ML19123A212

From kanterella
Revision as of 09:26, 2 February 2020 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Massachusetts Institute of Technology Nuclear Reactor - Issuance of Amendment No. 42 to Renewed Facility Operating License No. R37 Regarding the Nuclear Safety System Digital Upgrade
ML19123A212
Person / Time
Site: MIT Nuclear Research Reactor
Issue date: 12/04/2019
From: Patrick Boyle
Research and Test Reactors Licensing Projects Branch
To: Foster J
Massachusetts Institute of Technology (MIT)
Boyle P
References
EPID L-2016-LLA-0003
Download: ML19123A212 (95)
v  d  e


Text

December 4, 2019 Mr. John Foster, Director of Reactor Operations Nuclear Reactor Laboratory Research Reactor Massachusetts Institute of Technology 138 Albany Street, MS NW12-116A Cambridge, MA 02139

SUBJECT:

MASSACHUSETTS INSTITUTE OF TECHNOLOGY - ISSUANCE OF AMENDMENT NO. 42 TO RENEWED FACILITY OPERATING LICENSE NO. R-37 FOR THE MASSACHUSETTS INSTITUTE OF TECHNOLOGY RESEARCH REACTOR REGARDING THE NUCLEAR SAFETY SYSTEM DIGITAL UPGRADE (EPID NO. L-2016-LLA-0003)

Dear Mr. Foster:

The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment No. 42 to Renewed Facility Operating License No. R-37 for the Massachusetts Institute of Technology Research Reactor. The amendment consists of changes to the technical specifications (TSs) in response to MITs application dated September 30, 2014, as supplemented by letters dated May 12, 2016, July 6, 2017, December 14, 2017, April 20, 2018, May 3, 2018, October 25, 2018, December 6, 2018, and February 27, 2019.

The amendment authorizes MIT to upgrade the nuclear safety system, including with digital components, and use it as an input to the reactor protection system. The amendment changes the limiting conditions for operation in TSs 3.2.3 and 3.2.7 to reflect the upgraded system and modifies the related surveillance requirements in TS 4.2.

J. Foster The NRC staffs safety evaluation supporting Amendment No. 42 is also enclosed. If you have any questions, please contact me at (301) 415-3936, or by electronic mail at Patrick.Boyle@nrc.gov.

Sincerely,

/RA/

Patrick G. Boyle, Project Manager Non-Power Production and Utilization Facility Licensing Branch Division of Advanced Reactors and Non-Power Production and Utilization Facilities Office of Nuclear Reactor Regulation Docket No. 50-20 License No. R-37

Enclosures:

1. Amendment No. 42 to Renewed Facility Operating License No. R-37
2. Safety Evaluation cc: w/enclosures: See next page

Massachusetts Institute of Technology Docket No. 50-20 cc:

City Manager City Hall Cambridge, MA 02139 Department of Environmental Protection One Winter Street Boston, MA 02108 Mr. Jack Priest, Director Radiation Control Program Department of Public Health 529 Main Street Schrafft Center, Suite 1M2A Charlestown, MA 02129 Mr. John Giarrusso, Chief Planning and Preparedness Division Massachusetts Emergency Management Agency 400 Worcester Road Framingham, MA 01702-5399 Test, Research and Training Reactor Newsletter Attention: Ms. Amber Johnson Dept of Materials Science and Engineering University of Maryland 4418 Stadium Drive College Park, MD 20742-2115 Ms. Sarah M. Don, Reactor Superintendent Massachusetts Institute of Technology Nuclear Reactor Laboratory Research Reactor 138 Albany Street, MS NW12-116B Cambridge, MA 02139

ML19123A212 *via email concurrence NRR-058 OFFICE NRR/DLP/PRLB/PM NRR/DLP/PRLB/LA* OGC/NLO*

NAME PBoyle NParker (wcomments) MYoung (wcomments)

DATE 6/12/2019 5/20/2019 12/2/2019 OFFICE NRR/DANU/UNPL/BC* NRR/DANU/UNPL/PM NAME GCasto (wcomments) PBoyle DATE 12/3/2019 12/4/2019 MASSACHUSETTS INSTITUTE OF TECHNOLOGY DOCKET NO. 50-20 MASSACHUSETTS INSTITUTE OF TECHNOLOGY RESEARCH REACTOR AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 42 Renewed License No. R-37

1. The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment to Renewed Facility Operating License No. R-37 filed by the Massachusetts Institute of Technology (the licensee), dated September 30, 2014, as supplemented by letters dated May 12, 2016, July 6, 2017, December 14, 2017, April 20, 2018, May 3, 2018, October 25, 2018, December 6, 2018, and February 27, 2019, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commissions rules and regulations as set forth in Title 10 of the Code of Federal Regulations (10 CFR) Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commissions regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; E. The issuance of this amendment is in accordance with 10 CFR Part 51, Environmental Protection Regulations for Domestic Licensing and Related Regulatory Functions, of the Commissions regulations and all applicable requirements have been satisfied; and F. Prior notice of this amendment was not required by 10 CFR 2.105, Notice of proposed action, and publication of notice for this amendment is not required by 10 CFR 2.106, Notice of issuance.

Enclosure 1

2. Accordingly, the license is amended by changes to the Technical Specifications as indicated in Attachment 2 to this license amendment, and paragraph 2.C.2 of Renewed Facility Operating License No. R-37 is hereby amended to read as follows:

Technical Specifications The Technical Specifications contained in Appendix A, as revised from Amendment 38 through 42, are hereby incorporated in the license. The Massachusetts Institute of Technology shall operate the facility in accordance with the Technical Specifications.

3. This license amendment is effective as of its date of issuance and shall be implemented within 180 days of issuance.

FOR THE NUCLEAR REGULATORY COMMISSION

/RA/

Greg Casto, Chief Non-Power Production and Utilization Facility Licensing Branch Division of Advanced Reactors and Non-Power Production and Utilization Facilities Office of Nuclear Reactor Regulation Attachments:

1. Changes to Renewed Facility Operating License R-37
2. Changes to Appendix A, Technical Specifications Date of Issuance: December 4, 2019

ATTACHMENT 1 TO LICENSE AMENDMENT NO. 42 RENEWED FACILITY OPERATING LICENSE NO. R-37 DOCKET NO. 50-20 Replace the following page of the Renewed Facility Operating License No. R-37 with the revised page. The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Renewed Facility Operating License Remove Insert 3 3 Attachment 1

3. Pursuant to the Act and 10 CFR Part 30, to receive, possess, and use:
a. a 150-curie antimony-beryllium sealed neutron source in connection with operation of the facility;
b. such byproduct material as may be produced by operation of the facility, which, except for byproduct material produced in non-fueled experiments, shall not be separated; and
c. byproduct materials activated in reactors other than the MIT reactor (for use in the reactor hot cells) that are in solid form and have atomic numbers 3 through 83. The total inventory of this byproduct material shall not exceed 100,000 curies at any one time. This material may be irradiated in the reactor.

C. This renewed license shall be deemed to contain and is subject to the conditions specified in Parts 20, Standards for Protection against Radiation, 30, 50, 51, 55, Operators Licenses, 70, and 73, Physical Protection of Plants and Materials, of the Commissions regulations; is subject to all applicable provisions of the Act and the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified below:

Maximum Power Level

1. The licensee is authorized to operate the reactor at steady-state power levels not to exceed 6.0 megawatts (thermal).

Technical Specifications

2. The Technical Specifications contained in Appendix A, as revised from Amendments 38 through 42, are hereby incorporated in the license. The Massachusetts Institute of Technology shall operate the facility in accordance with the Technical Specifications.

Additional Conditions

3. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security plan, including amendments and changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The approved physical security plan consists of a Massachusetts Institute of Technology Nuclear Reactor Laboratory document, withheld from public disclosure pursuant to 10 CFR 73.21, entitled, Physical Security Plan for the M.I.T. Research Reactor Facility, dated July 22, 2013, as revised.

Amendment No. 42 December 4, 2019

ATTACHMENT 2 TO LICENSE AMENDMENT NO. 42 RENEWED FACILITY OPERATING LICENSE NO. R-37 DOCKET NO. 50-20 Replace the following pages of Appendix A, Technical Specifications, with the revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Technical Specifications Remove Insert 3-19 3-19 3-20 3-20 3-21 3-21 3-26 3-26 3-27 3-27 4-5 4-5 4-6 4-6 4-7 4-7 4-8 4-8 4-9 4-9 Attachment 2

Table 3.2.3-1 Required Safety Channels 2 Primary Pumps 1 Primary Pump 0 Primary Pump Channel / Parameter Action Limiting Min. No. Limiting Min. No. Limiting Min. No.

Setpoint Required Setpoint Required Setpoint Required

1. Period Scram > 7 sec. 3(1)(5) > 7 sec 3(1)(5) > 7 sec 3(1)(5)
2. Neutron flux level Scram < 7.4 MW 3(1)(5) < 3.2 MW 3(1)(5) < 100 kW 3(1)(5)
3. Low count rate Scram > 5 cps 3(1)(5) > 5 cps 3(1)(5) > 5 cps 3(1)(5)
4. Primary coolant outlet Scram < 60 C 2 < 60 C 2 < 60 C 2 temperature
5. Core tank level Scram 4" below 1 4" below 1 4" below 1 overflow pipe overflow pipe overflow pipe
6. Reflector tank level Scram 4" below 1 4" below 1 4" below 1(2) overflow overflow overflow
7. D2O dump valve Reflector dump N/A 1 N/A 1 N/A 1 selector switch & scram
8. Manual major scram Reflector dump, N/A 2(3) N/A 2(3) N/A 2(3) containment closure & scram
9. Manual minor scram Scram N/A 1 N/A 1 N/A 1 (4) (4)
10. Primary coolant Scram > 1800 gpm 2 > 900 gpm 2 N/A 0 flow rate
11. D2O reflector Scram > 75 gpm 1 > 75 gpm 1 N/A 0 flow rate
12. Shield coolant Scram > 50 gpm 1 > 50 gpm 1 N/A 0 flow rate
1) Nuclear safety scram logic system ensures that reactor scrams when two trips are present simultaneously from any two of the four nuclear safety channels.
2) For reflector reactivity measurement, the reflector scram can be bypassed at power levels less than 100 kW.
3) One in utility room.
4) At least one safety channel on the primary coolant flow rate scram must be by core inlet pressure sensor.
5) Within 15 minutes of declaring any nuclear safety system channel inoperable, the channel must be placed into a tripped state, which will be indicated on the Safety System Condition LED Scram Display. If any nuclear safety channel is in a tripped state, and a second nuclear safety channel is declared inoperable, then within 15 minutes at least one of the two must be returned to an operable state or the reactor must be shut down.

Amendment No. 42 3-19 December 4, 2019

Table 3.2.3-1 (Continued)

Required Safety Channels Any Number of Pumps (Two, One, or Zero)

Channel / Parameter Action Setpoint Minimum No.

Required

13. Nuclear safety channel in test or fault Scram Channel in test or fault condition 3(1)(5)
14. Building overpressure Scram < 3" water above atmospheric 1
15. Main personnel lock gaskets deflated Scram Both gaskets deflated 1
16. Basement personnel lock gaskets deflated Scram Both gaskets deflated 1
17. Hold-down grid unlatched Scram Grid unlatched 1
18. Experiment scrams (As Required by Experiment Approval)
1) Nuclear safety scram logic system ensures that reactor scrams when two trips are present simultaneously from any two of the four nuclear safety channels.
5) Within 15 minutes of declaring any nuclear safety system channel inoperable, the channel must be placed into a tripped state, which will be indicated on the Safety System Condition LED Scram Display. If any nuclear safety channel is in a tripped state, and a second nuclear safety channel is declared inoperable, then within 15 minutes at least one of the two must be returned to an operable state or the reactor must be shut down.

3-20 Amendment No. 42 December 4, 2019

Basis The nuclear safety system, consisting of four wide-range nuclear safety channels, provides protection against high power level and short reactor period. Each nuclear safety channel produces a trip signal on high power, short period, low detector count rate, channel in test, or channel fault / equipment malfunction. The scram logic system downstream will scram the reactor upon any simultaneous combination of these trips from two of the four nuclear safety channels, thereby ensuring there are three operable channels whenever the reactor is not shut down. The system is designed to allow the reactor to be critical with one channel in an inoperable state, including removal of the channel for service or maintenance; should any one of the remaining three required channels produce a trip, the scram logic system will scram the reactor.

Any nuclear safety channel declared inoperable will be placed into a tripped state as indicated on the LED Scram Display. The 15 minute time allowance is based on the time needed to make the necessary notifications.

The nuclear safety system is required at all power levels including certain subcritical operations such as refueling, absorber change-out, or other in-core work that affects reactivity.

Above 100 kW, protection is also required on primary, D2O, and shield coolant flows.

The parameters listed in Table 3.2.3-1 are monitored by the reactor protection system.

This system automatically initiates action to ensure that appropriate limiting safety system settings and limiting conditions of operation are not violated.

In practice, low power physics tests including rod reactivity worth measurements are usually performed at power levels of less than 10 kW and in the absence of forced convection primary flow. The upper limit of 100 kW for this type of operation was established on the basis of adequate natural convection cooling. The maximum plate temperature at 100 kW with natural convection cooling is estimated to be below incipient boiling, if the coolant outlet temperature is maintained below the normal scram point of 60C. Therefore, the reactor outlet temperature channel is specified in Table 3.2.3-1 as 60C for zero pump operation.

The reflector tank low D2O level scram must be bypassed during low power operation if calibration of the reactivity effect of the D2O reflector dump safety system is to be performed.

For refuelings, the reactor is in a shutdown condition, primary flow is secured, and the D2O reflector is normally dumped. Therefore, the nuclear safety channels are set to alarm within the zero primary pump limits for period and level. The capability to isolate the building is required.

This is provided by the major scram. Finally, it should be possible to dump the D2O reflector, if it is not already dumped.

3-21 Amendment No. 42 December 4, 2019

3.2.7 Control Systems and Instrumentation Requirements for Operation Applicability This specification applies to the reactor control system and to the control console display instrumentation.

Objective To ensure that the console operator has sufficient indication of power level, reactor period, primary coolant flow, primary coolant outlet temperature, core tank level, and control device position.

Specification Indication from the instrumentation listed in Table 3.2.7-1 shall be provided to the reactor console operator prior to reactor startup and during reactor operation.

Table 3.2.7-1 Required Instrumentation for Display Parameter Minimum Number Location

1. Period 1 Console
2. Neutron Flux Level a) Wide Range 1 Console b) Linear Power 1 Console
3. Core Tank Level 1 Control Room
4. Primary Coolant Flow 1 Control Room
5. Coolant Outlet Temperature 1 Control Room
6. Shim Blade Position(1) 5 Console
7. Regulating Rod Position(2) 1 Console (1) Indication required for all operable shim blades. Indication may be either numeric or analog meter or both.

(2) Indication may be either numeric or analog meter or both.

3-26 Amendment No. 42 December 4, 2019

Basis The basis of this specification is given in Section 7.4 of the SAR. The limiting safety system settings are a function of the reactor power, coolant flow, coolant temperature, and core tank level. These parameters, together with reactor period, are important to safe operation.

Indication of shim blade position is also important. There are four independent nuclear safety channels, each of which monitors wide-range reactor power level and period. The operator requires continuous indication of reactor power, reactor period, and control device position in order to perform power manipulations. Hence, these parameters are displayed on the reactor console.

The operator requires knowledge of whether or not flow, temperature, and level are within their normal ranges. Hence, they are displayed in the control room but not necessarily on console.

3-27 Amendment No. 42 December 4, 2019

reactor if the reactor has been in a secured condition or if the instrument or channel has been repaired or de-energized. Calibration of these instruments or channels (except those such as scram pushbuttons that do not require calibration) shall be done at least annually.

5. Channel Tests: Channel tests of the instruments or channels listed in Table 4.2-1 shall be performed if the channel or instrument has been modified or repaired.
6. The following instruments shall be calibrated and trip points verified when initially installed, any time a significant change in indication is noted, and at least annually:

a) Period b) Neutron Flux Level c) Primary Coolant Outlet Temperature d) Core Tank Level e) Reflector Tank Level f) Primary Coolant Flow g) D2O Reflector Flow h) Shield Coolant Flow

7. Thermal Power: The signals used to compute thermal power shall be calibrated at least annually.

4-5 Amendment No. 42 December 4, 2019

Table 4.2-1 Surveillance of Scram and Power Measuring Channels Instrument or Channel Channel Test to Verify 1 Period(1) Scram

2. Neutron Flux Level(1) Scram
3. Primary Coolant Outlet Temperature Scram
4. Core Tank Level Scram
5. Reflector Tank Level Scram
6. D2O Dump Valve Switch Scram and Reflector Dump
7. Air-Operator D2O Dump Valve Switch Reflector Dump
8. Manual Major Scram Magnet Cut-off, Reflector Dump, and Ventilation Trip
9. Manual Minor Scram Magnet Cut-Off
10. Experiment Shutdown As Specified in Experiment Approval
11. Primary Coolant Flow(2) Scram 12 D2O Reflector Flow(2) Scram
13. Shield Coolant Flow(2) Scram
14. Fission Converter As specified in Fission Converter TS 6.6.3
15. Nuclear Safety Channel Low Count Rate(1) Scram
16. Nuclear Safety Channel in Test(1) Scram
17. Nuclear Safety Channel Fault(1) Scram
18. Hold-Down Grid Unlatched Scram
19. Reactor Remote Shutdown(s) Scram from Medical Facilities and Utility Room (1) Reactor scrams when two trips in any combination are present simultaneously from any two of the four nuclear safety channels.

(2) Not required for startup in natural convection cooling mode.

4-6 Amendment No. 42 December 4, 2019

8. Heat Balance: The signal from the linear power channel shall be checked against a heat balance calculation at least monthly, for any month that the reactor is operated above 1 MW continuously for at least 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
9. Control Device Inspection: Control devices shall be inspected annually as follows:

a) Shim blade absorbers shall be checked visually.

b) Shim blade electromagnets shall be checked both visually and by measuring the resistance of the coils.

c) Shim blade and regulating rod drives shall be monitored for proper operation.

10. Control System Interlocks: A channel test of the following interlocks and scram shall be performed at least annually:

a) Withdraw Permit Interlock, b) Subcritical Limit - Shim Blades Interlock, c) No Overflow Reflector Startup Interlock, and d) Low Level D2O Reflector Scram.

Basis The MITR-II has observed the criteria given in Specification 4.2.1 for determination of control device reactivity worths and found it to be adequate. Measurements of the integral and differential worths are required annually. Measurements following changeouts of absorbers and change of core configuration are desirable. However, such measurements are very time consuming.

Moreover, sufficient experience exists with such changes that their effect on integral and differential reactivity worths can be predicted with reasonable accuracy. Accordingly, 4-7 Amendment No. 42 December 4, 2019

normal MITR-II practice is to do a complete set of measurements following replacement of all absorber sections rather than to do measurements as each is replaced. (Note: It requires several days to replace one absorber and the entire process is usually done over an interval of several months.) Estimates of the change of worth are used pending the measurement. Estimates, not measurements, are normally used for changes of core configuration.

The insertion and withdrawal speed of the control devices is fixed by the motor and drive design as discussed in Section 4.2.2 of the SAR. These speeds are verified annually.

Scram time is as defined by Specifications 1.3.37 and 3.2.1. It is verified at least annually and whenever maintenance has been performed that could affect it.

The instruments and channels listed in Table 4.2-1 correspond to those in Table 3.2.3-1, "Required Safety Channels" with the exception that surveillance of the building overpressure and gasket deflated scrams is addressed elsewhere (Specification 4.4).

The thermal power indication is calibrated at least annually and the signal from the linear power channel is compared against a heat balance at least monthly for any month that the reactor is operated above 1 MW. These actions are done under conditions of thermal equilibrium which, because of the MITR-II's heat capacity (especially that of the graphite reflector), occurs after 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> of steady-state operation.

4-8 Amendment No. 42 December 4, 2019

Control devices are inspected at least annually. The inspection focuses on those components that are important to safety. Those include the absorber sections (Section 16.3.1.5 of the SAR) and electromagnets (Section 16.3.1.4(d) of the SAR). The status of the shim blade and regulating rod drives can be deduced from external observations such as the measurement of blade and regulating rod insertion/withdrawal speeds (Specification 4.2.2). Internal inspections require lowering of the core tank level and removal of the drive. These are usually done whenever an absorber is changed out. As described in Section 16.3.1.5 of the SAR, this is normally done every 125,000 MWH. A prespecified frequency for an internal inspection would involve serious ALARA issues.

4-9 Amendment No. 42 December 4, 2019

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 42 TO RENEWED FACILITY OPERATING LICENSE NO. R-37 MASSACHUSETTS INSTITUTE OF TECHNOLOGY REACTOR DOCKET NO. 50-20

1.0 INTRODUCTION

By application dated September 30, 2014 Reference (Ref. 1), as supplemented by letters dated May 12, 2016 (Ref. 4), July 6, 2017 (Ref. 14), December 14, 2017 (Ref. 15), April 20, 2018 (Ref. 20), May 3, 2018 (Ref. 21), October 25, 2018 (Ref. 11), December 6, 2018 (Ref. 12), and February 27, 2019 (Ref. 13), Massachusetts Institute of Technology (MIT or the licensee),

submitted a license amendment request (LAR) to upgrade the nuclear safety system (NSS) in the reactor protection system (RPS) of the MIT reactor (MITR-II). The letter dated September 30, 2014 (Ref. 1), also incorporated by reference MIT letters dated November 18, 2013 (Ref. 2), and June 6, 2014 (Ref. 3).

The proposed upgrade of the NSS will replace the current six channels (three for reactor period and three for reactor power level, any one of which will trip the reactor) with four new channels, each of which monitors both the reactor period and the neutron flux (reactor power) level (any two of which can trip the reactor). MIT is proposing to replace the existing NSS because the components in the existing system have experienced aging-related failures and replacement components are difficult to procure. Additionally, the upgraded NSS will eliminate the need for the reactor operator to switch from the fission chamber to the ion chamber for the NSS during reactor startup. The NSS will maintain the capability to automatically scram the reactor if one of the required channels fails to respond (single failure criteria). It will also increase reliability of the RPS by preventing the failure of a single channel from causing a spurious reactor scram (single fault tolerance).

As part of the proposed NSS upgrade, the licensee will install the following new components:

signal distribution module (SDM), solid-state two-out-of-four scram logic cards (SLCs), key switch module (KSM), safety system display programmable logic controller (PLC), light-emitting diode (LED) scram display panel, uninterruptible power supply (UPS), magnet power supply modules, rundown relay panel, and blade1 drop timer interface module. The upgraded NSS also interfaces with the fission chambers (detectors) and preamplifiers, which were replaced by the licensee without prior NRC approval under Title 10 of the Code of Federal Regulations (10 CFR) 50.59, Changes, tests and experiments. Since the upgraded NSS will interface with the withdrawal permit circuit (WPC) and annunciator panel, the WPC and annunciator panel will need to be modified. The upgraded NSS also interfaces with the blade drop timer, but the licensee concluded that no modifications to the timer are needed to support use of the upgraded NSS.

MIT proposed changes to the technical specifications (TSs) limiting conditions for operations 1

In the LAR and this safety evaluation (SE), the word blade is used to refer to a shim blade, which is the neutron absorber section of the six reactivity control devices located at the periphery of the MITR-II core.

Enclosure 2

(LCOs) and surveillance requirement (SR) in support of the proposed equipment changes.

The U.S. Nuclear Regulatory Commission (NRC) staff held pre-application public meetings with MIT on October 12, 2012 (Ref. 26) and on March 6, 2014 (Ref. 27). During these meetings, MIT indicated that the I&C design was not complete and agreed to provide the final design information once completed.

After the submission of a supplement to the application on July 6, 2017 (Ref. 14), which included the SLC and display console design information, the NRC staff performed a regulatory audit (Audit) at the MITR-II facility in Cambridge, Massachusetts on July 24-26, 2017 (Ref. 16).

This Audit was performed in accordance with the audit plan (Ref. 17). After the Audit, the NRC staff identified several open items that were transmitted to MIT in a request for additional information (RAI) by letter dated October 12, 2017 (Ref. 18). MIT provided its response to this letter on December 14, 2017 (Ref. 15). In addition, the NRC staff requested that MIT clarify several MIT responses on March 3, 2018 (Ref. 19), which MIT addressed in responses on April 20 and May 3, 2018 (Refs. 20 and 21). In a letter dated May 3, 2018, MIT proposed additional TSs changes. By letter dated August 30, 2018 (Ref. 9), the NRC staff sent an RAI that asked MIT to identify all the proposed TS changes and provide the safety bases supporting the revisions. MIT provided its response in letters dated October 25 and December 6, 2018, and February 27, 2019 (Refs. 11, 12, and 13).

2.0 REGULATORY EVALUATION

2.1 Background The MITR-II, as described in the application (as supplemented) for renewal of Facility Operating License No. R-37 (Ref. 7), is a heavy-water reflected, light-water cooled, and moderated nuclear research reactor owned and operated by MIT, which is a nonprofit educational institution. The operating license allows steady state full power operation at a thermal power level up to 6 megawatts (MW). The reactor is located on the MIT campus in Cambridge, MA, and is a component of the MIT Nuclear Reactor Laboratory.

2.2 Proposed Changes The proposed changes to the MITR-IIs instrumentation and control (I&C) system are described in Section 7.1 of the LAR for its Facility Operating License No. R-37 (Ref. 1). In the LAR, MIT provided modified sections of the MITR-IIs safety analysis report (SAR) and TSs (Refs. 1 and

21) to describe and evaluate the proposed upgrade to the NSS, which is part of the RPS and the console display instrumentation. MIT did not propose any changes to the RCS, ESFAS, and RMS I&C systems, the other major MITR-II I&C subsystems.

MIT proposes to replace the existing nine channel flux monitoring system with seven channel system shown in Table 1. The seven-channel system is a result of replacing the existing Channel Nos. 1 to 6 (three period channels and three flux channels) with proposed channel Nos. 1 to 4, which have detection channels that monitor both reactor flux and reactor period.

Additionally, MIT proposes to renumber existing channel nos. 7 to 9 to be channel nos. 5 to 7 (see Section 3.1 of this SE for additional information).

Table 1 - Proposed MITR Nuclear Detection Channels Channel Detector Function Change 1 extended range fission chamber reactor flux level and period - upgraded NSS RPS input 2 extended range fission chamber reactor flux level and period - upgraded NSS RPS input 3 extended range fission chamber reactor flux level and period - upgraded NSS RPS input 4 extended range fission chamber reactor flux level and period - upgraded NSS RPS input 5 compensated ion chamber linear power level indication - renumbered only display only 6 uncompensated ion chamber power level display during loss renumbered only of power event - display only 7 ion chamber automatic control channel renumbered only input - RCS input The MITR-II TSs define specific features, characteristics, and conditions governing the operation of the facility. As part of the LAR (Ref. 1), as supplemented, the licensee proposed changes to the MITR-II TSs to correspond to design and operational changes that would result from the proposed upgrade of the NSS. The licensee proposed changes to TSs 3.2.3, 3.2.7, and 4.2 because the upgraded NSS has four channels for both reactor period scrams and reactor flux level scrams. Additionally, the licensee proposed changing the RPS scram logic from one-out-of-three to two-out-of-four. As a result, MIT proposed to change the minimum number of required channels from two to three channels to ensure that a single failure within the NSS cannot prevent the RPS from providing any necessary protective action (the single failure criterion in NUREG-1537, Part 2, Section 7.4 (Ref. 5.2)). Additionally, the proposed TSs include a new note that describes the operator action required in the event one or more NSS channels are declared inoperable. Since the upgraded NSS uses a digital display instead of a meter with a scale, MIT proposed to change TS Table 3.2.3-1 Period channel level signal off-scale with a corresponding scram setpoint of Less than two period channel level signals on-scale to Low count rate with a scram setpoint of >5 counts per second (cps). The licensee also proposed editorial changes to the TSs to group the NSS scrams together and to update and reorder the associated table notes (see SE Section 3.5).

