ML15222A243
| ML15222A243 | |
| Person / Time | |
|---|---|
| Site: | SHINE Medical Technologies, PROJ0792 |
| Issue date: | 06/30/2015 |
| From: | SHINE Medical Technologies |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML15222A231 | List: |
| References | |
| SMT-2015-036 | |
| Download: ML15222A243 (20) | |
Text
ENCLOSURE 2 ATTACHMENT 1 SHINE MEDICAL TECHNOLOGIES, INC.
SHINE MEDICAL TECHNOLOGIES, INC. APPLICATION FOR CONSTRUCTION PERMIT RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 6B.3-30 SHINE MEDICAL TECHNOLOGIES NUCLEAR CRITICALITY SAFETY REFERENCE MANUAL JUNE 2015 19 pages follow
SHINE Medical Technologies Nuclear Criticality Safety Reference Manual June 2015
Page 2 of 19 TABLE OF CONTENTS
1.0 INTRODUCTION
............................................................................................3 2.0 SHINE NUCLEAR CRITICALITY SAFETY (NCS) POLICY STATEMENT ...4 2.1 POLICY........................................................................................................................................ 4 2.2 REASON ...................................................................................................................................... 4 2.3 POLICY REQUIREMENTS ............................................................................................................. 4 3.0 SHINE NUCLEAR CRITICALITY SAFETY PROGRAM................................5 3.1 Criticality Safety Program ........................................................................................................... 5 3.2 Validation Procedure.................................................................................................................. 6 3.3 NCSE Procedure.......................................................................................................................... 7 3.3.1 Introduction (NCSE Section 1.0) ............................................................................................. 8 3.3.2 Normal Case Operating Conditions (NCSE Section 2.0)............................................................ 8 3.3.3 Nuclear Criticality Hazard Identification (NCSE Section 3.0) .................................................... 8 3.3.4 Nuclear Criticality Hazard Evaluation (NCSE Section 4.0) ......................................................... 9 3.3.5 Nuclear Criticality Parameter Discussion (NCSE Section 5.0) ................................................. 10 3.3.6 Criticality Safety Controls (NCSE Section 6.0) ........................................................................ 11 3.3.7 List of Assumptions (NCSE Section 7.0) ................................................................................. 13 3.3.8 Conclusion (NCSE Section 8.0) .............................................................................................. 13 3.3.9 References (NCSE Section 9.0).............................................................................................. 13 3.3.10 NCSE Appendices ................................................................................................................. 13 3.4 NCS Training & Qualifications Procedure.................................................................................. 13 3.5 Implementation of NCS Controls .............................................................................................. 14 3.6 Configuration Control/Change Management ........................................................................... 15 3.7 General Criticality Safety Limits................................................................................................ 15 3.8 Audits and Inspections ............................................................................................................. 15 3.9 Criticality Safety Non-Compliance ............................................................................................ 16 3.10 Criticality Safety Guidelines for Fire Fighting ............................................................................ 16 3.11 Emergency Response................................................................................................................ 17 3.12 Criticality Detectors and Alarm Systems ................................................................................... 17 3.13 Testing and Calibration of Active Engineered Controls ............................................................. 18 3.14 Criticality Safety Controls Program Procedure.......................................................................... 18 4.0 SHINE NUCLEAR CRITICALITY SAFETY EVALUATIONS.......................19
Page 3 of 19
1.0 INTRODUCTION
The SHINE facility creates 99Mo via fission of uranium-235 (235U) and uranium-238 (238U) in a subcritical aqueous solution. The facility exists in two parts, an Irradiation Facility (IF) where the 99Mo is produced and a Radioisotope Production Facility (RPF) where the 99Mo is extracted from the uranium-aqueous solution.
Because the processes in the IF are licensed by the NRC as a utilization facility, nuclear criticality safety only concerns the processes in the RPF.
In the RPF uranium metal with a nominal enrichment of 19.75% 235U is dissolved in nitric acid in the Target Solution Preparation System and converted to uranium oxide in the Thermal Denitration (TDN) System. Uranium oxide is dissolved in sulfuric acid in the Target Solution Preparation System in preparation for irradiation in one of eight Target Solution Vessels (TSVs) located in the IF.
After approximately five and a half days of irradiation, the uranyl sulfate solution is removed from the TSV and returned to the RPF. The 99Mo and other commercially-important isotopes are separated, purified, analyzed, and packaged for shipment in the RPF. The RPF includes several intermediate and supporting processes, including target solution cleanup using the solvent extraction process UREX.
