Text

G. Piefer Dr. Gregory Piefer Chief Executive Officer SHINE Technologies, LLC 3400 Innovation Court Janesville, WI 53546

SUBJECT:

SHINE MEDICAL TECHNOLOGIES, LLC REGULATORY AUDIT OF INSTRUMENTATION AND CONTROL SYSTEMS DESCRIBED IN OPERATING LICENSE APPLICATION, SESSION 3 (EPID NO. L-2019-NEW-0004)

Dear Dr. Piefer:

The U.S. Nuclear Regulatory Commission (NRC) staff has prepared an audit plan related to the review of Chapter 7, Instrumentation and Control Systems, of the SHINE Medical Technologies, LLC operating license application. The enclosed audit plan provides the regulatory basis for the audit, describes the scope of the audit, identifies the audit team, and provides a listing of audit questions.

The audit will be conducted virtually and is intended to close gaps identified during the technical review. As such, the audit will be held on April 7, 2022, from 2:30pm to 4:30pm. Additional audit sessions may be scheduled to support the continued review of the operating license application.

Following completion of the audit, the NRC staff will provide an audit summary. The summary will include a description of any information identified during the audit that will need to be docketed to supplement the application and allow the NRC staff to continue its review.

April 6, 2022

G. Piefer If you have any questions, please contact me at (301) 415-1217, or by electronic mail at Joshua.Borromeo@nrc.gov.

Sincerely, Joshua M. Borromeo, Chief Non-Power Production and Utilization Facility Licensing Branch Division of Advanced Reactors and Non-Power Production and Utilization Facilities Office of Nuclear Reactor Regulation Docket No. 50-608 Construction Permit No. CPMIF-001

Enclosure:

As stated cc: See next page Signed by Borromeo, Joshua on 04/06/22

SHINE Medical Technologies, LLC Docket No. 50-608 cc:

Jeff Bartelme Licensing Manager SHINE Technologies, LLC 3400 Innovation Court Janesville, WI 53546 Nathan Schleifer General Counsel SHINE Technologies, LLC 3400 Innovation Court Janesville, WI 53546 Christopher Landers Director, Office of Conversion National Nuclear Security Administration, NA 23 U.S. Department of Energy 1000 Independence Ave SW Washington, DC 20585 Mark Paulson, Supervisor Radiation Protection Section Wisconsin Department of Health Services P.O. Box 2659 Madison, WI 53701-2659 Test, Research and Training Reactor Newsletter Attention: Amber Johnson Dept of Materials Science and Engineering University of Maryland 4418 Stadium Drive College Park, MD 20742-2115 Mark Freitag City Manager P.O. Box 5005 Janesville, WI 53547-5005 Bill McCoy 1326 Putnam Avenue Janesville, WI 53546 Alfred Lembrich 541 Miller Avenue Janesville, WI 53548

ML22095A067 NRR-106 OFFICE NRR/DANU/PM NRR/DANU/LA NRR/DANU/BC NAME HCruz NParker JBorromeo DATE 4/5/2022 4/5/2022 4/6/2022

Enclosure OFFICE OF NUCLEAR REACTOR REGULATION REGULATORY AUDIT PLAN, SESSION 3 REGARDING CHAPTER 7, INSTRUMENTATION AND CONTROL SYSTEMS OPERATING LICENSE APPLICATION SHINE MEDICAL TECHNOLOGIES, LLC DOCKET NO. 50-608

Background

The U.S. Nuclear Regulatory Commission (NRC) staff is continuing its review of the SHINE Medical Technologies, LLC (SHINE) operating license application, submitted by letter dated July 17, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19211C044), in addition to Chapter 7, Instrumentation and Control Systems, of the SHINE final safety analysis report (FSAR) and responses to requests for additional information (RAI). This regulatory audit is intended to close technical gaps identified during the review of Chapter 7, as communicated periodically to SHINE in a Chapter 7 status tracker and documented in this plan.