2.3 Regulatory Evaluation The NRC staff reviewed the LAR, as supplemented, to ensure that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) activities proposed will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. The NRC staff considered the following regulations during its review of the proposed changes:

  • Part 50, Domestic Licensing of Production and Utilization Facilities, of 10 CFR, which provides the regulatory requirements for licensing of non-power reactors.
  • Section 50.34(a)(3)(i) of 10 CFR, which requires the applicant to describe the principal design criteria for the facility.
  • Section 50.34(a)(3)(ii) of 10 CFR, which requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria.
  • Section 50.34(a)(4) of 10 CFR, which requires a preliminary analysis and evaluation of the design and performance of SSCs of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility and including determination of the margins of safety during normal operations and transient conditions anticipated during the life of the facility, and the adequacy of SSCs provided for the prevention of accidents and the mitigation of the consequences of accidents.
  • Section 50.34(a)(7) of 10 CFR, which requires the applicant to describe the quality assurance (QA) program for design, fabrication, construction, and testing of the structures, systems, and components of the facility and paragraph 50.34 (b)(6)(ii), which requires that a final SAR include the managerial and administrative controls to be used to assure safe operation.
  • Section 50.34(b)(2) of 10 CFR, which requires a description and analysis of the SSCs of the facility, with emphasis upon performance requirements, the bases, with technical justification therefore, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to SEs.
  • Section 50.34(b)(2)(i) of 10 CFR, which requires such items as the instrumentation and control systems and electrical systems be discussed insofar as they are pertinent.
  • Section 50.34(b)(4) of 10 CFR, which requires a final analysis and evaluation of the design and performance of SSCs with the objective stated in 50.34(a)(4) that considers any pertinent information developed since the submittal of the preliminary SAR.
  • Section 50.36(a)(1) of 10 CFR, which requires that each applicant for a license authorizing operation of a production or utilization facility include in its application proposed TSs and a summary statement of the bases or reasons for such specifications, other than those covering administrative controls, that shall not become part of the TSs.
  • Section 50.36(b) of 10 CFR, which requires that the TSs be derived from the analyses and evaluation included in the SAR.
  • Section 50.36(c) of 10 CFR, which requires the TS to include:

Safety limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity and, if any safety limit is exceeded, the reactor must be shut down (50.36(c)(1)(i)(A));

Limiting safety system settings (LSSSs) for automatic protective devices related to those variables having significant safety functions where the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. (50.36(c)(1)(ii)(A));

LCOs, which are the lowest functional capability or performance levels of equipment required for safe operation of the facility and when not met, the licensee must shut down the reactor or follow any remedial action permitted by the TSs until the LCO can be met (50.36(c)(2)(i)); and, SRs relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the LCOs will be met (50.36(c)(3)).

NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, (Ref. 3.2) provides guidance to the NRC staff for performing safety reviews of applications to construct, modify, or operate a nuclear non-power reactor. The NRC staff used the NUREG-1537, Part 2 guidance and acceptance criteria to review the MIT application to verify compliance with the applicable regulatory requirements listed above. Additionally, NUREG-1537, Part 2 references additional applicable guidance, including:

  • Regulatory Guide (RG) 1.152-1996, Criteria for Digital Computers in Safety Systems of Nuclear Power Plants (Ref. 30), which also contains criteria that is applicable to research reactors, and provides applicable guidance for the use of digital computers in nuclear safety systems for research reactors including computer hardware, software, firmware, and interfaces and in which the NRC staff endorses use of Institute of Electrical and Electronics Engineers (IEEE) Standard 7-4.3.2-1993 (Ref. 24).
  • Regulatory Guide 2.5, Quality Assurance Program Requirements for Research and Test Reactors, reaffirmation date of June 8, 2015 (Ref. 10), which describes a method acceptable to the NRC staff of complying with the regulations for QA program requirements for research and test reactors and in which the NRC staff endorses use of American National Standards Institute/American Nuclear Society (ANSI/ANS)-15.8-1995 (Ref. 23).
  • ANSI/ANS-15.1-1990, The Development of Technical Specifications for Research Reactors (Ref. 22), which provides guidance that identifies and establishes the content of TSs for research and test reactors.
  • ANSI/ANS-15.8-1995, Quality Assurance Program Requirements for Research Reactors, (Ref. 23), which provides the general requirements for establishing and executing a QA program for the design, construction, testing, modification, and maintenance of research and test reactors.
  • ANSI/ANS-15.15-1978, "Criteria for the Reactor Safety Systems of Research Reactors" (Ref. 29), which provides the criteria for establishing appropriate specific design requirements for the reactor safety system of an individual research reactor.
  • IEEE 7-4.3.2-1993, IEEE Standard Criteria for Digital Computers Systems in Safety Systems of Nuclear Power Generating Stations, (Ref. 24), which is also contains criteria that is applicable to research reactors and, to the extent it is applicable to research reactors, IEEE 7-4.3.2 provides guidance to establish minimum functional and design requirements for computers used as components of a research reactor nuclear safety system. IEEE 7-4.3.2-1993 references IEEE standard 603 for areas that are not unique to digital systems.
  • IEEE 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generation Stations, (Ref. 25), which to the extent applicable to research reactors, provides guidance to establish minimum functional and design requirements for nuclear safety systems.

2.4 Work Completed Under 10 CFR 50.59 MIT installed four DWK 250 digital wide-range flux monitoring channels in the MITR-II control room and placed the four fission chambers, with their associated preamplifiers, in their final locations around the reactor core. Additionally, MIT connected the unprocessed preamplifier output signal from two of the new fission chambers to the existing control room electronics, consistent with a 10 CFR 50.59 evaluation. The NRC staff examined these 10 CFR 50.59 evaluations that are related to the NSS upgrade during the Audit (Ref. 16). The NRC staff assessed the licensees evaluations and determined that, in conducting the evaluation, the licensee provided sufficient detail to address the criteria in 10 CFR 50.59. These changes are discussed in this SE only to the extent that they interface with or impact the systems proposed for modification in the LAR.

3.0 TECHNICAL EVALUATION

This section of the SE documents the NRC staff review and evaluation of the design basis of the MITR-II NSS upgrade against the design acceptance criteria in Sections 3.1 and 7.3 of NUREG-1537, Part 2. As described in Sections 3.1 and 3.2 of this SE, the NRC staff compared the current MITR-II NSS I&C system to the specific components of the proposed NSS to verify that the licensee fully described the systems and components of the proposed NSS including how the NSS interfaces with other I&C subsystems. As described in Sections 3.3 and 3.4 of this SE, the NRC staff evaluated the adequacy of the design bases and design criteria of the NSS to verify that the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety provide reasonable assurance that MITR-II can be operated without undue risk to the health and safety of the public.

3.1 MITR-II Detailed Instrumentation and Control System Description The following subsections provide a description of the I&C subsystems of the NSS upgrade proposed by the licensee.

3.1.1 Reactor Protection System The licensee describes the RPS in Chapter 7 of the MITR-II license renewal SAR (Ref. 7). The RPS consists of the NSS, which monitors reactor period and neutron flux level, and the process parameter system, which monitors core outlet temperature of the primary coolant, primary coolant flow rate, core tank level, Deuterium (D2O) reflector coolant flow rate, D2O reflector tank level, shield coolant flow rate, containment overpressure, and latching of the hold-down grid for the core fuel. The RPS promptly and automatically actuates a reactor scram and prevents further reactor operation when any of the monitored reactor parameters exceeds or falls below its corresponding set-point, as specified in Table 3.2.3-1 of the TSs. As stated by the licensee in its LAR (Ref. 1), the RPS prevents and mitigates unintended operation, risks of fuel damage, uncontrolled release of radioactive materials to the unrestricted environment, and overexposure of personnel to radiation.

In its LAR (Ref 1), the licensee proposes to replace its existing six neutron monitoring channels with four Mirion Technologies, Inc. (Mirion) measurement channels in a two-out-of-four coincidence scram logic. Additionally, the licensee proposed an identical pair of SLCs to process the two-out-of-four scram logic decision independently and in parallel. When any two of the four available channels of the NSS exceed its setpoint (or a fault or test condition is detected), the SLC will open a relay in the WPC which will initiate an automatic scram. When the RPS initiates a scram, the WPC removes electrical power from all six shim blade electromagnets. Once the power is removed, the blades will drop into the reactor by gravity and shut the reactor down.

MIT established the MITR-II LSSSs based on reactor power, primary flow, core outlet temperature of the primary coolant, and the coolant height above the top of the fuel plates.

Section 50.36(c)(1)(ii)(A) requires that the LSSSs be chosen so that automatic protective action will correct an abnormal situation before a safety limit is exceeded. MITR-II TS 3.2.1.1.b also provides assurance that the automatic protective action of the RPS will provide the functional capability required for safe operation of the facility. This LCO requires the time from initiation of an RPS trip signal to movement of each operable shim blade to its 80 percent inserted position to be less than one second (Ref. 6). The licensee verifies this LCO annually for all six shim blades per the SR, TS 4.2.3.

The MITR-II can operate in two heat-removal modes, forced convection and natural convection.

Depending on the mode and the number of primary coolant pumps in operation, the RPS will be automatically set with the corresponding LSSS values specified in Table 3.2.3-1 of the TSs.

When one or both primary coolant pumps are operating, the MITR-II is in forced convection mode. The maximum allowed reactor power LSSS is less than 7.4 MW for two-pump operation and less than 3.2 MW for one-pump operation when the reactor is in forced convection mode.

In natural convection mode, the LSSS is 100 kilowatts (kW) and the pumps are not operated.

3.1.2 Control Console Display Instruments The MITR-II console, described in Section 7.1.4 of the LAR, provides the information needed by licensed personnel to operate the reactor. The console consists of three panels. The left panel provides information on area and effluent radiation levels. The center panel provides the position of the control devices, the reactor power level, and the reactor period from various independent nuclear channels. The right panel shows the primary coolant temperature and primary coolant flow rate and has additional displays of the reactor power.

According to the licensee (Ref. 7), the existing Channel No. 7 is the principal indicator of reactor power used by the reactor operator at the console. This channel is independent of the NSS and the licensee does not propose to modify it in the LAR. In addition, the existing Channel No. 8 is configured to operate from a backup battery power supply to provide indication of reactor power level even when off-site power and other emergency power supplies have failed. The battery powered channel is independent of the NSS. The licensee proposed to renumber reactor power indicator (Channel No. 7) and the battery supplied channel (Channel No. 8) as Channel No. 5 and Channel No. 6, respectively, because after installation of the new Mirion NSS channels, there are two less channels.

In addition, the console contains a centralized alarm annunciator panel that displays individual alarms from the process equipment. Alarms are labeled with the underlying condition (e.g., low level core tank) and color-coded to indicate the severity of the condition. The licensee proposed to add several alarms to the console in support of the LAR (Ref. 1). For example, the test

condition scram bypass (TCB) alarm will be added to the left annunciator panel near all other bypass alarms and will be the characteristic yellow color. The safety system scram alarm will remain in its current location and remain red in color. All other alarms are informational in nature and will be white in color (Ref. 15 Enclosure V and Ref. 20). Section 3.3.16.2, Chanel Annunciation, of this SE provides the NRC staffs evaluation of the additional alarms.

In its LAR, MIT did not propose to modify the existing I&C system for the control console display and, therefore, the NRC staff did not review the existing I&C system for the control console display. However, as part of the NSS modifications, the licensee proposes to add an LED scram display to provide the console operator a visual indication of the status of the SLCs.

Section 3.2.4 of this SE provides the NRC staffs evaluation of the LED scram display.

In its response to RAI #18 by letter dated October 25, 2018 (Ref. 11), MIT stated that the new DWK 250 displays are designed to satisfy the display requirements in the existing TS 3.2.7.

However, the proposed NSS display is labeled as Wide Range, which is different than the current TS. Therefore, the licensee proposed a change to the information in TS Table 3.2.7-1 to reflect the labeling of the NSS (see SE Section 3.5.2). The location of the new displays will be the same as the existing displays, viewable at eye level by the reactor operator at the console.

Section 3.3.16.1 of this SE provides the NRC staffs evaluation of the placement of the proposed DWK 250 displays.

3.2 Description of proposed Nuclear Safety System According to the licensee, the NSS provides reactor protection during forced and natural convection operating modes by providing alarms and interlocks, as well as short reactor period and high reactor power trip functions.

The proposed NSS consists of the following components:

  • Neutron flux monitoring channels (DWK 250),
  • <100 kW KSM,
  • Magnet power supply modules,
  • Rundown relay panel,
  • Safety system monitoring and status display PLC,
  • DWK 250 TCB assembly,
  • WPC, and
  • Blade drop timer interface module.

The current NSS monitors both the reactor period and the reactor power level and includes associated dedicated electronics. Channels Nos. 1-3 monitor reactor period, and Channels Nos. 4-6 monitor reactor power level. All six channels provide indication to the operator console. The proposed NSS will replace the current six channels with four independent neutron flux monitoring channels that are identical to each other (new Channel Nos. 1-4). Section 3.2.1 of this SE provides additional information on the operation of the neutron channels.

The DWK 250 initiates a trip signal when any of the neutron channels reaches the trip setpoint value. Trip signals from any two different neutron channels are necessary to generate a reactor scram. This scram signal will travel from the DWK 250s through the SDM, SLCs, KSM, WPC, magnet power supply system, and rundown relay circuit. In this manner, a scram signal is processed and transmitted to remove magnet current and drop the shim blades by gravity into the reactor core, thereby shutting down the reactor. Reference 15, Enclosure D, shows all NSS components and how they are interconnected. Figure 1 (reproduced from Figure 1 of Ref. 15) contains a block diagram of the NSS and associated integrated support modules. This figure identifies the proposed new components and existing components.

Figure 1 - NSS Block Diagram The following sub-sections of this SE provide additional descriptions of the NSS components.

3.2.1 Neutron Flux Monitoring Channels The licensee proposed an NSS with four independent digital wide-range channels that monitor reactor power level and period, beginning from start-up level up to the power range. The MITR-II uses fission chambers as neutron flux detectors. The channel preamplifier and signal processing boards are designed to capture the pulse mode and current fluctuation mode (Campbell mode) signals that are provided by the installed fission chambers over a measuring range of 10 to 12 decades of reactor power.

Each proposed channel will consist of a fission chamber detector as the neutron sensing element, a preamplifier located a short distance downstream from the detector, and a Mirion

DWK 250, wide-range neutron flux monitor. Each proposed channel is capable of independently measuring and monitoring the reactor neutron flux level and its period (the time it takes the reactor power level to increase by a factor of e (natural logarithm), expressed in seconds (sec.)). The DWK 250 is designed to use the detected reactor neutron flux level to determine reactor power and reactor period and compare them to the trip setpoints. If the trip setpoint is reached, the DWK 250 will output a trip signal. The detector channels are located symmetrically about the core, two in the upper position and two in the lower position. The fission chamber detectors are placed at the perimeter of the reactor core, in the available instrument beam ports embedded within the reactor shielding and distributed around the reactor core. The detectors monitor the neutron leakage flux in the reflector region. The fission chamber detector signals are processed through the wide-range preamplifiers and transmitted over coaxial cable to the digital wide range monitors in the control room.

Channels 1-4 will have a neutron flux level (reactor power) trip setpoint of 6.6 MW (required to be <7.4 MW per Item 2 in Table 3.2.3-1 of the TSs). Each channel will also have a period trip setpoint of 10-11 sec. (required to be >7 sec. per Item 1 in Table 3.2.3-1 of the TSs). In the LAR (Ref. 1), the licensee states that the RPS setpoints are set more conservatively than the LSSS in Table 3.2.3-1 of the TSs to provide additional safety margin.

In Appendix A of the LAR (Ref. 1), MIT provided a description of the neutron flux monitor channels. The following sections of this SE describe the neutron channel components.

3.2.1.1 Fission Chamber Each fission chamber detector is a Mirion coaxial design (single cable) with an isolated 6061 aluminum outer chamber as casing, for wide-range / multi-mode operation. Each fission chamber detector is designed with set thicknesses of enriched uranium (U)-235 coating for optimum sensitivity to neutrons at their installed locations in the MITR-II. All four are capable of accurately sensing neutrons even in the presence of high gamma radiation in their respective locations. The fission chambers are designed to operate in a neutron flux range of 20 neutrons/centimeters (cm)2/sec. (nv) to 7x1010 nv. The four fission chambers are intended for use at the MITR-II in neutron fields having fluxes around 108 nv when the reactor is at full power.

The four detectors are positioned independently and separately, in well-protected positions exterior to and around the reactor core, to monitor leakage neutron flux. The locations were selected to maximize independence from each other as well as from reactor experiments, while also providing redundancy. In the LAR (Ref. 1), MIT provided illustrations of the relative locations of the detectors. Section 3.3.7 of this SE provides the NRC staffs evaluation of the positioning of the detectors.

The licensee measured thermal neutron flux distributions in these beam ports using gold foils to validate the neutron flux range for the initial installation of the detectors. The measurement results are provided in the LAR (Ref. 1). MIT stated that the fission chambers operational integrity will be validated annually and any time a notable change in indication is observed, as required by TS 4.2.6 during the calibration and trip setpoint verification of period and neutron flux level surveillance. Additionally, TS 4.2.7 requires the signals used to compute thermal power to be calibrated at least annually.

3.2.1.2 Wide-Range Preamplifier (TKV 23)

The preamplifier is a Mirion Model TKV 23 wide-range unit. The TKV 23 decouples the pulses and the alternating current (AC) signals from the fission chamber detector signal and blocks out the direct current (DC) component for start-up range and wide-range monitoring. It amplifies the pulse and AC signal in separate stages and transmits them over coaxial cable to the DWK 250s in the control room. The TKV 23 is an analog device and it does not use software.

The TKV 23 receives high voltage from the DWK 250 and passes it on to the fission chamber. It also receives command signals from the DWK 250 for test pulse-signal generation, test AC-signal generation, and fission chamber detector voltage monitoring.

3.2.1.3 Wide-Range Neutron Flux Monitor (DWK 250)

The neutron flux monitor is a Mirion Digital Measuring System pro-TK / TK 250, Model DWK 250 digital wide-range monitor. Each DWK 250 receives the amplified analog signal from the fission chamber preamplifier, which it converts to a digital signal as neutron flux level (reactor power) and reactor period. After the signal is processed the DWK 250 will send a trip signal to scram the reactor if either the calculated reactor power or period exceeds its preset limit. The DWK 250s and associated fission chambers are designed to respond from source range to at least 10 MW. All four Mirion DWK 250 neutron channels will be rack-mounted in the control room equipment cabinet.

The DWK 250 neutron flux monitors perform the squaring or Campbell algorithm from the signal coming from the wide-range preamplifier (TKV 23). The manufacturer, Mirion, described the tests performed on the DWK 250 software, integrated system, and the neutron channel in Reference 3. This reference also includes test reports and test certificates. Mirion developed the DWK 250 following its Quality Assurance in the Software Development, Software Quality Assurance Plan, Software Verification and Validation Plan, Software Configuration Management Plan, and Software Coding Rules for TK 250 Systems. These documents were included in Reference 32.

In Appendix A of the LAR (Ref. 2), MIT summarized the Technischer Überwachungs-Verein (TÜV) qualifications according to German nuclear safety standards (Kerntechnischer Ausschu)

KTA 3501, Reactor protection system and monitoring equipment of the safety system, KTA 3505, Type-testing of measuring sensors and transducers of the safety-related instrumentation and control system, KTA 3507, Factory tests for the instrumentation and controls of the safety system, and KTA 1401, General requirements regarding quality assurance. These KTA guidelines apply to the type approval tests of safety-related I&C systems that perform measurement and control functions in accordance with Category A of international standard International Electrotechnical Commission 61226, Nuclear power plants -

Instrumentation and control important to safety - Classification of instrumentation and control functions. Category A is equivalent to Class 1E equipment as defined in IEEE 3233, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, and equivalent to IEEE 344, IEEE Recommended Practice for Seismic Qualification of Equipment for Nuclear Power Generating Stations. These testing certificates are part of the facility documentation for the neutron channels. NRC regulations do not require the use of Class 1E 2

These references contain proprietary information withheld from public disclosure under 10 CFR 2.390.

3 IEEE 323-1974 refers to safety-related electric equipment as "Class 1E" equipment (see 10 CFR 50.49, Environmental qualification of electric equipment important to safety for nuclear power plants.)

equipment at research reactors, such as MITR-II. These vendor qualifications are stricter and exceed the applicable non-power reactor guidance of ANSI/ANS-15.8 and NUREG-1537 with regards to RPS and monitoring equipment.

Prior to installation at MITR-II, MIT and Mirion performed factory acceptance tests and site acceptance tests on each DWK 250 (Ref. 3), including the associated preamplifier, and fission chamber detector for each channel. During the NRC staffs Audit at the MITR-II, MIT staff explained that the analog outputs from two of the four channels are already being used with the current system. MIT staff performed an evaluation per the requirements of 10 CFR 50.59, to make use of two of the four detectors. The audit report (Ref. 16) provides additional information about the replacement of the neutron channels and the tests performed.

Each DWK 250 has eight binary output relays. Two of the outputs are used to warn the reactor operator of a high reactor power or short reactor period condition. These outputs do not have trip functions.

The other six outputs are for the following trip functions:

(1) forced flow high power level 6 MW operation, (2) short reactor period, (3) natural convection high power level 100 kW operation, (4) low count rate, (5) test status, and (6) fault/equipment malfunction.

The eight output relays have a 24-volt (V) DC (VDC) source applied across them, from a redundant external source (discussed in Section 3.2.12 of this SE), rather than from the DWK 250 chassis. The six trip signals are connected to the SDM before being routed to the two SLCs. Each SLC performs a coincidence comparison, providing a scram signal if there are any trip signals from two or more DWK 250s simultaneously. The outputs from the SLC will open contacts in the WPC, which will then interrupt power to the shim blade electromagnets and drop the shim blades by gravity, thereby scramming the reactor. The outputs from the SLCs also independently disrupt the main power to the magnet power supply system, which will also scram the reactor.

The DWK 250 includes two analog outputs in linear or logarithmic form to provide data for meters or recorders in the control room. The MITR-II uses these analog output signals for display of reactor power (in % power) and reactor period (in units of sec.) on edgewise analog meters. The range of reactor period from 100 sec. to 50 sec. is colored orange, and from 50 to 30 sec. is colored red. When reactor period shortens to 30 sec., the DWK 250 triggers a short period warning. The range of reactor period from 30 sec. to 10 sec. is colored white. When reactor period shortens to 10-11 sec. or less, the DWK 250 triggers a short period trip.

The control console and display panel on the central processor's front panel is the only built-in user interface on the DWK 250. The front panel has a two-line alphanumeric liquid-crystal display. This panel shows measured values, parameter settings, and status message text. It also has eight function keys on its front panel to allow control of its operation, such as setting parameters and launching built-in test and simulation (test signal generation) procedures, which are initiated by the users only when the appropriate key switch is enabled. Reference 3 includes the Mirion instruction and operation manual for the DWK 250s.

Each DWK 250 has two enable key switches. The upper key switch S1 enables initiation of

test signals. The lower key switch S2 enables changes to the DWK 250 parameter settings by the operator. Per the licensee (Ref. 1), the enable keys are kept in locked storage accessible only by authorized senior members of Reactor Operations and the Instrumentation Supervisor.

Only authorized personnel will have access to the keys for the performance of written calibration procedures when the DWK 250 is taken off-line or when the reactor is shut down. Each key switch is normally in the off position (9 oclock), which allows the key to be removed. The key is required to turn any switch to the on position (12 oclock), which then prevents removal of the key. The key switches may be used together or separately. The changes in parameter settings do not become effective until the user pushes the Store function key on the DWK 250.

After that, continuous signal processing will use the new parameters.

3.2.2 Signal Distribution Module The SDM is a passive interface circuit between the DWK 250s and all components downstream necessary to protect the reactor. The SDM is made only of solid-state components (e.g., the auctioneering diodes for the two 24 VDC power supplies) and does not contain software.

Drawing R3W-268-2, Nuclear Safety System Global Connection Diagram, and circuit board diagram R3W-274-3, Signal Distribution Module Board Wiring Diagram, (Ref. 15, Enclosure D), show all components connected or wired to the SDM. In Enclosures B and D to letter dated December 14, 2017 (Ref. 15), MIT also provided a description and evaluation of the SDM. In response to RAI #2, MIT updated the description for the SDM (Ref. 20).

Each DWK 250 channel sends trip signals and warning signals to the SDM. The trip signals are distributed to the SLCs, LED scram displays, and the safety system monitoring and status display PLC. The warning signals from the DWK 250s are sent to the PLC. The SDM also transmits signals to and from the KSM, the Test signal to the drop timer interface module, and analog signals from the DWK 250s to the existing console recorders and meters.

In addition, the SDM passes power from the two 24 VDC power supplies to the SLCs and KSM, and to energize the output (scram/alarm) relays of the four DWK 250 channels. The SDM board does not use the power for its own functions. Section 3.2.12 of this SE describes the power supply configuration for the NSS.

3.2.3 Scram Logic Cards The proposed NSS upgrade includes two identical SLCs with logic circuits built from non-programmable, discrete solid-state components. Either SLC can independently scram the reactor. The SLCs compare the trip signals coming from the DWK 250s. The SLC will initiate a scram when two or more DWK 250s generate a trip signal. The trips coming from each DWK 250 do not need to be the same type (power level, period, fault, etc.) and do not need to occur at the same instant, since each reactor trip is retained by the SLC until reset by the operator using the pushbuttons on the LED display described in Section 3.2.4 of this SE. MIT designed the SLC card (see Ref. 15) and contracted with an International Organization for Standardization (ISO-)9001-2008 certified electronics, and hardware manufacturer for fabrication and assembly.

All the signals into and out of the SLC pass through the SDM discussed in Section 3.2.2 of this SE. When trips from at least two of the four DWK 250s are detected by the SLC, the SLC de-energizes a relay in the WPC causing the rod drive magnet to de-energize and allow the

control blade to insert into the core via gravity. The SLC also de-energizes a relay in the magnet power supply modules as a secondary means to de-energize the rod drive magnets.

Each SLC also outputs a signal to the independent LED scram display and indicator lights on the front of the SLC module. The LED scram display provides information on the source of the scram and the initiating conditions, even when the trip condition no longer exists until manually reset by the operator. Additionally, this display sends a signal to the reactor's main annunciator alarm panel for redundancy. To restart the reactor after a trip, the initiating condition must be cleared, and the operator must reset the alarm on the LED scram display for the corresponding channel and the main annunciator panel. The channel reset button on the LED scram display also resets the SLCs.

The SLCs receive a signal from the KSM. When the key switch is turned to Full Power Operation, the <100 kW local indicator, the <100 kW annunciator alarm light, and the PLC message will all clear, and the three primary flow scram bypasses are automatically removed.

The SLCs will also cause the Loop A Scram and/or the Loop B Scram LEDs to illuminate on the KSM when scrams are present. Section 3.2.5 of this SE provides a description of the KSM.

Two auctioneered power supplies provide the required voltages (5 VDC and 24 VDC) to the SLCs. If power is lost to the SLCs, the scram relays de-energize, which results in a reactor scram. Section 3.2.12 of this SE describes the power supply configuration for the NSS.

