Text

Proposed Changes to the Tec hnical Specification s Related to the Licen se A mend ment Reque st for the Upgrade of the Ins trumentation and Control System for the Armed Forc es Radiobiology Research Institute TRIGA Reactor

4 April 2022 Contents

Summary................................................................................................................................................. 3 1 Change #1 - Table 2. Minimum Reactor Safety System Scrams........................................................ 4 1.1 Safety Analysis - Technical Specification Table 2 - Watchdog Timer Circuit s............................ 5 1.2 Safety Analysi s - Technical Specification Table 2 - AC Power Loss............................................ 6 2 Change #2 - Table 3. Minimum Reactor Safety System Interlocks.................................................... 8 2.1 Safety Analysis - Technical Specification Table 3 - Operational Channel................................... 9 2.2 Safety Analysis - Technical Specification Table 3 - Low Source Interlock.................................. 9 3 Change #3 - Reactor Safety Systems Surveillances......................................................................... 11 3.1 Safety Analysis - Technical Specification 4.2.2........................................................................ 12 4 Change #4 - Fac il it y I nt erl oc k Sy st em Surv ei ll anc es....................................................................... 13 4.1 Safety Analysis - Technical Specificat ion 4.2.4 - Core Dolly Interlock Override Switch............ 14 5 Update to the Safety Analysis Report............................................................................................. 19 6 Other Documents.......................................................................................................................... 19 7 Conclusion..................................................................................................................................... 19 Appendix A - Page Markups.................................................................................................................. 20

ii

Summary

The safety analysis presented concludes that the health and safety of the public will not be endanger ed by operation and t hat such activities a r e i n c om pl i a nc e w it h regulations, t herefor e, t he approval of these proposed changes wi l l not be i nimic al t o t he common def ense and security or to the health and safety of the public.

This document supersed es al l previously proposed changes to the Technical Specifications that were detailed in the submittals dated November 10, 2020, February 5, 2021, February 11, 2021, and January 7, 20 22.

The current N RC approved technical specifications are detailed in the Technical Specifications for the AFRRI Reactor Facility dated 30 September 20 1 6 (ML16077A302 ) and as amended on August 1 4, 2019 (ML19058A327 ).

3 1 Cha ng e #1 - Table 2. Minimum Reactor Safety System Scrams

TS 3.2.2 Tabl e 2 Mi nimum Reac t or Safet y Syst em Sc rams needs t o be revi sed t o reflect that there are two watchdog timer circuits and that the names of the components have changed slightly. The last row will be amended as follows:

a. Column 1 will be amended from Watchdog (DAC to CSC) to Watchdogs (UIT and CCS).

b. Column 2 wi ll be amended to specify the maximum time of 15 seconds for the scram to occur.

c. Columns 3 and 4 wil l be amended to require two watchdog timer circuits, one for each computer, for both steady-state and pulse modes of operation.

d. The last row has been added t o spe cify a loss of AC power scram. This is consistent wit h Sec ti on 8.2 and Table 14.1 in U.S. Nuclear Regulatory Commission, NUREG 1537 Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, 1996.

On page 14 of the Technical Specifications:

Table 2. Min imum Reactor Safety System Scrams

Channel Maximum Set Point Effective Mode Steady State Pulse Fuel Tem perat ur e 60 0°C 2 2 P erc ent P ower, H i gh Fl ux 1.1 MW 2 0 Console Manual Scram Button Closure switch 1 1 High Voltage Loss to Safety Channel 20 % Loss 2 1 Pulse Time 15 seconds 0 1 Em erg enc y St op Closure switch 3 3 (1 in each exposure room, 1 on console)

P ool Wat er Lev el 1 4 feet from t he t op of 1 1 t he c ore Watchdog (DAC to CSC) On digital console 1 1 Watchdogs (UIT and CCS) 15 seconds 2 2 AC Power Loss 15 seconds 1 1 Bases The fuel temperature and power level scrams provide protection to ensure that the reactor can be shut dow n before t he fuel t em perat ure safet y l im it i s exceeded. The manual scram allows the operator to shut down the system at any time if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety channels, operation of the reactor without adequate instrumentation is prevent ed. The preset pulse timer ensures t hat t he reac t or power level will ret urn t o a low level aft er pulsing. The emergency stop allows personnel trapped in a potentially hazardous exposure room, or the reactor operator, to scram the reactor through the facil it y i nt erl oc k sy st em. The pool wat er l ev el ensures that a loss of biological shielding would result in a reactor scram. The watchdog scram ensures reliable c om m uni c at i on bet w een t he User I nt erfac e Term i nal (UI T) and t he C onsol e C om put er Sy st em ( CC S). Da t a Acquisition Computer (DAC) and the Control System Computer (CSC). The AC power l oss sc ram ensures that a loss of AC power to the uninterruptible power supply (UPS) for the reactor control console will res ul t i n a s c ram.

