ML20044D731

From kanterella
Revision as of 03:14, 12 March 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Fourteen-Day Rept of Reportable Event Re Inadvertent Mod of Univ of Virginia Reactor Console.
ML20044D731
Person / Time
Site: University of Virginia
Issue date: 05/12/1993
From: Mulder R
VIRGINIA, UNIV. OF, CHARLOTTESVILLE, VA
To:
Shared Package
ML20044D729 List:
References
NUDOCS 9305200202
Download: ML20044D731 (39)


Text

E

- (, . -

I I

I  :

I 14-DAY REPORT OF A " REPORTABLE EVENT" CONCERNING AN INADVERTENT MODIFICATION OF THE I UNIVERSITY OF VIRGINIA REACTOR CONSOLE I

I Submitted by:  ;

j I Robert U. Mulder, Director j U.Va. Reactor Facility

May 12,1993 ,

I l I

I I 9305200202 930512 PDR S

ADDCK 05000062 PDR

i

~

m Table of Contents  ;

I 1

P.m '

I. S u m m ary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 l II. Discovery of the Console Problem ......................2 1 I III.

IV.

V.

Source of the Console Problem . . . . . . . . . . . . . . . . . . . . . . . . . 3 Initial Actions . . . . . . . . . . . . . . . . . . ... ..............5 i Consequences of the Change to the Scram Logic . . . . . . . . . . . . 6 I VI. Root Cause Analysis ................................7 VII. Self-Identified Violations . . . . . . . . . . . . ............... 10 VIII. Actions Required by UVAR Technical Specifications . . . . . . . 13 IX. Safety Significance . . . . . . . . ........... ....

ll ....... 14 '

A. Loss of Off. site Electrical Power . . . . . . . . . . . . . . . . . . . . 19 l

l B.

C.

Reactor Period (startup and power operation) . . . . . . . . . .

Complete Loss of Primary Coolant Flow . . . . . . . . . . . . . .

19 20 1

D. Partial Loss of Primary Coolant Flow . . . . . . . . . . . . . . . . 21 l E. H igh Powe r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F. Key Switch . . . . .............................

22 23 G. Ran ge Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

X. Corrective Actions . . . . . . . . . ....................... 24 XI. Regulatory Enforcement Conside.ations ................ 27 Aopendices A. Spurious reactor trips and their significance . . . . . . . . ...... 29 B. Mixer drivers
Hardware Considerations ..... ........... 31 C. Scram logic . . . . . . . . . . . .......................... 34 i D. UVAR scrams and alarms . . ......... .............. 36 I

lI i

I l

l t

i i

i

l L i 1

i m

14-DAY REPORT OF A " REPORTABLE EVENT"

{ CONCERNING AN INADVERTENT MODIFICATION OF THE UVAR CONSOLE

- I.

SUMMARY

At 6:30 PM on April 28,1993 the Reactor Director was notified by members of his reactor r staff of the discovery of a problem with the reactor console instrumentation. The investigation conducted later that evening by the Reactor Director, the Reactor Supervisor and a reactor operator (RO) revealed that the reactor had been operated that afternoon at 7 full power for 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> with five major automatic trips required by Technical L Specifications (TS) not operable. The inoperable trips were: two power range, low flow, primary pump off, and reactor period. However, other automatic shutdown capability 7 associated with in-core parameters was available, partially offsetting those not available. In u addition, the NRC licensed reactor operator at the console had all the usual alarms, reactor instrumentation readings and manual shutdown capability available to him. The 7 reactor was operated in this condition because the operators had no indication that some E

of the required trip functions were not available until the period trip capability happened to be tested later that evening at reactor shutdown.

m This situation developed as a result of an unintentional and inadvertent modification of the automatic shutdown logic circuitry in the console, made by another senior reactor operator

{ following an automatic reactor shu'.down near mid-day.

That senior operator (SRO), v.ho has been the primary person responsible for electronic E maintenance of the console 6uring the past decade, interchanged what had appeared to him to be two identical mixer driver (MD) modules in the scram logic drawer. Contrary to his belief, these modules were not exactly alike in that they had been altered internally prior to their installation in the console in the early 1970's, at the time of UVAR console upgrade from tube technology. The modifications introduce.d into the MDs more than 20 L years ago were to tie together the unused inputs inside the MDs. With the MDs in their assigned positions the tie-offs did not affect scram logic, and thus the modifications were I not documented in the detailed schematics kept of the MDs. Since the unused inputs have different numbers and positions in the two MDs, when the MDs were interchanged several trip functions were tied together in parallel. Had the tie-offs not been made, the interchange would not have compromised the trip functions.

i The reactor was operated at a power level of two megawatts without incident for 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> <

during the afternoon of April 28 following the exchange of the MDs. The operators that ,

afternoon had no way of knowing that key trip functions were unavailable, since everything  :

I appeared normal with all visual reactor information available. Only a test of the scram l

l system with the reactor shutdown would have permitted knowledge of the lack of certain tnps.

l A test of the trip system had been performed successfully that morning, as required by standard operating procedures (SOPS). A test was not performed after the interchange of the MDs because the operator, and then his direct supervisor for reactor operations, judged (at the time) that the simple exchange of modules did not require this.

i I

l t

I 9 During the period that the reactor was operated in siolation of some license requirements, no operational parameters for the reactor were exceeded, no safety limits were violated 3 and no damage was caused to the reactor or the conso!e. The switching of the MDs did lE not damage other electronic components in the conse,le. Following discovery of the l problem and its cause, the console was quickly and easily returned to its original functional condition with the return of the MDs to their initial configuration.

The UVAR is currently shutdown with all systems back in normal working order. While operable, the reactor remains shutdown until we discuss the results of our evaluation and implemented corrective actions with the NRC Region II Regional Administrator, or his designee, in conformance with the NRC Confirmation of Action Letter of April 30,1993.

.I l

II. DISCOVERY OF TIIE CONSOLE PROBLEM During shutdown of the University of Virginia Reactor (UVAR) at 5:46 PM on Thursday, l April 28,1993, the Reactor Supenisor (who has a Senior Reactor Operator "SRO" NRC license) was determining the integrated reactor power for the day. As shutdown was i nearing completion with the reactor already subcritical, the Supenisor began to demonstrate to the reactor operator at the console a technique used to "round number" the power integration reading on the integration display.

lg In the power integration reading round-off process, sometimes performed following reactor lg shutdown, the intermediate range channel drawer mode selector switch is taken out of l " operate," and the selector switch run through test positions. With the switch in the S

l 3 sec. / IO position and if the delta-temperature reading (from either decay beat or a test signal) is greater than zero, then one or two additional clicks (equal to 0.01 MW-hours each) can be added to the integrated power meters. This has the effect of advancing the power integrator numeral to its next whole number.

The selector switch can be advanced up to a position that causes a test of the period

E scram. The Supenisor commented to the RO, as he was about to switch into the test
5 position for the purpose of inducing an intentional automatic shutdown, that the reactor i

should trip through activation of the reactor safety system (RSS) because the intermediate period indication would be made to go below 3.3 seconds. In other words, the remaining l control rod should drop the remaining short distance into the core. The reactor did not

, trip as expected. Instead, the remaining rod was driven into the core.

i I ,

i l

l I 2

~

- Ill. SOURCE OF Tile CONSOLE PROBLEM in the process of investigating the failure of the UVAR to be tripped by the injection of a false period trip signal, afternoon entries made in the reactor logbook were reviewed by

_ the RO and the Supervisor. The entries show that at mid-day on April 28, a spurious automatic reactor shutdown (trip) occurred during the shift of the SRO most experienced in electronics and the reactor console systems. (Please refer to Appendix A for a

_ discussion of spurious scrams).

UVAR logbook entries of April 28 indicate that this Senior Reactor Operator assessed and noted in the logbook possible causes for this scram. To explain his assessment, it must be l pointed out first that there are two parallel pathways in the scram circuitry (please refer to the copy of Fig. 3.15 Scram Logic Drawer, taken from the UVAR Design and Analysis Handbook, an updated Safety Analysis Report for the UVAR).