3.2.4 LED Scram Display The LED scram display provides a visual indication of the status of the SLCs for the console operator and buttons to manually reset the SLCs. This display does not produce any scram signals. The LED scram display is in nuclear instrument module (NIM) Bin #1. Enclosure F to MITs letter dated December 14, 2017 (Ref. 15), included the schematics, block diagram, description, and evaluation of the LED scram display. In the enclosure, MIT also noted that the module is labeled Safety System Condition.

The LED scram display consists of two arrays of LED indicator lights for each DWK 250 channel and for each SLC. The LEDs indicate trip signals or failure for each neutron channel. If a trip is transitory, such as a momentary high power, the indicator light on the DWK 250 will go out as soon as the trip condition clears. However, the trip signal will be retained (or latched) in the SLCs, which send it to the LED scram display module.

The LED scram display module contains reset buttons, one corresponding to each DWK 250 channel. The console operator must manually push the Channel Reset button for the corresponding channel to clear and rest the alarm for that channel latched in both SLCs. This will also turn off the lights on the LED scram display. As indicated before, the neutron channels must be reset prior to starting the reactor. The LED scram display also includes a Lamp Test" pushbutton to test operation of the LED indicator lights.

The LED scram display draws 24 VDC power from the NIM Bin. Section 3.2.12 of this SE describes the power supply configuration for the NSS.

3.2.5 Key Switch Module The <100 kW KSM is constructed entirely of analog components. The KSM allows the reactor operator to select either natural convection mode (<100 kW) or forced flow mode. The KSM is

mounted in NIM Bin #2 (Ref. 20), and it is labeled Reactor Operating Mode. The KSM is mechanically spring loaded for positive detent (i.e., remain in one of the two positions). The KSM sends a signal to the SLCs via the SDM specifying the key switch position. Reference 16 describes internal operation of the key switch. Reference 15, Enclosure G, includes MIT schematics, description, and evaluation of the KSM.

When the KSM is in the <100 kW Operation (natural circulation mode), a local <100 kW Operation indicator LED light will illuminate, an alarm will illuminate on the control room's main annunciator panel. and the KSM transmits a signal to the SLC bypassing the primary system low coolant flow scram and the low core inlet pressure scrams. Additionally, the KSM sends a signal to the SLCs which removes the bypass for the High Power 100 kW Operation trips, enabling the trip from the DWKs if power exceeds the setpoint.

When the KSM is turned to Full Power Operation (forced circulation), a local Full Power Operation indicator LED will illuminate and the <100 kW local indicator and the <100 kW annunciator alarm light on the annunciator panel will turn off. The three primary system scram bypasses are also removed, enabling the low flow and low-pressure trips. Although, the DWK 250s will still generate high power trips when power is greater than the <100 kW setpoint (nominally set at 80 kW), the KSM sends a signal to the SLCs to bypass the High Power 100 kW Operation, trip signals from the DWK 250s.

The front of the KSM chassis has two LED lights that indicate Loop A Scram and Loop B Scram. A scram condition in the WPC loop A and/or B will cause the respective LED lights on the KSM chassis to illuminate. A trip signal from the SLC (after the two-out-of-four coincidence is satisfied) is distributed to both the KSM and the magnet power supply modules.

Section 3.2.6 of this SE describes operation of the magnet power supply. The KSM shares power with the SLC, from the 24 VDC power supplies. Section 3.2.12 of this SE describes the power supply configuration for the NSS.

3.2.6 Magnet Power Supply System The magnet power supply system, which is constructed only with non-programmable solid-state and discrete passive devices, consists of three modules that provide current to the electromagnets for all six shim blades. In the existing system, power for the magnets come from the six nuclear safety amplifiers. In the proposed NSS, MIT will replace the six nuclear safety amplifiers with three modules, installed in NIM Bin #2. Enclosure H of Reference 15 includes schematics, description, and evaluation of the magnet power supply.

The magnet power supply system includes six relays, installed in pairs in each of the three modules. Each module provides current to the electromagnets for two shim blades (combination of blades 1 & 2, blades 3 & 4, and blades 5 & 6). The magnet current flows in series from the magnet power supply module through its corresponding rundown relay circuit to the electromagnet. Each magnet holds the weight of its shim blade, attaching it to its drive mechanism via the magnet.

Each module includes an adjustment knob to maintain the magnet current at 80 milliamps. The adjusted magnet current is displayed on a meter above the potentiometer, one for each shim blade. LEDs on the front panel of the modules indicate if the module is Available or On. The Available light illuminates when power is adequate, and the On light illuminates when the circuit board in the module is sending adequate current to the shim blade magnet (Ref. 20).

When a scram signal reaches the magnet power supply modules, the signal will open the six relays in the magnet power supply modules. Opening any one of the six relays in the magnet power supply modules will interrupt electrical power to the shim blade magnets directly. When current to the magnet is interrupted, the shim blade will decouple from its magnet and drive, and travel vertically by gravity into the reactor core, scramming the reactor in less than one second, as required by TS 3.2.1.

Each magnet power supply module is a stand-alone electronic device, made of discrete components, with its own 24 VDC power supply. Section 3.2.12 of this SE describes the power supply configuration for the NSS.

3.2.7 Rundown Relay Circuit The analog rundown relay circuit causes each shim blade's drive mechanism to drive to its full in position at its normal speed whenever current to the corresponding electromagnet is interrupted. These relays are all installed in the rundown relay panel. In Enclosure H, to letter dated December 14, 2017 (Ref. 15), MIT provided schematics, a description, and an evaluation of the rundown relay circuit.

When the magnet power supplies are energized, current goes through the rundown relay panel via three relay contacts connected in series. When the blades magnet current is interrupted, the blade will drop by gravity into the core.

The rundown relay panel includes LED indicator lights to show the status of the rundown relay circuit for its corresponding shim blade. The indicator light is off whenever the magnet current is at normal operating level. When the WPC is open (i.e., scram), the indicator lights will illuminate and stay on, indicating the control overrides which prevent any shim blade drive from being moved outward.

After a scram condition or shutdown has been cleared, the rundown relays need to be reset by the reactor operator. Each rundown relay can be individually reset or simultaneously reset by using the master reset pushbutton. When the rundown relays are reset, its indicator light goes out. The rundown relays cannot be reset if the magnet current is below a pre-determined value.

The reset push buttons cannot reset the NSS trip signals.

The panel uses its own pair of 24 VDC power supplies to energize the controlling circuits for all six shim blades. These 24 VDC power supplies are set up in parallel, but connected via auctioneering diodes, so that if one fails, the other will take over seamlessly. Section 3.2.12 of this SE describes the power supply configuration for the NSS.

3.2.8 Withdraw Permit Circuit Reference 15, Enclosure I, includes schematics, a description, and an evaluation of the WPC.

The WPC is a circuit that consists of a string of analog relays and contacts in series, corresponding to either a startup requirement or reactor scram condition. All the relays and contacts in this circuit are designed to fail open. If no scram conditions exist and the startup conditions are all met, all relay contacts are energized, and electric power is supplied to both the protection and control systems, which means the startup interlocks and the process, and instrumentation scrams are satisfied.

Table 7-1 in the license renewal SAR (Ref. 7) lists the relays and contacts that are in the WPC.

In the LAR (Ref. 1), MIT provided a revised table identifying the proposed modifications to the WPC, and in Reference 4, MIT described the proposed modifications and the reasoning for such modifications. The proposed modifications to the WPC include:

  • Removal of the existing relays for the two-out-of-three logic (needed for the current period channel level signal off-scale scram).
  • Addition of three relays to bypass the primary flow scrams when the <100 kW operating mode is selected. These relays are: RY1 (for the Core Inlet Pressure MP-6A scram),

RY2 (for the Low Flow Primary Coolant scram), and RY3 (for the Core Inlet Pressure MP-6 scram).

  • Addition of three relays that operate through the rundown relay panel. These relays are:

B2A (interrupts magnet current to shim blades 1 and 2), B2B (interrupts magnet current to shim blades 3 and 4), and B2C interrupts magnet current to shim blades 5 and 6.

These relays were added to provide redundancy to existing relays B1A, B1B, and B1C, respectively.

  • Addition of a redundant contact to open the WPC when a scram is issued by either SLC.

The redundant relay is B4-1 (Safety System Scram (loop B).

  • Addition of relay RY4 to interrupt electrical current from all three 24 VDC magnet power supplies when the WPC is open.

The WPC interrupts current to the magnets through the relays in the rundown relay panel, which is described in Section 3.2.7 of this SE. For redundancy, when the WPC is open, the 120-volt alternating current (VAC) power from the reactor electrical circuit (L21) will be interrupted, thereby simultaneously de-energizing all three 24-VDC power supplies for the three magnet power supply modules. Relay RY4 de-energizes the three magnet power supplies. The independent interruption of the magnet power supplies via the SLC and the WPC provides redundancy and mitigates common-mode failure.

Opening of the WPC activates the WPC annunciator alarm. In Reference 20, MIT explained that the WPC does not connect to the PLC directly. Instead, when the WPC is open, a signal goes to the PLC via relay RY4, which is physically located in the KSM. This signal to the PLC allows data logging showing when the WPC is de-energized, for determining the time sequence of alarms for system troubleshooting.

3.2.9 DWK 250 Test Condition Scram Bypass Assembly The TCB assembly is a simple analog circuit that consists of an On-Off key switch and a yellow indicator light that illuminates when the switch is on. As discussed above, the proposed NSS includes a TCB assembly to enable surveillance testing of the DWK 250s coincidence logic. To simulate a high power or short period trip condition, the DWK 250 must be placed in Test mode.

However, placing the DWK 250 in test also generates a Test trip signal that is sent to the SLC, satisfying half the logic for a scram signal. So, if another DWK 250 generates a trip (test, fault, or setpoint exceedance), this additional signal satisfies the two-out-of-four logic in the SLC and the SLC generates an SLC scram signal resulting in a reactor scram. To test the coincidence logic using a simulated High Power or Short Period, the reactor operator turns the TCB assembly key switch to "On", which maintains the "Test" signal circuit path energized for all four DWK 250 chassis and overrides the Test trip signal to the SLC. This allows the operator to place the DWK 250s in test mode without generating a SLC scram. In this manner, MIT staff

can then fully test the coincidence logic for each channel (i.e., allowing performance of scram tests of other trip conditions (high power, short period, low count rate, or fault)). In Enclosure J to letter dated December 14, 2017 (Ref. 15), MIT included the schematic, description, and evaluation of the TCB assembly.

According to the licensee, the TCB assembly will only be used when the reactor is shut down, and the TCB assembly is needed for the conduct of routine surveillance scram testing (Ref. 15).

Per the reactor startup checklist, the TCB assembly is turned off prior to any reactor startup and remains off for as long as the reactor is critical. Per Item No. 13 of TS Table 3.2.3-1, at least three of the Test scrams shall be operable prior to making the reactor critical. Therefore, making the reactor critical with the TCB assembly in the On position is prohibited by the TSs.

Additionally, the act of turning the TCB assembly switch to the On position while the reactor is at power will immediately result in a reactor scram since the intermediate state of the key switch in the TCB assembly temporarily interrupts the Test signal path line voltage on all four channels, satisfying the SLCs voting logic to output a scram signal. Therefore, any time the key switch is turned from Off to On or vice versa, it results in a reactor scram. In this case, the console operator will have to reset the Test trips by pressing the Channel Reset buttons for all four channels on the safety system condition LED display panel. The licensee has affixed a caution label on the front of the TCB assembly to alert operators to the scram potential of this switch.

The TCB assembly includes an indicator light, which will illuminate when the key switch is On.

Also, the DWK 250 Test Scram Bypass alarm on the Console Annunciator Panel will illuminate. The console operator will have to silence the annunciator alarm by pressing the annunciator acknowledge button. This console alarm remains active while the key switch stays in the On position.

In Enclosure J to letter dated December 14, 2017 (Ref. 15), MIT stated that the TCB assembly only affects the test signal from the DWK 250s. The trip signal paths for high power, short period, low count rate, or fault are not affected. If an actual trip signal is generated while the DWK 250 is in test mode, and the TCB assembly is turned to On the fault signal or trip signal will be indicated in the LED scram display panel and a trip signal for that DWK 250 will be generated and input to the SLC.

3.2.10 Blade Drop Timer Interface Module In its LAR (Ref. 1), the licensee describes the blade drop timer interface module as a non-safety related part of the NSS since its only purpose is provide a test signal to start the existing blade drop timer. The blade drop timer interface module is a hybrid digital and analog circuit consisting of discrete microcircuits, logic gates, and transistors. MIT proposed the blade drop timer interface module to support surveillance testing to measure blade drop times. TS 3.2.1.1 requires that the time from initiation of a trip signal and movement of the shim blade from its current position to its 80 percent inserted position is less than one second for each blade.

Reference 15, Enclosure K, includes a schematic, description, and evaluation for this module.

The interface module includes a toggle switch to power the module and a guarded Start Signal Source toggle switch. The Start Signal Source switch selects between the DWK 250s and the Minor Scram Switch on the operator console as the method of testing the blade drop time.

When the DWK 250 position of the Start Signal Source switch is selected, the blade drop timer interface module passes the Test trip signals from the proposed DWK 250s to the

existing blade drop timer. The interface module also reduces the DWK test signal voltage (24 VDC) to be compatible with the operating voltage of the existing blade drop timer (12 VDC) and provides optical isolation between the DWK 250s and the blade drop timer. The blade drop timer interface module includes a two-out-four logic to transmit the scram signal to the blade drop timer. The logic will be satisfied when two test signals from the DWK 250s are present.

The Test trip signal from each DWK 250 is passed via the SDM to the SLCs and the blade drop timer interface module. The other signals (high power, short period, low count rate, or fault) from the DWK 250s will not initiate the timer.

When the Minor Scram Switch position of the Start Signal Source switch is selected, the coincidence logic circuit of the interface module is bypassed, and a timer test can be performed without placing the DWK 250s in Test mode. To perform the blade drop timer test, the reactor operator will press the Minor Scram pushbutton on the operator console. Pressing the minor scram pushbutton opens the WPC, interrupting power to all six shim blade electromagnets. The corresponding signal path within the interface module opens, which transmits a start signal to the blade drop timer. The consoles Minor Scram pushbutton is an existing component and MIT did not propose to modify it as part of the LAR.

In its LAR, the licensee stated that the blade drop timer interface module is normally switched off and is switched on only when performing blade drop time tests with the reactor shut down.

The reactor operator uses the power switch on the interface module to energize it when needed to measure the blade drop time. The interface module is powered via the SDM from the same pair of auctioneered 24 VDC power supplies that power the SLCs.

3.2.11 Safety System Monitoring and Status Display Programmable Logic Controller In the LAR (Ref. 1), MIT proposed adding a PLC to display information to the operator from the NSS. The PLC will register and display the date and time of alarms and trip events. The PLC transmits the warning alarms (high power, short reactor period, and trouble) to the control room console annunciator panel. In enclosure L to its letter dated December 14, 2017 (Ref. 15), and in its letter dated April 20, 2018 (Ref. 20), MIT provided a description and evaluation of the PLC.

MIT proposes to use a CLICK Micro PLC, manufactured by Koyo Electronics, for its safety system monitoring and status display. In the LAR (Ref. 4), MIT stated that they do not consider the PLC monitoring and display system to be safety-related4 since it does not provide any automatic protective function (e.g., scram) required for the safe operation or safe shutdown of the reactor. The PLC includes the following components: central processing unit, power supply, digital input/output (I/O), analog outputs, and a touch screen. The PLC uses secure digital (SD) memory cards to store data. The SD cards are normally installed in the PLCs card reader in the back of the PLC. According to the licensee, authorized personnel must complete and submit a wire removal form prior to removing an SD card. Even if the SD cards are erroneously removed or tampered with, this will not cause a malfunction of the NSS because the PLC does not transmit information or control components in the NSS.

The PLC receives its signals through the SDM, so whenever a scram signal is produced, it will be indicated (date and time) on its touch screen and logged in the PLC, including which SLC generated the scram. The PLC receives DWK 250s digital outputs, SLC signals, 24 VDC 4

Safety-related refers to those physical structures, systems, and components whose intended functions are to prevent accidents that could cause undue risk to the health and safety of workers and the public, or to the research reactors programs; and to control or mitigate the consequences of such accidents (Ref. 23).

status signal. The PLC includes logic to group the signals from the DWK 250s into the following alarms: High Power Warning, Short Period Warning, and Safety System Trouble. These three alarms are also sent to the console annunciator panel in the control room. In addition, the PLC will display and log an alarm if the cable connecting the SDM to the PLC is disconnected, a signal to indicate Safety System Power Supply Fault to indicate when the 24 VDC power generates a bad signal status. As described in Section 3.2.8 of this SE, the PLC also receives a signal when the WPC is open.

The PLC includes a Timer Reset pushbutton and the Enable/Disable Hourly Reminder signals (Ref. 20). The timer is used to provide an audible alert to the operator as a reminder when the operator is required to perform procedures or actions. The Enable/Disable Hourly Reminder is used to activate or deactivate this function. In the LAR (Ref. 4), the licensee stated that these signals are part of the logic in the PLC and they do not affect the safety functions performed by the NSS.

3.2.12 Power Supply Power to all neutron channels is supplied from 120 VAC via Panel 1, which feeds two 24 VDC power supplies. The 24 VDC power supplies are set up in parallel and connected via an auctioneering diode array inside the SDM. If one 24 VDC power supply fails, the other will provide all needed power without interruption. From the SDM, power is transmitted to the SLCs and the KSM. The SDM also passes the 24 VDC power to energize the output relays of the four DWK 250 channels.

The 24 VDC power supplies have an internal fuse that will protect against overcurrent conditions. They also have an output overload that will trip at no more than 35 VDC. In the unlikely event of an excessive line voltage surge, both power supplies are designed to trip to protect themselves, resulting in interruption of power to the two SLCs and a reactor scram.

The WPC uses 120 VAC from the MITs main power source to the building. The three magnet power supply modules have their own independent 24 VDC power supplies. Likewise, the rundown relay panel has its own 24 VDC power supplies, which are connected via an auctioneering diode array.

MIT proposed to add a UPS to the NSS to allow all 7 neutron channels to continue functioning in the case of a loss of offsite power. The proposed UPS would have the capability to provide uninterrupted power for at least 15 sec., which is the approximate time needed to transfer from normal off-site power to on-site emergency battery power. If the on-site emergency battery power fails, the UPS will provide backup power for at least one hour. The new Channel No. 6 (formerly known as Channel No. 8) is battery operated, and it will continue to provide flux (reactor power level) indication during a loss of power. Although the proposed UPS would provide adequate power to the seven neutron channels, MIT retained the existing battery-powered Channel No. 6 as part of the system design.

3.3 NSS Design Basis and Design Criteria This section of the SE documents the NRC staffs evaluation of the of the proposed NSS upgrades to perform its safety functions based on the 10 CFR 50.34(a)(3) and 50.34(b) design requirements using the design acceptance criteria in Section 7.4 of NUREG-1537, Part 2, including acceptance criteria from the guidance and industry standards referenced by Section 7.4 of NUREG-1537, as listed in Section 2.4 of this SE.

The regulation, 10 CFR 50.34(a)(3), requires the applicant to describe the design bases and the relation of the design bases to the principal design criteria. Section 50.34(b) requires updating the information to consider any pertinent information developed since the submittal of the preliminary SAR. In the LAR (Ref. 1), the licensee proposed a revised Chapter 7 of the MITR-II SAR, which describes the design criteria (Section 7.2.1) and design basis (Section 7.2.2) for the MITR-II I&C System. These MITR-II requirements establish the necessary design, fabrication, construction, testing, and performance requirements for SSCs important to safety that provide reasonable assurance that MITR-II can be operated without undue risk to the health and safety of the public.

3.3.1 Protection Capability and Operating Modes MIT did not propose any changes to the physical characteristics of the MITR-II, its fuel, the reactor operating modes, the parameters being monitored, or the types of required protective capability (e.g., over-power, or short period) in this LAR. The licensee proposed to replace the period off-scale interlock with an equivalent low count rate scram. The licensee also proposed to replace the startup display, with an equivalent wide-range display, located in the same position as the existing startup display. However, the licensee proposed changes to the operation of the NSS protection capability to integrate the Mirion DWK 250 neutron flux monitors into the RPS. The current nuclear safety scram logic has three neutron flux channels and three period channels and the trip from any of these channels will result in a scram (one-of-three scram logic). The proposed system will operate based on a two-of-four coincidence. There are four DWK 250s and each channel monitors both neutron flux and reactor period. According to the licensee (Ref. 1), six of the eight trip outputs from each of the four DWK 250s are routed to two parallel scram logic circuits, which perform simultaneous logic comparisons for redundancy.

Each logic circuit performs a coincidence comparison, providing a scram signal if there are any trip signals from two or more DWK 250s simultaneously. In Section 7.4.1.3 of its LAR, the licensee states, The two-out-of-four coincidence logic for the four nuclear safety channels is considered equivalent or superior to the one-out-of-three logic of the previous nuclear safety system because with the fourth channel of the proposed system reliability and redundancy

[of the RPS] are enhanced. The two-out-of-four logic improves reliability of the RPS since the NSS initiates a reactor scram when two channels initiate a trip, thus a single NSS channel malfunction will not result in a spurious reactor scram. The licensee also proposed to add the nuclear safety channel in fault trip, which occurs when a self-check within the DWK 250 detects a malfunction of its circuit. The licensee also states that [w]hen the [proposed] fourth nuclear safety channel is placed in test mode or otherwise taken out of service, the logic equation reverts to one-out-of-three.

The LAR describes the following trip functions of the DWK 250s: high neutron flux level, short reactor period, high power 100 kW operation, low count rate, nuclear safety channel in test, and nuclear safety channel fault. In Enclosure Q of its letter dated December 14, 2017 (Ref. 15),

MIT provided summaries of some of the NSS tests performed to demonstrate operation of the DWK 250s scram signals and alarms. Table 3.2.3-1 of the TSs specifies the minimum performance level of the RPS, and TS 4.2 and TS Table 4.2-1 provide the frequency and scope of the surveillance requirements to demonstrate continued operability of the safety system.

Section 3.5 of this SE provides the NRC staffs evaluation of the proposed changes to these TSs for the DWK 250.

During reactor operations, the relays in the DWK 250 are energized, which provides electrical current to the downstream signal paths. If a scram setpoint is reached, the neutron flux monitor will output a trip signal (i.e., de-energizes the output relay). This trip signal is sent to the two

SLCs. If two or more DWK 250s generate trip signals, the two-out-of-four voting logic will be satisfied, and the SLC will output a scram signal de-energizing relays in the WPC and the magnet power supply modules. These protective setpoints change based on the heat removal mode of the reactor. Sections 7.2.2.2 and 7.4.1 of the LAR (Ref. 1) provided descriptions of the two heat-removal modes (forced convection using one or two primary coolant pumps and natural convection using no primary coolant pumps) of reactor operation.

Natural Circulation During natural convection, the reactor power LSSS is limited to less than 100 kW by TS 3.2.3.1.

To operate in this mode, the KSM is selected to be in in the <100 kW Operation position, which will bypass the primary low flow and low-pressure scrams. In this case, the NSS high power 100 kW operation signal trip will scram the reactor when power reaches the trip setpoint (Ref. 15, Enclosure C). In Reference 15, Enclosure N, the licensee describes how it established the nominal trip setpoint at 80 kW for natural convection mode.

Forced Convection The highest allowable scram setpoint at which RPS is set to activate is well below the forced convection LSSS of 7.4 MW for neutron flux level (as stated in Section 7.2.2.2 of the LAR) and is nominally set at 6.6 MW. During forced convection (maximum operating power), if reactor power reaches the reactor trip setpoint of 6.6 MW, the DWK 250 will issue a high-power level trip. In this operation mode the low flow primary coolant scrams are not bypassed, and the trip setpoint for <100 kW setpoint will not generate a scram (Ref. 15, Enclosure C).

For either mode of RPS operation, the reactor short period scram LSSS remains the same, at greater than 7 sec. with a nominal trip setpoint of 10-11 sec. The automatic scram value provides protection during startup and redundant protection for the scram on high power, as described in the license renewal SAR (Ref. 7). Each DWK 250 channel (detector and associated electronics) is designed to function over the full range of normal reactor operation from source range to at least 10 MW, as described in Section 7.4.1 of the LAR (Ref. 1).

The NRC staff reviewed the information provided in the LAR and finds that the proposed NSS includes the means to protect the reactor with any number of primary pumps operating through the full range of reactor power levels including refueling, startup, normal operation at power, and shutdown operations. The NRC staff also finds that the licensees nominal trip setpoints for both natural and forced convection are consistent with the analysis provided in the licensees renewal SAR (Ref. 7) and more conservative than the value allowed by TS 3.2.3.1. Based on its review of the LAR, the staff finds that the DWK 250 design is consistent with the NUREG-1537, Section 7.4 guidance that the NSS be capable of operating over the complete range of reactor power level and has operable protection capability in all operating modes (forced and natural convection) and operating conditions (e.g., refueling, shutdown, low power, and full power operation), as analyzed in the SAR. Accordingly, the NRC staff concludes that the proposed DWK 250s provide the required protection capability in all operating modes and are acceptable.

3.3.2 Range of Operation of Detector Channels As discussed in Section 3.2.1 of this SE, the licensee states that each DWK 250 channel is designed to function properly in the normal, accident, and transient ranges of reactor power levels. In the LAR, the enclosed Chapter 7 for the revised SAR, Section 7.2.2.2 (Ref. 1)

identifies the variables that are monitored to provide protective action at MITR-II. The principal parameters of concern are the reactor period, the reactor power, the primary coolant flow, the primary coolant outlet temperature, and the core tank level. The neutron channels measure the neutron flux density, from the start-up level to the full power range, and will generate a scram signal if the power level or period reaches the defined setpoint for each mode of operation. The neutron channels will generate the following trip signals: High Power Trip, Short Period Trip, High Power 100 kW Operation Trip, Low Count Rate Trip, Test Status, and Fault Trip.

The neutron channels also generate High Power Warning and Short Period Warning to alert the reactor operator that power or period are outside the normal operating range (approaching the scram setpoint), but do not scram the reactor.

During the Audit (Ref. 16), NRC staff reviewed the test procedures and test results of the Mirion DWK 250 neutron channels. The test results document that the DWK 250s passed the required tests, with the associated detectors in the target radiation environment, after they were delivered to MIT. Additionally, the NRC staffs review confirmed that the proposed equipment range is consistent with the required range of neutron flux level and rate of change during normal and transient reactor conditions that the staff previously evaluated and found acceptable in the NRC safety evaluation report issued with the MIT license renewal (Ref. 8). Based on the information provided by the licensee and reviewed by the NRC staff, the NRC staff finds that the range of the proposed neutron channels is sufficient to cover the monitored variables during the expected range of operation. Therefore, the NRC staff concludes that the NSS design is consistent with the NUREG 1537 guidance that recommends the range of the sensor (detector) channels be sufficient to cover the expected range of variation of the monitored variables and function properly over the expected range of operation for normal and transient reactor conditions.

3.3.3 Protection Setpoints and Protection of the Safety Limit The NRC staff reviewed and approved the SL, LSSSs, and other protective system setpoints during license renewal (Ref. 8). These values are not impacted by the modification proposed by the licensee in its LAR.

Section 7.2.2.2 of the LAR (Ref. 1), states that the setpoint at which RPS action activates is well below the LSSS for both forced circulation and natural convections operation. MITs maximum steady state licensed power level is 6.0 MW in normal operating, forced convection mode with two primary coolant pumps. The corresponding LSSS specified in TS Table 2.2-1 is 7.4 MW, and the analyzed safety limit in the SAR is 9.1 MW. To ensure the TS LSSS value is not exceeded and that the safety limit is protected, the licensee set the high neutron flux trip setpoint at 6.6 MW, which is less than the TS Table 3.2.3-1 limiting setpoint of < 7.4 MW.

