ML19339E717

Enclosure 4 - Meeting Slides Re Shine Instrumentation and Control Systems (Public Version)
ML19339E717
Person / Time
Site: SHINE Medical Technologies
Issue date: 12/04/2019
From:
SHINE Medical Technologies
To:
Office of Nuclear Reactor Regulation
Shared Package
ML19339E714 List:
References
2019-SMT-0135


Text

ENCLOSURE 4

SHINE MEDICAL TECHNOLOGIES, LLC

MEETING SLIDES FOR THE DECEMBER 4 AND 5, 2019 PUBLIC MEETING BETWEEN SHINE MEDICAL TECHNOLOGIES, LLC AND THE NRC

SHINE INSTRUMENTATION AND CONTROL SYSTEMS

PUBLIC VERSION

58 pages follow

Instrumentation and Controls

Catherine Kolb, I&C/Operations Manager
Ryan McGee, I&C Engineer
Gregg Clarkson, Rock Creek Innovations

Topics Covered

  • SHINE I&C Overview and Architecture
  • Target Solution Vessel Reactivity Protection System
  • Engineered Safety Features Actuation System
  • Safety-Related Control System Design Criteria
  • Process Integrated Control System
  • Human Factors Engineering
  • Rock Creek Highly Integrated Protection System

SHINE Medical Technologies | 2

Instrumentation and Controls

SHINE instrumentation and control systems provide the facility operators the ability to monitor and control irradiation facility (IF) and radioisotope production facility (RPF) processes from a single, integrated control room

Control systems described in Chapter 7 of the Final Safety Analysis Report (FSAR) include:

  • Eight identical safety-related system instances, each dedicated to an individual irradiation unit (IU)
      • Target solution vessel reactivity protection system (TRPS)
      • Neutron flux detection system (NFDS)
  • A single safety-related system used to prevent or mitigate accidents related to common facility systems, in both the IF and RPF, excluding irradiation units
      • Engineered safety features actuation system (ESFAS)
  • A single nonsafety-related system used to control processes throughout the facility (in both the IF and RPF) and provide the human system interface (HSI) for facility operators
      • Process integrated control system (PICS)

Instrumentation and Controls

Other systems described in Chapter 7 of the FSAR include:

  • Stack release monitoring (SRMS): provides monitoring of the main facility stack and the safety-related exhaust point (carbon delay bed effluent)
  • Radiation monitoring (RAMS and CAMS): area radiation monitors and continuous airborne contamination monitoring
  • Criticality accident alarm system (CAAS): monitors only the RPF, using neutron detection

I&C Design Architecture

I&C Design Architecture

Target Solution Vessel Reactivity Protection System

  • Monitors variables specific to an individual IU that are credited in the SHINE safety analysis
  • The TRPS provides:
      • Three divisions of signal conditioning and trip determination (A, B, and C)
      • Two divisions of voting and actuation (A and B)
  • The TRPS provides actuation signals to components associated with the associated IU cell
  • TRPS functions are IU mode dependent
  • Bypasses of actuation signals are automatically applied or removed dependent on the operating mode of the associated IU
  • TRPS maintains the mode of the IU
  • The TRPS does not provide normal control of IU components; the normal control function is provided by PICS

TRPS Architecture

Target Solution Vessel Reactivity Protection System

Safety Actuations provided by the TRPS are:

  • IU Cell Safety Actuation
      • Isolation of the primary system boundary
      • Isolation of the primary confinement boundary
      • Open the dump valves
      • Open the high voltage power supply breakers
      • Transition to Mode 3 operation
  • IU Cell Nitrogen Purge
      • Opens purge valves to the affected IU Cell
      • Sends signal to the ESFAS to open the nitrogen purge IF header valves
  • Driver Dropout
      • Opens the neutron driver high voltage power supply breakers

The TRPS also provides a defense-in-depth function to limit the rate that the target solution vessel can be filled during Mode 1 (Startup) - Fill Stop

TRPS Control Components

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

IU Cell Safety Actuation

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| High Source Range Neutron Flux | 1.5 times the nominal flux at 95% volume of the critical fill height | 1.5 times the nominal flux at 95% volume of the critical fill height | Yes |
| High Wide Range Neutron Flux | 240% power | 240% power | Yes |
| High Time-Averaged Neutron Flux | 104% power, averaged over 45 seconds | 104% power, averaged over 45 seconds | Yes |
| Low TOGS Mainstream Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| Low TOGS Dump Tank Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| High TOGS Condenser Demister Outlet Temperature | 77°F | 69.8°F | |
| Low TOGS Oxygen Concentration | 10% | 11% | |
| High RVZ1 Radiation | 5 times background radiation | 5 times background radiation | |
| Low PCLS Flow | [ ]PROP/ECI, delayed by 180 seconds | [ ]PROP/ECI, delayed by 180 seconds | Yes |
| High PCLS Temperature | 77°F, delayed by 180 seconds | 72.9°F, delayed by 180 seconds | Yes |
| Low PCLS Temperature | 59°F | 63.5°F | |
| High ATIS Mixed-Gas Return Line Pressure | 8 psia | 7.7 psia | |
| Low-High TSV Dump Tank Level | 6.2% | 3% | |
| High-High TSV Dump Tank Level | 87.9% | 85% | |
| TSV Fill Isolation Valves Position | Not Closed | Not Closed | |
| Facility Master Operating Permissive Removed | Not Active | Not Active | |

IU Cell Nitrogen Purge

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| Low-High TSV Dump Tank Level | 6.2% | 3% | |
| High-High TSV Dump Tank Level | 87.9% | 85% | |
| Low TOGS Oxygen Concentration | 10% | 11% | |
| Low TOGS Mainstream Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| Low TOGS Dump Tank Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| High TOGS Condenser Demister Outlet Temperature | 77°F | 69.8°F | |
| ESFAS Loss of External Power | Loss of Power | Loss of Power | |

Driver Dropout

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| Low Power Range Neutron Flux | [ ]PROP/ECI | [ ]PROP/ECI | |
| Low PCLS Flow | [ ]PROP/ECI | [ ]PROP/ECI | |
| High PCLS Temperature | 77°F | 72.9°F | |

Target Solution Vessel Reactivity Protection System

Each IU operates on a typical cycle of startup (filling), followed by 5.5 days of irradiation, followed by a cool down period and transfer of solution to the RPF

Between successive cycles, there is a mode of operation where no target solution is present in the IU (Mode 0)

The IU Operational Modes are:

  • Mode 0 - Solution Removed
  • Mode 1 - Startup
  • Mode 2 - Irradiation
  • Mode 3 - Shutdown / Post-Irradiation
  • Mode 4 - Transfer to RPF

Target Solution Vessel Reactivity Protection System

TRPS provides an independent control system for each IU, and functions to:

  • Maintain the operating mode of the IU,
  • Monitor the permissives to move between modes, and
  • Create the interlocks in each mode.

The operator provides an input to the TRPS (using the PICS HSI) to increment through one mode at a time

TRPS also transitions the IU to Mode 3 in the event of an IU Cell Safety Actuation or if the facility master operating permissive is removed

Mode Transition Criteria - Normal Sequence

Mode 0 (Solution Removed) to Mode 1 (Startup)

Transition from Mode 0 to Mode 1 is prevented until the TSV dump valves and TSV fill isolation valves have been confirmed to be closed and TOGS mainstream flow is at or above the low flow limit.

Mode 1 (Startup) to Mode 2 (Irradiation)

Transition from Mode 1 to Mode 2 is prevented until the TSV fill isolation valves indicate fully closed and the [ ]PROP/ECI.

Mode 2 (Irradiation) to Mode 3 (Post-Irradiation)

Transition from Mode 2 to Mode 3 is prevented until the HVPS breakers have been confirmed opened.

Mode 3 (Post-Irradiation) to Mode 4 (Transfer to RPF)

Transition from Mode 3 to Mode 4 is prevented if an automated IU Cell Safety Actuation is present.

Mode 4 (Transfer to RPF) to Mode 0 (Solution Removed)

Transition from Mode 4 to Mode 0 is prevented until the TSV dump tank level is below the low-high dump tank level setpoint.

Mode Transition Criteria - IU Cell Safety Actuation

Mode 0 (Solution Removed) to Mode 3 (Shutdown)

Transition from Mode 0 to Mode 3 is initiated automatically by TRPS or by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.

Mode 1 (Startup) to Mode 3 (Shutdown)

Transition from Mode 1 to Mode 3 is initiated automatically by TRPS or manually by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.

Mode 2 (Irradiation) to Mode 3 (Shutdown)

Transition from Mode 2 to Mode 3 is the normal transition sequence but may also be initiated automatically by TRPS or by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.

Mode 4 (Transfer to RPF) to Mode 3 (Shutdown)

Transition from Mode 4 to Mode 3 is initiated automatically by TRPS or by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.

Mode Transition Criteria - Secure State

Mode 3 to Secure State

Transition from Mode 3 to the secure state is initiated manually by an operator via disengaging the facility master operating permissive. While operating in the secure state, transition to another mode of operation is not allowed.

Secure State to Mode 3

Transition from the secure state to Mode 3 is initiated manually by an operator via engaging the facility master operating permissive. Initiation of this transition permits a transition to another mode of operation.
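The mode transition criteria above can be read as a small finite state machine. The following Python model is an added illustration, not SHINE or Rock Creek Innovations logic: the class and field names are assumptions, the withheld [ ]PROP/ECI criterion is represented by an opaque flag, and chaining the permissive removal through Mode 3 into the secure state in one call is a modelling assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    SOLUTION_REMOVED = 0   # Mode 0
    STARTUP = 1            # Mode 1
    IRRADIATION = 2        # Mode 2
    SHUTDOWN = 3           # Mode 3, Shutdown / Post-Irradiation
    TRANSFER_TO_RPF = 4    # Mode 4
    SECURE = 5             # secure state; not a numbered mode on the slides


@dataclass
class Status:
    """Plant status seen by the model. Field names are assumptions."""
    dump_valves_closed: bool = False
    fill_valves_closed: bool = False
    togs_flow_at_or_above_low_limit: bool = False
    withheld_condition_met: bool = False   # stands in for the [ ]PROP/ECI criterion
    hvps_breakers_open: bool = False
    actuation_present: bool = False        # automated IU Cell Safety Actuation
    dump_tank_level_pct: float = 100.0


LOW_HIGH_SETPOINT_PCT = 3.0  # low-high TSV dump tank level setpoint from the slides

# Normal sequence: current mode -> (next mode, permissive that must be true).
NORMAL = {
    Mode.SOLUTION_REMOVED: (Mode.STARTUP, lambda s: s.dump_valves_closed
                            and s.fill_valves_closed
                            and s.togs_flow_at_or_above_low_limit),
    Mode.STARTUP: (Mode.IRRADIATION, lambda s: s.fill_valves_closed
                   and s.withheld_condition_met),
    Mode.IRRADIATION: (Mode.SHUTDOWN, lambda s: s.hvps_breakers_open),
    Mode.SHUTDOWN: (Mode.TRANSFER_TO_RPF, lambda s: not s.actuation_present),
    Mode.TRANSFER_TO_RPF: (Mode.SOLUTION_REMOVED,
                           lambda s: s.dump_tank_level_pct < LOW_HIGH_SETPOINT_PCT),
}


class IUModeModel:
    def __init__(self):
        self.mode = Mode.SOLUTION_REMOVED
        self.history = [self.mode]

    def _go(self, mode):
        self.mode = mode
        self.history.append(mode)

    def increment(self, status):
        """Operator request to advance one mode; False means it was blocked."""
        if self.mode is Mode.SECURE:
            return False                 # no transitions while in the secure state
        nxt, permissive = NORMAL[self.mode]
        if not permissive(status):
            return False
        self._go(nxt)
        return True

    def safety_actuation(self):
        """IU Cell Safety Actuation: Modes 0, 1, 2 and 4 all go to Mode 3."""
        if self.mode in (Mode.SOLUTION_REMOVED, Mode.STARTUP,
                         Mode.IRRADIATION, Mode.TRANSFER_TO_RPF):
            self._go(Mode.SHUTDOWN)

    def disengage_master_permissive(self):
        # Removing the permissive actuates to Mode 3; from Mode 3 it enters the
        # secure state. Chaining both in one call is an assumption of this model.
        self.safety_actuation()
        if self.mode is Mode.SHUTDOWN:
            self._go(Mode.SECURE)

    def engage_master_permissive(self):
        if self.mode is Mode.SECURE:
            self._go(Mode.SHUTDOWN)


def normal_cycle():
    """Drive one full cycle with every permissive satisfied; returns modes visited."""
    iu = IUModeModel()
    ok = Status(True, True, True, True, True, False, 0.0)
    for _ in range(5):
        assert iu.increment(ok)
    return [m.value for m in iu.history]


if __name__ == "__main__":
    print(normal_cycle())
```
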

TRPS Mode of Operation for the Irradiation Unit

PROP/ECI

Engineered Safety Features Actuation System

  • Monitors variables throughout the SHINE facility, in both the IF and RPF, that are credited in the SHINE safety analysis, but that are NOT specific to an IU
  • The ESFAS provides continuous protection of the safety functions for which it is responsible; unlike TRPS, functions are NOT mode dependent
  • The ESFAS provides:
      • Three divisions of signal conditioning and trip determination (A, B, and C)
      • Two divisions of voting and actuation (A and B)
  • The ESFAS provides actuation signals to IF and RPF components NOT associated with any IU
  • Components include those located in both the IF (e.g., the common portions of the tritium purification system) and the RPF (e.g., the supercell and vacuum transfer system)
  • The ESFAS does not provide normal control of IF and RPF components; the normal control function is provided by PICS

Engineered Safety Features Actuation System

Safety Actuations provided by the ESFAS are:

  • Radiologically Controlled Area (RCA) Isolation
  • Supercell Isolation
  • Carbon Delay Bed Isolation
  • Vacuum Transfer System (VTS) Safety Actuation
  • Tritium Purification System (TPS) Isolation
  • IU Cell Nitrogen Purge
  • RPF Nitrogen Purge
  • Molybdenum Extraction and Purification System (MEPS) [ ]PROP/ECI Isolation
  • Extraction Column Alignment Actuation
  • Iodine and Xenon Purification and Packaging (IXP) Alignment Actuation
  • Dissolution Tank Isolation

ESFAS Architecture

RCA Isolation

RCA Isolation functions to isolate potential sources of radiation throughout the facility upon a high radiation signal in either radiological ventilation zone 1 (RVZ1) or radiological ventilation zone 2 (RVZ2) facility exhaust

The RCA Isolation function:

  • Isolates RVZ1 and RVZ2 facility exhaust dampers
  • Isolates RVZ2 supply isolation dampers
  • Isolates RVZ3 isolation dampers
  • Opens RVZ1 and RVZ2 exhaust blower breakers (to shut down exhaust blowers)
  • Opens RVZ2 supply blower breakers (to shut down supply blowers)
  • Isolates each of the supercell areas
  • Provides a VTS Safety Actuation
  • Provides a TPS Isolation

RCA Isolation Components

RCA Isolation Components

VTS Safety Actuation

VTS Safety Actuation is required to stop the transfer of target solution or other radioactive solutions upon indication of liquid in the VTS piping (potential tank overflow), liquid in the radioactive drain system (RDS) sump tank (potential tank leak), high radiation in the extraction, IXP, or PVVS supercell hot cells, or high radiation in the facility RVZ1 or RVZ2 exhaust (RCA Isolation)

The VTS Safety Actuation stops the transfer of fluid and limits potential sources of liquid ingress to the RDS sump tank by:

  • Opening vacuum transfer pump breakers
  • Opening vacuum break valves
  • Isolating the MEPS eluate and wash block valves
  • Isolating the IXP eluate and wash block valves

VTS Safety Actuation Components

VTS Safety Actuation Components

Supercell Isolation

Supercell Isolation is required to perform confinement actions for each hot cell of the supercell upon a high radiation signal from the associated hot cell

Supercell Isolation:

  • Isolates the associated Supercell hot cell inlet and outlet dampers
  • Provides a VTS Safety Actuation (for extraction, IXP, and PVVS hot cells only)
  • Provides MEPS [ ]PROP/ECI Isolation (for extraction hot cells only)

Supercell Isolation (Extraction Hot Cell)

PROP/ECI

Supercell Isolation (Extraction Hot Cell)

PROP/ECI

Additional ESFAS Safety Actuations

RPF Nitrogen Purge

RPF Nitrogen Purge is required to mitigate the loss of hydrogen recombination capability in RPF tanks by providing N2PS nitrogen sweep gas to tanks upon an indication of loss of PVVS.

IU Cell Nitrogen Purge

IU Cell Nitrogen Purge is required to provide N2PS nitrogen sweep gas to one or more IU(s) on a loss of normal hydrogen recombination capability by opening the N2PS IU cell header valves.

TPS Isolation

TPS Isolation functions to deenergize and close valves associated with the Confinement boundary of the TPS glovebox and dampers associated with the TPS room upon indication of high tritium concentration within the glovebox or in the exhaust of the glovebox stripper system.

Dissolution Tank Isolation

Dissolution Tank Isolation is required to close radioisotope process facility cooling system (RPCS) supply cooling valves and supply and exhaust ventilation dampers on indication of high level in the target solution preparation system (TSPS) dissolution tank to prevent overflow of the tank into the uranium handling glovebox and isolate the glovebox.

MEPS [ ]PROP/ECI Isolation

MEPS [ ]PROP/ECI Isolation functions to close the associated extraction [ ]PROP/ECI isolation valves and open the extraction feed pump breakers on indication of target solution leakage into the [ ]PROP/ECI, high radiation in the affected extraction cell RVZ1 exhaust duct, or liquid detection in the RDS sump tank (indicative of a potential leak of fluid inside the extraction cell), or in the event of an RCA Isolation.

Extraction Column Alignment Actuation

Extraction Column Alignment Actuation functions to deenergize the associated extraction hot cell three-way valves and extraction column eluent valve to prevent inadvertent misdirection of target solution.

IXP Alignment Actuation

IXP Alignment Actuation functions to deenergize the IXP three-way valves and recovery column eluent valve to prevent inadvertent misdirection of target solution.

Carbon Delay Bed Isolation

Carbon Delay Bed Isolation functions to isolate the associated carbon delay bed group upon indication of a fire within that bed, detected by elevated carbon monoxide concentration.

ESFAS Variables

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| PVVS Flow | 5.0 SCFM | 7.1 SCFM | Yes |
| RVZ1 RCA Exhaust | 5 times background radiation | 5 times background radiation | |
| RVZ2 RCA Exhaust | 5 times background radiation | 5 times background radiation | |
| RVZ1 Supercell Exhaust | 5 times background radiation | 5 times background radiation | |
| MEPS [ ]PROP/ECI Conductivity | 8.8 micromho/cm | 8.8 micromho/cm | |
| PVVS Carbon Delay Bed Carbon Monoxide | 20 ppm | 20 ppm | |
| VTS Vacuum Header Liquid Detection Switch | Active | Active | |
| RDS Liquid Detection Switch | Active | Active | |
| TPS Exhaust to Facility Stack Tritium | 80 Ci/m3 | 70 Ci/m3 | |
| TPS Glovebox Tritium | 150 Ci/m3 | 139 Ci/m3 | |
| TRPS IU Cell Nitrogen Purge | Active | Active | |
| MEPS Three-way Valve Supplying Position Indication | Supplying | Supplying | |
| IXP Three-Way Valve Supplying Position Indication | Supplying | Supplying | |
| TSPS Dissolution Tank Level | 100% | 98% | |
| UPSS External Power Signal | Loss of power, actuation delayed by 180 seconds | Loss of power, actuation delayed by 180 seconds | |

Safety-Related Control System Design Criteria and Design Basis

Safety-Related Control System Design Criteria

Access Control (TRPS and ESFAS Criteria 1 - 3)

  • TRPS and ESFAS control components are located within lockable cabinets
  • TRPS and ESFAS programmable logic is developed within the Rock Creek Isolated Development Network (IDN)

Software Requirements Development (TRPS and ESFAS Criteria 4 - 13)

  • TRPS and ESFAS requirements are defined in SHINE functional requirement specifications, and transmitted to RCI for incorporation into software development lifecycle process, which includes provisions for:
      • Configuration control
      • Verification and validation
      • Requirements traceability
  • Programmable logic is maintained on the IDN
  • RCI maintains a SHINE-approved quality assurance program

Safety-Related Control System Design Criteria

General Instrumentation and Control Design (TRPS and ESFAS Criteria 14 and 15)

  • Provided power from reliable UPS power source with two-hour post loss of off-site power supply
  • Implement a discrete level logic circuit downstream from the digital logic to accommodate manual actuation

Single Failure (TRPS Criteria 16 and 17 and ESFAS Criteria 16 - 18)

  • Three divisions of signal conditioning and trip determination
  • Two divisions of actuation logic
  • Nonsafety inputs are interlocked at the discrete logic level by a safety-related switch
  • Nonsafety inputs use a binary address with a mirrored complement scheme such that a single incorrect bit cannot address the incorrect module
  • A unique mode input is provided for each Division A and Division B for operator transition of the modes in TRPS
  • Any monitoring only inputs are processed on an independent input submodule and not placed on the safety data buses

Safety-Related Control System Design Criteria

Independence (TRPS Criteria 18 - 26 and ESFAS Criteria 19 - 27)

  • Physical separation
  • Electrical isolation
  • Communications independence
  • Functional independence

Prioritization of Functions (TRPS Criterion 27 and ESFAS Criterion 28)

  1. Automatic Safety Actuation and Manual Safety Actuation
  2. PICS nonsafety control signals

Fail Safe (TRPS Criterion 28 and ESFAS Criterion 29)

  • Controlled components are designed to go to their deenergized state (defined safe state) on loss of power

Safety-Related Control System Design Criteria

Setpoints (TRPS Criteria 29 - 32 and ESFAS Criteria 30 - 33)

  • Setpoints are based on a documented methodology

Operational Bypass, Permissives, and Interlocks (TRPS Criteria 33 - 42 and ESFAS Criteria 34 - 43)

  • An out-of-service switch is provided to take a channel or group of channels into a maintenance state
  • When the out-of-service switch is active, the position of a trip/bypass switch is used in place of the channel output
  • In TRPS, permissives are used to prevent transition between modes when system status does not meet mode transition criteria
  • In TRPS, the current mode determines which safety channels are interlocked when not needed (e.g., low-high dump tank level IU Cell Safety Actuation is not needed in the post-irradiation mode)

Safety-Related Control System Design Criteria

Completion of a Protective Action (TRPS Criteria 43 - 45 and ESFAS Criteria 44 - 46)

  • Actuation logic is designed so that after an automatic or manual actuation, the output of the actuation logic cannot change until a new status (position) is requested
  • Position indication is used to prevent a change of the status of the actuation logic until the protective action is complete (assuming no safety actuation is still present)

Equipment Qualification (TRPS Criterion 46 and ESFAS Criterion 47)

  • Rack mounted equipment is installed in a mild environment and is qualified to the environment
  • Equipment is tested to appropriate standards for EMI/RFI

Surveillance (TRPS Criteria 47 - 49 and ESFAS Criteria 48 - 50)

  • End to end coverage of the platform is provided by built in self-testing apart from the discrete priority logic which requires periodic surveillance
  • The platform supports methods for channel checks

Safety-Related Control System Design Criteria

Classification and Identification (TRPS Criterion 50 and ESFAS Criterion 51)

  • Components are uniquely labeled and identified in accordance with SHINE identification and classification procedures.

Human Factors (TRPS Criteria 51 - 53 and ESFAS Criteria 52 - 54)

  • Manual actuation is provided for each automatic actuation
  • Indication and diagnostic information in the platform is transmitted to the PICS HSI

Quality (TRPS Criteria 54 and 55 and ESFAS Criteria 55 and 56)

  • ANSI/ANS 15.8-1995 as well as various other industry standards were used to ensure quality of the TRPS and ESFAS systems

TRPS/ESFAS Status

PROP

Process Integrated Control System

The PICS is a collection of instrumentation and control equipment located throughout the facility.

PICS supports:

Monitoring, Indication, and Control of various systems located in both the IF and RPF.

A portion of the PICS supports the main control board and operator workstations in the facility control room by receiving operator commands and collecting and transmitting facility information to the operators.

The PICS is used to monitor parameters and perform manual and automatic actions during each of the operational modes of an IU.

Process Integrated Control System

PICS interfaces with TRPS and ESFAS:

PICS receives indication and diagnostic information through uni-directional transmission from the TRPS and ESFAS.

PICS provides a hardwired parallel interface from the PICS control system to the actuation and priority logic to enable the operator to reset the state of the TRPS or ESFAS following a safety actuation.

Interface is provided through a binary addressing scheme that uses a mirrored complement to prevent a single failure of the interface from addressing the incorrect priority logic.

Sensor inputs used by the TRPS or ESFAS are provided to the PICS through a monitoring and indication module in the safety system using an isolated communications path, which is separate and independent of the safety data bus.

PICS uses a hardwired interface to the TRPS to provide a discrete input to incrementally change the mode of an IU.

Control components that are directly controlled by both the TRPS and the PICS are configured with an in-series hardware configuration so that the TRPS may override PICS component control.
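The slides state that the PICS interface uses a binary address with a mirrored complement so that a single incorrect bit cannot address the wrong priority logic, but they do not give the encoding. The Python model below is an added illustration, not the HIPS implementation: it assumes a 4-bit address followed by its bitwise complement in reversed bit order, and checks both the single-bit property and where that coverage ends.

```python
ADDR_BITS = 4  # assumed address width; the slides do not state one


def mirror(value, bits=ADDR_BITS):
    """Reverse the bit order of a bits-wide value."""
    out = 0
    for i in range(bits):
        out = (out << 1) | ((value >> i) & 1)
    return out


def encode(addr, bits=ADDR_BITS):
    """Build the interface word: address field, then mirrored complement field."""
    mask = (1 << bits) - 1
    if not 0 <= addr <= mask:
        raise ValueError("address out of range")
    return (addr << bits) | mirror(~addr & mask, bits)


def decode(word, bits=ADDR_BITS):
    """Return the addressed module, or None when the two fields disagree."""
    mask = (1 << bits) - 1
    addr = (word >> bits) & mask
    comp = word & mask
    if comp != mirror(~addr & mask, bits):
        return None          # inconsistent word: address nothing
    return addr


def single_bit_faults_detected(bits=ADDR_BITS):
    """True if every single-bit error on every valid word is rejected."""
    for addr in range(1 << bits):
        word = encode(addr, bits)
        for bit in range(2 * bits):
            if decode(word ^ (1 << bit), bits) is not None:
                return False
    return True


def aliases_after_two_faults(addr, bits=ADDR_BITS):
    """Wrong addresses that two simultaneous bit errors could still select."""
    word = encode(addr, bits)
    hits = set()
    for a in range(2 * bits):
        for b in range(a + 1, 2 * bits):
            got = decode(word ^ (1 << a) ^ (1 << b), bits)
            if got is not None and got != addr:
                hits.add(got)
    return sorted(hits)


if __name__ == "__main__":
    print(hex(encode(5)), single_bit_faults_detected(), aliases_after_two_faults(5))
```

Under this assumed encoding the scheme covers exactly the single-failure case the slides claim: a word with one wrong bit selects no module, while two coincident errors in matching positions of both fields would pass the check.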

Process Integrated Control System

The PICS provides a human system interface for the operators to interact and control the various processes and systems that interface with the PICS.

There are two operator workstations located in the facility control room, providing operator controls for irradiation process and for transferring target solution through the facility. There is also a supervisor workstation in the facility control room for support of the facility operators.

Four limited functionality workstations are located in the radiologically controlled area to assist in operations where manual processes are prevalent (e.g., target solution preparation, supercell operations, tritium purification operations, and radioactive liquid waste immobilization).

The PICS provides a main control board with static displays that provide a view only interface of the variables identified as important to the safe operation of the SHINE facility.


Security-Related Information - Withheld Under 10 CFR 2.390(d)

Control Room Layout

SRI

Process Integrated Control System Status

PROP

Human Factors Engineering

SHINE has developed a Human Factors Engineering (HFE) program to guide the design and development of I&C systems.

Guidelines have been developed to be used in evaluating I&C designs.

A preliminary HFE evaluation of the control room layout was completed.

Human Factors Engineering

SHINE Medical Technologies - Rock Creek Innovations Partnership

  • Partnership for the design and implementation of the SHINE safety-related I&C systems
  • Rock Creek Innovations has architected Field Programmable Gate Array (FPGA) based safety-related I&C platforms with expertise focused on the design, licensing, and deployment in multiple protection system applications
  • Highly Integrated Protection System (HIPS)
      • Hybrid Analog/Digital System with FPGA logic on all modules implementing multiple deterministic finite state machines (no executable software)
      • The HIPS Topical Report has been approved by the NRC and the Advisory Committee on Reactor Safeguards (ACRS) for use in NuScale's safety-related I&C systems

Licensing of the HIPS for the SHINE Facility

  • SHINE's use of the HIPS is described in the FSAR following the format and content guidance of the draft Chapter 7 Interim Staff Guidance (ISG) augmenting NUREG-1537
  • SHINE chose not to incorporate the Safety Evaluation (SE) of the NuScale Topical Report (TR) 1015-18653 into the SHINE licensing basis, as the SE evaluated the suitability of the platform against nuclear power plant-specific standards (i.e., IEEE Standard 603-1991 and IEEE Standard 7-4.3.2-2003)
  • Accordingly, an application-specific action item evaluation was not incorporated into the SHINE licensing basis
  • Section 4.2 of the SE requires an application-specific action item evaluation be performed when requesting NRC approval of the HIPS platform for safety-related applications in nuclear power plants

HIPS Platform Design Approach

The highly integrated protection system (HIPS) is designed to provide a robust platform for safety-related and important-to-safety applications

Key design concepts incorporate the following fundamental design principles:

  • independence
  • redundancy
  • diversity and defense-in-depth (D3)
  • predictability and repeatability

Hybrid analog and digital system with field programmable gate array (FPGA) programmable logic on all modules implementing multiple deterministic finite state-machines

HIPS Module Types

The HIPS platform consists of the HIPS chassis and a system of modules that are interchangeable between chassis

| Module Name | Abbreviation | Description/Use |
|---|---|---|
| Safety Function Module | SFM | Signal conditioning and actuation determination of safety function(s). Provides scaled value of input process to nonsafety controls and safety display for monitoring purposes (FPGA and analog). |
| Communications Module | CM | Controls, collects, and transmits information between HIPS modules or to external components (FPGA and analog). |
| Equipment Interface Module | EIM | Provides final equipment actuation output and includes priority logic circuitry for automatic and manual actuation inputs (FPGA and analog). |
| Hardwired Module | HWM | Converts hardwired contact inputs into logic levels for direct connection on dedicated backplane traces to a particular module as per the detail application design (analog only). |

TRPS Safety Data Paths (Animation)

PROP

TRPS Div C Chassis Safety Data Work Cycle (Animation)

PROP

TRPS Div A Voting Safety Data Work Cycle (Animation)

PROP

HIPS Development