~

81 Both MD's M3 12 only Power 1 Period Pump on/ Header down Power 2 Pool level 1 Range switch Manual Reactor door Pool level 2 I

Pump off Pump on Manual Ground floor low flow Face rad. Escape hatch Bridge rad. Truck door key switch Fire / Evacuation Pool temp, Air to header

) )

Scram ON Annunciators MD 12 l 2 cps from l NI Test I

Reset K2a O ......... SR t l f5 y

O

e T NA 45 l

l I Solid State Relay W

= K2 M.

K1  :

Solid State Relay k ""

nsole ... .

Sole mag ug ir lW q yt p,nn g 333,p l } f 3 p,j,ys l l

! p mag W 13 p

scram Relay Figure 3.15 Scram ler.ic Drawer I

l il 3

~

One side of the circuitry controls the shutdown functions of two of the control rods and the second side controls the third rod. The fourth rod, a regulating rod, is not scrammable. Each side of the circuitry contains a component called a solid-state relay (SSR) and a mixer / driver (MD) module. The SSR plug-in modules are identical units. As regards the MDs, in Figure 3.15 they are shown as single blocks with identifiers MD#1 and MD#2. These SSR and MD modules have been in use since the early 1970's and outwardly appear identical, with the exception for identifying serial numbers on the labels.

In the accompanying text on page 3-31 of the Handbook, both the MD modules are described as "being essentially 28 input OR gates." There is no mention of any difference between them. (Please refer to Appendix B for a discussion of the Mixer Driver Characteristics).

The SRO with electronic background and familiarity with the console interior noted in the logbook that he could isolate the side down which the signal causing the spurious trip had l come, by holding the reset button in and obsening which rods had magnet current. It occurred him that by a simple exchange of the SSR modules he might trace from which SSR module the spurious signal could be coming from.

With the reactor shutdown, the SSRs were switched. The SRO waited for a time with the console instrumentation on and the reactor shutdown, and observed that the spurious scram signals were still coming en the original side of the system. The SRO then recorded in the logbook that he had eliminated the SSR modules as a source of the spurious scram signals.

The MD modules were identified as the next potential source of the spurious signal.

I These MDs were also interchanged in the belief that they, like the SSRs, were identical.

With the reactor still shutdown, the MD modules in the interchanged position and the console turned on, the SRO waited for another spurious scram signal to occur. When g after about 30 minutes no further spurious shutdown signals were received, the SRO E discussed the possibility of restarting the reactor with the Reactor Administrator. There being no discernable cause for the original scram (no scram annunciators had lit), a I reactor restart was authorized by the Reactor Administrator without a recheck of the automatic trips.

I Unfortunately, the modules were intentionally left in the exchanged position,1) because they were believed identical, and 2) it was hoped that information would be obtained as to the source of future spurious scrams while the reactor was operating. The reactor was restarted and operated without incident for the rest of the afternoon. Two other operators took their scheduled turns at the console (the shifts are two hours in duration) until the programmed shutdown in the early euning. Without the performance of a test of the l scram system, and all other indicators functioning, these operators had no indication that anything was amiss.

' Had the problem not been identified by chance at shutdown on Wednesday evening, with the purposeful actuation of the period trip, the problem would have been uncovered l Thursday morning with the performance of the Daily Checklist prior to reactor startup.

Thus, the actual moment of discovery is not a critical issue.

I _ - _ _ ___ _ _ _ _

4

- IV. INITIAL ACTIONS Returning to the events during the early evening of April 28, after the console problem

- was uncovered notifications were made by the Reactor Supenisor to the Reactor Administrator, the Reactor Director and the SRO on duty at mid-day. These actions were appropriate and in accordance with our procedures.

_ Upon receiving the report of the problem with the console electronic logic system, the Reactor Director requested the Supenisor verify which scram channels had been temporarily inoperable during the afternoon. [ Note: This verification did not involve

- starting up the reactor, completing the part of the Daily Checklist dealing with the test of the scrams.] Next, the Director returned to the Reactor Facility to begin his personal assessment, and prepare a preliminary report for the Reactor Safety Committee, the u University of Virginia administration and the NRC.

7 Following the request by the Reactor Director to fully identify the problem discovered, the Reactor Supenisor switched the two mixer drivers back to their original location in the drawer with the UVAR shutdown and proceeded to test the reactor safety system with the E help of the RO. They found that all trips functioned properly. Thus, the problem with

+ the console appeared connected only with the interchange of the mixer / driver modules.

The covers to the modules were removed and it was determined by visual inspection that the modules were wired somewhat differently, although the components were the same.

~

nus. it was concluded that the modules were not interchangeable, as had been believed and suggested by the schematic in Figure 3-15. Indeed, with the modules returned to the original position in the drawer, the portion of the reactor Daily Checklist pertaining to the I scram logic was successfully completed several times. De test failed for some of the scrams (indicated below) with the modules in the position occupied during the afternoon operation.

Next, the UVAR was tagged out-of-senice, appropriate entries were completed in the logbook, and the processes ofidentifying the violations and making local notifications of a reportable event were begun. The next day, meetings were held among University officials, I' a local press release was prepared, and made, and the NRC was called within the required 24-hour notification period and sent a special report by facsimile. On its own accord, the I university decided to take the reactor out of operation until,1) full corrective actions satisfactory to its Reactor Safety Committee are completed and,2) we have discussed the results of our evaluation and implemented corrective actions with the NRC Region II l Regional Administrator, or his designee, in conformance with the NRC Confirmation of Action Letter.

l 1

5

V. CONSEQUENCES OF TIIE CIIANGE TO TIIE SCRAM LOGIC Operation with the modules in the interchanged position resulted in key reactor protective automatic trips required by the Technical Specifications to become inoperable. The reactor system trips not operable were:

Two power-level scrams Intermediate-range period scram (Low) Primary coolant flow scram (Loss of) Power to primary pump scram Range switch scram Key switch scram The first five are required by UVAR Technical Specifications (i.e. license).

The reactor system trips operable with the MDs interchanged were:

Pool water temperature scram All three manual scrams Two poolwater level scrams Bridge radiation monitor scram Air pressure to header scram Face radiation monitor scram Evacuation alarm scram Truck door open, escape hatch open, and Mineral Irradiation Facility scram (tied into one input)

Primary coolant pump-on scram Header-down with pump-on scram The start-up count rate interlock (not a trip) was available.

I Interested readers are referred to Appendix C for a technical discussion of the trip channel circuit.

I Note: All the trips in both lists are again operable with the MDs put back in their original configuration. However, although operational, the UVAR has been taken out of service.

It is noted also that in this report the terms trip and scram are used interchangeably.

I i

I _ _ _ _ _ _ _ _ _ _ _ _ - - - _ _ _ _ _ - - _ _

6

VI. ROOT CAUSE ANALYSIS Discussion The senior operator who interchanged the SSR and MD modules is experienced in electronics, basing had training in electronics in the U.S. Nasy's nuclear program. He has 13 years of experience on the U.Va. reactor staff and is the person most familiar with the I reactor console instrumentation. At the time of hire, he contributed heavily to a 1982 UVAR console upgrade. On the afternoon of April 28, his actions appeared logical and

, appropriate to him and the Reactor Administrator (an individual who has held an SRO license for over 30 years and presently occupies one of the two reactor supervisor positions on the reactor staff). Unfortunately, the SRO (and the RA) relied too much on an inaccurate and imperfect memory of work done on the scram logic drawer more than a decade previously.

I l

Knowledge that a difference existed between the modules and/or additional procedural I requirements in the SOPS would have prevented this particular situation. The SRO who l l made the interchange had performed an upgrade to the scram logic drawer in 1982, but did not immediately recall some of his knowledge from that time. The detailed schematic of the scram system is available, but the generic drawing in the updated Safety Analysis I Report (SAR) was looked at since the SAR is easier to find. The detailed drawings of the interconnections between modules in the scram logic drawer show that different inputs were used between the two MD modules. While the MD modules were " modified" from I the off-the-shelf state to disable the (different) unused inputs in each one, this was not shown in the MD reference book at the Reactor Facility. Still, a consultation of the detailed drawings alone would have alerted the troubleshooter to the potential problem I with an interchange of the MDs.