During natural convection mode, the safety limit in the SAR is 250 kW, the LSSS value in TS Table 2.2-1 is 100 kW, and the high neutron flux trip setpoint is 80 kW, which is less than the Table 3.2.3-1 limiting setpoint of <100 kW. The setpoints are established for both operating modes by the licensee per its calibration and testing procedures. In either flow mode of operation, the reactor period scram requirement in TS Table 3.2.3-1 is the same, a short period setpoint of greater than 7 sec. to provide protection at low power and diverse protection for the scram on high power, as determined in the analysis in the SAR. MIT did not propose to change the reactor power or period limiting setpoint values in TS 3.2.3-1, Table 3.2.3-1, which are required by TS 3.2.3.3 to be set more conservatively than the corresponding LSSS.

The licensee did not propose to change the safety limit or LSSS TS values derived from the analysis in the SAR, which maintains the safety margin previously approved by the NRC during

license renewal (Ref. 8). However, the LAR, proposes to replace the channels that monitor and process the measured flux value and initiate the scram at the TS setpoint. The LAR proposes to replace the six existing nuclear channels; three channels monitoring the reactor power and the other three monitoring reactor period, with four Mirion DWK 250 neutron channels. Each of the proposed channels independently measures and monitors reactor power (i.e., neutron flux level) and reactor period and provides a scram output if the setpoint for high power or short period is exceeded.

During the Audit (Ref. 16), NRC staff reviewed the test procedures and satisfactory test results for the factory acceptance testing (FAT) of the Mirion DWK 250 neutron channels. The NRC staff also reviewed the post-delivery test procedures and satisfactory test results with the detectors in the target radiation environment (Ref. 16) that document the testing conducted after the Mirion DWK 250 neutron channels were delivered. As discussed in Section 2.4 of this SE, two of the neutron fission chamber detectors and the preamplifiers were installed without prior NRC approval, under 10 CFR 50.59.

The Mirion neutron channels are designed to function for the full range of reactor operation, and they can respond from source range (low power reactor startup condition with 2 cps minimum sensitivity (Ref. 11)) to at least 10 MW (which is more than the 6MW licensed full power) without intervention by the operator. Section 3.2.1 of this SE describes operation of the Mirion DWK 250 neutron channels. All four channels are independent and capable of accurately sensing neutrons even in the presence of high gamma radiation in their respective locations. Based on the selected setpoints, each neutron channel will independently generate trip signals (e.g., high neutron flux level trip) to shut down the reactor when required. In this manner, the upgraded NSS will protect the reactor and ensure operation below the LSSS.

In Reference 21, MIT proposed to revise Table 3.2.3-1 of the TSs, changing the minimum number of required safety channels for the NSS related channels from two to three. In addition, MIT proposed to add a footnote 5, which would require that any channel found to be inoperable (when required to be operable) must be placed into a trip condition within 15 minutes of declaring the channel inoperable. In addition, if any channel is in a tripped state, and a second channel is declared inoperable then, within 15 minutes, at least one of the two must be returned to an operable state or the reactor must be shut down. This TS change is evaluated and found acceptable by the NRC staff in Section 3.5.2 of this SE.

The guidance in NUREG-1537 (Ref. 9) states that the LSSS is the calculated setpoint for a protective action which provides the minimum acceptable safety margin and includes measurement uncertainty. In Reference 15, Enclosure N, MIT stated that it measured uncertainty and drift on all four DWK 250s at an equilibrium reactor power of 5.7 MW for a time span of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. MIT provided graphs and plots from these measurements in Reference 15, Enclosure N1. The figures demonstrate 0.32 percent magnitude of the uncertainty and drift, which is equivalent to 18 kW.

The NRC staff finds that the licensees uncertainty analysis is consistent with the guidance in Section 7.4 of NUREG-1537, Part 2, that recommends the proposed system account for uncertainties and that the combined instrument error is within the assumptions for the licensees accident analyses. Based on review of the information provided by the licensee, the NRC staff concludes that the four proposed DWK 250s meet the 10 CFR 50.36(c)(1)(ii)(A) requirement for automatic protective devices having significant safety function to help ensure the reactor will operate within the LSSSs and initiate the scram at the established TS setpoint to protect the safety limit.

3.3.4 RPS System Requirements The SAR submitted for the renewal of Facility Operating License No. R-37 (Ref. 7) discusses the accident analyses for MITR-II, and states that the maximum hypothetical accident is postulated to be a coolant flow blockage in a fuel element. In the SAR, the NSS is not credited for prevention or mitigation of this accident. In the SAR, the NSS neutron flux level and period scrams mitigate the consequences of other accidents, including the reactivity insertion accidents (step and ramp) and experiment malfunction accidents. The LAR (as supplemented) (Ref. 1) did not modify the accidents analyzed in Chapter 13 of the SAR.

In response to NRC staff RAI #6 (Ref. 18), MIT proposed to modify TS Table 3.2.3-1 (Ref. 21).

Specifically, the licensee proposed changing the minimum number of required NSS channels from two channels to three channels to improve reliability and because the proposed changes to the scram logic system to use two-of-four coincidence logic, which requires two concurrent trips from any two of the four redundant NSS channels. Also, MIT added footnote 5 to the table, requiring that within 15 minutes of declaring a DWK 250 channel inoperable, the inoperable channel must be placed in a trip condition. In this manner, half of the SLC logic to scram the reactor is satisfied (i.e., one of the two trips required for the two-out-of-four scram logic are present). Footnote 5 also provides an action statement that requires a reactor shut down if a second NSS channel is declared inoperable, unless the operator restores at least one of the two channels to an operable state within 15 minutes. The acceptability of these proposed TS changes is evaluated in Section 3.5.2 of this SE.

As described in Section 3.3.2 of this SE, the NSS monitors specific parameters to protect the reactor, and the RPS also monitors certain process system parameters that will scram the reactor.

Section 7.2.1 in the LAR (Ref. 1) identifies the overall I&C system design criteria and Section 7.2.2.2 of the LAR describes the overall I&C system design basis requirements for the MITR II. The NRC staff reviewed this information and finds that the design criteria and basis requirements for the proposed NSS are clearly stated and are consistent with the operating analyses in Chapter 4 Reactor Description, and the accident analysis in Chapter 13 of the SAR for renewal of Facility Operating License No. R 37 (Ref. 7). The system performance analysis topics recommended by NUREG-1537, Part 1, Section 7.24 include accuracy, reliability, adequacy, timeliness, setpoint drift, quality, redundancy, independence, single-failure, and the associated SRs for operability, channel checks, calibration, and system response time.

The NRC staffs review of the licensees information on each of these topics is discussed throughout SE Section 3.3.

To confirm that the above design criteria were implemented during the design and testing of the NSS components, the NRC staff selected a design requirement to trace its implementation and testing. The NRC staff selected the TS 3.2.1.1.b) requirement that the time from initiation of a scram signal and movement of each operable blade from its current position to its 80% inserted position be less than one second for each blade, which analyses in the renewal SAR (Ref. 7) show will not result in any damage to the fuel. The SAR Chapter 13 accident analyses use a 2.0 second overall scram delay, or twice the TS 3.2.1.1.b) limit, as a conservative value to show that the safety limit is not exceeded and that the fuel is not damaged. The NRC staff reviewed the LAR to confirm if that requirement was captured. In the LAR (Ref. 1), MIT stated that the response time of the DWK 250 to the high reactor power test signal and the short reactor period test signal is measured to be less than 500 milliseconds (ms). MIT provided Mirions description, verification, and documentation of the neutron channels response time in

Reference 3. The NRC staff reviewed the information provided for the neutron channels to verify that the neutron channels response was within the one second time requirement. To confirm that the scram response time requirement was properly implemented, MIT measured the overall response time, and found it to be 446 ms (Ref. 15, Enclosure P), which is within the margins of the scram delays considered in the accident analyses and will not impede any protective action. Further, in this enclosure, MIT stated that the completion of a scram condition, for the purposes of system response timing occurs when a proximity switch is tripped at 80 percent insertion of a shim blade. This time was measured and reported to be approximately 620 ms, which is less than the one second requirement of TS 3.2.1.1.b). In the LAR (Ref. 1), MIT stated that the system response time is verified annually or when maintenance is performed on the NSS, as required by TS 4.2.3. The NRC staff reviewed the information provided in Enclosure P (Ref. 15) and finds that the determination of the system response time meets the guidance in Section 7.4 of NUREG-1537 to consider time delays, accuracy requirements, and actuated equipment response to verify that they are consistent with the SAR safety limits, LSSSs, and LCOs, and that this information is adequately included in TS 3.2.1.1.b) and TS 4.2.3 and is acceptable.

The NRC staff also finds that the NSS performance analysis is consistent with the guidance in Section 7.2.4 of NUREG-1537, Part 1 (Ref. 5.1) and 7.2 of NUREG-1537, Part 2 (Ref. 5.2), to perform a NSS system performance analysis to ensure the design criteria and design bases are met and the license requirements for the performance of the system are specified. Based on the information provided and reviewed, the NRC staff concludes that the NSS analysis, including uncertainties and response delays meets the guidance of NUREG-1537, Part 2, Chapter 13 that the NSS perform its design function to ensure safe shutdown of the reactor when necessary and is acceptable.

3.3.5 Scram Fail-Safe Design Section 7.2.1 of the LAR (Ref. 1), describes the design criteria for I&C system, including fail-safe criteria. MIT stated that the NSS is designed to fail-safe whenever possible. The proposed two-out-of-four logic for the SLCs will cause a shutdown (scram) if any two nuclear safety channels simultaneously generate a scram signal, test signal, or fault condition, or any combination of these signals.

As described in Section 3.2 of this SE, once the actuating logic has caused a trip, the WPC will open, electrical power will be interrupted via relays in the rundown relay panel to all six shim blade electromagnets, which will release the blades, so that they drop into the reactor and shut it down. For redundancy, as described in Section 3.2.8 of this SE, MIT designed the system to interrupt the 120 VAC line power from reactor electrical circuit when the WPC is open, thereby simultaneously de-energizing all three 24-VDC power supplies for the three magnet power supply modules.

Electrical power failure produces the same result as a signal trip (i.e., removal of power to the magnets). Specifically, upon power interruption, the magnet power supply system activates the rundown relay circuit, which operates all the shim blade drives in the insertion direction until they reach their full-in positions. When the current to the blade's magnet is interrupted, the blade drops by gravity into the core. The scram goes to completion once initiated because the reactor operator cannot manually prevent the blades from falling all the way into the core after the motion has started. The automatic insertion of the drives ensures that all six shim blades and the regulating rod are physically at the bottom of the reactor core following a scram.

Therefore, a trip due to a power failure is passive and goes to completion once initiated.

Table 7-1, in Section 7.3.1.1 of the LAR (Ref. 1), identifies the requirements that must be satisfied within the WPC to permit rod withdrawal to restart the reactor, including reset of the WPC and electrical checks to ensure the shim blades and the drives are in their full-in positions.

In this manner, the circuit provides a "seal-in" feature to assure that a protective action goes to completion once it is initiated (See Section 3.2.8 of this SE).

The NRC staff reviewed the information provided in References 2, 4, 14, and 15 and verified that the NSS components provided the startup interlocks described in Section 7.3.1.1 of the LAR. During the Audit (Ref. 16), the NRC staff reviewed logic schematics and diagrams to confirm that the scram signals go through the SLCs to the magnet power supply modules and deenergize the relays to remove the electrical power to the magnet power supplies.

Based on its review of the information provided by the licensee and Audit observations, the NRC staff finds that the proposed design meets the guidance of NUREG-1537, Part 2, Section 7.4 that the design be fail-safe against malfunction and loss of electrical power, and that a scram will go to completion once Initiated. Accordingly, the NRC staff concludes that the proposed NSS design satisfies the guidance in Section 7.4 of NUREG-1537, Part 2 (Ref. 5.2) for a fail-safe design that trips the reactor following a scram signal, electrical power interruption, or failure of the neutron channels.

3.3.6 Operation of Low Count Rate Interlock Functions A low count rate interlock prevents withdrawal of the control rods (i.e., shim blades) if there are insufficient neutrons present in the core to ensure that the detectors (i.e., fission chambers) can measure a change in positive reactivity. The proposed NSS includes a low count rate scram.

The proposed automatic scram will provide the low count rate interlock function for the NSS because when a scram is present, the control rods cannot be withdrawn, thereby providing an interlock preventing rod withdrawal. The proposed low count rate on the DWK 250 provides the same interlock function as the existing period channel level off-scale (low).

In the current NSS, MIT uses three period channels, linear power, and log power to monitor the startup with two of them requiring manual switching by the operator from source-range (fission chamber) to power-range (ion chamber) operation. MIT proposes to replace the three period channels and three neutron flux level channels with four independent and redundant wide range channels (utilizing fission chamber detectors). Each channel is capable of monitoring both reactor period and neutron flux level. The scram input for the new period channels is two-out-of-four logic (the impact of the scram logic change is discussed in Section 3.3.1 of this SE). The DWK 250 switches from source range (pulse mode operation) to power range (Campbell mode operation) automatically, as opposed to the manual switching by the reactor operator required for the current NSS. The DWK 250 measures the neutron flux density, beginning from start-up level up to at least 10 MW, which is beyond the licensed maximum power level. Further, the detector itself is continuously monitored for low count rate condition by the DWK 250, which produces a trip if signal is below 5 cps or a system fault condition is detected per Table 3.2.3-1 of the proposed TSs. Section 3.2.1 of this SE describes the neutron channel.

In its letter dated October 25, 2018, in response to RAI #5 (Ref. 11), MIT stated that the minimum detectible flux for the fission chambers is 20 nv, which corresponds to 2 cps using the NY-10887 fission chamber sensitivity information, provided by MIT from the vendor. The licensee stated that the higher trip set point value of 5 cps for low count rate was selected to provide margin to the lower sensitivity limit for the minimum count rate and is more conservative.

In Section 7.2.1 of the LAR, Item (e)(ii) (Ref. 1), MIT states that the fission chamber detectors are capable of accurately sensing neutrons even in the presence of high gamma radiation in their respective locations. The LAR, Chapter 7, Section 3.1.2, (Ref. 1) describes how the Mirion preamplifier TKV 23 amplifies the fission chamber detector output at different power levels and discriminates against the smaller pulses caused by beta and gamma radiation. As described in Section 3.3.2 of this SE, MIT and Mirion successfully tested the Mirion neutron channels.

Based on its review of the information provided, the NRC staff concludes that the new detectors and the associated count rate interlock are consistent with the guidance in Section 7.3 and 7.4 of NUREG-1537, Part 2, that the detectors will function properly in a high-gamma field. The NRC staff also concludes that changes in neutron flux density are reliably measured and will prevent reactor startup (i.e., withdrawal of control devices and insertion of positive reactivity) without enough neutrons in the core. The NRC staff also concludes that the 5 cps trip setpoint provides sufficient margin to the lower sensitivity limit of the detector. Therefore, the NRC staff finds that the proposed Low count rate interlock is acceptable.

3.3.7 Spatial Dependency of Detectors In Sections 7.2.3 and 7.2.6 of the LAR (Ref. 1), MIT proposes four independent and redundant nuclear safety channels. Each channel has a DWK 250, preamplifier, and a fission chamber detector. As described in the LAR (Ref. 1), these channels provide the operator four separate indications of reactor power and period within the core. Each detector senses the neutron flux based on its independent location relative to the reactor core and each of the four channels also provides automatic reactor protection against short reactor period and high reactor power level.

Appendix A and Section 7.4.1 of the LAR describe the installation of the fission chamber detectors for Channels 1 through 4. Each fission chamber is installed in a physically separated instrument port or thimble, embedded within the reactor shielding in a distributed arrangement around the reactor core. MIT selected these locations to maximize independence from each other and reactor experiments, optimize spatial symmetry, allow accessibility, and provide redundancy. The fission chambers do not interfere with each other and are positioned to have minimum interference from reactor experiments. Location of the channels is illustrated in Appendix A of the LAR. In addition, Appendix A describes the results of measurements for the neutron flux distribution for each port (channel). See Figures 2 and 3 below for a drawing of the locations of the fission chambers.

Figure 2: Fission Chamber Horizontal Orientation Figure 3: Fission Chamber Vertical Orientation

Based on its review of the information provided, the NRC staff finds that the proposed detector placement and number of NSS channels meets the guidance of ANS/ANSI 15.15 (Ref. 29) to provide the minimum number and locations of detectors sufficient to provide the spatial independence required for continuous and independent indication of the neutron flux from subcritical source multiplication level through the licensed maximum power. The NRC staff finds that the NSS should give reliable reactor power level and rate-of-change information from the detectors and channels that directly monitor the neutron flux consistent with the guidance of IEEE standard 603 (Ref. 25), for those monitored parameters that have a spatial dependence (that is, where the parameter varies as a function of position in a particular region), to provide the minimum number and locations of detectors required for the TS 3.2.3 period and neutron flux protective actions. Therefore, the NRC staff concludes the location of the fission chamber detectors as identified are adequate for protection of the reactor.

3.3.8 RPS Testing of Function and Time Scale Section 3.3.4 of this SE describes the system response requirements and the value measured with the proposed NSS. The licensee stated that the response time of the system is less than 500 ms (Ref. 15, Enclosure P), which is within the margins of the scram delays considered in the MITR-II accident analyses in the license renewal SAR (Ref. 7) and will not impede any protective action.

After completion of the NSS design, MIT performed preinstallation testing of its components. In Reference 15, MIT provided a summary of the testing performed. In addition, MIT performed pre-installation testing of the NSS to verify and validate the design and operation of the NSS. In Reference 20, MIT confirmed that all pre-operational tests for all components developed by MIT had been completed. A test summary report is provided as Enclosure Q 1, to Reference 15 recording the satisfactory completion of pre-operational testing of all MIT-developed components, and the satisfactory completion of a preinstallation integrated system test. In addition, MIT performed the DWK 250 test procedures provided in Reference 15, Enclosure Q satisfactorily when the neutron channels were installed. The licensee stated that these post-installations tests provide confirmation and documentation that the NSS meets the final NSS design criteria following integration into the RPS. Additionally, Section 4 of the MITR-II TS requires that the licensee perform surveillances to demonstrate operability of the RPS prior to reactor operations. TS 4.2.5 requires that a channel test be performed if the channel has been modified. TS 4.2.6 requires calibration and trip point verification when a channel is initially installed.

Based on the information reviewed, the NRC staff finds that the licensee and its vendors defined plans and procedures to test the replacement NSS and provided test reports that summarized test activities, acceptance criteria, and results. Therefore, the NRC staff finds that the design implementation and testing of the replacement NSSS meets the design acceptance criteria in IEEE Standard 7-4.3.2 (Ref. 5.2) to ensure the requirements for the NSS are complete and correct and to demonstrate by system testing that the NSS conforms with the MITR-II design bases and criteria. Additionally, the surveillance TSs provide assurance that the channel will perform its intended safety function when required.

Therefore, NRC staff concludes that the proposed NSS was designed and satisfactorily tested in accordance with the vendor QA program and plans, and that the system will perform according to its intended use. Accordingly, the proposed NSS satisfies the design acceptance criterion in Section 7.4 of NUREG-1537. Part 2 (Ref. 5.2), which provides that the RPS function and time scale should be designed to be readily tested to ensure operability and is acceptable.

3.3.9 Access Control This section documents the NRC staff review to confirm the access control features of the NSS are adequate to protect the NSS from unauthorized access.

As discussed in the LAR (Ref. 1), Table 7.1, Withdrawal Permit Circuit Relays and Contacts, and Table 7.2, List of Reactor Scrams, MIT lists the reactor key as a part of the WPC. Also discussed in the current TS 1.3.25 and TS 1.3.28, insertion of the console key is one of the conditions that could place the MITR-II in a Reactor Operating condition; removal of the console key is one of the conditions required to place the MITR-II in a Reactor Secured condition. The NRC staff reviewed the LAR to verify that the LAR did not propose changes to the TS or design that would remove or no longer require the use of the reactor console key.

According to the licensee (Ref. 1), the enable keys for the DWK 250s are kept in locked storage with access to each key controlled and limited to authorized senior members of Reactor Operations and the Instrumentation Supervisor. Only a specific subset of authorized personnel that have undergone background investigations and have unescorted facility access to the MIT controlled access areas in accordance with 10 CFR 73.67(d)(4) and 10 CFR 73.57, Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information. will have access to the keys for the performance of written calibration procedures.

In the LAR, Section 7.4.1.9, MIT noted that the Mirion DWK 250s include a Recommended Standard (RS)-232 communication port and a terminal block on the rear of the chassis to adjust parameters, such as calibration settings. This port and terminal block can be used during testing to connect a dedicated, password-protected, non-network computer. However, in Reference 15, MIT stated that the communication port and the terminal block will not be used for calibration of the neutron channels. MIT physically blocked this communication port with a capture device held in place by tamper-resistant, security screws. The capture device also disables the terminal strip. The tool to remove the security screws is kept in the MITR-II Operations Office, with access limited to only authorized MITR-II personnel. During the audit (Ref. 16), the NRC staff observed the access control to the RS-232 port, the terminal block, and the front panel access to the DWK 250s.

Based on its review of the information provided and its Audit observations, the NRC staff finds that the console key to operate the reactor and the enable keys that allow for configuration changes to be made to the NSS are maintained by storing them in a locked cabinet, with access to each key controlled and limited to a specific subset of qualified and authorized individuals.

The NRC staff finds that the NSS is designed so that reactor operation is prevented and not authorized without use of a key at the control console consistent with the existing MITR-II design requirements. As described in the LAR (Ref. 1) and confirmed by the NRC staff observations during the Audit (Ref. 5), unauthorized reactor operation is prevented through physical barriers, the use of key control measures, and electronic authentication. The NRC staffs Audit observations also confirmed information provided in the LAR on controls that govern physical and electronic access to safety system software and data during and after installation, including: installation, testing, operations, maintenance, and retirement.

Therefore, the NRC staff concludes that the MITR-II design adequately incorporates the previous reactor key protection and that unauthorized reactor operation continues to be prevented by requiring use of a key at the control console consistent with the guidance in ANS/ANSI 15.15 (Ref. 29) to include physical provisions, such as a key switch, to prevent the

unauthorized use of the reactor controls. Additionally, enable keys prevents access to or control of the DWK 250 operating parameters to help ensure configuration changes are restricted to authorized personnel consistent with the ANS/ANSI 15.15 guidance to include physical means, to limit access to setpoint and calibration adjustments to the extent necessary to prevent unauthorized adjustments.

In Section 7.4.1.8 of the LAR (Ref. 1), MIT provided information on the software development phase. During the Audit (Ref. 16), the NRC staff interviewed MIT staff regarding implementing computer access control during the developmental process, including requirements, design, integration and testing to confirm the information in the LAR. In Section 7.4.1.9 of the LAR (Ref. 1) and in its response to RAI (Ref. 15), MIT provided information on physical and electronic access to the upgraded NSS. In its response, the licensee described how the proposed design addresses the potential for electronic access via network connections, maintenance equipment, portal media, and access ports. Additionally, the licensee stated that physical access control is provided through the physical security controls of the facility and NRC-approved physical security plan. During the Audit, the NRC staff also confirmed that the MITR-II access controls described in the LAR prevent unauthorized physical and electronic access and mitigate potential security vulnerabilities (physical and electronic) in the developmental phases of the software.

Based on the information reviewed and its Audit observations, the NRC staff finds that the NSS design and development environment and licensee controls are consistent with the guidance of Regulatory Guide (RG) 1.152 (Ref. 30) to protect digital computer-based systems throughout the development life cycle of the system to prevent unauthorized, unintended, and unsafe modifications. Additionally, the NRC staff finds that there is no access through network connections or maintenance equipment and no electronic path by which a person can make unauthorized changes to the NSS or display erroneous facility status information to the operators. Accordingly, the NRC staff concludes the access control features of the NSS meets the guidance in NUREG-1537, Part 2, Section 7.4 and are adequate to protect the NSS from unauthorized access and are acceptable.

3.3.10 Single Failure Criteria This section documents the NRC staff review of the application as supplemented to ensure the proposed NSS is designed to protect the reactor, and that any single failure in the NSS will not prevent reactor shutdown. The NSS should be designed to perform its protective function after experiencing a single random active failure within the NSS system.

Section 7.2.1, Design Criteria, of the LAR (Ref. 1) states that a single failure will not prevent a safe shutdown because of the redundancy and diversity. The NSS is designed to operate after experiencing a single failure. The LAR, Section 7.2.1, describes the design criteria for the proposed NSS. Item (e) in Section 7.2.1 of the LAR included both redundancy and diversity in the design of the proposed NSS to minimize the risks of a single failure. As described in Sections 3.2 and 3.3 of this SE, the proposed NSS is composed of four identical, but independent, nuclear safety channels, each monitoring reactor period and reactor power level.

Each channel has a fission chamber detector, a preamplifier immediately downstream from the detector, and a wide-range neutron flux monitor (DWK 250). All four independent and redundant neutron channels can measure power from startup to at least 10 MW, which exceeds the licensed range of operation for MITR-II. Section 3.2.1 of this SE describes operation of the Mirion channels. If one of the neutron channels becomes inoperable, the others will continue to monitor reactor power. MIT stated in Section 7.2.1 of the proposed SAR, provided as part of the

LAR, that the NSS will have four independent and redundant channels that monitor reactor period and reactor power level and that a single failure will not prevent a safe shutdown because of the available redundancy. The single failure criterion assumes when one of the operable channels fails to respond to a condition which requires a scram the system will still generate a scram. That means if one of the three required operable channels of the NSS fails to respond to an actual scram condition (e.g., over power), there are still two operable channels remaining to initiate the required reactor scram. Therefore, a single failure of the neutron channels will not prevent safe shutdown of the reactor since the redundancy provided by the remaining two channels assure that loss of NSS protective action is not credible.

Figure 4 provides a simplified illustration of the connection of the DWK 250s to the SLC. In the figure the designation of CH 1, CH 2, CH 3, and CH 4, represents each of the four DWK 250 channels in the upgraded NSS. The SDM distributes signals between the DWK 250 and the SLC with no signal processing.

Figure 4: Simplified Connection Line Drawing for DWK 250 Logic The scram signal from any one of the four DWK 250s goes to both SLCs. The SLCs operate independently, such that, if either of the SLCs detects a scram from at least two of the DWK 250s, the SLC will generate a scram signal to relays that deenergize the WPC and magnet power supply, which will in turn scram the reactor by deenergizing the shim blade magnets. The WPC and magnet power supplies require both input signals to be energized for the output to be energized.

The two SLCs are identical logic circuits, built entirely of non-programmable, discrete solid-state components, that provide redundancy for the NSS. Specifically, the trip signals from each of the four DWK 250s are routed to both SLCs, which perform identical logic comparisons for redundancy. Each SLC performs a two-out-of-four logic comparison of the DWK 250 input signals to shut down the reactor. If only one of the four DWK 250 chassis outputs a trip or failure signal, the SLC will not initiate a scram signal, since two are required by the SLC. This prevents a reactor scram due to a false DWK 250 indication from only one channel, and therefore improves system reliability. However, if a second DWK 250 chassis also outputs a trip or failure signal to the SLC (2-of-4), the coincidence logic will complete, and a scram signal is generated by the SLC. Either SLC creating a scram signal will result in an automatic scram (1-of-2 SLCs). If one of the SLCs fails, this will result in a (fail-safe) scram signal. Therefore, two redundant SLCs ensures that a single failure of an SLC will not prevent scramming the reactor.

Two outputs from the SLCs are connected to two relay contacts that de-energize the WPC and the magnet power supply modules, relay B3-1 loop A and the newly added relay B4-1 loop B.