The systems and processes in the SHINE facility subject to nuclear criticality safety shall be designed so that keff shall not exceed the Upper Subcritical Limit (USL) for normal and credible abnormal conditions.
The SHINE Nuclear Criticality Safety Reference Manual outlines the criticality safety program at the SHINE facility, and lists the Nuclear Criticality Safety Evaluations (NCSEs) that cover the fissile material operations in the SHINE facility.
The criticality safety program is applied to SHINE for fissile material operations outside of the Irradiation Facility. Safe operations with nuclear materials within the irradiation facility are handled through passive and active design features within that facility.
Both the criticality safety program and the NCSEs shall be written to meet the requirements of the NUREG-1537, and the ANSI/ANS 8 series of consensus standards.
The need for a criticality safety program is addressed in ANSI/ANS 8.1, Nuclear Criticality Safety in Operations with Fissionable Material Outside Reactors, and in ANSI/ANS 8.19, Administrative Practices for Nuclear Criticality Safety.
An effective nuclear criticality safety program fosters an acceptable balance of risk and benefit. This includes cooperation among management, supervision, nuclear criticality safety staff, and workers. Criticality safety relies on evaluations, implementation and maintenance of controls, and each employees conformance with operating procedures.
ANSI/ANS 8.1 lists requirements that are the basic elements of a criticality safety program, including management and employee responsibilities, configuration control, audits and reviews, emergency preparedness, and training.
Page 4 of 19 A criticality program may be set up in a variety of ways. Some sites create a criticality manual that contains all criticality program requirements, while others break out the various program elements into a series of procedures. At the SHINE facility, both approaches are taken. The criticality safety reference manual serves as a top tier document. It contains the nuclear criticality safety policy statement, and outlines each of the criticality safety program elements. The criticality safety program procedures provide detailed information that management, supervision, and the safety staff require to effectively conduct operations at the SHINE facility with criticality safety in mind.
This criticality safety reference manual is divided into four sections: the introduction, the nuclear criticality safety policy statement, an outline of each SHINE facility criticality safety program element, and a list of the NCSEs that exist to demonstrate nuclear criticality safety in the SHINE facility.
2.0 SHINE NUCLEAR CRITICALITY SAFETY (NCS) POLICY STATEMENT 2.1 POLICY For activities involving fissile material, SHINE Medical Technologies shall ensure that all practicable measures are taken to prevent a criticality accident. This is accomplished by demonstrating that all credible upsets remain subcritical. Each process that has an accident sequence leading to criticality will have sufficient controls in place to ensure double contingency protection.
2.2 REASON To provide a safe work environment for SHINE Medical Technologies employees, to protect the health and safety of the public and the environment, and to ensure compliance with all applicable governmental regulations and license conditions.
2.3 POLICY REQUIREMENTS
- 1. Criticality safety shall not be eroded for the sake of expediency, schedule, production, or economic pressure.
- 2. SHINE management shall develop and maintain a NCS Program based on applicable Government requirements, industry standards, site safety policy and accepted safety practices. The NCS Program embraces the ideas and ideals delineated in NUREG-1537 and the American Nuclear Society standard ANSI/ANS-8 series.
- 3. All SHINE employees shall receive a level of criticality safety training appropriate to their work assignments.
- 4. Prevention of a criticality accident shall be the personal responsibility of each SHINE employee involved with fissile materials, including the design, operation, maintenance, and cleanup of facilities and equipment. Each individual shall comply with NCS limits and controls exactly, without taking shortcuts or making unauthorized changes to procedures or equipment.
Page 5 of 19
- 5. SHINE management shall foster a work environment whereby employees are encouraged to question and report any operation believed to be unsafe, including stop work authority.
3.0 SHINE Nuclear Criticality Safety Program The criticality safety program elements for the SHINE facility are the procedures summarized below.
3.1 Criticality Safety Program For activities involving fissile material, all practicable measures shall be taken to prevent a criticality accident. To promulgate the ideal of this policy, SHINE management is committed to the development and maintenance of a NCS Program.
The SHINE NCS Program procedure defines the criticality safety program for the facility. It identifies the objective of the criticality safety program, identifies the responsibilities of various levels of management and of employees, and lists the elements required to comprise the criticality safety program. It also discusses when exemptions to the program elements are permitted. The program procedure is the umbrella document under which all of the remaining elements of the criticality program fall. The program procedure satisfies, at least in part, the requirements of ANSI/ANS 8.19 Sections 4, 5, and 6.
