Presentation on UFTR Licensing Amendment ApplicationIntroduction to the UF Team, their functions, and support teams from AREVA & Siemens Proposed TXS Protection System Safety System

Presentation on UFTR Licensing Presentation on UFTR Licensing Amendment ApplicationAmendment Application

(Phase 0)(Phase 0)

Alireza HaghighatAlireza HaghighatFP&L ProfessorFP&L ProfessorUFTR DirectorUFTR Director

&&Gabriel Gabriel GhitaGhita

Research ScientistResearch ScientistProject CoordinatorProject Coordinator

Nuclear & Radiological Engineering DepartmentNuclear & Radiological Engineering DepartmentUniversity of FloridaUniversity of FloridaGainesville, FloridaGainesville, Florida

For presentation to the NRC, Washington DC, Oct. 16, 2009

22

OutlineOutlineIntroduction to the reactor designIntroduction to the reactor design

Core, primary loop, secondary loop, reactor cell, confinementCore, primary loop, secondary loop, reactor cell, confinementAccident scenariosAccident scenarios

Current I&C designCurrent I&C designFeaturesFeaturesLicensing requirementLicensing requirement

Introduction to the UF Team, their functions, and support teams Introduction to the UF Team, their functions, and support teams from AREVA & from AREVA & SiemensSiemens

Proposed TXS Protection SystemProposed TXS Protection System

Safety System Design BasisSafety System Design Basis

D3 Analysis (considering Design Basis changes)D3 Analysis (considering Design Basis changes)

Introduction to plansIntroduction to plansQAPQAPV&VV&V

Discussion on TXS EquipmentDiscussion on TXS Equipment

Possibility of installation of a redundant Train for testing, bePossibility of installation of a redundant Train for testing, benchmarking and trainingnchmarking and training

Proposed scheduleProposed schedule

33

UFTR timelinesUFTR timelines

Established in 1959 with a power of 10 kWEstablished in 1959 with a power of 10 kW

In 1963, its power was increased to 100 kWIn 1963, its power was increased to 100 kW

In 1970, its fuel was changed from LEU to HEUIn 1970, its fuel was changed from LEU to HEU

In Sept. 2006, its fuel was changed from HEU to In Sept. 2006, its fuel was changed from HEU to LEULEU

Schematic of UFTR (axial projection)

Core

GraphiteShield Tank

55

Schematic of UFTRSchematic of UFTR(Horizontal projection)(Horizontal projection) N

66

UFTR CoreUFTR Core

N

77

UFTR CoreUFTR Core

Control blade

Fuel box

Graphite

S1S2

S3 RG

N

88

Fuel Plate CharacteristicsFuel Plate CharacteristicsLEU

Fuel Type U3Si2-AlFuel Meat Size

Width (cm)Thickness (cm)Height (cm)

Fuel Plate SizeWidth (cm)Thickness (cm)Height (cm)

Cladding material 6061 AlCladding Thickness (cm)Fuel Enrichment (nominal) 19.75%“Meat”

Composition (wt% U)Mass of 235U per Plate (nominal)Number of Plates per Fuel Bundle

99

Core at critical condition Core at critical condition –– Fuel pattern and blade positionsFuel pattern and blade positions

Safety 1, at 26.3 degreesSafety 2, at 26.3 degrees

Safety 3, at 26.3 degrees Regulating, at 16.9 degrees

Dummy bundle

10 fuel plates &

3 Dummy plates

1010

Total neutron flux distributionTotal neutron flux distribution

1111

Bundle power distribution (kW)Bundle power distribution (kW)

Schematic of

the core

1212

Core LifetimeCore Lifetime

Expected end-of-life LEU core with fuel burnup

of ~86.67 MWD;

This is based on full-power operation time of

4 hr/day,

5 day/week,

20 years

UFRT Primary Coolant Loop Design

(including locations of sensing devices)

- RTD

-

Level Indicator

-

Flowmeter

-

Closed Valve (Normal Operation)

From Demineralizer Loop

Coolant Storage Tank

Heat Exchanger

To Demineralizer Loop

Rupture Disk

Dump Valve

Secondary Storage Well

UFTR Core

Air Bleed Valve

To Secondary Side

- NI

Fission Chamber/BF3

Ion Chamber

-

Primary Flow

L

L

1414

Operating RegionOperating Region

0

25

50

75

100

125

150

175

200

225

250

275

15 20 25 30 35 40 45 50 55

True Coolant Flow Rate, gpm

True

Rea

ctor

Pow

er, k

W

Tin = 86 F

Tin = 100 F

Tin = 110 F

OPERATING REGIONfor Max. Tin = 110 oF

Figure 5. 20 mil tolerance on Water Channel Spacing and 0.065" Repositioning of Each Assembly Due to Combs

True Max. Power: 125 kWLSSS Power: 119 kW

Max Operating Power: 100 kW

For Max, Inlet Temp. = 100 oFTrue Minimum Flow Rate: 39 gpmLSSS Flow Rate: 41 gpmOperating Flow Rate: 48 gpmFor Max, Inlet Temp. = 110 oFTrue Minimum Flow Rate: 43 gpmLSSS Flow Rate: 45 gpmOperating Flow Rate: 52 gpm

OPERATING REGION for Max. Tin = 100 oF

1515

ParameterParameter TrueTrueLimitLimit

LSSSLSSS OperatingOperatingValuesValues

Power (Power (kWkW)) 125125 119119 100100

Inlet Flow Rate (Inlet Flow Rate (gpmgpm)) 3434 3636 4343

Inlet Temperature (Inlet Temperature (FF)) 100100 9999 8080

Outlet Temperature (Outlet Temperature (FF)) 165165 155155 9595

UFTR Control Parameters and Settings

Accident Scenarios & AnalysisAccident Scenarios & Analysis

1717

Accident ScenariosAccident ScenariosA rapid insertion of 0.6% A rapid insertion of 0.6% ΔΔk/kk/k

reactivity. reactivity.

This scenario represents the reactivity insertion This scenario represents the reactivity insertion resulting from the rapid ejection of the maximum resulting from the rapid ejection of the maximum worth of all moveable and nonworth of all moveable and non--secured experiments secured experiments from the reactor. Cases were analyzed both with and from the reactor. Cases were analyzed both with and without reactor SCRAM. without reactor SCRAM.