The SLCs function independently of each other and activate both relays. A scram signal from SLC-1 will de-energize relays B3 and B4 in loop A and loop B, respectively. Likewise, a scram signal from SLC-2 will also de-energize relays B3 and B4 in loop A and loop B, respectively. In the existing system, the safety-system scram opens only one contact (B3-1). When a scram signal is issued, power is removed from the relays, ensuring the reactor is scrammed. In this manner, any system failure will cause interruption of power, and consequently shutdown the reactor by removing power from normally energized relays in the magnet power supplies and the WPC.

The NSS also provides redundancy in de-energizing the electromagnets that hold the shim blades. Specifically, if one of the SLC fails, this will result in a scram signal to the RPS (Ref. 15, Enclosure E). The SLC scram signal is sent to both the magnet power supply system and the KSM. Interrupting power to the magnet power supply will directly interrupt power to the shim blade magnets. Also, interrupting power to the KSM will de-energize existing circuits scram loop A and scram loop B in the WPC, which in turn also results in interruption of shim blade electromagnet current, shutting down the reactor. In this manner, if one of them fails, the other will shut down the reactor.

The proposed NSS is designed to protect the reactor even if a failure affected multiple DWK 250 components. The signal path is interrupted and the magnet power supply deenergized if any of the components along the scram signal path fail, thereby resulting in safe shut down of the reactor. A failure of two or more DWK 250s will also result in a scram. Further, a failure of one DWK 250 results in one of the four trip signals to satisfy the two-of-four coincidence logic. If a second DWK 250 fails, is placed in test, or if the DWK 250 exceeds a trip setpoint, a scram will occur. Failure of components not relied upon for shutting down the reactor (e.g., PLC) will not affect the operation of the SLCs and will not interfere with trip propagation or scram signal processing. Based on this information, the NRC staff finds that the NSS design provides sufficient features and mechanisms to shut down the reactor if multiple NSS DWK 250 components are affected by software.

In Section 7.2.3 of the LAR, MIT described the design aspects of I&C systems for the MITR-II.

MIT also described the four layers of protection for the reactor. The RPS represent the first layer of protection, and it can always override operation and control commands. The second layer is comprised of the RCS. The RCS generates signals that energize relays in the WPC.

For example, the all-rods-in pushbutton is part of the relay circuit. This pushbutton is used whenever it is desired to shut down the reactor and a scram action is not warranted. In the LAR, MIT did not modify the system, relays, and contacts associated with the RCS (and listed in Table 7-1 of the LAR). The third layer is made by the control console display system. Displays in the console will provide sufficient information for the operator to control reactivity or shutdown the reactor. These mechanisms are described in the LAR in Section 7.3.2.4. For example, the normal means to shut down the reactor is using the all-rods-in pushbutton. MIT did not propose to modify these mechanisms in the LAR, and therefore they are identical to those described in Section 7.3.2.4 of the current SAR (Ref. 8). MIT made several modifications to the console annunciator panel to include alarm signals associated with the proposed NSS. The console annunciator panel alarm modifications are described in Reference 15, Enclosure V.

The fourth layer is formed by the radiation monitoring system, which is described in Section 7.2.2.2.5 of the SAR (Ref. 8). If the RMS senses high effluent gaseous or particulate airborne activity, it will close the building ventilation penetrations, and isolate the reactor building

atmosphere from the environment. MIT did not propose to modify these reactor protection mechanisms as part of the LAR.

Furthermore, in the LAR, MIT explained that MITR-II includes other protective functions that will provide an automatic scram of the reactor based on the primary coolant flow, the primary coolant temperature, and the core tank level. The WPC causes the reactor scram to occur.

The WPC includes relays corresponding to scram condition for each required reactor channel/parameter. If any relay is open, electric power is interrupted to the shim blade electromagnets, which scrams the reactor. All scram relays fail open, including when power is interrupted.

Based on the information provided and reviewed, NRC staff finds that the NSS will perform its protective action by de-energizing relays in the RPS resulting in an automatic reactor scram.

Also, the NRC staff finds that the presence of multiple NSS channels, each capable of generating a scram signal, and two independent SLCs ensures that the failure of any one component in the proposed NSS would not prevent a reactor scram. Therefore, the NRC staff concludes that the proposed NSS upgrade meets the NUREG-1537, Part 2, Section 7.4 (Ref. 5.2) guidance that the system provide redundancy and diversity such that the NSS can, as a minimum, perform its required protective actions in the presence of any single failure or malfunction within the NSS.

3.3.11 Independence of RPS from Other Systems This section documents the NRC staff review of the LAR to verify the proposed NSS has physical, electrical and communication independence from other systems.

3.3.11.1 Independence between RPS Channels and Non-Safety-Related Systems NUREG-1537, Part 2, Section 7.4 states in its acceptance criteria section that: The SAR should address the separation and independence of the RCS and RPS with consideration of the radiological risk of reactor operation.

Section 7.4.1.6 in the LAR describes how the MIT design considered independence in the design of the proposed NSS. The four new fission chamber detectors of the NSS are installed in existing instrument ports exterior to the core tank, but within the concrete biological shield and the graphite reflector. One fission chamber detector is installed in each port. All fission chamber detectors are secured within their own custom-made beam port plugs, well separated from each other. MIT described the location of the fission chamber detectors in Appendix A of the LAR (Ref. 1). Figure 3-11 in Appendix A shows that the cables for the fission chamber detectors are separately routed to their corresponding preamplifiers and DWK 250s in the control room. These cables run within steel conduits, many of which are embedded in existing building structural concrete. All cables are within the containment building but outside the control room. Figure 3-11 also shows that the routing paths are different to avoid a single physical mishap from disabling more than one neutron monitor.

In Appendix A of the LAR, MIT described the location of the fission chamber neutron detectors.

The fission chamber detectors are in physically separated instrument ports or thimbles, embedded within the reactor shielding and distributed around the reactor core. Figure 3-8 in Appendix A shows that the two horizontal instrument ports (4IH1 and 4IH3) and two vertical instrument ports (3GV2 and 3GV5) were selected to optimize spatial symmetry and accessibility of the detectors. MIT selected these locations to maximize independence from each other, as

well as from reactor experiments optimize spatial symmetry, and accessibility, while also providing redundancy. Appendix A includes the thermal neutron flux measured to evaluate the locations selected for the neutron detectors.

The NRC staff reviewed the drawings provided in the LAR and concludes that the four fission chamber detectors are in physically separated ports around the reactor, and that their cables are separately routed to the control room, demonstrating that the devices are physically independent.

Each fission chamber detector is independently connected to its DWK 250 and neutron monitor signals are not shared among DWK 250 neutron monitors. Furthermore, each DWK 250 independently generates its outputs without receiving information from the other channels. The trips and warnings from the individual channels (i.e., each DWK 250) pass through the SDM to both SLCs 1 and 2, which are independent and perform identical logic functions (e.g., 2 out of 4 coincidence). Each of the SLCs has independent relays to deenergize the magnet power supplies and the WPC, resulting in a reactor scram.

The SLCs also send signals to the LED scram display, which indicates the status of each neutron channels trip signal. To restart the reactor, the initiating condition must be cleared, and the operator must reset the alarm on the LED scram display for the corresponding channel and the main annunciator panel. The channel reset button on the LED scram display also resets the SLCs, providing bi-directional communication between the SLC and the LED scram display.

The KSM and the SLCs also exchange information through separate means (for inputs and outputs). The KSM sends a signal to the SLCs via the SDM specifying the key switch position, and when operating in full mode, a signal to ignore the High Power 100 kW Operation trip signals from the DWK 250s. MIT used optical-isolators and optical-couplers to isolate the I/O signals to ensure the signal path is one-way to protect the SLCs.

The PLC receives signals from the DWK 250s, SLC signals, and 24 VDC power supply status signal through the SDM for alarm indication and recording. The PLC has a built-in optical isolator on each of its signal input connections from the SDM, ensuring the signal flow is unidirectional into the PLC. Therefore, the PLC cannot send signals to other NSS components.

If this isolation fails, the PLC will be left disconnected from the SDM. In that case, none of the trip alarms generated by the DWK 250 units will reach or be registered by the PLC.

The NRC staff reviewed the schematics, logic diagrams, and the results of the pre-operational tests the licensee provided in the enclosures to Reference 15 that were performed to validate transmission of signals among NSS components. Based on the information provided and reviewed, the NRC staff finds that the proposed NSS design is consistent with Section 7.4 of NUREG-1537, Part 2, to provide separation and independence of the RPS including communication independence from other reactor subsystems and is acceptable.

3.3.11.2 Communication Independence NUREG-1537, Part 2, Section 7.4 states that, logic, schematic and circuit diagrams ... should show [communication] independence of detector channels and trip circuits. IEEE 7-4.3.2-1993, Annex G (Ref. 24), states, For proper independence of the safety computer from non-safety equipment, both electrical and communication isolation need to be ensured.

The DWK 250s are independent and each generate their outputs without receiving information from the other DWK 250s. In addition, during operation, the detectors and preamplifiers communicate only with the respective DWK 250, and each DWK 250s communicates directly to the SDM and will not communicate with other MITR-II equipment or with a public network.

In the proposed NSS, the PLC and the drop timer interface module are non-safety related components. The PLC receives signals from the DWK 250s, SLC signals, and 24 VDC status signal through the SDM for alarm, indication, and recording. As stated in Section 3.3.11, the PLC has a built-in optical isolator on each of its signal input connections from the SDM, ensuring the signal flow is unidirectional into the PLC; that is, communication of the RPS to other systems is one way; therefore, the communication with the other system cannot adversely affect the RPS. The drop timer interface module receives the "Test" trip signal from each DWK 250 via the SDM. Reference 15, Enclosure K, states that "Test" trip signals are input to the logic chips via unidirectional optical isolators mounted on the interface module's circuit board, thereby both protecting the logic chips and preventing any feedback to the DWK 250 chassis. Similarly, when the logic is satisfied, the logic chips output their signal to the blade drop timer downstream via another unidirectional optical isolator.

The NRC staff reviewed the schematics provided in the LAR (Ref. 1) and RAI response (Ref. 15) and verified that there is no communication among the neutron channels, and therefore there are no adverse effects from communication among the neutron channels. The NRC staffs review also verified that there is only unidirectional communication between safety components and non-safety components in the proposed NSS.

Based on the information provided and reviewed, the NRC staff finds, consistent with the guidance in NUREG-1537, Part 2, Section 7.4, that the upgraded NSS design is sufficient to provide for all isolation and independence from other reactor systems required by the SAR analysis to avoid malfunctions or failures caused by the NSS system.

3.3.11.3 Communication Protocols NUREG-1537, Part 2, Section 7.4 states in the acceptance criteria section that, logic, schematic and circuit diagrams... should show [communication] independence of detector channels and trip circuits. IEEE 7-4.3.2-1993, Annex G (Ref. 24), states, Communication between computers in different safety channels may be desired for such purposes as voter logic or time stamp synchronization. Upon a failure of the communication, the preferred failure state should be set if one has been identified.

In the proposed NSS, the neutron channels are the only components that include data communications and use a communication protocol. In the LAR, Appendix A, Mirion described the communication protocol for the DWK 250s. Specifically, the DWK 250s use a proprietary communication protocol to transfer data among internal components. However, the neutron channels do not exchange information among them. The trip signals generated in each DWK 250 are binary signals, via binary output relays. The DWK 250 includes two analog outputs (i.e., 4-20 milliamperes (mA)) to provide data for displays or recorders in the control room. Also, as described in Section 3.3.9 of this SE, the DWK 250 includes an RS-232 port to transmit data to an external computer, but MIT decided not to use this port and provided a robust barrier (cover) to prevent the use of the port (Ref. 15).

The trip signals from the DWK 250s transferred to SDM, SLC, and other components, are analog electrical signals (energized or deenergized states). Therefore, the NRC staff concludes that system communications protocols are not applicable.

The NRC verified that the NSS components do not exchange data using communication protocols. Based on the information provided and reviewed, the NRC finds, consistent with the guidance in NUREG-1537, Part, Section 7.4 and IEEE 7-4.3.2-1993, Annex G (Ref. 24), that the upgraded NSS design shows adequate independence and communication protocols for the proposed use of the system.

3.3.12 Equipment Qualification and Environmental Conditions Section 7.2.1, Design Criteria, of the LAR (Ref. 1) states that, because MITR-II is a research reactor, operation can be suspended during adverse location conditions such as severe weather, a seismic event, flooding, or fire.

In the application for renewal of Facility Operating License No. R-37 (Ref. 7), MIT discusses how the facility and equipment is protected against external events, such as, lightning, floods, meteorological disturbances, seismic events, mechanical impacts, pipe vibrations, and explosions or toxic releases. The proposed NSS components will be mounted within the same protective metal instrumentation cabinets of the control room as the current system components. As such, the proposed NSS will have the same physical protection as that of the current NSS, which the NRC staff reviewed and approved during license renewal (Ref. 8).

Accordingly, the NRC staff finds that the proposed NSS components also meet the equipment qualification and environmental conditions and are acceptable.

Temperature and Humidity In the LAR, Sections 7.2.1 (e)(i) and 7.4.1.5 (Ref. 1), MIT stated that the proposed NSS is designed for reliable operation under all anticipated reactor environmental conditions for the full range of reactor operation, maintenance, and testing. The MIT containment building is controlled for both temperature and humidity. The control room and all instrumentation for the NSS is housed in the containment building, which has an integral heating, ventilating, and air conditioning (HVAC) system.

References 4, 14, and 15, describe the NSS components and identify the environmental conditions in which these components are designed to operate. Specifically, the NSS components, except for the detectors, will be installed in metal instrumentation cabinets located in the air-conditioned control room. Whenever the control room is occupied, a written procedure specifies that the temperature in the control room be maintained at approximately 68 degrees Fahrenheit (F) by the reactor operator. If the control room temperature reaches 78 degrees F, the operator will follow an administrative procedure to reduce the elevated temperature in the control room. The HVAC system controls the temperature, humidity, and air movement in the control room. Additionally, during the Audit, the NRC staff observed that the reactor room is below the surface of the ground that surrounds it (below grade), there are no exterior windows, and only 1 door, which exits to an air-conditioned corridor that is part of the containment. The process of conditioning the air in the control room and the limited exchange of the air in containment with outside air allows the HVAC system to maintain a temperature-humidity relationship that meets the temperature and non-condensing conditions specified by the manufacturers data sheets for the NSS components of the I&C systems.

The Mirion documentation provided by the licensee for the wide range monitoring system identifies the environmental conditions in which the DWK 250 can operate reliably (Ref. 3). This document also provides copies of the KTA certifications for the DWK 250s. For the components developed in-house, the licensee states in the LAR that MIT did not perform environmental qualifications. Instead, MIT confirmed (through the vendor data sheets) that the components are suitably rated for the environmental (normal anticipated range of temperature and non-condensing humidity) conditions maintained in the MITR-II control room. During the Audit, the NRC staff reviewed the data sheets and confirmed that the components are rated to operate in the control room environment.

According to the licensee, if the air conditioning is off for an extended period while the reactor is operating, the instrument cabinet temperature rise could potentially cause a component to malfunction. However, the system is fail-safe since any failure of an NSS component (even if due to temperature or humidity) will result in a reactor scram. The control room containing the instrument cabinets is continuously attended by a licensed operator whenever the reactor is operating. The licensee also stated that a portable air conditioner is available near the control room as a backup if the main air conditioning system fails. The operators have written administrative procedures to respond to room temperature alarms, which, if deemed necessary, will result in the decision to shut down the reactor. Additionally, the HVAC system was found acceptable by the NRC staff during license renewal to ensure that temperature, relative humidity (non-condensing), and air exchange rate (ventilation) are acceptable for personnel and equipment reliability (Ref. 8).

Based on the information provided and reviewed and its Audit observations, the NRC staff considers the MITR-II containment building to be classified as a mild environment5. The NRC staff finds that the NSS design meets the guidance in NUREG-1537, Part 2, Section 7.4 that the system be designed for reliable operation in the normal range of environmental conditions anticipated within the facility, and the guidance in NUREG-1537, Section 9.1 that temperature and relative humidity, are maintained within the vendor design limits specified for the I&C equipment.

Electromagnetic Compatibility and Susceptibility In the LAR, Section 7.4.1.5, MIT described the control room as an environment where electromagnetic interference/radio frequency interference (EMI/RFI) is low and power supplies are surge-protected. In the LAR, Appendix A, Mirion documented the qualification of the DWK 250 to EMI/RFI. This document lists all tests performed to qualify the detectors, preamplifier, and modules. The licensee provided copies of the Mirion KTA certifications for these tests (Ref. 15). This Appendix also includes a certificate of acceptance of the Mirion neutron channels signed by MIT. In the LAR, MIT also noted that the TKV 23 preamplifiers are enclosed in a standard industrial electrical box to provide noise shielding, and that they used the shortest cable run practical, to minimize electrical noise pickup and signal attenuation prior to amplification.

In the Enclosures included with Reference 15, MIT stated that, except for the PLC, all the modules downstream of the DWK 250 chassis use low voltages and are built with discrete components that do not use microprocessors. In addition, in References 4, 14, and 15, MIT stated that it uses mechanical relays that fail open, thereby minimizing the impact from EMI/RFI 5

A mild environment is an environment in which its environmental conditions following an accident or other transient event remain practically the same as during normal operation.

on their function. Further, the SLC includes surge suppression diodes to protect the circuit card from electrostatic discharge (ESD). Therefore, MIT concluded that because of the low voltage nature of these components, EMI/RFI production is minimized and electrical hazards to personnel are reduced. The PLC is a microprocessor-based system that is potentially susceptible to EMI/RFI. However, the PLC is a non-safety related system that is not part of the scram signal path and it is not relied upon for shutting down the reactor. It is also electrically isolated from the NSS and it cannot send signals to the safety-related components of the proposed NSS. Failure of the PLC would only result in failure of the remote alarm, remote indication, and recording associated with the DWK 250 channels. Local indication is unaffected.

The NRC staff reviewed the SLC schematic and observed that sub-circuits were identified to provide ESD and surge protection. Based on its review, the NRC staff finds the NSS is in a low EMI/RFI environment, the design contains circuits to mitigate inductive coupling, and utilizes low voltage signals, which is consistent with the design acceptance criteria for equipment qualification in Section 7.4 of NUREG 1537, Part 2 (Ref. 5.2) and IEEE 7-4.3.2-1993 (Ref. 24)

Annex C, Electromagnetic compatibility for the design to consider the electromagnetic environment.

Electrical and Surge Protection In Reference 4, MIT noted that each 24 VDC power supply for the three magnet power supply modules and the rundown relay panel is protected against surges in line voltage by its own fuse.

In line with each shim blade magnet, a fuse downstream of the magnet power supply and rundown relay circuits prevents any power surge from damaging the magnet. Each fuse is rated for no more than 0.25 amp. Therefore, the magnet power supply system and the rundown relay circuits are adequately protected from power surges in their operating environment.

Based on its review of the information provided by the licensee on equipment qualification and facility environmental conditions, and the NRC staffs Audit observations discussed above, the NRC staff finds the proposed NSS design is consistent with the guidance in NUREG-1537, Part 2, Section 7.4 because it is designed for reliable operation in the normal range of environmental conditions. Accordingly, the NRC staff concludes that proposed NSS design will perform its intended function over the range of environmental conditions expected in the control room and at the facility.

3.3.13 Setpoint Administrative Controls As described in Section 3.1.1 of this SE, the reactor can operate in either natural or forced convection. Further, when in forced convection, the reactor can operate with one or two pumps.

The administrative controls to modify the number of pumps when operating in convection mode was not modified in the LAR, and consequently was not reviewed in this SE.

With the proposed system, MIT noted that there are three ways that NSS setpoints (i.e., reactor period and power trip values) can be changed:

(1) Using the KSM (2) Manual adjustments of the setting in the DWK 250 equipment (3) DWK 250s RS-232 communication port and terminal block

Section 3.2.5 of this SE describes operation of the KSM. This key switch can be used to select natural convection mode (<100 kW) or forced convection mode (Full Power). Changes of the operation mode will be performed in accordance with MITR-IIs operation procedures.

Adjustable parameters (in the DWK 250 equipment), such as calibration settings, trip setpoints, alarm setpoints, voltage monitoring ranges, and discriminator threshold, can be changed using the keypad on the front of the monitor. Appendix A of the LAR provides the user manual for the Mirion channels, which describes how to perform these changes. To make any adjustments of the settings, the operator must use the key switch in the front panel. As mentioned in Section 3.2.1.3 of this SE, each neutron channel includes two key switches, one for enabling testing (black key) and the other for parameter set-up (red key). Each key switch is normally in the off position (9 oclock), which allows the key to be removed. The key is required to turn any switch to the on position (12 oclock). Only authorized senior personnel will have access to the keys for the performance of written calibration procedures when the DWK 250 is taken off-line or when the reactor is shut down. In the LAR, MIT stated that the keys will be kept in a monitored, high-security key cabinet and will be accessible only by authorized senior members of Reactor Operations, and the Instrumentation Supervisor. MIT established administrative controls for modifications of the DWK 250s setpoints by controlling access to the keys.

In Reference 2.2, MIT stated that In all cases, the official record of the parameter settings will be kept on written procedures that govern the change of the parameters by authorized individuals and will be checked independently by an operator viewing the settings on the DWK 250's keypad display. Completed procedures will be filed as part of the reactor startup checklists whenever they are performed. During operation, the DWK 250 settings will be inspected on the keypad display and recorded by the console operator at least daily. The licensee also indicated that, consistent with the TS 7.8.1.d) requirement, records of completed surveillances will be retained for five years or the life of the component if less than five years.

Each DWK 250 includes a RS-232 communication port and a terminal strip on the rear of the chassis to adjust parameters, such as calibration settings. However, in Reference 15, MIT stated that the communication port and the terminal block will not be used for calibration of the neutron channels. Section 3.3.9 of this SE provides more detail.

In References 4 and 15, MIT stated that routine maintenance and inspection will be performed only by licensed reactor staff or under the supervision of licensed reactor staff. The control room is attended whenever the reactor is operating. At all other times when the building is unoccupied, it is protected as part of the physical security plan (also see Ref. 16).

During the Audit, the NRC staff observed the high-security cabinet, in which the keys are maintained and logged by the operators. Since MIT has established controls for changing the parameters and includes the parameter information in the daily logs, the NRC staff finds that MIT has established administrative controls or automatic means are provided for changing setpoints. The NRC staff concludes that MITs setpoint administrative controls are consistent with the guidance in NUREG-1537, Part 2, Section 7.4 because they ensure that system setpoints remain consistent with applicable analyses in Section 7.2.2.2 of the SAR and the TS LCOs that were approved during license renewal.

3.3.14 Bypasses, Permissives, and Interlocks The NRC staff evaluated the proposed NSS to confirm that the bypasses, permissives, and interlocks have been properly documented and implemented in the design of the NSS. The

NRC staff utilized NUREG-1537, Part 2 (Ref. 5.2), Section 7.4 which includes acceptance criteria stating that the hardware and software for computerized systems should meet the guidelines of IEEE 7-4.3.2. IEEE 7-4.3.2-1993 (Ref. 24) references IEEE standard 603 (Ref. 25) for areas that are not unique to digital systems.

3.3.14.1 Bypasses The two types of bypasses applicable to the NSS design are operating bypass and maintenance bypass.

(1) Operating Bypass: As defined in IEEE Standard 603 (Ref. 25), an operating bypass is the deliberate inhibition of the capability to provide a protective action. Operating bypasses are used to permit mode changes (for example, prevention of initiation of the low flow scram during natural circulation mode).

In the LAR (Ref. 1), the licensee stated that KSM is the only operational bypass associated with the proposed NSS. Reference 15, Enclosure G, MIT explained that MITR-II can operate either in natural convection or force flow modes. As described in Section 3.2.5 of this SE, MIT operators will use the KSM to select the operating mode. If the KSM is turned from its normal full power position to its 100 kW position, the NSS will use the 100 kW binary trips from the DWK 250s as high-power trips and bypass all three of the low flow primary coolant scrams.

Low-range amplifiers are installed in the current system to bypass the primary system pressure scrams (Section 7.4.1.3 in the SAR). With the proposed KSM, operators do not need to install additional components to modify the mode of operation. Reference 15, Enclosure G, describes operation of the KSM and provides the logic schematic for its operation. In addition, in Reference 15, Enclosure Q, MIT provided a copy of the pre-operation test for the KSM and a copy of the pre-operation test result, which demonstrated correct operation of the KSM.

As described in the LAR, although the KSM operational bypass inhibits the primary low flow and low-pressure scrams, at the same time the NSS will enable use of the 100 kW binary trips from the DWK 250s. The 100 kW binary trips reduce the scram trip points for the low flow, low-pressure condition to the setpoints established in the SAR analysis for natural circulation.

Also, if the KSM is positioned incorrectly for the actual flow configuration (e.g., in Full power operation when no primary pumps are running), the reactor will scram.

Based on the information provided and reviewed, the NRC staff finds the MIT design properly documents the use of the KSM, which is the only component in the proposed NSS that includes bypass capability. The NRC staff also finds that proposed NSS follows the guidance of Section 7.4 of IEEE standard 603 1991 (Ref. 25) to automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s) unless the applicable bypass condition (e.g.,

primary flow) is met. Additionally, the NRC staff finds that, if the applicable permissive condition changes such that an activated operating bypass is no longer permissible, the NSS will automatically remove the appropriate active operating bypass or initiate an automatic scram.

Accordingly, the NRC staff concludes that the licensees implementation of the KSM is acceptable.

(2) Maintenance Bypass: As defined in IEEE Standard 603 (Ref. 25), a maintenance bypass is the deliberate inhibition of the capability to provide a protective action; for example, to perform a test of a safety channel or when there is an equipment malfunction to remove equipment from

service without putting that equipment in trip. A maintenance bypass may reduce the degree of redundancy of equipment, but it does not result in the inhibition of a safety function.

Initially, MIT proposed using a dummy cable plug to take the place of a DWK 250 chassis during maintenance/repair of a chassis while in operation. Later, in Reference 15, MIT decided instead to use the TCB assembly to test the DWK 250s during surveillance testing. Section 3.2.9 of this SE describes how the TCB assembly operates. The proposed NSS has no other maintenance bypass features.

MIT will use the TCB assembly to test the trip signals (e.g., neutron flux level). In addition, MIT will use the TCB assembly to test the SLC by placing two neutron channels in Test mode and forcing their trip signals, which will generate a scram signal. The TCB assembly provides for surveillance testing of all the scram-related trip inputs to the SLCs.

During the Audit (Ref. 16), MIT demonstrated use of the TCB assembly to test the neutron channels and the SLCs. Reference 15, Enclosure Q, is a copy of the pre-operational tests performed on the upgraded NSS, which includes the tests results to demonstrate satisfactory operation of the TCB assembly. During testing, the operators verified that the console annunciator panel alarm comes On when the key switch is turned on. Additionally, the licensee stated the reactor startup checklist will require a visual check of the console annunciator panel and the bypass indicator lights prior to reactor startup. Also, as discussed in SE Section 3.2.9, the licensee requires that the reactor not be made critical with the TCB assembly in the On position.

Based on the information provided and reviewed and its audit observations, the NRC staff finds that the TCB assembly maintenance bypass is consistent with the Section 6.7 IEEE 603 (Ref. 25) guidance that the safety function is retained while the sense and command features of the equipment are in maintenance bypass. The NRC also finds that the NSS is designed with redundancy such that when a portion is placed in maintenance bypass, the remaining portions provide acceptable reliability to accomplish required protective actions. Accordingly, the NRC staff concludes that the licensees implementation of the TCB assembly is acceptable.