The primary objectives of the NCS Program are to provide a safe work environment for SHINE employees, to protect the health and safety of the public and environment, and to ensure compliance with all applicable government regulations and license conditions. The Program shall be based on applicable Government requirements, industry standard, the Site safety policy, and accepted safety practices. The Program should allow for cost-effective operation of SHINEs processes and operations, and similarly should provide for timely reviews, recommendations and approvals for new fissile material handling operations, processing or storage facilities, or modifications of or additions to, existing operations. The NCS organization is independent of operations to the greatest extent that is practical.
Elements comprising the SHINE NCS Program are presented in Table 1. Listed with each program element are the U.S. Code of Federal Regulations and/or the ANSI/ANS Standards that serve as the basis for the particular program element.
Page 6 of 19 Table 1: NCS Program Elements Program Element Name Requirement Basis for Element Criticality Safety Policy ANSI/ANS-8.19 Verification & Validation of ANSI/ANS-8.1 NCS Codes ANSI/ANS-8.24 Nuclear Criticality Safety ANSI/ANS-8.1 Evaluations ANSI/ANS-8.19 Nuclear Criticality Training ANSI/ANS-8.19 and Qualifications ANSI/ANS-8.20 10CFR19.12 Implementation of ANSI/ANS-8.19 Criticality Safety Controls 10CFR 50.36 and Limits Configuration Control / 10CFR 50.36 Change Control 10CFR50.59 General Criticality Safety ANSI/ANS-8.1 Limits Audits and Inspections ANSI/ANS-8.19 Criticality Safety Non- ANSI/ANS-8.19 Compliances: 10CFR 19.12 Investigating, Reporting, Tracking and Trending Emergency Response ANSI/ANS-8.1 ANSI/ANS 8.23-1997 ANSI/ANS 8.19 Criticality Detector and ANSI/ANS-8.3 Alarms System 10CFR 19.12 Criticality Safety Controls ANSI/ANS-8.1 Program 10CFR 50.36 3.2 Validation Procedure Nuclear criticality safety analyses are performed for fissile material systems and operations at SHINE outside the Irradiation Facility. The nuclear criticality safety analysis establishes the nuclear safety operating limits for the systems and operations. Calculation methods are used to provide an estimate of criticality conditions and the margin of sub-criticality for the systems and operations under evaluation. The computational methods predict the neutronic behavior of the
Page 7 of 19 system and operation. However, certain approximations are inherent in the computer code used, including inexact neutron cross-section data and statistical uncertainty.
Validation compares the computational method with documented critical experiments to determine any calculation bias that might exist between the calculated reactivity of a given system and the actual conditions. It is a process that determines and establishes computational method applicability, adequacy, and uncertainty.
The critical experiments selected should be obtained from referenced publications (e.g., the International Handbook of Evaluated Criticality Safety Benchmark Experiments). The experiments are typically categorized by parameters of enrichment, geometry, fissile material type (i.e., homogeneous versus heterogeneous and chemical form), and moderation. Therefore, the selection of experiments should be similar to and representative of the models that are expected to be evaluated. Once the experiments have been selected, the corresponding input files provided by the handbook or developed by the experiment description shall be executed with the analytical code and corresponding computer system to be validated.
The purpose of a computer code validation is to determine values of keff that are demonstrated to be sub-critical (at or below the Upper Sub-critical Limit) for areas of applicability similar to systems or operations being analyzed. The Upper Sub-critical Limit (USL) is determined as part of the computer code validation and has an additional margin applied. The margin is used to define an upper subcritical limit, as follows:
k-subcritical = 1.0 - bias - bias uncertainty - margin of subcriticality for safety A margin of subcriticality for safety of 0.05 is used.
Validation is required in ANSI/ANS 8.1, Section 4.3, which lists the issues to be addressed in the validation, and the requirement to document the validation in a technical report.
3.3 NCSE Procedure A Nuclear Criticality Safety Evaluation (NCSE) is a document that defines the fissile material operation, identifies the hazards that could lead to an inadvertent criticality, implements controls that prevent any of the identified hazards from occurring, and demonstrates the operation complies with the Double Contingency Principle.
The NCSE procedure provides guidance to the NCSE author to assure that the NCSE contains all required information, and to promote uniformity and consistency among different authors. It also serves as a guide for technical reviewers, as all NCSEs are independently verified. The requirement to produce an NCSE for a fissile material operation is found in ANSI/ANS 8.1, Section 4.1.2, and more explicitly in ANSI/ANS 8.19, Section 8.