A reactivity ramp insertion of 0.06% A reactivity ramp insertion of 0.06% ΔΔk/k/sk/k/s

for 10 for 10 seconds. seconds.

This scenario represents the insertion of reactivity This scenario represents the insertion of reactivity due to control blade withdrawal at the maximum rate due to control blade withdrawal at the maximum rate allowed by the UFTR Technical Specifications. This allowed by the UFTR Technical Specifications. This accident is assumed to be terminated by reactor accident is assumed to be terminated by reactor SCRAM. SCRAM.

1818

A rapid insertion of 0.6% A rapid insertion of 0.6% ΔΔk/kk/k

reactivity with reactivity with scramscram (fresh fuel)(fresh fuel)

PowerPower 100 kW100 kW 100 kW100 kW 100 kW100 kW 100 kW100 kW

Steady State ConditionSteady State Condition 43 43 gpmgpm, , Tin=86Tin=86o o FF

34 34 gpmgpm, , Tin=86Tin=86oo

FF34 34 gpmgpm, ,

Tin=109Tin=109oo

FF43 43 gpmgpm, ,

Tin=86Tin=86oo

FFBlade Drop Time (s)Blade Drop Time (s) 1.01.0 1.01.0 1.01.0 1.51.5

Time to Peak Power (s)Time to Peak Power (s) 0.140.14 0.140.14 0.140.14 0.140.14

Peak Power (kW)Peak Power (kW) 316316 316316 316316 318318

TTfuelfuel

(max) at Peak Power ((max) at Peak Power (ooCC)) 51.951.9 54.454.4 66.766.7 51.951.9

TTfuelfuel

(max(max) () (ooCC)) 52.252.2 54.854.8 67.067.0 52.552.5

TTcladclad

(max(max) () (ooCC)) 52.252.2 54.754.7 67.067.0 52.552.5

TTcoolcool

maxmax

((ooCC)) 44.644.6 47.647.6 59.959.9 44.644.6

1919


reactivity with reactivity with scramscram (depleted fuel)(depleted fuel)




FF34 34 gpmgpm, ,

Tin=109Tin=109oo

FF43 43 gpmgpm, ,

Tin=86Tin=86oo

FFBlade Drop Time (s)Blade Drop Time (s) 11 11 11 1.51.5



TTfuelfuel

(max) at Peak Power ((max) at Peak Power (ooCC)) 5252 54.854.8 6767 52.152.1

TTfuelfuel

(max(max) () (ooCC)) 52.652.6 55.355.3 67.567.5 52.652.6

TTcladclad

(max(max) () (ooCC)) 52.652.6 55.355.3 67.567.5 52.552.5

TTcoolcool

maxmax

((ooCC)) 44.544.5 47.547.5 59.859.8 44.544.5

2020


reactivity reactivity withoutwithout

scramscram (fresh fuel)(fresh fuel)

PowerPower 100 kW100 kW 100 kW100 kW 100 kW100 kW



FF34 34 gpmgpm, ,

Tin=109Tin=109oo

FFTime to Peak Power (s)Time to Peak Power (s) 2.482.48 2.442.44 2.302.30

Peak Power (kW)Peak Power (kW) 11991199 11861186 11121112

TTfuelfuel

(max) at Peak Power ((max) at Peak Power (ooCC)) 9595 9595 100100

TTfuelfuel

(max(max) () (ooCC)) 107107 108108 109109

TTcladclad

(max(max) () (ooCC)) 107107 108108 109109

TTcoolcool

maxmax

((ooCC)) 101101 101101 102102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time, the coolant reaches the saturation temperature and boiling

occurs in the uppermost nodes of the coolant channel; negative coefficient of reactivity will

shutdown the reactor.

2121


reactivity reactivity withoutwithout

scramscram (depleted fuel)(depleted fuel)

PowerPower 100 kW100 kW 100 kW100 kW 100 kW100 kW



FF34 34 gpmgpm, ,

Tin=109Tin=109oo

FFTime to Peak Power (s)Time to Peak Power (s) 2.362.36 2.322.32 2.192.19

Peak Power (kW)Peak Power (kW) 13371337 13211321 12351235

TTfuelfuel

(max) at Peak Power ((max) at Peak Power (ooCC)) 9696 9696 101101

TTfuelfuel

(max(max) () (ooCC)) 108108 109109 110110

TTcladclad

(max(max) () (ooCC)) 108108 109109 110110

TTcoolcool

maxmax

((ooCC)) 101101 101101 102102

After the sudden jump, power remains at 600 kW for 300 seconds, after which time, the coolant reaches the saturation temperature and boiling

occurs in the uppermost nodes of the coolant channel; negative coefficient of reactivity will

shutdown the reactor.

2222

A slow insertion of 0.06% A slow insertion of 0.06% ΔΔk/k/sk/k/s

reactivity with reactivity with scramscram (fresh fuel)(fresh fuel)




FF34 34 gpmgpm, ,

Tin=109Tin=109oo

FF43 43 gpmgpm, ,

Tin=86Tin=86oo

FFBlade Drop Time (s)Blade Drop Time (s) 1.01.0 1.01.0 1.01.0 1.51.5



TTfuelfuel

(max) at Peak Power ((max) at Peak Power (ooCC)) 52.152.1 54.654.6 66.866.8 52.152.1

TTfuelfuel

(max(max) () (ooCC)) 52.152.1 54.654.6 66.866.8 52.152.1

TTcladclad

(max(max) () (ooCC)) 52.052.0 54.654.6 66.866.8 52.052.0

TTcoolcool

maxmax

((ooCC)) 44.644.6 47.647.6 60.060.0 44.644.6

2323

A slow insertion of 0.06% A slow insertion of 0.06% ΔΔk/k/sk/k/s

reactivity with reactivity with scramscram (depleted fuel)(depleted fuel)




