ML21210A438


Shine Medical Technologies, LLC - Cyber Security RAI
ML21210A438
Person / Time
Site: SHINE Medical Technologies
Issue date: 08/13/2021
From: Steven Lynch
NRC/NRR/DANU/UNPL
To: Piefer G
SHINE Medical Technologies
Lynch S
References
EPID L-2019-NEW-0004


Text

August 13, 2021

Dr. Gregory Piefer
Chief Executive Officer
SHINE Medical Technologies, LLC
101 East Milwaukee Street, Suite 600
Janesville, WI 53545

SUBJECT: SHINE MEDICAL TECHNOLOGIES, LLC - REQUEST FOR ADDITIONAL INFORMATION RELATED TO CYBER SECURITY (EPID NO. L-2019-NEW-0004)

Dear Dr. Piefer:

By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027), November 13, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264), and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities."

During the NRC staff's review of SHINE's operating license application, questions have arisen related to cyber security considerations for which additional information is needed. The enclosed request for additional information (RAI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report (FSAR), submitted in connection with the operating license application, and prepare a safety evaluation report. Specific chapters and technical areas of the SHINE operating license application covered by this RAI include Chapter 7, "Instrumentation and Control Systems," and the physical security plan.

It is requested that SHINE provide responses to the enclosed RAI within 60 days from the date of this letter. To facilitate a timely and complete response to the enclosed RAI, the NRC staff is available to meet with SHINE to clarify the scope of information and level of detail expected to be included in the RAI response and corresponding FSAR update. SHINE may coordinate the scheduling and agendas for any such meetings with the responsible project manager assigned to this project.

In accordance with 10 CFR 50.30(b), "Oath or affirmation," SHINE must execute its response in a signed original document under oath or affirmation. The response must be submitted in accordance with 10 CFR 50.4, "Written communications." Information included in the response that is considered sensitive or proprietary, that SHINE seeks to have withheld from the public, must be marked in accordance with 10 CFR 2.390, "Public inspections, exemptions, requests for withholding." Any information related to safeguards should be submitted in accordance with 10 CFR 73.21, "Protection of Safeguards Information: Performance Requirements." Following receipt of the additional information, the NRC staff will continue its evaluation of the subject chapters and technical areas of the SHINE operating license application.

As the NRC staff continues its review of SHINE's operating license application, additional RAIs for other chapters and technical areas may be developed. The NRC staff will transmit any further questions to SHINE under separate correspondence.

If SHINE has any questions, or needs additional time to respond to this request, please contact me at 301-415-1524, or by electronic mail at Steven.Lynch@nrc.gov.

Sincerely,

Signed by Lynch, Steven on 08/13/21

Steven T. Lynch, Senior Project Manager
Non-Power Production and Utilization Facility Licensing Branch
Division of Advanced Reactors and Non-Power Production and Utilization Facilities
Office of Nuclear Reactor Regulation

Docket No. 50-608
Construction Permit No. CPMIF-001

Enclosure: As stated

cc: See next page

SHINE Medical Technologies, LLC
Docket No. 50-608

cc:

Jeff Bartelme
Licensing Manager
SHINE Medical Technologies, LLC
101 East Milwaukee Street, Suite 600
Janesville, WI 53545

Nathan Schleifer
General Counsel
SHINE Medical Technologies, LLC
101 East Milwaukee Street, Suite 600
Janesville, WI 53545

Christopher Landers
Director, Office of Conversion
National Nuclear Security Administration, NA 23
U.S. Department of Energy
1000 Independence Avenue, SW
Washington, DC 20585

Mark Paulson
Supervisor
Radiation Protection Section
Wisconsin Department of Health Services
P.O. Box 2659
Madison, WI 53701-2659

Test, Research and Training Reactor Newsletter
Attention: Amber Johnson
Dept. of Materials Science and Engineering
University of Maryland
4418 Stadium Drive
College Park, MD 20742-2115

Mark Freitag
City Manager
P.O. Box 5005
Janesville, WI 53547-5005

Bill McCoy
1326 Putnam Avenue
Janesville, WI 53546

Alfred Lembrich
541 Miller Avenue
Janesville, WI 53548

ML21210A438 NRR-088

OFFICE  NRR/DANU/PM  NRR/DANU/LA  NRR/DANU/BC  NRR/DANU/PM
NAME    SLynch       NParker      DHardesty    SLynch
DATE    7/30/2021    8/2/2021     8/4/2021     8/13/2021

OFFICE OF NUCLEAR REACTOR REGULATION
REQUEST FOR ADDITIONAL INFORMATION REGARDING OPERATING LICENSE APPLICATION FOR
SHINE MEDICAL TECHNOLOGIES, LLC
CONSTRUCTION PERMIT NO. CPMIF-001
SHINE MEDICAL ISOTOPE PRODUCTION FACILITY
DOCKET NO. 50-608

By letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), as supplemented by letters dated November 14, 2019 (ADAMS Accession No. ML19337A275), March 27, 2020 (ADAMS Accession No. ML20105A295), August 28, 2020 (ADAMS Accession No. ML20255A027), November 13, 2020 (ADAMS Accession No. ML20325A026), December 10, 2020 (ADAMS Accession No. ML20357A084), December 15, 2020 (ADAMS Accession No. ML21011A264), and March 23, 2021 (ADAMS Accession No. ML21095A235), SHINE Medical Technologies, LLC (SHINE) submitted to the U.S. Nuclear Regulatory Commission (NRC) an operating license application for its proposed SHINE Medical Isotope Production Facility in accordance with the requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities."