Page 8 of 19 The SHINE NCSE structure is as follows:
1.0 Introduction 2.0 Normal Case Operating Conditions 3.0 Nuclear Criticality Hazard Identification 3.1 Hazard Identification Method 3.2 Hazard Identification Results 4.0 Nuclear Criticality Hazard Evaluation 5.0 Nuclear Criticality Parameter Discussion 6.0 Nuclear Criticality Safety Controls 6.1 Passive Design Features 6.2 Active Engineered Features 6.3 Administrative Controls 6.4 General Requirements 7.0 List of Assumptions 8.0 Conclusion 9.0 References Appendices 3.3.1 Introduction (NCSE Section 1.0)
NCSE Section 1.0 introduces the document, defines the scope, describes the equipment or processes being analyzed, and states the purpose of the analysis.
3.3.2 Normal Case Operating Conditions (NCSE Section 2.0)
NCSE Section 2.0 describes the normal case operating conditions based on a detailed process flow and equipment description. Normally expected deviations from the process design intent are also presented. The analysis must demonstrate that normal case operations and expected process deviations will remain acceptably sub-critical, and below the USL.
3.3.3 Nuclear Criticality Hazard Identification (NCSE Section 3.0) 3.3.3.1 Hazard Identification Method (NCSE Section 3.1)
NCSE Section 3.1 describes the method used to identify the NCS hazards.
Several methods of hazard analysis may be used including, but not limited to:
x What-if Analysis, x Failure Mode and Effect Analysis (FMEA) x Preliminary Hazard Analysis, x HAZOP, and x And other generally recognized and accepted safety analysis techniques.
The methodology used is determined based on the complexity of the system being analyzed. Justification for the method used is documented in the NCSE.
At a minimum, the upsets listed in Appendix A of ANSI/ANS 8.1 should be considered. The NCSE analyst, process engineer, and at least one of the process operators should be involved in the hazard identification process.
Documentation of the complete hazard analysis may be included in an Appendix or a separate document that is referenced in the NCSE.
Page 9 of 19 3.3.3.2 Hazard Identification Results (NCSE Section 3.2)
NCSE Section 3.2 contains the results table summarizing the upset conditions identified during the hazard analysis. The table is used as the basis for criticality hazard evaluation. It contains both upset conditions that require further analysis and upset conditions that have no impact on criticality safety.
3.3.4 Nuclear Criticality Hazard Evaluation (NCSE Section 4.0)
The upset conditions, identified in NCSE Section 3.2 as requiring further analysis to ensure criticality safety, are evaluated in NCSE Section 4.0. Section 4.0 addresses each accident scenario to demonstrate compliance with the double contingency principle, or non-credibility as required by the NCSE Procedure.
For each upset condition or grouping of upset conditions identified in NCSE Section 3.2 as requiring further analysis:
- 1) A discussion of the accident sequence for the upset condition is presented.
- 2) For hazards that can be demonstrated to be not credible (or otherwise cannot credibly lead to a criticality), the technical basis for the not credible determination shall be listed. No further discussion or double contingency analysis of the scenario is then required.
- 3) For upset conditions that are determined to be credible routes to a criticality, arguments must be presented to support compliance with the double contingency principle. The discussion should present a minimum of two unlikely, concurrent, and independent events that must occur before a criticality is possible. Fault trees for each credible scenario are presented in this section.
- 4) In cases where calculations are used to support double contingency or not credible arguments, reference to the appropriate calculation document must be provided. The limiting keff results should be presented. The keff shall not exceed the USL, which includes an applicable subcritical margin (0.05 'k).
3.3.4.1 Summary of Criticality Safety Events with a Qualitative Risk Assessment To conclude the Nuclear Criticality Safety Hazard Evaluation section of the NCSE, a summary table must be generated that includes a semi-quantitative risk assessment of each event group for which double contingency protection is applied.
The summary table includes the following headings:
x Accident Sequence x Initiating Event Sequence x Enabling Events (if applicable) x Primary Criticality Barrier x Secondary Criticality Barrier x Defense-in-Depth Controls x Risk Score
Page 10 of 19
- 1) Accident Sequence This column in the summary table provides the information necessary to link the accident sequence with the discussion in the previous sections of the NCSE.
- 2) Initiating Event Sequence The initiating event begins the accident sequence that leads to an accidental criticality. This is typically the event identified in the hazard analysis.
This column provides a short description of the initiating event associated with the criticality event sequence. Following the short description is an evaluation of the probability of occurrence of the initiating event.
- 3) Enabling Event Sequence An enabling event is one that occurs concurrent with or prior to primary or secondary criticality barrier failure and must be present to allow the accident sequence to propagate.