FF34 34 gpmgpm, ,

Tin=109Tin=109oo

FF43 43 gpmgpm, ,

Tin=86Tin=86oo

FFBlade Drop Time (s)Blade Drop Time (s) 11 11 11 1.51.5



TTfuelfuel

(max) at Peak Power ((max) at Peak Power (ooCC)) 5252 54.854.8 6767 52.152.1

TTfuelfuel

(max(max) () (ooCC)) 52.652.6 55.355.3 67.567.5 52.652.6

TTcladclad

(max(max) () (ooCC)) 52.652.6 55.355.3 67.567.5 52.552.5

TTcoolcool

maxmax

((ooCC)) 44.544.5 47.547.5 59.859.8 44.544.5

2424

Other AccidentsOther AccidentsLOCA during full power operationLOCA during full power operationThe increase in fuel temperature following a LOCA results in shuThe increase in fuel temperature following a LOCA results in shutdown of the tdown of the reactor,reactor,

Either by the negative void coefficient of reactivity,Either by the negative void coefficient of reactivity,Or by the insertion of control blades into the reactorOr by the insertion of control blades into the reactor

In both cases, the fuel temperature will increase by less than 1In both cases, the fuel temperature will increase by less than 177ooC (30C (30ooF) F)

Sudden insertion of maximum excess reactor of 1.4% Sudden insertion of maximum excess reactor of 1.4% ΔΔk/kk/k

results in an results in an energy release of <6.1 MW and a cladding temperature of <300 C.energy release of <6.1 MW and a cladding temperature of <300 C.

Maximum Hypothetical Accident (MHA)Maximum Hypothetical Accident (MHA)Fuel Handling Accident (FHA)Fuel Handling Accident (FHA)

It is postulated that because of severe mechanical damage, the It is postulated that because of severe mechanical damage, the aluminum cladding is stripped from one fuel plate; it is assumedaluminum cladding is stripped from one fuel plate; it is assumed

that that 2.7% of the total volatile activity instantaneously escapes from2.7% of the total volatile activity instantaneously escapes from

the the fuel plate into the reactor cell. fuel plate into the reactor cell.

Estimated occupational and public doses are smaller by several Estimated occupational and public doses are smaller by several orders magnitude relative to exposure limits.orders magnitude relative to exposure limits.

Current Current UFTR Analog I&CUFTR Analog I&C

and and OperationsOperations

2626

Current UFTR Analog Protection & Control SystemCurrent UFTR Analog Protection & Control SystemARM

WLM

FRM

TC

Electrical Monitoring One Safety Train

Indi

cato

rs

Shutdow

n

(RTS

, manual)

2727

Shutdown MechanismsShutdown Mechanisms

AutomaticAutomaticBlade Drop (BD) Blade Drop (BD) –– Clutch current controlClutch current controlDump valve (DV) Dump valve (DV) –– SelonoidSelonoid current controlcurrent control

ManualManualIndicators (sirens, monitors & displays) followed by Indicators (sirens, monitors & displays) followed by operators manual actions: BD and/or DVoperators manual actions: BD and/or DV

PassivePassiveNEGATIVE coolant void and temperature coefficient NEGATIVE coolant void and temperature coefficient of reactivityof reactivity

2828

Unique FeaturesUnique Features

Low power (the peak power per bundle = 5 kW)Low power (the peak power per bundle = 5 kW)Low fuel temperature (~50 C);Low fuel temperature (~50 C);Negative coefficients of reactivity;Negative coefficients of reactivity;

Example: Even for an unprotected insertion of 0.6% Example: Even for an unprotected insertion of 0.6% ΔΔk/kk/k , the peak , the peak fuel temperature is ~108C (fuel melting point is 582 C) fuel temperature is ~108C (fuel melting point is 582 C)

Under regular conditions, reactor can be shutdown by Under regular conditions, reactor can be shutdown by dumping the coolantdumping the coolantNo need for Engineering Safety Features Actuate System No need for Engineering Safety Features Actuate System (ESFAS)(ESFAS)One train protection and control systemOne train protection and control systemNo protection for single failure is neededNo protection for single failure is needed

Facts

Results

Introduction of the UF Team, Introduction of the UF Team, their functions, and support their functions, and support

teams from AREVA & Siemensteams from AREVA & Siemens

3030

Project Organization UFTRProject Organization UFTR

UFTR Digital Control System Upgrade Project - OrganizationUFTR Digital Control System Upgrade Project - Organization

Project ManagerProf. Alireza Haghighat

Project CoordinatorDr. Gabriel Ghita, RS

Lead: Prof. Glenn SjodenCo-lead: Dr. G. Ghita, RSProf. A. HaghighatMatt Marzano, GR Jennifer Musgrave, UG

Lead: Prof. Jim BaciakCo-lead: Brian Shea, RMProf. Mark HarrisonMatt Berglund, SRO Andrew Holcomb, UG

CCB=Configuration Control Board, IV&V=Independent Verification &

Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager,

SRO=Senior Reactor Operator, UG=Undergraduate Student

Lead: Prof. A. HaghighatDr. Gabriel Ghita, RSProf. James BaciakDaniel Lago, UGSteven Brown, UG

Auditor:Dr. William Van Dyke

CCB:Prof. A. HaghighatDr. G. Ghita, RSProf. Glenn SjodenProf. James BaciakBrian Shea, RM

Lead:Prof. Edward Dugan

Prof. Mark Harrison Prof. DuWayne Schubring George Fekete. UG

QA Management IV&V

Hardware & InstallationSoftware DevelopmentSystem Design & Analysis

3131

Project Organization AREVA + UFTRProject Organization AREVA + UFTR

AREVA Corporate Sponsor Mehdi Tadjalli

AREVA PM Eric Wallace

AREVA PE Sean Kelley

AREVA Project Team

Installation Support TBD

HW Lead Engineer Ryan Nash

SW Lead Engineer Jason Reed

Training Mike Fillian

Licensing SupportMark Burzynski

QA ManagerMark Milo

Siemens PMOldrich

Klokocka

GmbH PMHerbert

Nussbaumer

UFTR PM Dr. Alireza Haghighat

UFTR Organization

Proposed TXS Protection SystemThe TXS system block consists of hardware and software that provide for the protection, control, indication, and monitoring.

Current licensed UFTR protection and control system utilizes one train,

which contains two sets of nuclear instrumentation that have to be operational simultaneously for a complete coverage of reactor power.

