*
4
..
.
wa
;
'
I OFI
ORNL P.
3249

:
!! INI
17
*
.
.
.
1
:
EEEFEEFT
1.25 1.4 1.16
***
MICROCOPY RESOLUTION TEST CHART
NATIONAL BUREAU OF STANDARDS – 1963

mere
***
*
*
*
*
****
*
*
*
*
*
**
*****
*
**
*
*
*
*
*
..
.
-
-
.
rt
.--
W
ORNUP 3249.
Conf-670713.-4
AUG 25 1967
OPERATING EXPERIENCE WITH THE HFIR PROTECTION SYSTEM
I
24
A..E. G. Bates
E. P. Epler
b. C. Oakes
CYSTI PRICES
Oak Ridge National laboratory
Oak Ridge, Tennessee
1.
.
of
.
1
"
H.C. $3.00, MN, 65
General
The High Flux Isotope Reactor? operates at 100 Mw producing transuranium elements
.
and various isotopes. The core flux is 2 x 1015 nv minimum, and xenon and samarium poison-
. ing are unusually severe. The cylindrical core, 2 ft long and 17 in. OD consists of two
concentric fuel sections. Control elements are two 1/4 in. wall cylinders placed between
the core and its beryllium reflector. The inner cylinder has shim and regulating functions
and is withdrawn downward to add reactivity. The outer cylinder is divided into four
separately positioned quadrants, or plates, that have shim-safety functions and are withdrawn
upward to add reactivity. The poison is nonuniformly distributed along the length of the
control elements such that they are blackest (most absorbant) to neutrons when fully inserted
and become less black as withdrawn. With this arrangement, and assuming that the control
elements are withdrawn symmetrielly (inner cylinder downward and the outer plates upward),..
the power distribution about the horizontal midplane of the reactor is symmetrical. The fuel
STAN
is fully enriched oxide and the core life is 3 weeks. The concentrations of xenon and samarium
.
poisons are such that, during the last week of core life, should the reactor scram, the
probability is very high that it cannot be restarted. Since fuel addition is not possible with
-.:
.
ANNA
.
si
the two piece core, failure to restart would result in the loss of the remaining core life.
S
'Research sponsored by the U. S. Atomic Energy Commission under contract with
the Union Carbide Corporation.
T
hat.
TE
.
27. T. Binford and E. N. Cramer, The High Flux Isotope Reactor, ORNL-3572,
Vol. 1 (May 1964).
LEGAL NOTICE
.
This report mo prepared as an account of Government sponsored work. Neither the United
States, por the Commission, nor any person acting on behalf of the Commission:
A. Makes uy warranty or representation, expressed or implied, with respect to the accu-
racy, completeness, or usefulness of the informantion contained in this roport, or that the uso
of Lay Informaton, apparatus, method, or process disclosed in the report may not infringe
privately owned righto; or
B. Assumes any liabilities with respect to the use of, or for damagos resulting from the
use of any information, apparatus, method, or process disclosed in this report.
As used in the above, "person acting on behalf of the Commission': includen any em-
ployoo or contractor of the Commission, or employee of such contractor, to the extent that
such employoo or contractor of the Commission, or employee of such contractor preparos,
! disseminates, or provides acceso any information pursuant to his omployment or contract
con with the Commission, or his employment with such contractor.
BUTION OF THIS DOCUMENT IS UNLIM
pt
Contributing to the high performance of the HFIR is its relatively short turn-around time.
It is possible to shut the reactor down, refuel it, and return it to power in approximately
6 hr. In practice, however, refuelling is usually delayed for 6 to 10 hr following shutdown
to allow some reduction in the after-heat generation rate while the core is still being force
cooled. Even so, handling must be done with great care, since a core section inadvertently
filted or turned on its side may lose its convection cooling and start to melt if not righted
promptly.
Requirements of the Reactor Protection System
Customarily the primary requirement of the protection system is to permit routine,
interference-free operation of the protected reactor at its design power and, at the same
time, to prevent operation under conditions that could lead to core damage or destruction.