The column for enabling event sequence in the summary table provides a short description of any enabling events associated with the criticality event sequence. Following the short description is an evaluation of the probability of occurrence of each enabling event.
- 4) Primary and Secondary Criticality Barriers These columns provide a short description of the primary and secondary criticality safety controls used to provide Double Contingency Protection for the criticality event sequence. Each control must be assigned a failure frequency.
- 5) Defense-in-Depth Controls This column provides a short description of any defense-in-depth criticality safety controls discussed for the criticality event sequence. Each control must be assigned a failure frequency.
- 6) Risk Score This column provides a summation of the failure and occurrence probability index values from the previous columns.
3.3.5 Nuclear Criticality Parameter Discussion (NCSE Section 5.0)
The nuclear criticality parameters should be discussed to meet flow down requirements from the ANSI/ANS-8 series standards. NCSE Section 5.0 presents the nuclear criticality parameters, discusses whether they are controlled or not controlled, and provides a cross-reference between the parameters and the identified criticality scenarios from the hazard analysis. Only the credible and evaluated criticality scenarios should be referenced in the table. If a specific parameter is not controlled for the fissile material operation being evaluated, a brief basis for why the parameter is not controlled or a bounding assumption (e.g., full reflection is assumed) should be provided. An example table with some
Page 11 of 19 of the rows completed is provided below to illustrate the parameter discussion format.
Table 2: Nuclear Criticality Safety Parameter Discussion (example)
Nuclear Parameter Controlled (Y/N) Basis/Bounding Hazard ID Assumption Scenario Nos.
Applicable to NCS Mass Y Controlled to less 1, 10, 17 than safe mass based on batch limits Enrichment Y Maximum operating 2, 3 enrichment is 1.2%
Volume N The component has None an unfavorable volume.
Geometry N The component has None an unfavorable geometry Concentration N Full theoretical None Or Density density assumed Moderation N Optimum moderation None assumed Interaction Y 2-ft spacing control 4, 5, 7 on interaction with other fissile material Reflection N Full water reflection None is assumed Neutron Absorption N No credit taken for None or Poison neutron absorption in structural materials Other Factors N None identified None 3.3.6 Criticality Safety Controls (NCSE Section 6.0)
NCSE Section 6.0 lists the controls, both physical and administrative, necessary for double contingency and to ensure an acceptable risk of operation. The controls are taken from the contingency analysis for each of the NCS hazards.
The preferred hierarchy for establishing criticality control of fissile material operations is:
- 1) Passive design features, including favorable geometry
- 2) Active engineered controls
- 3) Enhanced administrative controls
- 4) Simple Administrative The following subsections may appear in Section 6.0
Page 12 of 19 6.1 Passive Design Features This section lists the passive physical controls necessary for criticality safety.
Passive design features do not rely on mechanical or human interaction to perform their safety function. Examples of this type of control in the SHINE Facility include (but are not limited to):
x Geometrically Safe Configuration for Process Tanks, Pipes, and Other Process Equipment - Prevents criticality. In addition, this control serves to protect against criticality-induced vessel or pipe rupture.
x Positive Displacement Pump (PDP) Design - Includes design features needed to ensure pressure relief to protect against overpressure from pump deadheading. If overpressure occurs, target solution or fissile solution could spill and result in a criticality.
x Safe Geometry Overflow System - This system ensures that vessels will not discharge excess solution into inappropriate areas or systems (e.g., into the PVVS). The overflow system is geometrically safe.
6.2 Active Engineered Features This section lists the active physical controls necessary for criticality safety.
Active engineered features require some type of mechanical, non-human intervention to perform their safety function. An example of this type of control in the SHINE Facility includes (but is not limited to):
x Sump Level Sensors - Ensures that material is removed from the sumps based on high level before overflowing back into the room.
6.3 Administrative Controls Administrative controls rely solely on humans to perform their safety function.
This section lists the controls associated with process operation that rely on operating procedures or other operator-dependent systems for implementation. Enhanced administrative controls involve an assisting resource such as a computer program or alarm. Simple administrative controls rely solely on the actions of an operator as prescribed in operating procedures. An example of this type of control in the SHINE Facility includes (but is not limited to):
x Fissile Concentration Limits - Administrative limits for fissile material that address both enrichment and concentration of 235U.
6.4 General Requirements NCSE Section 6.4 lists any requirements that are general in nature and are intended to ensure a consistent interface with other programmatic requirements such as fissile material transportation and other program elements. This section should document controls that are not strictly necessary for compliance with the double contingency principle. Examples of requirements that might be included in this section include (but are not limited to):
x Posting of criticality safety controls.
x Requirements to log certain activities.