4 1.1 Safety Analysis - Technical Specification Ta b le 2 - Watchdog Timer Circuits The previous instrumentation and control s y st em c onsist ed of t he Cont rol Syst em Console (CSC) c omput er and the Data Acquisition and Control (DAC) computer. The CSC was responsible for acquiring raw dat a from the DAC and processing it for display, performing calculations, and maintaining a number of statistics pertaining to the reactor and reactor facility, tasks similar to the new UIT and CSS computers. The C SC also continuously monitored the console switches for operator inputs, and then provided t he nec essary control functions by issuing commands to the DAC. For example, the rod positions w ere adjusted by issuing commands to the CSC which in turn transmitted these commands to the DAC via data communication networks. The DAC t hen rei ssued these commands to the rod drive mechanisms.

Both the DAC computer and CSC computer incorporated watchdog ti m er circuits (W DT). These c irc uit s monitored the firmware operating system to ensure all tasks w ere c ompl et ed i n t he desi gnat ed ti me. I f any of the watchdog timers w ere not res et by t he oper at i ng sy st em, rel ay s on the watchdog board would de-en ergi z e. These r el ay s we re hardwired into the SCRAM loop.

The n ew instrumentation and control console also contains two computer systems, the control computer system (CCS) and the user interface terminal (UIT). Watchdog ti m er circuits have also been incorporated for eac h c om put er syst em t o ensure det ec t i on of problems such as CPU latch-up, control system faults, wiring/cabling failure, unauthorized tampering, unanticipated software conditions, communications problems, or power failures.

The watchdog timers monitor the UIT computer and CCS computer and are wired in with the SCRAM loop.

The software must periodically send a keep -alive signal t o t he watc hdog t imers t o prevent t hem from alarming and thus scramming the reactor. The time delay before an alarm occurs is adjustable between 5 and 15 seconds. The CCS and UIT watchdog timers monitor the computers and if ei t her of t he computers fails to send a signal to their WDT, the respective WDT will time out and a SCRAM occurs. When the watchdog timers lose power, their outputs will default to a failsafe condition, which will also scram the reactor.

Watchdog timeout occurs when the software is doing some internal processing and fails to refresh watchdog timers within a set period (usually 7-10 seconds). This can happen, for example, if the software ent ers an "i nfi nit e l oop" or ot herwi se "freez es up. " I f the sy st em c annot respond to reactor inputs within t he spec i fi ed am ount of t im e, t he syst em wi ll s c r am the control rods via a watchdog scram. In general, it should be very rare for a watchdog timeout to occur during normal reactor operation wit h the software operating properly. In some cases, it could be possible for the operating system to consume so much time that a watchdog timeout occurs even though the software is otherwise operating properly; but this should be a very rare occurrence. Should a watchdog timeout occur during normal system operation and the software has not frozen up, this could be an indication that system resources need to be freed. In this c ase, the control console system should be shutdown and restarted.

The nuclear instrumentation that prevents the reactor from exc eedi ng a safet y l imit are i ndepend ent of the digital instrumentation and are completely analog, and as such do not rely on communication with the control console to initiate protective scram actions.

The worst case scenario would involve the uncontrolled withdrawal of a control rod caused by a non-responsive syst em result ing in a reactivit y insert ion event. The NLW-1000 provides the reactor period si gnal while t he C SC enforc es vi a soft ware t he l ess t han 3-second period interlock protection. A ut om ati c mode allows for the simultaneous withdrawal of all three standard control rods. Normally, the less than 3 second period interlock limits the reactivity insertion rate, however in the event that the computer fails i n suc h a way t hat it is incapable of communicating this interlock to the rod drives, t he 3-second period interlock is rendered non-functional and a ramp reactivity insertion accident may occur. Scenarios

5 initiating at a power level of 100 watts and 1 MW have been analyzed and are detailed in Revision 1 of the Supplemental Information for the License Amendment Request for the Upgrade of the Instrumentation and Control System for the Armed Forces Radiobiology Research Institute TRIGA Reactor.