I It is accurate to state that no other operator would have had the confidence to take the initiative to exchange the MDs without prior consultation of detailed schematics, colleagues, and obtaining prior management approval. In hindsight, errors of judgement I by the SRO, and then the Reactor Administrator, resulted in the loss of some automatic trips. The manipulations on the console should have been characterized as maintenance. )

Also, the modules should not have been assumed identical. Instead, detailed drawings should have been consulted, the modules opened and compared, the proposed change documented and duly authorized by higher management. A specific written procedure for this type of change did not exist but is now being proposed and will be implemented.

I Finally, the trip system should have been tested for proper performance after the change had been completed.

It was uncharacteristic for this SRO not to have at the very least " tested the circuit" following the interchange of the MDs. The performance of a second Daily Checklist should have been called for following manipulation of the console electronics to verify l operability of the protective systems prior to the reactor restart in the afternoon. In so doing, the inoperable scrams would have been detected. It is noted that a Daily Checklist is done once every day [usually in the morning, prior to reactor startup as per standard l operating procedures (SOPS)) to verify that the required systems are functional. The Daily

Checklist was not repeated because the interchange of the modules did not appear to constitute a modification to the console to the operator and administrator.

The Reactor Director can vouch that this SRO has shown a high level of safety consciousness in the past. The general high opinion and esteem for this SRO extends to the departmental faculty and the Reactor Safety Committee. In keeping with his character, the SRO immediately stepped forward and took entire responsibility for the event. In truth, the responsibility is shared between him, the Reactor Administrator, and management, and could have been influenced positively by the availability of additional procedures covering troubleshooting of the console and response following spurious trips.

It is noted that personnel disciplinary action is a consideration in such a circumstance.

However, disciplinary actions are an internal matter to the University and will not be discussed in this report.

At the time of the 1982 reactor console upgrade, performed subsequent to Reactor Safety Committee approval, our electronics-expert SRO had proposed that the inputs to the scram logic drawer be re-arranged and fed to both mixer drivers (Memo to ReSC of February 12, 1982). The ReSC minutes (March 8,1982) indicate that the ReSC approved the proposed new annunciator system and the addition of a pump-on/ header-down scram but decided that the location of signals going into the scram logic system should remain unchanged. Had the inputs been rearranged to occupy separate and consistent input numbers between the two MDs, their interchange would not have caused a change in the scram logic. Also, if the unused inputs to the MDs had not been tied together, their interchange would not have caused a change in the scram logic. [ Note: With the reactor shutdown, the UVAR console was tested with unmodified MDs taken from the shutdown CAVALIER reactor console and found to work as intended.]

The occurrence of spurious trips has here-to-fore not been seen as a cause for safety <

concern. However, their occurrence and the informal response (troubleshooting) elicited to trace them did initiate this event. Spurious trips may be due to ground loops and old l electronic components. Unplanned trip frequency will likely reduce with time simply as a I consequence of the replacement of old console components, already beginning with funding from the DOE Reactor Instrumentation Program. It is clear that the search for the elimination of unwanted spurious trips should be attempted only in a careful i considered fashion using pre-approved procedures.

UVAR Technical Specification 4.5 addresses the topic of reactor maintenance. Central to I the non-performance of a test of the scram system was the (improper) understanding by the SRO and the Reactor Administrator of the definition for " maintenance." The SRO and Administrator believed that maintenance had not been attempted, since the console l had (presumably) not been changed, although the modules had been lifted and replaced on the contact bus. [ Note: Maintenance is not a term defined in the UVAR TS. Neither is this term defined in the ANS-15 " Operations of Research Reactors Glossary of Definitions l and Terminology." Definitions for " troubleshooting" and " maintenance" are found in INPO's Guideline for Conduct of Maintenance at Nuclear Power Stations, April 1992.]

8

f Whenever a mistake is made, consideration is usually given to time pressures. It appears l that in this case some time was taken by the SRO to discuss the situation with the i Administrator, and the necessary conclusions should have been reachable within this period.

I Of a lesser magnitude in this search for root causes is the lack of redundancy of expertise.

Lack of personnel redundancy is unavoidable, due to the small staff size at research reactors. The SRO who switched the MDs has been relied on by the entire staff for his electronic expertise. Another individual, who has a degree in electrical engineering, has recently obtained his reactor operators license. His expertise will assist the reactor staff in the area of electronics and instrumentation.

I The lack of a " devil's advocate" was felt in this case. Some simple questions as to the proof for the assumption that the MDs were alike from the Reactor Administrator would l have set the SRO to thinking and have changed the sequence of events for the better.

The event was a product of unlikely circumstances, and is not reflective of generalized l breakdown in operating procedures. Nevertheless, it is useful to search for underlying root causes, search of similar problems and seek the improvement of the standard operating I procedures which are intended to help humans to overcome their propensity for mistakes.

Such is the case here, and a number of SOP changes have been made or proposed.

Summary The identified root causes for this event were: a recent history of " spurious" automatic scrams: judgement error on the part of the SRO as to what was should have been regarded I- as maintenance of a safety-critical reactor console system; error on the part of the Reactor Administrator to rely on the greater electronic expertise of the SRO without testing the I SRO's assumptions involved in making the MD interchange; lack of definitions in the SOPS for the terms " troubleshooting" and " maintenance;" the non-performance of a scram operability test prior to restart of the reactor following the exchange of the modules.

I I

I I

I 9

I . -

L

~

L

- VII. SELF-IDENTIFIED VIOLATIONS The regulations from the UVAR SOPS and TS which were violated are reproduced below.

, They are quoted individually and then followed by explanatoly comments.

1 L

m Violations of UVAR Standard Operating Procedures (SOPS)

L

" 2. General Regidations

- A. The reactor and operations must at all times meet the license requirements and the operationallimitations as setfonh in License R-66."

r L Contrary to the above, the reactor did not meet license requirements during the 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> it operated with some TS requires automatic trips unavailable.

E L " 2. General Regulations E .

u

~

D. No jumpers or by-passes shall be installed or removed in the control console unless the following conditions are met:

I No safety system is compromised 1.

2. A record is made in the logbook
3. Specific approval is obtained from the Reactor Supervisor or Facility Director."

Contrary to the above, the exchange of the MD modules resulted in an inadvertent I and unintentional by-passing of protective systems. While this action was recorded in the logbook, the by-passes were made without specific approval.

" 2. General Regidations K The reactor shall not be operated if any instmmentation required by the Technical Specifications is not fully operable."

I Contrary to the above, the UVAR was operated for a short period of time (5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />) with certain required instrumentation (already described previously) not fully l operable.

I I 10

I u

Violations of UVAR Technical Specifications i

a 7 1. Technical Specification 3.2, Reactor Safety System L

Specification: The reactor shall not be operated unless the safey system channels described in the following table are operable:

1 u

7 Applicable Channels from Technical Specipcations Table 3.1, Safety System Channels l

Channel Min. # Operable Sex Point Function Mode Required P""

',P *"O 1 lo.e ofponer scram forced convection pnmare coolant pow 1 min. of 800 g>m scram forced ccmwction max. of 3 Mu's scram forced conwction 7 reactor poner lesel 2 L max. of 0.3 MWt scram natural consection reactor period 1 min. of 3 sec. scram all modes Contrary to the above, the automatic safety system trip settings indicated above were u inadvertently disabled during 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of reactor operation on April 28,1993.

2. Technical Specification 3.3, Reactor Instrumentation Specification: The reactor shall not be operated unless the measuring channels described in Section 3.2 " Reactor Safety Systems" and in the following  ;

table are operable:

l Applicable Channels from Technical Specifications Table 3.2, Measuring Channels L

l Channel Min. # Operable Mode Required Intermediate & period 1 all modes I Contrary to the above, the automatic safety trips listed on the previous page in this I report (from UVAR TS Table 3.1) were inadvertently disabled daring 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of reactor operation on April 28,1993. Also, the measuring channel listed above (from UVAR TS Table 3.2) was placed into test position (one which should have caused a scram) while the reactor was being shutdown and was suberitical but did not meet I the definition of shutdown in that all three shim rods were not fully inserted.