Page 13 of 19 x Good practice items.
3.3.7 List of Assumptions (NCSE Section 7.0)
NCSE Section 7.0 lists the assumptions (not controls) contained in the evaluation. The bounding assumptions from the NCS Parameter Discussion table are included in Section 7.0. Each assumption must be valid for the fissile material operation. The intent of Section 7.0 is to summarize the basic assumptions from the various applications throughout the evaluation in a single location for ease of review and for use during the field verification activities.
3.3.8 Conclusion (NCSE Section 8.0)
NCSE Section 8.0 summarizes the technical basis for criticality safety of the SHINE facility.
3.3.9 References (NCSE Section 9.0)
References are provided for sources of data, information, and calculations to permit traceability and allow evaluation result reproduction as necessary.
3.3.10 NCSE Appendices Appendices should be used as appropriate for supporting materials and information. This could include detailed criticality calculations, accident analysis results, and informal or letter references required by the evaluation.
3.4 NCS Training & Qualifications Procedure Two Training and Qualification (T&Q) procedures are implemented at SHINE:
one that applies specifically to NCS engineers, and a second that applies to all employees. The basis for the SHINE NCS training and qualification program comes from ANSI/ANS-8.20.
The T&Q procedure for NCS engineers lists the prerequisites, qualification requirements, on-site training, and continuing educational requirements for individuals who perform criticality safety functions. Contractors used by SHINE to perform criticality safety analysis must be confirmed to meet the requirements of the T&Q procedures for NCS engineers.
Qualified nuclear criticality safety engineers are trained to be:
x Sufficiently familiar with the physics of nuclear criticality and with associated safety practices to furnish technical guidance to management appropriate to the scope of operations; x Skilled in the interpretation of data pertinent to NCS; x Involved in technical support functions of surveillance, of analyzing facility data, planning modifications, reviewing programs and work control documents, and resolving technical problems within the area of NCS; and x Sufficiently familiar with facility operations, configurations, and safety authorization bases to provide sound criticality safety technical guidance to facility management.
NCS Engineers are afforded the opportunity to participate in one or more of the following professional development activities:
Page 14 of 19 x Attend an NCS Seminar or Topical Meeting.
x Publish papers, reports, books, or other peer-reviewed documents.
x Participate in national consensus standards working group (ANS-8 committees).
The T&Q procedure for all employees lists criticality safety training requirements for various classes of employees, including Fissile Material Handler, Supervisors, and Support Personnel. The training provides an understanding of:
x The importance of criticality safety x Rules, procedures, limits and controls for preventing a criticality accident x Criticality emergency procedures x Potential health effects of criticality accidents x Criticality safety related features, such as active and passive engineered controls x Criticality safety program at the site x Parameters important to criticality safety 3.5 Implementation of NCS Controls The NCS controls implementation procedure specifies the verification process that the criticality group uses to ensure the active and passive engineered controls, as well as the administrative limits that are identified in NCSEs, are implemented in the field. Implementation verification is required in ANSI/ANS 8.17, paragraph 4.8.
An Implementation Plan (IP) is prepared by the Criticality Safety Engineer for employing new or revised limits and controls from the NCSE. The IP includes the removal of superseded postings and the placement of new postings. It also addresses other items, such as specifying procedures that require updating, verifying equipment status, and ensuring training is provided on the new limits.
The IP details how each administrative and engineered control is implemented and verified. NCSEs with the potential to impact other operations are coordinated with those operations.
All IPs contain a Traceability Matrix (TM) correlating the criticality safety controls from the NCSE to posting, procedural, and engineered safety feature requirements. The process used to verify passive or active engineered controls must be carefully considered and must be determined on a case by case basis.
For example, if a fissile material handling cart posting has been revised to reflect new fissile mass values allowed in each position, then it would not be necessary to re-verify cart engineered dimensions, assuming the cart had not been modified since the last verification. However, if the NCSE revision specifies new or modified position spacing requirements, the TM must include re-verification of the required cart spacing dimensions.
For NCSEs that involve new or revised posting or procedure controls, training is provided to the appropriate operations staff. This training may be in the form of all hands briefing or other training format appropriate for the affected operation.
Page 15 of 19 For NCSEs that support new processes or activities or significant changes to existing processes or activities, the IP contains a requirement to schedule a Criticality Safety Assessment to be completed two to four months after the onset of operations. The Criticality Safety Assessment will ensure that implementation was adequate, limits are useable, and the original scope remains acceptable. It is required to observe operations and interview operators in the conduct of this assessment.