It is shown that the overpower scrams provided by the NP-1000 and NPP-1000 activate within approximately 2.5 seconds, well before any watchdog would time-out, and t hat t he sc enarios are well wi t hi n t he maxi mum react ivit y li mit of $3.50.

The design function of the watchdog timers is not to prevent transient conditions but to automatically shutdown the reactor and alert the operator that the digital portion of the control system is not functioning properly, therefore the 15 seconds maximum setpoint for the watchdog timer is more than sufficient to satisfy this function and is equal to the maximum setpoint for the Pulse Timer.

Watchdog timer lights are provided for both the CCS and UIT to indicate when a watchdog timer timeout has occurred.

Watchdog t im er scram tests can either be performed one of three ways: (1) initiating the automatic reactor prestart tests on the Prestart Tests Display, (2) via checkboxes on the Test Functions Display, or (3) using the Scram and Interlock Test 2 Rotary Switch located on the Reactor Mode Control Panel. Aft er t ypic all y 5-10 seconds, but no more than 15 seconds, the associated watchdog circuitry shall SC RAM t he rods. Surv ei l l anc e TS 4. 2. 2. b requi res t hat t hese w at c hdog t i m ers are t est ed w eek l y w hen ev er op erat i ons are planned. The periodicities that pertain to the previous watchdog timer circuits are still applicable and appropriate for the new circuits and are not amended.

A malfunction of the watchdog ti m er circuits resulting in a failure to detect a loss of communication with the computer systems will not prevent any scram actions originating from the nuclear instrumentation, since these actions are completely analog and separate from the digital components. Theref ore, it is concluded that the failure of the watchdog timers will not result in the exceeding of a safety limit and that the proposed change to Table 2 of TS 3.2.2 will continue to perform the design function required by this channel in a safe and reliable manner without imposing any undue risk to the health and safety of the public.

1.2 Safety Analysis - Technical Specification Ta b le 2 - AC Power Loss Consistent with Section 8.2 and Table 14.1 in U.S. Nuclear Regulatory Commission, NUREG 1537 Part 1, a limiting condition for operation for a loss of AC power scram, along with a companion surv eil l anc e (refer to Section 3 of this document) has been added to the technical specifications.

AC power is supplied to the reactor instrumentation and control console v i a t he uninterruptibl e pow er supply (UPS) located in the control room. The UPS is not required for the performance of any safety function, but it is desirable as it allows for a graceful shutdown of the console computers in the event of the loss of AC pow er.

The loss of AC power t o t he UPS will open a cont act on the UPS and a scram wi ll be gener a t ed. This ensures t hat the reactor will automatically scram and enter and remain in a safe shutdown condition. The ti me requirem ent for this scram to occur is no more than 15 seconds.

If AC power is lost, the primary and secondary cooling systems will lose power and shut down. The 1 MW, full power, reactor pool heat up rate is 14.8°C /hr. W it h a typical operating primary water temperature of 20°C, it will take approximately 2.7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> to reach the primary w at er t em perat ure l i mit o f 60 °C, t her ef or e a maximum 15 second response time does not result in t he exc eedi ng of a safet y li mi t.

6 As with the coolant systems, the ventilation system will also lose power a nd i s desi gn ed t o fail-safe to t he confinement condition, thus ensuring the control of any airborne radioactive material. Therefor e a maximum 15 second response time does not result in the exceeding of a rel ease l i m it.

In t he event that AC power is lost, Reac t or Proc edure 00 4 - SCRAMS, Alarms and Abnormal Conditions requi res t he reactor operator to verify that the reactor has scrammed and to subsequently remove t he reactor console k ey, which will also result in a scram.

The appropriate s ections of the Safety Analysis Report will be updated to reflect this additional technical specification.

7 2 Cha ng e #2 - Table 3. Minimum Reactor Safety System Interl ocks

TS 3.2.2 Ta bl e 3 Minimum Reactor Safety System Interlocks needs to be revised to reflect that the terminology operational channel is no longer applicable for the new instrumentation and that the source range rod withdrawal interlock be specified in watts not cps. Column one will be amended as follows:

a. Row 3 will be amended from operational channel to Linear Power Channel.

b. Row 3 will be am ended t o refl ec t t hat t he l ow sourc e int erl oc k set poi nt i s spec i fi ed i n w att s a nd not counts per second.

c. Row 5 will be amended from operational channel to Log Power Channel.