11

3. Technical Specification 4.5, Maintenance Specification: Following maintenance or modification of a control or safety system component, it shall be verified that the system is operable before it is retumed to sersice or during its initial operation.

- Contrary to the above, an action which was not considered to be maintenance or a

- modification, at the time it was done, did in fact inadvertently modify a component of the safety system. The operation of the system was not verified to check its

- operability before being returned to service because it was not believed that a E modification had taken place.

4. Technical Specification 6.3, Operating Procedures Specification: Written procedures, resiewed and approved by the Reactor Safety C Committee, shall be in effect and followed for the items listed below.

L These procedures shall be adequate to ensure the safe operation of the reactor, but should not preclude the use ofindependent judgment and action should the situation require such.

(the two applicable sections are:)

1

~

(3) actions to be taken to correct specific and unforeseen potential malfimctions of systems or components, including responses to

- alarms, suspected primary coolant system leaks, abnormal reacthirv changes (5) preventative and corrective maintenance operations that could have an effect on reactor safety.

Contrary to the above, no specific procedures existed for trouble-shooting problems with the reactor instrumentation as may be interpreted to be required by the wording in (3) above. Nor is there a Technical Specification definition for, or a good understanding of, of all the actions that might be considered to be maintenance. i Therefore, for some actions such as the switching of the modules in the scram logic  ;

l drawer there were no specific or general procedures.

I I

1 12 '

VIII. ACTIONS REQUIRED BY UVAR TECHNICAL SPECIFICATIONS The inadvertent change to the UVAR console was a reportable occurrence as per Technical Specification 6.4.2., " Action to be Taken in the Event of a Reportable j Occurrence;" '

(Note: only the applicable items are listed below:) l I

A reportable occurrence is any of thefollowing conditions:

l (1) any safety system setting less conservative than specified in Section 2.2 of these specifications (3) safety system component malfunction or other component or system malfunctions during reactor operation that could, or threaten to, render the safety system incapable ofperforming its intended safetyfunction, unless

  • immediate shutdown of the reactor is initiated (5) an observed inadequacy in the implementation of either administrative or procedural controls, such that the inadequacy could have caused the existence ,

or development of an unsafe condition in connection uith the operation of the reactor Item (1) is applicable because certain safety system settings were set less conservative than specified in section 2.2 in that they were inadvertently disabled.

Item (3) is applicable in that a safety system component was made to be malfunctioning during reactor operation by the switching of two electronics modules prior to reactor start-up (even though this switch was mistakenly believed to have produced no change what-so-ever).

Item (5) is applicable because either the administrative and procedural controls to prevent the incident which occurred did not exist or they were not effectively implemented.

I I

I 13 i

IX. SAFETY SIGNIFICANCE For a 5.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> period, important automatic trips required by the reactor license were not available during the afternoon of April 28,1993. The fact that certain scram functions were not available could only have been determined had an operational check of the scrams been performed prior to the afternoon restart of the reactor. This operational check was not performed because it was not recognized that the interchange of the modules constituted maintenance, requiring operability checks. Scram unavailability can't be determined during reactor operation.

The reactor is normally operated four days per week for about 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> per day. Thus, l the longest period the reactor could have been operated in this mode was about 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />.

The Daily Checklist is always done before start of reactor operation each morning and would have determined the problem with the scram drawer logic. Had the modules been l interchanged at the end or at the beginning of the workday, the problem would have been discovered with the Daily Checklist prior to reactor operation.

Reactor operation was normal that afternoon. The strip-chart recorders indicate both smooth N-16 and reactor neutron flux level traces. The values recorded on the Hourly g Console Data Sheet for that afternoon were all within normal operational parameters. No 3 out-of-the ordinary conditions were noted in the reactor logbook until the discovery of the problem as shutdown was being completed.

Considerations are presented below showing that if the reactor had been challenged by l

equipment degradation or failure, with a very high likelihood automatic trips associated j with in-core experimental facilities and/or a reactor operator manual trip would have kept

n the reactor from exceeding safety limits. The automatic scrams associated with in-core experimental facilities were checked that morning and were not have been affected by the interchange of the MDs because they were on terminals that were symmetrically located.

Reference is made to Table A (on the following pages), where the UVAR operational

.g indicators which were available to the reactor operators that afternoon are listed. It is observed that functional alarms and automatic trips associated with in-core experimental irradiation facilities were available that roughly compensated for the lack of some license required automatic trips. These are the core differential temperature (" delta-T') visual and  ;

l audible alarms, the core gamma-level monitor visual and audible alarms, the reactor bridge i l

radiation level audible and visual alarms and automatic trip, the mineral irradiation facility l ll visual alarm and automatic trip, the four Hot-thimble Facility visual and audible alarms, the primary pump-switch-on/ header-down light and automatic trip, the (3) manual trips,

)

and the automatic control (servo deviation) visual and audible alarms associated with the  ;

l regulating rod. In addition to the audible and/or visual alarms, the operator had reactor l power indicators in clear line of sight, of which the most important are also presented in Table A. The rows shaded in Table A highlight the systems that offered important alarms ll or scrams which compensated for the unavailable scrams.

The safety action required in all cases for all scenarios is the dropping of control rods into l I the reactor core due to an automatic or manual scram. The safety function is j l

14 l l

accomplished by the control rods falling by gravity a short distance into the reactor core once the magnetic force which keeps them suspended is cut. Such is the case when the electric current supply to the electromagnets ceases. This safety function occurs when a manual scram button is pressed. It also occurs when there is loss of electrical power to the Reactor Facility.

To qualitatively illustrate the compensation which was available, various scenarios are presented below. Each one is possible, however with varying degrees of likelihood. A Probabilistic Risk Assessment (PRA) has not been attempted, for the benefit is small and the time required much exceeds the time available for filing this report. For the same reason, highly unlikely scenarios which would be difficult to model and time-consuming to compute have also not been attempted.

The overall conclusion that is reached is that'the operator had the necessary reactor operational information available to him to safely operate the reactor and to manually trip the reactor if conditions had required this. The automatic scrams associated with irradiation experiments in the reactor core roughly compensated for the scrams that were disabled.

}

15 I _ - _ - - - --

- . - - m -

TA!LE A (p gs 1 cf 3): UVAR OPERATIONAL INDICATORS AVAILAELE TO REACTOR OPERATOR (with mixer driv:rs switched)

Shaded rows highlght the systems that offered impor1 ant alarms or scrams which compensated for the unavaliable scrams Visual m nal @2 In cabon of Indcaw indcahon Scram or ham Reactor system indication Avail-Readings Abnormal Condition Availability or audible Alarm Level , g, alarm b "' 2m cps (w/ chamber out) increasing I "7 tem 1eI"2r"d3) avaiiabie visuai none --

so e "

ad null r infinite a positive value available visual none -

intermediate range level (NV) 4x10"nv >4x10' and increasing available visual none (local, remote & recorder) --

a Wod null or infinite a positive value 8 available visual no linear power level 2x10' amps >2x10' amps & increasing available visual none -

power range level #1 about 100% >100% and increasing 25 available visual no power range level #2 about 100% >100% and increasing 2 available visual "

a core differential temperature : about 12.87J i > 137!:. i 0 avitilables  !!Soth .l ,,,,.

reactor pool temperature varies between 70 and 1007 g x ed to 2105 F

i pnmary coolant flow rate 1030 gpm < 1010 gpm available visual P am electrical power to primary pump on at 2 MW off above 200 kW P Uff light visual no N-16 (heat exchanger room) & recorder 3.2x10' amps >3.5x10* amps available visual none -

core gartime level mondi SM (7.9x10* amps) #

.'>8.5x10 ampsj favailablej v

Lbsthi mnstant air particulate monitor a 150-200 cpm >300 cpm available both > 400 cpm -

r, m

, , r, , , c-- m - ~ -

TA2LE A (p:ga 2 cf 3): UVAR OPERATIONAL INDICATORS AVAILA!LE TO REACTOR OPERATOR (with mixer driv:ra switched)

Shadad rows hghteght the systems that offered important alarms or scrams which compensated for the unavailable scisms.