Regulatory Audit Bases The licensees proposed instrumentation and control systems is being reviewed in accordance with the applicable regulatory requirements of Title 10 of the Code of Federal Regulations Part 50, Domestic Licensing of Production and Utilization Facilities, and applicable guidance provided in NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Part 1, Format and Content, and Part 2, Standard Review Plan and Acceptance Criteria (ADAMS Accession Nos. ML042430055 and ML042430048, respectively).

Regulatory Scope The scope of this audit addresses updates to the SHINE FSAR and associated responses to RAIs on the highly integrated protection system (HIPS), target solution vessel (TSV) reactivity protection system (TRPS), engineered safety feature actuation system (ESFAS). Consistent with the regulatory basis specified in the system RAIs, this information will supplement the licensing review to understand and confirm how TRPS and ESFAS: (1) will perform its safety function including after a single failure and meeting requirements for environmental qualification, redundancy, diversity, and independence; (2) will have surveillance tests and intervals that give confidence that the equipment will reliably perform its safety function; and (3) has appropriate digital hardware and software verification and validation programs to provide confidence in design quality. The audit may also address additional information and FSAR revisions provided for other systems, such as the process integrated control system (PICS). Therefore, any additional information identified from the audit that is needed to address a regulatory finding may also be documented in the audit report.

Desired Outcomes for the Audit The desired outcomes of the audit are to: (1) gain a better understanding of information underlying the application in the area of instrumentation and control systems, (2) identify specific information that will require docketing to support the basis of the licensing or regulatory decision; and (3) close open technical items or identify a closure path in the Audit Topics and Questions section of this audit plan.

Information and Material necessary for the Regulatory Audit SHINE will need to provide ESFAS and TRPS design documents (e.g., as referenced in response to RAI 7-10) in the electronic reading room to support the audit, to resolve open technical items. The NRC staff anticipates SHINE identifying additional documents that may address open technical items.

Audit Team The NRC staff participating in this audit will be:

Dinesh Taneja (NRR/DEX) - HIPS and ESFAS Lead, Audit Team Leader

Norbert Carte (NRR/DEX) -TRPS Lead

Michael Waters (NRR/DEX)

Michael Balazik (NRR/DANU)

Duane Hardesty (NRR/DANU)

Jesse Seymour (NRR/DRO)

Audit Team Logistics The virtual audit will be held on April 7, 2022, from 2:30pm to 4:30pm. This audit session will address the topics and questions as identified below. Should an additional audit session be needed, it will be scheduled accordingly. Additional audit sessions may be planned in advance, as new open technical items are identified, to support the understanding of information necessary to facilitate the continued review of the operating license application.

Deliverables At the completion of the regulatory audit, the NRC staff will prepare a regulatory audit report, which will be issued within 60 days after the audit. New audit plans (including distinct entrance and exit discussions) will be issued as new open technical items are identified. Closure paths for each item will be captured in the Audit Topics and Questions section of this audit plan.

Audit Session 3: April 7, 2022, from 2:30pm to 4:30pm SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

7.2.5.4 HIPS Design Process Open Technical Item 7.2.5-07 Provide in the electronic reading room HIPS programmable logic lifecycle process verification and validation summary documents for the requirements, design, implementation, and testing phases for the TRPS and ESFAS including the project requirements traceability matrix. (It is unclear to the NRC staff how underlying documents are portioned between HIPS platform-level logic development and the application-specific logic development for TRPS & ESFAS).

The NRC staff will examine and discuss selected, risk-significant requirements, through requirements, design, implementation, and testing phases, and verification to confirm adequacy and implementation of the development plans. This information is needed to confirm that the TRPS and ESFAS is designed for reliable operation in the normal range of environmental conditions anticipated within the facility, and logic-based platform used in the guidelines and requirements of the NRC Regulatory Guides (RGs) and Institute of Electrical and Electronics Engineers (IEEE) standards applicable to the TRPS and ESFAS safety related applications (see Section 7.4 and 7.5, NUREG-1537, Part 2).

7.4.2.1.2 Protection System Functions Open Technical Item 7.4.2-21 NUREG-1537, Part 1, Chapter 3.1, Design Criteria, states:

...general design criteria should include...design to cope with anticipated transients and potential accidents...

anticipated transients and potential accidents should include malfunction of any control function.