Similar to the current UFTR protection and control system, we propose a one-train

system which includes signal diversity; it is capable of identifying invalid signals and their diverse signals.

It is worth noting we are also considering a two-train design (i.e., with two levels of redundancy) for training, education and research purposes.

Figure below depicts the TXS system (with two trains), which is comprised of the following components:

Acquisition and Processing (AQP) Voter – Voting and Actuation (VT) (needed for the two-train design)Main Control Room (MCR)Monitoring Service Interface (MSI)

Proposed TXS Protection System

AQP: Acquisition and Processing VT: VoterMSI: Monitoring and Service Interface QDS: Qualified Display SystemSU: Service UnitGW: GatewayRTS: Reactor Trip System

T-3000 control system

Safety System Design BasisSafety System Design Basis

Here, we discuss the changes to be considered for the UFTR Design Basis due to the digital protection system upgrade. To facilitate this discussion, we will utilize the IEEE-603 Design Basis clauses.

3535

Clause # Clause Comment4-1 The design basis events applicable to each mode of operation of the

generating station along with the initial conditions and allowable limits of plant conditions for each such event.

no change

4-2 The safety functions and corresponding protective actions of the

execute features for each design basis event.

no change

4-3 The permissive conditions for each operating bypass capability that is to be provided.

N/A

4-4 The variables or combinations of variables, or both, that are to

be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.

change

4-5 The protective actions identified in clause 4-2 that may be controlled by manual means initially or subsequently to initiation.

no change

4-6 For those variables in clause 4-4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.

change

3636

Clause # Clause Comment4-7 The range of transient and steady-state conditions of both motive

and control power and the environment (e.g., voltage, frequency,

radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform.

change

4-8 The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).

N/A

4-9 The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.

N/A

4-10 The critical points in time or the plant conditions, after the onset of a design basis event.

change

4-11 The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.

no change

4-12 Any other special design basis that may be imposed on the system

design (e.g., diversity, interlocks, regulatory agency criteria).

change

Clause 4.1 of IEEE Std. 603Clause 4.1 of IEEE Std. 603““The design basis events applicable to each mode of operation of The design basis events applicable to each mode of operation of the the

generating station along with the initial conditions and allowabgenerating station along with the initial conditions and allowable limits of le limits of plant conditions for each such eventplant conditions for each such event”” (IEEE(IEEE--603)603)

The proposed protection system has two modes of operation, automatic and manual.

Below, for each Design Basis Event, the mode of system operation

is provided:Loss-of-Coolant Accident (LOCA) during the full power operation (automatic)Slow Insertion of 0.06% ∆k/k/s for 10 seconds (automatic) Sudden Insertion of the Maximum Allowed Excess Reactivity of 1.4% Δk/k (automatic)Sudden Insertion of the Maximum Allowed Reactivity of 0.6% Δk/k (automatic)Control Blade System Malfunction (manual)Loss of Power (manual)

3737Clauses

Clause 4.2 of IEEE Std. 603Clause 4.2 of IEEE Std. 603

3838Clauses

Clause 4.2 of IEEE Std. 603 (contClause 4.2 of IEEE Std. 603 (cont’’d)d)List of Design Basis Events (Accidents)List of Design Basis Events (Accidents)

LossLoss--ofof--Coolant Accident (LOCA)Coolant Accident (LOCA)LOCA will cause the loss of the valid flow rate meter (FRM) signLOCA will cause the loss of the valid flow rate meter (FRM) signal in the al in the primary coolant loop, which will cause automatic initiation of Bprimary coolant loop, which will cause automatic initiation of BDT via TXS. Loss DT via TXS. Loss of coolant in the core due to the LOCA will also contribute to tof coolant in the core due to the LOCA will also contribute to the safe shutdown he safe shutdown of the UFTR as a result of the negative void coefficient of reacof the UFTR as a result of the negative void coefficient of reactivity.tivity.

Reactivity insertion eventsReactivity insertion eventsSlow insertion of 0.06% Slow insertion of 0.06% ∆∆k/k/sk/k/s without scramwithout scramSudden Insertion of the Maximum Allowed Excess Reactivity (1.4% Sudden Insertion of the Maximum Allowed Excess Reactivity (1.4% ∆∆k/kk/k))Sudden Insertion of the Maximum Allowed Reactivity (0.6% Sudden Insertion of the Maximum Allowed Reactivity (0.6% ∆∆k/kk/k))

The above reactivity events shall cause automatic initiation of The above reactivity events shall cause automatic initiation of FT via TXS when FT via TXS when any NI signal becomes invalid due to high reactor power.any NI signal becomes invalid due to high reactor power.

Control Blade System MalfunctionControl Blade System MalfunctionThis anticipated operational occurrence shall be mitigated by opThis anticipated operational occurrence shall be mitigated by opening the Dump ening the Dump Valve initiated by the MRS.Valve initiated by the MRS.

Loss of PowerLoss of PowerLoss of Power directly causes BDT, thus no execute feature must Loss of Power directly causes BDT, thus no execute feature must be initiated be initiated during this event.during this event.

3939Clauses


““The permissive conditions for each operating bypass capability tThe permissive conditions for each operating bypass capability that is to hat is to be providedbe provided”” (IEEE 603)(IEEE 603)

There is no need for an operating bypass for UFTR, thus there arThere is no need for an operating bypass for UFTR, thus there are no e no permissive conditions for this type of bypass.permissive conditions for this type of bypass.

4040Clauses

4141


“The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured” (IEEE 603)

The existing analog protection system has four levels of protection for the design basis events:

-

pre-operation check, -

monitoring, -

interlocks, and -

trip system.

For the new digital protection system, besides the aforementioned levels, we are considering signal diversity in order to protect the system against the Common Cause Failure.