On page 15 of the Technical Specifications:

Table 3. Min imum Reactor Safety System Interlocks

Effective Mode Action Prevented Steady Pulse State Pulse initiation at power levels greater than 1 kW X Withdrawal of any control rod except transient X Any rod withdrawal with count rate below 0.5 cps power l ev el bel ow 1 x 10 -5 watts as measured by the operational channel Li near P ower X X Channel (NMP-100 0)

Simultaneous manual withdrawal of two standard rods X Any rod withdrawal if high voltage is lost to the operational channel X X Log Power Channel (NLW-10 00 )

Withdrawal of any control rod if reactor period is less than 3 seconds X Application of air if t he transient ro d d ri v e is n ot fully down. Thi s X i nt erl oc k is n ot required i n square wav e m ode.

• Reac t or safet y sy st em i nt erl oc ks shal l be t est ed dai l y when ever operations involving these functions are planned

Bas es The int erl ock preventing the i nitiation of a pulse at a power l evel above 1 kW ensures that the pulse magnitude will not r es ul t in exc eedi ng th e f u el el em ent tem p erat ur e s af ety limit. Th e i nt erlock that pr ev ents mov em ent of st and ar d cont rol r od s in puls e m od e will pr ev ent th e i nad v ert ent i ncr ea s e in st eady state reactor power prior to initiation of a pulse. Requiring a minimum c ount rat e p ow er l ev el to be m ea s u r ed by t h e op erational chan n el Lin ear Pow er Chan n el ensu r es su ffici ent so urc e n eut ro ns to brin g th e reactor critical under controlled conditions. The interlock that prevents the simultaneous manual withdraw al of two sta nd ard c ontr ol r ods limits th e amount of r eactivity ad d ed p er unit tim e. C or r ec t hi gh voltage to the operati onal channel Log Power Channel ensu r es accur at e po w er in dications. P r ev enti ng th e withdrawal of any control rod if the period is less than 3 sec onds minimizes the possibility of exc eeding the maximum permissibl e power l ev el or t h e fu el t em p e rat u r e saf et y l i m i t.

8 2.1 Safety Analysis - Technical Specification Ta b le 3 - Operational Channel The pr evious neutron power monitor, NM -10 00, was designated as the operational channel and consisted of both a m ul ti-range linear component and the wide range log component utilizing the signal from one fission chamber covering the entire neutron flux range from source to full power, with the source range output covering the lower six decades and a linear percent power output covering the upper t hree decades of reactor power.

The NM-1 000 has been repl ac ed by t wo c ompl et el y separat e and independent channels, therefore the terminology of operational channel is no longer applicable. The linear portion of the NM-1000 has been replaced by the NMP-100 0. The N MP-1000 i s a m ul ti-range linear channel capable of providing indication from the source range through full power. The NMP-1000 will be known as t he Linear P ow er Channel. The logarithmic portion of the NM-100 0 has been replaced by t he N LW-1000. The NLW-1000 is a logarithmic channel and is also capable of providing indication from the source range through full power. The NLW-1000 will be known as the Log P ow er Channel. Ther efor e, the term Operational Channel has been changed to Linear Power Channel and Log Power Channel as appropriate.

This proposed change is t o bet t er refl ec t t he c urrent channels installed and t he terminology used at the facility and al s o t o remove any ambiguity as to which channel the specifications apply, therefore, it is concluded that this proposed change to Table 3 of TS 3.2.2 does not impose any undue risk to the health and safety of the public.

2.2 Safety Analysis - Technical Specification Ta b le 3 - Low Source Interlock The NMP-1000 channel provides the Low Source Interlock. The NMP-1000 uses a compensated ion chamber, and as such, outputs a current and is designed to display in watts and not counts per second (c ps), t herefor e t he i nt erl ock set poi nt needs to be specified in watts.

N ei t her t h e N LW-100 0 nor NMP-1 000 provides a reading in cps. The NLW-100 0 displays percent full power while t he NMP-1000 displays watts. Providing an equivalency from either instrument to cps would be difficult and inaccurat e.

The d esign function of the low source interlock is to only permit rod withdrawal when there are sufficient neutrons to provide proper instrument response for bringing the reactor critical under controlled conditions. Therefor e, it is only necessary to verify that the channel is capable of performing this design function. This is accomplished by using a neutron source to ensure that the channel is responding to neutrons and not just gammas. The neutron source used at AFRRI is a 3 curie (Ci) americium-beryllium (Am-Be), cylindrical-shaped, double encapsulated source. The source is located in the core, and remains there during operation, but can be removed for training, maintenance, and to verify the functionality of t he sourc e i nt erl oc k.