Section 7.4.2.1.2 states: SHINE Design Criterion 14 -The protection systems are designed to: (1) initiate, automatically, the operation of appropriate systems to SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

ensure that specified acceptable target solution design limits are not exceeded as a result of anticipated transients; and (2) sense accident conditions and to initiate the operation of safety-related systems and components.

There are no anticipated transients that would result in target solution design limits being exceeded. However, it is not apparent from the FSAR how malfunction of control systems was addressed as a potential category of anticipated operational occurrences and anticipated transients.

Explain how malfunction of any control system was addressed and describe whether and how a PICS failure analysis was developed. This information is needed to confirm adequacy of the design to perform the functions necessary to ensure TSV safety and its conformance to the design bases and acceptance criteria.

7.4.2.2.2 Software Requirements Development Open Technical Item 7.4.2-22 For software requirements development, describe what elements are programmed as part of the generic HIPS platform programming, and what is programmed or configured as part of the TRPS application development.

The NRC staff seeks this understanding in order to assist in determining the relationship of HIPS development and TRPS development with respect to software requirements development, in conjunction with open item 7.2.5-07 for life cycle development. This information is needed to confirm that the logic-based platform used in the guidelines and requirements of NRC RGs and IEEE standards applicable to the TRPS and ESFAS safety related applications (see Section 7.4 and 7.5, NUREG-1537, Part 2).

SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

7.4.3.1 Safety Functions Open Technical Item 7.4.4-19 The implementation of a safety function requires that certain components be in certain specified states or positions.

Specifically, FSAR Chapter 7.4.3.1, Safety Functions, includes a subchapter for each TRPS safety function. In each of these subchapters, all of the specific components actuated (i.e., deenergized) are listed. The FSAR Chapters 4 and 13 were also used to confirm that certain safety functions positioned certain components to a particular state, and these descriptions were consistent with those in Chapter 7; however, it was not possible to confirm how all the component positioning described in Chapter 7 is credited in Chapters 4 and 13, or whether Chapter 7 describes the proper positioning of all components to achieve the intended safety function.

(a) Describe how functions in Section 7.4.3.1 are credited in Chapter 13. Highlight a specific scenario identified in FSAR Chapter 7.4.3.1 to explain how the components are credited/applied/analyzed in Chapter 13, to be sufficient for achieving the associated safety function.

(b) Since a failure mode of the TRPS is to actuate all components necessary for all safety functions, identify the associated SHINE analysis document and describe the process for analyzing TRPS actuations of components.

This information is needed to confirm adequacy of the design to perform the functions necessary to ensure TSV safety and its conformance to the design bases, acceptance criteria, and the guidelines used (see Section 7.4, NUREG-1537, Part 2).

7.4.5 TRPS -HIPS Design Open Technical Item 7.4.5-20 FSAR Table 7.4-1, TRPS Monitored Variables, contains a column titled Instrument Response Time. Furthermore, FSAR Chapter 7.4.5.2.3, Predictability and Repeatability, SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

states the required HIPS response time. However, FSAR Chapter 7 or Chapter 13 does not appear to describe the overall system response time for a safety actuation from each sensor (i.e., Sensor, HIPS, and Actuated Components),.

Identify and describe the response time analysis performed for the TRPS safety functions. Identify a scenario addressed by a TRPS safety function as an example (e.g.,

one listed in FSAR Chapter 7.4.3.), and explain the relationship of the actuation and assumed completion time to the response time analysis. This information is needed to confirm that proposed trip setpoints, time delays, accuracy requirements, and actuated equipment response to verify that the TRPS is consistent with the FSAR analyses of safety limits (see Section 7.4, NUREG-1537, Part 2).

