ML20057F952
Site: SHINE Medical Technologies
Issue date: 03/06/2020
From: Steven Lynch, NRC/NRR/DANU/UNPL
To: Piefer G, SHINE Medical Technologies
Shared Package: ML20057F949
Download: ML20057F952 (8)
OFFICE OF NUCLEAR REACTOR REGULATION
REGULATORY AUDIT QUESTIONS REGARDING INSTRUMENTATION AND CONTROL SYSTEMS DESCRIBED IN OPERATING LICENSE APPLICATION
CONSTRUCTION PERMIT NO. CPMIF-001
SHINE MEDICAL TECHNOLOGIES, LLC
SHINE MEDICAL ISOTOPE PRODUCTION FACILITY
DOCKET NO. 50-608
By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letter dated November 14, 2019 (ADAMS Accession No. ML19337A275), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities.
During the NRC staff's review of the SHINE operating license application, questions have arisen related to SHINE's instrumentation and control (I&C) systems for which additional information is needed to determine that there is reasonable assurance of adequate protection of public health and safety and that applicable regulatory requirements are met. These questions identify additional information needed for the NRC staff to continue its review of the SHINE I&C systems and may become formal requests for additional information following the March 16 through March 19, 2020, regulatory audit.
Regulatory Basis and Applicable Guidance Documents
The SHINE I&C systems, as described in the SHINE operating license application, are being evaluated using the following regulations in 10 CFR and guidance:
- Section 50.34(b)(2) of 10 CFR, which requires a description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.
- NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content, issued February 1996 (ADAMS Accession No. ML042430055), including:
o Section 3.1, Design Criteria, which states that the design criteria should include applicable standards, guides, and codes; NRC regulatory guides; and national, State, and local building, plumbing and electrical codes.
o Section 7.2.1, Design Criteria, which states that the applicant should discuss the criteria for developing the design bases for the I&C systems. The basis for evaluating the reliability and performance of the I&C systems should be included.
- NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria, issued February 1996 (ADAMS Accession No. ML042430048)
Audit Questions
Audit Question 1 - Section 3.1, Design Criteria
Section 3.1 of the SHINE final safety analysis report (FSAR) in Chapter 3, Design of Structures, Systems, and Components, identifies the design criteria for I&C systems in the SHINE facility.
Generally, Chapter 7, Instrumentation and Control Systems, of the FSAR should include the description of how each I&C system meets the design criteria. However, Chapter 7 of SHINE's FSAR does not describe how the I&C system designs implement SHINE's design criteria.
Further, Chapter 7 of the FSAR includes the design bases for each I&C system. Generally, an FSAR should describe the relationship between the design criteria and design bases to explain how the system was designed and built. However, Chapter 7 of SHINE's FSAR does not describe the relation of the design bases to the design criteria in Chapter 3, as illustrated in the following two examples:
- Example 1 - Section 3.1 Criterion 15, Protection system reliability and testability, which is applicable to the Target Solution Vessel (TSV) Reactivity Protection System (TRPS), the Neutron Flux Detection System (NFDS), and the Engineered Safety Features Actuation System (ESFAS), states:
Criterion 15 - Protection system reliability and testability
The protection systems are designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection systems are sufficient to ensure that:
(1) no single failure results in loss of the protection function, and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated.
The protection systems are designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.
Section 7.4.4.9, Operational Bypass, Permissives, and Interlocks, in the FSAR identifies functions that will be bypassed during operation and references Section 7.1.4, Highly Integrated Protection System [HIPS] Design, for information on the maintenance bypass philosophy for the SHINE facility. However, the FSAR does not describe how this philosophy is implemented for the functions identified. Further, the approach used for the HIPS design was for a system architecture (4 divisions) different from the architecture selected for the NFDS, TRPS, and ESFAS (3 divisions). The FSAR should describe how the logic configured in the safety systems (i.e., NFDS, TRPS, and ESFAS) will treat a channel when it is bypassed or out of service (OOS), as well as the impact this would have on the safety logic and reliability of the system.
- Example 2 - Section 3.1 Criterion 18, Separation of protection and control systems, which is applicable to TRPS, NFDS, and ESFAS, states:
The protection system is separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems is limited to assure that safety is not significantly impaired.
Chapter 7 of the FSAR identifies the I&C systems for the SHINE facility. Several sections in this chapter imply that common components (e.g., field sensors, valves, etc.) are used or shared between the safety systems (i.e., TRPS and ESFAS) and the control system (i.e., the process integrated control system (PICS)). For example, a signal from a field sensor is used by both the safety system and the control system. Another example is that a signal to close a valve can be generated by both the PICS (to control volume) and the TRPS (to isolate the tank). In these examples, the field sensor or the valve is shared by the control system and the safety system.
Based on the description provided in Chapter 7, it is not clear what components are shared.
Further, for shared components, it is not clear how the systems will meet Section 3.1, Criterion 18, Separation of protection and control systems. For components that are shared between systems, the FSAR should identify these components and describe how I&C systems meet Criterion 18.
(a) Describe how each I&C system meets each design criterion listed in Section 3.1.
(b) Describe the relation of the design bases to the design criteria listed in Section 3.1.
Audit Question 2 - I&C System-Specific Design Criteria
Chapter 7 of the FSAR identifies additional system-specific design criteria for each I&C system (e.g., see: 7.4.2, Design Criteria). In addition, Chapter 7 describes the design bases (e.g., see: 7.4.3, Design Basis) and design attributes (e.g., see: 7.4.4, Design Attributes) for each I&C system. The descriptions provided in the design attributes do not describe the design in sufficient detail to permit understanding of the system designs and their relationship to safety evaluations, as illustrated in the following three examples:
- Example 1 - Section 7.3.1.3, Fail Safe, states, PICS Criterion 5 - The PICS shall assume a defined safe state with loss of electrical power to the PICS. Section 7.6.2.5, Fail Safe, states, PICS Criterion 20 - The operator workstations and main control board shall be designed to assume a safe state on loss of electrical power or exposure to adverse environments. Chapter 7 does not define the safe state of the PICS and the operator workstations and main control board. Chapter 7 should describe the defined safe state for the PICS, operator workstations, and main control board when power is lost.
- Example 2 - Criterion 15, Protection system reliability and testability, in Chapter 3 requires that redundancy and independence designed into the protection systems are sufficient to ensure that no single failure results in loss of the protection function. The design attributes should describe how this design criterion is implemented in the safety system design. The description in Chapter 7 only states that the TRPS and ESFAS consist of redundant divisions that use physical separation and isolation. The design basis for redundancy is explained in Section 7.2.2.2. The FSAR should describe how no single failure will affect the safety system, so that the safety system can maintain the safety limits (SLs) described in Chapter 13, Accident Analysis, of the FSAR.
- Example 3 - Criterion 15 in Chapter 3 requires adequate reliability or redundancy to protect against the loss of a protection function when a component is removed from service. Further, Section 7.2.2.2.1, Redundancy in the Target Solution Vessel Reactivity Protection System and Engineered Safety Feature Actuation System, states, in part:
The safety I&C system platform design includes redundancy in the areas of power, module, communication, equipment interface, and platform.
These features ensure that no single failure results in loss of the protection function, and removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. [emphasis added]
However, the design basis and design attributes sections in Chapter 7 do not include the design detail and descriptions needed for the NRC staff to determine how minimum redundancy is maintained and that the single failure criterion is met when a component or channel is removed from service. The description in Chapter 7 should state how equipment, components, or channels are removed from service so as to maintain the safety function and ensure operability of at least the minimum protection for all reactor operations.
For each design criterion identified in Chapter 7 for all I&C systems, describe how the design implements (or meets) system-specific design criteria.
Audit Question 3 - Codes and Standards
Chapter 7 of the FSAR includes a list of codes and standards that SHINE applied to the design of each I&C system (e.g., for the TRPS design, this list is in Section 7.4.4.15, Quality) and another list in Section 7.9, References. Codes and standards are used to ensure that the system was designed using accepted engineering and industrial practices. However, it is not clear how SHINE used these codes and standards for the design of the I&C systems. Chapter 7 should describe how codes and standards were used in the design of the I&C systems. For example, Chapter 7 could state that SHINE used the guidance in IEEE Standard 344 to qualify the TRPS as a Category 1 seismic device. During the audit, the NRC staff will verify how the system design satisfies applicable standards and may request additional docketed information, if necessary.
Describe how each of the codes or standards listed in the FSAR is used to design each of the I&C systems, including whether it is applied for compliance or as guidance.
Audit Question 4 - I&C Technical Specifications
The proposed technical specifications (TSs) in the application should identify the safety systems necessary to protect the facility when a postulated accident occurs. The proposed TSs should include: Limiting Conditions for Operation (LCOs), Limiting Safety System Settings (LSSSs), and surveillance requirements (SRs). LCOs are the lowest functional capability or performance levels (e.g., LSSSs) of equipment required for safe operation of the facility. The SRs should identify the tests performed on a predetermined periodicity to verify that the required safety system is operating as assumed in the accident analyses and within the licensing basis, or that the facility is operating outside an LCO. The TSs should be based on the analysis provided in Chapter 13 of the FSAR. However, the relationship between LCOs, LSSSs, and SRs is not clear and appears to be inconsistent in some cases between the respective descriptions in Chapters 7 and 13, as illustrated in the following two examples:
- Example 1 - Table 7.4-1, TRPS Monitored Variables, of Chapter 7 identifies the Analytical Limit, Range, Accuracy, and Instrument Response Time, for several monitored variables. However, in several instances the values (e.g., Analytical Limits (ALs), LSSS, Instrument Range, etc.) identified for I&C systems in Chapter 7, SHINE TS, and Chapter 13 are not consistent.
- Example 2 - TS Section 2.2, Limiting Safety System Settings, lists nine LSSSs and provides a basis for each. The basis for LSSS 2.2.1 includes a description of the associated AL, and makes references to two FSAR sections without clearly stating what limiting event was used to establish the AL. The FSAR identifies the limiting postulated accident applicable to each mode of operation, initial conditions, and boundary conditions. (This information should be consistent with the analysis provided in Chapter 13 of the FSAR.) This information is then used to identify safety controls that can prevent or mitigate the consequences of the postulated accident and the variables that will be monitored to provide protective actions. This information is also used to identify the safety associated with each variable and its LSSSs.
Chapter 7 of the FSAR could identify the specific event associated with each AL. The bases could then reference the specific part of Chapter 7 that includes the appropriate reference to the analysis of the limiting event. Note: The bases should not include material that is not elsewhere in the FSAR (since it is not evaluated by the NRC staff), but may include new summaries of material that is otherwise included in FSAR.
(a) Clarify inconsistencies among the instrument range, ALs, SLs and associated LSSSs in Chapters 7 and 13 of the application, as well as the TSs. The FSAR should include sufficient information to conclude that SLs are protected, and that LSSS and LCO settings were established through the analyses in Chapter 13.
(b) For the safety functions, verify and update the description in the FSAR to be consistent with the description in the bases for TS for LSSSs.
Audit Question 5 - HIPS Topical Report
Chapter 7 describes the HIPS platform for the TRPS and ESFAS. However, the FSAR appears to contain inconsistent descriptions on the use of the HIPS and/or implies how the HIPS platform will be used to implement the design of the TRPS and ESFAS, as illustrated in the following two examples:
- Example 1 - Section 7.9 of the FSAR references the NRC-reviewed and generically approved HIPS platform topical report, but the FSAR contains no explicit description of the conformance or exception claims to the HIPS platform design and the site-specific actions in the topical report; therefore, the degree to which the platform design and operation in the topical report are being applied to the TRPS and ESFAS is not clear.
- Example 2 - The HIPS platform topical approved by NRC describes a system with four instrument channels and how the trip/bypass and OOS switches are safely used; however, Chapter 7 only includes three instrument channels and includes no superseding descriptions.
(a) Clarify how the TRPS and ESFAS use the generically approved HIPS platform. If the application intends to credit the NRC-approved HIPS platform, then:
i. Describe how the Application Specific Action Items identified for the HIPS platform are dispositioned, including those that are not applicable, for the TRPS and ESFAS to be used in the SHINE application.
ii. Describe the differences between the system architecture approved for the HIPS platform and the architecture proposed for the TRPS and ESFAS, and explain its acceptability for the SHINE application.
(b) Provide a description of the system design, suitability and adequacy of the HIPS for performing its functions and conformance with the design criteria and bases. This question is similar to the request in Audit Question 1, but in this case, SHINE should indicate the specific design or attributes in the HIPS platform that will meet each design criterion.
Audit Question 6 - Systems Controlled by PICS
The FSAR states that the PICS will monitor, control, and operate I&C systems in the Irradiation Facility (IF) and the radioisotope production facility (RPF) portions of the SHINE facility.
However, the FSAR does not clearly identify all I&C systems controlled by PICS (i.e., Figure 7.3-1, Process Integrated Control System Interfaces, in the FSAR refers to IF Process Systems, RPF Process Systems, and Other I&C Systems). Further, the FSAR only identifies systems in the IF that will interface with the PICS, but not those in the RPF.
(a) Identify all I&C systems that the PICS will monitor, control, and operate in the SHINE facility.
(b) Describe how the PICS will operate the SHINE facility and, in case of its failure, the safety controls included to mitigate or prevent an accident.
(c) Provide the system architecture that shows all systems that interface or interact with PICS, not only those installed in the IF.
Audit Question 7 - Definitions
The FSAR uses the terms Channel and Division. However, the FSAR does not clearly define or distinguish what constitutes a channel and a division. For example, Section 7.2.5.3, Access Control, states, in part:
Each division of TRPS and ESFAS systems has a nonsafety-related MWS for the purpose of online monitoring and offline maintenance and calibration. The HIPS platform MWS supports online monitoring through one-way isolated communication ports. The MWS is used to update setpoints and tunable parameters in the HIPS chassis when the safety function is out of service.
Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function. A temporary cable and OOS switch are required to be activated before any changes can be made to an SFM. When the safety function is removed from service, either in bypass or trip, an indication is provided by the HIPS platform that can be used to drive an alarm in the facility control room to inform the operator. Adjustments to parameters are performed in accordance with facility technical specifications, including any that establish the minimum number of redundant safety channels that must remain operable for the applicable operating mode and conditions.
[emphasis added]
This paragraph seems to use the terms channel and division interchangeably.
Define what constitutes a channel and a division.
Audit Question 8 - Channel Operability and Bypass
10 CFR 50.36(c)(2) states that the TSs will include LCOs. 10 CFR 50.36(c)(2)(i) defines LCOs as the lowest functional capability or performance levels of equipment required for safe operation of the facility. 10 CFR 50.36(a)(1) states, in part, A summary statement of the bases or reasons for such specifications, other than those covering administrative controls, shall also be included in the application, but shall not become part of the technical specifications.
Criterion 15 in Chapter 3 requires adequate reliability or redundancy to protect against the loss of a protection function when a component is removed from service. The design of the TRPS states that it meets the single failure criterion by having three independent channels of instrumentation (any two of which can initiate a protective action). In other words, any single failure in the TRPS would not prevent a protective action from being implemented. However, the TS LCOs only require two channels of instrumentation to be operable (see TS LCO 3.2.4); this means that the licensee would allow the TRPS to be operated indefinitely with one channel inoperable (immediate shutdown is specified if only one is operable).
TS LCO 3.2.4 states:
Note - Any single required instrumentation Channel may be inoperable while the variable is in the condition of applicability for the purpose of performing a Channel Check or Channel Calibration.
The basis for TS LCO 3.2.4 states, in part:
The NFDS provides indication of neutron flux and TSV power during IU operations, as described in FSAR Section 7.8. The NFDS signals provide input to TRPS functions, as described in FSAR Subsection 7.4.5. Three Channels of NFDS are provided for each of the variables in Table 3.2.4, one Channel for each of Divisions A, B, and C. Only two Channels are required to be Operable to provide redundancy to protect against a single failure. When all three Channels are Operable, actuation of the safety function occurs on 2-out-of-3 voting logic.
When any single Channel is inoperable, the inoperable Channel is required to be placed in trip, effectively changing the voting logic to 1-out-of-2, preserving the single failure protection.
Any single Channel may be placed in bypass during performance of a required SR, effectively changing the voting logic to 2-out-of-2 (with two other Channels Operable) or 1-out-of-1 (with one other Channel Operable).
However, the required actions in the TS do not include the requirement that, When any single Channel is inoperable, the inoperable Channel is required to be placed in trip, effectively changing the voting logic to 1-out-of-2, preserving the single failure protection. Furthermore, TS LCO 3.2.4 and its associated basis provide no restrictions on the length of time that operation in this condition is allowed, nor do they explain why unrestricted operation in a condition where the single failure criterion is not met provides adequate safety.
Based on this information, it appears that when a single channel is in bypass, the system cannot meet the single failure criterion. Further, because this LCO and its associated basis provide no restrictions on the length of time that operation in this condition is allowed, the system can operate this way, in a condition where the single failure criterion is not met, for an unlimited duration.
Therefore, the NRC staff cannot evaluate how this unrestricted operation provides adequate safety to shut down the IF in the event of a single failure within the system.
Therefore, it seems the TS LCO is inconsistent with the description in the associated TS basis.
(a) Verify and update Chapter 7 and the proposed TS to clarify when a single channel is operable.
(b) Describe how placing a channel in bypass (reducing the number of operable channels) would affect the voting logic and preserve the single failure criterion.
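The following Python model is an added example, not part of this NRC document or of SHINE's application or the HIPS platform. It illustrates the voting-logic reasoning in Audit Question 8 (and the bypass/out-of-service treatment asked about under Criterion 15 in Audit Question 1, Example 1): it applies the two rules stated in the quoted TS LCO 3.2.4 basis, that a channel placed in trip supplies a standing trip vote and a channel placed in bypass is removed from the vote, derives the effective k-out-of-n logic for any combination of three channel states, and checks the single failure criterion exhaustively by failing each voting channel in turn. The function names, the "spare voter" closed form, and the three-channel, two-trip configuration are assumptions made for the illustration.

```python
"""Added example: k-out-of-n voting with channel trip and bypass states.

Assumptions (not taken from SHINE's design): three channels, nominal
2-out-of-3 logic, and the two rules quoted from the TS LCO 3.2.4 basis.
"""
from itertools import product

OPERABLE, TRIPPED, BYPASSED = "operable", "tripped", "bypassed"
STATES = (OPERABLE, TRIPPED, BYPASSED)


def effective_logic(states, m=2):
    """Return (k, n): k trip votes still required from n channels still voting.

    Rules from the quoted TS basis:
      - a channel placed in trip is a standing trip vote  (k decreases by one),
      - a channel placed in bypass leaves the vote         (n decreases by one).
    """
    standing_trips = sum(s == TRIPPED for s in states)
    n = sum(s == OPERABLE for s in states)
    k = max(m - standing_trips, 0)
    return k, n


def actuates(states, detections, m=2):
    """True if the protective action occurs.

    detections[i] says whether channel i's sensor/logic sees the trip
    condition; it is ignored for channels that are tripped or bypassed.
    """
    k, _ = effective_logic(states, m)
    live_trips = sum(1 for s, d in zip(states, detections) if s == OPERABLE and d)
    return live_trips >= k


def single_failure_tolerant(states, m=2):
    """Exhaustive single failure check (Criterion 15, protection function side).

    With a real demand present on every channel, the failure of any ONE
    voting channel to trip must not prevent actuation.  Returns False if the
    function is already unavailable before any failure (e.g. two bypassed).
    """
    all_detect = [True] * len(states)
    if not actuates(states, all_detect, m):
        return False
    for i, s in enumerate(states):
        if s != OPERABLE:
            continue
        detections = list(all_detect)
        detections[i] = False  # this voting channel fails to trip on demand
        if not actuates(states, detections, m):
            return False
    return True


def spare_voter_rule(states, m=2):
    """Closed form (an assumption to be checked): the function survives one
    failed voter iff a spare voter exists (n - k >= 1) or it has already
    actuated (k == 0)."""
    k, n = effective_logic(states, m)
    return k == 0 or n - k >= 1


def cross_check(channels=3, m=2):
    """Compare the closed form against the brute-force check for every
    combination of channel states; True if they never disagree."""
    for states in product(STATES, repeat=channels):
        if spare_voter_rule(states, m) != single_failure_tolerant(states, m):
            return False
    return True


def assess(states, m=2):
    k, n = effective_logic(states, m)
    return {"logic": f"{k}-out-of-{n}",
            "single_failure_tolerant": single_failure_tolerant(states, m)}


if __name__ == "__main__":
    # The four configurations named in the TS basis, plus two degraded ones.
    for cfg in [(OPERABLE, OPERABLE, OPERABLE),      # 2-out-of-3
                (TRIPPED, OPERABLE, OPERABLE),       # 1-out-of-2
                (BYPASSED, OPERABLE, OPERABLE),      # 2-out-of-2
                (BYPASSED, TRIPPED, OPERABLE),       # 1-out-of-1
                (BYPASSED, BYPASSED, OPERABLE),      # function unavailable
                (TRIPPED, TRIPPED, OPERABLE)]:       # already actuated
        print(cfg, assess(cfg))
    print("closed form agrees with brute force:", cross_check())
```

Running the module reproduces the staff's observation: 2-out-of-3 and 1-out-of-2 (inoperable channel placed in trip) tolerate a single failure, while 2-out-of-2 and 1-out-of-1 (a channel in bypass) do not, because every remaining voter is required. The brute-force check is the one to trust; the closed form is included only to show that the "one spare voter" intuition matches it for all 27 three-channel state combinations.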