In the HFIR these conditions are appreciably more stringent than in other ORNL designed
reactors; for example, the HFIR operates at levels relatively close to burn-out. To permit
such operation the protection system must be unusually stable, trouble and maintenance free.
Further, the system response must be made quite short (15 msec nominally, including magnet
and latch release delays) to protect against optimum voids. Because the turn-around time
is so short it would be highly desirable if both the protection and the operation (reactor
control) systems could be maintained on-line.
Design Objectives
The design objectives, simply stated, were to develop a protection system capable
of preventing nucleate boiling in the core for all foreseeable credible accidents involving
either the heat generating or heat removal systems. Because of the complexity of the system,
continuous automatic monitoring for the detection of unsafe failures, a feature of the
"1-of-n" arrangement that has beer. standard at ORNL for many years, is impractical
and a testable coincidence system is ust. I instead. The testing frequency, once per day,
was selected to ensure that the protection system would be inoperative due to random com-
ponent failures no more than 1 hr per year. Since this number is based on the assumption
that random component failures affect only the channel in which they occur, a design
objective was to isolale individual protection channels from each other and from the operation
system. The number also assumes that the design of the operation system ke such that it
yields no more than one excursion for 10 years of operation, an easily ret objective.
Another objectiva was to design out all systematic failures. The time and effort to
be applied in such endeavors is heavily influenced by economic and other factors and continues
only until an acceptable level of freedom is believed to have been reached. Assuming the
reactor does run until shut down due to obsolescence, only thereafter will it be possible
to evaluate the degree of success achieved.
Features of the HFIR Protection System
The protection system consists of three independent channels of instrumentation (one
of which is shown in detail in Fig. 1) connected to scram in two-of-three general coincidence.
.
Each channel has seven inputs: five are direct from sensors and two, flux-to-flow and heat-
power, are calculated from information from four sensors. Further, the flux signal (power)
in each channel is automatically and continuously corrected to heat-power, to coinpensa te
for changes in shading of the ion chambers by the control plates as they are withdrawn
during the life of a core, and for after-heat conditions following rapid power reductions.
Testing for unsafe failures is performed routinely and on schedule by the reactor operators
by means of push buttons on the reactor control console.
L. C. Oakes, A Second Generation of Reactor Control Systems as Applied to the
High Flux Isotope Reactor, ORNL-TM-1259, (Sept. 1965). -

WCA
TC
Fig. 1
FTC
40290
haltimilor
CA
SM
-
Block Diagram of One Channel
HFIR Protection System
Nearly all maintenance of the reactor protection and operation system equipment is
performed on-line also. All the elect:onic equipment and the associated test, indicating
and recording instruments are assembled into three netal cabinets. Each cabinet contains
one channel of the protection system and one start-up and one regulating channel of the
operation system. Electrical and physical separation are provided; there aru individual
battery and charger supplies for the loads in each cabinet.
Maintenance, testing and adjusting of equipment within a cabinet are performed freely
without fear of inadvertently tripping another channel or interfering with its normal functioning.
Neither reactor protection nor operation is impaired by taking any or all the equipment in
..
one cabinet out of service.
Computer-like construction practices are followed in the design and fabrication of the
electronic equipment. The different channels are assembled from a variety of plug-in modules,
each containing discrete solid-state subcircuits. Identical fast-trip comparator and operational
amplifier modules, for example, form parts of most subsysterns.
On-Line Testing Methods in the HFIR
The major problem with testing as a procedure for finding unsafe failures is that, to be
.
.
conclusive, the whole channel, sensor through final actuator, must be tested simultaneously.
To a purist, a flux channel, for example, would be considered to be acceptable only if,
on raising the flux at the chamber to the trip level, the safety rods actually scrammed. Since
the object of building reactors is to operate them and not to be test beds for protection systems,
the purist's method is impractical.
