ML17237B992


Massachusetts Institute of Technology - Request for Additional Information for Nuclear Safety System Upgrade License Amendment Request
ML17237B992
Person / Time
Site: MIT Nuclear Research Reactor
Issue date: 10/12/2017
From: Patrick Boyle
NRC/NRR/DPR/PRLB
To: Queirolo A
Massachusetts Institute of Technology (MIT)
Boyle P, NRR/DPR, 301-415-3936
References
CAC MF5003


Text

October 12, 2017

Mr. Alberto Queirolo, Director of Reactor Operations
Massachusetts Institute of Technology
Nuclear Reactor Laboratory
Research Reactor
138 Albany Street, MS NW12-116A
Cambridge, MA 02139

SUBJECT: MASSACHUSETTS INSTITUTE OF TECHNOLOGY - REQUEST FOR ADDITIONAL INFORMATION FOR NUCLEAR SAFETY SYSTEM UPGRADE LICENSE AMENDMENT REQUEST (CAC NO. MF5003)

Dear Mr. Queirolo:

The U.S. Nuclear Regulatory Commission (NRC) is continuing its review of your license amendment request (LAR) for Facility Operating License No. R-37, dated September 30, 2014, as supplemented by letters dated May 12, 2016, and July 6, 2017 (available on the NRC's public Web site at www.nrc.gov under Agencywide Documents Access and Management System Accession Nos. ML14282A039, ML16139A786 and ML17193A188, respectively), for the Massachusetts Institute of Technology (MIT) as part of the upgrade of the Nuclear Safety System for the MIT Reactor. During our review, questions have arisen for which additional information is needed. The enclosed request for additional information (RAI) identifies the information needed to continue our review. We request that you provide responses to the enclosed RAI within 60 days from the date of this letter.

In accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.30(b), "Oath or affirmation," you must execute your response in a signed original document under oath or affirmation. Your response must be submitted in accordance with 10 CFR 50.4, "Written communications." Information included in your response that is considered sensitive or proprietary, that you seek to have withheld from the public, must be marked in accordance with 10 CFR 2.390, "Public inspections, exemptions, requests for withholding." Any information related to security should be submitted in accordance with 10 CFR 73.21, "Protection of Safeguards Information: Performance Requirements." Following receipt of the additional information, we will continue our evaluation of your LAR.

If you have any questions, or need additional time to respond to this request, please contact me at 301-415-3936 or by electronic mail at Patrick.Boyle@nrc.gov.

Sincerely,

/RA/

Patrick G. Boyle, Project Manager
Research and Test Reactors Licensing Branch
Division of Policy and Rulemaking
Office of Nuclear Reactor Regulation

Docket No. 50-20
License No. R-37

Enclosure: As stated

cc: w/enclosure: See next page

Massachusetts Institute of Technology
Docket No. 50-20

cc:

City Manager
City Hall
Cambridge, MA 02139

Department of Environmental Protection
One Winter Street
Boston, MA 02108

Mr. Jack Priest, Director
Radiation Control Program
Department of Public Health
529 Main Street
Schrafft Center, Suite 1M2A
Charlestown, MA 02129

Mr. John Giarrusso, Chief
Planning and Preparedness Division
Massachusetts Emergency Management Agency
400 Worcester Road
Framingham, MA 01702-5399

Test, Research and Training Reactor Newsletter
P.O. Box 118300
University of Florida
Gainesville, FL 32611-8300

Ms. Sarah M. Don, Reactor Superintendent
Massachusetts Institute of Technology
Nuclear Reactor Laboratory
Research Reactor
138 Albany Street, MS NW12-116B
Cambridge, MA 02139

ML17237B992    *concurred via e-mail    NRR-106

OFFICE  NRR//DPR/PRLB/PM  NRR//DPR/PRLB/LA*  NRR//DPR/PRLB/BC  NRR/DLP/PRLB/PM
NAME    PBoyle            NParker            AAdams            PBoyle
DATE    8/30/2017         8/30/2017          9/28/2017         10/12/2017

Enclosure

OFFICE OF NUCLEAR REACTOR REGULATION

REQUEST FOR ADDITIONAL INFORMATION FOR THE LICENSE AMENDMENT REQUEST TO UPGRADE THE NUCLEAR SAFETY SYSTEM AT THE MASSACHUSETTS INSTITUTE OF TECHNOLOGY REACTOR

LICENSE NO. R-37; DOCKET NO. 50-20

By letter dated September 30, 2014, and as supplemented by letters dated May 12, 2016, and July 6, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML14282A039, ML16139A786, and ML17193A188, respectively), the Massachusetts Institute of Technology (MIT, the licensee) submitted a request to upgrade the nuclear safety system (NSS) portion of the Reactor Protection System (RPS) and incorporated by reference letters dated November 18, 2013, and June 6, 2014 (ADAMS Accession Nos. ML13339A343 and ML14161A035, respectively).