During the functionality test, the source is removed from its normal in core location and the power monitoring instrument, NMP-1000, is allowed to drop below the interlock setpoint which trips the rod withdraw interlock and prohibits the withdrawal of control rods. This test ensures t hat t he i nt erl oc k i s set properly.

From Figure 2-1, it is shown that a setpoint of 1x10-5 watt s is well above t he level when t he sourc e is removed which provides assurance that channel is operating correctly by detecting sufficient source neutron prior to startup. Therefor e, it is concluded that the proposed change to Table 3 of TS 3.2.2 for the source range interlock will continue to perform the design function required by this channel.

In the unlikely event that the NMP-1000 fails to provide the proper respons e and the operator attempts to start the reactor with little or no source neutrons, this could result in a reactivity insertion event. This

9 event would be bounded by the analysis presented in the Chapter 13 of the SAR and in Section 1.3.5 of the Supplement to the LAR, therefore, the consequences would be minimal.

1MW

100 kW

10 kW

1 kW

100 W

10 W

1 W

0.1 W

0.01 W

0.001 W

Source Level with Am-Be Source Installed 0.0001 W

Low Source Interlock Setpoint 0.00001 W Source Level with Am-Be Source Removed

0.000001 W

Fi g ure 2 Ranges of Operation for the NMP -1000

10 3 Cha ng e #3 - Reactor Safety Systems Surveillance s

TS 4.2.2.b has two revisions, the first to correct a typographical error and del et e t he repeat ed words of eac h. The second, to explicitly state that t he c ha nnel s t o be t es t ed a r e t he reactor safety system channels as specified in TS 3.2.2 Table 2 and Table 3 wit h t he exc ept ion of t he exposure room emer genc y st op scrams.

TS 4.2.2.c al s o contains two revisions. The first is an addition that spec i fi es t hat the setpoints for the high voltage loss to the safety channel scrams hav e been verified as part of the channel calibrations. The sec ond, is the removal of the refer ence to the NM1000 since this channel is obsolete and has been replaced with the NLW and NMP channels, which are already included in the specification.

TS 4. 2.2. e has been r evi sed t o expl i ci tl y st at e t he exposure room em er g enc y st op sc ram s shal l be t est ed annually, and a specification for the testing of the AC power loss scram has a l s o been added.

On page 28 of the Technical Specifications:

4.2.2. REACTOR SAFET Y SYSTEM S Applicability Thes e spec i fi c ati ons appl y t o t he surv ei ll anc e requi rement s for m easurem ent, t est, and calibration of the reactor safety systems.

Objec t i v e The obj ective is to verify the performance and operability of the systems and components that are directly related to reactor safety.

Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.

b. A c hannel t est of eac h of each of the reactor safety system channels in Table 2 and Table 3 wi t h t he exc ept i on of t he exposure room em ergenc y st op and AC power loss sc r am s for the intended mode of operation shall be performed weekly, whenever opera tions are planned.

c. Channel calibration, including verification of the setpoints for the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NM1000, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

d. A thermal power calibration shall be completed annually not to exceed 15 months.

e. The exposur e room em er genc y stop and AC power loss s c r am s shall be tested annually, not to exceed 15 months.

f. The low pool wat er scram shall be t est ed weekly not t o exceed 1 0 days whenever operat ions are planned.

g. The console manual scram button shall be tested weekly not to exceed 10 days whenev er operations are planned.

Bases TRIGA system components have proven operational reliability. Daily tests ensure reliable scram functions and ensure the d etection of channel drift or other possible deterioration of operating characteristics. The

11 channel checks ensure that the safety system channel scrams are operable on a daily basis or prior to an extended run. The power level channel calibration will ensure that the reactor is operated within the authorized power levels.

3.1 Safety Analysis - Technical Specification 4.2.2 Specification 4.2.2 b The first change to 4.2.2.b is to correct a typographical error and delet e the rep eated words of each.

This proposed change is purely editorial in nature, therefor e it is concluded that this changes does not impose any undue risk to the health and safety of the public.

This second change to 4.2.2.b is an addition to explicitly state that the channels listed in Table 2 and Tabl e 3 are the channels that are required to undergo a w eek l y channel test for the intended mode of operation whenever op erations are planned. The previous specification stated reactor safety system channels which is ambiguous with regard to what is defined as a reactor safety system channel. Th e proposed change rem ov es this ambiguity. Si n c e all requirements and setpoints remain unchanged it is concluded that this changes does not impose any undue risk to the health and safety of the public.

