ML21130A313
| ML21130A313 | |
| Person / Time | |
|---|---|
| Site: | SHINE Medical Technologies |
| Issue date: | 05/12/2021 |
| From: | Steven Lynch NRC/NRR/DANU/UNPL |
| To: | |
| Lynch S | |
| Shared Package | |
| ML21130A312 | List: |
| References | |
| Download: ML21130A313 (8) | |
Text
OFFICE OF NUCLEAR REACTOR REGULATION REGULATORY AUDIT TOPICS REGARDING INSTRUMENTATION AND CONTROL SYSTEMS DESCRIBED IN OPERATING LICENSE APPLICATION CONSTRUCTION PERMIT NO. CPMIF-001 SHINE MEDICAL TECHNOLOGIES, LLC SHINE MEDICAL ISOTOPE PRODUCTION FACILITY DOCKET NO. 50-608 By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027),
October 30, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264),
and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities.
To support the review of the SHINE operating license application, the NRC staff will conduct a virtual regulatory audit related to the SHINE instrumentation and control systems on May 12, 2021. The specific topics below identify areas where additional information is needed for the NRC staff to continue its review of the SHINE instrumentation and control systems topics and may become formal requests for additional information following the regulatory audit.
SHINEs implementation of the highly integrated protection system (HIPS) is being used for the target solution vessel reactivity protection system (TRPS) and engineered safety features actuation system (ESFAS). Confirmatory information is needed to ensure there is reasonable assurance of adequate protection of public health and safety and that applicable regulatory requirements are met. This regulatory audit is an opportunity for the NRC staff to improve its understanding of the HIPS platform design, and its application in TRPS and ESFAS, as proposed in the SHINE final safety analysis report (FSAR). The NRC staff intends to implement audits for other application review areas, as appropriate, such as the TRPS operation, ESFAS operation, PICS, and other systems, as appropriate.
Regulatory Basis and Applicable Guidance Documents SHINE instrumentation and control systems, as described in the SHINE operating license application, are being evaluated using the following regulations in 10 CFR:
Enclosure 2
Section 50.34, Contents of applications; technical information, paragraph (b)(2), which requires a description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, with technical justification therefor, upon which such requirements have been established, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations.
The NRC staffs review of the SHINE instrumentation and control systems topics is also based on the following:
NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content, issued February 1996 (ADAMS Accession No. ML042430055)
NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria, issued February 1996 (ADAMS Accession No. ML042430048)
Final Interim Staff Guidance Augmenting NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012 (ADAMS Accession No. ML12156A069)
Final Interim Staff Guidance Augmenting NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors:
Standard Review Plan and Acceptance Criteria, for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors, dated October 17, 2012 (ADAMS Accession No. ML12156A075)
Audit Topics Audit Topic 1: System Configuration The design bases, acceptance criteria, and guidelines used for design of the TRPS and ESFAS should be specified, and an analysis of the adequacy of the designs to perform the functions necessary to ensure facility safety and its conformance to the design bases and acceptance criteria should be provided by the applicant. The SHINE operating license application specifies the NRC-approved HIPS topical report (TR) as the platform being implemented into the TRPS and ESFAS designs. The NRCs approval of the HIPS TR included 65 application specific action items (ASAIs) for any licensees using the HIPS platform. Some of these ASAIs are specific to nuclear power plants and may not apply to the SHINE facility. SHINE provided its disposition to these ASAIs in response to NRC requests for additional information. The NRC staff needs to confirm the differences between the HIPS platform TR approved by the NRC staff and the HIPS implementation that is being used by SHINE for the TRPS and ESFAS. Further, the NRC staff needs to confirm the differences between the HIPS for the TRPS and the HIPS for the ESFAS. This will require identification of components and modules that will be part of the HIPS for the TRPS and ESFAS. The following are examples of items needed for the NRC staff to understand SHINE implementation of the HIPS platform:
Number and types of field programmable gate arrays (FPGAs) used in the HIPS for TRPS and ESFAS. The FSAR (e.g., Chapter 7.4.2.1.4) implies that the HIPS will use three types of FPGAs. However, the TR for the HIPS platform described using two types of FPGA.