Clauses

Item Component Item Component1 Core Vent 14 Primary Coolant Resistivity Determinations2 Diluting Fan System 15 Blade Withdrawal Time Measurement3 Blade Gear Box 16 Primary Coolant4 Manometers and Magnetic Gage 17 Magnet Power Key5 Portal Monitor 18 Log/linear recorder 6 Core Vent and Diluting Fan Systems 19 Equipment Pit Checkout and Gamma Radiation Levels7 Shield Water 20 Water Sample Analysis8 Demineralizer

Pump 21 Air Particulate Detectors9 Magnet Power Key 22 Radiation Monitor Console

10 Exterior lights 23 Secondary Water and Strainer11 Neutron recorder 24 Security System Monitors12 Primary Coolant Pump 25 Complete Records13 Source Alarm

4242

Table 1 -

List of components checked prior to reactor startup

Clause 4.4 of IEEE Std. 603 (contClause 4.4 of IEEE Std. 603 (cont’’d)d)

Clauses

4343

Table 2 -

Description of Monitoring parameters during operations


Item Parameter1

2

3

4

5

6

7

8

Main AC power line

Primary and secondary coolant pump power

Console power

Core ventilation fan power

Stack dilution fan

Area radiation monitor

Stack/vent monitor

Air particulate

Table 3 -

Description of InterlocksID Description1

2

3

4

5

Inhibits attempt of simultaneous withdrawal of 2 or more safety blades (mode 2*)

Inhibits attempt of withdrawal of regulating blade with a period

(T) < 30 s (mode 2)

Inhibits withdrawal of blades if the source count rate is < 2 cps (mode 1**)

Inhibits withdrawal of blades if period (T) <10 s (mode 1)

Inhibits reactor operation if safety channels 1 & 2 are not operable (mode 1)*Mode 2: Automatic control**Mode 1: Manual Protection and Control

Clauses

4444

Clause 4.4 of IEEE Std. 603 (contClause 4.4 of IEEE Std. 603 (cont’’d)d)Condition Type of Trip

Automatic•

Period ≤

3 sec

•

Power ≥

119 kW

•

Loss of chamber high voltage (≤90%)

•

Loss of electrical power to control console

•

Primary cooling systemo Loss of pump powero Low-water level in core ( ≤

42.5")o No outlet flowo Low inlet water flow ≤

41 gpm

•

Secondary cooling system (at power levels > 1 kW)o Loss of flow (well water ≤

60 gpm,)o Loss of pump power

•

High primary coolant inlet temperature ≥

99°

F

•

High primary coolant outlet temperature ( ≥

155°

F)

•

Shield tank -

Low water level (6" below established normal level)

•

Ventilation systemo Loss of power to dilution fano Loss of power to core vent system

FT*

FT

FT

FT

BDT**

BDT

BDT

BDT

BDT

BDT

Manual•

Manual scram bar

•

Console key-switch OFF (two blades off bottom)

BDT

FT

Table 4 List of conditions for trip

*FT: Full Trip (including Dump Valve Trip and BDT)** BDT: Blade drop Trip

Clauses


4545

Reactor Feature Primary Mode of Detection AIc DId Segment of UFTRHigh Power Level *FCa, ICb 2 - CoreReactor Period, Low Power Level

*BF3, IC 2 - Core

Temperature *Resistive TD 10 - core, primary, secondaryFlow Rate Flow Rate Monitor (FRM) 2 2 primary, secondaryWater Level Water Level Monitor* (WLM) 2 1 Core, storage tank*, shield tankArea Radiation Level Area Radiation Monitor (ARM) 4 4 east, north, south, west*

Fan Availability Fan Monitor (FM) 1 2 Core ventilation, stack dilution, stack dilution RPM

Table 5. List of signals for each train of the proposed UFTR TXSTable 5. List of signals for each train of the proposed UFTR TXS

systemsystem

aFission

Chamber; bIon

Chamber; cAI, Analog Input; dDI, Digital Input*Indicates a new monitoring device and/or location that shall be

added in the proposed system

Sensor/Monitor Core Primary Secondary Reactor Cell ConfinementFC+BF3 -IC -RTD - - -FRM - - -WLM - -ARM - -FM - -

Table 6. Signal diversity within each train

Clauses


4646

Manual reactor scram (MRS) is available in the event that TXS fails to initiate RTS. Depression of the MRS button causes the control blade drive

(clutch current control) to shut off, which allows the blades to drop into the core due to gravity. The MRS button will also provide a HW and SW interrupt for the TXS system. This event is referred to as a blade-drop trip (BDT). If the control blades do not function properly and the core overheats, the negative void and temperature coefficients will cause the core to go subcritical and shut down

even without insertion of the control blades. Therefore, instrumentation is not an absolute necessity for shutting the UFTR down because of its inherent safety features.

“The protective actions identified in Clause 4-2 that may be controlled by manual means initially or subsequently to initiation” (IEEE 603)

Clauses

Clause 4.5.1 of IEEE Std. 603“The points in time and the plant conditions during which manual control is allowed” (IEEE 603)Protective action may be initiated by manual means at any time during reactor operation.


4747

Clause 4.5.2 of IEEE Std. 603“The justification for permitting initiation or control subsequent to initiation solely by manual means” (IEEE 603)Justification for permitting initiation by manual means lies in the fact that no action or inaction of the operator during a design basis event can NOT result in the uncontrolled release of radioactivity.

Clause 4.5.3 of IEEE Std. 603“The range of environmental conditions imposed upon the operator during normal, abnormal, and accident conditions throughout which the manual operations shall be performed” (IEEE 603)Environmental conditions imposed upon the operator during normal, abnormal, and accident conditions shall not be of concern, since the worst-case accident scenario does not result in the release of radioactivity. It is also important to note that the new main control room (MCR) will be isolated from the reactor cell.

Clause 4.5.4 of IEEE Std. 603“The variables in clause 4.4 that shall be displayed for the operator to use in taking manual action” (IEEE 603)All variables listed in Table 1

shall be displayed for the operator on the Qualified Display System (QDS) of the TXS protection system and the display of the

T3000 control system. The new system has an added qualified display, i.e., QDS.

Clauses


4848

“For those variables in item d) that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes” (IEEE 603)

The number and locations of sensors required for protective purposes is provided in Table 1. Loss of all valid signals from any one of the five segments of the UFTR listed in Table 3 shall result in the safe shutdown of the UFTR via BDT.

Clauses


4949

“The range of transient and steady-state conditions of both motive and control power and the environment (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference) during normal, abnormal, and accident conditions throughout which the safety system shall perform” (IEEE 603)

The existing UFTR control room is located within the reactor cell, which uses the same energy supply and environmental control.