The proposed upgrade of the NSS will replace the current six channels (three for reactor period and three for reactor power level, any one of which will trip the reactor). The new system will contain four channels, each of which monitors both the reactor period and the reactor power level. The new system will trip the reactor when a scram input from two separate channels occurs at the same time (concurrently). This two-channel trip requirement is also called two-out-of-four scram logic, which is different from the existing one-out-of-three scram logic utilized by the RPS.

During the review of the license amendment request (LAR), several open items were identified and previously transmitted to MIT (ADAMS Accession Nos. ML17130A898, ML17156A524, and ML17170A271, respectively).

The U.S. Nuclear Regulatory Commission (NRC) staff performed a regulatory audit at the MIT reactor (MITR-II) in Cambridge, MA from July 24-26, 2017, in accordance with the audit plan (ADAMS Accession No. ML17177A189). The purpose of the audit was to determine if the design and development processes used, and the outputs of those processes, resulted in an NSS that meets applicable regulatory requirements, and the guidance from the applicable criteria in Section 7.4, "Reactor Protection System," of the draft Interim Staff Guidance (ISG) for NUREG-1537, Part 2, "Guidelines for Preparing and Reviewing Applications for Licensing of Non-Power Reactors: Acceptance Criteria" (ADAMS Accession No. ML15134A486). In addition, the regulatory audit was to address open items and identify information that would be required to be docketed in order to support the basis of the licensing decision and allow the NRC staff to more efficiently gain insights on the MITR-II NSS custom built components.

During the audit, NRC staff reviewed the design, development, fabrication and testing of the NSS. Based on the information provided, NRC staff found that the current design at MIT has changed from the design provided to NRC as part of the LAR and its supplements. In addition, it appears that some design features that provide a basis for our regulatory decision, such as drop timer interface, test key switches, and RS-232 interface, etc., have not been completely developed and documented. In addition, the staff had difficulty confirming MIT's utilization of its quality assurance (QA) program in the design development and testing of the MIT-developed components of the NSS. These issues were discussed with MIT at the end of the audit and will be documented in the audit report. The NRC staff will issue the audit report in the near future.

MIT has since clarified that they are not making additional changes to the system and the remaining documentation of a few NSS components will be docketed.

The NRC staff cannot finish its review of the LAR until complete documentation of the final design and integrated testing results are provided. This documentation must include the revised and complete description and logic diagrams for all NSS components developed by MIT. In addition, NRC staff identified the following requests for additional information (RAIs), which were discussed during the audit and are necessary to support NRC review. We request that you provide responses to the following RAIs within 30 days from the date of this letter.

Regulatory Basis for the Request

The NRC staff reviewed the licensee's LAR, as supplemented, to ensure that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) activities proposed will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. The NRC staff considered the following during its review of the proposed changes.

Title 10 of the Code of Federal Regulations (10 CFR), Part 50, "Domestic Licensing of Production and Utilization Facilities," provides the regulatory requirements for licensing of non-power reactors.

The regulations in 10 CFR 50.34, "Contents of applications; technical information," paragraph (a)(7), require each applicant for a construction permit to build a production or utilization facility to include, in its preliminary safety analysis report (SAR), a description of the QA program to be applied to the design and construction of the structures, systems, and components of the facility. Furthermore, 10 CFR 50.34(b)(6)(ii) requires that each applicant for a license to operate a facility include, in the final SAR, a description of the managerial and administrative controls to be used to ensure safe operation.

The regulations in 10 CFR 50.36, "Technical specifications," require that each applicant for a license authorizing operation of a production or utilization facility include in this application proposed technical specifications (TSs).

On November 6, 2015, the NRC published in the Federal Register (80 FR 70850) draft ISG to Chapter 7, "Instrumentation and Control," of NUREG-1537, Part 1 and Part 2 (ADAMS Accession Nos. ML15134A484 and ML15134A486, respectively). This draft ISG updates and expands the content of Chapter 7 of NUREG-1537, Part 1 and Part 2 respectively, to provide guidance to the licensee in preparing a license application and to the NRC staff in evaluating the LAR for instrumentation and control systems. This guidance was used for evaluating the LAR.

Request for Additional Information

1.0 MITR Quality Assurance program

In the LAR, Section 7.4.1.7, "Equipment Quality Control and Qualification," MIT stated that they applied the MITR QA program to all equipment used for the RPS and for its upgrade.

The ISG Part 1 guidance criteria 7.4-26 addresses review of the QA program to ensure the components and equipment of the new NSS system is commensurate with their safety importance. The NRC staff reviewed the licensee's QA program and determined that the QA program satisfies the requirements of 10 CFR 50.34, paragraphs (a)(7) and (b)(6)(ii).

