ML17172A638: Difference between revisions

From kanterella
(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
 
Line 484: Line 484:
3.7 System Security The replacement system vendor shall employ a security scheme to protect the replacement system from accidental or malicious access, use, modification and/or destruction.
3.7 System Security The replacement system vendor shall employ a security scheme to protect the replacement system from accidental or malicious access, use, modification and/or destruction.
3.7.1 Cyber Security
3.7.1 Cyber Security
    *                                                    .
* All USB ports shall have                                            .
* All USB ports shall have                                            .
    *
* Workstation:
* Workstation:
o Shall have individual user accounts, where each account is limited to functions required by the specific user.
o Shall have individual user accounts, where each account is limited to functions required by the specific user.
Rev. 4                                      Page 37 of 43                          PUR1-FRS-001
Rev. 4                                      Page 37 of 43                          PUR1-FRS-001


PUR-1                Functional Requirements Specification
PUR-1                Functional Requirements Specification Rev. 4 Page 38 of 43                      PUR1-FRS-001
* Rev. 4 Page 38 of 43                      PUR1-FRS-001


PUR-1                                                    Functional Requirements Specification 4 PUR-1 Testing and Inspection Requirements 4.1 System Test Capabilities The system design requirements for testing are as follows:
PUR-1                                                    Functional Requirements Specification 4 PUR-1 Testing and Inspection Requirements 4.1 System Test Capabilities The system design requirements for testing are as follows:
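Review bot: in the 3.7.1 Cyber Security lines, the USB-port requirement still reads "All USB ports shall have ." with no control named, and the bullets beside it are empty, so nothing in this requirement can be verified as written. If the text is withheld, mark it explicitly (for example "[withheld]") so a blank bullet is not mistaken for an extraction loss.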

Latest revision as of 17:08, 4 February 2020

Purdue University Research Reactor - PUR1-FRS-001, Revision 4, Reactor Protection / Control System Replacement Project, Functional Requirements Specification
ML17172A638
Person / Time
Site: Purdue University
Issue date: 09/30/2016
From: Bramlette D, Schlottke B
Curtiss-Wright Corp, Mirion Technologies Corp, Purdue University, SCIENTECH
To:
Office of Nuclear Reactor Regulation
Shared Package
ML17172A634 List:
References
PUR1-FRS-001, Rev. 4
Download: ML17172A638 (43)


Text

Purdue University Research Reactor PUR-1 Reactor Protection / Control System Replacement Project Functional Requirements Specification Revision 4 September 2016 Document - PUR1-FRS-001 Copyright 2015, 2016 by Curtiss-Wright. All rights reserved.

PUR1-FRS-001 - Functional Requirements Spec Rev 4

PUR-1 Functional Requirements Specification

Legal Notice

This document has been prepared by Scientech, a business unit of Curtiss-Wright Corporation - Nuclear Division, in accordance with the agreement between Mirion Technologies and Purdue University. This document has been prepared under the following constraints: (1) Scientech prepared this document subject matter to the scope, budgetary, and time constraints of the client; (2) information and data provided by others may not have been independently verified by Scientech; and (3) the information and data contained in this document are time sensitive, therefore changes in the data, codes, standards, and engineering practices may invalidate portions of this document. Any use of this document by external parties shall be at their own risk.

Rev. 4 Page 2 of 43 PUR1-FRS-001

Revision Page

| Document Revision Number | Author(s) | Reviewer(s) | Approver(s) | Date | Comments |
|---|---|---|---|---|---|
| 0 | Scientech: Dennis Bramlette; Mirion: Benjamin Schlottke | Scientech: Robert Ammon; Mirion: David Brcker | Scientech: Laura Kinghorn; Mirion: Benjamin Schlottke | January 2016 | Initial Revision |
| 1 | Scientech: Dennis Bramlette; Mirion: Benjamin Schlottke | Scientech: Robert Ammon; Mirion: David Brcker | Scientech: Laura Kinghorn; Mirion: Benjamin Schlottke | March 2016 | Updated based on customer comments |
| 2 | Scientech: Dennis Bramlette; Mirion: Benjamin Schlottke | Scientech: Robert Ammon; Mirion: David Brcker | Scientech: Laura Kinghorn; Mirion: Benjamin Schlottke | June 2016 | Updated based on customer comments as well as solution modifications |
| 3 | Scientech: Dennis Bramlette; Mirion: Benjamin Schlottke | Scientech: Robert Ammon; Mirion: David Brcker | Scientech: Laura Kinghorn; Mirion: Benjamin Schlottke | August 2016 | Updated to as-built configuration |
| 4 | Scientech: Dennis Bramlette; Mirion: Benjamin Schlottke | Scientech: Robert Ammon; Mirion: David Brcker | Scientech: Laura Kinghorn; Mirion: Benjamin Schlottke | September 2016 | As-built clarifications |

Document Approval(s)

| Document Revision Number | Purdue University Approved By | Date |
|---|---|---|
| 1 | Clive H. Townsend | March 17, 2016 |
| 2 | Clive H. Townsend | |
| 3 | Clive H. Townsend | |
| 4 | | |

TABLE OF CONTENTS

1 INTRODUCTION
  1.1 Project Description and Background
  1.2 Purpose
  1.3 Definitions, Acronyms and Abbreviations
    1.3.1 Definitions
    1.3.2 Acronyms and Abbreviations
  1.4 References
  1.5 System Overview
2 PUR-1 REACTOR
  2.1 Background
  2.2 Reactor Design
    2.2.1 Reactor Core
    2.2.2 Fuel
    2.2.3 Rod Drive System
3 PUR-1 SYSTEM REQUIREMENTS
  3.1 Physical Requirements
    3.1.1 Environmental
    3.1.2 Electrical Requirements
  3.2 Reactor Protection System Requirements
    3.2.1 SCRAM Initiating Conditions
    3.2.2 Setback
    3.2.3 Alarm Requirements
  3.3 Reactor Control System Requirements
    3.3.1 System Functions
    3.3.2 Operator Interface
    3.3.3 Alarm Requirements
    3.3.4 Data Historian / Recording Requirements
  3.4 Neutron Detection System Requirements
    3.4.1 Channel 1 - Startup Channel
    3.4.2 Channel 2 - Log N and Period Channel
    3.4.3 Channel 3 - Linear Power
    3.4.4 Channel 4 - Safety Channel
  3.5 External Systems
    3.5.1 HVAC System
    3.5.2 Radiation Monitoring System
    3.5.3 Reactor Makeup Water System
    3.5.4 Power Conditioning System
    3.5.5 Reactor Room Pressure Differential Monitoring System
  3.6 System Operations
    3.6.1 Human Factors Requirements
    3.6.2 System Maintainability
  3.7 System Security
    3.7.1 Cyber Security
4 PUR-1 TESTING AND INSPECTION REQUIREMENTS
  4.1 System Test Capabilities
  4.2 Factory Acceptance Test Requirements
  4.3 Software & Control Algorithm Requirements
  4.4 Site Acceptance Test Requirements
5 PUR-1 CONFIGURATION MANAGEMENT REQUIREMENTS
6 NUCLEAR REGULATORY COMMISSION LICENSING

TABLE OF TABLES

TABLE 2 INFORMATION SUMMARY FOR THE PURDUE UNIVERSITY REACTOR, PUR-1
TABLE 2 AUXILIARY SYSTEMS
TABLE 3 SCRAM INITIATING CONDITIONS
TABLE 3 PANEL RECORDER SIGNAL DEFINITION
TABLE 3 ANNUNCIATOR PANEL ALARMS
TABLE 3 PANEL INDICATORS AND SWITCHES
TABLE 3 SUMMARY OF EXISTING NUCLEAR INSTRUMENTATION CHANNELS

TABLE OF FIGURES

FIGURE 2 PUR-1 GRID PLATE
FIGURE 2 REACTOR ARRANGEMENT

1 Introduction

1.1 Project Description and Background

The requirement for the PUR-1 console replacement is to provide a modern system that meets the NRC requirements for safety and licensing for research reactor applications. Due to the small size of the PUR-1 reactor, the Reactor Protection System (RPS) need not be independent of the Reactor Control System (RCS), and their functions may overlap or be combined. This is typical practice at many non-power reactors due to their low risk to facility staff, the public, and the environment.

There are plans to increase the licensed power rating of the PUR-1 reactor from 1 kW to 10 kW steady state power. The new control system shall be capable of supporting the higher power level with only a recalibration of the instrumentation and changing of applicable setpoints.

Because events during calibration, testing, startup, and operation may be short lived, a complete data acquisition and data storage system will be included in the proposed design. This data system shall be capable of transferring data to other computer systems in real time, or near real time, without risk to the control and protection system from digital intrusion.

1.2 Purpose

The purpose of this document is to define the functional requirements for the Reactor Protection / Control System Replacement Project. This document will establish the functional requirements of the Reactor Protection & Control System (RPCS) and the various subsystems and components associated with it. The functional requirements will cover all equipment provided as part of the replacement RPCS and any equipment or components from the existing system that are reused in the replacement RPCS.

1.3 Definitions, Acronyms and Abbreviations

1.3.1 Definitions

The following acronyms and definitions are utilized throughout this document.

| Term | Definition |
|---|---|
| House Alarm | Site evacuation |
| Class 0 Alarm | Reactor Room Evacuation |
| Class 1 Alarm | Annunciator alarm from console |
| Class 2 Alarm | Alarm which only appears in the RCS alarm summary display screen. |
| Gang Lower | Simultaneous insertion of Shim Safety Rod #1, Shim Safety Rod #2 and the Regulating Rod using the drive motors. |
| PUR-1 | Purdue University Research Reactor Number One |
| Reactor SCRAM / Reactor Trip | Insertion of Shim Safety Rod #1 and Shim Safety Rod #2 by removing power to the drive coupler magnets causing the control rods to insert into the reactor core via the force of gravity. |
| Reactor Setback | Automatic Gang Lower action initiated by the Reactor Control System when any Setback signal is sent. |
| Reactor Operator | Individual licensed to control a nuclear reactor from a control panel within regulatory requirements. |
| Senior Reactor Operator | Individual licensed to control a nuclear reactor from a control panel within regulatory requirements and perform fuel alterations within the reactor vessel among other duties, responsibilities, and actions. Authorized by law to depart from regulations during emergencies. |

1.3.2 Acronyms and Abbreviations

The following abbreviations are utilized throughout this document.

| Abbreviation | Meaning |
|---|---|
| ASI | Analog Signal Input (also referred to as AI) |
| ASO | Analog Signal Output (also referred to as AO) |
| CAM | Continuous Air Monitor |
| COS | Change of State (synonym for SOE) |
| CR | Control Rod (includes SS1, SS2 and RR) |
| DAS | Data Acquisition System |
| DSI | Digital Signal Input (also referred to as DI) |
| DSO | Digital Signal Output (also referred to as DO) |
| DOE | Department of Energy |
| EMI/RFI | Electromagnetic Interference/Radio Frequency Interference |
| EU | Engineering Units |
| FC | Fission Chamber Drive |
| FMEA | Failure Modes and Effects Analysis |
| HDD | Hardware Design Document |
| HEU | Highly Enriched Uranium |
| HMI | Human-Machine Interface |
| HVAC | Heating, Ventilation, Air Conditioning |
| ICD | Instrument Configuration Documents |
| I/O | Input/Output |
| IEEE | Institute of Electrical and Electronic Engineers |
| kW | Kilowatt |
| LEU | Low Enriched Uranium |
| LNP | Lockheed Nuclear Products |
| mA | Milliampere |
| mR/hr | milliRem per hour |
| MTR | Materials Test Reactor |
| mV | Millivolt |
| NFMS | Neutron Flux Monitoring System |
| NNSA | National Nuclear Security Administration |
| NRC | U.S. Nuclear Regulatory Commission |
| NS | Neutron Source Drive |
| PCS | Power Conditioning System |
| PVC | Polyvinyl Chloride |
| RAM | Radiation Area Monitor |
| RCS | Reactor Control System |
| RDS | Rod Drive System |
| RMS | Radiation Monitoring System |
| ROC | Reactor Operator Console |
| RR | Regulating Rod Drive |
| RPS | Reactor Protection System |
| RPCS | Reactor Protection / Control System |
| RTD | Resistance Temperature Detector |
| RWMS | Reactor Water & Makeup System |
| SDD | Software Design Description |
| SNMP | Simple Network Management Protocol |
| SOE | Sequence of Events (synonym for COS) |
| SRS | Software Requirement Specification |
| SS1 | Shim Safety Rod #1 Drive |
| SS2 | Shim Safety Rod #2 Drive |
| T/C | Thermocouple |
| VAC | Volts Alternating Current |
| VDC | Volts Direct Current |

1.4 References

1.4.1. IEEE 1233, 1998 Edition (R2002), IEEE Guide for Developing System Requirements.

1.4.2. NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors.

1.4.3. ANSI/ANS 15.15, Criteria for the Reactor Safety Systems of Research Reactors.

1.4.4. ANSI/ANS 15.20, Criteria for the Reactor Control and Safety Systems of Research Reactors.

1.4.5. Reg. Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

1.4.6. Technical Specification for the Purdue University Reactor, May 1988.

1.4.7. Safety Analysis Report for the Conversion of the Purdue University Research Reactor from HEU to LEU Fuel, July 2006.

1.4.8. Instruction Manual for Shim-Safety Control Rod Drive, Regulating Control Rod Drive, Fission Chamber Drive, Source Drive, Diamond Power Specialty Corporation, March 1962.

1.4.9. AMS-4 Beta Particulate Monitor Manual (Rev. B), Thermo Scientific.

1.4.10. RMS-3 Technical Manual, Thermo Scientific.

1.4.11. Specifications and Technical Requirements for the Instrumentation and Control Upgrade of the Purdue University Nuclear Reactor, PUR-1, PUR1 Controls Pre-Bid Document Final.pdf, April 2015.

1.5 System Overview

The Reactor Protection / Control System Replacement Project for the Purdue University Research Reactor PUR-1 will replace the neutron flux detector equipment, reactor operator console, reactor protection system and reactor control system for PUR-1.

The replacement Reactor Protection / Control System (RPCS) will be composed of or interface to the following subsystems:

  • Neutron Flux Monitoring System (NFMS) - RPCS subsystem for neutron flux monitoring. Includes the Mirion detectors and electronics

o physical hardware interfaces to the shim-safety control rod magnets.

o reactor trip input signals from components external to the Reactor Protection System.

o Neutron Flux Monitoring System

o a portion of the Reactor Control System control algorithm on the RTP 3000 TAS platform responsible for automatic SCRAM (non-safety SCRAM).

o manual SCRAM functions.

o operator console indicators.


  • Reactor Control System (RCS) - portion of RPCS that is responsible for normal reactor startup, shutdown, and control. The RCS includes all operator console HMI equipment and the portion of the control algorithm on the RTP 3000 TAS platform responsible for reactor control. It also includes the R*TIME software and the computer functions (display, historian, reporting, etc.).
  • Rod Drive System (RDS) - portion of the RPCS that includes the drive assemblies (Shim Safety Rod #1 (SS1), Shim Safety Rod #2 (SS2), Regulating Rod (RR), Neutron Source (NS) and Fission Chamber (FC)) and the associated cabling, electronics and power supplies.
  • Radiation Monitoring System (RMS) - radiation monitoring system equipment. Includes a Continuous Air Monitor (CAM) and multiple Radiation Area Monitors (RAMs).
  • HVAC System (HVAC) - HVAC system used to maintain reactor room ventilation and environmental conditions. Includes dampers and other building controls required to provide confinement by isolating the PUR-1 Reactor Room in the case of an airborne radioactive material release.
  • Reactor Water & Make-up System (RWMS) - equipment used to maintain reactor water level, temperature and quality. Also includes sensors used to measure water chemistry parameters.
  • Power Conditioning System (PCS) - equipment used to provide regulated, conditioned power to the RPCS components.

2 PUR-1 Reactor

2.1 Background

The Purdue University Research Reactor, PUR-1 is a Lockheed Nuclear Products (LNP) Materials Test Reactor (MTR) designed for operation at 10 kW and currently licensed at 1 kW. It is managed and operated by the Purdue University School of Nuclear Engineering. Construction of the reactor facility began in 1961, and the Atomic Energy Commission (AEC) licensed the PUR-1 reactor in 1962 for operation at 1 kW. The primary mission of the reactor since its initial licensing has been teaching, training and education of Purdue nuclear engineering students, with the majority of its operations hours being directed toward that purpose. Reactor utilization in support of faculty and student research has varied over the lifetime of the reactor from as low as approximately 5% of the operations hours up to about 45% at its peak.

The PUR-1 reactor was initially fueled with Highly Enriched Uranium (HEU) in 1962, but as part of the effort of DOE/NNSA the reactor fuel was replaced in 2007 with Low Enriched Uranium (LEU). It is expected that the new LEU fuel will certainly last for the lifetime of the reactor (the previous HEU core experienced less than 0.01% burnup in 45 years). The non-fuel reactor structure (i.e. stainless steel pool, fuel deck, graphite reflector) is in exceptionally good shape despite its age due to careful control of pool water chemistry. The instrumentation and control systems, however, are almost entirely the original equipment (1960s vacuum tube technology), and because of the extreme difficulty in obtaining quality replacement parts, there have been a significant number of missed operations in recent years due to the failure of instrumentation and safety systems to pass pre-start tests.

The initial license, granted in 1962 for 1 kW operations, was renewed in 1968 and 1988. A timely renewal application of the PUR-1 operations license was submitted to the NRC in 2008, which included an uprate beyond the full design power of 10 kW to 12 kW. That license renewal is expected to be granted in 2016, and will allow for increased capability in fulfilling the mission of the PUR-1 reactor in support of the education, training and research mission it has carried out over its lifetime. Particularly it would allow for the expansion of the research function. The PUR-1 is a significant component of the success of the School of Nuclear Engineering at Purdue in educating the next generation nuclear experts around the world. The PUR-1 also helps in educating nuclear engineering students of other neighboring universities without reactors, with recent visits by students from the University of Illinois to perform the same experiments done by Purdue students.

This specification describes the functional requirements of the existing PUR-1 control console and nuclear instrumentation channels which will need to be replicated by the new system in order to minimize changes to the facility's license and Technical Specifications. The new console will be installed in the existing reactor room. Obsolete components of the safety and control system will be replaced, while leaving unchanged the neutron absorber rods, extensions, gearing and drive mechanisms. The replacement reactor protection and control system is required to operate at either the initial 1 kW power level or the uprated 10 kW power level.

2.2 Reactor Design

2.2.1 Reactor Core

The PUR-1 core layout is that of a heterogeneous, light-water moderated, light-water and graphite reflected, water cooled reactor fueled with LEU plate-type fuel. The core layout is shown in Figure 2-1. Each of the standard fuel assemblies in the core can hold up to fuel plates, or a mixture of fuel and dummy plates. The three control elements each hold up to fueled plates. Twenty graphite reflector assemblies surround the core, 6 of which contain a cylindrical aluminum tube normally filled with graphite. These 6 elements comprise the irradiation facility. The graphite can be removed from these tubes and replaced with experiment capsules which can then be irradiated with normal reactor operation.

Figure 2 PUR-1 Grid Plate

The reactor is controlled by three control rods located in the core region of the reactor. There are two shim-safety rods made of solid borated 304 stainless steel, utilizing a magnet clutch between the blades and the lead screw operated drive mechanisms, and a regulating rod, which is a screw-operated direct drive and made of hollow stainless steel. Each control blade is protected by an aluminum guide plate on each side within the control fuel assemblies.

Each of the standard assemblies and the control assemblies are contained in a 6061 aluminum container. The standard graphite assemblies and the irradiation facility graphite assemblies are contained in similar 1100 aluminum containers. The startup neutron source is located outside the core in a similar 6061 aluminum container.

Figure 2 Reactor Arrangement

Table 2 Information Summary for the Purdue University Reactor, PUR-1

TYPE: Swimming Pool, Materials Test Reactor (MTR)
DESIGN POWER LEVEL: 1 kW continuous (Nf); pending NRC review and approval to 12 kW
MAXIMUM THERMAL FLUX IN FUEL REGION: 2.1 x 10^10 n/cm^2*sec at 1 kW (~10^11 n/cm^2*sec at 10 kW)
AVERAGE THERMAL FLUX IN FUEL REGION: 1.2 x 10^10 n/cm^2*sec at 1 kW (~10^11 n/cm^2*sec at 10 kW)
FUEL ELEMENTS:
  Type - Flat Plate
  Number of Plates
    Standard Element:
    Control Element:
  Dimensions -
  Fuel Material -
  Enrichment (Nominal) - U-235
  Mass of U-235 per plate (Nominal) - grams
  Cladding - 0.381 mm (0.015 in) type 6061-T6 aluminum
  Number of Standard Elements -
  Maximum U-235 Per Std. Element - grams
  Number of Control Elements - 3
  Maximum U-235 Per Control Element - grams
MODERATOR: Light water
REFLECTOR: Light water and graphite
CORE PHYSICS:
  Thermal Neutron Lifetime - 5.4 x 10^-5 sec
  Excess k eff (max) - 0.6% k/k
  Operating Mass of U-235 - or as adjusted on critical loading.
  Temperature Coefficient - -1.9 x 10^-4 k/k per °C at 20°C
  Regulating Rod - -0.47% (calculated)
  Shim Safety Rods - -5.8 % for 2 (calculated)
CONTROL RODS:
  Number of Regulating Rods 304 stainless steel
  Number of Shim Safety Rods Boron-stainless steel
  Operating Rates
    Regulating Rod - 43.5 cm/min
    Shim Safety Rod - 11 cm/min
    Scram - Required to be less than 1000 msec.

Table 2 Auxiliary Systems

SHIELDING
  Type: Water, Portland concrete, magnetite sand and earth
  Maximum Dose Rates:
    Surface of Concrete: < 0.1 mrem/hr at 1 kW
    Surface of water: 2.5 mr/hr <1 mrem/hr at 1 kW
WATER PURIFICATION SYSTEM
  Water Capacity, Reactor Pool: 6,400 gal.
  Pump: Centrifugal
    Capacity At 100°F and 110 ft Head: 30 gpm
  Ion Exchanger: Mixed bed (replaceable cartridge type)
    Rated Capacity: 15,000 grains as CaCO3
    Flow Rate: 0-20 gpm
    Design Pressure: 100 psi
  Heat Exchanger: Shell and tube (water chiller)
    Cooling Capacity: 36,000 Btu/hr
    Design Pressure: Tube 150 psi, Shell 225 psi
    Pool Temperature Control: 18.3-23.9°C
  Filter: Cartridge Type
    Maximum Flow: 80 gpm
    Pressure Drop: 2 psi

2.2.2 Fuel

PUR-1 uses a flat plate type fuel from BWXT Technologies. The fuel material is which is enriched to U-235.

Each standard fuel element assembly has up to fuel elements per assembly and the core is composed of 16 total fuel assemblies.

2.2.3 Rod Drive System

The PUR-1 reactor includes 5 drives in the reactor: 3 control rod drives, 1 source drive and 1 fission chamber drive.

The Rod Control System (RCS) shall indicate on the HMI the current position of all of the rod drives and the fission chamber. The source drive need not have location indication. This output should be in exact numerical form (i.e. 45.34 cm) as well as a visual representation of range of the drive.

2.2.3.1 Control Rod Drives

The reactor has 3 control rods consisting of a regulating rod and 2 shim-safety rods. The 2 shim rods and 1 regulating rod have identical control and drive systems. The Reactor Control System (RCS) provides the capability for an individual rod to be controlled when being withdrawn and shall electrically limit withdrawal to only one rod at a time. All control rods can be inserted into the core simultaneously by a gang lower function to reduce reactivity. The gang movement function does not allow the rods to all be raised under any circumstances. Additionally, rod interlocks will be engaged if Channel 1 indicates a count rate of less than 2 cps. This is most significant during startup, when the neutron source provides the initial neutrons, which are multiplied by the fuel in the reactor, to ensure a prompt critical state is not achieved. During all periods of operation, Channel 1 must remain above 2 cps for any CR withdrawal.

The shim-safety rods can be driven into the core using the drive assembly motor or dropped by the removal of current from the magnets on a scram signal. A key switch on the left reactor operator console panel needs to be engaged to power the magnets. The regulating rod can only be driven into the core using the drive assembly motor. After a SCRAM, a physical reset of the control rods is required to return to normal conditions.

A gang lower (setback) will cause all three control rods to drive downward into the core while magnet current is maintained. In the condition where the setback trigger has returned to normal, the gang lower may be halted by the operator by actuating any control rod movement.

The existing control rod, source and fission chamber drive mechanisms will remain, so the new console and RCS shall interface with those. The details of the rod drive mechanisms are provided in Reference 1.4.8.

A jam circuit is incorporated in the drive circuits to operate a jam indication on the operator console in the event of a mechanical jam. This indication alerts the operator to the possibility of cable kinking in the source drive unit, or mechanical friction in the control rod drives.

2.2.3.1.1 Shim Safety Rod Drive

The shim-safety rod to be driven is selected by the Reactor Control System (RCS). This connects the drive system for that rod and clears any other drive circuit that may be energized. Interlocks shall prevent the raising of more than one control rod or the fission chamber simultaneously.

The reactor operator controls the rod with the raise-lower switch on the control console or the control rod drive HMI display screen. The raise-lower operation operates relays which apply power to the rod drive motor to move the control rod.

In the event of a SCRAM, both Shim-Safety Rods must be fully inserted into the reactor core within a technical specification time period of one second. Whenever there is a reactor SCRAM, the RCS will compute the SCRAM time for each Shim-Safety Rod and save the computed SCRAM time as part of the RCS historical data along with the height from which the rod was dropped. This timing begins at the initiation of the SCRAM signal and ends when the RCS indicates the SSR has reached its lower limit. If the computed SCRAM time for either Shim-Safety Rod exceeds the technical specification requirement, a local RCS computer alarm (Class 2) will be activated. The RCS shall provide the ability to trend SCRAM times for both Shim-Safety Rods as a function of control rod height and show historical performance over time.

2.2.3.1.2 Regulating Rod Drive

The regulating rod drive system is activated by the Reactor Control System. This connects the drive system for that rod and clears any other drive circuit that may be energized. Interlocks shall prevent raising more than one control rod or the fission chamber simultaneously.

The reactor operator controls the regulating rod with the raise-lower switch on the control console or from the control rod drive HMI display screen. The raise-lower function operates relays which apply power to the rod drive motor to move the regulating rod. The regulating rod may be automatically controlled by the RCS to a specified power level if the reactor operator enables automatic level control.

If enabled by the operator, the RCS provides automatic level control once the reactor has reached the desired power level. The RCS senses deviations from an operator specified power level and automatically adjusts the position of the regulating rod to maintain the reactor at a constant power level. These power deviations shall be calculated from the Channel 3 input signal.

2.2.3.2 Source Drive

The source drive system is activated by the Reactor Control System. This connects the drive system for the source drive and clears any other drive circuit that may be energized.

The reactor operator controls the source drive with the raise-lower switch on the control console or the source drive HMI display screen. The raise-lower operation operates relays which apply power to the drive motors to move the source.

2.2.3.3 Fission Chamber Drive

The fission chamber drive system is activated by the Reactor Control System. This connects the drive system for the fission chamber drive and clears any other drive circuit that may be energized. Interlocks shall prevent raising more than one control rod or the fission chamber simultaneously.

The reactor operator controls the fission chamber drive with the raise-lower switch on the control console or the source drive HMI display screen. The raise-lower operation operates relays which apply power to the drive motors to move the fission chamber.

3 PUR-1 System Requirements

3.1 Physical Requirements

All RPCS electronics, including power supplies and preamplifiers for each channel, shall be contained in the existing 19-inch wide auxiliary instrument racks. All reactor operator controls and indicators shall be installed in the existing 3-sided reactor operator console.

3.1.1 Environmental

All components of the replacement system will be installed in the reactor room. The reactor room should be considered a mild environment (temperature controlled and pressure controlled).

  • All components will operate without any adverse effects with ambient temperature between
  • All components will operate without any adverse effects with relative humidity between (non-condensing).

3.1.2 Seismic

The PUR-1 license and Tech Specs do not require seismic ratings.

3.1.3 Electrical Requirements

The following requirements pertain to the entire RPCS system and operator console.

3.1.3.1 General

  • All wiring and wiring accessories (terminal blocks, labels, etc.) furnished with the replacement system shall be made of non-combustible materials.
  • All conductors shall be stranded copper.
  • All conductors shall have 600V rated insulation.
  • All electrical components shall be FCC Class A or Class B certified or verified.
  • There are no special EMI/RFI ratings or testing requirements for this system outside of verifying installed operability.

3.1.3.2 Input Power Requirements

  • All equipment shall be powered by standard 110-120 volt AC power.
  • System components requiring voltages other than 120VAC (e.g. 24VDC, 5VDC, etc.) will have the voltage supplied by conversion equipment. The conversion equipment shall be powered by 120VAC.

3.2 Reactor Protection System Requirements

The Reactor Protection System (RPS) monitors operation of the reactor and effects the shutdown of the reactor in the event of emergency conditions or when a technical specification is exceeded.

3.2.1 SCRAM Initiating Conditions

The RPS system provides two types of SCRAM initiations, a Manual SCRAM (see 3.2.1.1) and an Automatic SCRAM (see 3.2.1.2).

When a SCRAM initiating condition occurs, the reactor console annunciator alarm will sound. The appropriate annunciator tile shall engage. An alarm will be indicated on the operator console display to provide details of why the SCRAM was initiated.

After a SCRAM condition, a SCRAM reset must be performed before the rod magnet power can be reapplied by the RPS.

The Reactor Control System (RCS) also provides a setback function to insert the control rods into the reactor without producing a scram (see Section 3.2.2 for a description of the setback function). When a setback is initiated, the RCS shall also sound the annunciator alarm.

In order to operate the reactor, all SCRAM initiating conditions must be in a normal state. In addition, the key switch must be engaged.

3.2.1.1 Manual SCRAM

A Manual SCRAM is initiated by the Reactor Operator using one (or more than one) of the following methods:

  • Turn the Master Key Switch on the ROC to the open position.
  • Turn off the Magnet Power Supply to remove power to the control rod magnets.
  • Open the output power breaker on the Power Conditioning System (PCS) to remove power to the RPS.

3.2.1.2 Automatic SCRAM

An Automatic SCRAM shall be initiated by the RPS when a short period signal or a high power-level signal is detected by the Neutron Flux Monitoring System (NFMS). A SCRAM can also be initiated by the Radiation Monitoring System (RMS) for a high radiation level or the Reactor Control System (RCS) (non-safety) for any of these conditions.

Detected equipment failures of any RPCS component will also initiate an Automatic SCRAM by the RCS.

The RPS or RCS initiates a SCRAM by opening the input power line to the shim-safety control rod magnets, removing power from the magnets and causing the shim-safety control rods to be reinserted into the reactor core by gravity. For the NFMS, the magnet current is removed by opening relays in the NFMS equipment. In the case of the RMS or the RCS, the magnet power is removed by external relays controlled by the RMS and RCS equipment.

Table 3-1 shows the initiating conditions that result in an Automatic SCRAM by the RPS.

Table 3-1 SCRAM Initiating Conditions

Condition: Reactor Period < 7
Detected By:
1) NFMS Channel 1 Trip Signal (NFMS), or
2) NFMS Channel 2 Trip Signal (NFMS), or
3) NFMS Channel 1 Period (RCS), or
4) NFMS Channel 2 Period (RCS)
RPS Action: Initiate SCRAM

Condition: Channel 2 Loss of High Voltage
Detected By:
1) NFMS Channel 2 Trip Signal (NFMS), or
2) NFMS Channel 2 Period (RCS)
RPS Action: Initiate SCRAM

Condition: Reactor Power > 120%
Detected By:
1) NFMS Channel 2 Trip Signal (NFMS), or
2) NFMS Channel 3 Trip Signal (NFMS), or
3) NFMS Channel 2 Power Level (RCS)
4) NFMS Channel 3 Power Level (RCS)
5) NFMS Channel 4 Trip Signal (NFMS), or
6) NFMS Channel 4 Power Level (RCS)
RPS Action: Initiate SCRAM

Condition: High Radiation
Detected By:
1) Process Monitor Trip Signal (RMS), or
2) Console Monitor Trip Signal (RMS), or
3) Top of Pool Monitor Trip Signal (RMS), or
4) Continuous Area Monitor Trip Signal (RMS), or
5) RMS Process Monitor Radiation Level (RCS), or
6) RMS Console Monitor Radiation Level (RCS), or
7) RMS Top of Pool Monitor Radiation Level (RCS), or
8) RMS Continuous Area Monitor Radiation Level (RCS)
RPS Action: Initiate SCRAM, and Shutdown ventilation system

Condition: NFMS Equipment Failure
Detected By:
1) NFMS Channel 1 Monitor (NFMS), or
2) NFMS Channel 2 Monitor (NFMS), or
3) NFMS Channel 3 Monitor (NFMS), or
4) NFMS Channel 4 Monitor (NFMS), or
5) NFMS Channel 1 Monitor (RCS), or
6) NFMS Channel 2 Monitor (RCS), or
7) NFMS Channel 3 Monitor (RCS), or
8) NFMS Channel 4 Monitor (RCS)
RPS Action: Initiate SCRAM

Condition: RCS Equipment Failure
Detected By:
1) RCS I/O Equipment Failure (RCS)
2) RCS Computer Failure (RCS)
3) RCS Power Supply Failure (RCS)
RPS Action: Initiate SCRAM

3.2.2 Setback

Four conditions can initiate a setback. When any of the four conditions is met, the Reactor Control System (RCS) gang lowers the shim-safety rods and the regulating rod into the core until they reach their lower limits. The setback can be halted by the reactor operator if the trouble clears and the setback is reset before the rods reach their lower limits. The four setback conditions are as follows:

  • Low-Power Period - Log count rate meter indicates a short period
  • High-Power Period - Log-N period amplifier indicates a short period
  • Over Power - Linear level channel indicates high power level
  • Safety Over Power - Safety amplifier indicates high power level

Any setback will illuminate the Setback tile on the annunciator panel. The corresponding Class 1 alarm condition will also be set, engaging the annunciator alarm and displaying it on the RCS alarm summary display screen.

If a Setback originating condition clears (returns to a level within normal operating conditions), the operator may halt the gang lower function of the setback by pressing the STOP button on any drive control screen, moving the joystick, or interacting with the raise or lower functions of a selected drive system.

3.2.3 Alarm Requirements

The annunciator alarm (Class 1 Alarm) will sound on all reactor trips (including manual trips) and reactor setbacks.

All reactor trips and setbacks will be captured in the data historian and will be annunciated on the Annunciator Panel (see section 3.3.2.3).

3.3 Reactor Control System Requirements

This section defines the components and functions of the Reactor Control System (RCS). The RCS includes those system components that are required to operate the reactor. This includes all normal control rod movement (non-SCRAM) and all data acquisition and display functions, including a data historian capability.

The RCS also provides a reactor SCRAM input to the Reactor Protection System (RPS) for those SCRAM conditions monitored by the RCS.

3.3.1 System Functions

3.3.1.1 Reactor Drive Control

Four control channels are incorporated into the reactor control system to raise or lower the two shim-safety rods, the regulating rod and the fission chamber. A fifth control channel is provided to raise and lower the neutron source.

3.3.1.1.1 Drive Control Conditions

The control rods may always be lowered. However, permissive circuits are included in the raise circuits of the control rods and fission chamber to prevent raising the rods under the following circumstances:

  • Source Missing - Channel 1 must indicate the presence of a source of neutrons by indicating a count rate of at least two counts per second. A withdraw interlock indicator shows when this condition is not fulfilled.
  • Period < 15s - Channel 1 and Channel 2 period must remain above fifteen seconds. If the period drops below 15s, the withdraw interlock will be enabled.
  • DAS Hardware Trouble - If the DAS hardware is not fully operational, there will be an indicator illuminated on the annunciator panel. In this condition, the system will not have the ability to raise any rods.
  • Workstation On - If the workstation driving the control panel displays is down for any reason, the system will not allow the rods to be raised.
  • Source Drive in Operation - Interlock logic on the source drive prevents raising the control rods or fission chamber when the source is being raised or lowered.
  • Drives Selected > 1 - If more than one drive system is selected for movement, the withdraw interlock will be set. While more than one drive can be inserted, only one drive can be withdrawn at once.

Each of these interlock conditions will be sensed by the RCS and a local Class 2 alarm generated in the RCS. The local alarm is presented to the reactor operator as an indication on the RCS display screens.
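The raise permissive described in this section can be written as a single check over one scan of inputs. The following is an added illustration, not part of the specification or of any vendor's code; the field names, drive names and the choice to treat an unavailable reading as a failed permissive are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MIN_SOURCE_CPS = 2.0  # Channel 1 must indicate at least two counts per second
MIN_PERIOD_S = 15.0   # Channel 1 and Channel 2 period must remain above 15 s

# Drives whose raise circuits carry the permissive. The names are illustrative.
GATED_DRIVES = frozenset(
    {"shim_safety_1", "shim_safety_2", "regulating", "fission_chamber"}
)


@dataclass(frozen=True)
class Snapshot:
    """One scan of RCS inputs. Field names are hypothetical, not from the spec."""
    ch1_count_rate_cps: Optional[float]  # None means the reading is unavailable
    ch1_period_s: Optional[float]        # assumed positive; float("inf") at steady power
    ch2_period_s: Optional[float]
    das_hardware_ok: bool
    workstation_online: bool
    source_drive_moving: bool
    drives_selected: FrozenSet[str]


def withdraw_interlocks(s: Snapshot) -> List[str]:
    """Return the Section 3.3.1.1.1 conditions that currently block withdrawal."""
    blocking = []
    # Assumption: an unavailable reading fails the permissive instead of passing it.
    if s.ch1_count_rate_cps is None or s.ch1_count_rate_cps < MIN_SOURCE_CPS:
        blocking.append("Source Missing")
    if any(p is None or p < MIN_PERIOD_S for p in (s.ch1_period_s, s.ch2_period_s)):
        blocking.append("Period < 15s")
    if not s.das_hardware_ok:
        blocking.append("DAS Hardware Trouble")
    if not s.workstation_online:
        blocking.append("Workstation On")
    if s.source_drive_moving:
        blocking.append("Source Drive in Operation")
    if len(s.drives_selected) > 1:
        blocking.append("Drives Selected > 1")
    return blocking


def authorize(drive: str, direction: str, s: Snapshot) -> Tuple[bool, List[str]]:
    """Decide one movement request; the list holds the Class 2 alarm texts to raise."""
    if drive not in GATED_DRIVES:
        raise ValueError(f"unknown drive: {drive!r}")
    if direction == "lower":
        return True, []  # the permissives sit in the raise circuits only
    if direction != "raise":
        raise ValueError(f"unknown direction: {direction!r}")
    blocking = withdraw_interlocks(s)
    return (not blocking), blocking


def normal_snapshot(**overrides) -> Snapshot:
    """Constructed sample data: every permissive satisfied unless overridden."""
    values = dict(
        ch1_count_rate_cps=35.0, ch1_period_s=float("inf"), ch2_period_s=float("inf"),
        das_hardware_ok=True, workstation_online=True, source_drive_moving=False,
        drives_selected=frozenset({"regulating"}),
    )
    values.update(overrides)
    return Snapshot(**values)


if __name__ == "__main__":
    print(authorize("regulating", "raise", normal_snapshot()))
    print(authorize("regulating", "raise", normal_snapshot(ch1_count_rate_cps=1.4)))
```

Every unmet condition is reported, not just the first, so the operator display can show all active withdraw interlocks at once.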

3.3.1.1.2 Jam Indication

A jam circuit is incorporated in the drive circuits to operate a jam indicator on the console in the event of a mechanical jam in the drive. This indication alerts the operator to the possibility of cable kinking in the source and fission chamber drive units, or mechanical friction in the rod drives. The jam indication is sensed by each rod drive assembly and provided as an input to the RCS. For the Shim Safety Rods, this does not prevent SCRAM insertions from the RPS.

A jam indication will be sensed by the RCS and a local Class 2 alarm generated in the RCS. The local alarm is presented to the reactor operator as an indication on the RCS display screens.

3.3.1.1.3 Shim Safety Rod Drive System

The shim-safety rod to be driven is selected by selecting the desired drive on the appropriate operator console display screen. This connects the drive system for that rod and clears any other drive circuit that may be energized. Electrical interlocks shall prevent the raising of more than one control rod or the fission chamber simultaneously. The reactor operator controls the selected rod by one of the following methods:

  • Using the operator console display screen, entering the desired target position value numerically on the display screen and selecting the GO button on the display screen. After pressing the GO button, the automatic control rod movement can be stopped before reaching the target position by selecting the STOP button on the display screen or moving the joystick. Once the target position has been reached, the RCS automatically terminates rod movement.
      o Upon setting the STOP signal or the joystick returning to the OFF position, the drive system may not move more than three (3) centimeters from the point when the STOP initiation signal was sent. Movement exceeding three (3) centimeters will initiate a Setback function.
  • Using the operator console display screen, adjusting the current position value (up or down) with a coarse adjustment arrow. Rod movement using the coarse adjustment arrow is a one-time movement and requires the operator to select the adjustment arrow for each adjustment.
      o Coarse and fine adjustments shall have a user configurable distance setting.
      o Coarse adjustments will initially be set to 2 cm.
      o Fine adjustments will initially be set to 0.2 cm.

  • Using the operator console display screen, adjusting the position value (up or down) with a fine adjustment arrow. Rod movement using the fine adjustment arrow is a one-time movement and requires the operator to select the adjustment arrow for each adjustment.
  • Using the physical raise/lower switch. The physical raise/lower switch provides a momentary input to the RCS to initiate the rod movement. The switch must be manually held in the raise or lower position to cause continuous rod movement.

The shim safety rod drive system display screen(s) shall provide indications for the following conditions:

  • Upper Limit - The drive unit is at the upper limit of its travel.
  • 2/3 Limit - The drive unit is two-thirds out.
  • Engage - The shim-safety rod is attached to the drive electromagnet.
  • Lower Limit - The drive unit is at the lower limit of its travel.
  • Drive - The drive unit is connected to the raise-lower switch.
  • Rod location - The numerical location of the rod within the core.

3.3.1.1.4 Regulating Rod Drive System

The regulating rod drive system is activated by selecting the regulating rod drive on the appropriate operator console display screen. This connects the regulating rod system to the raise-lower switch and clears any other drive circuit that may be energized. Electrical interlocks shall prevent raising more than one control rod or the fission chamber simultaneously. The reactor operator controls the selected rod by one of the following methods:

  • Using the operator console display screen, entering the desired target position value numerically on the display screen and selecting the GO button on the display screen. After pressing the GO button, the automatic control rod movement can be stopped before reaching the target position by selecting the STOP button on the display screen or moving the joystick. Once the target position has been reached, the RCS automatically terminates rod movement.
      o Upon setting the STOP signal or the joystick returning to the OFF position, the drive system may not move more than three (3) centimeters from the point when the STOP initiation signal was sent. Movement exceeding three (3) centimeters will initiate a Setback function.
  • Using the operator console display screen, adjusting the current position value (up or down) with a coarse adjustment arrow. Rod movement using the coarse adjustment arrow is a one-time movement and requires the operator to select the adjustment arrow for each adjustment.
      o Coarse and fine adjustments shall have a user configurable distance setting.
      o Coarse adjustments will initially be set to 2.0 cm.
      o Fine adjustments will initially be set to 0.2 cm.

  • Using the operator console display screen, adjusting the position value (up or down) with a fine adjustment arrow. Rod movement using the fine adjustment arrow is a one-time movement and requires the operator to select the adjustment arrow for each adjustment.
  • Using the physical raise/lower switch. The physical raise/lower switch provides a momentary input to the RCS to initiate the rod movement. The switch must be manually held in the raise or lower position to cause continuous rod movement.

The regulating rod may also be controlled using the automatic servo control. Automatic servo control can be activated and deactivated by the reactor operator using the appropriate operator console display screen. While in automatic servo control, the RCS will automatically insert and withdraw the regulating rod to maintain the operator selected power level. While in automatic servo control, the RCS shall actuate a Class 1 alarm if the reactor power deviates by greater than 5% from the setpoint, indicating a malfunction of the system.

The regulating rod drive system display screen(s) shall provide indications for the following conditions:

  • Upper Limit - The drive unit is at the upper limit of its travel.
  • Servo - Display whether the servo control is enabled or disabled.
  • Lower Limit - The drive unit is at the lower limit of its travel.
  • Drive - The drive unit is connected to the raise-lower switch.
  • Rod location - The numerical location of the rod within the core.

3.3.1.1.5 Fission Chamber Drive System

The fission chamber drive system is activated by selecting the fission chamber drive on the appropriate operator console display screen. This connects the fission chamber drive system to the raise-lower switch and clears any other drive circuit that may be energized. Interlocks shall prohibit raising the fission chamber while the control rods are being driven. The reactor operator controls the fission chamber drive by one of the following methods:

  • Using the operator console display screen, entering the desired target position value numerically on the display screen and selecting the GO button on the display screen. After pressing the GO button, the automatic fission chamber drive movement can be stopped before reaching the target position by selecting the STOP button on the display screen or moving the joystick. Once the target position has been reached, the RCS automatically terminates fission chamber movement.
      o Upon setting the STOP signal or the joystick returning to the OFF position, the drive system may not move more than three (3) centimeters from the point when the STOP initiation signal was sent. Movement exceeding three (3) centimeters will initiate a Setback function.
  • Using the operator console display screen, adjusting the current position value (up or down) with a coarse adjustment arrow. Fission chamber movement using the coarse adjustment arrow is a one-time movement and requires the operator to select the adjustment arrow for each adjustment.
      o Coarse and fine adjustments shall have a user configurable distance setting.
      o Coarse adjustments will initially be set to 2.0 cm.
      o Fine adjustments will initially be set to 0.2 cm.

  • Using the operator console display screen, adjusting the position value (up or down) with a fine adjustment arrow. Fission chamber movement using the fine adjustment arrow is a one-time movement and requires the operator to select the adjustment arrow for each adjustment.
  • Using the physical raise/lower switch. The physical raise/lower switch provides a momentary input to the RCS to initiate the fission chamber movement. The switch must be manually held in the raise or lower position to cause continuous movement.

The fission chamber drive system display screen(s) shall provide indications for the following conditions:

  • Upper Limit - The drive unit is at the upper limit of its travel.
  • Lower Limit - The drive unit is at the lower limit of its travel.
  • Drive - The drive unit is connected to the raise-lower switch.
  • Location - The numerical location of the Fission Chamber within the core.

3.3.1.1.6 Source Drive System

The source drive system is activated by selecting the source drive on the appropriate operator console display screen. This connects the source drive system to its raise-lower switch. The reactor operator controls the source drive by one of the following methods:

  • Using the operator console display screen, adjusting the current position with an Up adjustment arrow. Source movement using the Up adjustment arrow locks in upward movement until the Up arrow is pressed again (deselecting it), the Down arrow is pressed, or the STOP button is pressed.
  • Using the operator console display screen, adjusting the current position with a Down adjustment arrow. For source movement, the Down adjustment arrow must be held continually depressed, as positive reactivity is being added to the core.

The source drive system display screen(s) shall provide indications for the following conditions:

  • Upper Limit - The drive unit is at the upper limit of its travel.
  • Source Raise - Indicates the source is being raised.
  • Source Lower - Indicates the source is being lowered.
  • Lower Limit - The drive unit is at the lower limit of its travel.

3.3.1.1.7 Gang Lower System

When the reactor is to be shut down, a Gang Lower function must be available to simultaneously lower the control rods. This function energizes the lower drive relays for the control rods. This function can be started and stopped by enabling or disabling a button on the appropriate operator console display screen. The Gang Lower function will be automatically enabled by the Setback function described in Section 3.2.2.

3.3.1.1.8 Rod Position Indicating System

Position indicators for the three rods, as well as for the fission chamber, will be provided on the operator console display screen(s). These indicators will provide a position indication with a resolution of 0.1 millimeters. The rod position indicator will measure a voltage signal across the drive control potentiometers to obtain the position.

3.3.1.2 Servo Control

Servo control will be provided and will allow the reactor operator to set the servo control to maintain the current power level percent.

A servo display screen will be provided which will display the current difference between the power level value at which the servo was activated and the current power level. The display will also indicate the servo status (active or inactive).

The data historian will capture servo control activation and deactivation and power level while operating.

3.3.2 Operator Interface

The reactor operator console will continue to use a key-switch for engaging the rod magnet current.

A large, clearly visible SCRAM button will be included on the left most panel of the console. This will trip the SCRAM circuit and shut down the reactor. An identical button is installed in the hallway outside the reactor room. This button will provide identical function to the button on the control panel. Reuse of the existing buttons is acceptable.

Three other emergency switches must also be included in the panel. These must be separated from other indicators and controls. One will activate the control room alarm, one will activate the house alarm, and one will act to isolate the confinement space. To isolate the confinement space, the switch will shut down the exhaust fan, air conditioner, air conditioning condensate drain valve, as well as closing the inlet and outlet dampers.

Auxiliary power control switches must also be provided for the water process pump and chiller. These switches shall provide the ability to turn on or turn off either device from the operator console.

The left most panel will contain the annunciator panel. Any annunciator alarm associated with a trip or setback (Class 1 alarm) will also activate an audible alarm that can be easily heard anywhere in the reactor room.

All indicators and controls necessary for startup and shutdown operations must be grouped in front of the operator.

All trip indicators will be displayed in red. All warning indicators will be displayed in yellow.

Display screen(s) shall be provided for the reactor power and period, and rod positions.

Display screen(s) will be provided for the three area radiation monitors and the continuous air monitor.

Display screen(s) will be provided to indicate the status of the HVAC and water makeup systems.

A current time display screen will be provided.

A timer which can count up or down for a user-defined duration shall be provided.

A reactor runtime odometer which tracks the number of hours the shim rod magnets are powered will be provided. The odometer is to start logging time when the keyswitch is enabled and will stop logging when the keyswitch is disabled. In addition to the physical odometer, this function may be emulated in a computer display screen.

3.3.2.1 Operator Console Display Workstation

The main reactor operator interface to the RCS and RPS shall be a workstation mounted in the operator console. The workstation shall drive two display screens. The screens shall be panel mounted within the center and right most panels of the operator console. The interface to the workstation will be through a keyboard and mouse located on the operator console workspace.

The workstation will provide the capability to display process indication data and provide control function for the system. The workstation shall also provide the ability to export data to removable media without risk to the system.

In order to operate the reactor, the workstation must be online. Magnet power will not engage without the workstation in operation.

3.3.2.1.1 Workstation HMI Requirements

The workstation shall contain, at a minimum, displays that contain or perform the following:

  • Reactor Status
  • Startup Condition Summary (displays all information needed to verify system is ready for startup)
  • Reactor Drive Control
  • Alarm Summary
  • Tabular Display
  • Trend Displays
  • System Monitoring Displays (includes monitoring of HVAC, RAM, RWMS, etc.)
  • View, Create, Manage Data Historian Archive
  • Generate Reports

3.3.2.2 Panel Recorders

Two reactor operator console mounted trend recorders will be supplied with the replacement system. These recorders will monitor the signals defined in Table 3-2:

Table 3-2 Panel Recorder Signal Definition

Recorder 1:
  • Channel 1 - Counts per Second
  • Channel 2 - Power Level
  • Channel 4 - Power Level
  • User Configurable

Recorder 2:
  • Channel 1 Change Rate
  • Channel 2 Change Rate
  • Channel 3 Power Level
  • User Configurable

All signals, except User Configurable signals, will be monitored directly from the NFMS interface signals by the trend recorders and shall not require operation of the RCS I/O equipment of the reactor operator console workstation.

The system will have two (2) User Configurable signals on the panel recorders. These signals shall be selected by the operator through the display workstation.

3.3.2.3 Annunciator Panel

The annunciator panel shall contain two types of lighted tiles. The first will be display only and the second will have push button functionality. There will be enough tiles included in the annunciator panel to accommodate all the alarms shown in Table 3-3. The descriptions on the annunciator tiles are the type of alarm that occurred. The Reactor Control System shall provide means for the operator to determine the actual cause of the alarm, through the use of alarm summary and/or system monitoring computer display screens.

Table 3-3 Annunciator Panel Alarms

Lighted Indicator Only
Period Setback Power Setback Withdrawal Interlock Period SCRAM Power SCRAM RAM SCRAM CAM SCRAM RCS DAS Trouble Workstation Trouble Channel Fault Manual Scram Servo Trouble SPARE SPARE

All alarms on the annunciator panel will also be annunciated using the annunciator alarm.

3.3.2.4 Panel Indicators and Indicator Switches

The operator console will also contain several LED indicators and pushbutton switches with LED indicators. The switches and indicators are defined in the table below.

Table 3 Panel Indicators and Switches

Lighted Indicator Only    Lighted Indicator with Push Button Switch
Environmental Health Control Room Alarm Chiller On House Alarm Isolate Confinement Annunciator Acknowledge Magnet Power Water Process Pump Power Chiller Power

3.3.3 Alarm Requirements

The reactor control system will contain four types of alarms: House, Class 0, Class 1, and Class 2. A House Alarm initiates a site evacuation. A Class 0 alarm initiates a reactor room evacuation. Class 1 alarms will engage the console annunciator alarm and will appear in the alarm summary display screen. Class 2 alarms will only appear in the alarm summary display screens.

There shall be an alarm acknowledgment capability which will allow determination of first in alarms when multiple alarms are present.

All digital input alarms shall be Sequence of Event (SOE) type inputs. The timestamp of each input will be logged in the system to the nearest millisecond.

Alarms will be captured in the Data Historian.

The RCS shall have an Alarm Summary display screen on the computer. This display or set of displays shall have the capability to display the alarms, as well as an option to filter and sort the alarms. The option could be disabled.
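The alarm handling described in section 3.3.3, as an added example that is not part of the specification or of any vendor code: it routes each alarm class to its stated response, determines the first-in alarm from the millisecond SOE timestamps instead of arrival order, and filters and sorts the summary. The point names, the sample events, the choice to treat "first in" as the earliest unacknowledged alarm, and the listing of House and Class 0 alarms in the summary are assumptions.

```python
"""Added example: alarm routing and first-in determination (not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class AlarmClass(Enum):
    HOUSE = "House"
    CLASS_0 = "Class 0"
    CLASS_1 = "Class 1"
    CLASS_2 = "Class 2"


# Responses stated in section 3.3.3. Listing House and Class 0 alarms in the
# alarm summary as well is an assumption of this example.
RESPONSES = {
    AlarmClass.HOUSE: ("site_evacuation", "alarm_summary"),
    AlarmClass.CLASS_0: ("reactor_room_evacuation", "alarm_summary"),
    AlarmClass.CLASS_1: ("console_annunciator", "alarm_summary"),
    AlarmClass.CLASS_2: ("alarm_summary",),
}


@dataclass(frozen=True)
class AlarmEvent:
    timestamp_ms: int           # SOE timestamp, logged to the millisecond
    tag: str                    # point name (hypothetical values below)
    alarm_class: AlarmClass
    acknowledged: bool = False


def responses_for(event: AlarmEvent) -> tuple[str, ...]:
    """Responses demanded by the event's alarm class."""
    return RESPONSES[event.alarm_class]


def first_in(events: list[AlarmEvent]) -> list[AlarmEvent]:
    """Unacknowledged alarm(s) carrying the earliest SOE timestamp.

    Arrival order is ignored. Inputs that share a millisecond are all
    returned, because the log resolution cannot order them.
    """
    pending = [e for e in events if not e.acknowledged]
    if not pending:
        return []
    earliest = min(e.timestamp_ms for e in pending)
    return sorted((e for e in pending if e.timestamp_ms == earliest),
                  key=lambda e: e.tag)


def alarm_summary(events, classes=None, newest_first=False):
    """Filter by alarm class, then sort by SOE timestamp and tag."""
    rows = [e for e in events if classes is None or e.alarm_class in classes]
    return sorted(rows, key=lambda e: (e.timestamp_ms, e.tag),
                  reverse=newest_first)


# Constructed sample events, listed in arrival order (not timestamp order).
SAMPLE_EVENTS = [
    AlarmEvent(1_000_250, "PCS power loss", AlarmClass.CLASS_2),
    AlarmEvent(1_000_120, "RAM high level", AlarmClass.CLASS_1),
    AlarmEvent(1_000_400, "Pool water temperature high", AlarmClass.CLASS_2),
    AlarmEvent(1_000_120, "CAM high level", AlarmClass.CLASS_1),
]

if __name__ == "__main__":
    for e in first_in(SAMPLE_EVENTS):
        print("first in:", e.timestamp_ms, e.tag, responses_for(e))
```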

3.3.4 Data Historian / Recording Requirements

The data historian shall be capable of recording information for each process parameter interfacing with the system. The user shall be able to configure the data points to be retained, the sampling rate, and the length of data retention.

The default sampling interval shall be 1 second.

At least 5 years of data shall be retained in the archive files on the display workstation.

The archive shall be capable of logging setpoint triggering and actuation of components.

Archive data shall have backup capability to allow data recording for the life of the facility.

3.4 Neutron Detection System Requirements

A summary of the functionality of the four neutron instrumentation channels to be provided is shown in Table 3-5.

Table 3-5 Summary of Existing Nuclear Instrumentation Channels

Channel | Detector Type | Channel Description | Detector Location
1 | Fission Chamber | Startup Channel monitors the neutron flux to provide the log count rate and period. Range: 1 to 10^10 counts/sec. Period: -30 to +3 seconds | Mounted in G5 (See Figure 2-1) or similar location.
2 | Compensated Ion Chamber | Log N and Period Channel. Indicates reactor power level over the range from 0.00001 to 300%. Period range is -30 to +3 seconds | Reactor back plane
3 | Uncompensated Ion Chamber | Linear Power Channel measures neutron flux in the reactor operating range from shutdown to full power | Reactor back plane
4 | Uncompensated Ion Chamber | Safety Channel Linearly measures from a few percent to at least 150% power. | Reactor back plane

3.4.1 Channel 1 - Startup Channel

The startup channel is used to monitor the neutron flux. The channel consists of a fission chamber, a pulse preamplifier, and a measurement channel providing a logarithmic count rate and a change rate signal. A readout is provided on the LCD display of the measurement channel and via isolated 4-20 mA analog outputs on the RTP 3000 HMI. The full reactor power range may be monitored by this instrument by appropriate repositioning of the detector by means of the fission chamber drive mechanism. The fission chamber may be raised into a cadmium shield by means of a drive mechanism similar to the control rod drive units. The controls and position indication for this drive are located on the center console. There is a reactor period setback.

There is also a reactor trip in the event of a short period.

3.4.1.1 Channel 1 - Monitored Parameters

The drawer shall monitor the output of the fission chamber detector.

  • Source Range Level > 1.0 to 10^5 counts/second.
  • The Reactor Period will be calculated in the -30 to +3 seconds range.

3.4.1.2 Channel 1 - Displayed Parameters

The following parameters shall be displayed on the front panel of the instrument:

  • Counts per second
  • Change rate in s^-1 (inverse period)

The following parameters from the NFMS shall be displayed on the Panel Recorders:

  • Log Count Rate
  • Change Rate

3.4.1.3 Channel 1 - Setpoints

  • Withdrawal Interlock alarm when counts less than 2/sec.
  • Rod Setback when reactor period is 12 sec or less.
  • Trip when reactor period is 7 sec or less.
  • Rod withdrawal interlock engages when the reactor period is 15 sec or less.
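The Channel 1 setpoints above, as an added example that is not part of the specification or of any vendor code: it evaluates one sample against the section 3.4.1.3 limits and compares on the change rate, so that a negative period (falling power) never satisfies an "or less" limit. The 100 / period scaling (inferred from the ranges in section 3.4.2.1), the action names, the sample values, and the `channel_fault` result for unusable samples are assumptions.

```python
"""Added example: Channel 1 setpoint evaluation (not vendor code)."""
from __future__ import annotations

import math

# Setpoints from section 3.4.1.3.
INTERLOCK_MIN_CPS = 2.0      # withdrawal interlock below 2 counts/s
INTERLOCK_PERIOD_S = 15.0    # withdrawal interlock at 15 s or less
SETBACK_PERIOD_S = 12.0      # rod setback at 12 s or less
TRIP_PERIOD_S = 7.0          # trip at 7 s or less


def change_rate(period_s: float) -> float:
    """Change rate in %/s for a reactor period in seconds.

    Assumed scaling 100 / period, inferred from the -3.33/s to 33.3/s range
    that section 3.4.2.1 maps to the -30 s to +3 s period range.
    """
    if period_s == 0:
        raise ValueError("a period of 0 s has no finite change rate")
    return 100.0 / period_s   # an infinite period (steady power) gives 0.0


def period_at_or_below(rate: float, limit_s: float) -> bool:
    """True when the period is positive and no longer than limit_s.

    The comparison is made on the change rate. Comparing the period itself
    (period <= 7) would also match -30 s, which is a slow power decrease.
    """
    return rate >= 100.0 / limit_s


def evaluate_channel1(cps: float, rate: float) -> list[str]:
    """Return the Channel 1 actions demanded by one sample."""
    # Assumption: an unusable sample is reported as a fault instead of being
    # compared, because every comparison with NaN is False and would
    # otherwise read as "no action".
    if math.isnan(cps) or math.isnan(rate) or cps < 0:
        return ["channel_fault"]
    actions = []
    if cps < INTERLOCK_MIN_CPS or period_at_or_below(rate, INTERLOCK_PERIOD_S):
        actions.append("withdrawal_interlock")
    if period_at_or_below(rate, SETBACK_PERIOD_S):
        actions.append("rod_setback")
    if period_at_or_below(rate, TRIP_PERIOD_S):
        actions.append("trip")
    return actions


# Constructed samples: (counts/s, period in seconds).
SAMPLES = [(150.0, math.inf), (150.0, 15.0), (150.0, 12.0),
           (150.0, 7.0), (150.0, -30.0), (1.5, math.inf)]

if __name__ == "__main__":
    for cps, period in SAMPLES:
        print(cps, period, evaluate_channel1(cps, change_rate(period)))
```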

3.4.2 Channel 2 - Log N and Period Channel

The log N and Period channel indicates the reactor power level over the range from 0.00001 to 300 percent power. The detector for this channel is a compensated ionization chamber. A Current-to-Frequency Converter NV 102 plus Digital Channel DAK 250-g process the detector signal and provide log power and change rate as isolated analog 4-20 mA signals. The output is fed to the panel recorders (see Table 3-2 for panel recorder signal definitions). The LCD on the measurement channel displays log N and change rate values. The channel is not on scale at startup (<0.00001%), but will be indicating before the range of the fission chamber is exceeded.

A reactor trip will be initiated if this channel indicates power levels in excess of 120% of the licensed power.

3.4.2.1 Channel 2 - Monitored Parameters

  • Output from CIC for 0.00001 to 300 percent power level.
  • The change rate (inverse Reactor Period) will be calculated in the -3.33/s to 33.3/s range (corresponding to -30 to +3 seconds period range).

3.4.2.2 Channel 2 - Displayed Parameters

The following parameters shall be displayed on the front panel of the instrument:

  • log N of reactor power in percent full power
  • Change rate (inverse period)

The following parameters shall be displayed on the Panel Recorders:

  • Change rate (inverse period)
  • Log N of reactor power in percent full power

3.4.2.3 Channel 2 - Setpoints

  • Trip when power level is equal or greater than 120%
  • Rod Setback when period is 12 sec or less
  • Trip when period is 7 sec or less
  • Trip on Loss of high voltage to detector
  • Rod withdrawal interlock when the reactor period is 15 sec or less

3.4.3 Channel 3 - Linear Power

The linear level channel measures neutron flux in a reactor operating range from shutdown to full power. The sensing element is an uncompensated Ion Chamber coupled to a NV 102 Current-to-Frequency Converter and a DAK 250-g digital measurement channel. This channel will evaluate the relative reactor power from startup to full power and deliver a linear multi-range analog output signal in 16 ranges and a 1-out-of-16 binary range signal. The channel is calibrated to %FP (percent full power). The measured value is indicated on the instrument panel and indicated on meters on the console and on the instrument panel. This channel has two set points that will initiate a reactor setback at either 3.3%FS (zero) or 73.3%FS (110% range).

There is also a 120% (80%FS) range set point that will initiate a reactor trip.

3.4.3.1 Channel 3 - Monitored Parameters

  • Output from UIC from zero to full power level.

3.4.3.2 Channel 3 - Display Parameters

The following parameters shall be displayed on the front panel of the instrument:

  • Percentage of Channel 3 currently selected range.

The following parameters shall be displayed on the Panel Recorders:

  • Percentage of Channel 3 currently selected range.

3.4.3.3 Channel 3 - Setpoints

  • Setback at 110% currently selected range. This ensures the instrument range switch is set correctly.
  • Setback at 5% currently selected range. This ensures the instrument range switch is set correctly.
  • Trip at 120% currently selected range.

Note: Due to the automatic range switching, in normal operation, the 5% setback can only occur in the lowest range and the upper setback and trip can only occur in the highest range provided normal automatic switching occurs. In the event of a failure of the automatic range switching, the 110%, 120% or 5% setpoints will be activated.

3.4.4 Channel 4 - Safety Channel

The Safety Channel utilizes an uncompensated Ion Chamber. The sensitive range of this instrument is from a few percent to at least 150 percent power, linearly. The output is indicated on the instrument chassis. The purpose of this channel is to provide a high power level trip and setback.

3.4.4.1 Channel 4 - Monitored Parameters

This detector provides the reactor power signal for the Safety Channel high power level trip and setback.

3.4.4.2 Channel 4 - Displayed Parameters

The following parameters shall be displayed on the front panel of the instrument:

  • Calibrated reactor power.

The following parameters shall be displayed on the Panel Recorders:

  • Calibrated reactor power.

3.4.4.3 Channel 4 - Setpoints

  • High power level trip (120%)
  • High power level setback (110%)

3.5 External Systems

This section defines how the existing external systems will interface with the new RCS and RPS systems.

3.5.1 HVAC System

Indication of on/off status of the HVAC system shall be provided. Status actuation shall be logged.

Control of the HVAC system shall be provided through one of the switches on the operator console. Engaging this switch will act to isolate confinement as well as setting the corresponding system alarm (Class 1). A RAM or CAM alarm will actuate this switch as well.

3.5.2 Radiation Monitoring System

3.5.2.1 Radiation Area Monitors

Three gamma area radiation monitors (RAM) are required for the reactor room, all of which should have their meter readings replicated on the operator's console. The locations of the RAM detector heads will be one (1) at the pool top near the control rod drives, one (1) on the wall next to the water process system, and one (1) near the operator's console.

The RCS shall have a readout for each RAM dose or counts, provide coincident audible and visible alarms, and cause a reactor scram on high level (Class 1 alarm). The RAMs will provide an analog output signal to the RCS for the dose or count rate and a digital contact to the RPS for high level SCRAM. The RCS shall monitor the RAM dose or count rate signal and shall provide a SCRAM signal to the RPS if the dose or count rate exceeds the high level setpoint. The RPS shall initiate a SCRAM when the RAM high level contact is set.

Details are listed below:

Radiation Area Monitors (3)

  • Detectors - Scintillation Detectors
  • Range - 0.05 to 60 mr/hr
  • Indicators - Local & Remote Meters

3.5.2.2 Continuous Air Monitor

One continuous air monitor (CAM) is required for the reactor room, which shall have its local meter readings replicated on the operator's console. The location of the CAM will be within the reactor room.

The RCS shall have a readout for the CAM dose or counts, provide coincident audible and visible alarms, and cause a reactor scram on high level (Class 1 alarm). The CAM will provide an analog output signal to the RCS for the dose or count rate and a digital contact to the RPS for high level SCRAM. The RCS shall monitor the CAM dose or count rate signal and shall provide a SCRAM signal to the RPS if the dose or count rate exceeds the high level setpoint. The RPS shall initiate a SCRAM when the CAM high level contact is set.

Details are listed below:

Continuous Air Monitor (1)

  • Flow Rate - 0.4 to 4.0 ft³/min
  • Indicators - Local & Remote Meters

3.5.3 Reactor Makeup Water System

It is desired that these other process variables be measured and indicated on the operator's console.

1. Water process system monitoring with two separate probes, one at the pool and one downstream of the demineralizer. The probes will each provide a 4-20 mA output signal representing temperature and conductivity.

A Class 2 alarm shall be shown if the water temperature rises above 29.7 °C.

A Class 2 alarm shall be shown if the water conductivity rises above 3 µ/cm.

3.5.4 Power Conditioning System

The power conditioning system (PCS) will be provided by Purdue. There will be two power conditioning units, one providing power for the RPS and a second providing power to the RCS. The RCS will monitor the state of each power conditioning system through a network connection from the RCS display workstation to the UPS unit. Each UPS unit will provide an SNMP agent that provides the ability for the RCS to query the status of the UPS.

A Class 2 alarm will be initiated on the loss of power to the PCS, to which the operator will respond manually by initiating a gang lower shutdown or Scram.

3.5.5 Reactor Room Pressure Differential Monitoring System

A negative air pressure monitor shall be interfaced with the new RCS. The RCS will receive an input and display the readout of the air pressure differential between the reactor room and atmosphere. It will have an indicating alarm when the differential reaches its lower limit.

The RCS will monitor the state of the lower limit through a dry contact digital input. This alarm state shall be considered Class 2. The operator will respond to the pressure differential alarm manually.

3.6 System Operations

3.6.1 Human Factors Requirements

The fonts used will be clearly legible for all system displays.

The arrangement of control and navigation elements on the screen shall facilitate manipulation of these elements and minimize the potential for unintended operation.

Parameter readings shall clearly indicate the appropriate units for the subject variable. Each reading shall have a tag or point name associated with it, which will also be displayed.

3.6.2 System Maintainability

The replacement system vendor shall provide a list of recommended spare parts to maintain the system long term. The owner will use this list to determine what spare parts are ordered for storage on-site.

3.7 System Security

The replacement system vendor shall employ a security scheme to protect the replacement system from accidental or malicious access, use, modification and/or destruction.

3.7.1 Cyber Security

  • All USB ports shall have .
  • Workstation:

o Shall have individual user accounts, where each account is limited to functions required by the specific user.

4 PUR-1 Testing and Inspection Requirements

4.1 System Test Capabilities

The system design requirements for testing are as follows:

  • Design shall provide the capability for periodic testing that simulates, as closely as practicable, the required functional performance of the supplied system. Testing provisions shall be designed to demonstrate the functional capability of the items under test during normal environmental conditions.
  • Where practical, test devices, such as test blocks, shall be utilized to eliminate the application and removal of wires in order to perform periodic surveillance testing. These devices shall not interfere with the operability or safety function of the component or system under test. Existing test points/jacks/switches shall be utilized where practicable.
  • The supplied equipment shall have a mechanism to verify functionality of inputs. This can be accomplished during self-test intervals or during a periodic manual test. Inputs should be cycled for testing as long as other functions connected to the input are not adversely impacted.
  • The supplied equipment shall have a mechanism to verify functionality of digital outputs. This can be accomplished during self-test intervals or during a periodic manual test.

4.2 Factory Acceptance Test Requirements

A Factory Acceptance Test (FAT) shall be performed to demonstrate the functionality of the new Research Reactor Protection / Control System (RPCS) and to demonstrate conformance of the system equipment to the design performance requirements specified in this report.

The vendor shall prepare detailed test procedures for conducting tests, recording data and determining the acceptability of the test results.

All FAT procedures shall be reviewed by the owner (or owner's designated agent) prior to execution of the FAT. A copy of all test results shall be provided to the owner upon completion of the FAT.

The FAT shall be conducted in a controlled test environment.

The factory acceptance testing will demonstrate hardware functionality by exercising each device at the module level. Testing will also demonstrate failure detection and failure response.

Any test exceptions will be documented, as well as any changes performed to pass factory acceptance testing. Changes that are necessary for acceptance will be made in a permanent manner and retested before the completion of factory acceptance testing.

In addition, the vendor may recommend any additional tests required to compile an exhaustive factory acceptance test of the hardware and hardware configuration of the RRCS.

4.3 Software & Control Algorithm Requirements

The vendor shall validate all control algorithms, software commands and software functions specified for the RPCS.

The vendor shall perform the following tests to validate the software control and demonstrate the hardware and software functioning properly together. If required, inputs to the system will be simulated for testing purposes.

  • I/O and logic functional testing.
  • Component failure simulation.
  • Normal system operating conditions and maneuvers.
  • Abnormal operating conditions

In addition, the vendor may recommend any additional tests required to compile an exhaustive factory acceptance test of the software and software configuration of the RPCS. Purdue will be invited to review, test, and inspect all software and control algorithms prior to final implementation.

4.4 Site Acceptance Test Requirements

A Site Acceptance Test (SAT) shall be performed to demonstrate the functionality of the installed RCS and RPS systems at the owner's facility. The SAT procedures will be based on the FAT procedures and stakeholder input to verify the hardware and software function as stated in this document.

The vendor shall prepare detailed test procedures for conducting tests, recording data and determining the acceptability of the test results.

All SAT procedures shall be reviewed by the owner (or owner's designated agent) prior to execution of the SAT.

The SAT testing shall be conducted in the Research Reactor Protection / Control System's fully installed configuration.

5 PUR-1 Configuration Management Requirements

Configuration management procedures must be created and utilized during the development of the software being supplied. The configuration management process should be transferable for use at Purdue University. The vendor-developed process shall be approved by Purdue University personnel prior to the start of Factory Acceptance Testing.

The selected controls vendor will provide configuration control on the technical documentation that accompanies the as-shipped equipment. This includes, but is not limited to, the hardware design document (HDD), system design description (SDD), drawings, manuals, and other vendor documentation.

A restore image will be provided for all workstations and/or servers delivered with the system. The restore image(s) will be created at the completion of Factory Acceptance Testing and prior to shipment.

6 Nuclear Regulatory Commission Licensing

It is understood that this system must be licensed to operate by the Nuclear Regulatory Commission and some changes may be required following the submission of the License Amendment Request (LAR) corresponding to the system install. The vendor will work with Purdue University to address those issues that may arise during the licensing process, especially those which arise as a result of Requests for Additional Information (RAIs), which are frequently sent.

Mirion Detector - Control System Interface

Appendix A contains a document and drawings of the interfaces between the Mirion Detector hardware, the RCS and the RPS.

(See File Mirion Detector - Control System Interface Rev <current revision>.docx)

This document defines the signals between the RCS, the RPS and the Mirion Detector hardware.

(See File Mirion Detector - Control System Interface Rev <current revision>.vsdx)

This document contains drawings providing visual representation of the signals between the RCS, the RPS and the Mirion Detector hardware.

RPCS Interface to External Systems

Appendix B contains a document and drawings of the interfaces between the Purdue Research Reactor External systems, the RCS and the RPS.

(See File RPCS Interface to External Systems Rev <current revision>.docx)

This document defines the signals between the RCS, the RPS and the reactor external systems.

(See File RPCS Interface to External Systems Rev <current revision>.vsdx)

This document contains drawings providing visual representation of the signals between the RCS, the RPS and the reactor external systems.