3.3.14.2 Bypass Annunciation When the <100 kW Operation is selected, a local LED light will be illuminated on the KSM and an alarm will illuminate on the control rooms annunciator panel. When an alarm is energized, a bell sounds and a light behind the translucent <100 kW Operation name plate flashes brightly on and off thereby indicating which alarm module is annunciating. When the operator depresses the annunciator acknowledge pushbutton the bell is silenced, and the alarm module's name plate is illuminated brightly and no longer flashes. When the alarm condition has been corrected, the bell again sounds and the alarm plate flashes dimly. The operator then depresses the annunciator reset pushbutton to silence the bell and extinguish the light. The annunciator alarm system is located directly over the console in the control room to provide the reactor operator with easy access to the status of the alarm system.

In a similar manner, the TCB assembly includes an indicator light, which will illuminate when the key switch is On. Also, the TCB assembly alarm will illuminate on the console annunciator panel. If the TCB assembly should fail to activate the console annunciator panel alarm, the TCB assembly panel's yellow Bypass On indicator light will still illuminate. The console operator will have to silence the annunciator alarm by pressing the annunciator acknowledge button. This

console alarm remains active while the key switch stays in the On position (see SE Section 3.2.9).

The NRC staff reviewed the logic provided in Reference 15 for visual indication of these bypass alarms. Also, during the Audit, the NRC staff observed simulated operation of these devices and their alarms. Based on information provided and reviewed and its audit observations, the NRC staff finds that the proposed NSS follows the Section 5.8.3 of IEEE standard 603 1991 (Ref. 25) guidance that bypasses include automatically activated alarms to annunciate bypass operation in the annunciator alarm system. The NRC staff concludes that the alarms give assurance of the operability of systems important to safe reactor operation and are acceptable.

3.3.14.3 Permissive Conditions As defined in IEE-603 (Ref 25), permissive conditions are the requirement(s) and any related special precautions associated with the use of each provided bypass capability. Whenever the applicable permissive conditions are not met, the safety system will automatically prevent the activation of a bypass or initiate the appropriate safety function(s). If facility conditions change so that an activated bypass is no longer permissible, the safety system will automatically accomplish one of the following actions:

1. Remove the appropriate active operating bypass(es).
2. Restore facility conditions so that permissive condition(s) are reinstated.
3. Initiate the appropriate safety function(s) (e.g., scram).

As discussed in SE Section 3.2.9, the licensee will verify by procedure that the TCB assembly is off prior to reactor startup. Additionally, as described in 3.3.14.1 above, the KSM and TCB assembly either prevent activation of the associated bypass feature or automatically initiate a scram if the conditions for bypass are not met when a bypass is activated.

Based on its review and audit observations, the NRC staff concludes that the NSS meets the guidance for permissive conditions in IEEE 603 to automatically prevent the activation of a bypass if the permissive conditions are not met, or to initiate an automatic scram if the permissive conditions are not met or facility conditions change so that an activated bypass is no longer permissible.

3.3.14.4 Interlocks ANS/ANSI-15.15 (Ref. 29) categorizes control interlocks as part of the control system, which inhibit parameters or conditions that could lead to the reactor exceeding an LCO. As described in the LAR, the RCS has five control interlocks:

1. Startup interlocks
2. Subcritical interlocks
3. Automatic controls
4. Automatic rundown
5. Low count rate (proposed)

In its LAR, MIT did not propose to modify the startup, subcritical, automatic control, or automatic rundown interlocks. Therefore, these interlocks and bypasses remain as described in the MIT license renewal SAR (Ref. 7). The proposed low count rate interlock would replace the existing period channel level off-scale (low) interlock. The low count rate interlock inhibits rod

withdrawal by generating a scram as discussed in SE Section 3.3.6, which prevents reactor startup (increase in reactivity). Thus, the ability to energize the scram magnets is dependent upon there being a sufficient indication of neutrons in the core. In Enclosure J of the LAR (Ref. 15), MIT stated that the signal paths for low count rate are not affected by operation of the TCB assembly or KSM and cannot be overridden or bypassed.

Based on its review of the information provided, the NRC staff finds that the low count rate interlock will inhibit rod motion and restrict operation of the reactor consistent with NUREG-1537, Part 2, Section 7.3 guidance that interlocks prohibit control rod motion unless the neutron flux in the core produces a neutron count rate enough to help ensure that nuclear instruments are responding to neutrons. Additionally, the NRC staff finds that the count rate interlock meets the NUREG-1537 guidance that an interlock be under the direct control of the reactor operator and should be indicated in the control room. Therefore, the NRC staff concludes the proposed count rate interlock is acceptable.

3.3.15 Surveillance (NSS Operability Testing and Calibration)

The guidance in Section 7.4 of NUREG-1537, Part 2 (Ref. 5.2) recommends that the design reasonably ensure that the system can be readily tested and maintained in the designed operating condition. The guidance in ANSI/ANS-15.15 (Ref. 29) recommends that the system design include capability for periodic checks, tests and calibrations and, if on-line periodic testing is necessary, such testing should not reduce the capability of the system to perform its safety function. Section 6.5 of IEEE 603-1991 (Ref. 25) recommends that a means be provided for checking the operational availability for each input sensor.

In the LAR, Appendix A, MIT stated that each DWK 250 channel performs continuous functional checks on its internal functions and operation. Each DWK 250 also continuously monitors the signal from its fission chamber detector for a low count rate condition and, if the signal is lost or is below a preset minimum count rate value (5 cps per proposed revisions to Table 3.2.3-1), the system will produce a trip. In this manner, the system test path covers everything from the detector to the preamplifier to the DWK 250, verifying continuity of the signal cable and connectivity of all the components in the nuclear safety channel, as well as system response.

The design of the continuous self-test in the Mirion DWK 250 includes hardware watchdogs, checksum routines, and mutual monitoring timers among microprocessors. For example, the NZ 12.21 I/O processor cyclically calculates a checksum of its program code. The NZ 12.21 central processor compares this result to a set value and monitors the I/O processor's program sequence. If there is a mismatch, or an error is detected, the NZ 12.21 central processor generates a fault message, and a trip signal is transmitted to the NSS logic system SLCs for the affected neutron channel. If another channel generates a trip, the two-of-four logic in the SLCs will be satisfied, which issues a scram signal to shut down the reactor. The self-test program runs continuously without interfering with the normal operation of the DWK 250.

In the LAR (Ref. 1), MIT stated that testing and calibration of the neutron channels is performed using the front panel and key switch of the DWK 250. Appendix A describes the periodic operator testing of the NSS channels that is triggered manually by the reactor operator from the corresponding DWK 250 in the control room. The test command generates a test signal from a dedicated signal generator circuit within the TKV 23.11 preamplifier. The DWK 250 design also self-tests the status of the nuclear safety channel to check if it is in test, or in fault. The Nuclear Safety Channel in Test, occurs when the maintenance mode is entered for testing of the scram output relays. The Nuclear Safety Channel in Fault, occurs when an internal self-check determines the channel is not functioning correctly. This design feature provides a periodic test

of the DWK 250 status and provides automatic detection, indication, and protective action if it senses a channel in test or fault.

The site acceptance test (Ref. 3.2) documents how the discriminator plateau curve test (a plot of the detector current response vs. detector voltage) was used to verify the operational response of the fission chamber detectors and to set the high voltage for each detector. This calibration procedure ensures that the detector discriminator voltage is set at a level that minimizes the unwanted effects of alpha, gamma, and noise currents in the detector output signal while maximizing the desired current from neutron pulses that indicate the true reactor flux. In RAI #1 response (Ref. 15), MIT provided the test procedure to perform the DWK 250 Detector Pulse Height Discriminator Calibration and indicated that the keypad panel for the DWK 250 channel and the red Test key are required to perform the test (see SE Section 3.3.13).

MIT also stated that the proposed TCB assembly is used to perform testing of the neutron channel scram relays and the SLCs. The proposed TCB assembly is designed to allow the operator to manually perform TS 4.2 required surveillance testing of the DWK 250 coincidence logic. Placing the DWK 250 in test generates a Test trip signal that is sent to the SLC (satisfying half the logic for a scram signal). If another DWK 250 generates a trip signal, this additional signal satisfies the two-out-of-four logic in the SLC and the SLC generates an SLC scram signal resulting in a reactor scram. This aspect of the design precludes the ability to test the coincidence logic using a simulated High Power or Short Period. Reference 15 describes the TCB Assembly that MIT designed to override the Test trip signal to the SLC and allow the operator to place more than one DWK 250 in test mode without generating the SLC scram.

MIT staff can then test the coincidence logic for each channel (i.e., allowing performance of scram tests of other trip conditions (high power, short period, low count rate, or fault)) see SE Section 3.2.9.

The proposed NSS design described in the LAR (Ref. 1) also includes the blade drop timer interface module as a non-safety related part of the NSS. The purpose of the blade drop timer interface module is to allow outputs from the DWK 250 to provide a test signal to start the existing blade drop timer as an alternate means to the Minor Scram switch (See SE Section 3.2.10). MIT proposed the blade drop timer interface module to support TS 4.2.3 surveillance testing to measure Scram Times.

The NRC staff reviewed the design information provided in the LAR (Refs. 1 and 15), including the logic diagrams and test procedures. Based on the information provided and reviewed, the NRC staff finds that the NSS design meets the guidance of ANSI/ANS-15.15 (Ref. 29) because it provides the capability for periodic checks, tests and calibrations, and finds that the DWK 250 on-line periodic self-testing does not reduce the capability of the system to perform its safety function. The NRC staff also finds that the design meets the Section 6.5 of IEEE 603-1991 (Ref. 25) guidance that a means be provided for checking the operational availability for each fission chamber detector. Accordingly, the NRC staff concludes that the proposed NSS design meets the guidance in Section 7.4 of NUREG-1537, Part 2 (Ref. 5.2) because the NSS is designed to be readily testable to reasonably ensure that the instruments and equipment will be operable and reliably perform their safety functions.

3.3.16 Human Factors The NRC staff evaluation of the human factors engineering (HFE) principles and criteria that should be applied to a section of the proposed NSS design is set forth below.

3.3.16.1 Human Factors Design Process NUREG-1537, Part 2, Section 7.4, states that guidelines from IEEE 7-4.3.2-1993 should be met.

IEEE 7-4.3.2-1993 (Ref. 24) Section 5.14, Human factor considerations, states that the IEEE standard 603-1991 requirements are adequate for digital systems. IEEE standard 603-1991 (Ref. 25) Section 5.14, Human Factors Considerations, states, Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated ... to the human operator(s) ... can be successfully accomplished to meet the safety system design goals .

In the LAR (Ref. 1), MIT stated that they used human factors engineering principles and criteria for the design of the console display to provide an adequate human-system interface. For example, the setpoints for high power level and short period are prominently displayed as digits.

The operator will no longer need to interpolate the setpoints between marks on small edgewise analog meters, as required by the current system. Also, the proposed NSS system displays power in percentage, while the current system shows a microamp value from which the operator interprets the reactor power level. This will improve the presentation of data and should improve the overall ability of the operator to perform his duties.

The NSS modules include LED lights to indicate the status of the module and/or circuit. For example, the LED scram display module includes indicator for each neutron channels trip signals. It also includes a lamp test pushbutton to verify operation of the LEDs prior to reactor startup (Ref. 15). In addition, trip signals and scrams will be displayed and logged in the PLC and will be transmitted and annunciated in the control room console annunciator panel.

During the Audit, the NRC staff observed the proposed NSS components installed in temporary racks for testing and confirmed the human factors engineering features described in the LAR. If the NRC approves the amendment, MIT will move the NSS components to their selected location. In Reference 15, Enclosure V, and Reference 20, Enclosure V, MIT provided existing and proposed console layouts for the NSS, including annunciator panels. These enclosures also identify the human factors considerations for the proposed layout.

Based on the information reviewed and its Audit observations, the NRC staff finds that MITs human factors design process for the NSS is consistent with IEEE standard 603-1991, Section 5.14 (Ref. 25) guidance that human factors be considered at the initial stages and throughout the design process to assure that the safety system design considers the human operator(s) in the safety system design goals. As such, the NRC staff concludes that MITs human factors design process, including the location and layout of the proposed NSS in the control room, is acceptable.

3.3.16.2 Channel Annunciation The NUREG-1537, Part 2, Section 7.4, acceptance criteria section states, The scram system should be designed to annunciate the channel initiating the action, and to require resetting to resume operation.

In the LAR (Ref. 1), MIT explained that the NSS analog outputs (four for reactor power (in

% power) and four for reactor period (in units of sec.)) are continuously displayed in an unambiguous format on the main console, near the absorber drive controls, and are readily visible to the operator during manual control actions without requiring the operator to change her location.

MIT stated in the LAR, that the current system uses an indicator light in the reset button of each channel's scram amplifier to seal in a trip indication. Because of this, the indicator does not differentiate between an actual scram condition (input signal greater than the trip setpoint value) and a malfunction of the amplifier and gives no warning of a setpoint being approached or if the input counts dropped to zero. In the proposed NSS, the NSS logic system also outputs a signal to an independent latching indicator panel for operator interface. The panel provides information on the source of the scram and the initiating conditions, even when the trip condition no longer exists. However, the operator must clear the trip condition and then reset the latching alarm on this panel prior to any reactor restart operation. Additionally, this indicator panel sends a signal to the console's main annunciator alarm panel. The operator must also clear and reset any scram conditions sealed in by the withdraw permit circuit, as indicated on the console's main annunciator alarm panel, to allow a reactor start.

Further, each DWK 250 is set up to produce a high-power warning and a short period warning prior to these values reaching their reactor scram setpoints. Any one of the four nuclear safety channels detecting high power or short period will alarm on the main console annunciator panel, via the PLC. The annunciator panel produces a visual indicator showing the warning signal and an audible alarm for the console operator. The operator checks the indicator lights on the individual DWK 250 monitors to determine which ones are producing the warning. The operator can then acknowledge and silence the alarms but cannot reset them unless the trip conditions are corrected. Additionally, trip signals from each of the four DWK 250s are displayed in the LED scram display. These signals are latched and will stay present even after the trip condition no longer exists. The signals can be reset only by manually pushing a reset channel button on the LED scram display. Thus, this panel serves as a means for the operator to visually assess the status of the four nuclear safety channels. After the alarms are rest in the LED scram display, the operator can clear the alarms in the main console annunciator panel.

In Reference 4, MIT explained how NSS components will annunciate a scram, specifically:

  • The KSM includes LED indicators to indicate the operation mode. Also, the front of the KSM chassis has two LED lights that indicate "Loop A Scram" and "Loop B Scram. A scram condition in the WPC's scram loop A or B, will turn on the respective light. If the KSM is damaged or fails, the 24-VDC LED power indicator light and any other LED indicator light on the front of the chassis will turn off.
  • The rundown relay system: (1) controls an indicator light that shows the status of the rundown relay circuit for its corresponding shim blade, and (2) overrides normal control of the shim blade's drive motor. The indicator light is off whenever the magnet current is at normal operating level. The light turns on when the magnet current is low or near zero; the corresponding shim blade drive continues to insert, or until it reaches its full-in position. Whenever the WPC is open, the indicator lights will stay on, identifying the control overrides which prevent any shim blade drive from being withdrawn. Even after the WPC is reset and reenergized, this override condition will remain in effect until the rundown relay circuits themselves are reset by the reactor operator. Additionally, the rundown relay circuits cannot be reset if the magnet current is below a predetermined value. When the circuit is reset, the indicator lights turn off.
  • The LED Scram Display provides a visual indication for the console operator of the status of the neutron channels and the SLCs. This module also includes the reset pushbutton for each neutron channel.
  • The PLC will display information to the operator from the NSS, logging the time and date of each safety system event for later diagnostics, and routing annunciator warnings to the control room Console Annunciator Panel.

To restart the reactor, several pre-requisites must be met. Among those are reset of the withdraw permit circuit, and placement of the shim blades and their drivers in their full-in positions and reset of the neutron channels. Section 3.2.3 of this SE and Section 3.3.5 of this SE describe the conditions and process to restart the reactor.

The NRC staff reviewed descriptions, logic and schematics for the proposed NSS provided in Reference 15. In addition, during the Audit (Ref. 16), the NRC staff observed operation of the indications available to annunciate a reactor scram. Based on the information reviewed and its audit observations, the NRC staff finds that the NSS design is consistent with NUREG-1537, Part 2, Section 7.4 guidance that the NSS be designed to annunciate the channel initiating the action, and to require an operator reset to resume operation and is acceptable.

3.3.17 Quality NUREG-1537, Part 2, Section 3.1, Design Criteria, acceptance criteria section states, Design criteria should include references to applicable up-to-date ... quality standards commensurate with the safety function and potential risks.

Regulatory Guide (RG) 2.5, Quality Assurance Program Requirements for Research and Test Reactors, (Ref. 10) recommends that the guidance of ANSI/ANS-15.8-1995 (Ref. 23), as endorsed by RG 2.5, be used in developing a QA program for complying with the program requirements of 10 CFR 50.34, subsections (a)(7) and (b)(6)(ii).

The MIT designed modules in the proposed NSS were chosen to be of industrial quality standards used for the automotive or the medical electronics, such as conformance to the intent of the Automotive Electronics Council (AEC) Q200 Stress Test Qualification for Passive Components standard from the AEC (Refs. 1, 4, 14, and 15).

During the Audit (Ref. 16), the NRC staff reviewed MITs QA program and the checklist created to identify all documents required for the modification and replacement of the NSS. During the Audit review, the NRC staff verified that MIT followed its QA program for NSS components procured from vendors but did not identify information that showed MIT followed its QA program related to the components developed and constructed in-house by MIT.

The NRC staff requested additional information about the implementation of the QA program (Ref. 16), to verify that the quality of the NSS components is commensurate with their safety importance. In its RAI response (Ref. 15), MIT provided additional information about its QA program and described how its QA program was applied to the NSS. MIT also provided examples of how the QA program was applied to the SLC, SDM, and magnet power supply modules, which were developed in-house by MIT staff (Ref. 15, Enclosures A and B). In addition, MIT described the process followed for the design and development process for the SLC (Ref. 15, Enclosure D).

NRC staff reviewed the QA information and examples provided in Reference 15 and determined that MIT implemented its QA program for the design and development of the NSS, including the components developed in-house (e.g., Reference 15 included a copy of the QA checklist prepared for the SLC). The NRC staff noted that the dates in this checklist were not in

chronological order. In Reference 20, MIT explained that the dates were not in order because some activities or items were signed or completed at different times depending on document editing and administrative needs.

During the review of the final drawings and logic schematics provided (Ref. 15), NRC staff noted that these drawings did not include revision numbers (Ref. 18). MIT responded to this RAI and explained that the revision numbers were removed because the numbers referenced design iterations. Now that the design is complete, all final drawings do not have version designations because they are the final design.

In Reference 3 and Appendix A of the LAR (Ref. 1), MIT provided the qualification and certifications from Mirion for the proposed DWK 250. These documents included the list of the TKA Standards followed by Mirion. Mirion is ISO 9001:2008 and German nuclear regulatory guideline KTA 1401 certified. MIT stated that Mirion implemented a QA program that meets the requirements of 10 CFR Part 50, Appendix B, which are stricter and exceed the applicable non-power reactor guidance of ANSI/ANS-15.8 and NUREG-1537 applicable to MIT with regards to QA. In addition, Mirion followed a software quality control program that includes a Software Development Quality Assurance Plan, a Verification and Validation Plan, a Configuration Management Plan, and Coding Rules, to provide a high-quality software life cycle process. MIT provided copies of these plans in material incorporated by reference by in the LAR (Refs. 1, 2 and 3).

The NRC staff reviewed the qualification and software development documentation for the DWK 250 and found that Mirion followed the German certification process (i.e., KTA 3501(1985-06) and 3505 (1984-11)) to develop its technology. In addition, the NRC staff finds that Mirion performed testing of the final integrated hardware, software, firmware, and interfaces. This testing was performed and certified by TÜV Rheinland as meeting German KTA 3503 (1986-11) and 3505 (1984-11). These KTA processes apply to the type approval tests of safety related I&C systems that perform measurement and control functions in accordance with Category A of international standard IEC 61226, Nuclear power plants -

Instrumentation and control important to safety - Classification of instrumentation and control functions. Category A is equivalent to IEEE 323, Qualifying Class 1E Equipment for Nuclear Power Generating Stations Classification, and to IEEE 344, Seismic Qualification of Equipment for Nuclear Power Generating Stations. Because NRC regulations do not require the use of Classification 1E equipment at research reactors, these vendor qualifications are stricter and exceed the applicable non-power reactor guidance of ANSI/ANS-15.8 and NUREG-1537 with regards to QA.

The NRC staff reviewed the information provided and determined that the quality process, standards design process were adequate for the design and testing of the proposed NSS and determined that demonstrated it followed a QA program for all components of the NSS, including those developed in-house. Therefore, based on the information provided, MIT followed its QA program for the procurement of the Mirion DWK 250s, and the quality of the modules developed and constructed by MIT for the proposed NSS is commensurate with the guidance of ANSI/ANS-15.8 to develop a QA program for complying with the program requirements of 10 CFR 50.34(a)(7) and the QA provisions for the design, development and test of the NSS meet the 50.34(b)(6)(ii) requirement that managerial and administrative controls be used to assure safe operation. Accordingly, the NRC staff finds the NSS QA program acceptable.

3.3.18 Conclusion and Evaluation of Design Basis and Design Criteria The NRC staff reviewed the NSS system design bases and criteria using the design acceptance criteria identified in NUREG-1537, Part 2 (Ref. 5.2) including the industry standards referenced by Chapter 7 of NUREG-1537, as listed in Section 2.3 of this SE.

Based on the review of the information provided in the LAR, as supplemented, and supported by its observations during the Audit, the NRC staff finds that the design of the NSS follows the design acceptance criteria to produce a redundant, fail-safe, and testable NSS, built with high quality components, which will ensure operation of the reactor without exceeding the safety limits established in the TS. The NRC staff also determined that the NSS input to the RPS includes the necessary means to trip the reactor when a scram condition exists, and that the operators will receive adequate indications of the status of the reactor.

Specifically, the NRC staff concludes:

Design criteria supporting the design bases is specified for the portions of the RPS that are assumed in the SAR to perform an operational or safety function The licensee included design criteria and provided references to relevant up-to-date, standards, guides, and codes, which includes information on the design.

The reactor has operable protection capability in all operating modes and conditions, as analyzed in the SAR for the complete range of normal reactor operating conditions and to cope with anticipated transients and potential accidents.

The range of operation of sensor (detector) channels is sufficient to cover the expected range of variation of monitored variables required during normal reactor operating conditions and to cope with anticipated transients and potential accidents.

The count rate interlock functions properly in a high-gamma field and that all reactivity changes can be properly monitored.

The RPS is designed for reliable operation in the normal range of environmental conditions anticipated within the facility.

The RPS design provides sufficient redundancy to protect against unsafe conditions in case of single failures within the reactor protection/control system.

The RPS is designed to facilitate inspection, testing, and maintenance.

3.4 Conclusion of the Technical Evaluation The NRC staff reviewed the LAR, as supplemented, for the proposed MIT modification to the reactors NSS. The NRC staff finds that MIT submitted enough information for NRC staff to evaluate the LAR in accordance with the NRCs regulations using the applicable guidance provided in Chapter 7 of NUREG-1537, Part 2 (Ref. 5.2) including the industry standards referenced by Chapter 7 of NUREG-1537, as listed in Section 2.3 of this SE. The NRC staff reviewed the safety analyses submitted, which included the description of the design, testing, and operation of the proposed NSS, and conducted a regulatory audit to gain a better understanding of the information in the LAR, facility status, and the NSS upgrade.

The NRC staff finds that the proposed revisions to Chapter 7 of the SAR, as supplemented, are appropriate and the amendment authorizes the licensee to incorporate the revisions in its SAR.

The NRC staff concludes that the licensee appropriately justified the technical bases for proposed upgrades to the NSS and that the NSS design is derived from the MIT-IIs design basis and design criteria, will allow the MITR-II to safely operate as analyzed in the LAR, as supplemented.

On this basis, the NRC staff concludes that:

  • The protection channels and protective responses are sufficient to ensure that no SL, LSSS, or RPS-related limiting condition of operation discussed and analyzed in the SAR will be exceeded.
  • The NSS design reasonably ensures that the design bases can be achieved, the NSS will be built of high-quality components using accepted engineering and industrial practices, and the NSS can be readily tested and maintained in the designed operating condition.
  • The NSS design is sufficient to provide for all isolation and independence from other reactor subsystems required by SAR analyses to avoid malfunctions or failures caused by the other systems.
  • All nuclear and process parameters of the NSS upgrade that are important to safe and effective operation of the MITR-II reactor will be displayed at the control console. The display devices for these parameters are easily understood and readily observable by an operator positioned at the reactor controls. The control console design and operator interface are sufficient to promote safe reactor operation.
  • The output instruments and the controls in the control console have been designed to provide for checking operability, inserting test signals, performing calibrations, and verifying trip settings. The availability and use of these features will ensure that the console devices and subsystems will operate as designed.
  • The annunciator and alarm panels on the control console give assurance of the operability of systems important to adequate and safe reactor operation.

3.5 Evaluation of Technical Specifications The MITR-II TSs provide the definitions, safety limits, limiting safety system settings, limiting conditions for operation, surveillance requirements, design features, and administrative controls required to operate the facility. As part of the LAR (Ref. 1), as supplemented, MIT proposed changes to the MITR-II TSs due to the design and operational changes resulting from the upgrade of the NSS. The licensee also proposed TS changes that reorder the listing of Required Safety Channels in Table 3.2.3-1 and add automatic scrams for the proposed NSS.

The licensee proposed changes to TS 3.2.7 Control System and Instrumentation Requirements for Operation, Table 3.2.7-1 Required Instrumentation for Display, TS 4.2 Reactor Control and Safety Systems, and Table 4.2-1 Surveillance of Scram and Power Measuring Channels.

The NRC staff reviewed the format and content of the proposed TSs for consistency with the guidance in NUREG-1537, Part 1, Chapter 14, and Appendix 14.1, and ANSI/ANS-15.1-20076 (Refs. 5.1 and 22). Consistent with NUREG-1537, Part 2, Chapter 14 (Ref. 5.2), the NRC staff also evaluated the proposed TS revisions to determine if the proposed MIT TSs meet the requirements in 10 CFR 50.36, Technical specifications. Each of the proposed revisions is described below.

3.5.1 Existing TS for Reactor Protection System The NRC staff reviewed the existing TS to determine their acceptability of the upgraded NSS.

TS 3.2.1.1.b) requires that the allowed scram time from initiation of a scram signal to 80%

insertion be less than one second for each blade. The shim blades remain unchanged during the NSS upgrade, which means the blades will insert with the same speed. Because the DWK 250 will activate the blade movement within the required response time, the TS remains valid for the proposed NSS upgrade.

TS 3.2.3.1 requires that the reactor not be made critical unless the RPS, which provides automatic protective action (i.e., scram), is operable in accordance with Table 3.2.3-1. The RPS will initiate the required protective action but uses a different scram logic and number of minimum channels and uses a low count rate trip setpoint. TS 3.2.3.1 remains valid, provided Table 3.2.3-1 is revised to include appropriate requirements for the upgraded NSS.

TS 3.2.3.2 prohibits fuel movement and work involving reactivity in the core unless the period and neutron flux level channels are set to alarm with the zero primary pump limits in Table 3.2.3-1. The RPS will initiate the required protective action with the same, previously acceptable trip set points for zero pump flow mode but uses a different scram logic and number of minimum channels. TS 3.2.3 remains valid provided Table 3.2.3-1 is revised to include appropriate requirements for the upgraded NSS.