In the HFIR system on-line testing does not include the safety plates and their latch
.
mechanisms. The latches are part of the drive assembly, and their reliability was established
during the proving phase of the drive development program. In practice, the latches, safety ";
PF.
n
agu
be
My
plates and drives are tested each shutdown although this is much more often than necessary
in light of their demonstrated long mean time to failure. These tests include checking the
overall response time of the channels and the latch mechanisms and the time-of-flight of
the safety plates. Typical values are 290 msec overall for time-of-flight including all
delays, sensor through latch mechanism, and 10 msec for response time including release
of the latch electromagnet. Safety plates start moving in approximately 5 msec following
magnet release, and under an initial acceleration of 4 x g imparted by compressed springs.
The three protection channels are entirely independent of each other up to the four
safety-plate latch mechanisms and it is within the electromagnets of the latches that coincidence
is effected. Each of those magnets has three independent windings, one under control of each
protection channel, and as long as any two or all three windings of a magnat are energized,
the associated latch is held closed. With this arrangement the complete electrical part of
the protection system can be tested simply by tripping and clearing each channel in sequence
and without actually releasing a safety plate. Ammeters, in the individual latch magnet-coil
circuits indicate tripped or operate conditions depending on whether or not they show zero
or normal current. Trips are also indicated, but less directly, by pilot lights controlled by
the various trip memories.
The remaining problems are those of finding ways of testing the individual sensors. The
sensors furnish the test signals to the other parts of the subchannels (see Fig. 1) and a
channel trip is evidence of proper operation.
Testing the faulty-fuel-element detector is relatively simple. The subchannel is set
up in such a way that with its ion chamber exposed to the radiation normally present when
the reactor is at full power the channel is tripped. A shield is then interposed between
the source and the chamber to reduce the radiation level at the sensor to approximately half
op.ro
the actual level (an amount far enough below trip level to permit the usual variations in
the day-to-day level without causing spurious trips).
The shield is rotated out of the
operating position by a motor powered drive, controlled from the reactor conscle, to trip
the channel and back to its original position to return conditions to normal so the operator
may clear the trip.
The arrangement for testing the primary cooling system low pressure subchannel is
also simple and direct. The pressure transducer is connected to the primary system through
an orifice. Tapped off between the orifice and the transducer is a valve which when opened
allows water from the primary system to flow through the orifice thus developing a pressure
drop across it. The various parts (valve, orifice and piping) are sized so that the pressure
at the transducer goes low enough to trip the channel when the valve is open. To be sure
that the test valve recloses completely, the operator compares the readings of the proper
pressure indicator in the control room, before and after testing. In the worst case, a valve
leak causes a trip that cannot be cleared in the normal manner.
The reactor coolant inlet temperature subchannels are tested by spraying hot water
directly on the sheaths of the individual resistance bulbs. (These subchannels also supply
temperature inforriation to the AT network of the heat-power subchannels). The hot water :
nozzles work best, it seems, when located downstream from the temperature elements,
which is where they should be to avoid disturbing the normal pattern of water flow over
the sheaths.
Reactor heat-power is calculated automatically and continuously from coolant flow and
AT information. The AT signal is generated in a network from reactor coolant inlet and
outlet temperature information. Of these three, flow, inlet, and outlet temperature, only..
.
Sv
-
the signal from the last one changes directly with reactor power. The heat-power subchannel:
trip is tested, therefore, by testing the coolant outlet temperature sensor. It is tested in
the same way as the inlet temperature sensor.
The coolant water low-low-flow trip test cannot include the flow sensor, a venturi.
The rata of flow of coolant in the system cannot be reduced appreciably while the reactor
S-
is at power, for obvious reasons, and bypassing the water around the sensor to simulate a
low flow is impractical. Fortunately the venturi, historically, has been a reliable and
trouble-free device and there is little need to retest it routinely.
The HFIR coolant venturi is special in that it is fitted with three sets of piezometer
rings, one for each protection channel. Since there is no detectable coupling or interaction
between the pressure signals from the three sets of piezometer rings the independence of the
three protection channels is preserved.