Visual Indication of Scram Reactor system indication Nominal (@2 MW) Indicator indication Scram or Readings hail-Abnormal Condition Availability or audible Alarm Level g g, alarm reactor bridge radiation level :

.1.5 4 2.5 mr/hr ' >4 rnr/hr available both - ;yes reactor face radiation monitor- r r-

{ 0.15 - 0.3 mr/hr ' >0.5 mr/hr available . both . yes Mineral Irradiation FaclHty lead shield - 1 about 507 greater than above about.145T.

s at aW same tak as aw m > 155T '

t:mperature pool temperature Ms d Y

. reactor power - scram -

available meter Mineral Irradiation Facihty coohng gas us% outsW >W temperature about 130*F about 160"F yes I control control scram room room

> 295 *C, alarm Hot Thimble facihties temperatures - # a S i various (270-295'C) l b na available: b th ye t tolerance nominal - l trip out &

cutomatic control, servo deviation Jzero or null . . > than a few % deviation;

. available : . both alarm at --

<>7%

primary pump on with header down.: beader up light, pump on Ight.: header tails with the pump :. .. light forj -Ight for :

scrarn -indicated normal primary flow r fans 'yes'

~ running : header up header up reactor room argon monitor a recorder 100-300 cpm > 400 cpm available cpm both _

l vent duct argon rnonitor & recorder 100-300 cpm > 400 cpm available both E -

"' " "P ' "

e f im d t 2600-2800 nanommps > 3000 nano-amps available visual none -

TABLE A (page 3 of 3): UVAR OPERATIONAL INDICATOR 3 AVAILABLE TO REACTOR OPERATOR (with mixer (rivera r. witched) shaded rows highieght the syttems that ofhsred important alarms or scrams which compensated br the incvailable saams.

Visual Scram Reactor system indication Nominal (@2 MW) Indication of Indicator indication Scram or Readings Avail-Abnormal Condition Availability or audible Alarm Level ,

alarm I

scram on high power by range switch (with prima uP 2 MW position 200 kW position none none to 2 k no u

position when above 250 kW scram by switching range switch (with pnmay u to 2 MW 200 kW position 2 MW position none none position no d

above 200 kW low poollevel scram #1 19'4"-19'6" pool level < 19'3%" causes scram none scram only a Y'S low pool level scram #2 19'4'-19 9 pool level < 3 a"

< 19'3%" causes scram none scram only yo, three manual scrarrs /  :(nonej "

(reset ino. indication [ 4 scram only  ;: yes" truck door open scram reset, door closed te ctor r mck door none scram only *"","' yes escape hatch open scram reset, hatch closed hatch open *""

none scram only Y'8 a

evacuation & fire alarms button p hed or sensor U reset none scram only , yes key switch turned on turned off position scram only "

sa

I A. Loss of Off-site Electrical Power The loss of electrical power to the Reactor Facility is the most likely challenge to the reactor. l Although likely, it is handled routinely by the fail-safe design of the safety system. This system fulfills its purpose quite simply with the insertion of the control rods which fall when the l electromagnets are de-energized.

B. Reactor Period (startup and power operation)

Here is no mechanism for a large insertion of positive reactivity other than deliberate, malicious action by the operator or a total failure of the control rod drives such that they l withdraw without operator action (very highly-improbable). The falling away of all seven experiments with some small negative reactivity worth from the core could have added +1.1%

delta-k/k. The falling of even one experiment would be highly unlikely. As explained in the subsequent section, reactor overpower would have resulted in either automatic or manual shutdown, assuming no malicious intent on the part of the reactor operator.

Reactor Initially Operating Below 2 MW The reactor was started up once following the interchange of the MDs. During startup, the reactor operator had (and was attentive to) reactor period indication at all times.

I Procedures require that the reactor operator maintain the reactor period at greater than 100 seconds during the initial phase of the startup. The period is maintained at this rather conservative level due to the natural unavailability of period protection during the I initial phase. The period protection circuity is on the intermediate range channel which does not detect a rising neutron flux until the flux level has increased several orders of magnitude. During the second phase of startup, once the intermediate range is on-scale, I a 30 second period limitation is procedurally enforced. The margin from the 30 second administrative limitation to the scram setpoint of 3.5 seconds (not available) is substantial. A trip signal would have been processed only had an operator intentionally withdrawn the rods at a sufficiently-high rate to produce a reactor period of less than 3.5 seconds. Given the attention paid to the period indication by the operator on startup, the lack of period protection for the latter phase was not significant due to high l improbability of a positive reactisity insertion great enough to cause a three second period. Consequences from the reactor going over-power would have been prevented by the remaining automatic and manual trips available.

I If one postulates a positive period resulting from erroneous operator action (too rapid withdrawal of control rod) or from a negative reactivity-worth e::periment falling away l from the core, the power would rise at a rate depending on the magnitude of the reactivity insertion. With low-magnitude positive reactivity insertion, reactor power would rise until the delta-T, core gamma and/or the hot-thimble facility temperature I alarms are obtained. The delta-T temperature caly needs to rise by a few tenths of a degree, the core gamma monitor rise by less than 20% of its 2 MW value and the hot-l thimble temperatures rise by about 5 C to produce audible and visual alarms. The I

operator would thus know that the reactor power level was going up and would then

.I l

!I I manually trip the reactor. In the likely situation that the reactor is level at 2 MW full power under servo control, the operator would be made aware of the reactivity change by the automatic (servo) control mechanism tripping out at r 7% deviation, resulting in lI an audible and visual alarm.

Reactor Initially Operatine at 2 MW il Protection from reactivity insertion with the reactor at 2 MW is discussed under the high power scenario heading.

I C. Complete Loss of Primary Coohnt Flow l Loss of primary reactor coolant flow is a possibility that needs to be considered, however, its occurrence is not very likely. His is borne out by the experience of some 33-years of reactor operation. In this time there has never been a loss of coolant flew to levels below the scram

,l set peint. ,

1 sss or flow through the core can occur three ways, either by the pump ceasing to work with I tue putip motor still functional, the pump motor ceasing to work (causing the impeller to stop turning) or the flow header falling away from its normal position beneath the reactor gridplate I while the pump is on. [ Note: The header" is a funnel-like structure connecting the bottom of the reactor core with the primary coolant pipe. It must be movable to permit reactor cooling by natural convection. In natural convection mode, it is in the down position. It is held in the up position by the difference in pressure generated through the down-flow of coolant.]

First, assume total pump failure through the loss of the coupling between the impeller and the I motor. This would cause the header to fall with the pump still energized, resulting in an automatic shutdown from the header-down/ pump-on scram.

I In the second case, assume that the motor fails, which would stop the pump. If the electrical breaker on the motor trips before the header falls from the loss of flow, the header-down/ pump-on scram would not be initiated. However, when the header falls with the reactor g operating at two megawatts there would be an immediate trip out of automatic control due to the insertion of negative reactivity resulting from the increase in the average in-core temperature. The trip out of automatic regulating rod controlleads to visual and audible l alarms at the console which would alert the operator te the unusual situation. Also, the reactor power level would immediately decrease in response to the negative reactivity insertion.

In fact, the reactor power level would have to drop to below 200 kW because the core l differential temperature at 200 kW in natural convection mode is greater than the delta-T in forced convection mode at 2 MW. The aggregate rods positions in the full-power mode are therefore lower than in the natural convection mode.

I In the third case, with the header falling and the pump remaining on, the reactor trips from the header-down/ pump-on scram. This is the situation that this particular scram was designed I' to handle.

I 20

D. Partial Loss of Primary Coolant Flow The possibility of a reduction in the amount of coolant flow through the core to levels below the scram set point also needs to be investigated. Just as there has never been a complete loss of flow neither has there been a case when there has been a reduction in the coolant flow rate below the scram set point. The observed reduction in flow over many years has been slow and small (a total of less than about 30 gpm, that is 3% of 1030 gpm normal flow). This gradual decrease over time is explained through wear on the impeller and/or the collection of small debris on a protective screen located in the primary piping upstream of the impeller.