Verbi ag e was added to provide an ex c ept i on from this specification f or t he ex pos ur e r oom em er g enc y stop sc r am s. AFRRI has always interpreted that the exposure room emergency stop scrams are only tested annually as required in Specification 4.2.2. e. The peri odi c it y for t he em erg enc y st op sc ram s i s has proven to be more than adequate. The emergency s t ops are industry standard turn -to-reset pushbuttons that are wired to be normally closed (i.e., opening the circuit causes a scram), therefor e any break in or malfunction of the circuit would cause a scram. The c ont ac t bl oc k for t he em erg enc y s t op has an el ec t ri c al life rating of 1,000,000 operations, so a failure is unlikely, therefore this change does not impose any undue risk to the health and safety of personnel or to the public.

Specification 4.2.2.c The first change to 4.2.2.c is the addition to explicitly state that a verification of the setpoints for the High Voltage Loss to the Safety Channel scrams shall be performed as part of the annual channel calibration. An annual periodicity for this specification is consistent with Section 4.2.5.b o f ANSI/ANS 15.1-2007 The Development of Technical Specifications for Research Reactors. Therefore it is concluded that this change does not impose any undue risk to the health and safety of the public.

The second change to 4.2.2.c is to remove the reference t o t he NM1000 channel. The NM1000 channel is obsolete and is no longer installed.

Specification 4.2.2. e The c hange t o 4. 2.2. e i s to explicitly st at e t hat it is t he exp osure room emer genc y st op sc rams are tested annually a n d i s di s c u s s ed a b o v e. The c onsole emerg enc y st op sc ram i s t est ed on a w eek l y basi s as required by 4.2.2.b and remains unchanged, therefore it is concluded that this changes does not impose any undue risk to the health and safety of the public.

The annual periodicity for the testing of the AC power loss scram was chosen to minimize the unnecessary cycling of power to the UPS. In the event that the automatic scram fails to occur the reactor operator is procedurally required to scram the reactor by removing the reactor console key as discussed above, therefore is concluded that this periodicity does not impose any undue risk to the health and safety of the public.

12 4 Cha ng e #4 - Facility Interlock System Surveillances

TS 4. 2. 4 needs t o be revi sed t o refl ec t t he i nst al l ati on of t he c ore dolly override switch. The c ore dol l y interlock override switch is inconsistent with the current technical specifications since it is possible, using and installed switch, to move the core dolly in region 2 while the lead shield doors are closed. Therefor e, v erbi age was added t o spec i fi c at i on 4.2. 4. b t o all ow for t he m ov em ent of t he c ore dol l y i n regi on 2 whil e t he l ead doors are c l osed wi t h t he use of t he c ore dol ly i nt erl oc k ov erri de swit c h. The use of t he ov erri de switch is administratively controlled su ch that trained reactor personnel are directly supervising the core m ov em ent whil e t he swi tc h i s engag ed.

On page 30 of the Technical Specifications:

4.2.4. FACILITY INTERLOCK SYSTEM Applicability This specification applies to the surveillance requirements that ensure the integrity of the facility interlock system.

Objec t i v e The obj ective is to ensure performance and operability of the facility interlock system.

Specifications Functional checks shall be made annually, not to exceed 15 months, to ensure the following:

a. With the lead shield doors open, neither exposure room plug door can be electrically opened.

b. The core dolly cannot be moved i nt o in region 2 with the lead shield doors closed except during t he use of t he core dolly interlock ov erri de swit c h.

c. The lead shield doors cannot be open ed to allow movement into the exposure room proj ection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

Bases Thes e functional checks will verify operation of the interlock system. Experience at AFRRI indicates that this is adequate to ensure operability.

13 4.1 Safety Analysis - Technical Specification 4. 2.4 - Core Dolly Interlock Override Switch As part of the digital instrumentation and control upgrade, a core dolly override switch was added to the front of the Facility Interlock Cabinet (FIS). The O&M Manual briefly describes the override switch as t oggl e swi tc h RP2. Refer t o P age 3-28 of the O&M Manual and Dr awing T3A10 0 E8 40 Rev B. Figure 4-1 shows a close up of the switch, while Figure 4-4 shows that location of the switch on the FIS cabinet.

The switch has the following positions shown in Fi gu r e 4-1.