During the NRC staff's review of SHINE's operating license application, questions have arisen related to cyber security considerations for which additional information is needed. The request for additional information (RAI) identifies information needed for the NRC staff to continue its review of the SHINE final safety analysis report (FSAR), submitted in connection with the operating license application, and prepare a safety evaluation report. Specific chapters and technical areas of the SHINE operating license application covered by this RAI include Chapter 7, "Instrumentation and Control Systems," and the physical security plan (PSP).

Applicable Regulatory Requirements and Guidance Documents

The NRC staff is reviewing the SHINE operating license application, which describes the SHINE irradiation facility, including the irradiation units, and radioisotope production facility, using the applicable regulations, as well as the guidance contained in NUREG-1537, Part 1, "Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content," issued February 1996 (ADAMS Accession No. ML042430055), and NUREG-1537, Part 2, "Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria," issued February 1996 (ADAMS Accession No. ML042430048). The NRC staff is also using the "Final Interim Staff Guidance [ISG] Augmenting NUREG-1537, Part 1, 'Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Format and Content,' for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors," dated October 17, 2012 (ADAMS Accession No. ML12156A069), and "Final Interim Staff Guidance Augmenting NUREG-1537, Part 2, 'Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors: Standard Review Plan and Acceptance Criteria,' for Licensing Radioisotope Production Facilities and Aqueous Homogeneous Reactors," dated October 17, 2012 (ADAMS Accession No. ML12156A075). As applicable, additional guidance cited in SHINE's FSAR or referenced in NUREG-1537, Parts 1 and 2, or the ISG Augmenting NUREG-1537, Parts 1 and 2, has been utilized in the review of the SHINE operating license application.

For the purposes of this review, the term "reactor," as it appears in NUREG-1537, the ISG Augmenting NUREG-1537, and other relevant guidance can be interpreted to refer to SHINE's irradiation unit, irradiation facility, or radioisotope production facility, as appropriate within the context of the application and corresponding with the technology described by SHINE in its application. Similarly, for the purposes of this review, the term "reactor fuel," as it appears in the relevant guidance listed above, may be interpreted to refer to SHINE's target solution.

Cyber Security Considerations

The following regulatory requirements are applicable to RAIs CS-1 and CS-2:

Paragraph (b)(2) of 10 CFR 50.34, "Contents of applications; technical information," requires, in part, that an FSAR include "[a] description and analysis of the structures, systems, and components of the facility, with emphasis upon performance requirements, the bases, and the evaluations required to show that safety functions will be accomplished. The description shall be sufficient to permit understanding of the system designs and their relationship to safety evaluations."

Paragraph (a)(6) of 10 CFR 50.57, "Issuance of operating license," states, in part, that an operating license may be issued upon finding that "[t]he issuance of the license will not be inimical to the common defense and security or to the health and safety of the public."

The following excerpts from the SHINE FSAR form the basis of the RAIs CS-1 and CS-2:

Sections 7.4.2.2, "TRPS System Design Criteria," and 7.5.2.2, "ESFAS System Design Criteria," of the SHINE FSAR include Criterion 3, respectively, which state, in part, that the Target Solution Vessel Reactivity Protection System (TRPS) and Engineered Safety Features Actuation System (ESFAS) designs shall incorporate design or administrative controls to prevent/limit unauthorized physical and electronic access to critical digital assets (CDAs) during the operational phase, including the transition from development to operations. CDAs are defined as digital systems and devices that are used to perform or support, among other things, physical security and access control, safety-related functions, and reactivity control.

CS-1 While SHINE includes TRPS and ESFAS Criterion 3 in its FSAR, limited information has been provided in the SHINE operating license application, including the PSP, or during the regulatory audit conducted on June 15, 2021 (ADAMS Accession No. ML21161A116), to support the NRC staff's understanding of the controls to prevent/limit unauthorized physical and electronic access to CDAs.

Provide a network diagram (or other portrayal) that demonstrates design or administrative controls are incorporated to prevent/limit unauthorized physical and electronic access, including the following access methods to SHINE critical systems and/or CDAs: physical access, wired communication access, wireless communication access, portable media, and mobile devices. Also include information related to the protection of the devices accessed via these methods.

This information is necessary to support the NRC staff's understanding of the controls to prevent/limit unauthorized physical and electronic access to CDAs and determine that SHINE is appropriately implementing its TRPS and ESFAS Criterion 3 and that issuance of the license will not be inimical to the common defense and security.

CS-2 While SHINE includes TRPS and ESFAS Criterion 3 in its FSAR, limited information has been provided in the SHINE operating license application, including the PSP, or in the regulatory audit conducted on June 15, 2021, regarding a program that would identify which digital systems and devices would be defined as CDAs and how such CDAs would be protected. During the June 15 regulatory audit, SHINE indicated there are corporate cyber security program elements in place that are applicable to CDAs within the facility. These programmatic elements may include access control, audit and accountability, asset and communication path protection, identification and authentication, system hardening, media protection, personnel security, system and information security, physical protection, defense in depth (detection, response, recover), defensive security architecture, incident response, contingency planning, configuration management, training, supply chain, security assessment, and risk management.

Provide documentation that describes how the above programmatic elements are implemented in the design of CDAs.

This information is necessary for the NRC staff to evaluate the cyber security protections for SHINE CDAs and determine that SHINE is appropriately implementing its TRPS and ESFAS Criterion 3 and that issuance of the license will not be inimical to the common defense and security.