During the regulatory audit, MIT did not provide sufficient documentation demonstrating how certain aspects of its QA program were followed in the design development and testing of the MIT-developed components of the NSS. For example, it was not clear to the NRC staff how the documents created for the MIT-developed components represent all the verification required by the MITR QA program.

RAI #1: Provide a summary description of the MIT QA program as applied to the NSS design modification and how the MIT staff has implemented its QA program for this project.

a) Describe the QA programmatic elements related to the design control and testing of the MIT-developed components of the NSS (e.g., independent QA approval of the design and testing procedures, and traceability of design changes and approvals during final development and testing).

b) Provide examples (e.g., records) that illustrate how the QA program was implemented.

2.0 NSS Description and Operation

MIT designed and developed many of the components for the NSS, and docketed this information in the LAR and supplements. However, during the audit, NRC staff noted that the information docketed (e.g., system description and logic schematics) did not represent the latest revision of these components. For example, MIT docketed R3W-256-2, "DWK Safety System Global Connection Diagram," Revision 1.4, but MIT staff was using Revision 1.6. Furthermore, there were modifications made to the system that were not reflected in this document (e.g., the schematic does not show signal connection from the Key Switch Module (KSM) to the Safety System Monitoring and Status Display (programmable logic controller (PLC))).

RAI #2: Provide complete system descriptions and logic schematics that describe the function and operation of all components developed by MIT, as appropriate. In addition, during the audit, NRC staff identified the following information, which is missing, and needs to be provided as part of the complete description of MIT-developed components of the NSS:

a) The LAR and supplemental information do not describe the DWK 250 test condition scram bypass key switch. Provide a description of how this switch is used to perform surveillance or pre-startup testing. A summary description of any other MIT-developed features for maintenance, surveillance, or calibration purposes must also be included.

b) In the LAR and its supplements, MIT described the use of a cable plug when a DWK 250 module is removed for maintenance or troubleshooting. However, the information provided does not describe how the cable plug will be used, and test procedures have not been provided to the NRC. Provide a description of how the cable plug will be used during maintenance or troubleshooting and identify the test procedures that will make use of the cable plug.

c) Drawing R3W-256-2, "DWK Safety System Global Connection Diagram," does not show all connections to the NSS components. For example, Revision 1.6 does not include the following connections: (1) between Signal Distribution Module (SDM) and the PLC and (2) KSM to PLC.

1) Provide the updated description for the final design of the PLC.
2) The Mirion DWK 250s have an interlock signal to tell the PLC if the channels are connected in the correct location. However, this information was not provided in the LAR and supplemental information. Explain how this interlock signal works and its configuration in the PLC.

d) The amendment and supplemental information do not describe the drop timer interface. Describe how this interface operates, how it will be used, and the test procedures that will be used with the drop timer interface.

e) During the audit, MIT did not provide documentation supporting the nominal trip setting for the <100 kW operating mode being set at 80 kilowatts (kW). Describe how the uncertainty and drift were used to establish the 80 kW setpoint for the system while operating in the <100 kW operating mode.

f) The description of the light emitting diode (LED) Scram Display was modified to include the use of the lamp test and the DWK 250 test condition scram bypass key switch. Provide an updated description for the final design of the LED Scram Display.

g) The SDM provides access to each of the four DWK 250 channels through the breakout box to set adjustable parameters by a dedicated computer. Clarify if the breakout box will be used in the final NSS design, and if so, how it will be used and its access controlled.

3.0 System Response

In the supplemental information submitted on July 6, 2017 (ADAMS Accession No. ML17193A188), MIT described the system response time, which was determined to be no more than 500 milliseconds (mS). However, during the audit MIT showed informal records of calculation of the system response time that obtained a response greater than 600 mS. During the audit, it was not clear why these two system response times were inconsistent.

RAI #3: Provide the system response time calculation to confirm the actual value for the final NSS design.

4.0 NSS Testing

By letter dated May 12, 2016 (ADAMS Accession No. ML16139A786), MIT stated, "The new Nuclear Safety System will receive pre-operational and operational testing under a Test Plan."

During the audit, MIT provided the test procedures and test results for Factory Acceptance Testing (FAT) of the Mirion DWK 250 racks. This FAT testing was based on a simulated input of the detectors (i.e., testing that included detectors in a radiation field was not performed).

Subsequently, the Mirion DWK 250 equipment was delivered, tested with the associated detectors in the target radiation environment, and associated adjustable parameters were set appropriately; these test procedures and results were reviewed as part of the audit.

However, at the time of the audit, MIT had not formally documented the tests performed for the MIT-developed components of the scram logic card (SLC), SDM, the <100 kW KSM, the Withdraw Permit Circuit modification, etc. In addition, MIT had not yet formally performed or documented the integrated system testing of the Mirion components with the MIT-developed components. Because the integrated system will include the Mirion DWK 250s and the components developed by MIT, integration testing shall be performed to verify all systems and components work properly and as required when integrated.