Modules approved in the HIPS TR and modules used in the HIPS for the TRPS and ESFAS.
Use of functional segregation in the HIPS for the TRPS and ESFAS.
Number and configuration of hardwired modules (HWM) in each division of the TRPS and ESFAS.
Data validation, transmission, bypass and voting for the scheduling, bypass, and voting modules installed in the HIPS for the TRPS and ESFAS.
Design and implementation of the built-in self-test function in the safety function module (SFM).
Design and development processes followed for the logic in the HIPS for the TRPS and ESFAS.
Verification and validation activities performed for the logic in the HIPS for the TRPS and ESFAS.
Configuration management established for the logic in the HIPS for the TRPS and ESFAS.
Aspects of the development environment addressed in the HIPS TR that are applicable to the SHINE application.
Audit Topic 2: System Diversity The protection systems should be reliable and perform their intended safety functions under all conditions (see: SHINE Design Criterion 19, which provides for protection systems performing with an extremely high probability of accomplishing their safety functions). Therefore, the design of the protection systems should consider features that can improve the reliability of the system such as independence, redundancy, diversity, maintenance, testing, and quality components. To address failures of the HIPS and increase reliability, the HIPS design includes diversity within the equipment, as well as, diverse means to actuate the safety signals if the automatic system were to fail. The NRC staff needs to audit the design and implementation of the diversity means used in the systems and described in the SHINE FSAR. The following are examples of items the NRC staff needs to discuss with SHINE to understand instrumentation and control system diversity:
Use of diverse FPGA technologies and their identification.
Diversity attributes included in the HIPS for the TRPS and ESFAS.
Design and implementation of built-in diversity within the TRPS and ESFAS, and allocation of the safety functions among the diverse divisions to mitigate the effects of postulated failures.
Assessment to determine vulnerabilities to common cause failures (CCF) (e.g., defense-in-depth and diversity analysis).
Diversity within the TRPS and ESFAS relied upon to protect against digital CCF in the TRPS and ESFAS.
Audit Topic 3: Power Supply The protection systems should use reliable and independent power supplies to power the protection systems during normal operation and emergency power during loss of power. The TR for the HIPS platform describes the power requirements for a licensee using the HIPS. The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of power supplies and power requirements for the TRPS and ESFAS:
Sources of power supply during normal and emergency operation.
Safety classification of power supplies for the TRPS and ESFAS.
Audit Topic 4: Bypass The irradiation units should have operable protection capability in all operating modes and conditions, as analyzed in the FSAR. The ESFAS actuation systems should be designed to be operable whenever an accident could happen for which the application shows consequence mitigation is necessary. To demonstrate proper system operability, the protection systems should be regularly tested, as defined in the technical specifications (TSs). For maintenance and testing, modules of the HIPS can be placed in either bypass or trip. The FSAR does not describe and justify the use of operational and maintenance bypass (some description is provided in the TSs. The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of SHINEs bypass capabilities:
Design and implementation of bypass capabilities of modules in the HIPS for the TRPS and ESFAS.
Information on how signals and voting logics are treated during trip, inoperable and bypass.
Use of the out-of-service switch and trip/bypass switches and differences between maintenance bypass or trip state.
Effects of using bypass at the module level and/or division in the single failure criterion.
Transmission of trip or bypass signal through the HWM and effect on the bypass and voting modules.
Restrictions identified in the TR of the HIPS platform for placing the same SFM across more than one division in maintenance bypass.
Audit Topic 5: Equipment Qualification The TRPS and ESFAS should be designed for reliable operation in the normal range of environmental conditions and postulated credible accidents, transients, and other events in the SHINE facility that could require their operation. Thus, the protection systems should meet the SHINE-specific requirements for seismic, electromagnetic interference/radio-frequency interference (EMI/RFI), and normal range of environmental conditions anticipated within the facility. The FSAR only describes the environmental conditions for the different areas with the SHINE facility. However, the FSAR does not confirm whether the equipment environmental qualifications demonstrate that they envelop the facility requirements. The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of SHINEs equipment qualification:
Confirmation of qualified life for the TRPS and ESFAS equipment.