7.5.2.1.2 Protection System Functions Open Technical Item 7.5-01 In addressing SHINE Design Criterion 14, Section 7.5.2.1.2 of the SHINE FSAR states that there are no anticipated transients that require the initiation of the ESFAS to ensure specified acceptable target solution design limits are not exceeded and refers to Subsection 7.5.3.1 that describes the ESFAS safety functions relied upon for specific accident scenarios. Based on review of these FSAR sections and the ESFAS logic diagrams depicted in Figure 7.5-1 of the FSAR:

1) ESFAS safety function described in Subsection 7.5.3.1.11 -7.5.3.1.13 (molybdenum extraction and purification system (MEPS) Heating Loop Isolation) of the FSAR is not consistent with the logic diagram on Figure 7.5-1, Sheet 13.

SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

2) ESFAS safety function described in Subsection 7.5.3.1.25 -7.5.3.1.27 (extraction column alignment actuation) of the FSAR is not consistent with the logic diagram on Figure 7.5-1, Sheet 15.

3) ESFAS safety function described in Subsection 7.5.3.1.28 (iodine and xenon purification alignment actuation) of the FSAR is not consistent with the logic diagram on Figure 7.5-1, Sheet13.

4) ESFAS safety function described in Subsection 7.5.3.1.29 (dissolution tank Isolation) of the FSAR is not consistent with the logic diagram on Figure 7.5-1, Sheet 13.

5) Subsection 7.5.3.1.24 states that radiologically controlled area isolation initiates TPS [tritium purification system]

Process Vent Actuation as one of the safety functions, whereas Figure 7.5-1, Sheet 11 states TPS Process Vent Isolation.

Explain and correct these apparent discrepancies and verify the accuracy of the other ESFAS safety functions and Division B ESFAS logic diagrams. This information is needed to verify that design of the ESFAS actuation systems give reasonable assurance of reliable operation for accidents which consequence mitigation is required.

Open Technical Item 7.5-02 Section 7.5.2.1.2 of the SHINE FSAR states that there are no anticipated transients that require the initiation of the ESFAS to ensure specified acceptable target solution design limits are not exceeded and refers to Subsection 7.5.3.1 that describes the ESFAS safety functions relied upon for specific accident scenarios. In the FSAR, ESFAS safety functions refer to Chapter 13 accident and event scenarios. However, Chapter 13 does not Closed, pending NRC staff review of supporting SHINE information provided on the Electronic Reading Room.

SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

appear to provide the basis for the analytical limits (ALs) or the response times.

Identify the source of information that documents the basis for the ALs and response times identified in Table 7.5-1.

Demonstrate the applicability of Table 7.5-1 ALs to the specific ALs that are assumed in Chapter 13 accidents scenarios that rely upon ESFAS TRPS and corresponding values in the TS. Describe the response time analysis performed for the ESFAS safety functions (see open item 7.4.2-08 and 7.4.5-20). This information is needed to confirm proposed trip setpoints, time delays, accuracy requirements, and actuated equipment response to verify that the ESFAS is consistent with the FSAR analyses of safety limits.

7.5.2.1.4 Protection System Independence Open Technical Item 7.5-03 Section 7.5.3.4 of the SHINE FSAR states that the ESFAS components are qualified to the environmental and radiological parameters provided in Tables 7.2-1 through 7.2-3.

Clarify where in the FSAR the equipment qualification (EQ) test of cables and sensors are documented. Provide the EQ test reports for cables and sensors in the electronic reading room or clarify when they will be available. This information is needed to verify that ESFAS is designed to operate reliably in the environment until the accident has been brought to a stable condition (see Section 7.5 of NUREG-1537, Part 2).

7.5.2.1.6 Separation of Protection and Control Systems Open Technical Items 7.5-04 SHINE Design Criterion 18 states that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all Closed, pending SDD update.

SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

reliability, redundancy, and independence requirements of the protection system.

Section 7.5.2.1.6 of the SHINE FSAR states that there are no sensor outputs that have both an ESFAS safety-related protection function and a non-safety-related control function.

However, Section 6 of the TECRPT-2020-0002, Revision 5, ESFAS SDD states that the following ESFAS input parameters are also used as input for PICS controls:

1.

Radioactive drain system (RDS) liquid detection switch signal 2.

Vacuum transfer system (VTS) vacuum header liquid detector switch (TBD) 3.

