ORNL-P-3011
Conf-670314-3

OPERATING EXPERIENCE WITH SYSTEMS DESIGNED FOR MANEUVERABILITY AND HIGH AVAILABILITY¹

E. P. Epler
Oak Ridge National Laboratory
Oak Ridge, Tennessee

The requirement of maneuverability and availability in high performance reactors led to the development of a second generation of reactor control and protective systems at ORNL. These systems, designed for general application, have been installed in the MSRE, a high temperature molten salt reactor; the Aberdeen Pulse Reactor, a fast burst reactor; and in the HFIR, a 100 Mw(t) high flux production reactor. The systems applied to the HFIR consist of three wide-range startup channels, three regulating channels, and a protective system consisting of three safety channels. All employ solid-state components and are modular in construction. Experience has been gained with this equipment during low power operation, which began a year ago, and full power operation over the past six months.

When development was started on these systems several years ago, there was nothing obtainable at that time which showed promise of satisfying the needs of high performance reactors. Equipment then obtainable has since been installed in power reactors and these have experienced unaccountably low availability; a recent Holmes and Narver study reports that, for the five reactors examined, an average of 10 scrams occurred per year: approximately half were spurious, and half resulted from having exceeded preset limits. These systems have solid-state components and two-out-of-three logic. In some cases two-out-of-two logic has been resorted to in an effort to improve availability.

¹Research sponsored by the U. S. Atomic Energy Commission under contract with the Union Carbide Corporation.
²L. C. Oakes, "A Second Generation of Reactor Control Systems as Applied to the High Flux Isotope Reactor," 7th Tripartite Conference, May 24-28, 1965, Bournemouth, England.
³B. J. Garrick, W. C. Gekler, and H. P. Pomrehn, "Are Plant Engineered Safeguards Reliable," Nucleonics 25 (1), 45-49 (Jan. 1967).

The first generation of ORNL reactor control and safety systems was also considered to be inadequate for high performance applications even though the past performance of these systems had been excellent. A first-generation system installed at the ORR has contributed to the very high availability of that reactor where over the past seven years less than one scram per year occurred which could be attributed to this system. This performance record is contrary to generally held beliefs regarding this class of equipment in that the system has fast response (less than 15 msec to first movement of safety rods), uses one-out-of-three logic, and is constructed of thermionic glassware.

This performance, though adequate for the ORR, would be inadequate for the HFIR where each channel of the protective system must be able to compute flux-to-flow ratio, as well as heat power. The gain of the flux amplifier is reset, by means of a servo driven potentiometer, to bring indicated flux into agreement with heat power. On a fast power reduction from 100 to 10 Mw, the afterheat at the lower level must be computed so that the reset flux-to-flow ratio will be meaningful. Because these systems are so complex and have a large number of many different types of components, the means of testing as employed on first-generation systems to determine their reliability would be inadequate.

Although the performance of the ORR control and protective systems is excellent, availability is impaired by, on the average, four power outages per year which require reactor shutdown.
In some cases the core must be partially reloaded to override fission product poisoning. This would be costly for the HFIR because a core costs almost $100,000 and has a life of three weeks. During the second week following a scram, the probability of Xe poisoning would be high. During the third week the probability of Sm poisoning would be high and such poisoning would result in loss of remaining core life, inasmuch as the one-piece core cannot be partially reloaded. The HFIR system has therefore been designed for high maneuverability with fast automatic restart following a scram and fast reduction of power from 100 to 10 Mw in 10 sec, following a power outage and loss of coolant flow.

The three wide-range channels control the automatic start from source range to 10 Mw. From 10 to 100 Mw the power is controlled by programming the three servo channels. The multiple servo system was designed with two objectives: (1) high availability in that the reactor would continue to be maneuverable if one servo channel should fail; and (2) high maneuverability on electric power outage. The three servos each receive independent signals of flux-to-flow ratio with flux reset to agree with computed heat power and with correction for afterheat. The output shafts of the three channels drive a single rod through a velocity adder, in this case a differential gear arrangement, such that the rod is driven at the average velocity of the three servo motors. Should one channel fail, the other two channels will drive their motors so as to cancel the effect of the failed channel without a noticeable perturbation of reactor power level.

If electric power failure should occur, the flux regulating system would sense a reduction in flow after a 300-msec delay and would insert the regulating rod to maintain the required flux-to-flow ratio. The limited capacity of the regulating rod would soon be exhausted, and assistance from the shim safety rods would be required.
In the absence of electric power to drive the shim rods, air motors would function. These motors, one for each shim rod, are primarily for fast rundown of the rod drive for fast recovery following a scram; they operate only in the insert direction at approximately ten times normal rod speed. In approximately 10 sec after power failure, the reactor is at 10 Mw and still under servo control. Coolant is supplied for 10-Mw operation by the three main coolant pumps; each pump is independently driven by a series dc motor with its own storage battery. The series motors are rated at 1/10 normal pump speed, and require 1/100 of full power to supply 10% flow. No switching is required, and these systems are monitored continuously. To date no malfunction has occurred.

The pump coast down has functioned smoothly; however, many difficulties were encountered in maintaining power at 10 Mw and in successfully restarting coolant flow, maintaining system pressure and in starting the main pumps which produced a hot slug if started too soon or a cold slug if started too late. After several attempts to restart the pumps had resulted in scrams, additional computer studies of transient conditions were made. Successful programming was finally achieved at the beginning of the first 100-Mw run.

We are impressed that a large power reactor which must continue to operate in spite of transients in load or coolant will require that careful attention be given to all systems which might be involved. We are also impressed at the improbability of successful operation of engineered safeguards which must work successfully on the first try.

On-line testing is provided for each of the seven inputs to the protective system. This testing is simplified by the logic element which consists of a three-coil magnet applied to each shim safety rod.
One coil when energized contributes negligible force; two coils are sufficient to supply approximately 175% of the required holding force, and the third coil when energized simply saturates the entire magnetic structure and contributes no appreciable additional force. The seven inputs to each of three channels are connected through OR gates to reduce to zero the current in one coil in each magnet to effect a channel trip. On-line testing is performed by perturbing the sensor for each input and observing that the current for one coil in each magnet is reduced to zero. As an example, the temperature channels are perturbed by directing a stream of hot water on the sensing element, the operation being conducted by the operator by means of push buttons located on the console. Although this particular system performs satisfactorily, a simpler and less costly system will be sought for the next application.
Tests of the seven inputs to each of the three channels once per shift for a period of a year add up to approximately 20,000 tests. During six months of 100 Mw operation no scrams resulted from spurious trips during testing. The logic arrangement is that of general coincidence, i.e., a temperature trip on one channel coincident with a flux trip on another channel will produce a scram. Some doubt was expressed that such a system would be operable because of spurious trips, especially during testing. It is gratifying that no such scrams occurred; in fact only two scrams occurred during six months at full power, both of which were due to operating errors. One was caused by improper sequencing following recovery from a power outage, and the other by inadvertent actuation of the manual scram switch.

It is somewhat surprising that in 20,000 tests during the first year of operation, even though there is a very large number of components in the protective system, no failure to danger had been detected. The system was designed on the assumption that one failure per channel would occur per year. Since we had no experience with failure rates for this class of equipment, we set the test interval at one day on the pessimistic assumption that there would be four failures per channel per year. The once-per-shift testing rate was established simply to gain experience with on-line testing. Experience to date indicates that even one failure per channel per year was pessimistic and that the interval between tests, should testing become impossible or likely to produce a scram, could be extended, if needed, to three to four days without lessening the specified reliability.

Spurious trips have also been surprisingly few. The cause of several trips was traced to operational amplifiers whose choppers were square-wave driven; those sine-wave-driven were satisfactory. After this difficulty was corrected one spurious trip occurred in the past three months.
The number of spurious trips is expected to become smaller until it equals the ORR experience of less than one trip per year.

During the shakedown period we learned that many changes and calibrations could be performed on-line with small risk of producing a scram. This is possible because of the physical and functional isolation of the three protective channels, which physically come together only in the rod magnet. This physical separation is further enhanced by the simple symmetry of the system wherein one enclosure contained one startup channel, one regulating channel, and one protective channel. It became evident that one third of the entire system could be de-energized or not as desired for maintenance or calibration. Since the HFIR core can be replaced in 4 to 6 hours, it is desirable to reduce downtime for calibration and maintenance to a minimum. This calibration and maintenance is increasingly being performed on-line during the first two days of core life when a scram would be of minimum importance. An additional advantage is that the effects of a maintenance error are confined to a single channel with the reactor at rated power. This is an attractive safety advantage when contrasted with an error found in three channels during startup.

The wide-range channel, although only recently fully assembled with solid-state components, has been under development over a longer period than the remainder of the system. In 1946 W. H. Jordan and P. R. Bell at ORNL developed the A1 linear amplifier for general laboratory use. It was quite natural, therefore, that a fission counter and A1 amplifier were chosen as a source-range startup instrument. In the very early applications of source range instrumentation to water reactors several alternatives were available to cover an acceptable wide range.
One could install a very large source, accept a low count rate at startup, accept a blind restart in recovering from a scram, or move the fission counter as required to satisfy all conditions. Mechanical drives were developed to withdraw the counter through holes in concrete shielding, with a graphite block attached to the counter as a neutron scattering device. Withdrawal in water was simpler, and additionally, water provided an almost perfect exponential attenuation with respect to distance from the core.

In 1953 a high-temperature fission counter was developed for the Aircraft Reactor Experiment, a high-temperature molten-salt reactor. It was intended that the chamber be located at the center of the core at startup where the temperature would be 1500°F. However at such temperatures the insulators emitted spurious pulses; it was necessary to cool the environment to 750°F. Since the counter was movable and was withdrawn from the center of the core during startup, the cooling presented no problem.

In 1955 a pool-type reactor was assembled for the first Geneva conference. It was desirable that this reactor be fully automated from source level to full power so that dignitaries might themselves operate the reactor from source range to full power by pushing a single button. Two fission counters and drives were provided and so arranged that the counter would automatically be withdrawn when the upscale range limit was reached. This crude approximation of a wide-range channel operated satisfactorily and was at the last report still operating satisfactorily at Würenlingen, Switzerland. Similar installations were later made for the BSR, the PCA, and the ORR.

A simple extension of this arrangement is to provide continuous motion of the counter rather than several discrete movements.
This is accomplished by applying a servo motor to the fission-counter drive mechanism with the demand set to hold the count rate constant at some value in the upper portion of the instrument range. If a quantity proportional to chamber position is added to the output of the log count-rate circuit, the sum will be proportional to the logarithm of reactor power. This can be demonstrated by manually moving the counter and observing that although the count rate changes, total indicated power does not change.

A system was assembled and tested in a reactor for a year, after which two 10-decade channels were installed in the MSRE and three in the HFIR. Experience with both installations has been entirely satisfactory. We were concerned that mechanical jitter, caused by counting statistics, would cause excessive wear of the drive mechanism. This problem was alleviated by adjusting the upper limit to stop rod travel before reaching full reactor power. This will result in an increase in count rate, and statistical fluctuations will show up as a fluctuating count rate rather than as mechanical jitter. It is also significant that motion of the counter occurs only during changes in power level and that during start up the counter remains fully inserted until after criticality is attained and the power has risen one or more decades thereafter.

Although the MSRE is a high temperature reactor, the counters for the wide-range channels as well as the ionization chambers are located in water-filled wells which constitute a convenient form of shielding as well as an exponential attenuating medium. In this environment the attenuation curve of the neutron flux with distance initially deviated from a straight line, and although these deviations could be straightened out with a function generator, excessive travel was required of the servo motor in crossing the flat places where flux changed little with distance.
The situation was remedied by the application of shielding shims, and little remains to be corrected by the function generator.

In the HFIR, although it is a water reactor, the wide-range counters are installed in a dry hole. Since the drive is located in the subpile room, a water seal would otherwise have been necessary to maintain water in the thimble. This resulted in a very straight curve of flux with respect to distance. At midrange the maximum discrepancy among the three channels is approximately one-third of a decade when the three are adjusted to agree at full scale. It now appears that the function generator can either be eliminated or replaced by a simpler mechanical device. Although the wide-range system in its present form has been applied to only two reactors, we are confident that smooth exponential attenuation can be achieved in a variety of reactor types with the proper selection of shielding materials.

The systems applied to the HFIR employ an unusual amount of redundancy: three wide-range channels, three regulating channels, and although not unusual, three protective channels. We were at times hard put to defend the heat-power calculators in the protective system and three additional heat-power calculators in the regulating system. The time response of the protective system is also unusual for a 100-Mw reactor in that it is designed to release the shim safety rods in 10 msec. We are now convinced that the high degree of channel independence, built into the protective system for safety and in the regulating and wide range systems for serviceability, is amply justified. The techniques leading to a high degree of availability through on-line testing and on-line maintenance and with freedom from spurious scrams, to a high degree of maneuverability, and to fast safety system response should be applicable to other reactor types.
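
The protective-system logic described in the on-line testing discussion (seven inputs ORed per channel, one magnet coil per channel, two energized coils needed to hold a rod, general coincidence across channels) can be modeled as follows; this is an added example, not part of the original paper. Only "flux" and "temperature" are input names taken from the text; the other five input names, the function names and the failed-to-danger fault model are assumptions made for illustration.

```python
from itertools import product

# "flux" and "temperature" are inputs named in the text; the other five names
# are placeholders, because the paper does not list all seven inputs.
INPUTS = ("flux", "temperature") + tuple(f"input_{n}" for n in range(3, 8))
CHANNELS = range(3)
COILS_TO_HOLD = 2  # one coil: negligible force; two coils: ~175% of holding force


def coils_energized(demands, dead=frozenset()):
    """Return one bool per channel: True while that channel's coil carries current.

    demands: set of (channel, input) pairs whose sensor is past its trip point.
    dead:    assumed fault model, (channel, input) pairs that have failed to
             danger and can no longer trip their channel.
    Each channel ORs its seven inputs; any live demand zeroes that channel's coil.
    """
    live = set(demands) - set(dead)
    return [not any((ch, name) in live for name in INPUTS) for ch in CHANNELS]


def rod_released(demands, dead=frozenset()):
    """Scram: the magnet lets go when fewer than two coils are energized."""
    return sum(coils_energized(demands, dead)) < COILS_TO_HOLD


def online_test_round(standing=frozenset(), dead=frozenset()):
    """Perturb every input of every channel, one at a time.

    standing: demands already present before testing (e.g. a tripped channel).
    Returns (tests_run, scrams_caused, failures_to_danger_found).
    """
    scrams, found = 0, []
    pairs = list(product(CHANNELS, INPUTS))
    for ch, name in pairs:
        # The test passes only if the perturbed channel's coil current goes to zero.
        if coils_energized({(ch, name)}, dead)[ch]:
            found.append((ch, name))
        # With another channel already tripped, the test itself completes 2-of-3.
        scrams += rod_released(set(standing) | {(ch, name)}, dead)
    return len(pairs), scrams, found


if __name__ == "__main__":
    print("clean round:", online_test_round())
    print("temp on ch0 + flux on ch1 scrams:",
          rod_released({(0, "temperature"), (1, "flux")}))
    print("round with ch2 already tripped:", online_test_round(standing={(2, "flux")}))
    print("round with a dead input:", online_test_round(dead={(1, "temperature")}))
```

A clean round of 21 tests drops no rod, while the same round run with one channel already tripped produces a scram on every test of the other two channels, which is why spurious trips during testing were a concern for the general-coincidence arrangement.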