Confirmation that the effects of EMI/RFI and power surges, including computer-based digital systems, are addressed.
Confirmation that the system meets the site-specific requirements for seismic and normal range and postulated credible accidents and transients of environmental conditions anticipated within the SHINE facility.
Audit Topic 6: Failure Modes The TRPS and ESFAS are credited for the safe operation of the SHINE facility. The TRPS and ESFAS should be designed to maintain their functions or to achieve safe reactor shutdown in the event of a single random malfunction within the system. Therefore, the FSAR should describe the potential vulnerabilities that can affect their operation and how the system would behave if they manifest. For example, a licensee demonstrate this by performing a failures mode and effect analysis to identify potential failures and how the system will behave. In addition, the HIPS should be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or when experiencing postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation). The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of SHINEs failure modes:
Failure modes identified for the modules included in the HIPS for the TRPS and ESFAS.
Failures detected by self-tests and diagnostics or periodic surveillance are consistent with the assumed failure detection methods of the TRPS and ESFAS specific single-failure analysis.
Audit Topic 7: Maintenance and Testing The TRPS and ESFAS equipment should be designed to be readily tested and calibrated to ensure operability and TSs including surveillance tests and intervals should ensure availability and operability of these actuation systems. The protection system (e.g., HIPS equipment) therefore requires appropriate testing, calibration, and inspection to ensure continued proper operation of the equipment. The SHINE FSAR and TSs provide an abbreviated summary of these activities. The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of SHINEs maintenance and testing:
Modification of configurable variables and setpoints.
Features and limitations to perform in-chassis calibration.
Surveillance tests using automatic sensor cross-check.
Test and calibration functions of the HIPS platform and compliance with regulatory guidance.
Validation of self-testing functions in prototype HIPS equipment.
Audit Topic 8: System Operation The TRPS and ESFAS should include sensors (detectors) sufficient to cover the expected range of variation of the monitored variable during normal and transient operation (e.g., see SHINE Design Criterion 13). Also, this information should be sufficient to verify that individual safety limits are protected by independent channels. The FSAR describes the TRPS and ESFAS operation for the SHINE facility. For safety and protection of the SHINE facility, these systems should monitor and display necessary information of all monitored variable during normal operation and transient circumstances. The SHINE FSAR identifies variables monitored but it does not clearly describe the display of these variables in the control room console. The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of SHINEs system operation:
Information necessary to be displayed for the operator to manually actuate safety functions if necessary.
The process integrated control system (PICS) design demonstrating how monitored variables from the TRPS and ESFAS are sufficiently diverse such that any failure does not prevent the operator from obtaining or resolving conflicting information.
Audit Topic 9: Codes and Standards SHINE identified codes and standards to which it committed to use to demonstrate meeting SHINE Design Criteria, NRC guidance, and regulations and to develop high quality instrumentation and control systems. In addition, the TR for the HIPS platform identified codes and standard to be used for an application using the HIPS. It is not clear if the codes and standards required in the TR were used for the design and development of the TRPS and ESFAS. The following are examples of items the NRC staff needs to discuss with SHINE to improve its understanding of SHINEs commitments to implementing codes and standards:
Codes and standards used for the design and development of the logic for the TRPS and ESFAS.
Codes and standards used for the environmental, seismic, radiation, and EMIR/RFI qualification of the HIPS for the TRPS and ESFAS.
Information and Other Material Necessary for Regulatory Audit The NRC audit team will require access to licensees knowledgeable of the technical aspects of the application related to the HIPS digital platform, TRPS, and ESFAS instrumentation and controls systems and the relevant documentation and analyses used to support these portions of the application. The following types of information related to the topics above should be available to the audit team.
The following documents should be available for this audit:
TRPS and ESFAS functional requirements TRPS and ESFAS system design description TRPS and ESFAS test plans TRPS and ESFAS verification and validation plan TRPS and ESFAS equipment qualification plan TRPS and ESFAS test results During the audit, the NRC staff will perform thread audits of selected system requirements.
Thread audits are an accepted method for checking the verification and validation efforts of the applicant.
The NRC staff will identify these requirements before the audit and communicate them to SHINE with sufficient time for their preparation.