The new TXS system components are located in the MCR, which is isolated from the reactor cell. The MCR receives power and air-conditioning that is independent from the reactor cell. Prevention of electromagnetic interference is achieved by the shielding effect of metallic front plates in each TXS cabinet. Thus, conditions within the MCR are not subject to change due the UFTR transient or steady-state conditions.

Clauses

5050


“The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (e.g., missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems)” (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in affecting the integrity of the fuel, and therefore there is no uncontrolled release of radiation.

Clauses


5151

“The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design” (IEEE 603)

Reliability analysis is not required for safety assessments because of the inherent safety features of the UFTR.

Clauses

5252

Clause 4.10 of IEEE Std. 603Clause 4.10 of IEEE Std. 603“The critical points in time or the plant conditions, after the onset of a design basis event” (IEEE 603)

Conditions having the potential for functional degradation of protection system performance are not of concern since the loss of the protection system does not result in the uncontrolled release of radiation.

Clause 4.10.1 of IEEE Std. 603“The point in time or plant conditions for which the protective actions of the safety system shall be initiated”

Table 5 and 6 show the conditions for interlocks, and automatic and manual initiation of the reactor trips, respectively.

Clause 4.10.2 of IEEE Std. 603“The point in time or plant conditions that define the proper completion of the safety function” (IEEE 603)

Protective action is complete when either BDT or FT has been initiated. It is important to note that physical failure of the RTS does not cause an uncontrolled release of radiation. Indication of initiation shall be provided

in the main control room (MCR).

Clauses


Clause 4.10.3 of IEEE Std. 603“The point in time or the plant conditions that require automatic control of protective actions” (IEEE 603)

No automatic control is required following the RTS initiation.

Clause 4.10.4 of IEEE Std. 603“The point in time or the plant conditions that allow returning a safety system to normal” (IEEE 603)

Plant conditions return to normal once enough valid signals are available to continue operation of the UFTR. Signals that their values are within the LSSS ranges are considered valid and are provided in Clause 4.4.

Clauses


“The equipment protective provisions that prevent the safety systems from accomplishing their safety functions” (IEEE 603)

No safety functions shall be disabled as a means for protective provisions

Clause 4.12 of IEEE Std. 603Clause 4.12 of IEEE Std. 603“Any other special design basis that may be imposed on the system design (e.g., diversity, interlocks, regulatory agency criteria)” (IEEE 603)

Because the proposed system contains digital instrumentation and

controls, D3 among system components is analyzed. The issue of SWCCF amongst digital equipment is addressed.The proposed monitoring train offers signal diversity, and the protection system includes system diversity.

Clauses

D3 AnalysisD3 Analysis

5656

Echelon of DefenseEchelon of Defense

Because of the aforementioned unique features Because of the aforementioned unique features of the UFTR, the four echelons of defense of the UFTR, the four echelons of defense (NUREG/CR(NUREG/CR--6303) reduces to three as follows:6303) reduces to three as follows:

Control SystemControl SystemReactor Trip System (RTS)Reactor Trip System (RTS)Monitoring and Indicator System (MIS)Monitoring and Indicator System (MIS)

Echelons of defense provide multiple barriers to Echelons of defense provide multiple barriers to radiation release for a reactor.radiation release for a reactor.

5757

Design of the Protection SystemDesign of the Protection System

The proposed system is divided into several blocks. It The proposed system is divided into several blocks. It shall be credibly assumed that internal failure within shall be credibly assumed that internal failure within these blocks will be contained. these blocks will be contained.

TXS : Teleperm

X-window Safety;

T-3000: control system; and,

MRS: Manual Reactor Scram

5858

System block functions System block functions

System blocks address different combinations of System blocks address different combinations of the three echelons of defensethe three echelons of defense

Block Control System RTS MIS

MRS

TXS

T-3000

5959

Interactions between blocksInteractions between blocks

All the signals within a train are input to both the All the signals within a train are input to both the TXS and TTXS and T--3000 systems; this is important 3000 systems; this is important because,because,

In case of failure of the TXS system (not known to the In case of failure of the TXS system (not known to the operator), the operator can identify the situation operator), the operator can identify the situation through the Tthrough the T--3000 displays, and3000 displays, andInitiate the MRS Initiate the MRS

TXS maintains a unidirectional communication TXS maintains a unidirectional communication with Twith T--3000 through its Gateway (GW)3000 through its Gateway (GW)

6060

Diversity among system blocksDiversity among system blocks

TXS TXS vsvs

TT--30003000These systems, which are computerThese systems, which are computer--based, based, have different hardware and software, have different hardware and software, resulting in monitoring diversityresulting in monitoring diversity

Manual Reactor Scram (MRS)Manual Reactor Scram (MRS)This block has an inherent diversity from the This block has an inherent diversity from the TXSTXS

6161

Diversity Diversity ––

Echelons of DefenseEchelons of Defense

Failure of MRS blockFailure of MRS blockNo impact on echelons of defense: TXS will initiate No impact on echelons of defense: TXS will initiate RTS. TRTS. T--3000 and TXS will remain functioning as a 3000 and TXS will remain functioning as a MIS.MIS.

Failure of TXS blockFailure of TXS blockNo impact on echelons of defense: MIS echelon will No impact on echelons of defense: MIS echelon will only contain indication of failed TXS system (via Tonly contain indication of failed TXS system (via T--3000) and therefore MRS will initiate RTS echelon3000) and therefore MRS will initiate RTS echelon

Failure of TFailure of T--3000 block3000 blockNo impact on echelons of defense: RTS initiated via No impact on echelons of defense: RTS initiated via MRS.MRS.

6262

Effect of CommonEffect of Common--Cause FailureCause Failure

Since the CCF is confined within a block, there Since the CCF is confined within a block, there is no impact on the echelons of defenseis no impact on the echelons of defense

Software errors and CCF are possible within the Software errors and CCF are possible within the TXS block, but because of system diversity, TXS block, but because of system diversity, these errors are not possible within the MRS these errors are not possible within the MRS block.block.

CCF amongst sensing equipments is possible CCF amongst sensing equipments is possible across different sensors within the same train. across different sensors within the same train. TXS processor has the necessary logic to TXS processor has the necessary logic to identify the problem and initiate RTS. identify the problem and initiate RTS.

