ML19339E717
| Field | Value |
|---|---|
| Site: | SHINE Medical Technologies |
| Issue date: | 12/04/2019 |
| From: | SHINE Medical Technologies |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package: | ML19339E714 |
| References: | 2019-SMT-0135 |

58 pages follow

ENCLOSURE 4
SHINE MEDICAL TECHNOLOGIES, LLC
MEETING SLIDES FOR THE DECEMBER 4 AND 5, 2019 PUBLIC MEETING BETWEEN SHINE MEDICAL TECHNOLOGIES, LLC AND THE NRC
SHINE INSTRUMENTATION AND CONTROL SYSTEMS
PUBLIC VERSION

Instrumentation and Controls
Catherine Kolb, I&C/Operations Manager
Ryan McGee, I&C Engineer
Gregg Clarkson, Rock Creek Innovations

SHINE Medical Technologies l 2

Topics Covered
- SHINE I&C Overview and Architecture
- Target Solution Vessel Reactivity Protection System
- Engineered Safety Features Actuation System
- Safety-Related Control System Design Criteria
- Process Integrated Control System
- Human Factors Engineering
- Rock Creek Highly Integrated Protection System

Instrumentation and Controls

SHINE instrumentation and control systems provide the facility operators the ability to monitor and control irradiation facility (IF) and radioisotope production facility (RPF) processes from a single, integrated control room

Control systems described in Chapter 7 of the Final Safety Analysis Report (FSAR) include:
- Eight identical safety-related system instances, each dedicated to an individual irradiation unit (IU)
  - Target solution vessel reactivity protection system (TRPS)
  - Neutron flux detection system (NFDS)
- A single safety-related system used to prevent or mitigate accidents related to common facility systems, in both the IF and RPF, excluding irradiation units
  - Engineered safety features actuation system (ESFAS)
- A single nonsafety-related system used to control processes throughout the facility (in both the IF and RPF) and provide the human system interface (HSI) for facility operators
  - Process integrated control system (PICS)

Instrumentation and Controls

Other systems described in Chapter 7 of the FSAR include:
- Stack release monitoring (SRMS): provides monitoring of the main facility stack and the safety-related exhaust point (carbon delay bed effluent)
- Radiation monitoring (RAMS and CAMS): area radiation monitors and continuous airborne contamination monitoring
- Criticality accident alarm system (CAAS): monitors only the RPF, using neutron detection

I&C Design Architecture

Target Solution Vessel Reactivity Protection System

Monitors variables specific to an individual IU that are credited in the SHINE safety analysis

The TRPS provides:
- Three divisions of signal conditioning and trip determination (A, B, and C)
- Two divisions of voting and actuation (A and B)

The TRPS provides actuation signals to components associated with the associated IU cell

TRPS functions are IU mode dependent
- Bypasses of actuation signals are automatically applied or removed dependent on the operating mode of the associated IU
- TRPS maintains the mode of the IU

The TRPS does not provide normal control of IU components; the normal control function is provided by PICS

TRPS Architecture

Target Solution Vessel Reactivity Protection System

Safety Actuations provided by the TRPS are:
- IU Cell Safety Actuation
  - Isolation of the primary system boundary
  - Isolation of the primary confinement boundary
  - Open the dump valves
  - Open the high voltage power supply breakers
  - Transition to Mode 3 operation
- IU Cell Nitrogen Purge
  - Opens purge valves to the affected IU Cell
  - Sends signal to the ESFAS to open the nitrogen purge IF header valves
- Driver Dropout
  - Opens the neutron driver high voltage power supply breakers

The TRPS also provides a defense-in-depth function to limit the rate that the target solution vessel can be filled during Mode 1 (Startup) - Fill Stop

TRPS Control Components

IU Cell Safety Actuation

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| High Source Range Neutron Flux | 1.5 times the nominal flux at 95% volume of the critical fill height | 1.5 times the nominal flux at 95% volume of the critical fill height | Yes |
| High Wide Range Neutron Flux | 240% power | 240% power | Yes |
| High Time-Averaged Neutron Flux | 104% power, averaged over 45 seconds | 104% power, averaged over 45 seconds | Yes |
| Low TOGS Mainstream Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| Low TOGS Dump Tank Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| High TOGS Condenser Demister Outlet Temperature | 77°F | 69.8°F | |
| Low TOGS Oxygen Concentration | 10% | 11% | |
| High RVZ1 Radiation | 5 times background radiation | 5 times background radiation | |

Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)
Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

IU Cell Safety Actuation

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| Low PCLS Flow | [ ]PROP/ECI, delayed by 180 seconds | [ ]PROP/ECI, delayed by 180 seconds | Yes |
| High PCLS Temperature | 77°F, delayed by 180 seconds | 72.9°F, delayed by 180 seconds | Yes |
| Low PCLS Temperature | 59°F | 63.5°F | |
| High ATIS Mixed-Gas Return Line Pressure | 8 psia | 7.7 psia | |
| Low-High TSV Dump Tank Level | 6.2% | 3% | |
| High-High TSV Dump Tank Level | 87.9% | 85% | |
| TSV Fill Isolation Valves Position | Not Closed | Not Closed | |
| Facility Master Operating Permissive Removed | Not Active | Not Active | |

IU Cell Nitrogen Purge

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| Low-High TSV Dump Tank Level | 6.2% | 3% | |
| High-High TSV Dump Tank Level | 87.9% | 85% | |
| Low TOGS Oxygen Concentration | 10% | 11% | |
| Low TOGS Mainstream Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| Low TOGS Dump Tank Flow | [ ]PROP/ECI | [ ]PROP/ECI | Yes |
| High TOGS Condenser Demister Outlet Temperature | 77°F | 69.8°F | |
| ESFAS Loss of External Power | Loss of Power | Loss of Power | |

Driver Dropout

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| Low Power Range Neutron Flux | [ ]PROP/ECI | [ ]PROP/ECI | |
| Low PCLS Flow | [ ]PROP/ECI | [ ]PROP/ECI | |
| High PCLS Temperature | 77°F | 72.9°F | |

Target Solution Vessel Reactivity Protection System

Each IU operates on a typical cycle of startup (filling), followed by 5.5 days of irradiation, followed by a cool down period and transfer of solution to the RPF

Between successive cycles, there is a mode of operation where no target solution is present in the IU (Mode 0)

The IU Operational Modes are:
- Mode 0 - Solution Removed
- Mode 1 - Startup
- Mode 2 - Irradiation
- Mode 3 - Shutdown / Post-Irradiation
- Mode 4 - Transfer to RPF

Target Solution Vessel Reactivity Protection System

TRPS provides an independent control system for each IU, and functions to:
- Maintain the operating mode of the IU,
- Monitor the permissives to move between modes, and
- Create the interlocks in each mode.

The operator provides an input to the TRPS (using the PICS HSI) to increment through one mode at a time

TRPS also transitions the IU to Mode 3 in the event of an IU Cell Safety Actuation or if the facility master operating permissive is removed

Mode Transition Criteria - Normal Sequence

- Mode 0 (Solution Removed) to Mode 1 (Startup)
  - Transition from Mode 0 to Mode 1 is prevented until the TSV dump valves and TSV fill isolation valves have been confirmed to be closed and TOGS mainstream flow is at or above the low flow limit.
- Mode 1 (Startup) to Mode 2 (Irradiation)
  - Transition from Mode 1 to Mode 2 is prevented until the TSV fill isolation valves indicate fully closed and the [ ]PROP/ECI.
- Mode 2 (Irradiation) to Mode 3 (Post-Irradiation)
  - Transition from Mode 2 to Mode 3 is prevented until the HVPS breakers have been confirmed opened.
- Mode 3 (Post-Irradiation) to Mode 4 (Transfer to RPF)
  - Transition from Mode 3 to Mode 4 is prevented if an automated IU Cell Safety Actuation is present.
- Mode 4 (Transfer to RPF) to Mode 0 (Solution Removed)
  - Transition from Mode 4 to Mode 0 is prevented until the TSV dump tank level is below the low-high dump tank level setpoint.

Mode Transition Criteria - IU Cell Safety Actuation

- Mode 0 (Solution Removed) to Mode 3 (Shutdown)
  - Transition from Mode 0 to Mode 3 is initiated automatically by TRPS or by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.
- Mode 1 (Startup) to Mode 3 (Shutdown)
  - Transition from Mode 1 to Mode 3 is initiated automatically by TRPS or manually by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.
- Mode 2 (Irradiation) to Mode 3 (Shutdown)
  - Transition from Mode 2 to Mode 3 is the normal transition sequence but may also be initiated automatically by TRPS or by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.
- Mode 4 (Transfer to RPF) to Mode 3 (Shutdown)
  - Transition from Mode 4 to Mode 3 is initiated automatically by TRPS or by an operator via manual actuation or the facility master operating permissive. Initiation of this transition generates an IU Cell Safety Actuation.

Mode Transition Criteria - Secure State

- Mode 3 to Secure State
  - Transition from Mode 3 to the secure state is initiated manually by an operator via disengaging the facility master operating permissive. While operating in the secure state, transition to another mode of operation is not allowed.
- Secure State to Mode 3
  - Transition from the secure state to Mode 3 is initiated manually by an operator via engaging the facility master operating permissive. Initiation of this transition permits a transition to another mode of operation.
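
The mode sequencing on the three Mode Transition Criteria slides above, modelled as a small state machine. This is an added illustration, not SHINE or Rock Creek Innovations code: every class, field and method name is hypothetical, the withheld Mode 1 to Mode 2 condition is an opaque boolean, and treating removal of the facility master operating permissive as "Mode 3 plus secure state" from any mode is an interpretation of the slides.

```python
from dataclasses import dataclass
from enum import IntEnum


class Mode(IntEnum):
    SOLUTION_REMOVED = 0
    STARTUP = 1
    IRRADIATION = 2
    SHUTDOWN = 3            # Shutdown / Post-Irradiation
    TRANSFER_TO_RPF = 4


@dataclass
class Status:
    """Constructed plant-status inputs; every field name is hypothetical."""
    dump_valves_closed: bool = False
    fill_isolation_valves_closed: bool = False
    togs_mainstream_flow_ok: bool = False     # at or above the low flow limit
    withheld_permissive: bool = False         # Mode 1->2 condition is redacted on the slide
    hvps_breakers_open: bool = False
    safety_actuation_present: bool = False    # automated IU Cell Safety Actuation
    dump_tank_below_low_high: bool = False    # below the low-high level setpoint


# One permissive per source mode, as listed on the normal-sequence slide.
PERMISSIVE = {
    Mode.SOLUTION_REMOVED: lambda s: (s.dump_valves_closed
                                      and s.fill_isolation_valves_closed
                                      and s.togs_mainstream_flow_ok),
    Mode.STARTUP: lambda s: s.fill_isolation_valves_closed and s.withheld_permissive,
    Mode.IRRADIATION: lambda s: s.hvps_breakers_open,
    Mode.SHUTDOWN: lambda s: not s.safety_actuation_present,
    Mode.TRANSFER_TO_RPF: lambda s: s.dump_tank_below_low_high,
}


class ModeController:
    """Holds the IU mode; it changes only through the three methods below."""

    def __init__(self) -> None:
        self.mode = Mode.SOLUTION_REMOVED
        self.master_permissive = True

    @property
    def secure(self) -> bool:
        return self.mode == Mode.SHUTDOWN and not self.master_permissive

    def increment(self, status: Status) -> bool:
        """Operator request: advance exactly one mode if the permissive is met."""
        if not self.master_permissive:        # secure state: no transition allowed
            return False
        if not PERMISSIVE[self.mode](status):
            return False
        self.mode = Mode((self.mode + 1) % len(Mode))
        return True

    def safety_actuation(self) -> None:
        """IU Cell Safety Actuation: any mode goes to Mode 3, no permissive checked."""
        self.mode = Mode.SHUTDOWN

    def set_master_permissive(self, engaged: bool) -> None:
        """Removing the permissive forces Mode 3; re-engaging leaves the secure state."""
        self.master_permissive = engaged
        if not engaged:
            self.safety_actuation()


def demo_trace() -> list:
    """Drive the controller through a constructed sequence and record each step."""
    c, s, trace = ModeController(), Status(), []

    def step(label, accepted):
        trace.append((label, accepted, c.mode.name, c.secure))

    step("increment, nothing confirmed", c.increment(s))
    s.dump_valves_closed = s.fill_isolation_valves_closed = True
    s.togs_mainstream_flow_ok = True
    step("increment 0->1", c.increment(s))
    s.withheld_permissive = True
    step("increment 1->2", c.increment(s))
    c.set_master_permissive(False)            # removed while irradiating
    step("master permissive removed", True)
    step("increment while secure", c.increment(s))
    c.set_master_permissive(True)
    step("increment 3->4", c.increment(s))
    return trace


if __name__ == "__main__":
    for row in demo_trace():
        print(row)
```
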

TRPS Mode of Operation for the Irradiation Unit
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)
Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Engineered Safety Features Actuation System

Monitors variables throughout the SHINE facility, in both the IF and RPF, that are credited in the SHINE safety analysis, but that are NOT specific to an IU

The ESFAS provides continuous protection of the safety functions for which it is responsible; unlike TRPS, functions are NOT mode dependent

The ESFAS provides:
- Three divisions of signal conditioning and trip determination (A, B, and C)
- Two divisions of voting and actuation (A and B)

The ESFAS provides actuation signals to IF and RPF components NOT associated with any IU
- Components include those located in both the IF (e.g., the common portions of the tritium purification system) and the RPF (e.g., the supercell and vacuum transfer system)

The ESFAS does not provide normal control of IF and RPF components; the normal control function is provided by PICS

Engineered Safety Features Actuation System

Safety Actuations provided by the ESFAS are:
- Radiologically Controlled Area (RCA) Isolation
- Supercell Isolation
- Carbon Delay Bed Isolation
- Vacuum Transfer System (VTS) Safety Actuation
- Tritium Purification System (TPS) Isolation
- IU Cell Nitrogen Purge
- Molybdenum Extraction and Purification System (MEPS) [ ]PROP/ECI Isolation
- Extraction Column Alignment Actuation
- Iodine and Xenon Purification and Packaging (IXP) Alignment Actuation
- Dissolution Tank Isolation

ESFAS Architecture

RCA Isolation

RCA Isolation functions to isolate potential sources of radiation throughout the facility upon a high radiation signal in either radiological ventilation zone 1 (RVZ1) or radiological ventilation zone 2 (RVZ2) facility exhaust

The RCA Isolation function:
- Isolates RVZ1 and RVZ2 facility exhaust dampers
- Isolates RVZ2 supply isolation dampers
- Isolates RVZ3 isolation dampers
- Opens RVZ1 and RVZ2 exhaust blower breakers (to shut down exhaust blowers)
- Opens RVZ2 supply blower breakers (to shut down supply blowers)
- Isolates each of the supercell areas
- Provides a VTS Safety Actuation
- Provides a TPS Isolation

RCA Isolation Components

VTS Safety Actuation

VTS Safety Actuation is required to stop the transfer of target solution or other radioactive solutions upon indication of liquid in the VTS piping (potential tank overflow), liquid in the radioactive drain system (RDS) sump tank (potential tank leak), high radiation in the extraction, IXP, or PVVS supercell hot cells, or high radiation in the facility RVZ1 or RVZ2 exhaust (RCA Isolation)

The VTS Safety Actuation stops the transfer of fluid and limits potential sources of liquid ingress to the RDS sump tank by:
- Opening vacuum transfer pump breakers
- Opening vacuum break valves
- Isolating the MEPS eluate and wash block valves
- Isolating the IXP eluate and wash block valves

VTS Safety Actuation Components

Supercell Isolation

Supercell Isolation is required to perform confinement actions for each hot cell of the supercell upon a high radiation signal from the associated hot cell

Supercell Isolation:
- Isolates the associated Supercell hot cell inlet and outlet dampers
- Provides a VTS Safety Actuation (for extraction, IXP, and PVVS hot cells only)
- Provides MEPS [ ]PROP/ECI Isolation (for extraction hot cells only)

Supercell Isolation (Extraction Hot Cell)
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)
Export Controlled Information - Withheld from public disclosure under 10 CFR 2.390(a)(3)

Additional ESFAS Safety Actuations

- Dissolution Tank Isolation is required to close radioisotope process facility cooling system (RPCS) supply cooling valves and supply and exhaust ventilation dampers on indication of high level in the target solution preparation system (TSPS) dissolution tank to prevent overflow of the tank into the uranium handling glovebox and isolate the glovebox.
- MEPS [ ]PROP/ECI Isolation functions to close the associated extraction [ ]PROP/ECI isolation valves and open the extraction feed pump breakers on indication of target solution leakage into the [ ]PROP/ECI, high radiation in the affected extraction cell RVZ1 exhaust duct, or liquid detection in the RDS sump tank (indicative of a potential leak of fluid inside the extraction cell), or in the event of an RCA Isolation.
- Extraction Column Alignment Actuation functions to deenergize the associated extraction hot cell three-way valves and extraction column eluent valve to prevent inadvertent misdirection of target solution.
- IXP Alignment Actuation functions to deenergize the IXP three-way valves and recovery column eluent valve to prevent inadvertent misdirection of target solution.
- Carbon Delay Bed Isolation functions to isolate the associated carbon delay bed group upon indication of a fire within that bed, detected by elevated carbon monoxide concentration.
- RPF Nitrogen Purge is required to mitigate the loss of hydrogen recombination capability in RPF tanks by providing N2PS nitrogen sweep gas to tanks upon an indication of loss of PVVS.
- IU Cell Nitrogen Purge is required to provide N2PS nitrogen sweep gas to one or more IU(s) on a loss of normal hydrogen recombination capability by opening the N2PS IU cell header valves.
- TPS Isolation functions to deenergize and close valves associated with the confinement boundary of the TPS glovebox and dampers associated with the TPS room upon indication of high tritium concentration within the glovebox or in the exhaust of the glovebox stripper system.

ESFAS Variables

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| PVVS Flow | 5.0 SCFM | 7.1 SCFM | Yes |
| RVZ1 RCA Exhaust | 5 times background radiation | 5 times background radiation | |
| RVZ2 RCA Exhaust | 5 times background radiation | 5 times background radiation | |
| RVZ1 Supercell Exhaust | 5 times background radiation | 5 times background radiation | |
| MEPS [ ]PROP/ECI Conductivity | 8.8 micromho/cm | 8.8 micromho/cm | |
| PVVS Carbon Delay Bed Carbon Monoxide | 20 ppm | 20 ppm | |
| VTS Vacuum Header Liquid Detection Switch | Active | Active | |
| RDS Liquid Detection Switch | Active | Active | |

ESFAS Variables

| Variable | Analytical Limit | Setpoint | LSSS? |
|---|---|---|---|
| TPS Exhaust to Facility Stack Tritium | 80 Ci/m3 | 70 Ci/m3 | |
| TPS Glovebox Tritium | 150 Ci/m3 | 139 Ci/m3 | |
| TRPS IU Cell Nitrogen Purge | Active | Active | |
| MEPS Three-way Valve Supplying Position Indication | Supplying | Supplying | |
| IXP Three-Way Valve Supplying Position Indication | Supplying | Supplying | |
| TSPS Dissolution Tank Level | 100% | 98% | |
| UPSS External Power Signal | Loss of power, actuation delayed by 180 seconds | Loss of power, actuation delayed by 180 seconds | |

Safety-Related Control System Design Criteria and Design Basis

Safety-Related Control System Design Criteria

Access Control (TRPS and ESFAS Criteria 1 - 3)
- TRPS and ESFAS control components are located within lockable cabinets
- TRPS and ESFAS programmable logic is developed within the Rock Creek Isolated Development Network (IDN)

Software Requirements Development (TRPS and ESFAS Criteria 4 - 13)
- TRPS and ESFAS requirements are defined in SHINE functional requirement specifications, and transmitted to RCI for incorporation into software development lifecycle process, which includes provisions for:
  - Configuration control
  - Verification and validation
  - Requirements traceability
- Programmable logic is maintained on the IDN
- RCI maintains a SHINE-approved quality assurance program

Safety-Related Control System Design Criteria

General Instrumentation and Control Design (TRPS and ESFAS Criteria 14 and 15)
- Provided power from reliable UPS power source with two-hour post loss of off-site power supply
- Implement a discrete level logic circuit downstream from the digital logic to accommodate manual actuation

Single Failure (TRPS Criteria 16 and 17 and ESFAS Criteria 16 - 18)
- Three divisions of signal conditioning and trip determination
- Two divisions of actuation logic
- Nonsafety inputs are interlocked at the discrete logic level by a safety-related switch
- Nonsafety inputs use a binary address with a mirrored complement scheme such that a single incorrect bit cannot address the incorrect module
- A unique mode input is provided for each Division A and Division B for operator transition of the modes in TRPS
- Any monitoring only inputs are processed on an independent input submodule and not placed on the safety data buses

Safety-Related Control System Design Criteria

Independence (TRPS Criteria 18 - 26 and ESFAS Criteria 19 - 27)
- Physical separation
- Electrical isolation
- Communications independence
- Functional independence

Prioritization of Functions (TRPS Criterion 27 and ESFAS Criterion 28)
1. Automatic Safety Actuation and Manual Safety Actuation
2. PICS nonsafety control signals

Fail Safe (TRPS Criterion 28 and ESFAS Criterion 29)
- Controlled components are designed to go to their deenergized state (defined safe state) on loss of power

Safety-Related Control System Design Criteria

Setpoints (TRPS Criteria 29 - 32 and ESFAS Criteria 30 - 33)
- Setpoints are based on a documented methodology

Operational Bypass, Permissives, and Interlocks (TRPS Criteria 33 - 42 and ESFAS Criteria 34 - 43)
- An out-of-service switch is provided to take a channel or group of channels into a maintenance state
- When the out-of-service switch is active, the position of a trip/bypass switch is used in place of the channel output
- In TRPS, permissives are used to prevent transition between modes when system status does not meet mode transition criteria
- In TRPS, the current mode determines which safety channels are interlocked when not needed (e.g., low-high dump tank level IU Cell Safety Actuation is not needed in the post-irradiation mode)

Safety-Related Control System Design Criteria

Completion of a Protective Action (TRPS Criteria 43 - 45 and ESFAS Criteria 44 - 46)
- Actuation logic is designed so that after an automatic or manual actuation, the output of the actuation logic cannot change until a new status (position) is requested
- Position indication is used to prevent a change of the status of the actuation logic until the protective action is complete (assuming no safety actuation is still present)

Equipment Qualification (TRPS Criterion 46 and ESFAS Criterion 47)
- Rack mounted equipment is installed in a mild environment and is qualified to the environment
- Equipment is tested to appropriate standards for EMI/RFI

Surveillance (TRPS Criteria 47 - 49 and ESFAS Criteria 48 - 50)
- End to end coverage of the platform is provided by built in self-testing apart from the discrete priority logic which requires periodic surveillance
- The platform supports methods for channel checks

Safety-Related Control System Design Criteria

Classification and Identification (TRPS Criterion 50 and ESFAS Criterion 51)
- Components are uniquely labeled and identified in accordance with SHINE identification and classification procedures.

Human Factors (TRPS Criteria 51 - 53 and ESFAS Criteria 52 - 54)
- Manual actuation is provided for each automatic actuation
- Indication and diagnostic information in the platform is transmitted to the PICS HSI

Quality (TRPS Criteria 54 and 55 and ESFAS Criteria 55 and 56)
- ANSI/ANS 15.8-1995 as well as various other industry standards were used to ensure quality of the TRPS and ESFAS systems

TRPS/ESFAS Status
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Process Integrated Control System

The PICS is a collection of instrumentation and control equipment located throughout the facility.

PICS supports:
- Monitoring,
- Indication, and
- Control of various systems located in both the IF and RPF.

A portion of the PICS supports the main control board and operator workstations in the facility control room by receiving operator commands and collecting and transmitting facility information to the operators.

The PICS is used to monitor parameters and perform manual and automatic actions during each of the operational modes of an IU.

Process Integrated Control System

PICS interfaces with TRPS and ESFAS:
- PICS receives indication and diagnostic information through uni-directional transmission from the TRPS and ESFAS.
- PICS provides a hardwired parallel interface from the PICS control system to the actuation and priority logic to enable the operator to reset the state of the TRPS or ESFAS following a safety actuation.
  - Interface is provided through a binary addressing scheme that uses a mirrored complement to prevent a single failure of the interface from addressing the incorrect priority logic.
- Sensor inputs used by the TRPS or ESFAS are provided to the PICS through a monitoring and indication module in the safety system using an isolated communications path, which is separate and independent of the safety data bus.
- PICS uses a hardwired interface to the TRPS to provide a discrete input to incrementally change the mode of an IU.
- Control components that are directly controlled by both the TRPS and the PICS are configured with an in-series hardware configuration so that the TRPS may override PICS component control.
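
The mirrored-complement addressing mentioned in the PICS interface list above and under the Single Failure criteria, checked exhaustively for every address and every one-bit fault. This is an added illustration, not the HIPS design: the 4-bit width, the field layout (address followed by its bitwise complement) and all function names are assumptions.

```python
ADDR_BITS = 4                      # assumed width; the slides do not state one
MASK = (1 << ADDR_BITS) - 1


def encode(addr: int) -> int:
    """Build the interface word: address in the high field, its complement in the low."""
    if not 0 <= addr <= MASK:
        raise ValueError("address out of range")
    return (addr << ADDR_BITS) | (~addr & MASK)


def decode(word: int):
    """Return the address only if the two fields are exact complements, else None."""
    addr = (word >> ADDR_BITS) & MASK
    comp = word & MASK
    return addr if (addr ^ comp) == MASK else None


def module_selected(word: int, my_addr: int) -> bool:
    """A module responds only to a valid word that carries its own address."""
    return decode(word) == my_addr


def single_bit_misaddress_count() -> int:
    """One-bit faults on the complemented word that select a *different* module."""
    hits = 0
    for addr in range(MASK + 1):
        good = encode(addr)
        for bit in range(2 * ADDR_BITS):
            got = decode(good ^ (1 << bit))
            if got is not None and got != addr:
                hits += 1
    return hits


def plain_binary_misaddress_count() -> int:
    """Same fault model on a bare binary address: every flip lands on another module."""
    return sum(1 for addr in range(MASK + 1)
               for bit in range(ADDR_BITS)
               if (addr ^ (1 << bit)) != addr)


def paired_double_bit_misaddress_count() -> int:
    """Residual case: bit i flipped in both fields still passes the complement check."""
    hits = 0
    for addr in range(MASK + 1):
        good = encode(addr)
        for bit in range(ADDR_BITS):
            got = decode(good ^ (1 << bit) ^ (1 << (bit + ADDR_BITS)))
            if got is not None and got != addr:
                hits += 1
    return hits


if __name__ == "__main__":
    print("single-bit faults that misaddress (complemented):", single_bit_misaddress_count())
    print("single-bit faults that misaddress (plain binary):", plain_binary_misaddress_count())
    print("paired double-bit faults that misaddress:", paired_double_bit_misaddress_count())
    print("all lines low accepted:", decode(0) is not None)
```

The paired double-bit count shows what "single" buys: the check rejects every one-bit fault and stuck-all-low or stuck-all-high interfaces, while a fault that hits the same bit position in both fields is outside what the scheme claims to cover.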

Process Integrated Control System

The PICS provides a human system interface for the operators to interact and control the various processes and systems that interface with the PICS.

There are two operator workstations located in the facility control room, providing operator controls for irradiation process and for transferring target solution through the facility. There is also a supervisor workstation in the facility control room for support of the facility operators.

Four limited functionality workstations are located in the radiologically controlled area to assist in operations where manual processes are prevalent (e.g., target solution preparation, supercell operations, tritium purification operations, and radioactive liquid waste immobilization).

The PICS provides a main control board with static displays that provide a view only interface of the variables identified as important to the safe operation of the SHINE facility.

Control Room Layout
Security-Related Information - Withheld Under 10 CFR 2.390(d)

Process Integrated Control System Status
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

Human Factors Engineering

SHINE has developed a Human Factors Engineering (HFE) program to guide the design and development of I&C systems.

Guidelines have been developed to be used in evaluating I&C designs.

A preliminary HFE evaluation of the control room layout was completed.

SHINE Medical Technologies - Rock Creek Innovations Partnership

- Partnership for the design and implementation of the SHINE safety-related I&C systems
- Rock Creek Innovations has architected Field Programmable Gate Array (FPGA) based safety-related I&C platforms with expertise focused on the design, licensing, and deployment in multiple protection system applications
- Highly Integrated Protection System (HIPS)
  - Hybrid Analog/Digital System with FPGA logic on all modules implementing multiple deterministic finite state machines (no executable software)
  - The HIPS Topical Report has been approved by the NRC and the Advisory Committee on Reactor Safeguards (ACRS) for use in NuScale's safety-related I&C systems

Licensing of the HIPS for the SHINE Facility

- SHINE's use of the HIPS is described in the FSAR following the format and content guidance of the draft Chapter 7 Interim Staff Guidance (ISG) augmenting NUREG-1537
- SHINE chose not to incorporate the Safety Evaluation (SE) of the NuScale Topical Report (TR) 1015-18653 into the SHINE licensing basis, as the SE evaluated the suitability of the platform against nuclear power plant-specific standards (i.e., IEEE Standard 603-1991 and IEEE Standard 7-4.3.2-2003)
- Accordingly, an application-specific action item evaluation was not incorporated into the SHINE licensing basis
- Section 4.2 of the SE requires an application-specific action item evaluation be performed when requesting NRC approval of the HIPS platform for safety-related applications in nuclear power plants

HIPS Platform Design Approach

The highly integrated protection system (HIPS) is designed to provide a robust platform for safety-related and important-to-safety applications

Key design concepts incorporate the following fundamental design principles:
- independence
- redundancy
- diversity and defense-in-depth (D3)
- predictability and repeatability

Hybrid analog and digital system with field programmable gate array (FPGA) programmable logic on all modules implementing multiple deterministic finite state-machines

HIPS Module Types

The HIPS platform consists of the HIPS chassis and a system of modules that are interchangeable between chassis

| Module Name | Abbreviation | Description/Use |
|---|---|---|
| Safety Function Module | SFM | Signal conditioning and actuation determination of safety function(s). Provides scaled value of input process to nonsafety controls and safety display for monitoring purposes (FPGA and analog). |
| Communications Module | CM | Controls, collects, and transmits information between HIPS modules or to external components (FPGA and analog). |
| Equipment Interface Module | EIM | Provides final equipment actuation output and includes priority logic circuitry for automatic and manual actuation inputs (FPGA and analog). |
| Hardwired Module | HWM | Converts hardwired contact inputs into logic levels for direct connection on dedicated backplane traces to a particular module as per the detail application design (analog only). |

TRPS Safety Data Paths (Animation)
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

TRPS Div C Chassis Safety Data Work Cycle (Animation)
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

TRPS Div A Voting Safety Data Work Cycle (Animation)
Proprietary Information - Withheld from public disclosure under 10 CFR 2.390(a)(4)

HIPS Development