Division A & B high TPS irradiation unit (3,4,5,6,7,8) target chamber (exhaust & supply) pressure (TBD) 4.

Process vessel vent system flow (pressure, differential pressure, & temperature signals) for calculated flow values 5.

Division A & B MEPS (area A, B, C) extraction column (lower & upper) 3-way valve position 6.

Division A & B IXP (lower & upper) 3-way valve position Clarify if this a discrepancy and update the FSAR to clarify the sensor outputs that have both an ESFAS safety-related protection and a non-safety-related control function. The NRC staff will subsequently evaluate the configuration to conformance with SHINE Design Criterion 18. This information is needed to understand the separation and independence of PICS and ESFAS, SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

verify that accident mitigation would not be compromised by a combination of the two systems.

7.5.2.1.8 Criticality Control in the Radioisotope Production Facility Open Technical Item 7.5-05 SHINE Design Criterion 37 for ESFAS states that criticality in the radioisotope production facility is prevented by physical systems or processes and the use of administrative controls. Use of geometrically safe configurations is preferred. Control of criticality adheres to the double contingency principle. A criticality accident alarm system to detect and alert facility personnel of an inadvertent criticality is provided.

Specify where in the FSAR the criticality accident alarm system (CAAS) is discussed. Clarify whether the CAAS an independent system or a part of ESFAS or PICS. This information is needed to verify that design of the ESFAS actuation systems give reasonable assurance of reliable operation for accidents which consequence mitigation is required.

Open Technical Item 7.5-06 Section 7.5.2.1.8 of the SHINE FSAR states that the ESFAS provides VTS actuation and target solution preparation system dissolution tank isolation as the two safety functions required by the SHINE criticality safety program described in Section 6b.3.

Based on review of the SHINE FSAR Section 6b.3.2, there appears to be potentially three safety functions that are identified that require active engineered criticality safety control. SHINE FSAR Section 6b.3.2.8, Radioactive Drain System, states that precipitation of solids requires application of the DCP [double contingency principle] to prevent criticality accidents.

The hold tanks are equipped with level instrumentation Closed, based on discussion during Audit Session 2.

The NRC staff understand that CAAS is a standalone system and is described in FSAR Chapter 6b. Suggest SHINE revise Chapter 7 of the FSAR to clarify that the CAAS portion of SHINE Design Criterion 37 does not apply to the proposed instrumentation and control systems (i.e., ESFAS, PICS, etc.).

SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

to detect a leak of solution transferred to RDS. FSAR Section 7.5.4.1.9, RDS Liquid Detection states that the RDS liquid detection signal detects leakage or overflow from other tanks and piping resulting in initiation of a VTS safety actuation.

Clarify whether the this is an ESFAS safety function required as one of the active engineered criticality safety controls, and update the FSAR as appropriate. This information is needed to verify that design of the ESFAS actuation systems give reasonable assurance of reliable operation for accidents which consequence mitigation is required.

7.5.2.1.9 Monitoring Radioactivity Releases Open Technical Item 7.5-07 SHINE Design Criterion 38 states means are provided for monitoring the primary confinement boundary, hot cell, and glovebox atmospheres to detect potential leakage of gaseous or other airborne radioactive material. Potential effluent discharge paths and the plant environs are monitored for radioactivity that may be released from normal operations, including anticipated transients, and from postulated accidents.

Section 7.5.2.1.9 of the SHINE FSAR states the ESFAS monitors for potential radioactivity releases and lists specific activities/areas that are monitored to address SHINE Design Criterion 38. However, MEPS heating loop radiation extraction is not listed.

FSAR Sections 7.5.3.1.11-13, and 7.5.4.1.6 describe a high MEPS heating loop radiation extraction area detection and isolation actuation to protect against leakage of high radiation solutions.

SECTION Open Items Closure Path and Information Needs (Request for Confirmatory Information Response, Supplement, Updated FSAR, etc.)

Clarify whether SHINE Criterion 38 include MEPS heating loop radiation extraction area and update the FSAR as appropriate. This information is needed to verify that design of the ESFAS actuation systems give reasonable assurance of reliable operation for accidents which consequence mitigation is required.