Left - Regi on 1

C ent er - OFF

Ri ght - Regi on 3

Fi g ure 4 Core Dolly Override Switch

The switch is momentary, i.e., it will spring return to the center or OFF position when not actively held to the left or right positions. It is important to note that the override switch does not actually move the c ore dol l y, it onl y perm it s t he c ore dol ly t o be m ov ed. The ac t ual m ov em ent of t he c ore dol ly i s sti ll controlled with pushbuttons on the Reactor Mode Control Panel (or foot pedals) in the control room.

For eac h regi on t here are t wo l im it switc hes t hat wi ll st op c ore dol l y m ov em ent - the inner and outer l i mi t swit c hes. Refer t o Fi gure 4-2 for a diagram of the switches. The out er l i mit swit c h st ops t he c ore dolly when it reaches the far end of the travel to prevent contacting the pool liner. The out er swit c hes cannot be overridden. To prevent contact with the lead shield doors, the inner limit switch stops the core dolly from further movement if the lead shield doors are not fully opened.

Fi g ure 4 Core Dolly Limit Switch Diagram

14 For example, take the scenario of the operator moving the core dolly toward region 3 with the lead door closed. Once the core dolly comes off of the inner limit switch (switch is now open) the core dolly will stop and further movement of the core dolly is prohibited, this includes movement back toward region 1. Originally, the only way to recover from this scenario was to manually actuate the switch. This was accomplished by inserting a finger through a cutout in the core dolly rail and pushing down on the lever arm of t he swi tc h. Refer t o Fi gu r e 4 -3 bel ow.

Fi g ure 4 Core Dolly Limit Switch Access Point

This introduced a potential pinch/crush hazard to personnel who performed this task. This scenario would occur (twice, Steps 3 and 69) during the performance of M033 Facility Interlock Checklist procedure. To eliminate the hazard, the previous FIS was modified and an override switch was added to the inside of t he c abi net. Refer t o Fi gure 4-6. The new FIS cabinet maintains this functionality.

The use of the override switch is administratively controlled such that trained reactor personnel are required to be di rec tl y superv i si ng t he c ore m ov em ent whil e t he swi tc h i s engag ed. This requirement is inherently enforced since the override switch is momentary and has to be actively held in place to perm i t m ov em ent of t he c ore doll y. In the event of operator error or equipment malfunction the torque gen erated by core dolly drive mechanism is limited by a slip clutch. The slip clutch is set to prevent damage if the core shroud or any other part of the core dolly comes into contact with an obstruction, such as the core shroud contacting the lead shield doors. As such, a failure resulting in inadvertent contact between the core shroud and an obstruction has minimal consequences. Ther efor e, m ov em ent of the core dolly in region 2 while the lead shield doors are closed during m ai nt enanc e acti v it i es does not impose any undue risk to the health and safety of the reactor, reactor personnel or to the public.

15 Core Dolly Overrid e Switch

Fi g ure 4 Core Dolly Override Switch

16 Fi g ure 4 Core Dolly Wiring Schematic T3A100E840

17 Fi g ure 4 Previous Core Dolly O verride Switch Previous Core Dolly O verride Swi tch 18 5 Update to the Safety Analysis Report

Upon approval of these proposed changes the TRIGA Reactor Safety Analysis Report will be updated as required.

6 Other Documents

Facility procedures may need minor revisions and will be performed as required and pursuant to 10 CFR Part 50.59. The Emergency Plan does not require any r evisions upon approval of these proposed changes.

The Physical Security Plan does not require any revisions upon approval of these proposed changes.

7 Conclusion

The safety analysis presented concludes that the health and safety of the public will not be endangered by operation in the proposed request and that such activities are in compliance with regulations, therefore, the issuance of the amendment will not be i nimical to the common defense and se curity or to the health and safety of the p ublic.

19 Appendix A - Page Markups

20 Table 2. Minimum Reactor Safety System Scrams

Channel Maximum Set Point Effective Mode Steady State Pulse Fuel Temperature 600°C 2 2 Percent Power, High Flux 1.1 MW 2 0 Console Manual Scram Button Closure switch 1 1 High Voltage Loss to Safety Channel 20% Loss 2 1 Pulse Time 15 seconds 0 1 Emergency Stop Closure switch 3 3 (1 in each exposure room, 1 on console) 14 feet from the top of Pool Water Level the core 1 1 Watchdogs (UIT and CCS) 15 seconds 2 2 AC Power Loss 15 seconds 1 1

Bases

The fuel temperature and power level scrams provide protection to ensure that the reactor can be shut down before the fuel temperature safety limit is exceeded. The manual scram allows the operator to shut down the system at any time if an unsafe or abnormal condition occurs. In the event of failure of the power supply for the safety channels, operation of the reactor without adequate instrumenta tion is prevented. The preset pulse timer ensures that the reactor power le vel will return to a low level after pulsing. The emergency stop allows personnel trapped in a potentially hazardous exposure room, or the reactor operator, to scram the reactor through the facility interlock system. The pool water level ensures that a loss of biological shielding would result in a reactor scram. The watchdog scram ensures reliable communi cation between the User Interface Terminal (UIT) and the Console Comp uter System (CCS). The AC power loss scram ensures that a loss of AC power to the uninterruptible power supply (UPS) for the reactor control console will result in a scram.