3.6 Configuration Control/Change Management The Configuration Control/Change Management process is performed in accordance with the SHINE Configuration Management program and implementing procedures. The procedure governing the Configuration Control/Change Management process ensures that changes are made to the process with the proper review and analysis The SHINE 10CFR50.59 process will be used to determine if NRC approval is required for proposed changes.
3.7 General Criticality Safety Limits The General Criticality Safety Limits procedure lists generic criticality safety limits that must be observed throughout the facility. These general criticality safety limits and controls have been developed to provide consistent guidance to facility operations by authorizing certain basic work activities.
The criticality safety limits and controls identified are applicable anywhere on the site, subject to Criticality Accident Alarm System (CAAS) requirements and restrictions associated with other safety or security disciplines.
The limits and controls presented establish common practices for the site, and define certain de minimis quantities for criticality safety purposes. Situations that may require specific evaluations or special precautions are identified.
3.8 Audits and Inspections Audits and Inspections are key elements of a good criticality safety program.
The purpose of an audit is to verify that the requirements of each NCSE have been implemented and are being observed by operations.
Internal audits are performed by members of the criticality safety staff on a regular basis. The frequency of each internal audit is based on the risk of the system as defined by the individual NCSE, with the minimum frequency of each assessment being performed at least annually.
External audits are performed by individuals outside of the criticality safety staff, to provide an independent assessment of the criticality safety program. These types of audits are typically performed every two to three years. As opposed to internal audits, which are detailed and specific to a particular operation or NCSE, external audits typically represent a vertical slice of the entire program.
Inspections are weekly informal walk-downs of operations performed by criticality safety staff members. The audits and inspections procedure details when audits are required, how they are documented, who must perform them, and
Page 16 of 19 qualification requirements. Audits are required by ANSI/ANS 8.1 and ANSI/ANS 8.19.
The following list of questions should be used to facilitate the review of operations to determine if process conditions have been altered so as to affect the NCS Evaluation.
x Have any design modifications and/or repairs been made to the process or facility since the previous audit or inspection? If so, do the modifications/repairs affect the NCS Evaluation basis?
x Have any operating procedure revisions been made since the previous audit or inspection? If so, do the procedure revisions affect the NCS Evaluation basis?
x Have any changes (minor or significant) been made in the way work is conducted for which the operation team determined formal design modifications or procedure revisions were not necessary? (Assess changes for operational drift.)
x Have any changes been made in operation support documents or operator aids? (For example, calculation sheets, material log sheets, support paperwork, etc.)
x Does the operation or activity observed during the performance of this audit or inspection agree with the process/activity description in the NCS Evaluation?
x Are all assumptions listed in the NCS Evaluation still valid?
x Are the controls listed in the NCS Evaluation for parameters such as volume, geometry, mass, spacing, etc., still valid and appropriately implemented?
3.9 Criticality Safety Non-Compliance The Criticality Safety Non-Compliance procedure provides direction to the criticality staff for investigating criticality non-compliance. Non-compliance arises when it is discovered that a requirement in an NCSE is not being followed. There are varying degrees of non-compliance, depending on how important the control is to the double contingency argument. The criticality staff uses the Criticality Safety Non-Compliance procedure to determine how to categorize the non-compliance and how to track it. Also covered is how to track and trend non-compliances. Criticality Safety Non-Compliance is addressed in ANSI/ANS 8.19.
All instances of non-compliance are entered into the SHINE Issues Management system.
3.10 Criticality Safety Guidelines for Fire Fighting Firefighting guidelines are developed as part of the analysis and controls in the NCSE. If the firefighting techniques have an impact on the moderation, interaction, or other parameters, then controls that limit the firefighting techniques will be employed and implemented in emergency response procedures. Periodic
Page 17 of 19 training will be provided to both SHINE fire brigade members and off-site fire support organizations regarding permitted manual fire suppression techniques at the SHINE facility.
There are no foam firefighting systems within the RCA in the SHINE facility.
SHINE does not allow off-site fire support organizations to use foam firefighting agents within the SHINE RCA.
3.11 Emergency Response The Emergency Response procedure provides instruction to the staff in responding to a criticality emergency. Note a criticality emergency may not be an actual criticality event; it could be a situation that could lead to a criticality if corrective actions are not taken. The requirement to have a documented emergency response plan for criticality accidents is the subject of ANSI/ANS 8.23.