A differential pressure fransducer (DP cell) converts the pressure drop across the venturi
into a flow-proportional signal. Near the DP cell the pressure lines from the piezometer
rings are connected together by a spring-closed solenoid-operated valve. To test the low-low-
flow trip the valve is opened, reducing the pressure differential across the cell to the trip
value. The test valve and instrument lines are sized to suit the pressures developed by the
venturi at the full reactor power flow rate. As in the case of the pressure check the operator
can determine that the test valve closed properly by comparing the indicated flow rates
before and after the test.
Within the operating range of the HFIR, the permissible power level is a function of
cooling rate. The ratio of flux-to-flow is selected rather than flux alone for the flux-related
trip. A special ion chamber, having one operating and one stand-by section, makes testing
of the flux portion of the subchannel possible. The stand-by section, having approximately
half the sensitivity of the operating section, is paralleled with the operating section for the
test, and this increases the chamber current to the trip level, assuming that the reactor is
.
at full power. The flow portion of the flux-to-flow subchannel, is checked in the same manner;
as the low-low-flow subchannel.
Under steady-state operating conditions, there is no flow of water through the instru-
ment tops and only a slight displacement occurs when the reactor coolant flow rate changes
from minimum to maximum or back to minimum. There is flow, however, during the time
either DP cell bypass-valve is open to make a subchannel test and undesirable interaction
occurs between cells if the hardware is installed as described previously. Isolation is
effected by adding a small restriction between one instrument tap and each DP celi. The
restrictions are sized such that the flow through them, while a test is in progress, is too
small to cause any appreciable pressure drop in the lines back to the venturi and therefore too
small to effect the flow indication of the DP cell not under test.
The last of the protection system trips is rate-of-rise of flux. This test is run at power
also and is performed by connecting a current source to the flux chamber signal lead. The
resulting ramp-shaped signal is equivalent, as far as the tiux amplifier is concerned, to that
caused by a reactor power increase of slightly more than 20 Mw/sec.
Operating Experience
The HFIk has been in operation, to date and at sensible power, for 19 months; the last
11 months were at full power. During the 11 months of operation at full power, there were
three reactor scrams: two were due to human error and one was due to equipment malfunction.
Of the first two, one was caused by inadvertent operation of the scram switch on the consolė,
and the other resulted from cooling system temperature transients caused by not following
procedures for raising reactor power following a short electric power outage.
The scram due to equipment failure is an example of a class of scrams to which a two-of-
three coir.cidence system is vulnerable during on-line testing; that is, while one channel is
tripped during testing, a spurious trip occurs in a second channel. This time both trips
happened to be from coolant inlet temperature subchannels. Water is distributed through an :
individual line, containing a spring-closed solenoid valve, from a heater to each temperature-
sensor spray nozzle. Normally the pressure in the hot water system is the same as in the
.
primary loop; however, when a temperature test is made, the pressure in the hot water
system is increased at the same time the selected sensor spray valve is opened. On this
occasion one spray valve apparently had not closed following a test and when another inlet
water subchannel was checked, trips resulted in both channels. Although the design
and application of valves is "old art" it is surprisingly difficult to find any that work well
in a number of apparently ordinary applications one of which is in the HFIR hot water spray
system.
In addition to the three scrams a single shim-safety plate dropped one time following
completion of a channel test routine, and shortly after the reactor first began operating at
full power. The cause of the drop has not been found but there had been no repeats as of
July 1967.
The number of scrams and cross-channel trips occurring during the shake down period,
occurring between the time the reactor reached sensible power in January 1966 and full
power in September that year, are given in Table 1. During this period
Table 1 Scrams and Cross-Channel Trips Jan. -Sezit. 1966
Period
Scrams
Cross-Channel Trips
Jan. - March
April - June
:
5
July - Aug.
channel trips were set at levels related to the actual operating power rather than to full
power. Although the scrams were real as far as the instruments were concerned, they were
caused by transient temperature conditions during flow tests, pump run-downs following
loss of electric power, and rapid returns to former operating leveia iollowing restoration
of power. The sequence of restarting pumps, pressurizers and fans, and the adjustment of
flow control valves could be determined only by actual operating tests. Once these sequences
were established, the operators were trained in the proper procedures.