6363

CCF of different typesCCF of different typesType 1Type 1

This will not result in the loss of protection due to the signalThis will not result in the loss of protection due to the signal diversity diversity between sensing equipment. between sensing equipment.

Type 2Type 2Signal diversity may mitigate this type of failure. However, becSignal diversity may mitigate this type of failure. However, because of ause of unique design features of the UFTR, there is no need for ESFAS. unique design features of the UFTR, there is no need for ESFAS.

Type 3Type 3Signal diversity may mitigate this type of failure. However, becSignal diversity may mitigate this type of failure. However, because of ause of unique design features of the UFTR, there is no need for ESFAS.unique design features of the UFTR, there is no need for ESFAS.

Software CCFSoftware CCFExistence of the MRS, and the diversities between the TXS and TExistence of the MRS, and the diversities between the TXS and T--3000 3000 blocks are adequate for preventing a SWCCF across the protectionblocks are adequate for preventing a SWCCF across the protectionsystem. In addition, loss of all protective functions does not csystem. In addition, loss of all protective functions does not cause any ause any fuel failure and therefore no possibility of uncontrolled releasfuel failure and therefore no possibility of uncontrolled release of e of radioactivity. radioactivity.

6464

Concluding Remarks on D3Concluding Remarks on D3

The proposed system exhibits adequate D3 to address The proposed system exhibits adequate D3 to address all reasonable vulnerabilities to system failure. all reasonable vulnerabilities to system failure. Vulnerability to CCF is adequately addressed by the Vulnerability to CCF is adequately addressed by the proposed strategy primarily because of the design proposed strategy primarily because of the design diversity that exists between the analog and digital diversity that exists between the analog and digital means for initiating RTS. means for initiating RTS.

The TXS system will also have improved reliability due to The TXS system will also have improved reliability due to extensive signal diversity and possible redundancy of extensive signal diversity and possible redundancy of inputs. inputs.

As a final note, the analysis found that no failure of As a final note, the analysis found that no failure of equipment or operator action/inaction can result in fuel equipment or operator action/inaction can result in fuel failure and therefore uncontrolled release of radioactivity.failure and therefore uncontrolled release of radioactivity.

Planning & related documentations

The UFTR is using a previously-approved (under NRC evaluation) digital system, with appropriate modifications due to particular

characteristics of the research reactor. According to ISG-6, the UFTR falls under Tier 2 application approach.

6666

List of UFTR DocumentsList of UFTR DocumentsRef: QA1Ref: QA1--QAPP Attachment #4 List of UFTR DocumentsQAPP Attachment #4 List of UFTR Documents

# Document ID UFTR Documents1 UFTR-QAP UFTR QA Program2 UFTR-QAP-01-P Conduct of Quality Assurance

3 UFTR-QA1-QAPP Quality Assurance Project Plan (QAPP)4 UFTR-QA1-01 Software Quality Assurance Plan (SQAP)5 UFTR-QA1-02 Software Configuration Management Plan (SCMP)6 UFTR-QA1-03 Software Verification and Validation Plan (SVVP)8 UFTR-QA1-05 Software Safety Plan (SSP)9 UFTR-QA1-06.1 Software Test Plan –

SIVAT Plan 10 UFTR-QA1-06.2 Factory Acceptance Test (FAT) Plan

11 UFTR-QA1-14 Safety System Design Basis12 UFTR-QA1-100 Functional Requirements Specification (FRS)13 UFTR-QA1-101.1 List of I/Os14 UFTR-QA1-102.3 ID Coding15 UFTR-QA1-103 Diversity and Defense-in-Depth (D3) Analysis16 UFTR-QA1-104 Failure Modes Effect Analysis (FMEA)17 UFTR-QA1-105 TELEPERM XS Cyber Security18 UFTR-QA1-106 Reliability Analysis19 UFTR-QA1-107 Safety Analysis20 UFTR-QA1-108 Requirement Traceability Matrix

Reviewed by AREVA

Draft documents not reviewed

6767

Quality Assurance ProgramQuality Assurance ProgramRef: UFTRRef: UFTR--QAP Quality Assurance Program for UFTRQAP Quality Assurance Program for UFTR

Forward to ANS Quality Assurance Program Requirements for Forward to ANS Quality Assurance Program Requirements for Research Reactors, ANSI/ANSResearch Reactors, ANSI/ANS--15.815.8--1995 (reaffirmed 2005):1995 (reaffirmed 2005):““It must be noted that research reactors have two characteristicsIt must be noted that research reactors have two characteristics

which which affect the type of quality assurance program that should be applaffect the type of quality assurance program that should be applied to ied to them, when compared to power reactors:them, when compared to power reactors:

i) Reliability of most of the components of a research reactor i) Reliability of most of the components of a research reactor does not affect the health and safety of the public since failurdoes not affect the health and safety of the public since failure of e of the component generally shuts the system down and little else the component generally shuts the system down and little else occurs. occurs. ii) A typical research reactor operates on a limited budget withii) A typical research reactor operates on a limited budget with

its its continued existence dependent upon maintaining a lowcontinued existence dependent upon maintaining a low--cost, cost, reliable operation.reliable operation.

Because of these inherent characteristics, the quality assuranceBecause of these inherent characteristics, the quality assurance

program for research reactors is applied primarily to safetyprogram for research reactors is applied primarily to safety--related and related and important items and should be graded appropriately to be economiimportant items and should be graded appropriately to be economically cally feasiblefeasible””. .

6868

Quality Assurance ProgramQuality Assurance ProgramRef: UFTRRef: UFTR--QAP Quality Assurance Program for UFTRQAP Quality Assurance Program for UFTR

Quality Assurance Program Requirements for Research Reactors, Quality Assurance Program Requirements for Research Reactors, ANSI/ANSANSI/ANS--15.815.8--1995 (reaffirmed 2005):1995 (reaffirmed 2005):2.1 Organization2.1 Organization““It is recognized that for most research reactor facilities, the It is recognized that for most research reactor facilities, the organization organization is small, with its personnel performing multiple functions.is small, with its personnel performing multiple functions.””