The Emergency Response procedure also defines the emergency response actions and responsibilities in the event of a criticality accident at the SHINE facility, including identification of potential criticality hazards, criticality detection and alarm system, emergency evacuation process, personnel accountability and contamination control, emergency assessment, Response Team rescue/safe shutdown, emergency notification, off-site support, emergency organization and response centers, personnel training, and periodic criticality emergency exercises.
3.12 Criticality Detectors and Alarm Systems The Criticality Accident Alarm System (CAAS) complies with ANSI/ANS-8.3-1997 (R2012) (ANSI/ANS, 2012a), as modified by Regulatory Guide 3.71. The CAAS procedure implements requirements for the CAAS program, including design criteria, testing requirements, and training requirements, to ensure the ANSI
/ANS-8.3 requirements are met. CAAS provides monitoring for potential criticality events.
The CAAS at SHINE is composed of criticality monitors and alarms, which are strategically located throughout the facility. The criticality accident alarm system (CAAS) provides for continuous monitoring, indication, and recording of neutron or gamma radiation levels in areas where personnel may be present and wherever an accidental criticality event could result from operational processes.
An evaluation is performed to ensure the placement of detectors is sufficient to detect a criticality accident that produces an absorbed dose rate in free air of 20 rads/min at 2 meters from the reacting material. Two detectors cover each area needing CAAS coverage.
An alarm condition initiated by the detectors will result in alarms that are clearly audible in areas that must be evacuated or there are alternative notification methods (e.g. flashing or rotating lights) that are documented to be effective in notifying personnel that evacuation is necessary.
Page 18 of 19 When the evacuation alarm sounds, employees are trained to immediately evacuate via designated routes to the evacuation assembly area. The facility announcement system may also be used to advise personnel of an evacuation or alarm condition.
3.13 Testing and Calibration of Active Engineered Controls The Testing and Calibration of Active Engineered Controls procedure lays out the requirements for testing and calibration of active engineered controls that are relied on for criticality safety. The procedure provides guidance necessary for performing functional tests, verification inspections, and calibration of the equipment designated active engineered controls, and identified as Criticality Safety Controls (CSC) at SHINE.
The Nuclear Criticality Safety Evaluation (NCSE) designates certain active engineered controls as Criticality Safety Controls (CSC). CSCs for SHINE are listed in the SHINE Technical Specifications. To ensure the availability and reliability of the active engineered controls that have been designated CSCs, calibration, functional testing, and/or verification inspections shall be performed.
Those active components which are listed in the Technical Specifications will have their testing and calibration requirements specified in the Technical Specifications surveillance requirements.
3.14 Criticality Safety Controls Program Procedure The Nuclear Criticality Safety Evaluation (NCSE) designates certain process controls related to criticality safety as Criticality Safety Controls (CSCs). All CSCs, criticality control limits, and administrative controls are included in the Technical Specifications as required by 10 CFR 50.36.
The main objective of the CSC procedure is to ensure that process controls identified as CSCs have proper management measures in place to ensure availability and reliability.
The CSC Program includes requirements to ensure the following:
x CSCs are uniquely identified.
x CSCs are tested and calibrated.
x Required test and maintenance procedures are developed for involved equipment.
x Test and maintenance procedures are controlled.
x Maintenance on equipment meets certain requirements and is performed by trained workers.
x As-built drawings are maintained and controlled for systems that contain CSCs.
x Test results and maintenance records are maintained for involved equipment.
Page 19 of 19 4.0 SHINE Nuclear Criticality Safety Evaluations Nuclear Criticality Safety Evaluations (NCSEs) are performed and documented for each of the fissile operations outside the Irradiation Facility. A Nuclear Criticality Safety Evaluation is a stand-alone safety report that contains a comprehensive process description, including description of equipment, materials, and activities; identification of the hazards that are significant to criticality safety, an evaluation of each criticality accident pathway, with a demonstration of double contingency, a description of any calculations relied on in the double contingency arguments, and finally a listing of all passive engineered, active engineered, and administrative controls needed for to demonstrate compliance with the double contingency principle.
Nuclear criticality safety evaluations will be performed to ensure that fissile operations will remain subcritical during both normal and accident scenarios. An approved margin of subcriticality will be included in these evaluations. Nuclear criticality safety is analyzed for the design features of the plant system or component and for the operating practices that relate to maintaining NCS. The analysis of individual systems or components and their interaction with other systems or components containing enriched uranium is performed to ensure the NCS criteria are met. The SHINE facility NCSEs cover the following operations:
[List of NCSEs pending completion.]