A cross-channel trip is a scram, but is due to malfunctioning of subchannels of the
protection system. In one or both of the channels the trip is spurious, and most frequently,
according to HFIR records, the subchannels causing the trips were monitoring different
variables.
Most of the 11 cross-channel trips occurring during shake down were caused by noise
in the faulty-fuel-element detector subchannel and the leaking hot water valves in the
temperature test system. The sensitivity to noise was corrected and the valve problem was
described previously. Of the other trips, one was due to human error, that is, testing a
channel before checking that one of the others was not already tripped. A variation of this
type of error, testing a channel, pressing a "clear" button belonging to a different channel
thus leaving the first channel tripped, and then scraming the reactor by test tripping a.
second channel, has been expected but so far it has been avoided. Another trip was of
unknown origin because the memory lights did not come on; and two more were the result
of unexplained spurious signals occurring in one channel while another was being checked.
The "general" coincidence logic arrangement was selected for the HFIR in preference
to "local" coincidence. In general coincidence, one subchannel associated with each
plant variable supplies a signal to an "OR" unit. A coincidence of two signals from the
"OR" units will initiate protective action. Also a coincidence of a flux subchannel signal
to one "OR" unit and a temperature subchannel signal to another "OR" unit will initiate
an unwanted protective action. In local coincidence each of the subchannels associated with
a given plant variable supplies a signal to a coincidence unit.. Each coincidence unit, in turn;
supplies a signal to an "OR" unit. The "OR" unit produces a protection system signal.
Thus, a coincidence of signals from two temperature channels will initiate protective
he
to
action but one temperature signal plus one flux signal will not initiate unwanted action.
The general coincidence arrangement was chosen because of its simplicity and because
with
it affords more complete channel isolation. More importantly it makes possible a complete
channel test from sensor to the latch magnet coil and without the necessity of switching
out or blocking portions of the system to test.
Some concern has been expressed that the use of general coincidence would result in
mas iniciatori na teren de contra incendiatimes the leader internetseiten und in der nur in moment in the first
too many unwanted scrams. Inasmuch as no scrams have occurred to date attributable to
the use of general coincidence it is an entirely satisfactory choice.
e
mo
de wereld
So far no unsafe failures have been discovered during routine testing of channels. A
in
number of modules have been suspected of being near failure or, at least, of giving marginal
performance. One or two types of transistors were replaced with improved, more recently
developed varieties. In the operational amplifiers, unstable and marginal operation and
a rash of difficulties with mechanical choppers were apparently related to each other because
these difficulties disappeared when the chopper excitation was changed from square wave
to sine wave ac. The square wave excitation had shortened the contact dwell time during
voltage reversal and apparently had affected the stability of some of the amplifier circuits.
Three flurries of single-channel trips were corrected: one was related to the chopper
excitation just discussed, another was due, first, to inadvertent wetting of the faulty-fuel-
element detector and cables and, following that, to attempts to heat dry them, and one was
due to a loose terminal in a dc feed line to an instrument cabinet. Connector pins were
UEVO
*
misplaced on occasion when modules were not replaced properly and the resulting poor
...
.
.. -
contacts were responsible for some intermittent tripping and clearing of single channels.
AL
N
PE
A
.
N
.
--
........................
.....
........
21
.
.
. .
.
.
. . .142
.
.
. .
.)
13
Routine tests of the safety-latch release time and plate time-of-flight show no trends
away from the design values. Overall response time, including release of the magnet
armature, is 10 + 2 msec, and the plate is in motion 5 msec later.
There was some concern that the instrument technicians would find it difficult to
change their thinking and trouble-shooting techniques from all vacuum tube one-of-three
protection systems to the all-solid-state, two-of-three coincidence system of the HFIR. Ir
MY
nto
e
additi:n to being all solid state, the new hardware contains circuitry that is entirely
m
different from that in the vacuum tube systems, and new devices such as chopper stabilized
mo
.