TS 3.2.7 Control Systems and Instrumentation Requirements for Operations, ensures that the console operator has sufficient indication of power level and reactor period. LCO TS 3.2.7 requires that the indication from the instruments listed in Table 3.2.7-1 be provided to the reactor control console operator prior to reactor startup and during reactor operations. As discussed in Section 2.2 of this SE, the upgraded NSS replaces the Period and Startup Flux Level console displays. The linear power neutron flux level required for display is unchanged by the proposed NSS upgrade. The NSS provides indication of Period and Startup Neutron Flux Levels, however the startup neutron flux level display is a wide range indication, which is similar to the Startup Neutron Flux Level during reactor operations. TS 3.2.7 remains valid provided Table 3.2.7-1 is revised to include appropriate requirements for the upgraded NSS.

TS 4.2 Reactor Control and Safety System, ensures the reliability of the RPS by channel by requiring calibration, testing, and trip point verification. TS 4.2.4 requires that the channels listed in Table 4.2-1 be tested at least quarterly and each time before startup of the reactor if the reactor has been in a secured condition or if the channel has been repaired or de-energized.

TS 4.2.4 also requires that the channels be calibrated at least annually. Annual calibration of the channels provides sufficient assurance that the responses will be accurate since the 6

Since the issuance of NUREG-1537 in 1996, ANSI/ANS-15.1-1990 has been revised. The current version is ANSI/ANS-15.1-2007 (reaffirmed April 24, 2013) and Section 3.2, item (4), which recommends specification of the minimum number of scram channels, was not changed.

upgraded NSS is a digital system, which is less subject to drift than the analog system it replaces. TS 4.2.5 requires that the channels listed in Table 4.2-1 be tested if the channel has been modified or repaired. Testing of RPS channels following maintenance or repair provides assurance that the RPS channel will provide the required protective action. TS 4.2.4 and TS 4.2.5 remain valid provided Table 4.2-1 is revised to include the appropriate requirements for the upgraded NSS.

TS 4.2.3 requires that the scram time of each shim blade be verified annually. The scram time as defined by TS 1.3.37, is the time elapsed between the initiation of a scram signal and movement of the shim blade to its 80% inserted position. The proposed NSS does not change any of the characteristics of the shim blades or the shim blade drives that must deenergize to allow the rod to insert by gravity. As discussed in Section 3.3.4 of this SE, the proposed NSS processes the scram signal in less time than the existing NSS ensuring the scram time can be met by the proposed NSS. Because the shim blades and associated control system is not changed and the proposed NSS responds quicker than the existing NSS, TS 4.2.3 remains valid.

3.5.2 Proposed Changes to TS 3.2.3 Reactor Protection System, Table 3.2.3-1 TS 3.2.3 sets forth the requirements to ensure that automatic protection action is provided as required by the reactor protection system. TS 3.2.3.1, states, The reactor shall not be made critical unless the reactor protection system is operable in accordance with Table 3.2.3-1.

Table 3.2.1 and Table 3.2.3-1 (Continued) are both entitled, Required Safety Channels, and identify the channel or parameter, the required action, setpoint, and number of channels/parameters Table 3.2.3-1 (Continued), which also applies to all the coolant flow modes (0, 1, or 2 pump operation7), has fewer columns because it identifies the required number of channels/parameters in a single column.

To support the NSS upgrade, MIT proposed the following changes to Table 3.2.3-1 and Table 3.2.3-1 (Continued):

  • Change the Table 3.2.3-1 column heading from Channel to Channel/Parameter
  • Change the Table 3.2.3-1 (Continued) column heading from Parameter to Channel/Parameter
  • Add item 3 to Table 3.2.3-1, Low count rate, with the action of Scram, a limiting setpoint of > 5 cps, and the minimum number of required channel/parameter of 3 for each flow mode
  • Replace Table 3.2.3-1 (Continued), item 13, Period channel level signal off-scale, with Nuclear safety channel in test or fault, replace the setpoint of less than two period channel level signals on-scale with Channel is in test or fault condition, and change the minimum number of required channels from 1 to 3 for each flow mode
  • Change Footnote 1) in Table 3.2.3-1 from On-scale neutron flux level indication required to permit shim blade magnet current on. to Nuclear safety scram logic system 7

The reference in TS Table 3.2.3-1 to 2, 1, or 0 Primary Pumps and Any number of Pumps (Two, One, or Zero refers to the flow mode of the MITR-II reactor based on the number of running primary coolant pumps, which directly impacts the safety limit and LSSS.

ensures that reactor scrams when two trips are present simultaneously from any two of the four nuclear safety channels. Retain the footnote superscript next to each Min. No.

Required parameter/channel value the Period and insert the footnote superscript next to the Min. No. Required values for Neutron flux level, and Low count rate in Table 3.2.3-1

  • Add to Table 3.2.3-1, Footnote 5), which states: Within 15 minutes of declaring any nuclear safety system channel inoperable, the channel must be placed into a tripped state, which will be indicated on the Safety System Condition LED Scram Display. If any nuclear safety channel is in a tripped state, and a second nuclear safety channel is declared inoperable, then within 15 minutes at least one of the two must be returned to an operable state or the reactor must be shutdown. Add the footnote superscript next to the Min. No. Required channel/parameters values for Period, Neutron flux level, and Low count rate in Table 3.2.3-1
  • Add Footnotes 1) and 5), discussed above, to the bottom of Table 3.2.3-1(Continued) and insert the footnotes superscripts next to the Minimum No. Required value for Nuclear safety channel in test or fault in Table 3.2.3-1 (Continued)
  • Change the minimum number of required channels for Table 3.2.3-1, Period and neutron flux level from 2 to 3 in each of the minimum number required column
  • Delete superscript (1) next to the Neutron flux level in the current Channel column
  • Renumber Table 3.2.3-1, items 3 through 8 as 4 through 9, respectively
  • Renumber Table 3.2.3-1, item 9, Experiment scrams, as 18 and relocate it to Table 3.2.3-1 (Continued)

The revised entries that result from the licensees proposed changed to TS 3.2.3, Table 3.2.3-1, discussed above, are in bold typeface in Table 3.2.3-1 Required Safety Channels and Table 3.2.3-1 (Continued) Required Safety Channels, below.

Table 3.2.3-1 Required Safety Channels 2 Primary Pumps 1 Primary Pump 0 Primary Pump Channel / Parameter Action Limiting Min. No. Limiting Min. No. Limiting Min. No.

Setpoint Required Setpoint Required Setpoint Required

1. Period Scram > 7 sec. 3(1)(5) > 7 sec 3(1)(5) > 7 sec 3(1)(5)
2. Neutron flux level Scram < 7.4 MW 3(1)(5) < 3.2 MW 3(1)(5) < 100 kW 3(1)(5)
3. Low count rate Scram > 5 cps 3(1)(5) > 5 cps 3(1)(5) > 5 cps 3(1)(5)
4. Primary coolant outlet Scram < 60 C 2 < 60 C 2 < 60 C 2 temperature
5. Core tank level Scram 4" below 1 4" below 1 4" below 1 overflow pipe overflow pipe overflow pipe
6. Reflector tank level Scram 4" below 1 4" below 1 4" below 1(2) overflow overflow overflow
7. D2O dump valve Reflector dump N/A 1 N/A 1 N/A 1 selector switch & scram
8. Manual major scram Reflector dump, N/A 2(3) N/A 2(3) N/A 2(3) containment closure & scram
9. Manual minor scram Scram N/A 1 N/A 1 N/A 1
10. Primary coolant Scram > 1800 gpm 2(4) > 900 gpm 2(4) N/A 0 flow rate
11. D2O reflector Scram > 75 gpm 1 > 75 gpm 1 N/A 0 flow rate
12. Shield coolant Scram > 50 gpm 1 > 50 gpm 1 N/A 0 flow rate
1) Nuclear safety scram logic system ensures that reactor scrams when two trips are present simultaneously from any two of the four nuclear safety channels.
2) For reflector reactivity measurement, the reflector scram can be bypassed at power levels less than 100 kW.
3) One in utility room.
4) At least one safety channel on the primary coolant flow rate scram must be by core inlet pressure sensor.
5) Within 15 minutes of declaring any nuclear safety system channel inoperable, the channel must be placed into a tripped state, which will be indicated on the Safety System Condition LED Scram Display. If any nuclear safety channel is in a tripped state, and a second nuclear safety channel is declared inoperable, then within 15 minutes at least one of the two must be returned to an operable state or the reactor must be shut down.

The licensees proposed changed to TS 3.2.3, Table 3.2.3-1 (Continued), discussed above, are annotated by bold typeface in Table 3.2.3-1 (Continued) Required Safety Channels, below.

Table 3.2.3-1 (Continued)

Required Safety Channels Any Number of Pumps (Two, One, or Zero)

Channel / Parameter Action Setpoint Minimum No.

Required

13. Nuclear safety channel in test or fault Scram Channel in test or fault condition 3(1)(5)
14. Building overpressure Scram < 3" water above atmospheric 1
15. Main personnel lock gaskets deflated Scram Both gaskets deflated 1
16. Basement personnel lock gaskets deflated Scram Both gaskets deflated 1
17. Hold-down grid unlatched Scram Grid unlatched 1
18. Experiment scrams (As Required by Experiment Approval)
1) Nuclear safety scram logic system ensures that reactor scrams when two trips are present simultaneously from any two of the four nuclear safety channels.
5) Within 15 minutes of declaring any nuclear safety system channel inoperable, the channel must be placed into a tripped state, which will be indicated on the Safety System Condition LED Scram Display. If any nuclear safety channel is in a tripped state, and a second nuclear safety channel is declared inoperable, then within 15 minutes at least one of the two must be returned to an operable state or the reactor must be shut down.

Revised Column Headings MIT proposed changing the title of the second column in Table 3.2.3-1 from Channel to Channel / Parameter and changing the title of the second column in Table 3.2.3-1 (Continued) from Parameter to Channel / Parameter. The licensee proposed the title change for the column because a single channel (e.g., DWK 250) provides an automatic scram for more than one parameter and each parameter has a separate trip setpoint. Additionally, the licensee stated that Channel / Parameter more precisely identifies the information in the column.

The NRC staff finds that labeling the column as Channel / Parameter reflects that items 1 through 3 and item 13 are Channels (e.g., Nuclear safety channel in test or fault is a two-of-four channel-based coincidence logic scram initiated from the proposed DWK 250 channels) and items 4 through 12 and item 18 are Parameter scrams (e.g., the core tank level is a single parameter-based scram). Based on the above, the NRC staff finds the licensees proposed change from Channel to Channel / Parameter is acceptable.

Low Count Rate MIT proposed changing Required Safety Channel 13, Period channel level signal off scale in TS Table 3.2.3 1 to Required Safety Channel 3, Low count rate. MIT proposed changing the minimum required operable channels from two to three when zero, one, or two primary pumps are operating. Also, MIT proposed a trip Low count rate setpoint of 5 cps when zero, one, or two primary pumps are operating.

As discussed in Section 3.3.6 of this SE, the proposed Low count rate automatic scram for the DWK 250 is equivalent to the Period channel level signal off scale and the trip setpoint of 5 cps ensures the minimal conditions under which the channel can respond to changes in reactivity measured as the period. The low count rate scram ensures that the reactor cannot be started unless enough neutrons are present to observe changes in reactivity based on the minimum sensitivity of the detector. The NRC staff found the proposed setpoint provides sufficient margin to the lower sensitivity limit of the detector and is consistent with the guidance in Section 7.3 of NUREG-1537 to provide a low count rate interlock to prevent reactor startup without sufficient neutrons in the core and is acceptable. As discussed in Section 3.3.10 of this SE, the staff found that the proposed minimum number of three operable channels for each flow mode is acceptable because it ensures that the single failure criteria can be met with redundancy since two separate channel trips are required to generate a reactor scram.

Accordingly, The NRC staff finds the proposed change to TS Table 3.2.3-1 is consistent with the guidance in NUREG-1537, Chapter 14, Appendix 14.1 and ANSI/ANS-15.1-2007 that the TSs for reactor safety systems specify a minimum number of scram channels to ensure a single failure or malfunction cannot disable the protective function (see Section 3.3.10 of this SE). The NRC staff also finds that the requirement for three Low count rate channels replacing one Period channel level signal off-scale channel and the proposed 5 cps setpoint for low count rate meet the 10 CFR 50.36(c)(2)(i) requirement to establish the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the updated SAR Section 7.4. Accordingly, the NRC staff concludes that the proposed changes to TS Table 3.2.3-1 are acceptable.

Nuclear safety channel in test or fault As discussed in Section 3.3.15 of this SE, the DWK 250 can be placed in its test condition for calibration and trip testing and the fault trip signal is generated when any one of the DWK250s detects an error during its internal self-check routine. This trip signal is sent to the SLC and the scram logic will scram the reactor upon any simultaneous combination of trips from two or more of the four nuclear safety channels. MIT proposed to add a new Required Safety Channel, 13, Nuclear safety channel in test or fault to Table 3.2.3-1 (Continued), an LCO which would require that a trip signal be generated when any NSS channel is in its test or fault condition.

MIT also proposed that TS Table 3.2.3-1 require this trip signal to occur when Any Number of Pumps (Two, One, or Zero) are running and require three minimum channels.

Based on its review of the information provided, the NRC staff finds the proposed change is consistent with the design of the DWK channel in test or fault to ensure a reactor scram upon any simultaneous combination of trips from two of the four nuclear safety channels. The NRC staff also finds that the requirement for three minimum channels meets the guidance in NUREG-1537, Chapter 14, Appendix 14.1 and ANSI/ANS-15.1-2007 to ensure a single failure or malfunction cannot disable the protective function. Accordingly, the NRC staff finds that required scram for Nuclear safety channel in test or fault meets the 10 CFR 50.36(c)(2)(i) requirement to establish the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the updated SAR Section 7.4 and is acceptable.

Addition of Footnotes to TS Table 3.2.3-1 and TS Table 3.2.3-1 (Continued)

MIT proposes to change footnote 1) to Table 3.2.3-1 from On-scale neutron flux level indication required to permit shim blade magnet current on. to Nuclear safety scram logic system ensures that reactor scrams when two trips are present simultaneously from any two of the four nuclear safety channels. MIT explained that the previous note, which discussed the permission for the shim blade magnet, is no longer required since the on-scale indication has been replaced by the 5 cps Low count rate scram. The proposed note refers to the "two out of four" scram logic of the proposed NSS. The revised footnote 1) would apply to the minimum number of channels required for Period, and via insertion of a superscript (1), to the minimum number of required channels for Neutron flux level and Low count rate for each flow mode.

The NRC staff finds that footnote 1), accurately describes the scram logic for these NSS trip functions (i.e., Period, Neutron flux level, and Low count rate) that two separate channels must concurrently generate a trip condition for a reactor scram to occur, consistent with the information provided in the proposed SAR Section 7.4. The NRC staff also finds that placing the superscript next to the number of minimum channels required keeps the information about the number of operable channels and their scram logic together for ease of the reactor operator.

MIT also proposed to add the revised footnote 1) to Table 3.2.3-1 (Continued) and insert the associated superscript (1) next to the Minimum No. Required value for item 13, Nuclear safety channel in test or fault. The NRC staff finds that footnote 1) adequately describes that two separate channels must concurrently generate a trip condition for a reactor scram to occur, consistent with the information provided in the proposed SAR Section 7.4. The NRC staff concludes that the proposed placement of the proposed superscript (1) next to the Min. No.

Required provides relevant information to the reactor operator in an acceptable location.

Based on the above, the NRC staff concludes that proposed footnote 1) to TS Table 3.2.3-1 and TS Table 3.2.3-1 (Continued) specifies the Period, Neutron flux level, Low count rate,

and Nuclear safety system in test or fault scrams use coincidence logic, which establishes the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Therefore, the proposed footnote meets the 10 CFR 50.36(c)(2) requirement for an LCO and inclusion in both tables is acceptable.

MIT also proposed to add footnote 5) to Table 3.2.3-1 and Table 3.2.3-1 (Continued) which would apply by insertion of the superscript (5) to the Min. No. Required value for Period, Neutron Flux level, and Low count rate in Table 3.2.3-1, for all flow modes and to the Minimum No. Required value for Nuclear safety channel in test or fault in Table 3.2.3-1 (Continued). Footnote 5) requires that: Within 15 minutes of declaring any nuclear safety system channel inoperable, the channel must be placed into a tripped state, which will be indicated on the Safety System Condition LED Scram Display. If any nuclear safety channel is in a tripped state, and a second nuclear safety channel is declared inoperable, then within 15 minutes at least one of the two must be returned to an operable state or the reactor must be shut down. This note requires that actions be performed within two separate 15-minute periods. First, the reactor operator must place the declared inoperable channel in a tripped state within 15 minutes. Second, within 15 minutes of declaring a second channel inoperable, the operator must restore the first tripped channel or shutdown the reactor.

In a letter dated October 25, 2018 (Ref. 11), MIT stated in response to RAI #11 that the 15-minute response time allows time for the console operator to notify the shift supervisor, for the shift supervisor to respond to the control room to review recorded data and other console parameters, and for confirmation of the necessary response or corrective actions. MIT further states that during the 15 minutes other automatic scrams, including the two operable NSS channels remaining, continue to ensure the reactor remains protected. MIT also stated (Ref. 11) that, if a second channel is manually placed in a tripped state, the reactor scrams immediately because the two-out-of-four scram logic is met.

The NRC staff reviewed the proposed addition of footnote 5) and finds that is consistent with the guidance in ANSI/ANS-15.1-2007 regarding an action statement that allows deviation from an LCO under specified conditions. The NRC staff finds that, once a channel is declared to be inoperable, the first 15-minute period is a reasonable amount of time to allow the operator to place the inoperable channel in a tripped state. Since, only one additional channel is needed to cause a reactor scram, the single failure criterion continues to be met by the redundancy provided by the three remaining operable channels. Also, the non-NSS related scrams provide diverse protection to ensure adequate protection of reactor safety.

The NRC staff also finds that the second 15-minute action statement period is acceptable because, with one channel in a tripped state, a reactor scram would occur if the second channel is placed in a tripped state. The 15 minutes allows the reactor operator time to restore the first inoperable channel to operable and remove its associated trip or to shutdown the reactor.

Since, only one additional channel is needed to cause a reactor scram, the single failure criterion continues to be met by the redundancy provided by the two remaining operable channels.

Based on the above, the NRC staff finds that the two distinct 15-minute action statements allowed by footnote 5) provide operational flexibility to address malfunctions while satisfying the single failure design criterion and limiting the time that more than one of the DWK 250 channels are inoperable but not tripped. The NRC staff concludes that proposed footnote 5) to TS Table 3.2.3-1 and TS Table 3.2.3-1 (Continued) meets the 10 CFR 50.36(c)(2)(i) requirement that LCOs provide the lowest functional capability or performance levels of

equipment required for safe operation of the facility consistent with the SAR. Therefore, the NRC staff concludes addition of footnote 5) is acceptable.

Minimum Number of Required Channels Changed for Period and Neutron Flux Level MIT proposed changing the minimum number of required Period channels in TS Table 3.2.3-1 from two period channels to three period channels when two, one, or zero primary [coolant]

pumps are running. Similarly, MIT proposed changing the minimum number of required Neutron flux level channels from two neutron flux level channels to three neutron flux level channels when two, one, or zero primary [coolant] pumps are running. The NRC staff finds the proposed changes to TS Table 3.2.3-1 are consistent with the guidance in NUREG-1537, Chapter 14, Appendix 14.1 and ANSI/ANS-15.1-2007 that redundant safety channels be provided to ensure that a single failure or malfunction cannot disable the protective function (see Section 3.3.10 of this SE). The NRC staff also finds that the requirement for three Period and three Neutron flux level channels meets the 10 CFR 50.36(c)(2)(i) requirement to establish the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Accordingly, the NRC staff concludes that the change to the minimum number of required Period channels and the minimum number of required Neutron flux level channels is acceptable.

Renumbered Items MIT proposed inserting a new row in Table 3.2.3-1 and renumbering items 3 through 8 as items 4 through 9. No other changes were proposed to existing items Nos. 3 through 8. Similarly, MIT proposed renumbering Required Safety Channel 9, Experiment scrams, as item No. 18, which would move it to the last row of Table 3.2.3-1 (Continued). The action of (As Required by Experiment Approval) would remain unchanged for the renumbered item. The NRC staff reviewed the proposed TS change and finds that the proposed change is editorial in nature and does not alter the technical meaning or intent of the LCOs. Therefore, the NRC staff finds the proposed change to TS Table 3.2.3-1 acceptable.

Based on its review of the information of the proposed changes to Table 3.2.3-1 Required Safety Channels, and Table 3.2.3-1 (Continued) Required Safety Channels, the NRC staff finds that the changes reflect the upgraded NSS channels for the RPS as described in the LAR (Ref. 1). The proposed changes are consistent with the guidance in Section 7.4 of NUREG-1537, Part 1, Appendix 14.1, that a table be provided to specify all required scram channels and setpoints, the minimum number of channels, other functions performed by the channels; and reactor operating mode, such as forced- or natural-convection coolant flow. The proposed changes also meet 10 CFR 50.36(c)(2)(i) requirement that LCOs provide the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR. Therefore, the NRC staff concludes that the proposed changes to TS 3.2.3, Table 3.2.3-1 and Table 3.2.3-1 (Continued) are acceptable.

3.5.3 Proposed Changes to TS 3.2.7 Control System and Instrumentation Requirements for Operation, Table 3.2.7-1 TS 3.2.7 states, Indication from the instrumentation listed in Table 3.2.7-1 shall be provided to the reactor console operator prior to reactor startup and during reactor operation. MIT proposed to move TS 3.2.7, Table 3.2.7-1 to before the Basis Section of TS 3.2.7 to group TS 3.2.7 with Table 3.2.7-1. MIT also proposed changing Table 3.2.7-1 Parameter 2.a) under Neutron Flux Level from Startup to Wide Range. The licensee stated that the proposed

NSS channel upgrade replaces the existing nuclear instrumentation parameter for monitoring the neutron flux when the reactor is started (source range) and that the proposed TS change would reflect that the upgraded NSS display is labeled by the manufacturer as Wide Range.

The licensees proposed changed to TS 3.2.7, Table 3.2.7-1, discussed above, is in bold typeface in Table 3.2.7-1 Required Instrumentation for Display, below.

Table 3.2.7-1 Required Instrumentation for Display Parameter Minimum Number Location

1. Period 1 Console
2. Neutron Flux Level a) Wide Range 1 Console b) Linear Power 1 Console Based on the information provided by the licensee, the NRC staff finds that the licensees proposed change to move TS Table 3.2.7-1 from after the Basis section of the TS to the specification section of TS 3.2.7 is an editorial change that improves the readability of the TS without altering the technical requirements of the TS. The NRC staff also finds that the proposed relocation of the TS Table 3.2.7-1 is consistent with ANS/ANSI 15.1 (Ref. 22) guidance that TSs provide the specific data, conditions, or limitations that bound a system or operation within the specification section. Table 3.2.7-1 identifies the DWK 250 parameters that are monitored when the reactor is operating consistent with the automatic scram functions identified in Table 3.2.3-1.

The NRC staff also finds that the proposed change to the parameter name from Startup to Wide Range is consistent with the digital upgrade to the facility as described in the proposed SAR and consistent with the guidance in NUREG-1537, Chapter 14, Appendix 14.1 and ANSI/ANS-15.1-2007 that TSs identify the equipment that will be relied upon by the operator to take actions to mitigate a transient that has the potential to challenge the integrity of a fission product barrier (the fuel cladding). As a result, the proposed TS meets the 10 CFR 50.36(c)(2)(i) requirement that LCOs establish the lowest functional capability or performance levels of equipment required for safe operation of the facility consistent with the SAR, Section 7.4 and is acceptable. Therefore, the NRC staff concludes the proposed changes to TS 3.2.7 and TS Table 3.2.7-1 are acceptable.

3.5.4 Proposed Change to TS 4.2.6 TS 4.2 identifies the SRs to ensure the reliability of the of the reactor control and safety systems and TS 4.2.6 requires that the listed instruments be calibrated, and trip points verified when initially installed, any time a significant change in indication is noted, and at least annually.

MIT proposed to delete TS 4.2.6.i) Period Channel Level Signal Off-Scale, which is the SR to calibrate the Period Channel Level Signal Off-Scale scram and verify its trip point. MIT also proposed to replace the Period Channel Level Signal Off Scale with Nuclear Safety Channel Low Count Rate, in TS Table 4.2-1. In its RAI response (Ref. 11), MIT stated that the proposed

software determined 5 cps scram setpoint for the NSS is equivalent to the existing NSS period channel level signal off-scale [low] setpoint. MIT also stated that the low count rate trip point for each DWK 250 unit is set electronically at or above 5 cps, that the set point value is a numerical input for which no calibration is possible, that the digital setpoint is not subject to drift, and that the setpoint is secured via key control after being input. Additionally, the Low count rate trip setpoint is verified on the reactor startup checklist by the testing required by TS 4.2.4 Scram and Power Measuring Channels and TS Table 4.2-1, proposed item 15, Nuclear Safety Channel Low Count Rate, at least quarterly and each time before startup of the reactor if the reactor has been in a secured condition or if the instrument or channel has been repaired or de-energized.

The NRC staff reviewed the deletion of TS 4.2.6.i), which is the surveillance for LCO 3.2.3, and finds that Period Channel Level Signal Off-Scale is replaced by the functionally equivalent Low count rate scram. The software-based Low count rate setpoint is not subject to drift (i.e., an undesired change in the setpoint over time) because it is a binary value and does not require calibration. The proposed deletion is also consistent with the proposed revision to Table 4.2-1 Surveillance of Scram and Power Measuring Channels, which would add item 15 Nuclear Safety Channel Low Count Rate. TS 4.2.4 requires a test of the channels listed in Table 4.2-1 at least quarterly and each time before startup of the reactor if the reactor has been in a secured condition or if the channel has been repaired or de-energized. The channel test would include verification of the 5 cps scram trip point required by TS 3.2.3, Table 3.2.3-1.

Therefore, the NRC staff concludes that the deletion of 4.2.6.i) Period Channel Level Signal Off-Scale is acceptable because the low count rate trip point is verified during the channel test of items listed in Table 4.2-1 as required by TS 4.2.4. The NRC staff also reviewed proposed SRs for the proposed NSS and finds that the frequency and scope of Nuclear Safety Channel Low Count Rate SR is consistent with the guidance in ANSI/ANS-15.1 (Ref. 22) and provides an adequate testing frequency suitable for digital instrumentation to assure the performance level required for safe operation of the facility and meets the 10 CFR 50.36(c)(3) requirement that SRs relating to test, calibration, or inspection assure that the necessary quality of systems and components is maintained. The NRC staff finds that, since the channel is not subject to drift and will be tested and calibrated as required by TS 4.2.4, a separate TS requirement for calibration and trip point verification is not necessary to assure the channel operability required by TS 3.2.3. Therefore, the NRC staff concludes that the proposed deletion of TS 4.2.6.i) is acceptable.

3.5.5 Proposed Changes to TS Table 4.2-1, Surveillance of Scram and Power Measuring Channels The licensee proposes changes to the corresponding SRs in TS Table 4.2-1 to include SRs for the NSS scram and power measuring channels and to reflect that the proposed NSS design has four flux monitoring channels that monitor the period of the reactor, the neutron flux, and the Low count rate; and that of these NSS Instruments or Channels uses two-of-four coincidence logic to initiate a scram. Also, corresponding to the LCO additions to TS Table 3.2.3-1, the licensee proposes to add SRs to TS Table 4.2-1 for the Nuclear Safety Channel in Test and the Nuclear Safety Channel in Fault. TS 4.2.4 requires that the scram and power measuring channels listed in Table 4.2-1 be tested at least quarterly and each time before startup of the reactor if the reactor has been in a secured condition or if the instrument or channel has been repaired or de-energized and requires calibration of the instruments or channels be done at least annually. TS 4.2.5 requires a test of the channels in Table 4.2.-1 if the channel or instrument has been modified or repaired. TS 4.2.6 a) requires that instruments for Period and

TS 4.2.6 b) Neutron flux level be calibrated and that the trip points are verified when initially installed, any time a significant change in indication is noted, and at least annually.