14 Table 3. Minimum Reactor Safety System Interlocks

Action Prevented Effective Mode Steady State Pulse Pulse initiation at power levels greater than 1 kW X Withdrawal of any control rod except transient X Any rod withdrawal with power level below 1 x 10-5 watts as measured by the Linear Power Channel (NMP-1000) X X Simultaneous manual withdrawal of two standard rods X Any rod withdrawal if high voltage is lost to the Log Power Channel (NLW-1000) X X Withdrawal of any control rod if reactor period is less than 3 seconds X Application of air if the transi ent rod drive is not fully down.

This interlock is not requi red in square wave mode. X

• Reactor safety system interlocks shall be tested daily whenever operations involving these functions are planned

Bases

The interlock preventing the initiation of a pulse at a power level above 1 kW ensures that the pulse magnitude will not allow the fuel element temperature to exceed the safety limit. The interlock that prevents movement of standard control rods in pulse mode will prevent the inadvertent increase in steady state reactor power prior to initiation of a pulse. Requiring a minimum power level to be measured by the Linear Power Channel ensures sufficient source neutrons to bring the reactor critical under controlled conditions. The interlock that prevents the simultaneous manual withdrawal of two standard control rods limits the amount of reactivity added per unit time. Correct high voltage to the Log Power Channel ensures accurate power indications. Preventing the withdrawal of any control rod if the period is less than 3 seconds minimizes the possibility of exceeding the maximum permissible power level or the fuel temperature safety limit.

15 4.2.2. REACTOR SAFETY SYSTEMS

Applicability

These specifications apply to the surveillance requirements for measurement, test, and calibration of the reactor safety systems.

Objective

The objective is to verify the performance and operability of the systems and components that are directly related to reactor safety.

Specifications

a. A channel test of the scram function of the high-flux safety channels shall be made each day that reactor operations are planned.

b. A channel test of each of the reactor safety system channels in Table 2 and Table 3 with the exception of the exposure room emergency stop and AC power loss scrams for the intended mode of operation shall be performed weekly, whenever operations are planned.

c. Channel calibration, including verification of the setpoints for the high voltage loss to safety channel scrams, shall be made of the NP, NPP, NLW, NMP or any other console instrumentation designated to provide direct power level information to the operator, annually not to exceed 15 months.

d. A thermal power calibration shall be completed annually not to exceed 15 months.

e. The exposure room emergency stop and AC power loss scrams shall be tested annually, not to exceed 15 months.

f. The low pool water scram shall be tested weekly not to exceed 10 days whenever operations are planned.

g. The console manual scram button shall be tested weekly not to exceed 10 days whenever operations are planned.

Bases

TRIGA system components have proven operational reliability. Daily tests ensure reliable scram functions and ensure the detection of channel drift or other possible deterioration of operating characteristics. The channel checks ensure that the safety system channel scrams are operable on a daily basis or prior to an extended run. The power level channel calibration will ensure that the reactor is operated within the authorized power levels.

28 4.2.4. FACILITY INTERLOCK SYSTEM

Applicability

This specification applies to the surv eillance requirements that ensure the integrity of the facility interlock system.

Objective

The objective is to ensure performance and operability of the facility interlock system.

Specifications

Functional checks shall be made annually, not to exceed 15 months, to ensure the following:

a. With the lead shield doors open, neither exposure room plug door can be electrically opened.

b. The core dolly cannot be moved in region 2 with the lead shield doors closed except during the use of the core dolly interlock override switch.

c. The lead shield doors cannot be opened to allow movement into the exposure room projection unless a warning horn has sounded in that exposure room, or unless two licensed reactor operators have visually inspected the room to ensure that no personnel remain in the room prior to securing the plug door.

Bases

These functional checks will verify operation of the interlock system.

Experience at AFRRI indicates that this is adequate to ensure operability.

30