.5

A rapid insertion of 0.6% k/k reactivity without scram (fresh fuel)

Power | 100 kW | 100 kW | 100 kW
Steady State Condition | 43 gpm, Tin=86 °F | 34 gpm, Tin=86 °F | 34 gpm, Tin=109 °F
Time to Peak Power (s) | 2.48 | 2.44 | 2.30
Peak Power (kW) | 1199 | 1186 | 1112
Tfuel(max) at Peak Power (°C) | 95 | 95 | 100
Tfuel(max) (°C) | 107 | 108 | 109
Tclad(max) (°C) | 107 | 108 | 109
Tcoolmax (°C) | 101 | 101 | 102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A rapid insertion of 0.6% k/k reactivity without scram (depleted fuel)

Power | 100 kW | 100 kW | 100 kW
Steady State Condition | 43 gpm, Tin=86 °F | 34 gpm, Tin=86 °F | 34 gpm, Tin=109 °F
Time to Peak Power (s) | 2.36 | 2.32 | 2.19
Peak Power (kW) | 1337 | 1321 | 1235
Tfuel(max) at Peak Power (°C) | 96 | 96 | 101
Tfuel(max) (°C) | 108 | 109 | 110
Tclad(max) (°C) | 108 | 109 | 110
Tcoolmax (°C) | 101 | 101 | 102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time the coolant reaches the saturation temperature and boiling occurs in the uppermost nodes of the coolant channel; the negative coefficient of reactivity will shut down the reactor.

A slow insertion of 0.06% k/k/s reactivity with scram (fresh fuel)

Power | 100 kW | 100 kW | 100 kW | 100 kW
Steady State Condition | 43 gpm, Tin=86 °F | 34 gpm, Tin=86 °F | 34 gpm, Tin=109 °F | 43 gpm, Tin=86 °F
Blade Drop Time (s) | 1.0 | 1.0 | 1.0 | 1.5
Time to Peak Power (s) | 2.22 | 2.22 | 2.22 | 2.22
Peak Power (kW) | 127 | 127 | 127 | 127
Tfuel(max) at Peak Power (°C) | 52.1 | 54.6 | 66.8 | 52.1
Tfuel(max) (°C) | 52.1 | 54.6 | 66.8 | 52.1
Tclad(max) (°C) | 52.0 | 54.6 | 66.8 | 52.0
Tcoolmax (°C) | 44.6 | 47.6 | 60.0 | 44.6

A slow insertion of 0.06% k/k/s reactivity with scram (depleted fuel)

Power | 100 kW | 100 kW | 100 kW | 100 kW
Steady State Condition | 43 gpm, Tin=86 °F | 34 gpm, Tin=86 °F | 34 gpm, Tin=109 °F | 43 gpm, Tin=86 °F
Blade Drop Time (s) | 1 | 1 | 1 | 1.5
Time to Peak Power (s) | 0.14 | 0.14 | 0.14 | 0.15
Peak Power (kW) | 322 | 322 | 322 | 328
Tfuel(max) at Peak Power (°C) | 52 | 54.8 | 67 | 52.1
Tfuel(max) (°C) | 52.6 | 55.3 | 67.5 | 52.6
Tclad(max) (°C) | 52.6 | 55.3 | 67.5 | 52.5
Tcoolmax (°C) | 44.5 | 47.5 | 59.8 | 44.5

LOCA during full power operation

The increase in fuel temperature following a LOCA results in shutdown of the reactor,
- either by the negative void coefficient of reactivity,
- or by the insertion of control blades into the reactor.

In both cases, the fuel temperature will increase by less than 17 °C (30 °F).

Sudden insertion of maximum excess reactivity of 1.4% k/k results in an energy release of <6.1 MW and a cladding temperature of <300 C.

Maximum Hypothetical Accident (MHA)

Fuel Handling Accident (FHA)

It is postulated that because of severe mechanical damage, the aluminum cladding is stripped from one fuel plate; it is assumed that 2.7% of the total volatile activity instantaneously escapes from the fuel plate into the reactor cell.

Estimated occupational and public doses are smaller by several orders of magnitude relative to exposure limits.

Current UFTR Analog I&C and Operations

[Figure: current UFTR analog I&C; labels: ARM, Indicators, WLM, FRM, (RTS, manual), Shutdown, TC, Electrical Monitoring, One Safety Train]

Shutdown Mechanisms

Automatic
- Blade Drop (BD) - Clutch current control
- Dump valve (DV) - Solenoid current control

Manual
- Indicators (sirens, monitors & displays) followed by operator's manual actions: BD and/or DV

Passive
- NEGATIVE coolant void and temperature coefficient of reactivity

Unique Features

Facts
- Low power (the peak power per bundle = 5 kW)
- Low fuel temperature (~50 C)
- Negative coefficients of reactivity; Example: Even for an unprotected insertion of 0.6% k/k, the peak fuel temperature is ~108 C (fuel melting point is 582 C)

Results
- Under regular conditions, reactor can be shut down by dumping the coolant
- No need for Engineered Safety Features Actuation System (ESFAS)
- One-train protection and control system
- No protection for single failure is needed

Introduction of the UF Team, their functions, and support teams from AREVA & Siemens

Project Organization UFTR UFTR Digital Control System Upgrade Project - Organization QA Management IV&V Auditor: Project Manager Lead:

William Van Prof. Alireza Haghighat Prof. Edward Dugan e Project Coordinator Dr. Gabriel Ghita, RS Prof. Mark Harrison CCB: Prof. DuWayne

f. A. Haghighat System Design & Analysis Software Development Hardware & Installation Schubring G. Ghita, RS George Fekete. UG
f. Glenn Sjoden Lead: Prof. A. Haghighat Lead: Prof. Glenn Sjoden Lead: Prof. Jim Baciak
f. James Baciak Dr. Gabriel Ghita, RS Co-lead: Dr. G. Ghita, RS Co-lead: Brian Shea, RM an Shea, RM Prof. James Baciak Prof. A. Haghighat Prof. Mark Harrison Daniel Lago, UG Matt Marzano, GR Matt Berglund, SRO Steven Brown, UG Jennifer Musgrave, UG Andrew Holcomb, UG CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student 30

AREVA Corporate Sponsor AREVA PM UFTR PM Mehdi Tadjalli Eric Wallace Dr. Alireza Haghighat mbH PM Training AREVA PE Herbert Mike Fillian Sean Kelley ussbaumer UFTR Organization mens PM QA Manager Licensing Support AREVA Oldrich Mark Milo Mark Burzynski Project lokocka Team SW Lead Engineer HW Lead Engineer Jason Reed Ryan Nash Installation Support TBD 31

Proposed TXS Protection System The TXS system block consists of hardware and software that provide for the protection, control, indication, and monitoring.

Current licensed UFTR protection and control system utilizes one train, which contains two sets of nuclear instrumentation that have to be operational simultaneously for a complete coverage of reactor power.

Similar to the current UFTR protection and control system, we propose a one-train system which includes signal diversity; it is capable of identifying invalid signals and their diverse signals.

It is worth noting we are also considering a two-train design (i.e., with two levels of redundancy) for training, education and research purposes.

The figure below depicts the TXS system (with two trains), which comprises the following components:

Acquisition and Processing (AQP)

Voter - Voting and Actuation (VT) (needed for the two-train design)

Main Control Room (MCR)

Monitoring Service Interface (MSI)

[Figure: Proposed TXS Protection System, with the T-3000 control system. Legend: AQP: Acquisition and Processing; VT: Voter; MSI: Monitoring and Service Interface; QDS: Qualified Display System; SU: Service Unit; GW: Gateway; RTS: Reactor Trip System]

Safety System Design Basis Here, we discuss the changes to be considered for the UFTR Design Basis due to the digital protection system upgrade.

To facilitate this discussion, we will utilize the IEEE-603 Design Basis clauses.

Clause # | Clause | Comment
4-1 | The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event. | no change
4-2 | The safety functions and corresponding protective actions of the execute features for each design basis event. | no change
4-3 | The permissive conditions for each operating bypass capability that is to be provided. | N/A
4-4 | The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured. | change
4-5 | The protective actions identified in clause 4-2 that may be controlled by manual means initially or subsequently to initiation. | no change
4-6 | For those variables in clause 4-4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes. | change
4-7 | The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform. | change
4-8 | The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems). | N/A
4-9 | The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design. | N/A
4-10 | The critical points in time or the plant conditions, after the onset of a design basis event. | change
4-11 | The equipment protective provisions that prevent the safety systems from accomplishing their safety functions. | no change
4-12 | Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria). | change

Clause 4.1 of IEEE Std. 603

The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event (IEEE-603)

The proposed protection system has two modes of operation, automatic and manual.

Below, for each Design Basis Event, the mode of system operation is provided:
- Loss-of-Coolant Accident (LOCA) during the full power operation (automatic)
- Slow Insertion of 0.06% k/k/s for 10 seconds (automatic)
- Sudden Insertion of the Maximum Allowed Excess Reactivity of 1.4% k/k (automatic)
- Sudden Insertion of the Maximum Allowed Reactivity of 0.6% k/k (automatic)
- Control Blade System Malfunction (manual)
- Loss of Power (manual)

List of Design Basis Events (Accidents)

Loss-of-Coolant Accident (LOCA)

LOCA will cause the loss of the valid flow rate meter (FRM) signal in the primary coolant loop, which will cause automatic initiation of BDT via TXS. Loss of coolant in the core due to the LOCA will also contribute to the safe shutdown of the UFTR as a result of the negative void coefficient of reactivity.

Reactivity insertion events
- Slow insertion of 0.06% k/k/s without scram
- Sudden Insertion of the Maximum Allowed Excess Reactivity (1.4% k/k)
- Sudden Insertion of the Maximum Allowed Reactivity (0.6% k/k)

The above reactivity events shall cause automatic initiation of FT via TXS when any NI signal becomes invalid due to high reactor power.

Control Blade System Malfunction

This anticipated operational occurrence shall be mitigated by opening the Dump Valve initiated by the MRS.

Loss of Power

Loss of Power directly causes BDT, thus no execute feature must be initiated during this event.

Clause 4.3 of IEEE Std. 603 The permissive conditions for each operating bypass capability that is to be provided (IEEE 603)

There is no need for an operating bypass for UFTR, thus there are no permissive conditions for this type of bypass.


Clause 4.4 of IEEE Std. 603 The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured (IEEE 603)

The existing analog protection system has four levels of protection for the design basis events:

- pre-operation check,

- monitoring,

- interlocks, and

- trip system.

For the new digital protection system, besides the aforementioned levels, we are considering signal diversity in order to protect the system against the Common Cause Failure.


Clause 4.4 of IEEE Std. 603 (contd)

Table 1 - List of components checked prior to reactor startup

Item | Component
1 | Core Vent
2 | Diluting Fan System
3 | Blade Gear Box
4 | Manometers and Magnetic Gage
5 | Portal Monitor
6 | Core Vent and Diluting Fan Systems
7 | Shield Water
8 | Demineralizer Pump
9 | Magnet Power Key
10 | Exterior lights
11 | Neutron recorder
12 | Primary Coolant Pump
13 | Source Alarm
14 | Primary Coolant Resistivity Determinations
15 | Blade Withdrawal Time Measurement
16 | Primary Coolant
17 | Magnet Power Key
18 | Log/linear recorder
19 | Equipment Pit Checkout and Gamma Radiation Levels
20 | Water Sample Analysis
21 | Air Particulate Detectors
22 | Radiation Monitor Console
23 | Secondary Water and Strainer
24 | Security System Monitors
25 | Complete Records

Table 2 - Description of Monitoring parameters during operations

Item | Parameter
1 | Main AC power line
2 | Primary and secondary coolant pump power
3 | Console power
4 | Core ventilation fan power
5 | Stack dilution fan
6 | Area radiation monitor
7 | Stack/vent monitor
8 | Air particulate

Table 3 - Description of Interlocks

ID | Description
1 | Inhibits attempt of simultaneous withdrawal of 2 or more safety blades (mode 2*)
2 | Inhibits attempt of withdrawal of regulating blade with a period (T) < 30 s (mode 2)
3 | Inhibits withdrawal of blades if the source count rate is < 2 cps (mode 1**)
4 | Inhibits withdrawal of blades if period (T) < 10 s (mode 1)
5 | Inhibits reactor operation if safety channels 1 & 2 are not operable (mode 1)

* Mode 2: Automatic control
** Mode 1: Manual Protection and Control

Table 4 List of conditions for trip

Condition | Type of Trip
Automatic |
Period 3 sec | FT*
Power 119 kW | FT
Loss of chamber high voltage (90%) | FT
Loss of electrical power to control console | FT
Primary cooling system: Loss of pump power; Low-water level in core ( 42.5"); No outlet flow; Low inlet water flow 41 gpm | BDT**
Secondary cooling system (at power levels > 1 kW): Loss of flow (well water 60 gpm,); Loss of pump power | BDT
High primary coolant inlet temperature 99° F | BDT
High primary coolant outlet temperature ( 155° F) | BDT
Shield tank - Low water level (6" below established normal level) | BDT
Ventilation system: Loss of power to dilution fan; Loss of power to core vent system | BDT
Manual |
Console key-switch OFF (two blades off bottom) | FT

* FT: Full Trip (including Dump Valve Trip and BDT)
** BDT: Blade drop Trip

Table 5. List of signals for each train of the proposed UFTR TXS system

Reactor Feature | Primary Mode of Detection | AI(c) | DI(d) | Segment of UFTR
High Power Level | *FC(a), IC(b) | 2 | - | Core
Reactor Period, Low Power Level | *BF3, IC | 2 | - | Core
Temperature | *Resistive TD | 10 | - | core, primary, secondary
Flow Rate | Flow Rate Monitor (FRM) | 2 | 2 | primary, secondary
Water Level | Water Level Monitor* (WLM) | 2 | 1 | Core, storage tank*, shield tank
Area Radiation Level | Area Radiation Monitor (ARM) | 4 | 4 | east, north, south, west*
Fan Availability | Fan Monitor (FM) | 1 | 2 | Core ventilation, stack dilution, stack dilution RPM

(a) Fission Chamber; (b) Ion Chamber; (c) AI, Analog Input; (d) DI, Digital Input
* Indicates a new monitoring device and/or location that shall be added in the proposed system

Table 6. Signal diversity within each train

Sensor/Monitor Core Primary Secondary Reactor Cell Confinement
FC+BF3 9 -

IC 9 -

RTD 9 - 9 - 9 -

FRM 9 - 9 - 9 -

WLM 9 - 9 -

ARM 9 - 9 -

FM 9 - 9 -


Clause 4.5 of IEEE Std. 603 The protective actions identified in Clause 4-2 that may be controlled by manual means initially or subsequently to initiation (IEEE 603)

Manual reactor scram (MRS) is available in the event that TXS fails to initiate RTS. Depression of the MRS button causes the control blade drive (clutch current control) to shut off, which allows the blades to drop into the core due to gravity.

The MRS button will also provide a HW and SW interrupt for the TXS system.

This event is referred to as a blade-drop trip (BDT). If the control blades do not function properly and the core overheats, the negative void and temperature coefficients will cause the core to go subcritical and shut down even without insertion of the control blades. Therefore, instrumentation is not an absolute necessity for shutting the UFTR down because of its inherent safety features.

Clause 4.5.1 of IEEE Std. 603 The points in time and the plant conditions during which manual control is allowed (IEEE 603)

Protective action may be initiated by manual means at any time during reactor operation.


Clause 4.5.2 of IEEE Std. 603 The justification for permitting initiation or control subsequent to initiation solely by manual means (IEEE 603)

Justification for permitting initiation by manual means lies in the fact that no action or inaction of the operator during a design basis event can result in the uncontrolled release of radioactivity.

Clause 4.5.3 of IEEE Std. 603 The range of environmental conditions imposed upon the operator during normal, abnormal, and accident conditions throughout which the manual operations shall be performed (IEEE 603)

Environmental conditions imposed upon the operator during normal, abnormal, and accident conditions shall not be of concern, since the worst-case accident scenario does not result in the release of radioactivity.

It is also important to note that the new main control room (MCR) will be isolated from the reactor cell.

Clause 4.5.4 of IEEE Std. 603 The variables in clause 4.4 that shall be displayed for the operator to use in taking manual action (IEEE 603)

All variables listed in Table 1 shall be displayed for the operator on the Qualified Display System (QDS) of the TXS protection system and the display of the T3000 control system.

The new system has an added qualified display, i.e., QDS.


Clause 4.6 of IEEE Std. 603 For those variables in item d) that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes (IEEE 603)

The number and locations of sensors required for protective purposes is provided in Table 1. Loss of all valid signals from any one of the five segments of the UFTR listed in Table 3 shall result in the safe shutdown of the UFTR via BDT.


Clause 4.7 of IEEE Std. 603 The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform (IEEE 603)

The existing UFTR control room is located within the reactor cell, which uses the same energy supply and environmental control.

The new TXS system components are located in the MCR, which is isolated from the reactor cell. The MCR receives power and air-conditioning that is independent from the reactor cell. Prevention of electromagnetic interference is achieved by the shielding effect of metallic front plates in each TXS cabinet. Thus, conditions within the MCR are not subject to change due to the UFTR transient or steady-state conditions.

Clause 4.8 of IEEE Std. 603 The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems) (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in affecting the integrity of the fuel, and therefore there is no uncontrolled release of radiation.


Clause 4.9 of IEEE Std. 603 The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design (IEEE 603)

Reliability analysis is not required for safety assessments because of the inherent safety features of the UFTR.

Clause 4.10 of IEEE Std. 603 The critical points in time or the plant conditions, after the onset of a design basis event (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in the uncontrolled release of radiation.

Clause 4.10.1 of IEEE Std. 603 The point in time or plant conditions for which the protective actions of the safety system shall be initiated

Tables 5 and 6 show the conditions for interlocks, and automatic and manual initiation of the reactor trips, respectively.

Clause 4.10.2 of IEEE Std. 603 The point in time or plant conditions that define the proper completion of the safety function (IEEE 603)

Protective action is complete when either BDT or FT has been initiated. It is important to note that physical failure of the RTS does not cause an uncontrolled release of radiation. Indication of initiation shall be provided in the main control room (MCR).

Clause 4.10 of IEEE Std. 603 (contd)

Clause 4.10.3 of IEEE Std. 603 The point in time or the plant conditions that require automatic control of protective actions (IEEE 603)

No automatic control is required following the RTS initiation.

Clause 4.10.4 of IEEE Std. 603 The point in time or the plant conditions that allow returning a safety system to normal (IEEE 603)

Plant conditions return to normal once enough valid signals are available to continue operation of the UFTR. Signals whose values are within the LSSS ranges are considered valid and are provided in Clause 4.4.

Clause 4.11 of IEEE Std. 603 The equipment protective provisions that prevent the safety systems from accomplishing their safety functions (IEEE 603)

No safety functions shall be disabled as a means for protective provisions.

Clause 4.12 of IEEE Std. 603 Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria) (IEEE 603)

Because the proposed system contains digital instrumentation and controls, D3 among system components is analyzed. The issue of SWCCF amongst digital equipment is addressed.

The proposed monitoring train offers signal diversity, and the protection system includes system diversity.

D3 Analysis

Echelon of Defense

Because of the aforementioned unique features of the UFTR, the four echelons of defense (NUREG/CR-6303) reduce to three as follows:
- Control System
- Reactor Trip System (RTS)
- Monitoring and Indicator System (MIS)

Echelons of defense provide multiple barriers to radiation release for a reactor.

Design of the Protection System

The proposed system is divided into several blocks. It shall be credibly assumed that internal failure within these blocks will be contained.

TXS: Teleperm X-window Safety; T-3000: control system; MRS: Manual Reactor Scram

System block functions

System blocks address different combinations of the three echelons of defense.

Block | Control System | RTS | MIS
MRS | | ✓ |
TXS | ✓ | ✓ | ✓
T-3000 | ✓ | | ✓

Interactions between blocks

All the signals within a train are input to both the TXS and T-3000 systems; this is important because, in case of failure of the TXS system (not known to the operator), the operator can identify the situation through the T-3000 displays and initiate the MRS.

TXS maintains a unidirectional communication with T-3000 through its Gateway (GW).

Diversity among system blocks TXS vs T-3000 These systems, which are computer-based, have different hardware and software, resulting in monitoring diversity Manual Reactor Scram (MRS)

This block has an inherent diversity from the TXS 60

Diversity - Echelons of Defense

Failure of MRS block
No impact on echelons of defense: TXS will initiate RTS. T-3000 and TXS will remain functioning as a MIS.

Failure of TXS block
No impact on echelons of defense: MIS echelon will only contain indication of failed TXS system (via T-3000) and therefore MRS will initiate RTS echelon.

Failure of T-3000 block
No impact on echelons of defense: RTS initiated via MRS.


Effect of Common-Cause Failure

Since the CCF is confined within a block, there is no impact on the echelons of defense.

Software errors and CCF are possible within the TXS block, but because of system diversity, these errors are not possible within the MRS block.

CCF amongst sensing equipment is possible across different sensors within the same train.

TXS processor has the necessary logic to identify the problem and initiate RTS.
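The single-block failure argument on the slides above can be checked mechanically by listing the minimal cut sets for each echelon. This is an added example, not part of the presentation or the UFTR design documents: it models only the RTS and MIS echelons, takes the block roles from the failure cases stated above, and assumes the MRS is credited only while an indication block survives for the operator.

```python
from itertools import combinations

BLOCKS = ("MRS", "TXS", "T-3000")

# Assumed model, read from the failure cases on the slides (not design data).
INDICATION = {"TXS", "T-3000"}  # blocks that function as MIS
AUTO_TRIP = {"TXS"}             # initiates RTS without operator action
MANUAL_TRIP = {"MRS"}           # initiates RTS only if the operator has indication


def surviving_echelons(failed):
    """Return the echelons still available when the blocks in `failed` are lost."""
    working = set(BLOCKS) - set(failed)
    echelons = set()
    operator_informed = bool(working & INDICATION)
    if operator_informed:
        echelons.add("MIS")
    if working & AUTO_TRIP or (working & MANUAL_TRIP and operator_informed):
        echelons.add("RTS")
    return echelons


def minimal_cut_sets(echelon):
    """Smallest sets of failed blocks that remove `echelon` (fault-tree cut sets)."""
    cuts = []
    for size in range(1, len(BLOCKS) + 1):
        for combo in combinations(BLOCKS, size):
            failed = frozenset(combo)
            if echelon in surviving_echelons(failed):
                continue
            # Keep a set only if no smaller cut set is contained in it.
            if not any(c < failed for c in cuts):
                cuts.append(failed)
    return cuts


def single_failure_report():
    """Map each single-block failure to the echelons that remain."""
    return {block: surviving_echelons({block}) for block in BLOCKS}


if __name__ == "__main__":
    for block, left in single_failure_report().items():
        print(f"{block} failed -> remaining echelons: {sorted(left)}")
    for echelon in ("RTS", "MIS"):
        cuts = [sorted(c) for c in minimal_cut_sets(echelon)]
        print(f"{echelon} minimal cut sets: {cuts}")
```

Every cut set in this model has two blocks, so the conclusion that no echelon is lost holds only while a CCF stays confined to one block, which is the role the slides assign to diversity.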


CCF of different types

Type 1
This will not result in the loss of protection due to the signal diversity between sensing equipment.

Type 2
Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.

Type 3
Signal diversity may mitigate this type of failure. However, because of unique design features of the UFTR, there is no need for ESFAS.

Software CCF
Existence of the MRS, and the diversities between the TXS and T-3000 blocks are adequate for preventing a SWCCF across the protection system. In addition, loss of all protective functions does not cause any fuel failure and therefore no possibility of uncontrolled release of radioactivity.


Concluding Remarks on D3

The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure.

Vulnerability to CCF is adequately addressed by the proposed strategy primarily because of the design diversity that exists between the analog and digital means for initiating RTS.

The TXS system will also have improved reliability due to extensive signal diversity and possible redundancy of inputs.

As a final note, the analysis found that no failure of equipment or operator action/inaction can result in fuel failure and therefore uncontrolled release of radioactivity.


Planning & related documentation

The UFTR is using a previously-approved (under NRC evaluation) digital system, with appropriate modifications due to particular characteristics of the research reactor. According to ISG-6, the UFTR falls under the Tier 2 application approach.

Ref: QA1-QAPP Attachment #4

List of UFTR Documents

No. Document ID: UFTR Documents
1. UFTR-QAP: UFTR QA Program
2. UFTR-QAP-01-P: Conduct of Quality Assurance
3. UFTR-QA1-QAPP: Quality Assurance Project Plan (QAPP)
4. UFTR-QA1-01: Software Quality Assurance Plan (SQAP)
5. UFTR-QA1-02: Software Configuration Management Plan (SCMP)
6. UFTR-QA1-03: Software Verification and Validation Plan (SVVP)
8. UFTR-QA1-05: Software Safety Plan (SSP)
9. UFTR-QA1-06.1: Software Test Plan - SIVAT Plan
10. UFTR-QA1-06.2: Factory Acceptance Test (FAT) Plan
11. UFTR-QA1-14: Safety System Design Basis
12. UFTR-QA1-100: Functional Requirements Specification (FRS)
13. UFTR-QA1-101.1: List of I/Os
14. UFTR-QA1-102.3: ID Coding
15. UFTR-QA1-103: Diversity and Defense-in-Depth (D3) Analysis
16. UFTR-QA1-104: Failure Modes Effect Analysis (FMEA)
17. UFTR-QA1-105: TELEPERM XS Cyber Security
18. UFTR-QA1-106: Reliability Analysis
19. UFTR-QA1-107: Safety Analysis
20. UFTR-QA1-108: Requirement Traceability Matrix

Reviewed by AREVA
Draft documents not reviewed

Quality Assurance Program
Ref: UFTR-QAP, Quality Assurance Program for UFTR

Foreword to ANS Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

It must be noted that research reactors have two characteristics which affect the type of quality assurance program that should be applied to them, when compared to power reactors:

i) Reliability of most of the components of a research reactor does not affect the health and safety of the public since failure of the component generally shuts the system down and little else occurs.

ii) A typical research reactor operates on a limited budget with its continued existence dependent upon maintaining a low-cost, reliable operation.

Because of these inherent characteristics, the quality assurance program for research reactors is applied primarily to safety-related and important items and should be graded appropriately to be economically feasible.


Quality Assurance Program
Ref: UFTR-QAP, Quality Assurance Program for UFTR

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization
It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions.

(a) quality is achieved and maintained by those who have been assigned responsibility for performing the work; (b) quality achievement is verified by persons not directly performing the work

2.3.3 Design verification
Design verification shall be performed by competent individuals or groups other than those who performed the design, but who may be from the same organization.


Ref: UFTR-QA1-03, Software Verification and Validation Plan

1. Independence of the V&V organization (management, schedule, and finance)

Based on our organization size and limited resources, we have selected the third (i.e., Internal IV&V) form of independence as described in IEEE-1012-1998. In this form of independence, the development and IV&V personnel are from the same organization.

In our project, the IV&V personnel are not involved in the development, they have managerial independence, and the major portion of their budget is independent of the developers' budget.

UFTR Digital Control System Upgrade Project - Organization

[Organization chart: QA Management; IV&V; Project Manager; Project Coordinator; CCB; System Design & Analysis; Software Development; Hardware & Installation]

CCB=Configuration Control Board, IV&V=Independent Verification & Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager, SRO=Senior Reactor Operator, UG=Undergraduate Student

Ref: UFTR-QA1-03, Software Verification and Validation Plan

2. The number of the V&V personnel

Quality Assurance Program Requirements for Research Reactors, ANSI/ANS-15.8-1995 (reaffirmed 2005):

2.1 Organization
It is recognized that for most research reactor facilities, the organization is small, with its personnel performing multiple functions.

3. The results of the V&V effort are to be fully and carefully documented, and each of the discrepancies is to be documented in a report that includes how they were resolved, tested, and accepted by the V&V organization.

4. Software Integrity Level (SIL)

The unique safety features of the UFTR allow the use of the V&V software integrity level 1 as described in IEEE 1012-1998. The following table provides the required tasks for different SI levels.


TXS Equipment changes

The new generation of the TXS equipment is very similar to the previous generation.

SVE2 processor has not changed

Analog and digital I/O modules have the same functionality and they will be used in compatibility mode

Communication lines have improved and have larger data throughput

QDS, SU, and GW are the same as previous generation

Discussion on the two-train option

The proposed UFTR protection and control system includes three main components:

TXS digital protection system

T-3000 digital system for monitoring and indication, and control

Manual Reactor Scram (MRS) system which is invoked by the operator for initiating of RTS

Similar to the current UFTR license, we intend to apply for a one-train safety system. This train, however, includes various signals (from NIs and sensors) which provide an added benefit of signal diversity. (The old system includes only NIs with no diversity.)

We are exploring the possibility of adding a redundant train for the purpose of testing and training of hardware and software.

Date: Task (Phase)

Sept 2008 - Oct 2009: Preparation of QA and planning documentations; Preliminary design and analysis; Training of personnel on TXS and T-3000 systems; Design, analysis and manufacturing of a new piping system

Oct. 16, 2009: Presentation of the preliminary design and analysis and related documentations to the NRC (Phase 0)

Oct 16 - Dec. 2009: NRC decision on the proposed design and planning; Installation of the new piping system, testing and analysis of the system; Initiate installation of new Nuclear Instrumentations (NIs) and sensors

January 2010: Submittal of preliminary documentations to the NRC (Phase 1)

Jan - March 2010: Review and preparation of Request for Additional Information (RAI) by the NRC; Installation and testing of NIs and sensors

March - June 2010: Resolution of the NRC RAIs; Installation, testing and benchmarking of NIs and sensors

July 2010: Completion and submittal of documentations for the detailed design (Phase 2)

July - Sept 2010: Review and preparation of RAIs by the NRC; Initiate preparation of training documentations

Sept - Dec 2010: Resolution of the NRC RAIs, Initiate Manufacturing

Jan - March 2011: Manufacturing

March - April 2011: Factory Testing

April - May 2011: Installation

May - June 2011: Integration testing and preparation of final documentations on FAT, post-installation, operations and training (Phase 3)