A reduction in the flowrate through the core might be caused by either a malfunctioning pump or some type of flow blockage. Degradation of primary flow sufficient to drop the header will scram the reactor. Coolant flow degradation not sufficient to drop the header would be obsened no later than the performance of the Console Data Sheet, filled out on an hourly schedule. A small drop in coolant flow would not have a negative impact on the reactor. He rod servo-control drive mechanism would drive the regulating rod a small distance out of the reactor in response to an actual decrease in reactor power caused by the greater average core coolant temperature. The reactor can safely accommodate the larger delta-T applicable to natural convection operation, calculated to be about 19*F.

Next, considering an unlikely instantaneous drop in coolant flow to levels below the low-flow scram setpoint (remembering that the low flow automatic trip was not available), the delta-T would increase suddenly by an amount proportional to the flow change and would audibly alarm. De true delta-T reading, directly visible to the reactor operator, would show a higher than normal differential temperature across core. The reaction of the operator would be to J manually trip the reactor if the delta-T reading is significant (above 13.1 F, compared to the

) usual 12.85*F) or to look at other instruments to check whether the (apparent) power increase is real. The lower coolant flow rate would be observed. Also, the N-16 level would likely show a decrease, given greater decay due to longer time between core and the detector position. Rear w power readings from the nuclear instrumentation near the core would

[ increase (due c. greater neutron leakage from the core due to the lower density, higher water temperature in the core). These power readings would be above the true core power level.

The reactor automatic control system would respond with the insertion of the regulating rod, a s beneficial outcome. The operator would react by manually tripping the reactor because of disagreement between the instruments.

(

( 21

[ ..

E. High Power Slow to Moderate Power Increases The Mineral Irradiation Facility (MIF) has three scrams associated with it. Two are important to the qualitative analysis being made here. The scrams are the cooling gas flow-temperature and the lead-shield temperature as sensed with thermocouples. They trip the reactor whenever their temperature setpoints are exceeded (see Table A). The gas flow temperature setpoint is 160*F and the lead shield setpoint is 155*F.

The MIF lead-shield temperature response is known to be rapid and fairly linear with reactor power (heating is due to gamma and neutron interaction). On April 28 with the reactor power at 2 MW, the shield temperature was at about 130 F and the pool temperature at 80 F. 'Dius, the 155 F MIF lead shield setpoint corresponded to (155-80)/(130-80) X 2 MW or about 3 MW. The power level scrams (not available) are set at 2.5 MW. The MIF scrams were checked for operability during the Daily Checklist performed on the morning of April 28, and remained functional after the exchange of the MD modules. Assuming that the operator was inattentive and that the reactor power had increased significantly above 2 MW, an automatic trip would have occurred at l

about 3 MW (the LSSS), well within the safety limit (defined as a curve based on a combination of coolant flow and reactor power).

Fast Power increase Gross over-power would only be possible due to an intentional operator insertion of positive reactivity by control rod motion. The falling away of all seven expe.riments with negative reactivity worth from the core could have added +1.1% delta-k/k, but this is a ,

very improbable scenario. Postulating that the automatic trip covered above in the slow to moderate power increase scenario not have time to actuate, the reactor bridge radiation monitor would eventually deliver the automatic trip. It is noted that on such an excursion, vibration produced in the core could be sufficient to cause either the dropping of the header (delivering another automatic trip) or the dropping of one and then the remaining control rods. [The control rods are held up by the barest margin of magnetic force and are therefore susceptible to vibration. On occasion, they drop and trip the reactor when personnel walk onto the reactor bridge.)

Motion of the poolwater surface could actuate the automatic pool-level trips. With the

[ pool filled to ahnost overflowing, a 2.5 inch ripple would accomplish this. Normally, the l pool fill is somewhat lower than the point of overflow, so as little as a 0.5 inch ripple could be sufficient to produce an automatic trip.

22.

r

w F. Kev Switch  ;

[ The reactor should be automatically tripped in the event that removal of the console key is

- attempted (extremely unlikely attempt). It is difficult to conceive of a situation where the operator would want to attempt to shut down the reactor by removal of the key. Upon trying l this without success (this would have been the case on the afternoon of April 28), the sensible operator would manually trip the reactor. The key switch scram is not required by Technical ,

Specifications.

G. Range Switch I The purpose of the range switch is to prevent the reactor from being operated above 0.2 MW with the primary pump off. The switch changes the high power scram settings from 0.25 MW I to 2.5 MW when it is thrown. To operate the reactor above 0.2 MW without the pump o i the operator would have had to ignore the header position indication light (yellow for down, green for up) and the lack of a pump power indicator light (green), both clearly visible at the I console. With natural convection upflow, the core gamma monitor located seven feet above the core would detect thermally rising N-16 and eventually alarm. The automatic trip would I be initiated by the reactor bridge radiation level, if the operator had not manually tripped the reactor by then.

I It is noted that the UVAR is almost never operated in natural convection mode. It is operated at full power just under 2 MW almost all of the time. To possibly get the reactor to a condition where safety limits would have been violated, the primary pump would have had to I have been turned off before the afternoon startup was attempted, and the operator would have m had to fail to notice the pump-off condition in addition to the header-down indication. No natural convection operation was scheduled for April 28,1993.

I I

il I

'I i I l l

1

l CD6 M '

6'I C a r" P/0

?! j M pt C#8 8' N ?19 +2SV 9 l l C Ato q, . n3 l 10PM- i l 2K A6 22E 8.S R l l C Att w 08 j, y tw l

,, ' l CEl2 g2 2f329A tz +t-M F 5" G j A,rg ad* l Cple

-, .M val e #NT56A l

N0ft

1. ALL DIODES a nt 14 4868 UMLts$

. g OTHE AwlSE SetCsFit0.

14 + ICM RIS tOMM I a t6 2N 613 20 I " R4 l 36 22 2400  %

23'I = ,

VR2 / J2 l i

g INF59E Q" 24'l Ckt9 N nao O

l  : ~i!

~'s/i69412+2u CApac! Top _ __ 2 006 twa fr~

I CREO cast g: l9 g- l! ,- Jo,s55312-ore, CnoxG IO ryM L!

2% QCD2f- >

= I y3s

- = 6 49 419*00-72 wm/M *C ft.or

. - 49* - 48 myrdU Jtrre*M _,

26 SM I * ' - - #7 5'2'0F*d W M##### 4a

] INTEStLOCK l I)39 4F ~ ~ M W 97 EmWJ - M7E' '

y p 27' l CR22 M - - 44t.45 WP-/f! AM ,)

O ns l Cn2S - - m* meewar rnr.rr m rer a a 2et- n - - i n so-are rrem .saw:e <<x

~g . Cn2s E l' Y

~ ~ E #' " # *0' **

n monsit w#f#~rx.soce d#d;" e"r r o"s#

M -.

O O .- * ,_

m :s l Cn2s = - 2 M 6993W0E2 hstr. Ae yr 9f t* 30 H~ > '

l, f fc W is*%A** f f M JNrr?" / ) , , , _ .

~

  • g S CR26 3'" I U O . . . .'- -

32, l C R2 i

.T.t

> , 7

  1. 3 _~d hhhhk([ N S A g.

_L--A- . -1, d CthMATIC DIAGRAM-

,,1, c. ..t v e. 9 .= - -

-t- - - c .4 .i, x ~

l.

~

w _.

- - - l' r -801001 5 % 2, -

,,,n m. I  :.~ - . . . . .2 't

~-.

A l 5__.... I , _ !4 . . l 3 _[ q ,

,i ,

l L

DEPAILTA1ENT OF NUCLFAlt ENGINED;ING AND ENGINEERING PIIYSICS SCIIOOL OF ENGINEERING AND APPLIED SCIENCE UNIVDISITY OF VIRGINIA E Phone: 924-713G 3EMORANDUM February 12, 1982 TO: Reactor Safety Committee Via B.L. Shriver i

FROM: B. Hosticka h J' u

SUBJECT:

Scram Logic System and Annuniciator Panel I would like permission to re-arrange the inputs to the scram logic drawer so that each scram input is separate and is fed to both mixer drivers.

E This will involve eliminating the auxiliary scram bus and splitting dual

' scrams such as pool level #1 and low flow. The console manual scram will remain undisturbed and continue to be on the output of the system.