““(a) quality is achieved and maintained by those who have been (a) quality is achieved and maintained by those who have been assigned responsibility for performing the work;assigned responsibility for performing the work;

(b) quality achievement is verified by persons not directly perf(b) quality achievement is verified by persons not directly performing orming the workthe work””

2.3.3 Design verification2.3.3 Design verification““Design verification shall be performed by competent individuals Design verification shall be performed by competent individuals or or groups other than those who performed the design, but who may begroups other than those who performed the design, but who may be

from from the same organizationthe same organization””..

6969

Verification and Validation (V&V)Verification and Validation (V&V)Ref: Ref: UFTRUFTR--QA1QA1--03, Software Verification and Validation Plan03, Software Verification and Validation Plan

UFTR Digital Control System Upgrade Project - OrganizationUFTR Digital Control System Upgrade Project - Organization

Project ManagerProf. Alireza Haghighat

Project CoordinatorDr. Gabriel Ghita, RS

Lead: Prof. Glenn SjodenCo-lead: Dr. G. Ghita, RSProf. A. HaghighatMatt Marzano, GR Jennifer Musgrave, UG

Lead: Prof. Jim BaciakCo-lead: Brian Shea, RMProf. Mark HarrisonMatt Berglund, SRO Andrew Holcomb, UG

CCB=Configuration Control Board, IV&V=Independent Verification &

Validation, GR=Graduate Student, MS=Master in Science, QA=Quality Assurance, RS=Research Scientist, RM=Reactor Manager,

SRO=Senior Reactor Operator, UG=Undergraduate Student

Lead: Prof. A. HaghighatDr. Gabriel Ghita, RSProf. James BaciakDaniel Lago, UGSteven Brown, UG

Auditor:Dr. William Van Dyke

CCB:Prof. A. HaghighatDr. G. Ghita, RSProf. Glenn SjodenProf. James BaciakBrian Shea, RM

Lead:Prof. Edward Dugan

Prof. Mark Harrison Prof. DuWayne Schubring George Fekete. UG

QA Management IV&V

Hardware & InstallationSoftware DevelopmentSystem Design & Analysis

Based on our organization size and limited resources, we have seBased on our organization size and limited resources, we have selected the third lected the third (i.e., Internal IV&V) form of independence as described in (i.e., Internal IV&V) form of independence as described in IEEEIEEE--10121012--19981998. In this . In this form of independence, the development and IV&V personnel are froform of independence, the development and IV&V personnel are from the same m the same organization.organization.In our project, the IV&V personnel are not involved in the develIn our project, the IV&V personnel are not involved in the development, they have opment, they have managerial independence, and the major portion of their budget imanagerial independence, and the major portion of their budget is independent of s independent of the developerthe developer’’s budgets budget..

1.1.

Independence of the V&V organization (Independence of the V&V organization (management, schedule, and finance)management, schedule, and finance)

7070

2. The number of the V&V personnelQuality Assurance Program Requirements for Research Reactors, Quality Assurance Program Requirements for Research Reactors,

ANSI/ANSANSI/ANS--15.815.8--1995 (reaffirmed 2005):1995 (reaffirmed 2005):2.1 Organization2.1 Organization

““It is recognized that for most research reactor facilities, the It is recognized that for most research reactor facilities, the organization is organization is small, with its personnel performing multiple functions.small, with its personnel performing multiple functions.””

Verification and ValidationVerification and ValidationRef: Ref: UFTRUFTR--QA1QA1--03, Software Verification and Validation Plan03, Software Verification and Validation Plan

3.

The results of the V&V effort are to be fully and carefully documented, and that each of the discrepancies be documented in a report that includes how they were resolved, tested, and accepted by the V&V

organization.

4. Software Integrity Level (SIL)The unique safety features of the UFTR allow the use of the V&V software integrity level 1 as described in IEEE 1012-1998. Following table provides the required tasks for different SI levels.

7575

TXS Equipment changesTXS Equipment changes

The new generation of the TXS equipment The new generation of the TXS equipment is very similar to the previous generation.is very similar to the previous generation.

SVE2 processor has not changedSVE2 processor has not changedAnalog and digital I/O modules have the same Analog and digital I/O modules have the same functionality and they will be used in functionality and they will be used in compatibility modecompatibility modeCommunication lines have improved and Communication lines have improved and have larger data throughputhave larger data throughputQDS, SU, and GW are the same as previous QDS, SU, and GW are the same as previous generationgeneration

Discussion on the two-train option

The proposed UFTR protection and control system includes three main components:

TXS digital protection systemT-3000 digital system for monitoring and indication, and controlManual Reactor Scram (MRS) system which is invoked by the operator for initiating of RTS

Similar to the current UFTR license, we intend to apply for a one-train safety system. This train, however, includes various signals (from NIs

and sensors) which

provide an added benefit of signal diversity. (The old system includes only NIs

with no diversity.)

We are exploring the possibility of adding a redundant train for the purpose of testing and training of hardware and software

7777

Proposed ScheduleDate Task Phase

Sept 2008 –

Oct 2009 Preparation of QA and planning documentations Preliminary design

and analysis; Training of personnel on TXS and T-3000 systems; Design,

analysis and manufacturing of a new piping system

Oct. 16, 2009 Presentation of the preliminary design and analysis and related documentations to the NRC

0

Oct 16 –

Dec. 2009 NRC decision on the proposed design and planning; Installation of the new piping system, testing and analysis of the system; Initiate installation of

new Nuclear Instrumentations (NIs) and sensors

January 2010 Submittal of preliminary documentations to the NRC 1

Jan –

March 2010 Review and preparation of Request for Additional Information (RAI) by the NRC; Installation and testing of NIs

and sensors

March –June 2010 Resolution of the NRC RAIs; Installation, testing and benchmarking of NIs

and sensors

July 2010 Completion and submittal of documentations for the detailed design 2

July –

Sept 2010 Review and preparation of RAIs

by the NRC; Initiate preparation of training documentations

Sept –

Dec 2010 Resolution of the NRC RAIs, Initiate Manufacturing

Jan –March 2011 Manufacturing

March -

April 2011 Factory Testing

April –

May 2011 Installation

May –

June 2011 Integration testing and preparation of final documentations on FAT, post-

installation, operations and training

3