TS Table 4.2-1, Surveillance of Scram and Power Measuring Channels, which is referenced by TS 4.2.4, Scram and Power Measuring Channels, and TS 4.2.5, Channel Tests," lists the instruments and channels from TS Table 3.2.3-1, "Required Safety Channels," that require surveillance. In the LAR, as supplemented, the licensee proposed to move TS Table 4.2-1 from after the Basis Section of TS 4.2, to immediately after TS 4.2.7 Thermal Power. Additionally, MIT proposed to revise TS 4.2, Table 4.2-1 as follows:

  • Change item 15, Period Channel Level Signal Off Scale, to Nuclear Safety Channel Low Count Rate
  • Add a new item 16 Nuclear Safety Channel in Test with the test requirement to verify a Scram
  • Add a new item 17, Nuclear Safety Channel Fault with the test requirement to verify a Scram
  • Renumber Table 4.2-1 items 16 and 17 as items 18 and 19, respectively
  • Add to Table 4.2-1, footnote (1), which states: Reactor scrams when two trips in any combination are present simultaneously from any two of the four nuclear safety channels. Add the footnote superscript next to the Instrument or Channel for Period, Neutron Flux Level, Nuclear Safety Channel Low Count Rate, Nuclear Safety Channel in Test, and Nuclear Safety Channel Fault in Table 4.2-1
  • Change the
  • footnote to footnote (2) for Table 4.2-1 and Replace the
  • superscript next to Primary Coolant Flow, D2O Reflector Flow, and Shield Coolant Flow with a superscript (2).
  • Relocate Table 4.2-1 from after the Basis section to after TS 4.2.7 The revised entries that result from the licensees proposed changes to TS 4.2, Table 4.2-1, are identified in bold typeface in Table 4.2-1 Surveillance of Scram and Power Measuring Channels, below Table 4.2-1 Surveillance of Scram and Power Measuring Channels Instrument or Channel Channel Test to Verify 1 Period(1) Scram
2. Neutron Flux Level(1) Scram
3. Primary Coolant Outlet Temperature Scram
4. Core Tank Level Scram
5. Reflector Tank Level Scram
6. D2O Dump Valve Switch Scram and Reflector Dump
7. Air-Operator D2O Dump Valve Switch Reflector Dump

Magnet Cut-off, Reflector

8. Manual Major Scram Dump, and Ventilation Trip
9. Manual Minor Scram Magnet Cut-Off As Specified in
10. Experiment Shutdown Experiment Approval
11. Primary Coolant Flow (2) Scram (2) Scram 12 D2O Reflector Flow
13. Shield Coolant Flow (2) Scram As specified in Fission
14. Fission Converter Converter TS 6.6.3
15. Nuclear Safety Channel Low Count Rate (1) Scram
16. Nuclear Safety Channel in Test (1) Scram
17. Nuclear Safety Channel Fault (1) Scram
18. Hold-Down Grid Unlatched Scram
19. Reactor Remote Shutdown(s) Scram from Medical Facilities and Utility Room (1) Reactor scrams when two trips in any combination are present simultaneously from any two of the four nuclear safety channels.

(2) Not required for startup in natural convection cooling mode.

MIT proposed changing item 15 Period Channel Level Signal Off Scale in Table 4.2-1 to Nuclear Safety Channel Low Count Rate. As discussed in Section 3.3.6 of this SE, the proposed Low count rate automatic scram for the DWK 250 is equivalent to the Period channel level signal off scale. MIT stated that surveillance testing of this scram ensures the quality of the RPS to provide its required protective action. The NRC staff finds that the proposed low count rate testing requirement is consistent with ANSI/ANS 15.1-2007, which states that scram channels should be tested following a reactor shutdown and calibrated annually. The NRC staff also finds that the new item 15, Nuclear Safety Channel Low Count Rate in Table 4.2.-1 reflects the addition of the low count rate channel in LCO TS Table 3.2.3-1 and meets the 10 CFR 50.36(c)(3) requirement to have a SR relating to a test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met.

MIT proposed adding item 16 Nuclear Safety Channel in Test and item 17 Nuclear Safety Channel Fault, to TS Table 4.2-1 to ensure the quality of upgraded NSS to provide its required protective action of a reactor scram by the RPS. The NRC staff finds that the proposed testing requirements for the Nuclear Safety Channel in Test and Nuclear Safety Channel Fault, are consistent with ANSI/ANS 15.1-2007, which states that scram channels should be tested following a reactor shutdown and calibrated annually. The NRC staff also finds that adding Nuclear Safety Channel in Test and Nuclear Safety Channel Fault in Table 4.2-1 reflects the addition of the Nuclear safety channel in test or fault in LCO TS Table 3.2.3-1 and would require, per TS 4.2.4, that these scram channels be tested consistent with the period identified in the ANSI standard. Therefore, the proposed TS meets the 10 CFR 50.36(c)(3) requirement to have a SR relating to a test, calibration, or inspection to assure that the necessary quality of

systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met.

MIT proposed to renumber Table 4.2-1 items 16 and 17 to 18 and 19, respectively. The NRC staff reviewed the proposed TS change finds that the proposed editorial change does not alter the technical meaning or intent of the SRs. Therefore, the NRC staff finds the proposed change reflects the additional SRs in TS Table 4.2-1 and is acceptable.

MIT proposed to add footnote (1) to Table 4.2.1 which would apply by the insertion of superscript (1) after Period, Neutron Flux Level, Nuclear Safety Channel Low Count Rate, Nuclear Safety Channel in Test, and Nuclear Safety Channel Fault. Footnote (1) requires that the [r]eactor scrams when two trips in any combination are present simultaneously from any two of the four nuclear safety channels. MIT proposed that the footnote identify the testing requirement to ensure quality of the upgraded NSS to provide its required protective action of a reactor scram. The NRC staff finds that footnote (1) is consistent with the information in proposed SAR Section 7.4 and would require that scram logic testing of these NSS trip functions (i.e., Period, Neutron Flux Level, Low Count Rate, Channel in Test, or Channel Fault) verify that a concurrent trip of two separate channels generates a reactor scram and corresponds to TS 3.2.3. The NRC staff finds that placing the superscript next to the channel name describes the required NSS scram logic for ease of operator use. Thus, the NRC staff finds that addition of footnote (1) meets the 10 CFR 50.36(c)(3) requirement that the TSs include SRs relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met.

MIT proposed to change the Table 4.2-1, footnote *to footnote (2) replace the corresponding

  • superscripts with superscript (2) after Primary Coolant Flow, D2O Reflector Flow, and Shield Coolant Flow. The NRC staff reviewed the proposed TS change and finds that the new footnote number is editorial in nature and does not alter the technical meaning or intent of the SRs. The NRC staff finds the proposed change to TS Table 4.2-1 acceptable.

MIT proposed to relocate Table 4.2-1 from after the basis section to immediately after TS 4.2.7 to improve readability of the TS. The NRC staff finds that the relocation of the Table 4.2-1 from after the basis section, to within the specification section, is consistent with ANS/ANSI 15.1 (Ref. 22) guidance that TSs provide the specific data, conditions, or limitations that bound a system or operation within the specification section and enhances the clarity of the SR and is therefore acceptable.

The NRC staff compared the proposed TS 4.2, Table 4.2-1 SRs to the changes and additions made to the corresponding LCOs and finds that the changes to Table 4.2-1 reflect the changes to the MITR-II LCOs based on the upgraded NSS and that the proposed revisions would require testing and calibration at adequate intervals to ensure the channel operability as required per TS 3.2.3-1. The NRC staff finds that the proposed revised TS Table 4.2-1 is consistent with the guidance provided in Appendix 14.1 of NUREG-1537, Part 1 (Ref. 5.1) that a TS be unambiguous and clearly identify the parameter or function to be tested or calibrated. The NRC staff also finds that the changes and additions to the Table 4.2-1 SRs meet the 10 CFR 50.36(c)(3) requirement to assure that the necessary quality of components will be maintained to ensure the facility operations will be within the safety limits and that the LCOs will be met. Therefore, the NRC staff concludes that the proposed changes to TS Table 4.2-1 are acceptable.

3.5.6 Proposed Changes to MITR-II TS Bases The regulation at 10 CFR 50.36(a)(1) states that a summary statement of the bases or reasons for such specifications, other than those covering administrative controls, shall also be included in the application, but shall not become part of the TSs. Consistent with 10 CFR 50.36(a)(1),

the licensee submitted changes to TS Bases as part of the LAR (Ref. 1) as supplemented, that provide the reasons for the proposed TSs. The proposed Bases also follow the guidance provided in Appendix 14.1 to NUREG-1537, Part 1 (Ref. 3.1) and ANSI/ANS-15.1-2007 (Ref. 22).

3.6 Conclusion on TS Changes The NRC staff reviewed the licensees proposed TSs submitted with the LAR, which included description of the design, testing, and operation of the proposed NSS upgrade. The NRC staff evaluated the MITR-II TS changes proposed for upgrade of the reactors I&C systems to new digital components. Based on its evaluation of the information presented above, the NRC staff concludes:

  • The proposed changes to LCOs specify the lowest functional capability or performance levels of equipment required for safe operation of the facility, as required by 10 CFR 50.36(c)(2)(i).
  • The proposed TS surveillance requirements assure that the necessary quality of system components is maintained and that the facility operation will be within the safety limits, and that the LCOs will be met as required by 10 CFR 50.36(c)(3).

Therefore, the NRC staff concludes that the proposed changes to TSs 3.2.3, 3.2.7 and 4.2, provide reasonable assurance that the MITR-II will be operated as analyzed in the LAR, as supplemented, and that adherence to the proposed TSs will provide reasonable assurance that the health and safety of the public will not be endangered by MITR-II operation in the proposed manner. Accordingly, the NRC staff concludes that the proposed changes to the TSs are acceptable.

In addition, based on the evaluation above, the NRC staff finds that the LCOs and testing and calibration requirements in the existing TSs, as modified by the proposed TS changes, specify the lowest functional capability or performance levels of equipment required for safe operation of the facility. The staff also finds that the TSs require testing/calibration to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met. Thus, existing TSs, as revised, include LCOs and SRs consistent with the guidance in ANSI/ANS 15.1 and 10 CFR 50.36 requirements and provide reasonable assurance that the NSS will function as designed.

4.0 ENVIRONMENTAL CONSIDERATION

The NRC regulation, 10 CFR 51.22(b), states that no environmental assessment or environmental impact statement is required for any action when the category of action, for which

the Commission has declared to be a categorical exclusion by finding that the action does not individually or cumulatively have a significant effect on the human environment, is met.

The issuance of this amendment involves changes in the installation or use of a facility component located within the restricted area, as defined in 10 CFR Part 20 and changes to SRs. Therefore, the issuance of the amendment is eligible for categorical exclusion if it meets the 10 CFR 51.22(c)(9) criteria below:

(i) The amendment or exemption involves no significant hazards consideration;

[10 CFR 51.22(c)(9)(i)]

Pursuant to 10 CFR 50.92(c), the Commission may make a final determination that a license amendment involves no significant hazards consideration if operation of the facility, in accordance with the proposed amendment, would not:

(1) involve a significant increase in the probability or consequences of an accident previously evaluated [10 CFR 50.92(c)(1)]; or The license amendment authorizes the upgrade of the NSS trip inputs to the RPS (including scram logic) and revises TSs to reflect differences in scram logic, minimum number of required channels for operability, and use of the low count rate trip, but does not alter the design of the reactor, including fuel type, tank design, and containment. The safety limits and LSSS setpoints are unchanged by this LAR and the TS, as revised, do not change the lowest functional capability or change the performance levels of equipment required for safe operation of the facility, and includes surveillance requirements to maintain the quality of the equipment. The probability or consequences of the maximum hypothetical accident (MHA) analyzed in the license renewal SAR (Ref. 7), which assumes melting of fuel caused by coolant flow blockage, remain unchanged. The proposed TSs do not significantly change any of the LCO trip setpoint values, because the proposed low count rate scram with a trip setpoint of 5 cps is equivalent to the previous off-scale low scram. The scram ensures that the reactor is started with adequate instrumentation response. The licensee used the same conservative factors for instrument error and delay time as previously approved by the NRC. Chapter 13 of the SAR (Ref. 7),

Section 13.2.2.2 Ramp Reactivity Insertion states that the period scram will shut the reactor down if the ramp insertion is from a low power and the high flux scram will shut down the reactor if the ramp is initiated from a high power level. The proposed NSS continues to provide automatic scrams at the same reactor period and flux levels assumed in the SAR analysis and found acceptable to the NRC staff in the license renewal SE (Ref. 8). The proposed NSS provides increased reliability because the self-checks performed by the DWK 250 will automatically scram the reactor when a channel fault is detected as required by proposed TS Table 3.2.3-1 (Continued). The upgraded NSS provides an input to the RPS without impacting the diverse capability of the RPS to shut down and maintain the safe shutdown of the reactor. Consequently, the proposed amendment does not alter the frequency of any initiating event or the probability or consequences of the MITR-II accident analyses previously evaluated.

For these reasons, there is no significant increase in the probability or consequence of an accident previously evaluated.

(2) Create the possibility of a new of different kind of accident from any accident previously evaluated [10 CFR 50.92(c)(2)]; or

The license amendment authorizes the upgrade of the NSS trip inputs to the RPS (including scram logic) and revises TSs to reflect differences in scram logic, minimum number of required channels for operability, and use of the low count rate trip, but does not alter the design of the reactor, including fuel type, tank design, and containment. The amendment does not change the primary indication of power level or the controls used by the reactor operator to move control rods in manual or automatic mode. The automatic scrams provided by the upgraded NSS act as inputs to the RPS and does not change how the RPS responds to a trip signal (i.e., automatically scrams the reactor when a trip setpoint is exceeded). Operation of the MITR-II with the upgraded NSS remains bounded by the license renewal accident analyses found to be acceptable by the NRC staff because the existing TS safety limits and LSSSs are unchanged by the amendment. The revised LCOs do not change the automatic protective function of the RPS and the revised SRs ensure the quality of the equipment is maintained. The upgraded NSS performs continuous self-checks and will initiate an automatic scram if a channel has a fault and a second channel has any trip condition. A loss of electrical power will continue to result in an automatic scram. Since the NSS does not impact any structure, system, or component other than the RPS as discussed above, failures of the proposed NSS does not cause a new or different kind of accident. Any failure of the proposed NSS will result in an automatic scram. Therefore, the upgraded system and associated TSs, will not result in any new or different accident sequences.

For these reasons, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.

(3) Involve a significant reduction in a margin of safety [10 CFR 50.92(c)(3)]

The amendment revises the instruments input to the RPS without altering the TS 2.2, LSSS and corresponding safety margin. The proposed changes to an LCO trip setpoint and other TS changes do not impact the thermal power limit of the reactor. The existing safety margin and calculation methodology in the SAR are not modified, and the safety margin previously approved by the NRC is maintained. The proposed LCO and SR changes do not significantly change any of the automatic scram set points and continue to ensure the lowest functional capability of equipment required for safe operation and maintain the quality of the RPS.

For these reasons, the proposed amendment does not result in a significant reduction in a margin of safety.

Based on the above, the NRC staff concludes that this amendment involves no significant hazards consideration.

(ii) There is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite; and [10 CFR 50.92(c)(9)(ii)].

The license amendment authorizes the NSS modification and TS revisions, but the amendment does not change the reactor source term, the fission products generated, or amounts of any effluents that may be released offsite because there is no change to the facility design, licensed power, or procedures that control radiation sources and potential effluents. In addition, the amendment does not change potential accidents or potential release paths from the facility and does not change the MIT radiation protection program or radioactive waste management program. For these reasons, there is no significant

change in the types or significant increase in the amounts of any effluents that may be released offsite.

(iii) There is no significant increase individual or cumulative occupational radiation exposure.

[10 CFR 50.92(c)(9)(iii)]

The amendment does not change the licensed power level or significantly alter reactor operations or requirements. The site perimeter (controlled area) and basic configuration of the facility are unchanged from that approved previously by the NRC staff during license renewal (Ref. 8). The amendment will not change existing administrative controls or the radiation protection program at MIT for limiting individual or cumulative occupational radiation doses. The TSs will continue to help minimize individual and cumulative occupational radiation exposure to keep occupational and public radiation doses within the regulatory limits of 10 CFR Part 20. For these reasons, there is no significant increase in individual or cumulative occupational radiation exposure.

In summary, the NRC staff has determined that the amendment involves no significant hazards consideration. There is no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and no significant increases in individual or cumulative occupational radiation exposure. The amendment also makes editorial, corrective, or other minor revisions to the TSs. Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9) and 10 CFR 51.22(c)(10)(v). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment needs to be prepared in connection with the issuance of the amendment.

5.0 CONCLUSION

The NRC staff has concluded, based on the considerations above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors: R. Alvarado, NRR N. Carte, NRR D. Hardesty, NRR P. Boyle, NRR Date: December 4, 2019

6.0 REFERENCES

1. Massachusetts Institute of Technology, License Amendment Request for Upgrade of Nuclear Safety System in MIT Reactor Protection System, September 30, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14282A039)
2. Massachusetts Institute of Technology, Massachusetts Institute of Technology -

Document Submittal in Advance of License Amendment, November 18, 2013 (ADAMS Package No. ML19262H519) 2.1 Massachusetts Institute of Technology, Massachusetts Institute of Technology -

Document Submittal in Advance of License Amendment, November 18, 2013 (ADAMS Accession No. ML13339A343) 2.2 Massachusetts Institute of Technology, Nuclear Safety System Upgrade - DWK 250 Digital System, October 2013 (ADAMS Accession No. ML13339A344)

3. Massachusetts Institute of Technology, Massachusetts Institute of Technology -

Qualification and Certification Documents for Mirion DWK 250 as a Follow-up to the Phase 0 Public Meeting of 6 March 2014, June 12, 2014 (ADAMS Accession Package No. ML14161A031) (Proprietary information withheld per 10 CFR 2.390) 3.1 Massachusetts Institute of Technology, Massachusetts Institute of Technology -

Qualification and Certification Documents for Mirion DWK 250 as a Follow-up to the Phase 0 Public Meeting of 6 March 2014, dated June 6, 2014 (ADAMS Accession No. ML14161A035) 3.2 Massachusetts Institute of Technology, Revision 1 to Doc. No. SA-1330117 B50E, Introduction and Overview for the Set of Qualification Documents Concerning the Digital Wide Range Channel DWK 250 Intended to be Installed at the Massachusetts Institute of Technology MIT, July 10, 2013 (ADAMS Accession No. ML14161A036) 3.3 Massachusetts Institute of Technology, Revision 1 to Doc. No. SA-1330117 B50E, Introduction and Overview for the Set of Qualification Documents Concerning the Digital Wide Range Channel DWK 250 Intended to be Installed at the Massachusetts Institute of Technology MIT, July 10, 2013 (ADAMS Accession No. ML14161A037 (Proprietary information withheld per 10 CFR 2.390)

4. Massachusetts Institute of Technology, License Amendment Request for Upgrade of the Nuclear Safety System in the MIT Reactor Protection System, Docket No. 50-20, License R-37, May 12, 2016 (ADAMS Accession No. ML16139A786)
5. U.S. Nuclear Regulatory Commission, NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Parts 1 and 2, February 1996 (ADAMS Package No. ML12251A353) 5.1. U.S. Nuclear Regulatory Commission, NUREG-1537, Part 1, Format and Content, February 28, 1996 (ADAMS Accession No. ML042430055)

5.2. U.S. Nuclear Regulatory Commission, NUREG 1537, Part 2, Standard Review Plan and Acceptance Criteria, February 28, 1996 (ADAMS Accession No. ML042430048)

6. U.S. Nuclear Regulatory Commission, Copy of MIT License and Technical Specifications through Amendment No. 41, June 12, 2018 (ADAMS Accession No. ML18218A436)
7. Massachusetts Institute of Technology, MIT Research Reactor Safety Analysis Report Submitted with License Renewal Application Dated 2/10/2000, February 10, 2000 (ADAMS Accession No. ML053190384) (Redacted - contains security related information)
8. U.S. Nuclear Regulatory Commission, Massachusetts Institute of Technology, Safety Evaluation, Renewed Facility Operating License No. R-37 (TAC No. MA6084),

November 1, 2010 (ADAMS Accession No. ML102320082) 9 U.S. Nuclear Regulatory Commission, Massachusetts Institute of Technology - Request for Additional Information for Nuclear Safety System Upgrade License Amendment Request (CAC No. MF5003, EPID No.: L-2016-LLA-0003), August 30, 2018 (ADAMS Accession No. ML18218A447)

10. U.S. Nuclear Regulatory Commission, Regulatory Guide 2.5, Rev. 1, Quality Assurance Program Requirements for Research and Test Reactors, June 30, 2010 (ADAMS Accession No. ML093520099)
11. Massachusetts Institute of Technology, MIT, Submittal of Response to Request for Additional Information for Nuclear Safety System Upgrade License Amendment Request, October 25, 2018 (ADAMS Accession No. ML18317A055)
12. Massachusetts Institute of Technology, The Massachusetts Institute of Technology -

Submittal of Supplement to Response to RAI for Nuclear Safety System Upgrade License Amendment Request (CAC #MF5003, EPID #L-2016-LLA-0003), December 6, 2018 (ADAMS Accession No. ML18345A054)

13. Massachusetts Institute of Technology, Further Follow-Up Response Regarding TS 3.2.3 to Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System at the MIT Reactor, License R-37, Docket No. 50-20 (CAC No.

MF5003), February 27, 2019 (ADAMS Accession No. ML19063A496)

14. Massachusetts Institute of Technology, License Amendment Request for Upgrade of the Nuclear Safety System in the MIT Reactor Protection System, Docket No. 50-20, License R-37, July 6, 2017 (ADAMS Accession No. ML17193A188)
15. Massachusetts Institute of Technology, Massachusetts Institute of Technology (MIT) -

Response to Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System, December 14, 2017 (ADAMS Accession No. ML17354A009)

16. U.S. Nuclear Regulatory Commission, MIT Audit Report - Supporting Nuclear Safety System Upgrade, License Amendment Request, October 30, 2017 (ADAMS Accession No. ML17283A142)
17. U.S. Nuclear Regulatory Commission, Massachusetts Institute of Technology Regulatory Audit for Nuclear Safety System Upgrade License Amendment Request, July 5, 2017 (ADAMS Accession No. ML17177A189)
18. U.S. Nuclear Regulatory Commission, Massachusetts Institute of Technology - Request for Additional Information for Nuclear Safety System Upgrade License Amendment Request, October 12, 2017 (ADAMS Accession No. ML17237B992)
19. U.S. Nuclear Regulatory Commission, Massachusetts Institute of Technology - Request for Additional Information for Nuclear Safety System Upgrade License Amendment Request (CAC No. MF5003), March 12, 2018 (ADAMS Accession No. ML18059A236)
20. Massachusetts Institute of Technology, Response to Follow-Up Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System at the MIT Reactor, April 20, 2018 (ADAMS Accession No. ML18120A115)
21. Massachusetts Institute of Technology, Follow-Up Response Regarding TS 3.2.3 to Request for Additional Information for the License Amendment Request to Upgrade the Nuclear Safety System at the MIT Reactor, License R-37, Docket No. 50-20 (CAC No.

MF5003), May 3, 2018 (ADAMS Accession No. ML18128A200)

22. American National Standards Institute/American Nuclear Society, ANSI/ANS-15.1-2007, The Development of Technical Specifications for Research Reactors, ANS, LaGrange Park, IL, 20076
23. American National Standards Institute/American Nuclear Society, ANSI/ANS-15.8-1995, Quality Assurance Program Requirements for Research Reactors, ANS, LaGrange, Park, IL, September 12, 1995
24. Institute of Electrical and Electronics Engineers, IEEE Standard 7-4.3.2, IEEE Standard Criteria for Digital Computers Systems in Safety Systems of Nuclear Power Generating Stations, Piscataway, New Jersey, 1993
25. Institute of Electrical and Electronics Engineers, IEEE Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generation Stations, Piscataway, New Jersey, 1991
26. U.S. Nuclear Regulatory Commission, Summary of Public Meeting with Massachusetts Institute of Technology Digital Instrumentation and Control Upgrade Pre-Application Process, November 15, 2012 (ADAMS Package No. ML12319A070)
27. U.S. Nuclear Regulatory Commission, Summary of Public Meeting with Massachusetts Institute of Technology Re: Digital Instrumentation and Control Upgrade License Amendment Application, March 27, 2014 (ADAMS Package No. ML14078A659)
28. U.S. Nuclear Regulatory Commission, Mirion Trip Report: Regarding MIT License Amendment Request for Its Upgrade of The Nuclear Safety System in the Reactor Protection System, June 24, 2015 (ADAMS Accession No. ML15169B146)
29. American National Standards Institute/American Nuclear Society, ANSI/ANS 15.15-1978, Criteria for the Reactor Safety Systems of Research Reactors, ANS, LaGrange Park, Illinois, 1978.

30 U.S. Nuclear Regulatory Commission, Regulatory Guide (RG) 1.152-1996, Criteria for Digital Computers in Safety Systems of Nuclear Power Plants, January 31, 1996 (ADAMS Accession No. ML003740015)

7.0 TABLE OF ACRONYMS 10 CFR Title 10 of the Code of Federal Regulations AC alternating current ADAMS Agency-wide Documents Access and Management System AEC Automotive Electronics Council (Component Technical Committee)

ANSI/ANS American National Standards Institute / American Nuclear Society cps counts per second D2 Deuterium DC direct current DWK digital wide range EMI/RFI electromagnetic interference/radio-frequency interference ESD electrostatic discharge ESFAS Engineered safeguards features actuation system FPGA field-programmable gate array GDC(s) General Design Criterion/Criteria I&C Instrumentation and Control I/O input/output IEEE Institute of Electrical and Electronics Engineers KTA Kerntechnischer Ausschu (German Nuclear Safety Standards Commission)

KSM key-switch module kW kilo watts LAR License Amendment Request LCO Limiting conditions for operation LED light-emitting diode LSSS limiting safety system setting MHA maximum hypothetical accident Miron Mirion Technologies, Incorporated MIT Massachusetts Institute of Technology MITR-II Massachusetts Institute of Technology Reactor ms milliseconds MW Megawatts NIM nuclear instrument module NRC U.S. Nuclear Regulatory Commission NSS Nuclear Safety System NUREG Nuclear Regulatory Report nv neutron flux in units of neutrons/centimeters2/second PLC programmable logic control QA Quality Assurance RAI Request for Additional Information RCS Reactor Control System RG Regulatory Guide RMS Radiation Monitoring System RPS Reactor Protection System SAR Safety Analysis Report SD Secure Digital SDM Signal Distribution Module SE Safety Evaluation

SL Safety Limit SLC Scram Logic Card SR(s) Surveillance Requirement(s)

SSC structures, systems, and components TCB Test Condition Scram Bypass TKV 23 Mirion Model TKV 23 wide-range preamplifier unit TS(s) Technical Specification(s)

TUV Technischer Uberwachungs-Verein, or Technical Inspection Association UPS uninterrupted power supply VAC Volts Alternating Current VDC Volts Direct Current WPC Withdraw Permit Circuit

Retrieved from "https://kanterella.com/w/index.php?title=ML19123A212&oldid=2393900"