E u In conjuction with the above modification I will install a new scram annuniciator system that has a separate placard light for each scram m input. The scram input that actually caused the scram (i.e. the first I scram received) would be indicated by a flashing light, all subsequent ones  !

l would light up solid.

l Previous discussions of the staff have brought up the desirability i of a " pump on header down" scram that would eliminate the possibility of I operating the reactor with this conflicting flow configuration. IF a scram is desired, this would be a convenient time to install it.

such Drawings of the old scram system, the proposed scram system and the annunciator system including technical details are attached.

l I This nodification does not require a change in technical specifications nor does it involve an unreviewed safety question.

I I

Attachment to Appendix B page 2 of 8 I

i ,

l 1 June 79 Revision t

l t

O O

da -3 5 k 5 M l m . 8

=

t2 lE Q x .' 8 k

  • u

~

ll l %o * >.

.s

_A___ .'

aa" d

m" ll i  %

g E

a

-- < - _. c Te Q

5 u

E e

  • m o -,

l

\,

  • y a M 3 o ,

e u lE --*

5 u

,g s * -

3!

l -

' s} rauw c -~ --

jj! -3 n =

}x

,-3 ~jl. p ,I!

w { J- a ~

l

+

s qy,1 x-

- - a $_^

xv 3

[

v

_L a ik ei 5L m i e 5 c 4- m ti- t u 1 > >. u l .

O . _ . . _ .

! ie -

l --.

l s

  • o

, s m.-

! s  : -

in a nb  : **-

g .a -

s g

& i4 %

4

=

  • m M l \

t t

o h~

rc

]F--* y'~ <

] '-

fY, o

. W u e t

,x sw M P A d n

m o NA i (  %  !

e T oT "

! N 'k( ) ~<

N --t U s

N%

s tM ,

d

% 3~ u 1

e l w G I

Attachment to Appendix B t

page 3 of 8 i

i t

l 1 I Scram inputs to mixer drivers

! i l Switch developed scrams: l Pool level #1 Truck Door

! Escape Hatch Manual in Rx Room Manual on ground floor l Pump On lg Range switch lE Relay developed scrams:

l Evacuation l Key switch l

Air to Header Pool temperature Face radiation Bridge radiation Pump Off lg Pool level #2

g Low flow (pump on - header down)

Bistable developed scrams:

Power range #1 Power range #2 Intermediate period I Note: This page was retyped from the original for the purpose of producing a more legible copy in the 14-day reportable occurrence event report.

I lI I

Attachment to Appendix B page 4 of 8

c N a u ' s'C.

O et s

?!

<p $ i r X n' M \

c c T- w" N i

' s 4

]44 a &

r e

( *s

%, _ s u o 2U

<;; =

r

' =< . s (( 4 u '* .

k A i i IS d

e L% e g s5

  • t  %

t 1 t 4

+ 4

" n, t M d vt t,

s ( c +.

s s

h u s 7 5

, :vy

(

\

9

~

J i t

~

c' (A T -

r "t o  ? N s .

g \

[ ,e N, s -

1 1Ae o

o -

)

A'

  • j &1 v 4 0

t g r -

1

- {,Z

, ____.J d

% 'i 3s i d d i rJ J 3 1

,t - . k. sa 4E y L I

L

% F m LLLA t_u. i t s i i _

Wa t 3

E i ' 9 1

1 ,

} - ~ 4(1 +

a t

u. w  ;

d W{(\ \ \ \\ \_,#

r LL.3 Lu b o 5{

u J

[. . v7 t C

tl-M" A 1 *-

E. k$

h ca s E  %

u' ' .* e <

Attachment to Appendix B page Sa of 8 (see sb) ll l

r l

L i

1 w ,-- ._

y - -. -

's

, N.

u .

t

5-s . s -:

A ~

  • 1

[ s 8

7 u gi' w 2 . _ _ _ x t 5 gE m t tu -

i '

% + , ~/ -

' TP f . p tt 1111 c:~ 0 Lt-

',.%s

'D. g e

. v1 -

l  !

1

3 ,

ate a

~ i d )~ v S.A

~

s R( 1~- s ,

~

.- s ~ -  ;

- *' '* a e, o ,

u J. y f -

I l g a0 $

) ']~ p NO ,

e -

  • s- .

i- :-+,c

_ y g QJ  ;

I o $9 a kn ..

g lij [j r I i

l r

m s.

n rm f '

4?*  ?. ,I

  • I

= '

~.. e r

- s < l i d e, .  ; 'N  ;

n b I5 E

("d {

I  ; e+t s

~ LJ

' i R -wv--

)

)

. ~

k 0, -

.iu '

~

a \ u43- l +

+ -

! * ^~Y -

i  !

V . . . -

  • "*.a [ l { tw1

?' b. ,i l l'I $$i j

1 .

l - --

/)*1

--e----

5\ R l~  :: .5*

eJ

>g

'4 3 xs *t n .

l z e h.

,ia**  !

6 1

4 4

l 72 2 6 3

v (

I '$2 kttachmedi t6 'A;ipendix B page 5b of 8 (improved Sa)

I l _

I . - - - - , - . .. .-- .-. ., . . . , - - - . - , ._

us...u .s ....sa. ..

l'IGUPI III-16 AUXILIRRY SCRAli SYSTrli O

E 110 V AC KEY RESET RELAY L SWITCH SWI TCl! COIL 12345678910 _L_.

7 () f hY ll -! }'l l-CM N  ;

9 E

i C RELAY CONTACTS

() C I

L E

E REIAY COIL

[ h

FIACTOR ON" ,

i LIGHT C

TO norn

" ~

RELAY ONTACT I KEY O-SWITCl!

+10 V POWER SUPPLY I DUAL PRIMARY SCRAMS I PRI. PUMP l POW. 3 q FF I +10 V POOLLEhEL$1 TO MIXEn-DRIVER ,

l l

+10 V , T.OW PII.

l FLO11 l

I P U'. ER SUPPL.Y  : 4 FOOL LEVEL #2

) TO MTXER-DRIVER ,

I Page 57 TSAR Page 4 5 FS AR t.rien dine n t I l

Attachment to Appendix B page 6 of 8 l

June 79 Revision 1

b au n R$ ES gn- .c >nu $a na 9, Nan x W 9 ,#" -

M Sd

  • 3dC , g

, t su h A h "

w D_~ m. Se a

~ u 5" m 28 5 $esn5 m v' e T--

$~ 9

  • .au . y --. ,_

_. c n

.I c:

g!-

MIS

-m -~ M o

O n

a n d

a m -,

u _-

d a 1 3 3 s  ; y

$ o m

a = --

v ,

u m.

gg - -. o G om

) -

O Y < a

-3 m b "

h

~

p -dia y; h hh u y fx gm Q

e T-- =

YF, ,

  • L--

2 4" 5 m

-5 k 3 5 3 -

4

--t i. y y I

g . > x a s sa :o --

s s - . --.

DE l I E o

o E!

as a

i

, _ _ , a 5

-- m M ,

3 . y 3 --

~2 p - _r- m e

e

--v,L-g - e <

- < -w a . a e -

I n r. o e. m o a g a6 ,-. 4 t',

g u a n

O M M gg f,

gf3 a m .

M M Qo e N 0-R*

2 u,

- m a

I* O et o  %

e, - < n n.

n <M g

m ".La

.- ag 175 na (1g SU Page 51 Attachment to Appendix B page 7 of 8 I

Reactor Safety Committee Page 2 March 8, 1982 Page 10 add statement as follows:

I The excess reactivity will vary somewhat depending on the core configuration.

shutdown margin.

The limiting factor is the specification on the Page 11, under start-up count rate - function

.I change two shim rods to three shim rods.

under air pressure to header add setpoint of 5 psig I Page 30 a Page 33 correct typographical errors change approximately 100 C to the boiling point of water 5.0 The proposed change to the scram logic system and annunciator panel was reviewed by the committee. It was decided that the signals going into the

, scram logic system should remain unchanged. The committee approved the new annuniciator system and the addition of a pump on - header down scram.