..
operational amplifiers, trip compara tors, and OR gates. To fit the group of technicians for
the new work they wern given formal training in transistor fundamentals, circuitry and
handling techniques, following which they were familiarized with the HFIR system and
were disse time but do not wanted to the
maintenance procedures. Further, numerous push buttons, test points and indicating instru-
ments were built into the modules and bins which, when used according to written procedures,
ert with
traini
make the locating of defective modules simple enough that, as it has been demonstrated, it
vetru
can be done by the reactor operators. Finally, one of the technicians was trained very
on location discovered
thoroughly in system and detailed module maintenance. He was assigned, full time, to the
omissio
designers to perform equipment acceptance tests, repair defective modules and assist
testen nie
in the installation and shakedown of the equipment. He, in turn, passes his specialized
knowledge on to the other technicians as the occasions arise.
mention to base la
Transistors, as a whole, have been relatively trouble free. Two or three types were
replaced by others of more recent design and more suitable characteristics. Field effect
ihmistente consentire il el other or not
1S
transistors (FETs) require special treatment after installation in equipment, as well as before.
One of the ways in which an input FET could be damaged was discovered in the design stage,
VA
and preventive measures were adopted. When a reactor or failed-fuel-element detector
meios content to
s
4.
entre
flux amplifier is removed from its bin the chamber signal circuit is opened. Chamber
current continues to flow, however, charging the cable and chamber capacitance. When
an amplifier is installed in the bin in question part of energy stored in the cable is dissipated;
in the input FET, frequently destroying it. The protective device added to each amplifier
. is a push button that is connected between the signal lead and ground. This button is held
in its depressed position, when an amplifier is being installed, until after it has been
plugged into its bin receptacle thus discharging the energy directly to ground rather than
through the FET.
The flux amplifier FETs are subject to damage from various other sources; electrical noise
picked up by the chamber or signal cable may cause spikes large enough to puncture them;
the chamber currents may be large enough under accident conditions to damage and or
overload the FETs, and leakage between the high voltage and signal electrodes of the ion
chambers may also produce the same results. To prevent such failures a protective circuit
has recently been added to each of the chamber umplifiers. it consists of three components:
two low-leakage silicon diodes, one wired.cathode to FET gate and anode to ground, and
the other in the opposite way; and one low-valued resistor inserted between the FET gate
..
and the input signal connector. The diode conduction voltage is too high to interfere with
signals significantly larger than normal but is low enough to protect the FETs. The series
resistor is sized to limit the diode current should the chamber high voltage be applied to
the signal circuit inadvertently or through equipment failure.
Other dividends accrue from performing maintenance on-line than from the conservation of
down-time. For example, mistakes, made during maintenance or installed in modules
inadvertently while making repairs or under the guise of improvements, become apparent
.
immediately or at the latest during channel check-out and can be corrected before another
15
channel is taken out of service. An unexpected dividend results from performing all the
maintenance during regular day shifts. The work is done by assigned personnel, technical
assistance and supervision is on hand and nothing need be given "a lick and a promise" or
deferred to the next shutdown just to meet a start-up dead line. Safety is enhanced in
both instances.
Conclusions
The ORNL second generation of reactor protection systems has been applied successfully
to the HFIR. Testing for unsafe component failures, routine maintenance and most repair
work to the system are all done routinely while the reactor is at power. On-line maintenance
has advantages over off-line mainter.ance in addition to conservation of down-time, and tends
to enhance safety. Well designed systems employing general coincidence logic and having
at least as many as seven inputs, probably will contribute less than one spurious scram per
year. Although the HFIR is a production reactor, the techniques and hardware arrangements
employed in the design of its protection system have resulted in high system reliability and
thus may be of general interest.
i
.
.
171
END

DATE FILMED
10 / 9 /67








..-
O
.
PO
*
*
R