CHAPTER 7 INSTRUMENTATION AND CONTROLS

Form 412.09 (Rev. 10)

Idaho National Laboratory

CHAPTER 7 – INSTRUMENTATION AND CONTROL – TREAT FACILITY FSAR

Identifier: SAR-420
Revision: 1
Effective Date: 03/01/17

Further dissemination authorized to DOE and DOE contractors only; other requests shall be approved by the originating facility or higher DOE programmatic authority.

CONTENTS

7. INSTRUMENTATION AND CONTROLS
  7.1 Introduction
    7.1.1 Identification of Safety Systems
    7.1.2 Identification of Safety Criteria
  7.2 Reactor Trip System
    7.2.1 Description
    7.2.2 Analysis
  7.3 Reactivity Control System
    7.3.1 Description
    7.3.2 Analysis
  7.4 Systems Required for Safe Shutdown
    7.4.1 Seismic Scram
    7.4.2 Manual Scram
  7.5 Display Instrumentation
    7.5.1 Description
    7.5.2 Analysis
  7.6 Non-Safety-Related with Augmented Requirements Instrumentation Systems
    7.6.1 Reactor Control System Description
    7.6.2 Reactor Control System Analysis
    7.6.3 Dedicated Information System Description
    7.6.4 Dedicated Information System Analysis
  7.7 Other Non-Safety Related Systems
    7.7.1 Filtration/Cooling System
    7.7.2 Experiment Support System
    7.7.3 Radiation-monitoring System
  7.8 Reliability and Operability
  7.9 References

FIGURES

Figure 7-1. I&C information flow diagram.
Figure 7-2. RTS block diagram.
Figure 7-3. Nuclear instrument ranges.
Figure 7-4. Reactor control console.
Figure 7-5. I&C room layout.
Figure 7-6. Manual reactor control system.
Figure 7-7. Automatic reactor control system block diagram.
Figure 7-8. Rod motion interlocks flowchart.
Figure 7-9. Transient rod interlock flowchart.
Figure 7-10. DIS block diagram.

TABLES

Table 7-1. RTS/trip initiators.
Table 7-2. RTS codes and standards.
Table 7-3. Environmental conditions at RTS component locations.
Table 7-4. Environmental conditions at the reactivity control system locations.
Table 7-5. Reactivity control system codes and standards.
Table 7-6. Control console component legend.
Table 7-7. Environmental conditions at the RCS component locations
Table 7-8. RCS codes and standards applicability matrix
Table 7-9. DIS control room information.
Table 7-10. DIS codes and standards.
Table 7-11. F/CS instrumentation and controls.
Table 7-12. Environmental conditions at the F/CS component locations.

ACRONYMS/ABBREVIATIONS

A       amp
ac      alternating current
ANSI    American National Standards Institute
AR      nonsafety-related with augmented requirements
ARCS    automatic reactor control system

BF3     Boron trifluoride
BAR     basement auxiliary room

CRD     control rod drive
CRIS    control rod interlock system
cps     counts per second

DAS     data acquisition system
dc      direct current
DIS     dedicated information system
DMT     dedicated microprocessor tester
DOE     Department of Energy

ESS     experiment support system

F/CS    filtration and cooling system
FMEA    failure mode and effects analysis
FSAR    Final Safety Analysis Report

GDC     general design criteria

IEEE    Institute of Electrical and Electronics Engineers
IFA     instrumented fuel assembly
INL     Idaho National Laboratory

MW      megawatt
ms      millisecond
MRCS    manual reactor control system
MFC     Materials and Fuels Complex

NBS     National Bureau of Standards
NEC     National Electrical Code
NSR     nonsafety-related

PPS     plant protection system
psia    pounds per square inch absolute
psid    pounds per square inch differential

RCR     reactor control room
RCS     reactor control system
RDT     reactor development and technology
RTD     resistance temperature detector
RTS     reactor trip system

SDD     system design description
SR      safety-related
SSC     structure, system, and component

SSR     solid state relay

TE      transient enable
TREAT   Transient Reactor Test (TREAT) facility
TRSI    transient rod signal interface
TS      technical specifications

UL      Underwriters Laboratories Standards for Approved Materials
UPS     uninterruptible power supply

V       volt
W       watt

7. INSTRUMENTATION AND CONTROLS

As discussed in Chapter 1, Introduction and General Description of Facility, the light water reactor (LWR) edition of Nuclear Regulatory Commission (NRC) Regulatory Guide (RG) 1.70 (NRC 1978) was used as the guide to format and content for this chapter. RG 1.70 is designated in 10 CFR 830 (2001) as an acceptable format and content guide for U.S. Department of Energy (DOE) reactor safety analysis reports. Instrumentation and control (I&C) system design characteristics required by RG 1.70 that directly support the design or accident analyses of the Transient Reactor Test (TREAT) facility are discussed in this chapter.

7.1 Introduction

This chapter describes the TREAT I&C systems necessary to shut down the reactor upon development of abnormal conditions, to control the reactor in order to perform in-reactor experiments, and to continuously monitor the reactor status. The systems that perform these functions are shown in Figure 7-1. The shutdown function is provided by the plant protection system (PPS). The PPS is composed of the reactor trip system (RTS) that detects the need for and initiates a reactor shutdown, and the portion of the reactivity control system that implements a shutdown command by rapidly inserting all control rods by means of scram mechanisms associated with each rod. Control of the reactor is provided by the reactor control system (RCS) and reactivity control system which position the control rods by means of control rod drives. Monitoring of selected reactor parameters, as well as the filtration/cooling system (F/CS), is provided by the dedicated information system if normal or standby power is available.

7.1.1 Identification of Safety Systems

TREAT I&C systems include safety-related (SR), nonsafety-related (NSR) with augmented requirements (NSR-AR), and other NSR structures, systems, and components (SSCs). The master list of SR-SSCs and NSR-AR-SSCs is presented in Chapter 3, Design of Structures, Components, Equipment, and Systems, Section 3.2.

7.1.1.1 Safety-Related Systems. As shown in Chapter 3, Table 3-2, the RTS manual scram and seismic trip subsystems are designated as SR-SSCs. All remaining I&C systems are classified as NSR-AR-SSCs or NSR-SSCs.

7.1.1.2 Systems Required for Safe Shutdown. Although not required to be designated as SR-SSCs as a result of the accident analyses in Chapter 15, Accident Analyses, to align TREAT to industry precedent with other test/research reactors licensed by the NRC or operated by DOE, the RTS manual scram and seismic trip subsystems are designated in Chapter 15 as SR-SSCs to meet the SR-SSC Criterion 1 to ensure the reactor is shut down and maintained in a safe shutdown condition for the applicable accident scenarios. The reactor scram system I&C supporting the reactor trip system (RTS) is discussed in Section 7.1.1.4 and the reactivity control system in Section 7.3.

7.1.1.3 Safety-Related System Display Instrumentation. There are no SR system displays. The display instrumentation is composed of the RTS and RCS displays in the control and I&C rooms described in Section 7.5.

Figure 7-1. I&C information flow diagram.

7.1.1.4 Non-Safety-Related with Augmented Requirements Instrumentation Systems. The NSR-AR-SSC instrumentation systems are composed of the following systems:

• Reactor trip system (RTS) (excluding the safety portions described in 7.1.1.1) in Section 7.2

• Manual reactor control system (MRCS) in Section 7.6.1

• Automatic reactor control system (ARCS) in Section 7.6.1

• Dedicated information system (DIS) in Section 7.6.3.

7.1.1.5 Systems Not Required for Safety. The instrumentation systems not required for safety are the following:

• Filtration/cooling system (F/CS) described in Section 7.7.1

• Experiment support system described in Section 7.1.1

• Radiation monitoring system described in Section 7.7.2.

7.1.1.6 Comparison with Other Plants. TREAT is a unique experimental reactor, not a power reactor. Some of the more significant differences from power reactors relative to plant safety are:

• TREAT was designed for both steady-state and transient operations

• The graphite in the fuel functions as a heat sink and since TREAT is once-through air cooled, there is no primary coolant system

• The fission product inventory is much smaller (insignificant) than in power reactors

• TREAT operates for short durations; the reactor is shut down most of the time

• Rate of change of TREAT reactor power is much greater than power reactors

• There are very few safety-related SSC at TREAT compared to a power reactor.

7.1.2 Identification of Safety Criteria

The following section gives design bases for the PPS and NSR-AR-SSCs. The general design criteria (GDC) discussed in Chapter 3, Section 3.1 were considered in the design of the systems given in the identification of safety systems (Section 7.1.1). In general, the scope of the design criteria documents is given in the document itself, and determines applicable systems or parts of systems.

7.1.2.1 Design Bases. TREAT went critical and initially operated in 1959. The original design was consistent with standard building practices, codes, and standards in place at that time. In 1983, the PPS was updated per standards for that time. The applicable standards, codes, and practices are listed in the Design Basis section for each system discussed.

7.1.2.1.1 Reactor Trip System—The RTS provides additional protection to ensure reactor safety limits are not exceeded during startup, steady-state, and transient operations. No specific requirements for operability or reliability of RTS instrumentation are identified in the accident analysis, and as such, they are not required to be designated as SR-SSCs in the accident analysis. No credit is assumed in the accident analysis for the reactor interlock set points, or scram set points on reactor temperature, period, energy, and power.

However, to align TREAT to industry precedent with other test/research reactors licensed by the NRC or operated by DOE, the RTS manual scram and seismic trip subsystems are designated in Chapter 15 as SR-SSCs to meet the SR-SSC Criterion 1 to ensure the reactor is shut down and maintained in a safe shutdown condition for the applicable accident scenarios.

7.1.2.1.2 Electric Power Systems—The electric power systems required for the operation of the TREAT instrumentation and control systems are described in Chapter 8, Electric Power Systems.

7.1.2.2 General Design Criteria. Chapter 3, Table 3-1 specifies the SSCs to which the GDC have been applied. Detailed discussion of the GDC applicable to the TREAT instrumentation and control systems is provided in the subsections of this chapter.

7.2 Reactor Trip System

7.2.1 Description

The reactor trip system (RTS) provides monitoring circuits to detect the occurrence of unanticipated reactor operating conditions. The system compares instrumentation signals against preset limits. If abnormal conditions occur, a trip signal is transmitted to the protective action circuits.

The protective action circuits (i.e., RTS trip channels) receive trip signals from reactor power, period, energy and temperature monitoring circuits, pressure switches, ARCS control and monitor computers, voltage monitoring system, seismic monitors, and manual scram switches located in the control room, subpile room, reactor top, and reactor ground floor. Upon receipt of a trip signal, scram action is effected by interrupting the electric power to the rod scram latches and hydraulic valves, which in turn causes the rods to shut down the reactor, using stored energy (high-pressure accumulator) in the scram actuation system.

Status/alarm and information transmission circuits generate and transmit reactor performance data to the ARCS control and monitor computers, and control room displays. RTS trip status information is also provided to both the ARCS control and monitor computers. Remote RTS alarms and status lights are provided in the control room.

An automated procedure for the functional testing and calibration of the RTS, which precedes each transient operation, is provided by a dedicated microprocessor tester (DMT). The DMT is also used to test the RTS prior to steady-state operations.

A detailed description of the TREAT RTS and DMT is located in “TREAT Reactor Trip System Design Description, User’s Manual” (ANL 1984a) and “User’s Manual for the TREAT Dedicated Microprocessor Tester” (ANL 1988).

7.2.1.1 Functional Performance Requirements. The RTS performs the following basic plant protection and surveillance functions:

1. Automatic detection of the need for rapid shutdown with command for rapid insertion (scram) of the control/shutdown, compensation/shutdown, and transient rods to shut down the reactor and maintain it shutdown

2. Manual initiation of reactor trip by operator action

3. Interface with other systems by (a) providing current information to the reactor operators in the control rooms, to the ARCS, and to the DIS, and (b) accepting scram commands from other systems.

7.2.1.2 Reactor Trips. Table 7-1 summarizes the available initiators for the reactor trips. The various RTS input trip channels and input trip logic are described in the RTS Design Description User’s Manual (ANL 1984a) and are summarized below:

7.2.1.2.1 Transient Linear Power Channel—Each of the three transient linear power channels monitors reactor power over a transient-mode range from below 10^5 to 10^11 W (watts), corresponding to full-scale current ranges from 10^-9 to 10^-3 A (amps). Prior to transient operation, adjustments are made to the linear channel range, ion chamber position, and a downstream gain control (linear power calibration located in transient input trip logic) such that a 10-V analog signal delivered into the trip comparators in the transient input trip logic chassis corresponds to a power level less than the maximum value permitted.

7.2.1.2.2 Transient Energy Channel—Each of the three transient energy channels delivers an analog output voltage proportional to the integrated current, i.e., accumulated charge, and is calibrated in micro-coulombs (µC). The input current signal is supplied from an ion chamber and is nominally proportional to reactor power. The output voltage is related to integrated power or energy. Ranges are provided from 1 through 100 µC in a 1-2-5 sequence by the selection of integrating-capacitor values. The circuit is designed to integrate for input currents over the range of 10^-11 to 10^-3 A, independent of selected charge range. This current range corresponds to a transient-mode reactor power range of 10^3 to 10^11 W.

7.2.1.2.3 Transient Log Power/Period Channel—Each of the three transient log-power/period channels delivers analog output voltages directly proportional to the logarithm of reactor power and inversely proportional to reactor period, over a power range from approximately 10^3 to 10^11 W. This power range corresponds to input signal currents from 10^-11 to 10^-3 A. Only the output signal related to reactor period is used as an RTS shutdown initiator. Three period ranges are provided, spanning from infinity to 2000/200/20 ms. Response times of the log circuit range from 30 ms at 10^-11 A, to 0.2 ms for currents of 10^-8 A and up. The differentiator response time is set to 30 ms.

7.2.1.2.4 Steady-State Linear Power Channel—Each of the two steady-state linear power channels delivers an analog output voltage approximately proportional to reactor power, with full-scale current ranges from 10^-9 through 10^-3 A, which, with proper ion-chamber positioning, correspond to a reactor power range of approximately 1 to 10^6 W.

7.2.1.2.5 Steady-State Log Power/Period Channel—Each of the two steady-state log-power/period channels delivers analog output voltages nominally proportional to the logarithm of reactor power, and inversely proportional to reactor period, over a steady-state power range from 10^-2 to 10^6 W. This power range corresponds approximately to input signal currents from 10^-11 to 10^-3 A. Only the period output is used as an RTS shutdown initiator. A single output period range of -50 through +5 seconds is provided. Response times of the log circuit range from 100 ms at the low current end of 10^-11 A, to 50 ms for all currents above 10^-9 A.

Table 7-1. RTS/trip initiators.

| Reactor Power Mode | Measured Parameter or Function | Type | Sensor/Source Location | Sensor/Source Number | Sensor Range Input | Sensor Range Output | Inputs/RTS Channel | Trip Initiator |
|---|---|---|---|---|---|---|---|---|
| All | Pneumatic Pressure | Pressure Switch | Control Shutdown CRD | 2 per CRD | 50-425 psig | 5 to 0 mA | 4 (1 per CRD) | Low Pressure |
| All | Pneumatic Pressure | Pressure Switch | Compensation Shutdown CRD | 2 per CRD | 50-425 psig | 5 to 0 mA | 4 (1 per CRD) | Low Pressure |
| All | Hydraulic Pressure | Pressure Switch | Transient CRD | 2 per CRD Pilot Spool | 0-4000 psig | 5 to 0 mA | 4 (1 per CRD) | Low Pressure |
| Transient | Hydraulic Pressure | Pressure Switch | Transient CRD | 2 per Slave Spool | 0-4000 psig | 5 to 0 mA | 4 (1 per CRD) | Low Pressure |
| All | Hydraulic Pressure | Pressure Switch | Low Pressure Slave Spool Power Supply | 2 | 0-4000 psig | 5 to 0 mA | 1 | Low Pressure (Note g) |
| All | Ground Acceleration | Seismic Detector | Basement Aux. Room & Subpile Room Wall | 2 | -0.25 to +0.25 g | 120 to 0 Vac | Note a | High Acceleration |
| All | Manual Scram | Scram Button | Note b | 5 Stations (Dbl Contact Readout) | Normally Closed Contacts | 5 to 0 mA (15 to 0 V backup) | 4 | Operator action |
| All | ARCS: 'Reactor Simulation' | Connector Loop-Thru Continuity | RTS Transient Channels | 11 | N/A | N/A | Note j | Simulation Cable Connected |
| All | Failsafe Design Feature | N/A | N/A | N/A | N/A | N/A | N/A | Loss of Normal Power |
| All | Test Fault Interlock | N/A | N/A | 20 | N/A | N/A | N/A | Ion chamber HV |
| Start-up Steady-State | Neutron Flux (Lin Power) | Compensated Ion Chamber | Core Midrange Biological Shield | 2 | 0.01-10^6 W | 10^-11 to 10^-3 A | 1 | High Lin Power (Note c, i) |
| Start-up Steady-State | Neutron Flux (Log Power) | Compensated Ion Chamber | Core Midrange Biological Shield | 2 | 0.01-10^6 W | 10^-12 to 10^-3 A | 1 | Short Period (Note c, i) |
| Start-up Steady-State | Fuel Temperature | Core Thermocouples | Instrumented Fuel Assembly (IFA) | 1 or 2 per IFA | 0 to 1500°C | 0 to 5 V | 4 (Note d) | High Fuel Temp. (Note c, i) |
| Transient | Neutron Flux (Lin Power) | Uncompensated Ion Chamber | Core Midrange Biological Shield | 3 | 10^3 to 10^11 W | 10^-11 to 10^-3 A | 1 | High Lin Pwr (Note e, f) |
| Transient | Neutron Flux (Log Power) | Uncompensated Ion Chamber | Core Midrange Biological Shield | 3 | 10^3 to 10^11 W | 10^-11 to 10^-3 A | 1 | Short Period (Note e, f) |
| Transient | Neutron Flux (Energy) | Uncompensated Ion Chamber | Core Midrange Biological Shield | 3 | 10^3 to 10^11 W | 10^-11 to 10^-3 A | 1 | High In. Pwr (Notes e, f, g, h) |
| Transient | Fuel Temperature | Core Thermocouples | Instrumented Fuel Assembly (IFA) | 2 per IFA | 0 to 1500°C | 0 to 5 V | 4 (Note d) | High Fuel Temp. |
| Transient | Request RTS Scram | ARCS Control Computer Output Module | I&C Room | 3 | N/A | N/A | 1 | Loss of Current Loop (Note g) |
| Transient | Request RTS Scram | ARCS Monitor Computer Output Module | I&C Room | 3 | N/A | N/A | 1 | Loss of Current Loop |
| All | Nuclear Instruments | Connector Loop-Thru Continuity | I&C Room | 1 per cable | N/A | N/A | 4 cables | DMT cable connected |

Notes
a. Seismic detectors operate independently of RTS logic circuits by directly removing ac power from latch supplies.
b. Scram buttons located in the reactor control room (2), Reactor Building (subpile room, reactor top, and ground floor).
c. Trip set point will limit clad temperature to less than 600°C.
d. Instrumented fuel assemblies (IFAs) thermocouples report to both steady-state and transient RTS bistable trip units.
e. Trip set point will limit clad temperature to less than 600°C.
f. Has transient independent and transient dependent trip points; the power and period trip levels are a function of energy.
g. Enabled for transient mode only.
h. Measured value of this parameter is used to selectively enable more conservative power and period trip points during the course of the transient.
i. RTS requires ARCS concurrence before bypassing steady-state trips (to assume the transient protective posture).
j. Interlock operates independently of RTS logic circuits by directly removing ac power from latch supplies.

7.2.1.2.6 Reactor Fuel Temperature Channels—Each of the two four-channel reactor fuel temperature systems is used to monitor four fuel thermocouples. Primarily, these channels are part of the steady-state group and are merely duplicated like the steady-state linear and log-power/period channels. A total of eight temperature measurements can be monitored and two operable channels are required by TS-420. Four of the trip set points may be set to more conservative values during steady-state operations. Except for slowly varying transient power levels, thermocouple response times are too slow to provide effective protection during transient operations. However, each of the thermocouples is monitored and a trip signal is sent if any of them exceed their set point.

7.2.1.2.7 Pressure Switch Channels—Each of the duplicated 17-channel units (described in Table 7-1, Inputs/RTS column, and in Figure 7-2) delivers logic-level outputs indicating the open-vs-closed status of each pressure switch input. The 17 channels are composed of four control/shutdown rod drive (one per drive), four compensation/shutdown rod drive (one per drive), eight transient control rod drive (two per drive) during transient operations and one low-pressure slave spool power supply. All trip on the low-pressure condition.

7.2.1.2.8 Transient Input Trip Logic Units—The primary function of each of the three transient input trip logic units (A, B and C) is to accept the analog input voltage signals from the transient linear power, transient integrated power, and transient log-power/period channels, compare each input against one or more reference levels, and generate a latched trip signal when a reference level is exceeded.

7.2.1.2.9 Steady-State Input Trip Logic Units—Each of the two steady-state input trip logic units (A and B) performs a function for the steady-state channels that is analogous to the function performed by the transient input trip logic for the transient channels. The steady-state trip units accept analog input voltage signals from the two steady-state nuclear channels (linear power and log/period) and from the fuel temperature channels, compare each against one or more reference levels, and generate a latched trip signal when a reference level is exceeded. They also accept the digital signals from the 17 pressure switch channels and generate a latched trip signal if any one of these signals indicates a loss of pressure. Four of the channels involving transient rod drive pressure switches are shutdown initiators only for the transient mode of operation; they are deactivated when operation is in the steady-state mode. Activation requires the presence of the transient enable (TE) signal delivered from the steady-state input trip logic, which is used to open and close gates placed in the signal path for these four channels.

7.2.1.2.10 Seismic Trip Channels—Two seismic channels are provided; one sensor is in the subpile room and one is in the basement auxiliary room (BAR). Each channel comprises a triaxial (vertical, lateral, transverse) seismic sensor/comparator unit, a seismic switch channel control unit, and a seismic channel power relay unit. Each seismic sensor/comparator unit and associated power relay unit is supplied 120-V 60-hertz power from a separate power channel of the RTS actuator interface power control unit: channel 1 from power channel A and channel 2 from power channel B. The two seismic channels are connected together and to the RTS actuator interface power control unit to allow either or both seismic channels to trip off ac power to both latch power supplies.

Figure 7-2. RTS block diagram.

7.2.1.3 RTS Instrumentation.

7.2.1.3.1 Sensors and Transmitters—A sensor and transmitter, or a combination sensor/transmitter, measures a reactor process variable and emits an analog electrical output signal proportional to the variable being monitored. See RTS Design Description User’s Manual (ANL 1984a) for a detailed description of the RTS sensors and transmitters.

7.2.1.3.2 Output Trip Logic (P1, P2, P3)—The primary function of these triplicated units is to accept trip signal inputs from several sources and to deliver trip signal outputs simultaneously to the control inputs of eight solid-state relays (SSRs), which open eight power busses to various latch circuits, allowing all control rods to be inserted quickly (see Figure 7-2).

The trip signal inputs are supplied from transient input trip logic units (A, B, and C), steady-state input trip logic units (A and B), five manual scram buttons (see Section 7.4.2), single trip from experimenters, and the control and monitor computers (activated only during the transient mode of operation).

All of the latched trip signal outputs from the three transient input trip logic units, and from the two SS input trip logic units, are delivered in parallel to the three output trip logic units. The purpose of the parallel connection is to ensure that full trip capability is maintained even in the event that two of the three output trip units fail. The transient trip logic is 1 out of 3 and the steady-state trip logic is 1 out of 2.

See RTS Design Description User’s Manual (ANL 1984a) for a detailed description of the RTS output trip logic.

7.2.1.3.3 Scram Actuator Interface—The scram interface is composed of seven units: the power control unit, three trip units (A, B and C), output unit, and two seismic sensor/comparator units. A block diagram illustrates the scram actuator instrumentation in Figure 7-2. Two separately regulated latch power supplies provide 32-Vdc power for all latch coils. The dc power is distributed from the power control unit over two groups of four main dc busses, through series arrangements of the SSRs within the three-trip units. These eight busses emerge from trip unit C, then connect to the circuits within the output unit, and to the transient, control/shutdown and compensation/shutdown, rod drive latch coils. The eight SSRs within each trip unit may be turned off by the signals delivered from the respective output trip logic units, P1, P2, or P3.

Each of the two 120-Vac power inputs is brought back out to supply one of the two seismic sensor/comparator units with operating power through the power control unit (see Section 7.4.1). The high side of each ac line is connected through a series arrangement of trip contacts for the two seismic sensor/comparator units, and delivered back to the power control unit through the seismic trip connections.

7.2.1.3.4 Nuclear Instrumentation—The nuclear instrumentation monitoring reactor power levels to generate the required trip signals for specific neutron levels is described in the RTS Design Description User’s Manual (ANL 1984a). A block diagram illustrates the required instrumentation in Figure 7-2 and the instrument ranges are illustrated in Figure 7-3. The DIS/MRCS and ARCS instruments are included in Figure 7-3.

Figure 7-3. Nuclear instrument ranges.

7.2.1.3.5 Interfaces—The interfacing RTS connections to the following systems are described in the RTS Design Description User’s Manual (ANL 1984a):

• Control room console

• ARCS simulator computer

• Dedicated microprocessor tester (DMT)

• ARCS control and monitor computers

7.2.1.3.6 Power Supply—The RTS is supplied with ac power from the normal power source via the standby power bus. The three groups of the RTS (A, B & C) are powered from two regulating transformers with Groups A and C on one transformer and Group B on the other. The two steady-state log channels are supplied with power by the DIS, which is also on the standby power bus. On loss of normal power, all RTS logic will go to the tripped/scram state. In addition, power is interrupted to the 12 control rod drives, and all rods scram. Power is restored to the standby power bus, and all displays and status lights are restored within about 10 seconds after failure of offsite power. The standby power bus is powered either by normal power or by the standby generator as described in Chapter 8. The uninterruptible power supply (UPS) units are sized for a minimum of 13 hours of operation following the loss of power to the standby power bus.

7.2.1.3.7 Seismic Operating Conditions—The portions of the RTS that are credited with seismic functions are designed and constructed to remain operational and meet all functional requirements as defined in the equipment design specifications during seismic-induced base rock accelerations up to 1 g, to ensure reliable shutdown capability.

7.2.1.4 Set Points. Requirements to ensure RTS operability are defined in TS-420 and associated programmatic operational limits are defined in TREAT operating instructions.

7.2.1.5 Design-Basis Information.

7.2.1.5.1 Codes and Standards—The codes and standards listed in Table 7-2 were considered for applicability in the RTS design, as described in detail in Section 7.2.2.4 below.

Table 7-2. RTS codes and standards.

No. Title

IEEE 279-1971 Criteria for Protection Systems for Nuclear Power Generating Stations (ANSI/IEEE)

IEEE 336 Installation, Inspection, and Testing Requirements for Class 1E Instrumentation and Electric Equipment at Nuclear Power Generating Stations

IEEE 338 Standard Criteria for the Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems (ANSI/IEEE)

IEEE 352-1975 Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems (ANSI/IEEE)

IEEE 379-1977 Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Class 1E Systems (ANSI/IEEE)

IEEE 384 Standard Criteria for Independence of Class 1E Equipment and Circuits

IEEE 494 Standard Method for Identification of Documents Related to Class 1E Equipment and Systems for Nuclear Power Generating Stations (ANSI/IEEE)

IEEE 498 Standard Requirements for the Calibration and Control of Measuring and Test Equipment Used in the Construction and Maintenance of Nuclear Power Generating Stations

IEEE 500 IEEE Guide to the Collection and Presentation of Electrical, Electronic and Sensing Component Reliability Data for Nuclear-Power Generating Stations.

Note – This Standard was used as a source of data for the RTS Reliability Analysis, and does not impose specific requirements.

IEEE 572-1985 IEEE Standard for Qualification of Class 1E Connection Assemblies for Nuclear Power Generating Stations

IEEE 577 Requirements for Reliability Analysis in the Design and Operation of Safety Systems for Nuclear Power Generating Stations.

IEEE 603 Standard Criteria for Safety Systems for Nuclear Power Generating Stations (Revision of IEEE STD 603-1977)

IEEE 627 Design Qualification of Safety Systems Equipment used in Nuclear Power Generating Stations.

ANSI N42.4 High Voltage Connectors for Nuclear Instruments

ANSI N45.2 Quality Assurance Program Requirements for Nuclear Facilities

RDT C1-1T Instrumentation and Control Equipment Grounding and Shielding Practices

RDT C10-1T Thermocouple Signal Transmitter

National Electrical Code (NEC)

National Electrical Manufacturers Association

Underwriters Laboratories Standards for Approved Materials

Uniform Building Code (UBC)

7.2.1.5.2 Performance Requirements—Design requirements for various RTS components are described in the RTS Design Description User’s Manual (ANL 1984a). The protection system ranges for the RTS instrumentation covering the expected range of the variables during power operation are shown in Figure 7-3. The RTS units including sensors and cables are designed to meet accuracy and response-time requirements for the environmental conditions at RTS component locations shown in Table 7-3. There are no specific RTS trip functions or maximum allowable response times required in the accident analyses in Chapter 15.

Table 7-3. Environmental conditions at RTS component locations.

| Location | Component | Environmental Condition |
|---|---|---|
| Core (Above Fuel) | Leadout Cabling for Thermocouples | 10–600°C |
| Fuel Zone | Thermocouples | 10–820°C |
| Subpile Room and Basement Auxiliary Room | Electric Power & Control Hardware. Seismic Channels | 20–50°C |
| Reactor Building (MFC-720) | Power & Control Circuitry, Electrical Hardware, and Preamplifiers | 10–35°C |
| I&C Room | Electrical Equipment Status Displays, Computer | 15–35°C Normally Air Conditioned |
| Nuclear Instrumentation Thimbles | Ion Chambers and Cables | 10–100°C |

7.2.2 Analysis

7.2.2.1 Functional Adequacy. The primary function of the RTS (see Section 7.2.1.1) is to detect unanticipated reactor conditions, and when appropriate, initiate rapid shutdown. During transient operations, the transient-independent and transient-dependent circuit portions of each of the three transient input trip logic units are continuously comparing integrated power against permissible energy set points, and the instantaneous power level against boundary lines of major importance. If the power level exceeds the preset boundary, or the reactor period becomes too short, or fuel temperatures too high, the resulting trip action will command the solid-state relays to remove power from the latch coils of all 12 control rod drives.

During steady-state operation, the reactor is protected by the steady-state power, temperature, and period trips. These functions are adequate to protect the core from all postulated design basis accidents described in Chapter 15. During transient and steady-state operations, the RTS trips on other important trip signals, i.e., manual, ARCS, seismic, loss of power, pressure switches on the pneumatics and hydraulics of the control rods, and experimenter system.

The SSR time delay for the dc-powered control and compensation rod latches and the transient rod scram solenoid is specified to be a maximum of 0.5 ms (which is larger than the manufacturer’s specified maximum of 0.25 ms). Three other delay time components must be added to this value: the 0.05 ms response time of the transient linear channel on its least sensitive range, and the 0.10 ms delay time through two bistable trip circuits. The total delay time for dc latch power removal is less than 2 ms for high power or high-energy conditions requiring a scram on the least sensitive power and energy ranges. Other time delays (e.g., period trip) are as low as reasonably achievable. When the transient-independent and transient-dependent comparators are both counted, the total number of circuits sensing the need for rapid shutdown is 11 per channel. The RTS also provides reactor status information to the control room and ARCS.

7.2.2.2 Design Adequacy. The RTS design provides the number and type of nuclear instruments required to cover the entire reactor power range, as listed in Table 7-1 and further described in Section 7.6.1.

The scram command produces automatic insertion of all control rods. The design of the RTS is such that the scram command causes the control/shutdown and compensation/shutdown rods to be driven in pneumatically and the transient rods to be driven in hydraulically. When this action is initiated, it cannot be stopped by operator intervention and proceeds to completion automatically.

The scram command cannot be reset or cleared unless the parameter producing the scram command no longer exceeds the trip set point. The RTS design is such that each of the channel scram commands passes through at least two latching bistable trip circuits, one within the transient or steady-state input trip logic unit, and one within the output trip logic unit. Each of these identical bistable trip circuits is designed so that the input trip command must be at its normal (untripped) level before the reset operation will clear the scram command.
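The latch, reset and redundancy behaviour described above and in Sections 7.2.1.3.2 and 7.2.1.3.3 can be checked with a small model. This is an added example, not part of the FSAR or the RTS design documents; the unit labels, the single 5.0 V reference level per unit and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed labels: three transient and two steady-state input trip logic units.
INPUT_UNITS = ("TR-A", "TR-B", "TR-C", "SS-A", "SS-B")
OUTPUT_UNITS = ("P1", "P2", "P3")
REFERENCE_V = 5.0  # constructed reference level; the page gives no set-point values


@dataclass
class Bistable:
    """Latching bistable trip circuit."""
    latched: bool = False

    def update(self, trip_input: bool) -> bool:
        self.latched = self.latched or trip_input
        return self.latched

    def reset(self, trip_input: bool) -> bool:
        """Clear the latch only if the trip input is back at its normal level."""
        if not trip_input:
            self.latched = False
        return not self.latched


@dataclass
class InputTripLogic:
    """Compares one analog input against a reference level and latches a trip."""
    reference_v: float = REFERENCE_V
    latch: Bistable = field(default_factory=Bistable)

    def sample(self, volts: float) -> bool:
        return self.latch.update(volts > self.reference_v)

    def reset(self, volts: float) -> bool:
        return self.latch.reset(volts > self.reference_v)


@dataclass
class OutputTripLogic:
    """Second latch in the chain; commands the SSRs of its own trip unit."""
    failed: bool = False  # modelled fault: unit never delivers its trip output
    latch: Bistable = field(default_factory=Bistable)

    @property
    def ssr_conducting(self) -> bool:
        return self.failed or not self.latch.latched


class TripChain:
    def __init__(self) -> None:
        self.inputs = {n: InputTripLogic() for n in INPUT_UNITS}
        self.outputs = {n: OutputTripLogic() for n in OUTPUT_UNITS}

    def latch_power_on(self) -> bool:
        # The SSRs of the three trip units are in series on each dc bus,
        # so one open SSR is enough to remove latch power.
        return all(p.ssr_conducting for p in self.outputs.values())

    def step(self, volts: dict) -> bool:
        tripped = [u.sample(volts[n]) for n, u in self.inputs.items()]
        # Every input unit's latched trip goes in parallel to P1, P2 and P3.
        for p in self.outputs.values():
            p.latch.update(any(tripped))
        return self.latch_power_on()

    def reset(self, volts: dict) -> bool:
        """Operator reset: input latches first, then output latches."""
        cleared = [u.reset(volts[n]) for n, u in self.inputs.items()]
        still_tripped = not all(cleared)
        outputs_cleared = [p.latch.reset(still_tripped) for p in self.outputs.values()]
        return all(cleared) and all(outputs_cleared)


NORMAL = {n: 1.0 for n in INPUT_UNITS}  # constructed readings below the reference


def run_scenarios() -> dict:
    results = {}
    rts = TripChain()
    high = {**NORMAL, "TR-B": 6.0}
    results["normal"] = rts.step(NORMAL)
    results["one_channel_high"] = rts.step(high)
    results["input_normal_no_reset"] = rts.step(NORMAL)  # both latches hold
    results["reset_while_high"] = rts.reset(high)        # refused
    results["power_after_refused_reset"] = rts.latch_power_on()
    results["reset_when_normal"] = rts.reset(NORMAL)
    results["power_after_reset"] = rts.latch_power_on()

    degraded = TripChain()
    degraded.outputs["P1"].failed = True
    degraded.outputs["P2"].failed = True
    results["two_output_units_failed"] = degraded.step({**NORMAL, "TR-C": 6.0})
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:28s} latch power / reset ok = {value}")
```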

All of the electronic units associated with either of the duplicated steady-state groups of instruments or the triplicated transient groups of instruments are enclosed within rack cabinets assigned for exclusive containment of group A, B, or C. The sensor and/or preamplifier cables associated with the three groups are routed through individual conduits assigned to contain group A, B, or C exclusively. Each preamplifier is enclosed in an individual impact-resistant metallic enclosure, and only preamplifiers associated with different channels within a given group are mounted in proximity to each other.

The seismic scram sensors and associated electronics are located in the seismically analyzed subpile room and BAR, and have their trip relay contact connections carried over cables to the actuator interface power unit located in the I&C room. All of the seismic channel hardware is designed to function properly for acceleration levels to 1 g.

Most of the RTS electronic equipment, except for some preamplifiers and the seismic channels, is located in the I&C room with an ambient temperature of 15–35°C. The most probable temperature-associated failures for any of the electronic components involve exceeding a junction maximum temperature limit. The narrowest margin for any such component is 20°C, which implies that the ambient temperature in the I&C room would have to reach 55°C to produce such a failure. It is not expected that the ambient temperature would approach even the 35°C limit. A high-temperature condition inside the I&C room RTS cabinets will be annunciated by temperature alarms in the control room.

The preamplifiers located in the Reactor Building maintain function and accuracy over the specified ambient range of 10–35°C, and temperature margins for functional performance are greater than the 20°C margin applicable to the I&C room (because of lower internal temperature rises within the enclosures).

The temperature and humidity are monitored in the subpile room, BAR, Reactor Building, and the I&C room, and will cause alarms in the control room when any unacceptable limits are reached. The radiation levels that RTS components are exposed to are too low to cause any instantaneous or long-term effects.

After the positions of all of the RTS ion chambers have been determined during the preoperational physics test program, on the basis of providing the desired ion chamber currents, the chamber positions will be fixed and recorded. Relative chamber positions are displayed behind lockable covers; the chamber positions will be administratively controlled.

The number of different component types within the RTS electronic system has been minimized. Commercially available components within the system were chosen to maximize the number of manufacturers who can supply interchangeable units, insofar as possible or practical.

Most of the isolation devices within the RTS that are required to interface signals to and from other systems have maximum isolation voltage ratings of 1500-Vdc or peak ac, or higher. The maximum credible potential which could be accidentally applied to one of these isolation devices is at most 900 V, which is the maximum output for the high-voltage power supplies. The safety margin is nearly a factor of two.

Panel layouts are engineered for efficiency of human interaction by providing legible and understandable markings and high-visibility indicator lights. Operation in the simulated transient mode, and in the test mode for DMT testing, requires a number of cables to be connected to the RTS. The connector types are chosen to provide reliability over many cycles of use, and ease of connection. To a maximum practical extent, connectors are of mixed types, or keyed to prevent incorrect connections, not only for the simulator and DMT cables, but also throughout the RTS.

All adjustable set points involving safety functions for the RTS are readable from the set-point dials, with the set-point voltage levels readable at front panel test jacks. All such functions are under key lock control provided by the use of see-through rack cabinet doors with locks.

The manual scram function is accomplished by multiple contact pairs of the five scram buttons, with each pair of contacts being normally closed. Three of the contact pairs connect into the three output trip logic units, where the scram signal will propagate through solid state circuits and finally deactivate the fast-acting solid state relays that remove latch coil power. A fourth set of scram button contacts connects to the actuator interface power unit where electro-mechanical relays are deactivated. These contacts directly remove all latch power without dependence on any solid state elements.

The single-failure criterion requires that the failure of any single channel or component of the RTS will not prevent the RTS from being able to perform its safety functions. This criterion is met primarily through redundancy in the form of triplication of the transient-mode channels, of the output trip logic units, and of the trip units containing the solid-state relays. It would be necessary to encounter simultaneous failures within these groups of triplicated units to prevent the RTS from performing its functions associated with transient-mode operation. The probability of such an occurrence is extremely low, as indicated in the reliability analysis referenced in Section 7.8. The degree of risk of excessive fuel temperatures is much less for the operating power levels of the steady-state mode. For this reason and because the triplicated power level, period, and temperature transient-mode circuits remain effective during steady-state operation, the degree of redundancy is also less, with the steady-state channels merely duplicated.

The low probability for a complete RTS failure is made possible by the use of fail-safe techniques wherever practical. All component failure modes that can be arranged to be fail-safe may be subtracted from the total probability-of-failure value, thus reducing it. Some of the specific fail-safe techniques incorporated in the RTS design are as follows:

1. Most electro-mechanical relays involved in the control of latch power are designed to remove latch power when the relay is deactivated. This is the most probable failure mode, producible by an internal open in the relay coil, broken connections to the relay coil, failure of the voltage source supplying the relay coil, mechanical sticking in the deactivated position, and failure of contacts to close.

2. In all uses of opto-isolators to convey logic-level signals, the zero level of current through the light-emitting-diode input is associated with the trip condition, since a zero level of light output is a more probable failure than an excessive level of light. The zero level of light output will also be the result of a reduced-voltage failure mode for the +5-V logic power supply.

3. Circuit design features have been incorporated to guarantee that the removal of most internal RTS interconnecting cables will generate a scram. This includes all cables feeding signals into the three transient input trip logic units or the two steady-state input trip logic units, all trip signal connections between these input trip logic units and the output trip logic units, and all trip signals carried from the output trip logic units to the solid-state relays of the trip units. Removal of those RTS cables that will not cause a scram is not considered a significant safety problem because of the DMT testing procedures, which flag any such disconnected cable if the connection was broken prior to testing and operation.

Failure to remove DMT or simulator cables prior to operation will prevent reactor operation.
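Fail-safe techniques 1 to 3 share one idea: the no-signal state is the trip state. The added sketch below (not from the FSAR; the fault names and relative failure rates are constructed for illustration) sorts the failure modes of one opto-isolated trip link into those that force a trip and those that could hide one, for the dark-means-trip convention the text describes and for the opposite convention.

```python
from enum import Enum


class Fault(Enum):
    NONE = "no fault"
    LED_OPEN = "LED input open circuit"
    CABLE_REMOVED = "interconnecting cable removed"
    SUPPLY_LOW = "+5 V logic supply reduced"
    STUCK_LIT = "excessive light output"


# Constructed relative failure rates, chosen only to reflect the statement that
# zero light is a more probable failure than excessive light. Not RTS data.
RATE = {
    Fault.LED_OPEN: 5.0,
    Fault.CABLE_REMOVED: 2.0,
    Fault.SUPPLY_LOW: 3.0,
    Fault.STUCK_LIT: 0.1,
}

DARK_FAULTS = (Fault.LED_OPEN, Fault.CABLE_REMOVED, Fault.SUPPLY_LOW)


def receiver_lit(drive_on: bool, fault: Fault) -> bool:
    """Light level seen by the receiver for a commanded LED drive state."""
    if fault is Fault.STUCK_LIT:
        return True
    if fault in DARK_FAULTS:
        return False
    return drive_on


def sees_trip(trip_requested: bool, fault: Fault, dark_means_trip: bool) -> bool:
    """What the receiving logic concludes under the chosen signalling convention."""
    # Dark-means-trip drives the LED while healthy and untripped;
    # the opposite convention drives it only to announce a trip.
    drive_on = (not trip_requested) if dark_means_trip else trip_requested
    lit = receiver_lit(drive_on, fault)
    return (not lit) if dark_means_trip else lit


def classify(dark_means_trip: bool):
    """Split faults into (safe, unsafe): unsafe faults hide a real trip request."""
    safe, unsafe = [], []
    for fault in Fault:
        if fault is Fault.NONE:
            continue
        hides_trip = not sees_trip(True, fault, dark_means_trip)
        (unsafe if hides_trip else safe).append(fault)
    return safe, unsafe


def unsafe_rate(dark_means_trip: bool) -> float:
    """Sum of the rates that remain in the probability-of-failure total."""
    return sum(RATE[f] for f in classify(dark_means_trip)[1])


if __name__ == "__main__":
    for convention, flag in (("dark means trip", True), ("light means trip", False)):
        safe, unsafe = classify(flag)
        print(convention)
        print("  forces a trip :", [f.value for f in safe])
        print("  can hide trip :", [f.value for f in unsafe])
        print("  unsafe rate   :", unsafe_rate(flag))
```

With the dark-means-trip convention the three probable faults become spurious but safe trips and drop out of the unsafe total, which is the subtraction the text refers to.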

7.2.2.3 Quality Verification. The design and installation of the RTS and DMT were subjected to a series of design reviews required by project procedures during the 1983 upgrade to provide additional assurance that the design was adequate.

The fabrication and testing of the RTS was governed by applicable project quality assurance plans which included bench testing of each RTS and DMT unit and the overall systems, and testing of the RTS with the DMT to ensure that their joint functioning was adequate. The testing with the DMT included seeded faults in the RTS so that all responses of the DMT were exercised and found acceptable.

Components and modules are of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels are achieved through the specification of requirements known to promote high quality, such as requirements for design, manufacturing, quality control, inspection, calibration, and testing. See Chapter 17, Quality Assurance.

7.2.2.4 Conformance to Safety Criteria. There are no Chapter 15 accidents that rely on the RTS for accident mitigation. Therefore, the codes and standards listed in Table 7-2 are not directly applicable to the RTS design. Nonetheless, the codes and standards listed in Table 7-2 were applied to the RTS design as follows:

IEEE 279, Criteria for Protection Systems for Nuclear Power Generating Stations (ANSI/IEEE): The single failure criterion is met by the use of redundant channels numbering either two or three, and by careful isolation to prevent the propagation of a single failure across channel boundaries.

The TREAT program has achieved a high level of quality of components and modules by applying a reliability analysis, by developing designs that provide a wide margin between operating conditions and maximum limits, and by selecting components that are highly reliable based upon previous usage experience. Reliability will also be enhanced by the use of inspection, and extensive testing procedures and calibration.

The RTS is designed to retain its functional capability over the most extreme anticipated ranges of temperatures by the selection of critical components with low temperature coefficients. Components that could affect performance due to the absorption of moisture have been selected to minimize that characteristic. The system is designed to be fail-safe in the event of a loss of the main power supply, which is the 120 Vac normal power. Another feature involves the use of a metallic barrier separating the circuits connected to opposite contacts of the seismic trip contacts. These are contacts which must open to generate a trip, and the barrier reduces the probability of the contacts becoming shorted as the result of crushing the enclosure.

Channel independence is provided by enclosing the duplicated and triplicated channels and trip logic circuits in separate metallic cabinets, and separating the channel wiring in conduits and wireways.

All signals provided to the RCS and elsewhere from the RTS are isolated by the use of isolation devices, such that no credible failure at the output side of the device could prevent the RTS from functioning properly. The lowest isolation rating is 350 V for isolators which deliver 0 to 10 V signals to the ARCS only. The highest potential within the ARCS is the nominal 800 V chamber voltage. Voltage limiters have been placed in the ARCS receiving lines to limit voltage to less than 30 V for these signals. The minimum isolation voltage rating for all remaining isolators is 1,500 V, and the maximum credible external voltage is 900 V.

There is no known condition where a single random failure could cause a control system action requiring reactor shutdown, and simultaneously prevent a protection channel from functioning properly.

One postulated common-mode failure could occur if high-voltage spikes on the ac power line were to couple through the power supply circuits and become imposed upon the solid-state relays, causing all of them to fail in the shorted condition. A backup trip feature is provided which bypasses the solid-state relays, and is capable of producing reactor trips through the use of conventional mechanical relays which are not susceptible to damage from voltage spikes.

The relationship between ion-chamber current and reactor power is either known or will be determined during the first steady-state operation (for both steady-state and transient instrumentation). This is accomplished by adjusting reactor power level during startup and steady-state operation and subsequent monitoring of the signal level which should result. Channel overlap to the RTS transient and ARCS nuclear channels is also confirmed.

The DMT testing procedures, together with the provisions built into the channels of the RTS that give the DMT access to signals for measurement and the capability of selecting ranges and applying built-in test signals, provide a ready means for test and calibration of the system. Further provisions give access to the built-in test signals so that they can be calibrated with NBS traceability by periodic manual procedures. Provisions for manual testing are provided so that reactor operation is possible when the DMT is unavailable.

During steady-state operation, the integrated power (energy) trip is bypassed. One bypass is employed during the DMT testing procedures, but this is under keylock control, and the procedures are sequenced so that removal of the bypass is verified by subsequent tests.

Manual initiation of reactor trip is accomplished by pushbuttons which activate the trip action through four paths. Three paths involve the turning off of all of the solid-state relays through logic circuits. A fourth path involves the direct removal of latch power through a chain of two mechanical relays with manual pushbutton contacts in series with the coils.

All set-point adjustments and key test points are located on the front panels of the RTS units, and access to the front panels is under administrative control due to the use of transparent doors with key locks.

The requirements of IEEE-279, Sections 4.9, 4.10, and 4.11 for the capability of on-line sensor check, channel test and calibration, and channel bypass are not implemented at TREAT. TREAT does not operate for long periods of time like a power reactor. The RTS at TREAT is tested prior to each day of reactor operation.

The TREAT RTS has no operating bypasses, so the requirements of IEEE-279, Sections 4.12, 4.13, and 4.14 are not applicable.

IEEE 336, Installation, Inspection, and Testing Requirements for Class 1E Instrumentation and Electric Equipment at Nuclear Power Generating Stations: All sections of this standard were complied with during the installation, inspection, and testing of the RTS.

IEEE 338, Standard Criteria for Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems (ANSI/IEEE): A comprehensive failure modes and effects analysis (FMEA) of the PPS and the DMT was performed.

A reliability analysis of the RTS was performed.

An exception is taken to Section 5 of the standard. The RTS is not designed to be testable during operation. The RTS is tested prior to reactor operations.

Response time testing is not required for the RTS, since there are no response times specified to mitigate Chapter 15 accidents as described in Chapter 15, Section 15.2.2.3. Response time testing may be performed only for the electronics related to the nuclear detectors. As described in Chapter 15, Section 15.2.2.3, the thermocouples have an inherent significant time delay so they do not provide protection for fast transients. The RTS trips based on pressure switch inputs, seismic detectors, and other inputs do not provide protection for transient reactor operation. Only the nuclear detectors provide such protection. Response time testing of the process to sensor is not performed and is in conformance with the standard. Response time testing of the ion chamber detectors themselves is not done. Excluding the detectors is acceptable because the principles of detector operation provide a virtually instantaneous response. Response time testing of the control-rod-scram insertion time is required by the Technical Specifications TS-420 and is performed as a routine maintenance item to verify acceptable performance of the control-rod system.

IEEE 352, Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems (ANSI/IEEE): This standard was used as a guide to perform a detailed FMEA of the RTS and DMT and to perform a quantitative reliability analysis of the RTS.

IEEE 379, Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Class 1E Systems (ANSI/IEEE): The RTS is capable of performing its function in the presence of any single detectable failure within the system. As part of the reliability analysis, a qualitative common cause failure analysis was performed. No known common mode, common cause failure possibilities exist in the RTS. No known undetectable failure possibilities exist. The common ac power supply to multiple RTS channels is discussed above under IEEE 279.

IEEE 384, Standard Criteria for Independence of Class 1E Equipment and Circuits: RTS independence is provided by enclosing the duplicated and triplicated channels and trip logic circuits in separate metallic cabinets. Interconnecting wiring is run in separate raceways. Physical separation is used as specified in the standard.

Fire protection is provided where redundant equipment is placed within the same area. Temperature sensors are placed in these critical areas with alarms at the reactor control console to indicate when the temperature has exceeded the maximum ambient limit.

Buffers have been used to isolate the Class 1E and non-Class 1E equipment.

IEEE 494, Standard Method for Identification of Documents Related to Class 1E Equipment and Systems for Nuclear Power Generating Stations (ANSI/IEEE): The term “Plant Protection System” (PPS) is placed on the first page of each document and above the title block of each drawing pertaining to the systems that are defined to be part of the PPS.

IEEE 498, Standard Requirements for the Calibration and Control of Measuring and Test Equipment Used in the Construction and Maintenance of Nuclear Power Generating Stations: A documented program has been established, implemented and maintained for the calibration and control of measuring and test equipment used to verify the performance of the PPS and DMT in conformance with this standard.

The measuring and test equipment used for critical measurements and calibrations of the RTS and DMT following their fabrication by the ANL Electronics Division is obtained from a controlled group of instruments. These instruments, and the controls associated with them, abide by all requirements of RDT Standard F3-2T, which is nearly identical to IEEE 498. The document and the entire calibration system were audited and approved by the Quality Assurance Division.

IEEE 500, IEEE Guide to the Collection and Presentation of Electrical, Electronic and Sensing Component Reliability Data for Nuclear-Power Generating Stations: This standard was used as one of the sources of data for component failure rate information in the RTS reliability analysis.

IEEE 577, IEEE Standard Requirements for Reliability Analysis in the Design and Operation of Safety Systems for Nuclear Power Generating Stations: This standard was used as a guide to perform the reliability analysis of the RTS. The standards listed in IEEE 577 have been addressed separately.

IEEE 603, Standard Criteria for Safety Systems for Nuclear Power Generating Stations: The criteria contained in this standard were used to establish functional and design requirements for the RTS. The remainder of the IEEE 603 requirements that are directly applicable to the RTS have been addressed in the response to Standard IEEE 279.

IEEE 627, Design Qualification of Safety Systems Equipment Used in Nuclear Power Generating Stations: All equipment used in the RTS is designed to work in a normal service environment. No severe environmental conditions exist.

The electrical specifications for the individual units of the RTS constitute the required qualification criteria. Following completion of fabrication, each unit was individually bench tested according to a detailed test plan. The test plan included step-by-step procedures to be followed in making a series of electrical measurements, data entries of the measured values, and acceptance limits. The measurements included calibrations of all parameters for which specifications are given, response time measurements, and all other measurements required to verify the proper functioning of the entire circuit.

Following the individual bench tests, all units of the RTS were assembled into a complete system, and interconnected to the DMT for an additional series of tests intended to verify the DMT performance, in addition to providing further verification of RTS performance. This series of tests constitutes the qualification program, which was thoroughly documented for evidence of qualification.

Only random statistical failures are anticipated, which have been considered in the reliability analysis. The RTS equipment has been assessed for aging, and several possibilities exist, e.g., neutron detectors and cables, electrolytic capacitors. The effects of aging in components will be compensated for by the TREAT testing and maintenance programs. If a high failure rate develops in a particular type of component, all such components will be replaced. No RTS equipment has significant aging mechanisms as described in section 4.4.1 of IEEE 627; therefore, there is no qualified life for any TREAT RTS components. Nor does TREAT have a Qualification Program.

Equipment required to function under seismic conditions has been qualified by analysis.

ANSI N45.2, Quality Assurance Program Requirements for Nuclear Facilities: A Quality Assurance plan has been prepared for the RTS. This QA plan invokes ANSI N45.2. NQA-1 was not available at the inception of the design of this system.

RDT C1-1T, Instrumentation and Control Equipment Grounding and Shielding Practices: The equipment grounding and shielding practices specified in the standard have been applied to the design of the RTS.

7.2.2.5 General Design Criteria. The applicable GDC listed in Chapter 3, Table 3-1 were considered in the RTS design as follows:

GDC-1, Quality Standards and Records: The overall project quality assurance program, which complies with ANSI N45.2, 1977, “Quality Assurance Program Requirements for Nuclear Facilities,” and was supplemented with a project-imposed quality assurance plan for the ANL Electronics Division, guided the design, fabrication and testing of the RTS. Records of the design, fabrication, and testing of the RTS were supplied to the project by the ANL Electronics Division, to be maintained during the life of the system.

GDC-2, Design Bases for Protection Against Natural Phenomena: Protection of the reactor during earthquakes is provided by the incorporation of two seismic switch channels. These channels sense the onset of a seismic disturbance at a trip level of 0.02 g or lower, and will immediately generate a scram signal through the RTS. Further protection against the effects of high winds and tornadoes is provided partly by the fail-safe condition of the design against a loss of 120-V normal power, which will also immediately scram the reactor. If normal power should be maintained during high winds or tornadoes which cause building damage, further protection is provided by the separation of the duplicated and triplicated RTS channels. This makes it improbable that all redundant channels would be damaged simultaneously, so that at least one channel would retain the capability of performing the scram function in response to any of the intended scram initiators. Critical circuits in the power control unit of the actuator interface are compartmentalized to prevent the possibility of shorting across seismic trip contacts, or other trip contacts, in the event of chassis-crushing accidents that might result from tornado damage to the building.

GDC-3, Fire Protection: Conservative design throughout the circuits of the RTS has been implemented by the use of wide safety margins between operating levels of voltage or power and maximum ratings. This decreases the probability of fires originating within the RTS circuits. Protection against a loss of scram capability due to fires originating outside the RTS is provided mainly by the duplication or triplication of channels, with suitable barriers between the channels and through use of fire suppression systems.

GDC-4, Environmental and Missile Design Bases: The provisions incorporated in the RTS, as outlined under the GDC-2 response above, apply to this criterion.

GDC-5, Sharing of Structures, Systems, and Components: Although the information developed by the RTS is delivered to, and thus shared by, several other systems, all such connections are made through suitable isolation devices. The nature of the isolating devices is such that there is no credible means by which a malfunction in an interconnected non-RTS system could influence the ability of the RTS to perform its function.

GDC-6, Design Bases for Experimental Facilities: Although this criterion does not apply directly to the RTS, the RTS has the capability to connect a scram signal derived from an experimental facility.

GDC-10, Reactor Design: The principal function of the RTS is to guarantee that fuel clad temperatures are minimized.

GDC-12, Suppression of Reactor Power Oscillations: The RTS exerts no control over reactor power that could produce oscillations. It is designed with state-of-the-art rapid-time response circuitry to permit the detection of power oscillations, with automatic scram if values exceed acceptable limits.

GDC-13, Instrumentation and Control: The RTS provides instrumentation that will aid the physics test program and that will be calibrated by that program.

GDC-19, Control Room: The steady-state log-power/period channels of the RTS are powered from standby power and supply information to the control room about the status of the reactor in the event of a loss of normal power. These duplicated channels will continue to supply to the control room an indication of reactor power and period, with the power indication covering a range of 10^-2 to 10^+6 W. Except for manual scram inputs, all reactor scrams produced by the RTS are automatic, requiring no action on the part of an operator in the control room. All other RTS indicators in the control room are on the standby power bus.

GDC-20, Protection System Functions: Except for manual scram inputs, all reactor scrams produced by the RTS are automatic.

GDC-21, Protection System Reliability and Testability: The RTS has been designed on the basis of a reliability analysis that provides a probability of system-level failure of less than 10^-9 per challenge. It is also designed so that no single failure can result in the loss of the system function, as accomplished by duplication or triplication of channels, by the use of suitable isolation devices to prevent the propagation of a malfunction between units, and by the strategic use of protective devices such as transient suppressors and over-voltage crow-bars. The RTS is also designed for automated testing of all of its critical protective functions by the connections to the DMT.

GDC-22, Protection System Independence: The RTS features redundant independent trip channels and is suitably isolated between channels and systems outside the RTS. The principal path for the generation of a reactor scram in the RTS involves the deactivation of a group of redundant solid-state relays with very short response times. Diversity is provided by a backup trip feature that bypasses the SSRs and directly produces a scram through the action of conventional mechanical relays, although with somewhat longer time delay.

GDC-23, Protection System Failure Modes: The RTS has been designed to produce fail-safe consequences (reactor scram) in response to credible failures, operational errors, etc., wherever practicable. Most interconnecting cables, the removal of which would result in failure to scram otherwise, have a cable interlock feature that immediately produces the desired scram when the cable is removed. The RTS will produce a scram in the event of a loss or degradation of 120-V normal power, if any ion-chamber voltage supply drops below a preselected level, or if any DMT or simulator connector is left connected after testing. All scram signals transmitted through opto-isolators associate the scram condition with zero current through the input LED, to provide a scram in the event of the most probable open circuit malfunction resulting in zero LED current. It is impractical, if not impossible, to provide fail-safe consequences for all conceivable types of component failures or malfunctions. The emphasis has been placed on making this provision for the most probable types of failures, or for a maximum fraction of failure types where individual probabilities are unknown.

GDC-24, Separation of Protection and Control Systems: Except for suitably isolated information signals delivered to the reactor control system, the RTS is completely separated in function from the control system.

GDC-25, Protection System Requirements for Reactivity Control Malfunctions: The RTS is designed to scram the reactor upon any single failure of the reactivity control system if this failure causes a trip setting to be exceeded.

GDC-29, Protection Against Anticipated Operational Occurrences: TREAT does not have Anticipated Operational Occurrences as described in the definitions of Appendix A to 10 CFR 50 and GDC-29. As described in Chapter 15, a spectrum of postulated off-normal events has been considered. The RTS is not required to mitigate those events.
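The fail-safe signalling described under GDC-23 and the single-failure statement under GDC-21 can be checked with a small fault-enumeration model. The Python sketch below is an added illustration, not part of the FSAR or the RTS design; the fault names, the `led_driver_shorted_on` fail-dangerous mode, the energize-to-trip comparison case, and the any-channel-trips voting are assumptions made for the example.

```python
"""Fault enumeration for a de-energize-to-trip scram signal (constructed model)."""

# Fault modes named in the GDC-23 response, grouped by their electrical effect.
TRANSPORT_OPEN = {"loss_of_120v_power", "cable_removed", "led_open_circuit"}
SUPERVISED = {"ion_chamber_hv_low", "test_connector_left_in"}
# Constructed fail-dangerous mode: current is forced through the LED.
STUCK_ON = {"led_driver_shorted_on"}
FAULTS = sorted(TRANSPORT_OPEN | SUPERVISED | STUCK_ON)
# The text notes a common ac supply to multiple channels, so a power loss
# is modelled as affecting every channel at once.
COMMON_CAUSE = {"loss_of_120v_power"}


def led_current(fault, trip_demanded, deenergize_to_trip):
    """Return True if current flows through the opto-isolator input LED."""
    if fault in STUCK_ON:
        return True
    if fault in TRANSPORT_OPEN:
        return False
    # Supervised conditions are detected and treated as a trip demand.
    wants_trip = trip_demanded or fault in SUPERVISED
    # De-energize-to-trip: current flows only while everything is healthy.
    return (not wants_trip) if deenergize_to_trip else wants_trip


def channel_scrams(fault, trip_demanded, deenergize_to_trip=True):
    """Receiver side: zero current means scram in the fail-safe encoding."""
    current = led_current(fault, trip_demanded, deenergize_to_trip)
    return (not current) if deenergize_to_trip else current


def masked_faults(deenergize_to_trip):
    """Faults that suppress a demanded scram (fail-dangerous)."""
    return [f for f in FAULTS if not channel_scrams(f, True, deenergize_to_trip)]


def spurious_faults(deenergize_to_trip):
    """Faults that scram with no demand (fail-safe, at the cost of availability)."""
    return [f for f in FAULTS if channel_scrams(f, False, deenergize_to_trip)]


def system_scrams(channel_faults, trip_demanded, deenergize_to_trip=True):
    """Assumed voting: any single channel tripping scrams the reactor."""
    return any(
        channel_scrams(f, trip_demanded, deenergize_to_trip) for f in channel_faults
    )


def single_failure_holds(n_channels, deenergize_to_trip=True):
    """True if no single fault defeats a demanded scram with n channels."""
    for fault in FAULTS:
        if fault in COMMON_CAUSE:
            faults = [fault] * n_channels
        else:
            faults = [fault] + ["none"] * (n_channels - 1)
        if not system_scrams(faults, True, deenergize_to_trip):
            return False
    return True


if __name__ == "__main__":
    for mode, flag in (("de-energize-to-trip", True), ("energize-to-trip", False)):
        print(mode)
        print("  fail-dangerous:", masked_faults(flag))
        print("  spurious scram:", spurious_faults(flag))
        for n in (1, 2, 3):
            print(f"  single-failure criterion, {n} channel(s):",
                  single_failure_holds(n, flag))
```

In this model the zero-current encoding turns every open-circuit fault into a scram and leaves only the stuck-on fault as fail-dangerous, which redundancy then covers; the inverted encoding fails the single-failure check on the shared power supply regardless of channel count.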

7.2.2.6 Reliability Analysis. The reliability of the RTS is discussed in Section 7.8.

7.3 Reactivity Control System

7.3.1 Description

7.3.1.1 System Description. The reactivity control system monitors the positions of the control rods and the condition of the control rod scram actuation systems, and includes (1) the systems that provide the power for normal control rod positioning, and (2) the systems that provide the stored energy for scramming the control rods. The reactivity control system consists of four compensation/shutdown rod drives with one control rod per drive, four control/shutdown rod drives with two control rods per drive, and four transient rod drives with two control rods per drive. The compensation/shutdown and control/shutdown rods are positioned by electric motor drives and scrammed with pneumatic assistance when unlatched from the motor drives. The compensation/shutdown drives have hydraulic scram latches, and the control/shutdown drives have magnetic scram latches. The transient rod drives are hydraulically positioned and are hydraulically scrammed by means of scram solenoid valves.

The mechanical portions of the reactivity control system are described in Chapter 4, Reactor, Section 4.2.3. The scram latches, scram solenoid valves, scram actuators, and scram actuation support systems, and the scram control of the reactivity control system are also a part of the PPS (see Section 7.1). The reactivity control system positions control rods as commanded by the RCS (see Section 7.6.1) and scrams all rods upon command from the RTS (see Section 7.1.1.4). The reactivity control system also provides the monitoring sensors and switches required by the RCS and RTS. The reactivity control system is described in “TREAT Upgrade Component Design Description for Reactivity Control System” (ANL 1992a).

The reactivity control system receives input from two systems:

• RTS, the reactivity control system provides the scrammable rod elements as subsequently described in this section

• RCS, the reactivity control system provides the control rod assemblies that are controlled by the RCS.

7.3.1.2 Design Bases.

7.3.1.2.1 Functions—The reactivity control system is provided to position or scram the control rods and to monitor control-rod-drive systems status as required by the RTS and RCS.

7.3.1.2.2 Design Requirements—To meet the functional requirements, the reactivity control system must satisfy various design requirements as it interfaces with the RTS and RCS. As such, the PPS portion of the reactivity control system has been designed consistent with the RTS design requirements. Design requirements are further discussed in the “TREAT Upgrade Component Design Description for Reactivity Control System” (ANL 1992a). Environmental conditions for various reactivity control system components are listed in Table 7-4.

Table 7-4. Environmental conditions at the reactivity control system locations.

Location | Design Components Affected | Environmental Conditions
Subpile Room, Basement Auxiliary Room | Rod Drives, Electric Power & Control, Hydraulic, Pneumatic & Mech. Hardware | 20–50°C
Reactor Building | Power & Control Circuitry & Electrical Hardware | 10–35°C
I&C Room | Electrical Equipment Status Displays, Computer | 15–35°C, Normally Air Conditioned

7.3.1.2.3 Quality Assurance Requirements—The quality assurance program for the reactivity control system shall be in accordance with the quality assurance procedures outlined in Chapter 17. The quality assurance requirements are determined on the basis of relative importance of components and subsystems for achieving safety and operational performance objectives.

7.3.1.2.4 Codes and Standards—The codes and standards listed in Table 7-5 were considered for applicability in the reactivity control system design, as described in detail in Section 7.3.2.4 below.

Table 7-5. Reactivity control system codes and standards.

No. Title

IEEE 352-1975 IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems

IEEE 500-1984 IEEE Guide To The Collection And Presentation Of Electrical, Electronic, Sensing Component, And Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations

IEEE 730-1984 IEEE Standard for Software Quality Assurance Plans

ANSI N45.2 Quality Assurance Program Requirements for Nuclear Facilities

RDT C1-1T Instrumentation and Control Equipment Grounding and Shielding Practices

National Electrical Code

National Electrical Manufacturers Association

Underwriters Laboratories Standards for Approved Materials

Uniform Building Code

7.3.1.2.5 General Design Criteria—The applicable GDC listed in Chapter 3, Table 3-1 were considered in the reactivity control system design as follows:

GDC-1, Quality Standards and Records: The overall project quality assurance program, which complies with ANSI N45.2, 1977, “Quality Assurance Program Requirements for Nuclear Facilities,” and was supplemented with a project-imposed quality assurance plan for the ANL Electronics Division, guided the design, fabrication and testing. Records of the design, fabrication, and testing of the system were supplied to the project by the ANL Electronics Division, to be maintained during the life of the system.

GDC-2, Design Bases for Protection Against Natural Phenomena: Protection of the reactor during earthquakes is provided by the incorporation of two seismic switch channels. These channels sense the onset of a seismic disturbance at a trip level of 0.02 g or lower, and will immediately generate a scram signal through the RTS. Further protection against the effects of high winds and tornadoes is provided partly by the fail-safe condition of the design against a loss of 120-V normal power, which will also immediately scram the reactor. The control rod drive mechanisms and important support system equipment items are protected from missiles, pipe whipping, and fluid damage by selective location in the subpile and BAR and through extensive use of protective metal coverings. Each control rod is provided with a seismic restraint.

GDC-3, Fire Protection: The reactivity control system design minimizes the probability and effects of fire through maximum use of noncombustible and heat resistant materials; location and protective covering of equipment containing combustible material; and installation of oil mist detection and fire suppression in the subpile and BAR.

GDC-4, Environmental and Missile Design Bases: The provisions incorporated in the RTS and reactivity control system, as outlined under the GDC-2 response above, apply to this criterion. Reactor subcriticality would be maintained for any credible core rearrangement or flooding caused by environmental conditions, provided the control rods remain in the core. Subcriticality will be maintained when the test loop is removed from the core and also when individual control rods are removed for examination and maintenance.

GDC-5, Sharing of Structures, Systems, and Components: The subsystems of the reactivity control system are only used for reactivity control and are not shared with any other systems.

GDC-6, Design Bases for Experimental Facilities: The subsystems of the reactivity control system are only used for reactivity control and are not shared with experimental facilities. The static and kinetics calculations for this section take into account the experiment vehicle in the center of the core and the inclusion of the radial slot for hodoscope operations. The physical presence of the vehicle and slot were modeled.

GDC-10, Reactor Design: The reactivity insertion accident analyses in Chapter 15, Section 15.2, use Technical Specification limits provided for the reactivity control system equipment. The analyses show that the safety limit for the fuel is not exceeded during the worst case accident. A principal function of the reactivity control system is to guarantee that fuel clad temperatures are minimized. Experimental data are available and will be verified, which show that acceptable operating limits for the TREAT core are not exceeded during normal operation or during off-normal events.

GDC-12, Suppression of Reactor Power Oscillations: The reactivity control system exerts no control over reactor power that could produce oscillations. It is designed with state-of-the-art rapid-time response circuitry to permit the detection of power oscillations, with automatic scram if values exceed acceptable limits. This criterion normally refers to spatial oscillations caused by xenon poisoning in power reactors. No such oscillations are possible in the TREAT reactor.

GDC-13, Instrumentation and Control: The reactivity control system provides instrumentation to monitor control rod and rod drive positions, operation of the drive latches, and operating parameters of the control rod drive hydraulic and pneumatic support systems. Instrumentation has been provided for the initial core physics measurement program to make the measurements required to characterize the core power distribution, and to relate nuclear instrumentation calibrations to reactor power and peak clad temperatures. This instrumentation provides the capability to monitor core physics parameters over their anticipated ranges for normal operation, for anticipated operational occurrences (upset conditions), and for postulated accident conditions. The reactor control system and reactor trip system are designed to maintain core variables and systems within prescribed ranges.

GDC-20, Protection System Functions: The reactivity control system provides three diverse banks of control rods to effect reactor shutdown. The rod drive mechanisms used are designed to initiate a high-speed insertion of the control rods on receipt of a command from the RTS. Except for manual scram inputs, all reactor scrams produced by the RTS are automatic.

GDC-21, Protection System Reliability and Testability: The reactivity control system moves rods based on commands from the RTS. The pneumatic and hydraulic support systems used by the control rod drives have been designed as separate and dedicated subsystems, each of which is provided with redundant RTS initiators. The RTS has been designed on the basis of a reliability analysis which provides a probability of system-level failure of less than 10^-9 per challenge. It is also designed so that no single failure can result in the loss of the system function, as accomplished by duplication or triplication of channels, by the use of suitable isolation devices to prevent the propagation of a malfunction between units, and by the strategic use of protective devices such as transient suppressors and over-voltage crow-bars. The RTS is also designed for automated testing of all of its critical protective functions by the connections to the DMT.

GDC-22, Protection System Independence: The reactivity control system moves rods based on commands from the RTS. The RTS features redundant independent trip channels and is suitably isolated between channels and systems outside the RTS. The principal path for the generation of a reactor scram in the RTS involves the deactivation of a group of redundant solid-state relays with very short response times. Diversity is provided by a backup trip feature which bypasses the SSRs and directly produces a scram through the action of conventional mechanical relays, although with somewhat longer time delay.

GDC-23, Protection System Failure Modes: Key components effecting high-speed insertion (scram) of the reactivity control system control rods are the latches provided on the rod drives and the rod drive pneumatic and hydraulic support systems. Degradation of these components and support systems or loss of power causes immediate scram through an RTS command. The RTS has been designed to produce fail-safe consequences (reactor scram) in response to credible failures, operational errors, etc., wherever practicable. Most interconnecting cables, the removal of which would result in failure to scram otherwise, have a cable interlock feature that immediately produces the desired scram when the cable is removed. The RTS will produce a scram in the event of a loss or degradation of 120-V normal power, if any ion-chamber voltage supply drops below a preselected level, or if any DMT or simulator connector is left connected after testing. All scram signals transmitted through opto-isolators associate the scram condition with zero current through the input LED, to provide a scram in the event of the most probable open circuit malfunction resulting in zero LED current.

GDC-24, Separation of Protection and Control Systems: The design of the reactivity control system equipment limits sharing of protective systems components to the maximum extent practical. Except for suitably isolated information signals delivered to the reactor control system, the RTS is completely separated in function from the control system.

GDC-25, Protection System Requirements for Reactivity Control Malfunctions: The RTS is designed to scram the reactor upon any single failure of the reactivity control system if this failure causes a trip setting to be exceeded. As in the cases of GDC-10 and GDC-20, acceptable operating limits for the TREAT core are not exceeded.

GDC-26, Reactivity Control System Redundancy and Capability: TREAT has three independent reactivity control systems (transient, control/shutdown, and compensation/shutdown) of different design principles and meets the requirements of GDC 26. Reactivity is contained in each of these independent reactivity control systems such that a loss of one system will not preclude maintaining the reactor in a cold shutdown condition by insertion of the remaining two reactivity control systems.

GDC-28, Reactivity Limits: The compensation/shutdown and control/shutdown rod drives are mechanically incapable of inserting reactivity at a rate fast enough to cause damage to the core or its support structures (see Chapter 4, Section 4.2.3 and Chapter 15). The transient rod drives are capable of fast reactivity addition, and experimental determinations have been made to show that, for ramp rates and limited reactivity at the upper extreme of the transient rod drive capabilities, the reactivity that can be added to the core at the fastest rate will be incapable of causing the core temperature to exceed 820°C.

GDC-29, Protection Against Anticipated Operational Occurrences: TREAT does not have Anticipated Operational Occurrences as described in the definitions of Appendix A to 10 CFR 50 and GDC-29. As described in Chapter 15, a spectrum of postulated off-normal events has been considered. The RCS is not required to mitigate those events.

7.3.2 Analysis

7.3.2.1 Functional Adequacy. The reactivity control system provides the sensors and actuation systems required by the PPS and the RCS. These systems have also been designed to be single failure proof.

7.3.2.2 Design Adequacy. The design meets the requirements by providing the specific instruments and controls required by the operational requirements and meeting the structural and environmental, configuration and essential features, and maintenance requirements.

The single failure criterion imposed on the reactivity control system is met through the design and location of the pneumatic and hydraulic support system equipment utilized by the rod drives for attaining high-speed insertion (scram) of the control rods and duplicated RTS trip monitors.

The design of the pneumatic supply system, used by both control/shutdown and compensation/shutdown rod drives for high-speed insertion of the control rods, provides an individual and dedicated pneumatic supply subsystem for each rod drive. Air receiver tanks used for this system are located in the BAR, providing missile protection for the rod drives. The receiver tanks and connecting piping leading to the rod drives are also protected from damage from external sources through use of heavy metal coverings.

The design of the hydraulic supply system used for the compensation/shutdown rod drive high-speed latches provides single failure protection through the use of individual hydraulic fluid return lines and protection of these return lines from damage by external sources through use of heavy metal coverings. Damage resulting in complete closure of a hydraulic return line will result in failure of the corresponding latch to open. Damage resulting in a puncture or shear of any hydraulic line or flexible hose will either have no impact or will immediately release all four latches.

The hydraulic supply system designed for the transient control rod drives also provides an individual and dedicated hydraulic supply subsystem for each rod drive. Hydraulic accumulators used for this system are located near the rod drives in the subpile room to meet rod-drive performance requirements. To provide missile protection for the rod drives, the accumulators are secured to a rigid support, which in turn is anchored securely to the floor and wall of the subpile room. Additional protection is provided by a heavy metal covering of the accumulators. Fluid supply lines are supported and protected by metal covering wherever practical. Flexible hoses used for fluid supply are kept to minimum lengths to minimize possible equipment damage resulting from breakage and whipping. The hydraulic power supply that uses high-speed rotating equipment such as pumps, pump motors, and motor-to-pump couplings is located in the BAR.

7.3.2.3 Quality Verification. Quality of the reactivity control system was verified through the design review process and through testing of individual components and of the entire system for conformance to procurement specifications and the reactivity control system design requirements. Components and modules are of a quality that is consistent with minimum maintenance requirements and low failure rates.

7.3.2.4 Conformance to Safety Criteria. There are no Chapter 15 accidents that rely on the reactivity control system for accident mitigation. Therefore, the codes and standards in Table 7-5 are not directly applicable to the reactivity control system design. Nonetheless, the codes and standards listed in Table 7-5 were applied to the reactivity control system design consistent with the RTS (see Section 7.2.2.4).

7.3.2.5 Reliability Analysis. The reliability of the reactivity control system is discussed in the “TREAT Upgrade Component Design Description for Reactivity Control System” (ANL 1992a).

7.4 Systems Required for Safe Shutdown

Most reactors rely upon physical scrams as the primary level of protection. As described in Chapter 15, Section 15.2.2.1, TREAT in its self-limiting mode of operation has a three-level approach to reactivity control. As demonstrated in Chapter 15, Section 15.2, the SR requirement to shut down the reactor and maintain it in a safe shutdown condition is ensured by the reactor’s physically inherent strong negative temperature coefficient of reactivity and does not depend on immediate scram action from the reactor trip system (RTS). However, to align TREAT to industry precedent with other test/research reactors licensed by the NRC or operated by DOE, the RTS manual scram and seismic trip subsystems are designated in Chapter 15 as SR-SSCs to meet the SR-SSC Criterion 1 to ensure the reactor is shut down and maintained in a safe shutdown condition for the applicable accident scenarios.

Functions necessary for a safe shutdown are included in the plant protection system (PPS). The PPS initiates negative reactivity insertion into the reactor to maintain fuel temperature within limits for normal operation and anticipated transients. The seismic scram subsystem and the manual scram buttons provide the safe shutdown capabilities for the TREAT PPS. No additional systems are required for safe shutdown.

7.4.1 Seismic Scram

The seismic scram subsystem operates independently of RTS logic circuits by directly removing ac power from control rod drive latch power supplies. Two seismic channels, as shown in Figure 7-2, are capable of initiating a reactor scram when the ground acceleration at either sensor exceeds the set point level. These trip signals do not pass through the SSRs in RTS trip logic circuits, but directly interrupt the ac power line which is the source of power for all of the CRD latches.

The seismic event detection subsystem shall remain functional during seismically induced base rock accelerations up to 1 g, to ensure reliable shutdown capability.

The sensor/comparator units for the two seismic channels are commercial equipment. The units meet the desired fail-safe characteristics and provide for the desired functional testing capability. The sensor/comparator units are located, as required, in the seismically analyzed subpile and BAR, and interconnect to control units located in the I&C room with the remainder of the RTS as shown in Figure 7-2.

The sensing device, whose function is to detect the initial buildup of a seismic wave as quickly as possible, is a force-balance accelerometer that typically provides a flat response from 0 to 50 Hz. The wide frequency response provides for quicker triggering action in the presence of frequency components above 10 Hz, which are frequently present. The nominal sensor range is ±0.25 g full scale, and the comparator circuits are set to trigger at the lowest level that still avoids spurious trips, but no greater than 0.02 g. The sensors within each of the two channels monitor all three axes: vertical, transverse, and lateral. For each axis, a pair of comparators senses when the acceleration exceeds the trip reference level in either the positive or negative direction. The trip function is fulfilled by deactivating a main trip relay with contacts wired into the 120-Vac power chain within the power unit of the actuator interface. Figure 7-2 indicates the wiring arrangement between the power unit and the two seismic sensor/comparator units that accomplish this function.

The two seismic sensor/comparator units are wired in series to both RTS groups. There is a metallic barrier separating the circuits connected to opposite contacts of the seismic trip contacts. These are contacts which must open to generate a trip, and the barrier reduces the probability of the contacts becoming shorted as the result of crushing the enclosure. In this way, these circuits meet the intent of IEEE 279-1971, Sections 4.5 and 4.6.

No credit is taken for the seismic trip in accident mitigation, although it provides an additional layer of protection. The seismic scram circuit (L6570-8364-DB, Sheet A3) SR-SSC boundary consists of (1) the Seismic Sensor/Comparators and (2) the wiring interface to the RTS Actuator Interface Power Control Unit.
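The trip arrangement described in this section (a comparator pair on each of three axes, one main trip relay per channel, and both channels' contacts in series in the latch power chain) can be written out as a small logic model. The Python below is an added illustration and is not part of the FSAR or of the TREAT design; the `ChannelSample` structure, the function names, and the treatment of a lost power supply or an invalid reading as a trip are assumptions.

```python
"""Model of a two-channel, three-axis seismic trip wired in series."""
import math
from dataclasses import dataclass

TRIP_REFERENCE_G = 0.02   # page: comparators set no greater than 0.02 g
FULL_SCALE_G = 0.25       # page: nominal sensor range is +/-0.25 g full scale
AXES = ("vertical", "transverse", "lateral")


@dataclass
class ChannelSample:
    """One reading from a sensor/comparator unit (constructed structure)."""
    powered: bool   # assumption: an unpowered unit drops its trip relay
    accel_g: dict   # axis name -> measured acceleration in g


def clip_to_full_scale(value_g):
    """A sensor cannot report beyond its full-scale range."""
    return max(-FULL_SCALE_G, min(FULL_SCALE_G, value_g))


def relay_energized(sample, reference_g=TRIP_REFERENCE_G):
    """Return True only while the channel's main trip relay stays energized.

    Energized means closed contacts. Any doubt (no power, a missing axis,
    a non-numeric or NaN reading) de-energizes the relay; that fail-safe
    choice is this example's assumption.
    """
    if not sample.powered:
        return False
    for axis in AXES:
        value = sample.accel_g.get(axis)
        if not isinstance(value, (int, float)) or math.isnan(value):
            return False
        value = clip_to_full_scale(value)
        # One comparator per direction: the trip fires when the reading
        # exceeds the reference in the positive or the negative sense.
        if value > reference_g or value < -reference_g:
            return False
    return True


def latch_power_available(channel_1, channel_2):
    """Both relays' contacts are in series, so either one opening is enough
    to interrupt the ac supply that feeds the latches."""
    return relay_energized(channel_1) and relay_energized(channel_2)


def first_trip(samples_1, samples_2):
    """Index of the first sample pair that removes latch power, else None."""
    for index, (s1, s2) in enumerate(zip(samples_1, samples_2)):
        if not latch_power_available(s1, s2):
            return index
    return None


if __name__ == "__main__":
    # Constructed readings, not measured data.
    quiet = ChannelSample(True, {"vertical": 0.0, "transverse": 0.005, "lateral": -0.01})
    shake = ChannelSample(True, {"vertical": 0.0, "transverse": 0.0, "lateral": -0.03})
    print(first_trip([quiet, quiet, quiet], [quiet, shake, quiet]))
```
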

7.4.2 Manual Scram

The manual scram subsystem operates as a part of the triplicated RTS trip logic circuits with an independent backup trip. A group of trip signal inputs is provided by five manual scram buttons at four locations: top of the reactor, subpile room, control room (two scram buttons provided at the control console and the transient control chassis), and on the Reactor Building floor. The manual scram function is accomplished by multiple contact pairs of the five scram buttons, with each pair of contacts being normally closed. Three of the contact pairs connect into the three RTS output trip logic units (see Figure 7-1), where the scram signal propagates through solid-state circuits and finally deactivates the fast-acting solid-state relays that remove latch coil power. A fourth set of backup scram button contacts connects to the actuator interface power unit where an electro-mechanical relay is deactivated, and its contacts directly remove all latch power without dependence on any solid-state elements.

The manual scram SR-SSC boundary consists of the circuit that includes the five manual scram switches (BAR, Reactor Top, Rx Main Floor, and Control Room (2)) (L6570-8348-DB, sheet A1), the K-2 and K-6 relays in the RTS Actuator Interface Power Control Unit (L6570-8348-DB, sheet A1), and interconnecting wiring.

7.5 Display Instrumentation

This section describes the instrumentation systems that provide information to reactor operators, enabling them to perform required safety functions and monitor SR and NSR-AR instrumentation systems. The reactor operations indicators and recorders are located in the control room of MFC-724. (See Chapter 9, Buildings and Auxiliary Systems, Figure 9-2 for the control room layout.) Reactor instrumentation channels, the dedicated microprocessor tester (DMT), and other systems are rack mounted in the instrumentation and control room located in the Reactor Building (MFC-720). The instrumentation and displays for the RTS and RCS are designated NSR-AR-SSCs in Chapter 3, Table 3-2.

7.5.1 Description

Below is a list of instruments, indicators, and recorders available to the reactor operator at the control console in MFC-724 (see Figure 7-4 and Table 7-6):

• Startup Instrument Channels - driven from boron trifluoride (BF3) proportional counters. The channels cover a range of 10⁻⁵ W to 1.0 W, and provide log count rate on meters, recorders, and pulse counters; period is displayed on meters.

• Linear Operating Instrument - driven from a compensated ionization chamber. The channel covers a range of 10⁻¹ W to 10⁶ W, and a display of its linear power measurement is provided on a meter and recorder.

• Linear Operating Instrument Range Indicator - provided on a meter and recorder. The range is selectable manually at the reactor control console.

• Steady-State Log/Period Channels - driven from compensated (or uncompensated) ionization chambers and provided on meters and a recorder. These channels cover a range of 10⁻² W to 10⁶ W and provide input to the RTS.

• Steady-State Linear Channels - driven from compensated or uncompensated ionization chambers and displayed on meters and a recorder. These channels cover a range of 1.0 W to 10⁶ W and provide input to the RTS.

• Steady-State Linear Range Indicator - provided on a meter. The range is selectable manually at the reactor control console.

• Transient Linear Power Channels - driven from uncompensated ionization chambers and provided on meters. These channels cover a range of 10⁵ W to 10¹¹ W and provide input to the RTS.

Figure 7-4. Reactor control console.

Table 7-6. Control console component legend.

Tag Description

SW-1 COMPENSATION ROD SELECT

SW-2 COMPENSATION ROD WITHDRAW/INSERT

SW-3 CONTROL ROD SELECT

SW-4 CONTROL ROD WITHDRAW/INSERT

SW-5 TRANSIENT ROD SELECT

SW-6 TRANSIENT ROD WITHDRAW/INSERT

SW-7 INSERT ALL

SW-8 HYDRAULIC PUMP POWER

SW-9 STEADY-STATE LINEAR RANGE SELECT CHANNEL A

SW-10 STEADY-STATE LINEAR RANGE SELECT CHANNEL B

SW-11 LATCH POWER

SW-12 MANUAL SCRAM

SW-13 MANUAL SCRAM

SW-14 RESET

SW-15 HYDRAULIC PUMP SELECT

SW-16 TRANSIENT START

SW-17 REACTOR MODE

SW-18 LINEAR INSTRUMENT RANGE SELECT

SW-19 BF3 HI VOLTAGE ON/OFF CHAN A

SW-20 HYDRAULIC PUMP EMERGENCY STOP

SW-21 BF3 HI VOLTAGE ON/OFF CHAN B

SW-22 ANNUNCIATOR ALARM SWITCHES

SW-24 CORE TEMPERATURE SELECT (FUEL TEMP A)

SW-25 CORE TEMPERATURE SELECT (FUEL TEMP B)

SW-26 BUILDING VENTILATION ON/OFF

SW-27 BLOWER 201 START/STOP

SW-28 BYPASS VALVE CONTROL OPEN/CLOSE & MANUAL/AUTO

SW-29 BLOWER 202 START/STOP

SW-30 FILTRATION/COOLING SYSTEM ALARM PANEL POWER

SW-31 MAIN ALARM PANEL POWER

SW-32 PERIOD TIMER START/STOP

SW-33 TIME CONSTANT SELECT--STARTUP COUNTER A

SW-34 TIME CONSTANT SELECT--STARTUP COUNTER B

B-1 REACTOR DIFFERENTIAL TEMPERATURE and COOLING AIR FLOW RECORDER

B-2 EMPTY SPACE FOR FUTURE USE

B-3 REACTOR OUT TEMPERATURE (DIGITAL)

B-4 REACTOR OUT PRESSURE (DIGITAL)

B-5 REACTOR DIFFERENTIAL TEMPERATURE (DIGITAL)

B-6 TOTAL AIR FLOW

B-7 REACTOR INLET TEMP.

B-8 HEPA IN TEMP.

B-9 F/C ALARM LAMP NETWORK

C-1 CLOCK (DIGITAL)

C-2 PERIOD TIMER (DIGITAL)

C-3 LCR CHAN A

C-4 STARTUP PERIOD CHAN A

C-5 STARTUP COUNTER A (DIGITAL)

C-6 LCR CHAN B

C-7 STARTUP PERIOD CHAN B

C-8 STARTUP COUNTER B (DIGITAL)

C-9 CORE MIMIC

C-10 COMP. ROD POS. IND (DIGITAL)

C-11 SELECTED ROD - COMP.

C-12 LINEAR OPERATING INST.

C-13 CONTROL ROD POS IND.

C-14 CONTROL ROD POS IND. (DIGITAL)

C-15 SELECTED ROD - CONTROL

C-16 DIS LINEAR RECORDER

C-17 TRANSIENT ROD POS IND.

C-18 TRANSIENT ROD POS IND. (DIGITAL)

C-19 SELECTED ROD-TRANSIENT

C-20 LINEAR INST. RANGE (DIGITAL)

C-21 CORE FUEL TEMP. A (DIGITAL)

C-22 CORE FUEL TEMP. B (DIGITAL)

C-23 LOG PWR. S.S. CHAN A

C-24 PERIOD S.S. CHAN A

C-25 LIN POWER S.S. CHAN A

C-26 LIN PWR RANGE S.S. CH A (DIGITAL)

C-27 LOG POWER S.S. CHAN B

C-28 PERIOD S.S. CHAN B

C-29 LIN POWER S.S. CHAN B

C-30 LIN PWR RANGE S.S. CH B (DIGITAL)

C-31 TREAT INTERNAL TELEPHONE (P.A.)

E-1 FUEL TEMPERATURE RECORDER

E-2 LOG/PERIOD S.S. RECORDER

E-3 START UP COUNTER RECORDER

E-4 COUNTER TIMER POWER SUPPLY

E-5 ROD SELECT LOGIC POWER SUPPLY

F-1 VIDEO EQUALIZATION AMPLIFIERS

F-2 TRANSIENT LIN PWR CHAN A

F-3 TRANSIENT LOG PWR CHAN A

F-4 TRANSIENT PERIOD CHAN A

F-5 TRANSIENT LIN PWR CHAN B

F-6 TRANSIENT LOG PWR CHAN B

F-7 TRANSIENT PERIOD CHAN B

F-8 TRANSIENT LIN PWR CHAN C

F-9 TRANSIENT LOG PWR CHAN C

F-10 TRANSIENT PERIOD CHAN C

F-11 TRANSIENT ELAPSED TIME COUNTER (DIGITAL)

F-12 COMPUTER DISPLAY TERMINAL

F-13 TRANSIENT CONTROL PANEL

F-14 COMPUTER KEYBOARD

• Transient Log/Period Channels - driven from uncompensated ionization chambers and displayed on meters. These channels cover a range of 10³ W to 10¹¹ W and provide input to the RTS. Period ranges are from infinity to 2000/200/20 ms.

• Transient Energy Channels - driven from uncompensated ionization chambers and available to a high-speed visicorder. These channels cover a range of 10³ W to 10¹¹ W, and provide input to the RTS.

• Compensation Rod Drive Position Indicator - displays one selected rod-drive position on a digital panel meter. The compensation rod drive group selector switch, provided on the control console, selects one of the four rod drives for display.

• Control Rod Drive Position Indicator - provided on bar graphs and a digital panel meter. All four rod-drive positions are displayed continuously on the bar graphs; one selected rod drive is displayed on the digital panel meter. The control/shutdown rod drive group selector switch, provided on the reactor console, selects any one of the four rod drives for this display.

• Transient Rod Drive Position Indicator - provided on bar graphs and a digital panel meter. All four rod drives are displayed continually on the bar graphs; one selected rod drive is displayed on the digital panel meter. The transient rod drive group selector switch, provided on the reactor console, selects any one of the four rod drives for this display.

• Rod Full-In Indicators - provided at a core “mimic” panel of the control room console. Limit switches at each rod engage and provide contact closure, turning on lights as each rod is fully inserted into the core.

• Drive Full-Out Indicator - provided at a core “mimic” panel of the control room console. Limit switches engage and provide contact closure, turning on lights as each control/shutdown and compensation rod drive is fully withdrawn.

• Rod Latched Indicators - provided at a core “mimic” panel of the control room console to indicate that drive motor and rod are latched together. Limit switches engage and provide contact closure, turning on lights as each latch is made for the control/shutdown and compensation rod systems.

• Selected Rod Indicators - provided in each of the three rod groups to indicate which rod has been selected for operation and digital display of its position.

• Core Temperature Indicators - provided on meters and a recorder. Each input channel receives thermocouple information from four fuel thermocouples. Information about the core fuel temperature is conveyed to the reactor operator in the control room. These channels provide input to the RTS.

• Annunciator Panel - provided through audible and visual displays.

• Annunciator Control Switches - comprised of acknowledge, reset, and test buttons. When an off-normal condition is annunciated, the reactor operator must acknowledge this fact. When an off-normal condition returns to normal, the operator must reset the associated annunciator. A test button is provided for testing the audio and visual alarms.

• Reactor Mode Select Switch - used to select from four modes of reactor operation: simulated transient, test, steady-state, or transient enable.

• Transient Start Switch - begins the transient when the computers have determined that all systems are in a “ready” condition.

• Latch Control Power Switch - engages selected rod latches, depending on which reactor mode-select switch setting has been selected, and whether the RTS has been reset.

• Hydraulic Pump Power Switch - delivers power to the hydraulic pump systems through permissive interlocks, depending on the reactor mode-select switch setting.

• Manual Scram Switch - provided at the control console and the transient control chassis to scram the reactor manually.

• Rod Select Switches - provided at the reactor console for each of the three rod groups. These switches allow the operator to select the rod to be moved. Interlocks prevent withdrawal of more than one rod at a time during manual operation. By placing the selector switch for each group in the “ALL” position, all rods in each group can be inserted at the same time whenever the “INSERT ALL” switch is depressed.

• Rod Withdraw/Insert Switch - provided for each group of rods. These switches allow withdraw/insert functions for the rod selected. Interlocks prevent withdrawal of more than one rod at a time during manual operation. However, one rod may be withdrawn while another is being inserted simultaneously from a different rod group. That is, a transient rod and a control rod can be manually run in opposite directions at the same time if desired.

• Master Runback-Insert All Switch - inserts the rods selected by the rod selector switches. To insert all rods at the same time, selector switches are first turned to the “ALL” position, and then the master runback switch is pressed to the “INSERT ALL” position. The master runback switch will only drive the pneumatic control rod drives in as a group. The transient control rod drives must be inserted using the transient control rod selector switch and the transient control rod drive insert/withdraw switch.

• BF3 Voltages On/Off Switch - turns the voltage on or off to the startup channel proportional counters. Voltage is normally removed to prevent degradation of these chambers in high neutron flux levels.

• Operating Range Selector Switches - provided for the linear operating instrument channel and for both steady-state linear channels. These manually operated devices may be switched to keep pace with the changing reactor power during startup and steady-state operations.

• Core Temperature Select Switches - select the output from one RTS thermocouple from each of the A and B channels for display on a digital panel meter.

• Manual Reset Switch - provides a reset signal to all RTS chassis (trips will clear only if all trip conditions have been satisfied) and to the reactor control system.

• Reactor Public Address Control Switch - provides control room communications to the Reactor Building for operations and emergencies.

• The reactor F/CS display and control panel is described in Section 7.7.1.

• The weather display instruments are described in Section 7.1.1.

• The experiment display and controls are described in Section 7.7.2.

• The radiation monitoring instruments are described in Section 7.7.3.

Instrumentation and Control Room: The I&C room is located in the Reactor Building. The following channels, the dedicated microprocessor tester (DMT), and other systems are rack mounted in this room as shown in Figure 7-5. Electronic equipment status displays are available on local indicating meters mounted on the individual units of the RTS, reactivity control system, ARCS, and MRCS located in the I&C room.

• RTS Transient Linear Channels

• RTS Transient Energy Channels

• RTS Transient Log/Period Channels

• RTS Steady-State Linear Channels

• RTS Steady-State Log/Period Channels

• ARCS Linear Channel

• ARCS Log/Period Channel

• RTS Fuel Temperature Channels

• DMT Analog Pressure Channels

• RTS Pressure Switch Channels

• DIS/MRCS Log CRM/Period Channel B

• RTS Transient Input Trip Logic Channels

• RTS Steady-State Input Trip Channels

• RTS Output Trip Logic Channels

• RTS Actuator Interface Channel

• RTS Seismic Switch Channels

• Automatic Reactor Control System

• Control Rod Interlock System

• Transient Rod Control System.

7.5.2 Analysis

The SR and NSR-AR display instrumentation is integrated into the RCS. See Section 7.6.2 for the functional and design analysis that demonstrates that the reactor operator has information to perform the required safety and normal operation functions.

Figure 7-5. I&C room layout.

7.6 Non-Safety-Related with Augmented Requirements Instrumentation Systems

7.6.1 Reactor Control System Description

The reactor control system (RCS) provides the information and control functions necessary to (1) manually start up the reactor from a shutdown state, (2) conduct operations and irradiate experiments in both steady-state and transient modes, (3) shut down the reactor either manually or automatically, and (4) maintain indication that the reactor is in a safe shutdown condition during the removal of test or calibration apparatus from the reactor, refueling, and control rod maintenance. The RCS is further described in “TREAT Component Design Description for Reactor Control System” (ANL 1982a). The RCS consists of the MRCS, ARCS, and Control Rod Interlock System (CRIS) as shown in Figure 7-1. It interfaces with the following systems:

• Reactivity control system (as described in Section 7.3). All requests for rod motion other than scram commands come from the RCS.

• Reactor trip system (RTS, as described in Section 7.1.1.4). The RCS may issue scram requests to the reactor trip system.

• Experiment support system (data acquisition system, hodoscope, and loop support systems as described in Section 7.7.2) to provide well-coordinated experiments.

The MRCS sends rod position demands to the RCS to control reactor power during reactor startup, steady-state, and shutdown operations. The ARCS provides computer-generated commands to the transient rod control system to control the reactivity of the reactor during the transient mode of operation. The ARCS is disabled except during the transient mode of operation. The CRIS is an additional level of electronic logic between all manual nonscram requests for rod motion in the RCS and the rod drive mechanisms. The interlock system minimizes the probability that the consequence of an operator error or equipment malfunction will require intercession by the RTS.

Any RCS rod position demands are overridden by a scram initiated by the RTS (see Section 7.1.1.4). In addition, reactor power and core temperature information is conveyed to the reactor control room by the DIS (see Section 7.6.3).

7.6.1.1 Manual Reactor Control System. The MRCS is a conventional, hardwired control system. It contains no preprogrammed controllers. This system is located in the Control Building (MFC-724). Signals are conveyed to and from the console by dedicated buried cables connecting the Reactor Building and the Control Building.

The MRCS (Figure 7-6) comprises the various instruments and manually operated controls. The number, type, and power range coverage of the instruments are presented in Figure 7-3. The manual controls are discussed in the “TREAT Component Design Description for Reactor Control System” (ANL 1982a). The reactor operator uses the MRCS to issue rod motion requests via the CRIS to control the reactivity of the reactor during manual startup, steady-state, and shutdown operations. To support the console operator, control rod position indicators provide full-out, full-in, intermediate position, and latch information for each control rod and rod drive mechanism of the reactivity control system. The information is provided to the operator’s console, the CRIS, and the ARCS.

Figure 7-6. Manual reactor control system.

7.6.1.2 Automatic Reactor Control System. The ARCS is located in the Reactor Building. The system is contained in three relay racks located along the south wall of the I&C room. This distributed microprocessor network employs modular construction using commercially available modules and industrial enclosures. The ARCS distributed computer network incorporates microprocessor board-level functions. The board-level functions communicate within a network using the IEEE 796 Multibus backplane and/or the RS-232 serial communication standard.

The ARCS directs the movement of the transient rods to provide computer control for the reactor during shaped transient and natural burst operations. The transient start command is enabled under key lock administrative control. With the reactor in transient mode, high speed reactivity addition by the transient control rods is enabled, and the reactivity of the reactor is controlled by a microprocessor control system located in the Reactor Building. Figure 7-7 shows the configuration of the ARCS. The ARCS provides two forms of control of the transient rod drives: (1) open-loop control, in which the transient rods are moved according to a preprogrammed rod position sequence; and (2) closed-loop control, in which the transient rods are moved in response to feedback measurements of reactor power, period and log power, and software-generated integrated power (energy), to produce a specified power burst shape. Figure 7-3 shows the types and ranges of the nuclear instrumentation provided for the ARCS.

In addition, the ARCS, by virtue of its monitor computer, provides the first line of defense against an off-normal excursion during the production of a specified transient. Finally, the ARCS can operate with simulators to simulate key plant elements so that mock transients can be produced without operation of the reactor. This simulation feature is helpful during software development. It allows a test environment close to conditions existing during actual reactor operation. The simulation feature facilitates the development and qualification of transient-specific instruction sets. A more detailed description of the ARCS and the simulators in the distributed computer network is provided in “User’s Manual for the TREAT Automatic Reactor Control System” (ANL 1992b).

7.6.1.3 Control Rod Interlock System. The CRIS is a conventional, hardwired, combinational logic system located in the Reactor Building. This system is contained in a single relay rack adjacent to the three relay racks enclosing the ARCS. The system receives control rod motion requests from the control console via dedicated buried signal lines between the Reactor Building and the Control Building. After interlock criteria are imposed on these requests, they are passed on to the control rod drive motive power systems.

The CRIS provides all the discrete logic control functions required to operate the control rod drives in the startup, steady-state, and transient modes. The system minimizes the probability that an operator error or equipment malfunction will require intercession by the RTS. The system also contains status and alarm monitoring to provide operational information to the control room for operator interaction. The CRIS limits reactivity insertion rates by restricting the MRCS to one-drive-at-a-time control rod withdrawals (does not apply to rod insertions); allows high-speed transient rod motion by the ARCS (only if the elements of that system report a “ready for transient” profile); and can be overridden by the RTS.

The reactor operator interfaces with the CRIS through the manual control switches of the MRCS and also with the ARCS. The manual control rod drive control switches are identified as SW-1 through SW-7 in Figure 7-4 and Table 7-6. A more detailed description of the control rod operation through the MRCS and CRIS is provided in “TREAT Component Design Description for Reactor Control System” (ANL 1982a).
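The interlock rules stated for the CRIS and for the rod select, withdraw/insert, and INSERT ALL switches can be expressed as a stateless function of the current inputs. The Python below is an added illustration, not the CRIS logic itself or any code from the TREAT project; the selector labels, the command strings, the rule that all withdrawals are denied when more than one is requested, and the priority given to INSERT ALL are assumptions.

```python
"""Combinational model of the rod-motion interlock rules."""
from dataclasses import dataclass

GROUPS = ("compensation", "control", "transient")
PNEUMATIC_GROUPS = ("compensation", "control")   # groups driven by INSERT ALL
POSITIONS = ("1", "2", "3", "4", "ALL")          # selector labels are assumed
MOTIONS = ("none", "withdraw", "insert")


@dataclass(frozen=True)
class GroupRequest:
    """Console switch state for one rod group (constructed structure)."""
    selected: str = "1"
    motion: str = "none"

    def __post_init__(self):
        if self.selected not in POSITIONS or self.motion not in MOTIONS:
            raise ValueError(f"invalid switch state: {self!r}")


def evaluate(requests, insert_all=False, scram=False,
             arcs_request=False, ready_for_transient=False):
    """Return (commands, arcs_enabled) for one set of inputs.

    commands maps each group to "hold", "scram", "insert <pos>" or
    "withdraw <pos>". No state is kept between calls: the output depends
    only on the current inputs, as in combinational logic.
    """
    if scram:
        # An RTS scram overrides every rod position demand and the ARCS.
        return {group: "scram" for group in GROUPS}, False

    state = {group: requests.get(group, GroupRequest()) for group in GROUPS}
    commands = {group: "hold" for group in GROUPS}

    # Insertions are never limited by the one-at-a-time rule.
    for group, req in state.items():
        if req.motion == "insert":
            commands[group] = f"insert {req.selected}"

    # Withdrawal: exactly one request, naming exactly one rod, is passed on.
    # Denying every request when several arrive is this example's assumption.
    withdrawals = [g for g, req in state.items() if req.motion == "withdraw"]
    if len(withdrawals) == 1 and state[withdrawals[0]].selected != "ALL":
        group = withdrawals[0]
        commands[group] = f"withdraw {state[group].selected}"

    # INSERT ALL drives only the pneumatic groups whose selector is on ALL.
    # Letting it take priority over that group's own switch is an assumption.
    if insert_all:
        for group in PNEUMATIC_GROUPS:
            if state[group].selected == "ALL":
                commands[group] = "insert ALL"

    # High-speed ARCS motion needs the "ready for transient" report.
    arcs_enabled = arcs_request and ready_for_transient
    return commands, arcs_enabled


if __name__ == "__main__":
    # Constructed request: withdraw a transient rod while inserting a control rod.
    print(evaluate({"transient": GroupRequest("1", "withdraw"),
                    "control": GroupRequest("3", "insert")}))
```
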

Figure 7-7. Automatic reactor control system block diagram.

7.6.1.4 Design Bases.

7.6.1.4.1 Functions—The functions of the RCS are to (a) start up the reactor from a shutdown state; (b) conduct test operations and irradiate experiments in both steady-state and transient modes; (c) shut down the reactor either manually or automatically at the attainment of predetermined but variable power levels, transient energy release, or time period; and (d) maintain indication that the reactor is in a safe shutdown condition during the removal of test or calibration apparatus from the reactor and during refueling, reactor maintenance, and control rod maintenance. These functions are provided by the three systems defined below.

Manual Reactor Control System: The MRCS provides the instrumentation and manually operated controls to (a) bring the reactor from a shutdown condition to initial criticality; (b) operate the reactor at low-power, steady-state condition, up to 120 kW (typical), for neutron radiography, fuel-pin and flux-monitor irradiation, reactor-power measurements, and similar operations; (c) move the transient and control/shutdown rods to the pretransient positions required for transient operation; and (d) manually bring the reactor to a safe shutdown condition.

Automatic Reactor Control System: The ARCS provides both open- and closed-loop computer control of reactor power to achieve, respectively, transients which (a) are initiated by a step insertion of reactivity, and are terminated when a predetermined reactor period, power, energy release, or time interval has been realized; or (b) follow a predetermined time and power or period profile, and are terminated when a predetermined experiment parameter, reactor parameter, or time interval has been realized. Period or power channels may be used to control or terminate the transients. Computer-generated signals and a separate clock are used to terminate the transient.

The transient rods are controlled by both the MRCS and the ARCS. The control/shutdown and compensation/shutdown rods and drives are controlled by the MRCS only. Any RCS rod position command is overridden by a scram command from the RTS.

Control Rod Interlock System: The CRIS stands between the source of all requests for rod motion in the RCS and the rod-drive mechanisms. The system minimizes the probability that an operator error or equipment malfunction will require intercession by the RTS. A scram command from the RTS overrides the CRIS.

7.6.1.4.2 Design Requirements—The RCS design requirements for TREAT are discussed in “TREAT Component Design Description for Reactor Control System” (ANL 1982a). Environmental conditions for the reactor control system are shown in Table 7-7.

Temperature and humidity limits for the various components shall be provided in order that temperature and humidity control room alarms, using sensors in the Reactor Building areas, may be properly set. Subsystem/components must accommodate radiation levels associated with steady-state and transient operations.

7.6.1.4.3 Quality Assurance Requirements—The quality assurance program for the RCS shall be in accordance with the quality assurance procedures outlined in Chapter 17. The quality assurance requirements are determined on the basis of relative importance of components and subsystems for achieving safety and operational performance objectives.

7.6.1.4.4 Codes and Standards—The codes and standards tabulated in Table 7-8 were considered for applicability in the RCS design, as discussed in detail in Section 7.6.2.4 below.

Table 7-7. Environmental conditions at the RCS component locations

| Location | Design Components Affected | Environmental Conditions |
|---|---|---|
| Core (Above Fuel) | Leadout Cabling for Thermocouples | 10–600°C |
| Core | Instrumented Fuel Assemblies, Compensation Rods and Rod Followers, Thermocouples | 10–1220°C |
| Subpile Room | Electric Power & Control, Mech. Hardware | 20–50°C |
| Reactor Building | Power & Control Circuitry & Electronic Hardware | 10–35°C |
| Reactor I&C Room | Electronic Equipment Status Displays, Computer | 15–35°C normally air-conditioned |
| Control Room | Electronic Equipment Control & Status Display | 15–35°C normally air-conditioned |
| Outdoor | Electronic Equipment Power & Control Cabling between Reactor & Control Building (Underground Installation) | -34 to +49°C |
| Nuclear Instrumentation Thimbles | BF3 Counters, Ion Chambers, and Compensated Ion Chamber Cables | 10–100°C |

Table 7-8. RCS codes and standards applicability matrix

Code CRIS MRCS ARCS

IEEE 352 X X

IEEE 500 X X

IEEE/ANSI 730 X

RDT C1-1T X X X

7.6.1.4.5 General Design Criteria—The applicable GDC listed in Chapter 3, Table 3-1, were considered in the RCS design as follows:

GDC-1, Quality and Records: The SAREF Project’s Policy and Procedures Manual applies to all upgraded TREAT activities. In the context of GDC-1, Procedure SD-02, “Engineering and Design Control,” was followed for the control, conduct, and documentation requirements imposed on the reactor control system design and fabrication.

GDC-5, Sharing of Structures, Systems, & Components: The reactor control system shares the reactivity control system with the RTS. The reactor control system interface, however, occurs upstream of the RTS interface. This design feature guarantees an RTS override of the reactor control system whenever the RTS detects the need for protective action. In fact, the RTS must actively assert the fact that it does not require protective action in order for the reactor control system demands to be effective on this shared system.

GDC-6, Design Bases for Experimental Facilities: During the course of following its transient prescription, the reactor control system may accommodate real-time requests from the experiment support system. The reactor control system prescription, however, is certified as an independent and complete specification for the intended reactor transient; requests from the experiment support system will be accepted only if they would act to reduce energy deposition when compared to the prescription.

GDC-10, Reactor Design: The reactor control system has been designed to enable reliable operator and automatic control of the reactor.

GDC-12, Suppression of Reactor Power Oscillations: The reactor kinetics and transient rods have been modeled in the CSMP environment using the physics parameters presented in Chapter 4. The RCS control strategy has been developed against these models and shown to be a stable control system capable of meeting its functional requirements.

GDC-13, Instrumentation and Control: As shown in Figure 7-3, the reactor control system is provided with nuclear instrumentation that is separate from the RTS channels. That figure also shows that the RTS instruments extend one decade above the maximum reactor power level required by the reactor control system to meet the experiment program needs.

GDC-19, Control Room: A control console has been designed which supports all anticipated reactor operations. Included at this console are the DIS readouts, the reactor mode switch, manual scram pushbuttons, and general “balance-of-plant” information. The DIS readouts will remain active following a loss of normal power scram, enabling the operator to witness reactor progress to the shutdown state.

GDC-24, Separation of Protection and Control Systems: As shown in Figure 7-5, the reactor control system equipment is located in a relay rack cluster separate from the RTS rack cluster. The wiring of the two systems is also physically separated. All communication between these two systems is buffered by RTS safety-grade isolation devices. Separate nuclear instrumentation has been provided for the reactor control system.

GDC-25, Protection System Requirements for Reactivity Control Malfunctions: The RTS is designed to scram the reactor upon any single failure of the reactor control system if this failure causes a trip setting to be exceeded.

GDC-27, Automatic Reactor Control System Capability: The spurious trip rate has been found to be acceptable. Normally, a simulated transient will be produced as a prelude to producing the actual transient. This simulated transient will exercise the high-speed transient rods, the effect of the RTS trip set points, and the reactor control system hardware and software. This test is performed without placing the reactor “at risk” due to hardwired interlocks that prevent the reactor from becoming critical. The monitor computer contains algorithms that will detect a nonconforming transient rod or an uncorrelated instrument reading. In addition, the monitor acts as a conservative trip system that is capable of detecting an undesirable condition, in most cases, ahead of the RTS.

Transient Prescription: The transient prescription is required to provide all necessary control actions independently. If the experiment support system-generated setback requests are made, they can act only to reduce the energy that would otherwise have been deposited by the prescription.
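The rule stated under GDC-6 and repeated under Transient Prescription can be enforced structurally, as in this added example (not TREAT software). It assumes a setback request is a power ceiling and/or an early termination time; the profile values and all names are constructed for illustration.

```python
"""Setback handling in which a request can only lower the prescription.

Added example, not TREAT software. The request format (power ceiling and/or
early termination time) and the profile values are assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

Profile = List[Tuple[int, float]]  # (time in ms, power in MW), ascending time

# Constructed prescription: a 1 s burst sampled every 100 ms.
PRESCRIPTION: Profile = list(zip(
    range(0, 1100, 100),
    [0.0, 50.0, 400.0, 1200.0, 2000.0, 1200.0, 400.0, 100.0, 20.0, 5.0, 0.0],
))


@dataclass(frozen=True)
class SetbackRequest:
    at_ms: int                              # arrival time of the request
    power_limit_mw: Optional[float] = None  # requested ceiling on power
    end_ms: Optional[int] = None            # requested early termination


def energy_mj(profile: Profile) -> float:
    """Trapezoidal integral of power over time, in MJ (MW x s)."""
    return sum((p0 + p1) / 2 * (t1 - t0)
               for (t0, p0), (t1, p1) in zip(profile, profile[1:])) / 1000


def is_well_formed(req: SetbackRequest) -> bool:
    """Reject ceilings that are negative, NaN or infinite before any arithmetic."""
    limit = req.power_limit_mw
    if limit is not None and not (math.isfinite(limit) and limit >= 0):
        return False
    return req.power_limit_mw is not None or req.end_ms is not None


def apply_setback(prescription: Profile, req: SetbackRequest) -> Profile:
    """Return the profile to follow after `req`.

    Samples before the request arrived are history and never change. Every
    later sample is min(prescribed, requested), so the result is bounded
    above by the prescription whatever the request contains.
    """
    if not is_well_formed(req):
        return list(prescription)
    out = []
    for t, p in prescription:
        if t >= req.at_ms:
            if req.power_limit_mw is not None:
                p = min(p, req.power_limit_mw)
            if req.end_ms is not None and t >= req.end_ms:
                p = 0.0
        out.append((t, p))
    return out


def never_exceeds(prescription: Profile, result: Profile) -> bool:
    """Pointwise check that implies the energy bound stated in the text."""
    return all(r <= p for (_, p), (_, r) in zip(prescription, result))
```

Because the clamp is applied sample by sample, a malformed or oversized request leaves the prescription unchanged instead of extending it.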

Buffers to External Systems: The reactor control system is electrically protected from any credible failure occurring within an interfacing external system.

Real-Time Simulation Interlocks: The reactor is protected from the presence of the ARCS simulators by hard-wired interlocks. The interlocks, in turn, depend on the position of the reactor mode switch. For the “simulated transient” and “test” switch positions, the simulation cables may be connected to the RTS and ARCS nuclear instruments without generating a static scram. This configuration is permitted because the core cannot become critical owing to the fact that latch power is unconditionally removed from both the control/shutdown and compensation/shutdown rod systems for these same switch positions. On the other hand, when the reactor is or may become critical (“steady-state” or “transient enable” positions), the attachment of one or more simulator cables to a nuclear instrument will result in an immediate scram.
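The interlock described above can be checked exhaustively as a truth table. This added example is not TREAT logic: it models only the four mode-switch positions named in the text, the instrument names are hypothetical, and the weakened rule is a constructed counter-design showing why "one or more" cables must be the trigger.

```python
"""Truth-table model of the real-time simulation interlocks (added example).

Only the four mode-switch positions named in the text are modelled; the
enum, function and instrument names are illustrative, not TREAT identifiers.
"""
from enum import Enum
from itertools import product


class Mode(Enum):
    SIMULATED_TRANSIENT = "simulated transient"
    TEST = "test"
    STEADY_STATE = "steady-state"
    TRANSIENT_ENABLE = "transient enable"


# Positions in which latch power is unconditionally removed from the
# control/shutdown and compensation/shutdown rod systems.
SUBCRITICAL_MODES = {Mode.SIMULATED_TRANSIENT, Mode.TEST}

# Hypothetical set of nuclear instruments that accept a simulator cable.
INSTRUMENTS = ("RTS-A", "RTS-B", "ARCS-1", "ARCS-2")


def latch_power_possible(mode):
    """Rods can be latched, and the core made critical, only in these modes."""
    return mode not in SUBCRITICAL_MODES


def scram_as_designed(mode, attached):
    """Page design: one or more attached cables scram a critical-capable mode."""
    return latch_power_possible(mode) and len(attached) >= 1


def scram_weakened(mode, attached):
    """Constructed counter-design: scram only when every instrument is cabled."""
    return latch_power_possible(mode) and len(attached) == len(INSTRUMENTS)


def find_violations(scram_rule):
    """Enumerate every mode and cable combination; return the unsafe states.

    Unsafe means a simulator feeds at least one instrument while the rods
    could be latched and no scram has been demanded.
    """
    violations = []
    for mode in Mode:
        for flags in product((False, True), repeat=len(INSTRUMENTS)):
            attached = frozenset(n for n, f in zip(INSTRUMENTS, flags) if f)
            unsafe = (bool(attached) and latch_power_possible(mode)
                      and not scram_rule(mode, attached))
            if unsafe:
                violations.append((mode, attached))
    return violations


def simulation_permitted(mode, attached, scram_rule=scram_as_designed):
    """True when simulator cables may stay connected without a static scram."""
    return bool(attached) and not scram_rule(mode, attached)
```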

Rod Scram Diagnosis: To help identify trend lines toward nonconformance, the ARCS measures the transit time of each rod as it responds to the RTS “scram command,” which terminates every transient operation.

7.6.1.4.6 Reliability Requirements—The RCS design in general shall be adequately reliable against random failures and external single events. Disciplined engineering analyses shall be documented as part of the design. These shall include consideration of means to minimize failures that could ruin equipment or place a too-frequent trip demand on the RTS.

Transient Operation: The ARCS is operational during reactor transient operation. This system, which must operate reliably to accomplish experiment requirements and to minimize RTS challenges, contains two basic subsystems:

• Process Control. This element shall control the plant process so as to produce the prescribed transient profile. This subsystem shall operate with a hardware reliability of ≥0.999/transient.

• Monitor. This element shall monitor the plant process for prescribed transient milestone conformance, and intercede so as to limit the consequence of an ARCS process control failure. It shall operate with a hardware reliability of ≥0.999/transient.

To enhance software reliability, the ARCS shall provide separate elements that support real-time simulation of both the transient rod system and reactor kinetics. These simulation elements shall be implemented so that their presence is transparent to both the monitor and the control elements. The simulator elements shall provide the basis for qualification of transient production software.

Steady-State Operation: The MRCS is operational during steady-state reactor operations. The reactor operator is the essential control element.

7.6.2 Reactor Control System Analysis

7.6.2.1 Functional Adequacy. Explicit kinetics analyses using best-estimate reactor parameters have shown that the required transients could be produced in TREAT, and have established the reactivity insertion rate and total reactivity insertion requirement necessary to produce each of these transients. This information was used in the design of the ARCS that drives the transient rods to produce the desired transient shapes.

7.6.2.2 Design Adequacy. The three main subsystems of the RCS provide the systems needed to fulfill the design requirements as discussed in the following sections.

Manual Reactor Control System: The MRCS provides the operator enough instrument displays, manually operated controls, and drive interlocks to (a) bring the reactor from a shutdown condition to initial criticality; (b) operate the reactor at low-power steady-state condition, up to 120 kW (typical), for neutron radiography, fuel pin and flux monitor irradiation, reactor power measurements, and similar operations; (c) move the transient and shutdown rods to the pretransient positions required for transient operation; (d) manually shut down the reactor to a safe shutdown condition; and (e) position the compensation/shutdown rods and the control/shutdown rods during reactor startup and shutdown as required.

Automatic Reactor Control System: The ARCS is used to direct the movement of the transient rods to produce reactor transients in accordance with a prestored transient prescription. It includes a process control computer that produces the prescribed power-vs-time trajectory by commands to the transient rod controllers, and a process monitor computer that checks the performance of the control computer and system hardware. Upon sensing an undesired condition, the process monitor issues a scram request to the reactor trip system of the plant protection system. Figure 7-7 shows the real-time transient rod and reactor simulators that verify there are no hardware failures or software errors in the control and monitor computers before initiation of a transient. The ARCS can be operated with both simulators in the loop, or with the actual transient rod systems providing position inputs to the reactor simulator. During the simulations, the reactor is kept subcritical by maintaining the full insertion of the control/shutdown and compensation/shutdown rods. The output of the reactor simulator is used to generate simulated ion-chamber currents at the input of the measurement channels.

Control Rod Interlock System: The CRIS provides all the discrete logic control functions required to operate the reactor control rod drives in the startup, steady-state, and transient modes. The system also contains all status/alarm monitoring devices required to support the operation of the discrete logic control features, and to provide operational information to the TREAT control room for operator interaction.

The CRIS has been designed to stand between the source of all manual requests for rod motion in the RCS and the rod-drive mechanisms. The system minimizes the probability that the consequence of an operator error or equipment malfunction will cause intercession by the RTS. This is done by limiting reactivity insertion rates, by restricting the MRCS to single and sequential control rod withdrawals, by allowing high-speed transient rod motion by the ARCS only if the elements of that system report a “ready for transient” profile, and by being overridden by the RTS.

The normal power system is the only source of ac power for the interlock system. This source also supplies the rod drives through separate motor starter networks. A failure of this power source will prevent any movement of the rod drives by the RCS (but does not preclude scram/insertion by the RTS).

The interlock system senses those conditions necessary for rod movement, and depending upon the conditions sensed, may inhibit rod movement. Diverse circuitry is provided to sense four conditions: withdraw enable, manual command, transient enable, and no-fault diagnosed in the control logic. The indicated conditions are combined in logic circuits to prevent outward movement of more than one rod drive at a time in the manual mode.

Compensation/Shutdown and Control/Shutdown Interlocks: For the compensation/shutdown and control/shutdown control rod drives, the CRIS interfaces with the reactivity control system at the appropriate motor starter. The interlock design requires coincident assertion of two enabling terms at this interface to energize the motor starter. The logical criteria imposed on an operator request for rod-drive motion are depicted in Figure 7-8.

Figure 7-8. Rod motion interlocks flowchart.

Transient Rod Interlocks: A similar MRCS interlock design exists for the transient rod system. However, because this system must respond to computer commands from the ARCS, as well as operator commands from the MRCS, additional logic circuits are provided by the CRIS.

As shown in Figure 7-9, a valid operator request for transient rod motion results in changing a position demand counter. This digital count is converted to its equivalent analog value, and applied to a difference detecting amplifier for comparison with the measured position of the subject transient rod. The output of the difference amplifier is then a proportional position error signal, and is applied to one input of a summing amplifier. The remaining input of this amplifier is connected to the control computer position demand port for the subject transient rod. This signal is also an error signal based either on nuclear (closed-loop) or rod position (open-loop) feedback as determined by the transient specification.

The summing amplifier, together with the solid-state switch programming of its input lines, provides the functional equivalent of a mutually exclusive analog “OR” gate. The logic criteria developed for determining the state of these switches are premised on logic failures resulting in the application of a default selection of the position demand counter (MRCS) error source to the summing amplifier. This feature represents a fail-safe condition since the position demand counters contain, throughout the transient, those values that provided the 50-W reactor power level from which transients typically begin.
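The fail-safe default described in the two paragraphs above can be seen in a small simulation. This is an added example, not the TREAT circuit: the gain, positions and demand ramp are constructed, and the three enabling terms are an assumed simplification of the switch logic.

```python
"""Fail-safe error-source selection for one transient rod (added example).

Models the difference amplifier, the summing amplifier and its input
switches described above. Gains, positions and the demand ramp are
constructed values; names are illustrative, not TREAT identifiers.
"""
from dataclasses import dataclass
from itertools import product

MRCS = "MRCS position demand counter"
ARCS = "ARCS control computer"


def select_source(arcs_requested, ready_for_transient, logic_healthy):
    """Exactly one error source reaches the summing amplifier.

    The computer port is connected only when every enabling term is present;
    any missing term or diagnosed logic failure falls back to the counter.
    """
    if arcs_requested and ready_for_transient and logic_healthy:
        return ARCS
    return MRCS


@dataclass
class TransientRod:
    position: float        # measured rod position (arbitrary units)
    counter_demand: float  # counter value held at the pretransient position
    gain: float = 0.5      # hypothetical proportional gain of the drive loop

    def counter_error(self):
        """Difference amplifier: DAC(counter) minus measured position."""
        return self.counter_demand - self.position

    def step(self, computer_error, arcs_requested, ready, logic_healthy):
        """Apply one control step and report which source drove the rod."""
        source = select_source(arcs_requested, ready, logic_healthy)
        error = computer_error if source == ARCS else self.counter_error()
        self.position += self.gain * error
        return source


def run_transient(fail_at=None, steps=12):
    """Follow a constructed demand ramp; inject a logic failure at `fail_at`."""
    rod = TransientRod(position=10.0, counter_demand=10.0)
    target, trace = 10.0, []
    for k in range(steps):
        target += 2.0                           # computer demand ramp
        healthy = fail_at is None or k < fail_at
        computer_error = target - rod.position  # open-loop (rod position) feedback
        source = rod.step(computer_error, True, True, healthy)
        trace.append((k, source, round(rod.position, 3)))
    return trace


def sources_selecting_arcs():
    """List the input combinations (of eight) that connect the computer port."""
    return [c for c in product((False, True), repeat=3)
            if select_source(*c) == ARCS]
```

With a failure injected at step 4, the trace shows the rod leaving the ramp and settling back at the counter's pretransient value.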

Figure 7-9. Transient rod interlock flowchart.

7.6.2.3 Quality Verification. The control room is designed to provide all information and control devices required for the operator to control the TREAT reactor and the associated systems during startup, steady-state, transient, and shutdown operational modes. The control room is the principal area of activity for reactor operations. During startup and steady-state operations, personnel may be in the Reactor Building; however, there is no requirement, nor are systems or equipment provided, for these personnel to control or manipulate the reactor and the associated systems (other than to initiate manual scrams). In accordance with the component design description of the RCS, the control room contains operator interfaces for (1) the MRCS and ARCS, (2) the DIS information displays, (3) the RTS information displays and remote manual scram and reset circuits, and (4) the balance-of-plant systems. Other features to enhance reliability are listed below:

• Two independent computers are used for transient operations and operated under keyswitch control. The control computer produces the prescribed transient and checks the monitor computer. The monitor computer compares the transient against prescribed milestones, aborts a transient if out of acceptable tolerance bands, and terminates a transient at a specific time (via a backup scram).

• Real-time simulations of transient rod motion and core kinetics are used. During simulation, the core is held subcritical by the compensation/shutdown and control/shutdown rods. Simulation studies are conducted of transient rods as moved by the process control computer according to prescription. In addition, simulated or real rod motion is “watched” by the core simulator, which, in response, provides synthesized ion-chamber currents for the RTS and ARCS nuclear instruments. Simulation results are recorded and may be analyzed for correctness (several iterations may be required).

• Simulation elements are transparent to the transient production network. This requirement results in a control system in which the software, once certified under simulated conditions, can be applied without alteration to produce an actual reactor transient.

• History and audit databases record the course of the transient produced and the key control decisions/actions that occur. This feature provides posttransient diagnostic trace data.

7.6.2.4 Conformance to Safety Criteria. There are no Chapter 15 accidents that rely on the RCS for accident mitigation. Therefore, the codes and standards in Table 7-8 are not directly applicable to the RCS design. Nonetheless, the codes and standards listed in Table 7-8 were applied to the RCS design as follows:

IEEE 352-1975, Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems (ANSI/IEEE) and IEEE 500-1978, Reliability Data: Quantitative reliability analysis of the RCS and RTS is referenced in Section 7.7 of this document. The analysis referenced has incorporated the methodology of IEEE 352. Both IEEE 500 and MIL-HDBK 217D, January 1982, were consulted as sources of applicable reliability data (failure rates by generic type).

IEEE/ANSI 730-1981, Standard for Software Quality Assurance Plan: IEEE 730 provided the basis for scheduling the software development cycle as well as defining key milestones that marked the progress of that development. The RCS software development cycle included a software requirement specification, a software verification plan, and software design description.

RDT C1-1T, Instrumentation and Control Equipment Grounding and Shielding Practices, January 1973: This standard provided the basis against which the RCS/plant wiring was designed.

General Design Criteria: The GDC as discussed in Chapter 3, Section 3.1 have been met.

7.6.2.5 Reliability Analysis. The reliability of the RCS is discussed in “TREAT Component Design Description for Reactor Control System” (ANL 1982a).

7.6.3 Dedicated Information System Description

This system contains the nuclear instrument channels associated with reactor startup and steady-state reactor operation. Figure 7-3 identifies these instruments and the power ranges they cover. Indicators and controls for these instruments are located on the reactor control console to support the operator during reactor startup and shutdown operations.

7.6.3.1 System Description. The DIS provides selected core performance information to the control room operator during the startup, steady-state, and shutdown operational modes and provides essential information to the control room immediately following loss of normal power. The DIS features two independent and redundant channels for most information transfer.

The DIS interfaces with the reactor core to report fuel temperatures, control rod positions, and reactor power. The DIS monitors the core by use of dedicated thermocouples, three dedicated neutron flux monitors, and two neutron flux monitors shared with the RTS.

The DIS is located primarily in the Reactor Building and generally consists of two independent and redundant information channels (Channels A and B), which provide information to the control room through redundant interconnecting cables that are kept separated to the fullest extent practicable. Two DIS cabinets are located in the Reactor Building, one in the I&C room, and one in the BAR. Sensors throughout the plant monitor core parameters as well as the F/CS. Redundant DIS readouts in the control room are also kept separated to the fullest extent practicable and are protected from fire propagation by a fire protection system.

Core Neutron Flux and Temperature Channels: The DIS contains two independent and redundant channels of nuclear instrumentation (Channels A and B) to support operator information requirements from the source range up to and including the steady-state range (see Figure 7-10). BF3 startup channels supply both log count rate and period information to the operator in the control room; coverage is provided from source level to approximately 1 W of reactor power. Nuclear information is supplied to the operator via log-period channels and a single linear operating instrument, which overlap the startup range by approximately two decades and provide reactor power information from 0.01 W to approximately 1 MW. They are installed to provide information to the operator regarding the flux levels existing in the core during startup, steady-state, and shutdown operations. The BF3 and linear operating nuclear instrument channels are considered nonsafety-related because any runaway from low power will be terminated by the steady-state RTS channel scrams. The chassis for the Channel A BF3 instrument and the linear operating instrument are located in the BAR. The chassis for the Channel B BF3 instrument is located in the I&C room.

Figure 7-10. DIS block diagram.

The BF3 startup channel consists of circuits to detect and process pulses emanating from a BF3 detector. The signal outputs from this channel (period and log count rate) are transmitted in analog form to the control room through 4 to 20-mA current loops. Meters for both period and log count rate are also provided on the front of the chassis. A pulse circuit is also provided to transmit startup range pulses to a counter located in the control room. The pulse counter circuit will transmit counts from a range of 10 to 10⁶ counts per second. To alert fuel loading personnel to a potential criticality, an audio count speaker is provided in the Reactor Building. The speaker is driven through an audio pulse counter amplifier, which outputs audio pulses proportional to the count rate sensed.

When the BF3 channel reaches the upper limits of the startup range, it is desirable to turn off the high voltage to the BF3 detector, thereby preventing its degradation by high flux fields. A remote high-voltage control switch in the control room enables the operator to de-energize the BF3 high-voltage power supply. When the high-voltage supply is turned off, a status light is actuated in the control room.

The log-period channels and the linear operating instrument operate over a range of 10⁻¹¹ to 10⁻³ A, based on current output from dedicated ion chambers. The 10⁻¹¹ A corresponds to 0.01 W and 10⁻³ A to 1 MW. The log-period channels are also part of the RTS steady-state trip channels. The linear operating instrument contains a remote-control range-select device, by means of which the operator in the control room can adjust the range of the picoammeter in accordance with changing flux levels in the reactor. The range-select circuits provide direct confirmation feedback to the control room by indicating the range the operator has selected and on which range the linear operating instrument is operating. The linear operating instrument provides no protective function for the reactor other than to furnish the operator with an accurate source of power-level information.

Each DIS channel monitors core fuel temperature through four thermocouples shared with the RTS. Temperature signals are transmitted to control room analog indicators and present the temperature information on digital display modules. A strip chart recorder records the information whenever standby power is available. The DIS contains channels to monitor coolant flow, pressure, and temperature conditions associated with the reactor F/CS (see Section 7.7.1). Signals from a flowmeter, a pressure sensor, and RTDs installed in the core exit ducts are processed by DIS signal conditioning equipment. Information signals of 4 to 20-mA are transmitted via cables to the control room display indicators and may be recorded at the plant operator’s discretion. Also provided are high-level alarms on coolant outlet temperature and a low-level alarm on core flow. Should the core temperature or flow vary outside the accepted conditions, the alarm will provide alarm information via the control room alarm panel. The control room alarms are not available on loss of normal power. The DIS also provides the operator with status information on the operation of the two F/CS blowers.

In steady-state operation, the core cooling differential temperature is provided to the control room to support heat balance evaluations. The differential temperature signal is transmitted to the control room and is recorded on the differential temperature recorder. The differential temperature recording capability is not available upon loss of the standby power source since the recorder is not powered by the UPS; however, the indication is still available.

Power Supplies: Each channel of DIS-A and DIS-B is powered from either standby power or normal power. Standby power is used for the Channel A reactor control system and RTS channels located in RTS Group A, the DIS rack located in the BAR, and F/CS train two. The normal power supply is used to power functionally similar equipment located in RTS Group B racks, the I&C room DIS rack, and F/CS train one (see Figure 7-10). The control room DIS instruments are powered by standby power with provisions for manual transfer to the control room normal power feeder.

The DIS control room displays will be available to the reactor operator following an outage of normal power. Because DIS-A is also backed up by the standby power bus, operation of this channel can be extended as long as the standby power generator is fueled and operating. Fuel is pumped from a tank to the standby generator day tank with a pump on the standby power bus. The electric power systems for the F/CS instrumentation are described in detail in Chapter 8.

Control Room Interfaces: The DIS information displays in the control room are powered directly by electrical current loop signals. The recorders are powered by the standby power bus. The DIS operator control switches are also operational upon the loss of normal power, based on the design requirements established for the DIS. See Table 7-9 for the types of information provided to the control room operator.

Table 7-9. DIS control room information.

| System | Information | Channel (A B) |
|---|---|---|
| DIS | Log CRM/Period Startup | X X |
| | Linear Operating Instrument | X |
| RTS | Steady-State Log-Power/Period | X X |
| | Core Fuel Temperature | X X |
| F/CS | Stack Radiation indicator Alarm | X |
| | Coolant Temperature - Core Inlet | X |
| | Coolant Temperature - Core Outlet Alarm | X |
| | Coolant Temperature - Core Outlet | X |
| | Delta-T Coolant Across Core | X |
| | Coolant Temperature - HEPA Filter Inlet | X |
| | Coolant Temperature - HEPA Filter Inlet | X |
| | Alarms | |
| | Blower Status | X X |
| | Coolant Flow | X |
| | Blower Vibration | X X |
| TR | Transient Rod Position - Full Down Indication Light | 1 (for each rod drive) |
| CR | Compensation Shutdown Rod Position - Full Down Indication Light | 1 (for each rod drive) |
| | - Latch Separation Indication Light | 1 (for each rod drive) |
| | - Drive Motor Actuator Full Up Indication Light | 1 (for each rod drive) |
| | - Control Rod Position Instrumentation | 1 (for each rod drive) |
| CSR | Control Shutdown Rod Position - Full Down Indication Light | 1 (for each rod drive) |
| | - Latch Separation Indication Light | 1 (for each rod drive) |
| | - Drive Motor Actuator Full Up Indication Light | 1 (for each rod drive) |
| | - Control Rod Position Instrumentation | 1 (for each rod drive) |

These switch networks--which include the bistable and alarm reset switch, linear operating instrument range select switch (Channel A only), and BF3 high-voltage cutoff switch--are powered from their respective DIS channels. The bistable and alarm reset switch enables the operator to reset, from remote range, the fault alarms on the reactor nuclear instrumentation.

Interfaces: The DIS interfaces with the RTS, F/CS, Transient Rods, Compensation Rods, and Control/Shutdown Rods.

• RTS – steady-state log/period channels.

• F/CS – all major information systems of the F/CS are powered from the DIS.

Calibration and Test Features: Calibrations of the RTS, RCS, and F/CS components associated with the DIS are described in RTS Design Description User’s Manual (ANL 1984a), “TREAT Upgrade Component Design Description for Reactivity Control System” (ANL 1992a), and “Component Design Description for Reactor Filtration/Cooling System” (ANL 1992c).

7.6.3.2 Design Bases.

7.6.3.2.1 Functions—The DIS supports normal startup, steady-state, and shutdown operations, and provides critical information to the control room under abnormal plant conditions.

7.6.3.2.2 Design Requirements—The DIS design requirements for TREAT are discussed in “TREAT Component Design Description for Reactor Control System” (ANL 1982a). Environmental conditions for the DIS are the same as for the RCS shown in Table 7-7.

7.6.3.2.3 Quality Assurance Requirements—The quality assurance program for the DIS shall be in accordance with the quality assurance procedures outlined in Chapter 17. The quality assurance requirements are determined on the basis of relative importance of components and subsystems for achieving safety and operational performance objectives.

7.6.3.2.4 Codes and Standards—The codes and standards listed in Table 7-10 were considered for applicability in the design of the DIS, as described in detail in Section 7.6.4.4 below.

Table 7-10. DIS codes and standards.

| Number | Title |
|---|---|
| IEEE 379 | Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Class 1E Systems (ANSI/IEEE) |
| IEEE 384 | Standard Criteria for Independence of Class 1E Equipment and Circuits |
| IEEE 497 | Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations |
| ANSI N45.2 | Quality Assurance Program Requirements for Nuclear Facilities |
| | National Electrical Code |
| | National Electrical Manufacturers Association |
| | Underwriters Laboratories Standards for Approved Materials |
| | Uniform Building Code |

7.6.3.2.5 General Design Criteria—The applicable GDC listed in Chapter 3, Table 3-1 were considered in the RTS design as follows:

GDC-1, Quality Standards and Records: The DIS design was conducted in accordance with SAREF Projects Procedure SQ-01 which provides quality assurance program requirements.

GDC-2, Design Bases for Protection Against Natural Phenomena: The DIS is designed with independent, redundant, separated channels, thus minimizing the effects of natural phenomena to readout/controls in the control room. The control room instruments have line-surge protection from lightning strikes.

GDC-3, Fire Protection: The DIS has separated cables and two chassis contained in two separated rooms (areas), thus minimizing the effects of fire disabling this system. Each area is equipped with fire suppression equipment; noncombustible materials are used in the construction of these systems. Those elements of the F/CS that are considered as part of the DIS are separated as much as possible to minimize effects of fire.

GDC-4, Environmental and Missile Design Bases: The DIS is contained in two separated rooms (areas) thus minimizing the effects of missiles, pipe whipping, or discharging fluids, etc., to disable this system and therefore prevent readout/control at the control room. The elements of the F/CS that are considered as part of the DIS are separated as much as possible to minimize effects of missiles, pipe whipping, or discharging fluids. The UPS is redundant and separated.

GDC-5, Sharing of Structures, Systems, and Components: Part of the DIS is shared by the RTS. These systems are the steady-state log/period channels and the fuel temperature channels. These systems, however, are suitably buffered through isolation devices so that failure within the DIS will not prevent either of these systems from affecting the functions of the other.

GDC-13, Instrumentation and Control: The DIS provides instrumentation for core nuclear and temperature parameters and both instrumentation and control for the filtration/cooling systems. These systems monitor and control normal operation as well as anticipated operational upset conditions.

GDC-18, Inspection and Testing of Electric Power Systems: The DIS construction contains many junction boxes and terminal strips readily available for periodic inspection. The systems have the capability for periodic testing.

GDC-19, Control Room: A remotely located control room is provided and contains DIS instruments, which monitor nuclear and fuel temperature channels. Monitoring and control instruments are also provided for the F/CS in the control room.

GDC-64, Monitoring Radioactive Releases: A stack gamma monitor is provided and is considered part of the DIS. In addition, a gross gamma monitor is provided at the HEPA filter assembly.

7.6.3.2.6 Reliability Requirements—The DIS shall be designed to ensure that adequate reliability has been provided against random failures and credible external single events except earthquakes and tornadoes.

7.6.4 Dedicated Information System Analysis

7.6.4.1 Functional Adequacy. The DIS supports the startup, steady-state, and shutdown operational modes by providing (1) source range log count rate and period instrumentation, (2) linear operating instrumentation, (3) fuel temperature instrumentation, and (4) reliable power to the RTS steady-state log period channels and major instrumentation in the F/CS. The DIS also provides core performance and core filtration/cooling information to the reactor operator in the control room during abnormal plant conditions by conveying a wide variety of parameters to the control room using a two-channel system.

7.6.4.2 Design Adequacy. The design meets the requirements set forth in Section 7.6.3.2.2 by providing core and F/CS information through independent systems. Separation of DIS channels includes location of the DIS chassis in different rooms and separate routing of wiring as much as is practicable. Redundant nuclear instrument readout devices (except linear channel) are provided in the control room; each is supplied from separated independent cables within the control room. Where redundant cables are not separated by a barrier (i.e., in the control room cabinets) fire propagation is prevented by a fire protection system.

7.6.4.3 Quality Verification. Components and modules are of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels are achieved through the specification of requirements known to promote high quality, such as requirements for design, manufacturing, quality control, inspection, calibration, and testing. See Chapter 17.

7.6.4.4 Conformance to Safety Criteria. There are no Chapter 15 accidents that rely on the DIS for accident mitigation. Therefore, the codes and standards in Table 7-10 are not directly applicable to the DIS design. Nonetheless, the codes and standards listed in Table 7-10 were applied to the DIS design as follows:

IEEE 379, Standard Application of the Single-failure Criterion to Nuclear Power Generating Stations Class 1E Systems: The DIS contains two channels that are separated and has two main chassis located in separate rooms to minimize single-failure modes except tornadoes or earthquakes.

IEEE 384, Standard Criteria for Independence of Class 1E Equipment and Circuits: Input and output cables for each DIS channel are in separated conduits to provide independent, redundant information channels.

ANSI N45.2, Quality Assurance Program Requirements for Nuclear Facilities: The quality assurance program for the DIS is in accordance with Chapter 17 and includes control over design, procurement, fabrication and testing.

General Design Criteria: The GDC was met as discussed in Chapter 3, Section 3.1.

7.6.4.5 Reliability Analysis. The DIS reliability is ensured by design features that allow for separation and redundancy in monitoring instruments, displays, cables, and power supplies.

7.7 Other Non-Safety Related Systems

7.7.1 Filtration/Cooling System

The reactor filtration/cooling system (F/CS) contains and transports the core cooling air through a filter system. Particulates generated within the reactor core are removed and retained by HEPA filters. The filtered core effluent is vented to the atmosphere through the Reactor Building exhaust stack. See Chapter 5, Filtration/Cooling System, and refer to “Component Design Description for Reactor Filtration/Cooling System” (ANL 1992c), for additional information describing the F/CS. Instrumentation is provided to report F/CS operational status and to monitor system performance. See Table 7-6. Controls are also provided to operate the two F/CS blowers. F/CS parameters are summarized in Tables 7-11 and 7-12.

Table 7-11. F/CS instrumentation and controls.

| Parameter | Function |
|---|---|
| Reactor Outlet Temperature | Digital Display |
| Reactor Differential Temperature | Digital Display |
| Reactor Inlet Temperature | Digital Display |
| Reactor Outlet Pressure | Digital Display |
| Total Flow | Digital Display |
| HEPA Inlet Temperature | Digital Display |
| Blower 1 Run | Lamp (Green) |
| Blower 2 Run | Lamp (Green) |
| Reactor Outlet Temperature High | PANALARM (Red) |
| Low Cooling Air Flow | PANALARM (Red) |
| HEPA Inlet Temperature High | PANALARM (Red) |
| Blower 1 Vibration | PANALARM (Red) |
| Blower 2 Vibration | PANALARM (Red) |
| Blower 1 Start | Switch |
| Blower 2 Start | Switch |
| Blower 1 Stop | Switch |
| Blower 2 Stop | Switch |
| Bypass Valve Manual/Auto | Switch |
| Bypass Valve Open/Close | Switch |
| Total Flow | Chart Recorder |
| Reactor Differential Temperature | Chart Recorder |

Table 7-12. Environmental conditions at the F/CS component locations.

| Location | Design Components Affected | Environmental Condition |
|---|---|---|
| Reactor Building (high-bay area and fan room) | Power & control circuitry and electronic hardware | 10–35°C |
| Reactor I&C room | Electronic equipment status displays, computer | 15–35°C normally air-conditioned |
| Control room | Electronic equipment control and status display | 15–35°C normally air-conditioned |

7.7.2 Experiment Support System

The experiment support system is composed of the hodoscope and loop support system. The experiment support systems are not safety-related. They are, however, designed with separated redundant channels to ensure that no single event will impact more than one of the two independent channels that supply experiment information to the respective support system.

7.7.2.1 Hodoscope. The hodoscope is a unique instrument designed to examine and record the movement of the fuel contained in the experiment loop in real time during transient conditions when fuel damage is produced. It is capable of examining movement through an optically opaque experiment loop with opaque coolant.

The hodoscope is a fast neutron imaging system capable of imaging abnormal nuclear fuel power excursion experiments in the center of the TREAT reactor in real time. It consists of collimator arrays, neutron detectors, detector preamplifiers, count rate accumulators, a data acquisition system (DAS), and calibration functions. It also requires an interface to the ARCS for notification of experiment initiation, status, and termination.

The hodoscope DAS simultaneously acquires count rate data from the 720 channel neutron detector interface electronics assemblies (scalers) that interface to the two hodoscope imaging arrays. The hodoscope DAS is located in the hodoscope room of MFC-720 (Room 120). The hodoscope operator’s console is located in the Reactor Building with remote hodoscope status indications and control functions in the control room in MFC-724.

A detailed description of the TREAT hodoscope is located in “TREAT Fast Neutron Hodoscope System Design Description” (ANL 1982b).

7.7.2.1 Loop Support System. Loop support systems will be designed and implemented by the experimenters. Analysis requirements are expected to be generated by the experiment analysis group and will be a function of each experiment customer’s requirements. See Chapter 10.

7.7.3 Radiation-monitoring System

The radiation-monitoring system is in operation at all times except when maintenance or calibration is necessary. The radiation monitoring system consists of the following components:

• A radiation-monitoring system consisting of 10 channels of area monitors. Each channel consists of a detector and an electronic chassis with audible and visual alarms located in the reactor area being monitored and a radiation level indicator with alarm and status indicators located in the control room and health physics office. All channels have a range of 0.1 mR/h to 100 R/h. The output of the exhaust stack channel (R6) is recorded on a chart recorder.

• The airborne activity in the Reactor Building is monitored by two cart-mounted continuous-sampling units with an integral recorder and an alarm that automatically resets. The range of the detector is 50 to 1,000,000 counts/min. A remote alarm and meter are installed in the control room in Building 724 and in the health physics office in the Reactor Building. In the event of the installed CAM failure, when the area is occupied, portable air samples may be taken until the CAM is repaired or replaced. A spare CAM is available to replace a failed unit or monitor the air in a local work area that might contain airborne activity.

7.8 Reliability and Operability

A number of studies have been conducted to verify the reliability of the TREAT RTS and portions of the reactivity control system associated with the PPS (ANL 1984b; Halverson 1983). The reliability of the DMT and the RCS have been studied as well. The results of these studies and analyses are described in the referenced documents. The references are provided to give confidence that the PPS will operate with reasonable reliability. The entire RTS will be used during reactor operations.

7.9 References

10 CFR 830, 2001, “Safety Basis Requirements,” Subpart B, Code of Federal Regulations, Office of the Federal Register.

ANL, 1982a, “TREAT Component Design Description for Reactor Control System,” S3300-0010-AJ-00, Rev. 0, Argonne National Laboratory.

ANL, 1982b, “TREAT Fast Neutron Hodoscope System Design Description,” R0206-1000-SA, Rev. 1, Argonne National Laboratory.

ANL, 1984a, “TREAT Reactor Trip System Design Description, User’s Manual,” L6570-8379-DA, Rev. 4, Argonne National Laboratory.

ANL, 1984b, “TREAT Upgrade Reactor Scram System Reliability Analysis,” S3330-0026-IT-00, Rev. 1, Argonne National Laboratory.

ANL, 1988, “User’s Manual for the TREAT Dedicated Microprocessor Tester,” Z0003-0148-OP-00, Rev. 0, Argonne National Laboratory.

ANL, 1990, “Guide for Irradiation Experiments in TREAT,” Z0004-0001-OR-03, Rev. 0, Argonne National Laboratory.

ANL, 1992a, “TREAT Upgrade Component Design Description for Reactivity Control System,” S3330-0012-AJ-03, Rev. 3, Argonne National Laboratory.

ANL, 1992b, “User’s Manual for the TREAT Automatic Reactor Control System,” Z0003-0150-OP-03, Rev. 0, Argonne National Laboratory.

ANL, 1992c, “Component Design Description for Reactor Filtration/Cooling System,” S3314-0020-HJ-02, Rev. 2, Argonne National Laboratory.

Halverson, S. L., ANL, to W. C. Lipinski, ANL, August 26, 1983, “TREAT Upgrade, DMT Failure Modes and Effects Analysis, Revised Report,” NAP-83-157.

NRC, 1978, “Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants,” Regulatory Guide 1.70, Rev. 3, U.S. Nuclear Regulatory Commission.

TS-420, “TREAT Technical Specifications,” current rev.