6.0 The committee reviewed the proposed changes to UVAR SOP, Section 11, abnormal procedures and approved with the following changes:

Introduction:

add following sentence after first paragraph. eg b If an abnor evaluate the asc gm d

= ... e{t agpossible y ar4_a reportable Senior Operator shall be p n occurrence-

. mt to Add: Section m) Pool Temperature Page 11 1.0 change to read as follows:

I With the reactor operating at power, the indication (s) on the power range channel (s) is reading five % (100 kw) below the power level as indicated by the differential temperature across the core.

I b.

c.

add following sentence:

If instrument is not required notify Senior Reactor Operator.

change last sentence to read:

l l

I There must be two people at the bridge to adjust wells and the adjustment

!I shall be supervised by a Senior Reactor Operator.

Page 11 b.1 change as follows:

If the unexplained reactivity change results .in a stable period of 30 seconds or less the reactor shall be shutdown. If any reactor safety system exceeds its scram setpoint and the reactor does not scram, the operator shall scram the reactor manually.

lI add page 11-14 Section m:

A. Pool Temperature The reactor pool temperature should rise approximately 10 F per hour when the reactor is first brought to power but the rate should decrease as time passes.

a) Symptoms

1. Pool temperature continues to rise after system has stabilized.

Attachment to Appendix B page 8 of 8 f'

r l

C I Appendix C Scram IAgic A review of the scram-logic drawer drawing that has been kept up to date yields the following I observations. It is assumed that during the original installation of this drawer in circa 1971 all of the unused inputs of the 28 input mixer driver were bypassed by shorting out the input diodes within the Mixer-Driver-B modules. There were only a few inputs used at that time as listed below.

ORIGINAL Mixer Driver Input Function i MDI-27 Low Flow & Pool Level #1 MDI-28 Intermediate Period I MDI-29 MDI-30 Range Switch Auxiliary Scrams MDI-31 Power Range #1 MD2-8 Pump Off & Pool Level #2 MD2-9 Intermediate Period MD2-10 Range Switch l MD2-11 Auxiliary Scrams MD2-12 Power Range #2 When comparing this list with the list of disabled scrams, there is a striking similarity. (Note:

The key switch now occupies the location of the old Auxiliary Scram and the poollevels now have independent inputs.)

iI In 1982, when the Auxiliary Scram bus was divided into its component scrams and the pool j levels were separated from their shared locations to facilitate the installation ofindividual 3 scram annunciators, the new scrams were given identical locations on both mixer drivers as tabulated below, while the old scrams retained their original positions.

I l

f I

l l 34 i

1982 MODIFICATION Mixer Driver Input Function MDI-1 & MD2-1 Pool Temperature MDI-2 & MD2-2 Manual Ground Floor MDI-3 Pool Level #2 MD2-3 Pool Level #1 MDI-4 & MD2-4 Manual Reactor Room MDI-5 & MD2-5 Air To Header MDI-6 & MD2-6 Pump ON l MDI-7 & MD2-7 MDI-13 & MD2-13 Bridge Radiation Face Radiation MDI-14 & MD2-14 Truck Door MDI-20 & MD2-20 Escape Hatch MDI-21 & MD2-21 Pump On Header l MDI-25 & MD2-25 Evacuation / Fire MDI-27 Low Flow I MDI-28 MDI-29 MDI-30 Intermediate Period Range Switch Key Switch MDI-31 Power Range #1 MD2-8 Pump Off I MD2-9 MD2-10 MD2-11 Intermediate Period Range Switch 1

{

Key Switch MD2-12 Power Range #2 The "new" scrams are also the ones that continued to be operational during this event, in which the original scrams were non-operational. The up-to-date drawing of the Scram Logic Drawer does not show the internals of the modules and the manual for the modules do not indicate that any inputs in the system have been disabled. As part of the modification in 1982, the above listed inputs were re-enabled in the mixer drivers.

No explanation has been found as to why the original installation did not use interchangeable inputs for the scrams. When SRO B.H. schemed out the modification of 1982, he saw no hinderance to using the same inputs on both channels. His notes from the 1982 modification

, clearly indicate that at that time he was aware of the asymmetry in the mixer drivers but assigned no undue importance to this. (It is a pity that he did not have a recollection of his work on this part of the console more than a decade ago.)

The permanently shutdown CAVALIER also does not use symmetric input to its Mixer Drivers.

I 35

a

- I u

i

- Appendix D UVAR Scrams and Alarms Complete List Of UVAR SCRAMS m

The first logic scram is indicated by flashing light, subsequent ones by solid light. All scrams I are accompanied by Scram Alarm both visual (on the Combined Alarm Panel) and constant l audible tone. Manual Scram on Console is mechanical switch downstream of Scram Logic.

1. Power Range #1 . . . . . . . . . . . . . (250 kW or 2.5 MW, UIC)
2. Power Range #2 . . . . . . . . . . . (250 kW or 2.5 MW, UIC)
3. Pool Level #1 . .. . . . . (19'3", mechanical switch)

L 4. Pool Level #2 . . .... . . . . . (19'3", electrical conductivity switch)

5. Primary Pump Off . . . . . . . . . (transition, senses voltage to motor)

E 6. Primary Pump On . . . . . . . . . . . (transition, pump "ON" switch)

' 7. Bridge Radiation . . . . ....... (30 mR/hr, ion chamber above pool)

8. Face Radiation . .. ...... . (2 mR/hr, ion chamber at ground Door)

E 9. Range Switch . . . . . . . . . . . . . (2 MW mode with flow header down)

10. Pump On, Header Down . . . . . (primary pump on with flow header down)
11. Air to Header . . . .. .. . . . . ( >2 psi air to floats that raise flow header)
12. Truck Door Open .... . . (confinement is lost, mechanical switch) l I 13. Escape Hatch Open . . . . . . . . . . . (mechanical switch) 13a. Mineral Irradiation Scram . . . (high gamma shield temperature or low stone bed

. .. .... .... .. cooling gas flow) .

I 14. Manual by Room Door .... . . (mechanical switch)

15. Manual by Back Door . . . . . . . . . (mechanical switch) 15a. Neutron Beam Port Scram . (entrance into block house with beam port drained)

I 16. Evacuation Alarm . .

16a. Fire Alarm . . . . .

(four mechanical switches and alarms)

. .... (five pull boxes and six heat sensors)

17. Pool Temperature .. . . . . . . . . (105"F, RTD sensor)

I 18. Intermediate Period . . .

19. Low Flow . . . . .....

. . . (3.5 sec, CIC)

. (960 gpm, differential pressure across orifice) l 20. Key Switch .............

. . . (mechanical switch)

21. Manual Scram on Console . . . . . (hard contact mechanical switch)

UVAR Interlocks j Shim Safety Rod Withdrawal prevented unless:

l

1) Source Counts indication greater than 2 CPS
2) Instruments NOT in test i a. Power Range #1 and #2 I
b. Intermediate Range
c. Source Range ,

l d. Pool Temperature l t

4 i

I l 36

l l

UVAR Alarms l

Alarms have a red lamp to indicate current status and a yellow lamp that locks on until cleared by operator. Scram alarm has continuous tone silenced by operator. Other alarms have intermittent tone silenced by the operator or automatically after two minutes.

1. Scram Alarm .............. (any scram)
2. Seno Rod Control Lost . . . . . . . . (any reason to loose automatic rod control)
3. Area or Argon Monitor high Level (particular instrument has red light) l 4. Core Gamma High Radiation . . . (gamma ion chamber 10 ft. above core)

! 5. Constant Air Monitor . . . . . . . . (particulates in reactor room from fission gasses)

6. Heat Exchanger Room Door . . . . (entrance to high radiation area)
7. Demin. Room Door . . . . . . . . . . . (entrance to high radiation area)
8. Core Differential Temperature Higb(over power) l 9. Demin. Conductivity High . . . . . . ( > 2 micro siemens, demin. sending bad water)
10. Secondary Pump OFF . . . . . . . . (any time secondary pump is off)
11. Hot-Thimble Temperature . . . . . (any temperature either high or low)

I I

I  !

l 4

l l

I I 37

.