The LAR and its supplements refer to a Test Plan and a Global System Test that MIT stated will be used to validate the NSS system. However, during the audit, these documents were not available for the MIT-developed components of the NSS.

RAI #4: Describe the test approach and test procedures used to test and validate the final design of the NSS system. Additionally, provide the Test Plan and test summary report(s) that describe the results observed during testing in accordance with the test procedures for the MIT-developed components and the integrated system tests for the final NSS design.

Following approval of the upgraded NSS, MIT will integrate the upgraded NSS into the MITR and perform testing to ensure proper installation and proper operation of all interfaces. MIT noted in the audit that it has not developed an installation and operation Test Plan or procedures. However, MIT stated in its LAR that the system will be tested in accordance with the Global System Test.

RAI #5: Describe the test approach and provide the installation test procedure(s) that will be used to integrate the final NSS design into the MITR-II for the NSS upgrades.

5.0 Technical Specification

The LAR and its supplements identified modifications to MIT TS 3.2.3 and TS 4.2.1. However, MIT did not provide a markup of the TS with justifications for the proposed changes. In addition, the information in the LAR must be consistent with the proposed modification for TSs. For example, Modified TS 3.2.3, Table 3.2.3-1, identifies two operable channels for Period, but the description in Section 7.2.6 in Chapter 7 of the SAR identifies three operable channels. In addition, at the time of the audit, MIT had not finalized and approved the surveillance test procedures.

RAI #6: Provide the following:

a) Revised TS 3.2.3 and TS 4.2.1 with justification and bases for the changes proposed.

b) Clarify if the installation of the proposed NSS system will require changes to the surveillance frequency identified in the TS. If so, describe how the periodicity of the surveillance frequency was determined.

c) Provide the surveillance requirements to be performed associated with these TSs.

6.0 Mirion DWK 250 RS-232 Port Communication

In the LAR, MIT described that the adjustable parameters of the DWK 250s could be changed via the communication RS-232 connector on the front and a terminal block on the back. MIT was considering using this port during testing by plugging in a dedicated, password-protected, non-networked computer to be used for data acquisition from all four DWK 250s. Currently MIT is not using this port to change parameters. However, during the audit, MIT expressed interest in using this feature in the near future.

RAI #7: Explain if the RS-232 port is going to be used. If used, explain how it is going to be used and controlled and the corresponding test procedures.

7.0 System Classification

The ISG Part 2 guidance for design criteria 7.4-34 states, "Verify that the RPS equipment is distinctly identified to indicate its safety classification and to associate equipment according to divisional or channel assignments." The LAR does not clearly identify the safety classification of the NSS components. This was discussed during the audit, and MIT explained that components required to generate a scram signal are considered to be safety related. However, NRC staff requires clear identification of the safety related components.

RAI #8: Provide a clear description of the classification for each component of the NSS.

In addition, the NSS includes a LED Scram Display to signal trip condition signals from the SLC-1 and SLC-2. The LED Scram Display also includes the reset buttons, one corresponding to each DWK 250 channel. The console operator needs to manually push the Reset button for the corresponding channel in order to clear the alarm for that channel latched in both of the SLCs. All alarms should be reset prior to restarting the reactor.

The LAR and its supplements identified the LED Scram Display as a non-safety related component of the NSS. However, it is not clear to the NRC staff why the LED Scram Display is not a safety related component of the NSS, since resetting of the trip functions is performed from the reset buttons on the LED Scram Display.

RAI #9: Explain why the LED scram display is considered a non-safety related component.

8.0 Console Layout

At the time of the audit, the NSS components were installed in a temporary rack, with the exception of the Mirion DWK 250s, which were already installed in the panel. The LAR and its supplement do not indicate the final location or arrangements for the NSS, and this information was not available during the audit.

RAI #10: Provide the console layout indicating where the NSS components will be located in the final design.

9.0 Cyber Security

At the time of the audit, MIT had not documented any cyber security measures related to the use, testing, and calibration of the DWK-250s. Comments made by the MIT staff during the audit indicated that decisions about control and calibration were still being made. Specifically, a determination has not been made regarding the calibration and testing of the system being done manually or with a laptop.

In order for the NRC staff to proceed with its cyber security review of the installed equipment, the cyber security controls must be understood. For example, if a laptop, computer, or other similar device will be used, cyber security measures shall be used to ensure that a compromise of the device(s) used to configure the DWK 250s cannot result in adverse impact to the safety system.

RAI #11: Provide an explanation of the method that will be used to configure the DWK-250 settings and how these settings will be protected from unauthorized modification.