ML22144A231

| Field | Value |
|---|---|
| Site: | SHINE Medical Technologies |
| Issue date: | 05/24/2022 |
| From: | Jim Costedio, SHINE Medical Technologies |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References: | 2022-SMT-0062 |
| Accession No.: | ML22144A231 |
3400 Innovation Ct, Janesville, WI 53546
877.512.6554 | info@shinemed.com | www.SHINEtechnologies.com

May 24, 2022
2022-SMT-0062
10 CFR 50.30

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555
References:
(1) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License, dated July 17, 2019 (ML19211C143)
(2) NRC letter to SHINE Medical Technologies, LLC, SHINE Medical Technologies, LLC - Request for Additional Information Related to the Instrumentation and Control Systems (EPID No. L-2019-NEW-0004), dated July 1, 2021 (ML21172A195)
(3) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License Supplement No. 8 and Response to Request for Additional Information, dated September 29, 2021 (ML21272A341)
(4) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License Response to Request for Additional Information, dated August 27, 2021 (ML21239A049)
Subject: SHINE Technologies, LLC Application for an Operating License Supplement No. 22 and Revision 1 of the SHINE Response to Request for Additional Information 7-15

Pursuant to 10 CFR Part 50.30, SHINE Technologies, LLC (SHINE) submitted an application for an operating license for a medical isotope production facility to be located in Janesville, Wisconsin (Reference 1). The NRC staff determined that additional information was required to enable the staff's continued review of the SHINE operating license application (Reference 2).
SHINE responded to the staff's requests for additional information (RAI) via Reference 3 and Reference 4.
SHINE has determined that the SHINE Response to RAI 7-10, provided via Reference 4, requires supplemental information, and the SHINE Response to RAI 7-15, provided via Reference 3, requires revision.
Enclosure 1 provides a revision to TECRPT-2018-0028, HIPS Platform Application Specific Action Item Report for the TRPS and ESFAS, to address Open Technical Items identified by the NRC staff during regulatory audits. SHINE previously provided TECRPT-2018-0028 to support the SHINE Response to RAI 7-10 (Reference 4). The SHINE Response to RAI 7-10 does not require revision as a result of the revision to TECRPT-2018-0028.
Enclosure 2 provides Revision 1 of the SHINE Response to RAI 7-15. Revision 1 supersedes the previously provided SHINE Response to RAI 7-15 in its entirety.
If you have any questions, please contact Mr. Jeff Bartelme, Director of Licensing, at 608/210-1735.
I declare under the penalty of perjury that the foregoing is true and correct.
Executed on May 24, 2022.

Very truly yours,

James Costedio
Vice President of Regulatory Affairs and Quality
SHINE Technologies, LLC

Docket No. 50-608
Enclosures

cc:
- Project Manager, USNRC
- SHINE General Counsel
- Supervisor, Radioactive Materials Program, Wisconsin Division of Public Health

ENCLOSURE 1

SHINE TECHNOLOGIES, LLC
SHINE TECHNOLOGIES, LLC APPLICATION FOR AN OPERATING LICENSE SUPPLEMENT NO. 22 AND REVISION 1 OF THE SHINE RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 7-15
TECHNICAL REPORT NUMBER TECRPT-2018-0028, REVISION 2
HIPS PLATFORM APPLICATION SPECIFIC ACTION ITEM REPORT FOR THE TRPS AND ESFAS
TECRPT-2018-0028 Revision 2 Page 2 of 66

REVISION LOG

Revision 0 (3/12/2020):
- Initial Issue

Revision 1 (9/21/2021):
- Significant updates for how each ASAI is addressed for nearly all ASAIs in response to NRC requests for additional information as well as to align with the current SHINE facility FSAR subsections and content
- Added Section 5 to identify changes to the HIPS platform (from that described in the HIPS platform topical report) for the TRPS and ESFAS system designs
- Added Section 6 to provide traceability of conformance of the TRPS and ESFAS with IEEE Std. 7-4.3.2-2003
- Added Section 7 to provide traceability of conformance of the TRPS and ESFAS with DI&C-ISG-04
- Added Section 8 to provide traceability of conformance of the TRPS and ESFAS with SECY-93-087

Revision 2 (See Approval Signature):
- Clarified the number of switching outputs for each EIM in Section 5.4
- Added Section 5.7.4 to specify the overlap of self-testing and periodic surveillance tests
- Added Tables 5-1 and 5-2 to specify the changes to HIPS module LEDs compared to the HIPS platform topical report
- Updated multiple reference revisions/dates in Section 9
Table of Contents

- 1 Objective (p. 4)
- 2 Methods (p. 4)
- 3 Analysis Results (p. 5)
- 4 Conclusions (p. 48)
- 5 HIPS Platform Modifications (p. 48)
  - 5.1 Hardwired Module Input Routing (p. 48)
  - 5.2 Use of Fiber Optic Communications (p. 48)
  - 5.3 Communications Module (CM) Bi-Directional Communications (p. 48)
  - 5.4 Implementation of EIM Switching Outputs (p. 48)
  - 5.5 Specific Implementation of Communications Modules (p. 49)
    - 5.5.1 Scheduling, Bypass, and Voting Modules (p. 49)
    - 5.5.2 Gateway Communications Modules (p. 50)
  - 5.6 SBVM Safety Data Bus Frame (p. 51)
  - 5.7 Self-Testing (p. 51)
    - 5.7.1 Analog to Digital Converter (p. 51)
    - 5.7.2 EIM Input and Output Testing (p. 52)
    - 5.7.3 HWM Input Channel Test (p. 52)
    - 5.7.4 End-to-End Testing (p. 52)
  - 5.8 HIPS Module LEDs (p. 52)
  - 5.9 Remote Input Submodule (RISM) (p. 54)
- 6 IEEE Std. 7-4.3.2-2003 Traceability Matrix (p. 54)
- 7 Digital I&C Interim Staff Guidance 04 Traceability Matrix (p. 55)
- 8 SRM for SECY-93-087 Traceability Matrix (p. 64)
- 9 References (p. 65)

List of Tables

- Table 3-1: HIPS Platform Application Specific Action Item Evaluation for the TRPS and ESFAS (p. 5)
- Table 5-1: HIPS Module LEDs (p. 53)
- Table 5-2: HIPS Platform Fault Classification (p. 53)
- Table 6-1: TRPS and ESFAS IEEE Std. 7-4.3.2-2003 Traceability Matrix (p. 54)
- Table 7-1: TRPS and ESFAS DI&C-ISG-04 Traceability Matrix (p. 55)
- Table 8-1: TRPS and ESFAS SECY-93-087 Traceability Matrix (p. 64)
1 Objective

The target solution vessel (TSV) reactivity protection system (TRPS) and the engineered safety features actuation system (ESFAS) are safety-related instrumentation and control (I&C) systems for the SHINE Medical Isotope Production Facility (the SHINE facility). The design of the TRPS and ESFAS is based upon the Highly Integrated Protection System (HIPS) platform, which has a Topical Report (Reference 1) approved by the Nuclear Regulatory Commission (NRC) (Reference 2). The NRC's final safety evaluation report (SE) for the HIPS platform includes a list of application-specific action items (ASAIs) which identify criteria that applicants or licensees referencing the HIPS platform SE should address. The objective of this report is to provide a reference document for how these ASAIs are addressed in the design of the TRPS and ESFAS for the SHINE facility.

2 Methods

The method applied in this report was to evaluate each ASAI identified in the SE for the HIPS platform topical report (Reference 1) for applicability to SHINE's licensing application. The applicability was documented, and if the ASAI was determined to be not applicable, justification for why it is not considered applicable is provided. If the ASAI was determined to be applicable, a reference is given to the appropriate sections of the SHINE facility FSAR or to the appropriate design basis document which provides the material that addresses the ASAI. The results of this method are provided in Table 3-1.
It should be noted that some of the standards which were applied to the HIPS topical report (IEEE Std 603, IEEE Std 7-4.3.2, SECY-93-087, and DI&C-ISG-04) are not directly applicable to the SHINE application. Because the SHINE application is for a research and test reactor, NUREG-1537 outlines the criteria against which the SHINE design will be reviewed.
3 Analysis Results

Table 3-1 HIPS Platform Application Specific Action Item Evaluation for the TRPS and ESFAS

| ASAI No. | SER Referenced Section(s) | ASAI Description | Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI | Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINE's Final Safety Analysis Report |
|---|---|---|---|---|
| 1 | 2.0 | An applicant or licensee referencing this SE must establish full compliance with the design criteria and regulations identified in NuScale DSRS Chapter 7, Table 7.1, or the appropriate plant design criteria that are relevant to the specific application(s) of the HIPS platform as a safety-related I&C system in an NPP as defined in 10 CFR 50.55a(h). | Partially applicable. The SHINE facility licensing application is not anticipated to be reviewed against the guidance of the NuScale DSRS or the design criteria defined in 10 CFR 50.55a(h). However, Chapter 7 of SHINE's Final Safety Analysis Report (FSAR) documents the design criteria and regulations identified in NUREG-1537 relevant to the HIPS platform based TRPS and ESFAS designs and also provides evidence of full compliance with those design criteria and regulations. | Not applicable |
| 2 | 2.0, 3.0 | An applicant or licensee referencing this SE must demonstrate that the HIPS platform used to implement the application-specific or plant-specific system is unchanged from the base platform addressed in this SE. Otherwise, the applicant or licensee must clearly and completely identify any modification or addition to the base HIPS platform as it is employed and provide evidence of compliance by the modified platform with all applicable regulations that are affected by the changes. | Applicable. Changes to the base HIPS platform equipment as described in the HIPS platform topical report for the TRPS and ESFAS designs are identified and discussed in Section 5 of this report. A description of how the HIPS platform TRPS and ESFAS design implementation supports meeting the design criteria identified in NUREG-1537 is provided in Subsection 5.4.5. Descriptions of the architectural implementation of the HIPS platform are provided in the TRPS and ESFAS System Design Description (SDD) documents (References 6 and 7). | Not applicable |
| 3 | 3.6 | Although the staff determined that the HIPS platform supports satisfying various sections and clauses of IEEE Std. 603-1991, an applicant or licensee referencing this SE must identify the approach taken to satisfy each applicable clause of IEEE Std. 603-1991. Because this SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences, an applicant or licensee should identify its plant-specific design basis for its safety system application and the applicability of each IEEE Std. 603-1991 clause to its application-specific HIPS platform-based safety system or component. Furthermore, the applicant or licensee must demonstrate that the plant-specific and application-specific use of the HIPS platform satisfies the applicable IEEE Std. 603-1991 clauses in accordance with the plant-specific design basis and safety system application. | Not applicable. Although the design of the TRPS and ESFAS will satisfy many sections and clauses of IEEE Std. 603-1991 because they are based upon the base HIPS platform design, the SHINE facility design basis is not required to conform with IEEE Std. 603. The SHINE facility design is required to conform to the guidance of NUREG-1537. | Not applicable |
| 4 | 3.7 | Although the staff determined that the HIPS platform supports satisfying various sections and clauses of IEEE Std. 7-4.3.2-2003, an applicant or licensee referencing this SE must identify the approach taken to satisfy each applicable clause of IEEE Std. 7-4.3.2-2003. The applicant or licensee should consider its plant-specific design basis. This SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences. The applicant or licensee should identify its plant-specific design basis for its safety system application and the applicability of each IEEE Std. 7-4.3.2-2003 clause to its application-specific HIPS platform-based safety system or component. Furthermore, the applicant or licensee must demonstrate that the plant-specific and application-specific use of the HIPS platform satisfies the applicable IEEE Std. 7-4.3.2-2003 clauses in accordance with the plant-specific design basis and safety system application. | Applicable. Section 6 of this report provides a traceability matrix to support demonstration of conformance of the TRPS and ESFAS designs with IEEE Std. 7-4.3.2-2003. | Not applicable |
| 5 | 3.8 | Although the staff determined that the HIPS platform includes features to support satisfying various sections and clauses of DI&C-ISG-04, an applicant or licensee referencing this SE must evaluate the HIPS platform-based system for full conformance against this guidance. The applicant or licensee should consider its plant-specific design basis. This SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences. | Applicable. Section 7 of this report provides a traceability matrix to support demonstration of conformance of the TRPS and ESFAS designs with DI&C-ISG-04. | Not applicable |
| 6 | 3.9 | Although the staff determined that the HIPS platform includes features to support satisfying various sections of the SRM to SECY-93-087, an applicant or licensee referencing this SE must evaluate the HIPS platform-based system for full compliance against this requirement. The applicant or licensee should consider its plant-specific design basis. This SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences. | Applicable. Section 8 of this report provides a traceability matrix to support demonstration of conformance of the TRPS and ESFAS designs with SECY-93-087. | Not applicable |
| 7 | 3.1.4.3 | An applicant or licensee referencing this SE must provide administrative controls (e.g., procedures, technical specifications) to prevent an operator from placing the same SFM across more than one division into maintenance bypass concurrent with a single failure of a different division. | Applicable. Sections 3.2.1 and 3.2.2 of the technical specifications of the SHINE facility operating license application document the required facility technical specifications applicable to placing a TRPS or ESFAS safety function module (SFM) into maintenance bypass. SHINE technical specification Limiting Conditions for Operation (LCO) 3.2.3 and 3.2.4 contain a note that specifies that any single SFM may be bypassed for up to 2 hours while the variable(s) associated with the SFM is in the condition of applicability for the purpose of performing a Channel Test or Channel Calibration. By only allowing a single SFM to be bypassed at one time, SHINE ensures that the same SFM across multiple divisions (which would be more than one SFM) will not be placed into maintenance bypass. By specifying this in the technical specifications, SHINE ensures that administrative controls are in place consistent with the NRC-approved HIPS TR to prevent an operator from placing the same SFM across more than one division into maintenance bypass. | TRPS Criterion 33 and 37; ESFAS Criterion 34 and 38 |
| 8 | 3.2 | An applicant or licensee referencing this SE should verify having appropriate physical independence between nonsafety-related and safety-related equipment to satisfy the Class 1E to non-Class 1E separation requirements, consistent with the guidelines of RG 1.75, Revision 3. | Partially applicable. Subsections 7.4.2.2.5 and 7.5.2.2.5 (Independence) of the SHINE facility FSAR describe how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence between nonsafety-related and safety-related equipment. | TRPS Criterion 20 and 21; ESFAS Criterion 21 and 22 |
| 9 | 3.4 | An applicant or licensee referencing this SE must provide the basis for the allocation of safety functions between the two diverse divisions to mitigate the effects of a postulated CCF concurrent with Chapter 15 events of its final safety analysis report. | Applicable. The TRPS and ESFAS are both implemented with 3 redundant divisions. Each of the three divisions requires a different type of FPGA to address a potential CCF of one type of FPGA. The three types of FPGAs implemented on the divisional modules are as follows: Division A: Microsemi IGLOO2 (FLASH based FPGA); Division B: Intel MAX10 (Hybrid Flash and SRAM based FPGA); Division C: Altera Artix-7 (SRAM based FPGA). An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5). | Not applicable |
| 10 | 3.4 | An applicant or licensee referencing this SE must verify that all diversity attributes of a HIPS platform (i.e., equipment diversity, design diversity, and functional diversity) conform to the diversity design details provided in the TR. | Applicable. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5). | Not applicable |
| 11 | 3.4 | An applicant or licensee referencing this SE must verify that the diverse FPGA technologies have unique identification. | Applicable. Subsections 7.4.3.10 and 7.5.3.9 (Classification and Identification) of the SHINE facility FSAR respectively describe how the HIPS-based TRPS and ESFAS equipment designs address unique identification. | Not applicable |
| 12 | 3.6.2.1, 3.6.2.5, 3.6.2.6.3.1, 3.6.2.6.3.3, 3.8.1.18 | An applicant or licensee referencing this SE should perform a system-level FMEA to demonstrate that the application-specific use of the HIPS platform identifies each potential failure mode and determines the effects of each failure. The FMEA should demonstrate that single failures, including those with the potential to cause a nonsafety system action (i.e., a control function) resulting in a condition requiring protective action (i.e., a protection function), cannot adversely affect the protection functions, as applicable. | Applicable. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluates potential single failures and determines the effects of each failure for the TRPS and ESFAS. As documented in the FMEA (Reference 4), failure modes that can prevent the systems from performing their intended functions are detected by design, built-in system diagnostics, or by periodic testing. The results of the FMEA determined that there are no single failures or non-detectable failures that can prevent the TRPS or ESFAS from performing their required safety functions. | TRPS Criterion 16 and 17; ESFAS Criterion 16, 17 and 18 |
| 13 | 3.6.2.1 | An applicant or licensee referencing this SE should demonstrate that the application-specific diagnostic, self-test, and manually initiated test and calibration features will not adversely affect channel independence, system integrity, or the system's ability to meet the single-failure criterion. | Applicable. Subsections 7.4.5.2.1 (Independence) and 7.4.5.2.2 (Redundancy) of the SHINE facility FSAR describe how the principles of redundancy and independence are incorporated into the design of the TRPS and ESFAS. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluates potential single failures and determines the effects of each failure for the TRPS and ESFAS. | TRPS Criterion 47; ESFAS Criterion 48 |
| 14 | 3.6.2.1 | An applicant or licensee referencing this SE must review the actions to be taken when failures and errors are detected during tests and self-tests and ensure that these actions are consistent with system requirements. In addition, the applicant or licensee should describe how errors and failures are indicated and managed after they are detected. Finally, the applicant or licensee should confirm that this information is provided in the single-failure analysis for the plant-specific application. | Partially applicable. Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) and Subsection 7.4.5.5 (System Performance Analysis) of the SHINE facility FSAR describe the self-testing and diagnostic features of the TRPS and ESFAS design. The alarm function for the SHINE facility is located in the nonsafety-related process integrated control system (PICS), which is outside the scope of the systems using the HIPS platform. Section 7.6.4.1 discusses how errors and failures are indicated via the PICS after they are detected. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluates potential single failures and determines the effects of, and methods of detection for, each failure for the TRPS and ESFAS. | Not applicable |
| 15 | 3.6.2.2, 3.6.4.3 | An applicant or licensee referencing this SE must demonstrate that the application-specific logic satisfies the completion of protective action requirements. | Applicable. Subsections 7.4.3.3 and 7.5.3.2 (Completion of Protective Actions) respectively discuss how the TRPS and ESFAS ensure completion of protective actions. | TRPS Criterion 43, 44, and 45; ESFAS Criterion 44, 45, and 46 |
| 16 | 3.6.2.3, 3.7.1.3 | An applicant or licensee referencing this SE must confirm that the HIPS platform manufacturer is currently on the Nuclear Procurement Issues Committee list or confirm that the HIPS manufacturing quality processes conform to the applicant's or licensee's program that is compliant with 10 CFR Part 50, Appendix B (i.e., vendor is included in the applicant's Approved Vendor List). The applicant or licensee will need to demonstrate that the HIPS software and associated development life cycle conform to applicable regulatory requirements. | Partially applicable. The overall quality assurance program applied to the design of the safety-related I&C systems is described in SHINE's Quality Assurance Program Description (QAPD), 2000-09-01 (Reference 3). SHINE's QAPD is based upon ANSI/ANS-15.8-1995, which provides an acceptable method of complying with the requirements of 10 CFR 50.34 for a production or utilization facility. Subsections 7.4.2.2.15, 7.5.2.2.15 (Quality), 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes and standards to be used in the design development of the TRPS and ESFAS. Subsection 7.4.5.4 (Software Requirements Development) describes the requirements for the TRPS and ESFAS software development life cycle. | TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 13; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 13 |
| 17 | 3.6.2.4, 3.6.2.6.2, 3.7.1.4, 3.8.1.17 | An applicant or licensee referencing this SE must confirm that the HIPS platform equipment is qualified to the applicable regulatory requirements. | Applicable. The overall quality assurance program applied to the design of the safety-related I&C systems is described in SHINE's QAPD, 2000-09-01 (Reference 3). SHINE's QAPD is based upon ANSI/ANS 15.8-1995, which provides an acceptable method of complying with the requirements of 10 CFR 50.34 for a production or utilization facility. Subsections 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes and standards to be used in qualifying the TRPS and ESFAS equipment. | TRPS Criterion 54 and 55; ESFAS Criterion 55 and 56 |
| 18 | 3.6.2.5, 3.7.1.5.1, 3.8.1.20 | An applicant or licensee referencing this SE must identify the safe states for protective functions and the conditions that require the system to enter a fail-safe state. The applicant or licensee must also demonstrate system qualification for installation and operation in mild environment locations. | Applicable. The safe states for TRPS and ESFAS actuated components are provided in Subsection 7.4.3.8 and Table 7.5-2 of the SHINE facility FSAR, respectively. The conditions that require the TRPS and ESFAS to enter a fail-safe state are provided in Sections 7.4.3.1 and 7.5.3.1, respectively. A TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) was conducted for the TRPS and ESFAS, which evaluated each component of the systems, how it may fail, and what the effect of the failure on the systems would be in the presence of a single failure. Effects on the systems include assuming a fail-safe state, only alarming the failure, or assuming a fail-safe state and alarming the failure. Which of these effects occurs depends on the mode of failure for each component and is documented in the FMEA. Subsections 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes, standards, and the conditions to be used in qualifying the TRPS and ESFAS equipment. HIPS platform environmental and seismic qualification testing results are documented in Reference 8. HIPS platform electromagnetic and radio frequency interference qualification testing results are documented in Reference 9. | TRPS Criterion 28 and 46; ESFAS Criterion 29 and 47 |
| 19 | 3.6.2.5, 3.7.1.5.1, 3.8.1.19, 3.8.1.20 | An applicant or licensee referencing this SE must confirm that system real-time performance is adequate to ensure completion of protective actions within critical time frames required by the plant safety analyses. | Applicable. Assumed maximum response time and response time analysis for the TRPS and ESFAS is discussed in Subsection 7.4.5.2.3 (Predictability and Repeatability) of the SHINE facility FSAR. | SHINE Criterion 13; TRPS Criterion 14 and 24; ESFAS Criterion 14 and 25 |
| 20 | 3.6.2.6.1, 3.8.1.2, 3.8.1.16 | An applicant or licensee referencing this SE must demonstrate that the full system design, any use of a shared component, the equipment's installation, and the power distribution architecture provide the required independence. | Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence. | TRPS Criterion 18, 20, 21, 22, and 23; ESFAS Criterion 19, 21, 22, 23, and 24 |
| 21 | 3.6.2.6.1, 3.8.1.2, 3.8.1.16 | An applicant or licensee referencing this SE must provide redundant power sources to separately supply the redundant power conversion features within the HIPS platform. | Applicable. Division A of both the TRPS and ESFAS is powered from Division A of the uninterruptible power supply system (UPSS). Division B of both the TRPS and ESFAS is powered from Division B of the UPSS. | TRPS Criterion 17; ESFAS Criterion 17 |
Division C of both the TRPS and ESFAS receives auctioneered power from Division A and Division B of the UPSS. Both the TRPS and ESFAS require 125 VDC power, which the UPSS provides as described above.
Each TRPS and ESFAS cabinet is provided a single 125 VDC power supply, which is used to power three (3) redundant 125 VDC to 24 VDC converters located at the top of the cabinet. The 24V supply is then distributed to each of three (3) chassis mounting bays as needed, where it is then used to power two (2) redundant 24 VDC to 5 VDC converters located beneath each chassis bay. These provide independent +5V A and +5V B power channels to each chassis.
22 3.2.2 3.6.2.6.3.1 3.8.1.1 3.8.1.2 An applicant or licensee referencing this SE must verify that the safety network provides electrical, physical, and communications independence and security requirements for communication Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.
TRPS Criterion 20, 21 and 22 ESFAS Criterion 21, 22 and 23
TECRPT-2018-0028 Revision 2 Page 20 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report 3.8.1.3 3.8.1.8 3.8.1.16 from safety to nonsafety-related systems.
23 3.6.2.6.3.2 3.6.2.6.4 3.8.1.1 3.8.1.2 3.8.1.16 An applicant or licensee referencing this SE must perform isolation testing on the HIPS platform equipment to demonstrate the capability to satisfy the Class 1E to non-Class 1E isolation requirements, consistent with the guidelines of RG 1.75, Revision 3.
Partially applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.
The results of isolation testing of HIPS platform equipment consistent with the guidelines of RG 1.75, Revision 3 is provided in the HIPS Platform EMI/RFI and Isolation Testing Report (Reference 7).
TRPS Criterion 19, 20, 21, and 22 ESFAS Criterion 20, 21, 22, and 23 24 3.6.2.7 3.6.3.5 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for testing and calibration of safety-related features.
Applicable. The TRPS and ESFAS are designed with the capability for calibration and surveillance testing, including channel checks, calibration verification, and time response measurements to verify that I&C safety systems perform required safety functions. The TRPS and ESFAS allow systems, structures, and components TRPS Criterion 47 and 48 ESFAS Criterion 48 and 49
TECRPT-2018-0028 Revision 2 Page 21 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report (SSCs) to be tested while retaining the capability to accomplish required safety functions. The TRPS and ESFAS use modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of built-in self-testing and periodic surveillance testing.
Testing from the sensor inputs of the TRPS and ESFAS through to the actuated equipment is accomplished through a series of overlapping sequential tests, most of which may be performed during normal plant operations. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain division independence by being performed within the division.
The part of TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the equipment interface module (EIM). This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic.
TECRPT-2018-0028 Revision 2 Page 22 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report The actuation priority logic consists of discrete components and directly causes actuation of field components. The actuation priority logic is a simple circuit that has acceptable reliability to be tested when the irradiation unit is in Mode 0.
While the TRPS and ESFAS is in normal operation, self-tests run without affecting the performance of the safety function, including its response time. TRPS and ESAFS data communications are designed with error detection to enhance data integrity. The protocol features ensure communications are robust and reliable with the ability to detect transmission faults. Similar data integrity features are used to transfer diagnostics data. The TRPS and ESFAS provides a means for checking the operational availability of the sense and command feature input sensors relied upon for a safety function during normal plant operation.
This capability is provided by one of the following methods:
Perturbing the monitored variable
TECRPT-2018-0028 Revision 2 Page 23 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report Cross-checking between channels that have a known relationship (channel check)
Introducing and varying a substitute input to the sensor Fault detection and indication occurs at the module level, which enables plant personnel to identify the module that needs to be replaced. Built-in self-testing will generate an alarm and report a failure to the operator and place the component (e.g., safety function module (SFM), scheduling, bypass, and voting modules (SBVMs), or EIM components) in a fail-safe state.
The maintenance workstation (MWS) is used to perform modification of configurable variables and setpoints and in-chassis calibration of TRPS and ESFAS equipment.
Prior to using the MWS, the affected SFM must be taken out of service. Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function.
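The rule that the MWS may modify a safety channel only after the affected SFM is out of service can be expressed as an interlock with two independent guards, one physical and one logical. The block below is an added illustration and is not SHINE or HIPS platform code: the channel states, the maintenance enable switch standing in for the physical control, the class and method names, the audit trail and the sample setpoint are all assumptions made for this example.

```python
"""Maintenance-workstation interlock model (added example, not SHINE/HIPS code).

Models the ASAI 24 rule: a safety function module's setpoints may be changed
from the MWS only after the channel is taken out of service. Two controls are
assumed here: a physical maintenance enable switch and the logical service
state of the channel. Both must permit the change before it is accepted.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class ChannelState(Enum):
    IN_SERVICE = "in_service"          # channel relied upon for its safety function
    OUT_OF_SERVICE = "out_of_service"  # channel taken out of service for maintenance


class InterlockError(Exception):
    """Raised when a modification is attempted while a control does not permit it."""


@dataclass
class SafetyChannel:
    """One SFM channel with its setpoints and an append-only audit trail (assumed)."""
    name: str
    state: ChannelState = ChannelState.IN_SERVICE
    maintenance_switch_enabled: bool = False   # assumed physical control (key switch)
    setpoints: Dict[str, float] = field(default_factory=dict)
    audit: List[Tuple] = field(default_factory=list)

    def set_maintenance_switch(self, enabled: bool, by: str) -> None:
        self.maintenance_switch_enabled = enabled
        self.audit.append(("maintenance_switch", enabled, by))

    def take_out_of_service(self, by: str) -> None:
        self.state = ChannelState.OUT_OF_SERVICE
        self.audit.append(("out_of_service", by))

    def return_to_service(self, by: str) -> None:
        # The physical control must be released before the channel is credited again.
        if self.maintenance_switch_enabled:
            raise InterlockError(f"{self.name}: release the maintenance switch before returning to service")
        self.state = ChannelState.IN_SERVICE
        self.audit.append(("in_service", by))

    def apply_setpoint(self, key: str, value: float, by: str) -> None:
        """Accept a setpoint change only when both the logical and physical controls permit it."""
        if self.state is ChannelState.IN_SERVICE:
            self.audit.append(("rejected", key, by, "channel in service"))
            raise InterlockError(f"{self.name}: channel is in service; modification of {key} refused")
        if not self.maintenance_switch_enabled:
            self.audit.append(("rejected", key, by, "maintenance switch off"))
            raise InterlockError(f"{self.name}: maintenance switch not enabled; modification of {key} refused")
        self.setpoints[key] = value
        self.audit.append(("setpoint", key, value, by))


def rejected_count(channel: SafetyChannel) -> int:
    """Number of refused modification attempts recorded in the audit trail."""
    return sum(1 for entry in channel.audit if entry[0] == "rejected")


def demo() -> SafetyChannel:
    """Walk one channel through two refused changes, one accepted change, and return to service."""
    ch = SafetyChannel("SFM-A1")  # constructed channel name
    try:
        ch.apply_setpoint("high_trip", 105.0, by="mws_user")   # refused: channel in service
    except InterlockError:
        pass
    ch.take_out_of_service(by="operator")
    try:
        ch.apply_setpoint("high_trip", 105.0, by="mws_user")   # refused: switch still off
    except InterlockError:
        pass
    ch.set_maintenance_switch(True, by="operator")
    ch.apply_setpoint("high_trip", 105.0, by="mws_user")       # accepted
    ch.set_maintenance_switch(False, by="operator")
    ch.return_to_service(by="operator")
    return ch


if __name__ == "__main__":
    result = demo()
    print(result.state, result.setpoints, rejected_count(result))
```

Every refused attempt is recorded before the exception is raised, so a review of the audit trail shows not only what was changed but also what was attempted against an in-service channel.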
ASAI 25
SER Referenced Section(s): 3.6.2.7, 3.6.3.5
ASAI Description: An applicant or licensee referencing this SE must provide additional diagnostics or testing functions (i.e., self-tests or periodic surveillance tests) to address any system-level failures that are identified as detectable only through periodic surveillance.
Applicability/Response: Applicable. Testing capabilities for the TRPS and the ESFAS are described in Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) of the SHINE facility FSAR, respectively. The part of the TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the equipment interface module (EIM). This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic. The actuation priority logic consists of discrete components and directly causes actuation of field components.
Applicable SHINE Design Criteria: TRPS Criterion 48 and 49; ESFAS Criterion 49 and 50

ASAI 26
SER Referenced Section(s): 3.6.2.7, 3.6.3.5
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for any automatic sensor cross-check as a credited surveillance test function and the provisions to confirm the continued execution of the automatic tests during plant operations.
Applicability/Response: Partially applicable. Required Channel Checks are discussed in the SHINE facility technical specifications. The TRPS and ESFAS have redundant gateways which gather the output of the monitoring and indication communications modules (MICMs) for each of the three divisions. The data for each of the three divisions are compared and the results are provided to the process integrated control system (PICS). The results of the comparison can be used to support performing a channel check.
Applicable SHINE Design Criteria: TRPS Criterion 47; ESFAS Criterion 48
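The comparison of one monitored variable across the three divisions, as the ASAI 26 response describes the gateways performing it to support a channel check, can be illustrated with a small classifier. The block below is an added example and not SHINE or HIPS platform code; the division labels, the tolerance, the status and verdict names, and the sample readings are constructed for illustration. It also covers two cases the paragraph does not spell out: a division that supplies no data (for example, a module in maintenance bypass) and readings where no two divisions agree.

```python
"""Cross-division comparison supporting a channel check (added example, not SHINE/HIPS code).

Each division's value for one monitored variable is compared against the
median of the available values. A division within the tolerance agrees; one
outside it deviates. The verdict distinguishes a single suspect division from
the case where the divisions do not agree with each other at all.
"""
from statistics import median
from typing import Dict, Optional, Tuple

AGREE, DEVIATES, NO_DATA, INSUFFICIENT = "AGREE", "DEVIATES", "NO_DATA", "INSUFFICIENT"


def channel_check(readings: Dict[str, Optional[float]],
                  tolerance: float) -> Tuple[str, Optional[float], Dict[str, str]]:
    """Classify one monitored variable across divisions.

    readings maps a division label to its value, or None when that division
    supplies no data. Returns (verdict, reference value, per-division status).
    """
    valid = {d: v for d, v in readings.items() if v is not None}
    status = {d: NO_DATA for d, v in readings.items() if v is None}
    if len(valid) < 2:
        # A single value has nothing to be compared against.
        status.update({d: INSUFFICIENT for d in valid})
        return "INSUFFICIENT_DATA", None, status
    ref = median(valid.values())   # middle value of three; mean of two
    for d, v in valid.items():
        status[d] = AGREE if abs(v - ref) <= tolerance else DEVIATES
    agreeing = sum(1 for d in valid if status[d] == AGREE)
    if agreeing == len(valid):
        verdict = "AGREEMENT"
    elif agreeing >= 2:
        verdict = "DEVIATION"      # a majority agrees; the flagged division is suspect
    else:
        verdict = "NO_AGREEMENT"   # no two divisions agree, so no reference can be chosen
    return verdict, ref, status


def run_samples() -> Dict[str, str]:
    """Constructed sample readings for one variable, all in the same engineering units."""
    samples = {
        "nominal": {"A": 100.0, "B": 100.5, "C": 99.8},
        "one_division_off": {"A": 100.0, "B": 100.5, "C": 104.0},
        "one_division_bypassed": {"A": 100.0, "B": None, "C": 100.4},
        "spread": {"A": 100.0, "B": 130.0, "C": 160.0},
        "two_bypassed": {"A": None, "B": None, "C": 99.0},
    }
    return {name: channel_check(r, tolerance=2.0)[0] for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

With only two valid divisions the median is their mean, so a disagreement flags both divisions rather than picking one; that is deliberate, since a two-way comparison cannot say which side is wrong.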
27 3.6.2.8.1 An applicant or licensee referencing this SE must describe any manual controls and associated displays used to support manually controlled safety actions necessary to accomplish a safety function for which no automatic control is provided.
Not applicable. The SHINE facility design basis does not include manually controlled safety actions for which no automatic control is provided.
Not applicable 28 3.6.2.8.2 An applicant or licensee referencing this SE must describe how the HIPS platform safety system status information is used in displays to provide unambiguous, accurate, complete, and timely status of safety system protective actions.
Applicable. TRPS and ESFAS monitoring and indication information is transmitted redundantly from each systems divisional monitoring and indication communications module (MICM) via one-way isolated RS-485 connections to respective redundant nonsafety gateway communications modules (GWCMs), which are located in two redundant gateway chassis. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. They are physically located within two chassis, and the two SHINE Criterion 6
TECRPT-2018-0028 Revision 2 Page 26 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report chassis are located in the ESFAS Division C cabinet.
All GWCMs within Gateway Chassis A will utilize the same field programmable gate array (FPGA) type that is utilized in Division A of the TRPS and ESFAS. All GWCMs within Gateway Chassis B will utilize the same FPGA type that is utilized in Division B of the TRPS and ESFAS. This ensures that a software common cause failure for one of these two FPGA types will not disable the function of providing TRPS and ESFAS monitoring and indication information to PICS.
A description of how safety system status is used in displays is provided in Section 7.6 (Control Console and Display Instruments) of the SHINE facility FSAR.
29 3.6.2.8.3 An applicant or licensee referencing this SE must describe how the HIPS platform bypass status information is used to automatically actuate the bypass indication for bypassed or inoperable conditions, when Applicable. Subsections 7.4.4.3 and 7.5.4.4 (Maintenance Bypass) of the FSAR also provides a description of the use of manual switches for placing HIPS modules in bypass. A description of how the safety system status is provided to the PICS for TRPS Criterion 42 ESFAS Criterion 43
TECRPT-2018-0028 Revision 2 Page 27 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report required, and provide the capability to manually activate the bypass indication from within the control room.
indication to the operators is given above in the response to ASAI 28.
30 3.6.2.8.4 An applicant or licensee referencing this SE must describe how the information displays are accessible to the operator and are visible from the location of any controls used to effect a manually controlled protective action provided by the front panel controls of a HIPS-based system.
Partially applicable. TRPS and ESFAS equipment is not used to display information for the operator.
The TRPS and ESFAS monitoring and indication information will be available to the operators in the facility control room at the PICS operator workstations. A subset of the TRPS and ESFAS monitoring and indication information will be displayed at the main control board in the facility control room near where the manual control for actuating TRPS and ESFAS safety functions are located.
SHINE FSAR Subsection 7.4.5.2.4 describes the TRPS and ESFAS information available to the operators in the facility control room.
SHINE Criterion 6 31 3.6.2.9 An applicant or licensee referencing this SE must provide additional control of access features to address the system-level aspects Applicable. Subsection 7.4.5.3 (Access Control and Cyber Security) of the SHINE facility FSAR describes how the HIPS based TRPS Criterion 1, 2, and 3
TECRPT-2018-0028 Revision 2 Page 28 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report for a safety system using the HIPS platform.
TRPS and ESFAS equipment design addresses the control of access.
ESFAS Criterion 1, 2, and 3 32 3.6.2.10 3.8.1.13 An applicant or licensee referencing this SE must provide additional diagnostics or testing functions (self-tests or periodic surveillance tests) to address any system-level failures that are identified as detectable only through periodic surveillance. The applicant or licensee must also ensure that failures detected by these additional diagnostics or testing functions are consistent with the assumed failure detection methods of the application-specific single-failure analysis.
Applicable. The self-testing and required surveillance testing for the TRPS and the ESFAS are described in Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) of the SHINE facility FSAR. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) identified no nondetectable TRPS or ESFAS failures.
TRPS Criterion 48 and 49 ESFAS Criterion 49 and 50 33 3.6.2.11 An applicant or licensee referencing this SE must establish the identification and coding requirements for cabinets and cabling for a safety system.
Applicable. Subsections 7.4.3.10 and 7.5.3.9 (Classification and Identification) of the SHINE facility FSAR respectively describes how the TRPS and ESFAS equipment is uniquely identified in accordance with SHINE component numbering guidelines. The TRPS Criterion 50 ESFAS Criterion 51
TECRPT-2018-0028 Revision 2 Page 29 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report equipment identification includes, but is not limited to, system designation (code),
equipment train, and division.
34 3.6.2.12 An applicant or licensee referencing this SE must demonstrate that the application-specific system design implemented with the HIPS platform meets the applicable regulatory requirements for auxiliary features.
Applicable. A supporting feature for the TRPS and ESFAS which is not a part of the systems is the electrical power provided by the uninterruptible power supply system (UPSS). Section 8a2.2 of the SHINE facility FSAR describes the design basis of the UPSS.
Other auxiliary features of the TRPS and ESFAS that are a part of the systems by association (i.e., not isolated from the TRPS or ESFAS) but are not required for the TRPS and ESFAS to perform their safety functions include the following:
- 1) Continuous online self-testing and diagnostics
- 2) Communication from safety-related portions of the TRPS and ESFAS to non-safety related systems
- 3) Capability for control of safety-related components by using non-safety Not applicable
TECRPT-2018-0028 Revision 2 Page 30 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report related PICS via the APL within the EIM
- 4) Isolation devices and circuitry 35 3.6.2.13 An applicant or licensee referencing this SE must demonstrate that the application-specific system design implemented with the HIPS platform meets the applicable regulatory requirements for shared systems.
Applicable. Subsection 7.1.2 and Figure 7.1-1 of the SHINE facility FSAR describes the use of a separate TRPS for each IU Cell.
SHINE Criterion 5 36 3.6.2.14 An applicant or licensee referencing this SE must confirm that the HIPS platform equipment meets any specified human factors requirements.
Applicable. Subsections 7.4.3.7 and 7.5.3.6 (Human Factors) of the SHINE facility FSAR describe how human factors are incorporated into the design of the TRPS and ESFAS.
TRPS Criterion 51 ESFAS Criterion 52 37 3.6.2.15 3.7.1.15 An applicant or licensee referencing this SE must confirm that the HIPS platform equipment meets any specified quantitative or qualitative reliability goals.
Applicable. Reliability characteristics of the TRPS and ESFAS designs are described in Subsections 7.4.2.1.3 and 7.5.2.1.3 (Protection System Repeatability and Testability) of the SHINE facility FSAR.
TRPS Criterion 23 and 24 ESFAS Criterion 24 and 25
TECRPT-2018-0028 Revision 2 Page 31 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report 38 3.6.3.1 3.6.4.1 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to provide automatic safety system sense and command features for required safety functions.
Applicable. The design criteria for the TRPS and ESFAS are provided in Subsections 7.4.2 and 7.5.2 (Design Criteria) respectively.
The design basis for the sense and command features of the TRPS and ESFAS is provided in Subsections 7.4.4 and 7.5.4 (Operation and Performance) respectively for the TRPS and ESFAS of the SHINE facility FSAR.
SHINE Criterion 14 39 3.6.3.2 3.6.4.2 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to provide manual safety system sense and command features for required safety functions.
Applicable. The design basis for the manual sense and command features for the TRPS and ESFAS is provided in Subsections 7.4.3.7 and 7.5.3.6 (Human Factors) respectively for the TRPS and ESFAS of the SHINE facility FSAR.
TRPS Criterion 15 and 52 ESFAS Criterion 15 and 53 40 3.6.3.3 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for sense and command features to provide protection against the resulting condition of a nonsafety system action that has been caused by a single credible event, including Applicable. The design basis for the sense and command features for the TRPS and ESFAS is provided in Subsections 7.4.3.12 and 7.5.3.11 (Prioritization of Functions) respectively for the TRPS and ESFAS of the SHINE facility FSAR.
TRPS Criterion 27 ESFAS Criterion 28
TECRPT-2018-0028 Revision 2 Page 32 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report its direct and indirect consequences.
41 3.6.3.4 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to acquire and condition field sensor measurements of the required variables.
Applicable. The design basis for acquiring and conditioning inputs in the TRPS and ESFAS is provided in Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR.
SHINE Criterion 13 42 3.6.3.6 3.6.4.4 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for operating bypasses.
Applicable. Subsection 7.4.4.2 of the SHINE facility FSAR describes the use of operational bypasses for the TRPS during the operation of the irradiation unit (IU) cells.
Automatic operational bypasses are only associated with the TRPS. As stated in FSAR Subsection 7.5.4.2, automatic operational bypasses are not used in the ESFAS.
TRPS Criterion 33, 34, 35, 36, 37, 38, 39, 40, and 42 ESFAS Criterion 34, 35, 36, 37, 38, 39, 40, 41, and 43 43 3.6.3.7 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for maintenance bypasses and provide Applicable. Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment is used for maintenance bypasses. For the SHINE application, maintenance bypasses are TRPS Criterion 41 ESFAS Criterion 42
TECRPT-2018-0028 Revision 2 Page 33 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report the technical specification requirements.
associated with the sense and command features only for the TRPS and ESFAS.
There are no maintenance bypass capabilities associated with execute features in the SHINE application of the HIPS platform.
Channels associated with an SFM of the TRPS and ESFAS can be taken out of service by direct component replacement or the manipulation of manual switches.
Components that are designed to be replaced directly are the scheduling and bypass modules (SBMs), SBVMs, equipment interface modules (EIMs), and HWMs.
Subsections 7.4.4.3 and 7.5.4.4 of the SHINE FSAR describe how the sense and command features can be placed into maintenance bypass for the TRPS and ESFAS, respectively.
Subsections 3.2.1, 3.2.2, 3.2.5 and 3.2.6 of the technical specifications of the SHINE facility operating license application document the required facility technical
TECRPT-2018-0028 Revision 2 Page 34 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report specifications applicable to placing a TRPS or ESFAS SFM into maintenance bypass.
44 3.6.3.8 An applicant or licensee referencing this SE must describe the setpoints, setpoint methodologies, or HIPS platform module accuracies used for a safety system implemented with the HIPS platform equipment.
Applicable. Subsections 7.4.3.11 and 7.5.3.10 (Setpoints) of the SHINE facility FSAR discusses the setpoints for the TRPS and ESFAS, respectively. Tables 7.4-1 and 7.5-1 respectively provide the accuracies required for the TRPS and ESFAS monitored variables.
TRPS Criterion 29, 30 and 32 ESFAS Criterion 30, 31 and 33 45 3.6.4.5 An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for maintenance bypasses.
Applicable. Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment is used for maintenance bypasses.
For the SHINE application, maintenance bypasses are associated with the sense and command features only for the TRPS and ESFAS. There are no maintenance bypass capabilities associated with execute features in the SHINE application of the HIPS platform.
Subsections 7.4.4.3 and 7.5.4.4 of the SHINE FSAR describe design for TRPS Criterion 37 and 41 ESFAS Criterion 38 and 42
TECRPT-2018-0028 Revision 2 Page 35 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report maintenance bypass in the TRPS and ESFAS, respectively.
46 3.6.5 An applicant or licensee referencing this SE must describe power sources to the HIPS platform equipment and how they meet applicable regulatory requirements.
Applicable. The design bases description for the TRPS and ESFAS power source is provided in Section 8a2.2 of the SHINE facility FSAR.
Division A of both the TRPS and ESFAS is powered from Division A of the uninterruptible power supply system (UPSS).
Division B of both the TRPS and ESFAS is powered from Division B of the UPSS.
Division C of both the TRPS and ESFAS receives auctioneered power from Division A and Division B of the UPSS. Both the TRPS and ESFAS require 125 VDC power, which the UPSS provides as described above.
Each TRPS and ESFAS cabinet is provided a single 125 VDC power supply, which is used to power three (3) redundant 125 VDC to 24 VDC converters located at the top of the cabinet. The 24V supply is then distributed to each of three (3) chassis mounting bays as needed, where it is then SHINE Criterion 27.
TECRPT-2018-0028 Revision 2 Page 36 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report used to power two (2) redundant 24 VDC to 5 VDC converters located beneath each chassis bay. These provide independent +5V A and +5V B power channels to each chassis.
47 3.7.1.5.2 An applicant or licensee referencing this SE must confirm that the manufacturer followed the same design, development, and iV&V processes for test and calibration functions as for all other HIPS platform functions.
Applicable. The required quality and standards of TRPS and ESFAS programmable logic development processes are described in Subsection 7.4.5.4 (Software Requirements Development) of the SHINE facility FSAR. The calibration features of the TRPS and ESFAS are designed, developed, and validated at the same level as the safety related functional logic. The calibration features of the TRPS and ESFAS are implemented independently from the safety functions of the system but are implemented on the same FPGA as the safety functions and are therefore designed, developed, and validated to the same rigor as the safety functions of the systems.
TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12 ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12 48 3.7.1.5.2 An applicant or licensee referencing this SE that relies on a separate Not applicable. A separate computer is not relied upon for the sole verification of test Not applicable
TECRPT-2018-0028 Revision 2 Page 37 of 66 ASAI No.
SER Referenced Section(s)
ASAI Description Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINEs Final Safety Analysis Report computer for the sole verification of test and calibration data should ensure adequate iV&V, configuration management, and quality assurance for the test and calibration functions of the separate computer.
and calibration data for the TRPS and ESFAS.
(Table 3-1 columns: ASAI No. | SER Referenced Section(s) | ASAI Description | Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI | Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINE's Final Safety Analysis Report)

ASAI No. 49 (SER Section 3.7.1.5.3)
ASAI Description: An applicant or licensee referencing this SE must confirm that the manufacturer followed the same design, development, and IV&V processes for self-diagnostics functions as for all other HIPS platform functions.
Applicability: Applicable. The required quality and standards of the TRPS and ESFAS programmable logic development processes are described in Subsection 7.4.5.4 (Software Requirements Development) of the SHINE facility FSAR. The self-testing features of the TRPS and ESFAS are designed, developed, and validated at the same level as the safety-related functional logic. The overlapped self-test features of the TRPS and ESFAS are integral to the operation of the system and are therefore designed, developed, and validated to the same rigor as the safety functions of the systems.
Applicable SHINE design criteria: TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12

TECRPT-2018-0028 Revision 2 Page 38 of 66

ASAI No. 50 (SER Section 3.7.1.5.3)
ASAI Description: An applicant or licensee referencing this SE must verify that the manufacturer included the self-diagnostic functions within its type testing of the HIPS platform standardized circuit boards during EQ.
Applicability: Applicable. Subsections 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR identify the required codes and standards to be used in qualifying the TRPS and ESFAS equipment, respectively. All HIPS self-diagnostic functions were included within the type testing of the HIPS platform circuit boards during EQ. Evidence of this is provided in the completed testing procedures, which are included as part of the HIPS platform EQ testing results reports (References 6 and 7).
Applicable SHINE design criteria: TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 47; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 48

ASAI No. 51 (SER Section 3.7.1.5.3)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the combination of HIPS platform self-tests and system surveillance testing provide the necessary test coverage to ensure that there are no undetectable failures that could adversely affect a required safety function.
Applicability: Applicable. As described in Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) of the SHINE facility FSAR, end-to-end testing of the entire HIPS platform is performed through overlap testing. Individual self-tests in the various components of the TRPS ensure that the entire component is functioning correctly. Self-test features are provided for components that do not have setpoints or tunable parameters. All TRPS and ESFAS components, except the discrete APL of the EIM, have self-testing capabilities that ensure the information passed on to the following step in the safety data path is correct. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluated potential single failures and determined that there are no undetectable failures that could adversely affect the required TRPS and ESFAS safety functions.
Applicable SHINE design criteria: TRPS Criterion 47; ESFAS Criterion 48

ASAI No. 52 (SER Section 3.7.1.6)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the full system design, any use of a shared component, the equipment's installation, and the communication bus architecture provide the required independence.
Applicability: Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS-based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.
Applicable SHINE design criteria: TRPS Criterion 18, 19, 20, 21, 22, 23, 24, 25, and 26; ESFAS Criterion 19, 20, 21, 22, 23, 24, 25, 26, and 27

ASAI No. 53 (SER Section 3.7.1.6)
ASAI Description: An applicant or licensee referencing this SE must verify that the safety network provides communications independence and security requirements for communication from safety-related to nonsafety-related systems.
Applicability: Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS-based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.
Applicable SHINE design criteria: TRPS Criterion 20 and 22; ESFAS Criterion 21 and 23

ASAI No. 54 (SER Section 3.7.1.11)
ASAI Description: An applicant or licensee referencing this SE must establish the identification and coding requirements for cabinets and components for a safety system and the methods to verify that the correct firmware or software is installed in the correct hardware component.
Applicability: Applicable. Subsections 7.4.5.4.6.3, 7.4.3.10, and 7.5.3.9 of the FSAR describe how the HIPS-based TRPS and ESFAS equipment design addresses equipment identification.
The programmable logic lifecycle process includes automatically generating a unique FPGA logic design image number which is used as an FPGA logic design identification number. The FPGA logic design image number can be displayed on the MWS and is included on all logic design documentation and within the hardware description language (HDL) code for the image, so the user can verify the installed FPGA design against the logic design documentation.
The FPGA logic design identity image number is included in the following logic development workflow outputs:
- Programmable Logic Design Specifications
- Programmable Logic Test Specifications
- Programmable Logic Test Results
- Requirements Traceability Matrix
- The FPGA logic top level HDL code file
The FPGA logic design image number is used as a system logic design configuration verification tool that verifies the correctness of the current system logic design within a chassis.
Applicable SHINE design criteria: TRPS Criterion 50; ESFAS Criterion 51

ASAI No. 55 (SER Section 3.8.1.1)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that a full system design does not, with the exception of division voting logic, depend on any information or resource originating or residing outside its own safety division to accomplish its safety function.
Applicability: Applicable. Subsection 7.4.5.2.1 (Highly Integrated Protection System Design) of the SHINE facility FSAR describes how the HIPS equipment implements divisional voting logic. Other than divisional voting logic, the TRPS and ESFAS do not depend on any information or resource originating or residing outside of each safety division to accomplish their safety functions.
Applicable SHINE design criteria: TRPS Criterion 18, 20, and 21; ESFAS Criterion 19, 21, and 22

ASAI No. 56 (SER Section 3.8.1.5)
ASAI Description: An applicant or licensee referencing this SE must confirm that system real-time performance is adequate, assuming the longest possible completion time, to ensure the completion of protective actions within the critical time frames required by the plant safety analyses.
Applicability: Applicable. A response time analysis for the TRPS and ESFAS is discussed in Subsection 7.4.5.2.3 (Predictability and Repeatability) of the SHINE facility FSAR.
Applicable SHINE design criteria: TRPS Criterion 23 and 24; ESFAS Criterion 24 and 25

ASAI No. 57 (SER Section 3.8.1.12)
ASAI Description: An applicant or licensee referencing this SE must configure the slave modules (e.g., SFMs and EIMs) to alarm and assume a fail-safe state.
Applicability: Applicable. A TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) was conducted for the TRPS and ESFAS, which evaluated each component of the systems, how it may fail, and what the effect of the failure on the systems would be in the presence of a single failure. Effects on the systems include assuming a fail-safe state, alarming the failure only, or assuming a fail-safe state and alarming the failure. Which of these effects occurs depends on the mode of failure for each component and is documented in the FMEA.
Applicable SHINE design criteria: TRPS Criterion 48; ESFAS Criterion 49

ASAI No. 58 (SER Section 3.8.1.18)
ASAI Description: An applicant or licensee referencing this SE should verify having appropriate physical, logical, and programmatic controls during the system development phases to ensure that unwanted, unneeded, and undocumented functionality is not introduced into digital safety systems.
Applicability: Applicable. Subsections 7.4.5.3.1 (Secure Development Operating Environment) and 7.4.5.4 (Software Requirements Development) of the SHINE facility FSAR describe the Secure Development Environment requirements for TRPS and ESFAS system development. As discussed in Subsection 7.4.5.4, the plans and procedures for the design/development, V&V activities, configuration management, and their associated documentation for completion of performance are to be provided by the TRPS and ESFAS vendor.
Applicable SHINE design criteria: TRPS Criterion 2, 5, and 6; ESFAS Criterion 2, 5, and 6

ASAI No. 59 (SER Sections 3.8.1.19, 3.8.1.20)
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to provide a deterministic communication structure for required safety functions.
Applicability: Applicable. TRPS and ESFAS integrity characteristics which support a deterministic communication structure are discussed in Subsection 7.4.5.2.3 (Predictability and Repeatability) of the SHINE facility FSAR.
Applicable SHINE design criteria: TRPS Criterion 24; ESFAS Criterion 25

ASAI No. 60 (SER Section 3.8.3.1.2)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the full system design supports cross-divisional and nonsafety communication with the appropriate independence and isolation.
Applicability: Applicable. How communications independence is implemented within the TRPS and the ESFAS is discussed in Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR.
Applicable SHINE design criteria: TRPS Criterion 21 and 22; ESFAS Criterion 22 and 23

ASAI No. 61 (SER Section 3.8.3.1.3)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the application-specific use of an enable nonsafety switch and its configuration details will not adversely affect the channel independence nor the operation of safety-related equipment when the safety-related equipment is performing its safety function. In addition, the applicant or licensee must demonstrate that the application-specific use of an enable nonsafety switch should not be able to bring a safety function out of bypass condition unless the affected division has itself determined that such action would be acceptable.
Applicability: Applicable. The use of an enable nonsafety switch and associated priority logic within the TRPS and ESFAS is described in Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR. Specific logic diagrams for how the enable nonsafety switch is implemented in TRPS and ESFAS logic are provided in Figures 7.4-1 and 7.5-1, respectively. Use of the enable nonsafety switch is also discussed in Subsections 7.4.3 and 7.5.3 of the SHINE facility FSAR.
Applicable SHINE design criteria: Not applicable

ASAI No. 62 (SER Sections 3.9.1, 3.9.2)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform equipment is used to provide FPGA diversity between redundant portions of the systems to eliminate HIPS platform digital CCF vulnerabilities.
Applicability: Partially applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16

ASAI No. 63 (SER Sections 3.9.2, 3.9.3)
ASAI Description: An applicant or licensee referencing this SE must address any other digital CCF vulnerabilities in the application-specific D3 analysis.
Applicability: Applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16

ASAI No. 64 (SER Section 3.9.3)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform equipment is used to provide FPGA diversity between redundant portions of the system architecture (e.g., in each of two redundancies in a four-fold redundant system or in one redundancy in a two-fold redundant system) to ensure HIPS platform safety performance in the presence of a digital CCF.
Applicability: Partially applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. The TRPS and ESFAS are both implemented with three redundant divisions. Each of the three divisions requires a different type of FPGA to address a potential CCF of one type of FPGA. The three types of FPGAs implemented on the divisional modules are as follows:
- Division A: Microsemi IGLOO2 (FLASH based FPGA)
- Division B: Intel MAX10 (Hybrid Flash and SRAM based FPGA)
- Division C: Altera Artix-7 (SRAM based FPGA)
An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16

ASAI No. 65 (SER Section 3.9.4)
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform equipment is used to provide diversity for indication and component control signals to ensure HIPS platform monitoring and control performance in the presence of a digital CCF.
Applicability: Partially applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16
4 Conclusions
Each application-specific action item identified in the final safety evaluation report for the HIPS platform topical report (Reference 1) was evaluated for applicability to SHINE's medical isotope production facility licensing application. The resulting applicability determination was documented in Table 3-1, and if the ASAI was determined to be not applicable, justification for why it was not considered applicable was provided. If the ASAI was determined to be applicable, a reference was provided to either the appropriate sections of the SHINE facility FSAR or the appropriate design basis document, which provides evidence that the applicable action items have been adequately addressed for the design of the TRPS and ESFAS.
5 HIPS Platform Modifications
This section identifies modifications and additions to the fundamental HIPS platform equipment design and functionality described in the HIPS platform topical report (Reference 1) which are to be implemented as part of the TRPS and ESFAS designs. This section does not describe the differences between the representative architecture presented in the topical report and the application-specific equipment architectures for the TRPS and ESFAS.
5.1 Hardwired Module Input Routing
Section 2.5.2 of the HIPS platform topical report states that Trip/Bypass inputs to the Hardwired Modules are routed only to the scheduling and bypass modules (SBMs) where they are used. There are two differences from this statement in the TRPS and ESFAS designs. The first is that the inputs to the Hardwired Modules are used at the SBMs (Division C), the SBVMs (Divisions A and B), the MICMs (for monitoring and indication information), and also at the EIMs for manual actuation of protective functions and manual nonsafety functions. The second difference is that the inputs to the Hardwired Modules are made available to all modules in the same chassis. The modules listed above utilize the signals that are made available on the backplane from the Hardwired Modules.
Additionally, the discussion of the use of the trip/bypass switches with the SBMs in the topical report applies equally to the use of the trip/bypass switches with the SBVMs in Divisions A and B of the TRPS and ESFAS designs.
5.2 Use of Fiber Optic Communications
Sections 2.5.3, 4.3, and 4.6.2 of the HIPS platform topical report describe the use of transmit-only or receive-only fiber optic ports for inter-divisional communications. The TRPS and ESFAS designs do not use fiber optic ports for inter-divisional communications. The inter-divisional communications in the TRPS and ESFAS are implemented with transmit-only or receive-only copper RS-485 connections.
5.3 Communications Module (CM) Bi-Directional Communications
Section 2.5.3 of the HIPS platform topical report discusses transmit-only or receive-only communications for a CM. The TRPS and ESFAS designs utilize CMs (see discussion of the gateway communications modules in Section 5.5.2 below) in Divisions A and B to communicate bi-directionally with the PICS via the MODBUS protocol. This is justified because the function of these CMs is non-safety related and the information which is provided to the PICS from these CMs is received from each division of the TRPS or ESFAS via transmit-only isolated connections.
5.4 Implementation of EIM Switching Outputs
Section 2.5.4.4 of the HIPS Platform topical report states that each EIM can control two groups of field components and each group can have up to two field devices. The HIPS platform has been modified for the TRPS and ESFAS designs such that each EIM can control four groups of field components and each group can have up to two field devices. Also, the redundancy of dual high side and dual low side contacts for each output switch is not implemented in the TRPS and ESFAS EIM designs. This is acceptable because the actuation loads for the SHINE application are small solenoids, which do not justify using the dual high side and dual low side arrangement, and omitting it allows for a higher density of outputs per EIM.
5.5 Specific Implementation of Communications Modules
5.5.1 Scheduling, Bypass, and Voting Modules
Throughout the HIPS platform topical report, the use of Scheduling and Bypass Modules (SBM) and Scheduling and Voting Modules (SVM) is discussed as part of a representative architecture which is provided in the topical report to help describe the design principles implemented within the HIPS platform. Both modules are example types of the HIPS Platform Communications Module. The TRPS and ESFAS designs utilize a type of Communications Module that is referred to as a Scheduling, Bypass, and Voting Module (SBVM) in Divisions A and B. The SBVM combines all functions, capabilities, and design principles described in the topical report for an SBM and an SVM into a single module. This was implemented to minimize the total number of HIPS hardware modules necessary for the required TRPS and ESFAS functionality. As such, the use of an SBVM in the TRPS and ESFAS designs does not represent a modification or addition to the HIPS Platform as described in the topical report; however, it is identified in this section to explain the apparent use of a different module from that described in the topical report.
Since the SVM functionality on each SBVM will load each of the specific TRPS or ESFAS application's voting registers with the partial trip determination actuation (PTDA) information received by its SBM functionality, Figure 7-8 of the topical report is modified as shown in Figure 5-1 below to add a note that the Wait for Sync is not necessary for the SBVMs. In Figure 5-1, because the TRPS and ESFAS implement 1oo2, 2oo2, or 2oo3 voting, which is different from the 2oo4 voting discussed in the HIPS platform topical report for the representative architecture, the 2oo4 voting references from the HIPS platform topical report have also been removed. This figure has also been modified to show the three TRPS/ESFAS divisions as opposed to the four divisions of the representative architecture in the HIPS platform topical report.
Figure 5-1: SBVM MOD_OK - Loading Voting
5.5.2 Gateway Communications Modules
The gateway communications module (GWCM) is a HIPS platform communications module not described in the HIPS platform topical report which performs only nonsafety-related monitoring and indication functions. TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional monitoring and indication communications module (MICM) via one-way isolated RS-485 connections to respective redundant nonsafety GWCMs, which are located in two redundant gateway chassis. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. As described in Section 2.5.3 of the HIPS platform topical report, the GWCMs, which are HIPS platform communications modules, have four communications ports, each of which can be configured as receive-only or transmit-only. Three of the four communications ports of each GWCM are configured as receive-only ports for their respective status and diagnostics information input. The fourth communications port of each GWCM is configured for two-way communications with the respective PICS channel using the MODBUS communications protocol. Two-way communication is a departure from the HIPS platform topical report description of a communications module. This is acceptable because the communication from the GWCM is a nonsafety function, and the upstream communication from each MICM to a GWCM is isolated and one-way only.
5.6 SBVM Safety Data Bus Frame As discussed above in Section 5.5, the TRPS and ESFAS utilize an SBVM which performs the functions described in the HIPS platform topical report for both the SBM and the SVM. Sections 7.6.3 through 7.7.1 of the topical report describe the operations and safety data bus frames for the SBM and SVM. The TRPS and ESFAS will incorporate a change to how the SBVM votes on the PTDA and communicates actuation data to the EIMs. Instead of sending separate trip determination actuation (TDA) information for each safety function group (SFG) to the EIMs, all safety function groups are voted on at the same time and the TDA for all SFGs are then transferred to the EIMs at once. For this change, Figure 7-12 of the topical report is modified to show a single transaction below in Figure 5-2 for the TRPS and ESFAS implementation.
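As an added illustration (constructed for this page, not SHINE or HIPS platform code), the following Python models the SBVM change just described: every SFG is voted in one pass from the loaded PTDA registers and the complete TDA set is packed for a single transfer to the EIMs. The SFG names, their division assignments, and the fail-safe handling of a missing PTDA are assumptions of the example.

```python
from typing import Dict, Optional, Tuple

# Constructed model of SBVM voting, not vendor code. The page states only that
# the TRPS and ESFAS use three divisions and 1oo2, 2oo2, or 2oo3 voting, and
# that all SFGs are voted at once and their TDAs sent to the EIMs together.

DIVISIONS = ("A", "B", "C")

# Voting scheme per safety function group: (required votes, participating
# divisions). SFG names and division assignments are placeholders.
SFG_SCHEMES: Dict[str, Tuple[int, Tuple[str, ...]]] = {
    "SFG-1": (2, ("A", "B", "C")),  # 2oo3
    "SFG-2": (1, ("A", "B")),       # 1oo2
    "SFG-3": (2, ("A", "B")),       # 2oo2
}

# PTDA register contents: per SFG, per division, True = partial trip,
# False = no trip, None = no valid PTDA received from that division.
PtdaRegisters = Dict[str, Dict[str, Optional[bool]]]


def vote_sfg(required: int, participants: Tuple[str, ...],
             ptda: Dict[str, Optional[bool]]) -> bool:
    """Return True (trip) when at least `required` participating divisions
    report a partial trip. A division with no valid PTDA (None) is counted
    as a trip vote; that fail-safe convention is an assumption of this
    example, not a statement about the HIPS platform."""
    votes = 0
    for division in participants:
        value = ptda.get(division)
        if value is None or value:
            votes += 1
    return votes >= required


def vote_all(registers: PtdaRegisters) -> Dict[str, bool]:
    """Vote every SFG from the loaded voting registers in one pass and
    return the complete TDA set, which the modified SBVM transfers to the
    EIMs in a single transaction instead of one SFG at a time."""
    return {
        sfg: vote_sfg(required, participants, registers.get(sfg, {}))
        for sfg, (required, participants) in SFG_SCHEMES.items()
    }


def pack_tda(tda: Dict[str, bool]) -> int:
    """Pack the TDA set into one word, bit i = SFG i in SFG_SCHEMES order,
    so the whole result can be written to the EIMs at once."""
    word = 0
    for bit, sfg in enumerate(SFG_SCHEMES):
        if tda[sfg]:
            word |= 1 << bit
    return word


if __name__ == "__main__":
    # Constructed sample: division C has no valid PTDA for SFG-1.
    sample: PtdaRegisters = {
        "SFG-1": {"A": True, "B": False, "C": None},
        "SFG-2": {"A": False, "B": False},
        "SFG-3": {"A": True, "B": True},
    }
    result = vote_all(sample)
    print(result, bin(pack_tda(result)))
```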
Figure 5-2: SBVM HIPS Bus Frame Transaction Time
Figure 7-14 of the topical report is modified simply to show the SBM and SVM functionality being performed by the SBVM module (dashed box) as shown below in Figure 5-3.
Figure 5-3: Timing diagram for the TRPS and ESFAS
5.7 Self-Testing
5.7.1 Analog to Digital Converter
Sections 7.1.1 and 8.2.1 of the HIPS platform topical report describe the self-testing features for the analog to digital converter (ADC) for an analog input submodule (ISM). The auto-calibration function described there includes the use of external passive components, whereas the TRPS and ESFAS designs will incorporate the critical passive components onto the ADC chip. This results in very precise values that are factory calibrated and are significantly less prone to drift over time and temperature; therefore, the auto-calibration function is not implemented for the TRPS and ESFAS designs.
5.7.2 EIM Input and Output Testing
The self-testing described in Sections 8.2.3.2 and 8.2.3.4 of the HIPS platform topical report for discrete input circuitry (open/closed contact tests) and high drive output testing is not being implemented for the TRPS and ESFAS designs. These tests were not implemented as they would require interaction between the FPGA logic and the analog APL circuitry, and it was desired to keep the interface between the FPGA and APL as simple as possible.
5.7.3 HWM Input Channel Test
The self-test identified in Section 8.2.7 of the HIPS platform topical report for HWM input signals is not being implemented for the TRPS and ESFAS designs. This test is also not implemented because it would require interaction of the FPGA with the hardwired input circuitry (used for manual protection system actuation), and it was desired to not allow any interface of the FPGA with this capability.
5.7.4 End-to-End Testing
Figure 8-2 of the HIPS platform topical report shows the overlap of built-in self-tests and periodic surveillance testing. This figure is updated as shown in Figure 5-4 to add periodic surveillance testing for the following:
- all safety-related inputs (to the SFMs and HWMs)
- discrete signals between the TRPS and ESFAS SBVMs
- EIM actuation priority logic and outputs
Figure 5-4: TRPS and ESFAS Overlap of Testing
5.8 HIPS Module LEDs
Section 8.2.7 of the HIPS platform topical report identifies that LED tests will be performed to identify if an incorrect LED status is being displayed. This test will not be performed on a continuous basis for the TRPS and ESFAS designs for the following reasons:
- Module front panel indication is not a safety function
- Correct LED operation will be tested as part of factory and installation testing
Section 8.4 of the HIPS platform topical report describes the two LEDs on the front of each HIPS module which are used to indicate the state of the module latches, the operational state of the module, and the presence of any faults for the module. The TRPS and ESFAS designs will include the following changes to the function of the LEDs from that presented in the topical report:
- The ACTIVE LED will turn Red on a vital fault or when the module has one latch open
- The FAULT LED will never flash and will not turn Red
- The FAULT LED will turn Yellow for any fault (non-vital or vital)
Table 5-1: HIPS Module LEDs

| LED Name | Indication type | Green | Red | Yellow | Off |
|---|---|---|---|---|---|
| ACTIVE | Board power indicator | Board powered; latches closed | Board powered; one latch open | N/A | Board is OFF; both latches open |
| FAULT | HIPS module fault indicator | Solid - module not in FAULT | Module in FAULT | Module in FAULT or previously in FAULT with indication not yet cleared | Module in FAULT |

Table 5-2: HIPS Platform Fault Classification

| Class of Failure | Description | Active LED | Fault LED |
|---|---|---|---|
| Fatal | Fatal faults refer to a severe type of fault that compromises the control function of the HIPS module. The most obvious fatal fault is the complete loss of input power to the HIPS chassis. The result is a loss of all HIPS module functionality and status indication. | Off | Off |
| Vital | Vital faults refer to the class of errors that compromise the HIPS module and cause it to become inoperable for the performance of one or more safety functions. The occurrence of a vital fault requires immediate maintenance. | Green | Red |
| Non-vital | Non-vital faults refer to the class of errors that do not affect the overall HIPS module performance or integrity. Following one or more non-vital faults, the HIPS module is still operable and its integrity has not been compromised. Maintenance is required and is performed by the station in accordance with the work management system. For example, the loss of one redundant power source is regarded as a non-vital failure. | Green | Green (flashing) |
5.9 Remote Input Submodule (RISM)
The RISM is a new module which is not discussed in the HIPS platform topical report. Each RISM directly interfaces with the Neutron Flux Detection System (NFDS) equipment and is directly associated with a single SFM that allows for remotely locating one ISM from its associated SFM. The ISM used on a RISM is the same as described in the HIPS platform topical report for an ISM with the modification described above in Section 5.7. The ISM can be configured for a specific input type and calibrated as described in the HIPS platform topical report for the SFM.
Once an input channel is in digital format on the ISM, the input information is provided by the RISM via an isolated, one-way RS-485 connection to its associated SFM within the division for triplication and trip determination. There is an additional RS-485 connection between the RISM and its associated SFM which independently supports modification of tunable parameters necessary on the RISM.
5.10 SBVM Manual Testing Capability
The HIPS platform topical report did not discuss use of the Calibration and Test Bus (CTB) with Communications Modules. Because the TRPS and ESFAS designs include providing discrete signals between the SBVMs of both systems, the capability for manually testing these inputs and outputs using CTB functional logic is being added to the SBVM. Similar to use of the CTB for an SFM, this testing can only be performed when an SBVM is taken out of service (OOS) (i.e., the OOS switch on the front of the SBVM is active). Activating the OOS switch permits initiation of testing of only the discrete output signals from an SBVM.
Similar to modifications of setpoints and other tunable parameters for the SFM, these manual tests are initiated from the MWS, which can only interact with a single module at a time via an MICM, which also must be taken OOS to initiate the test.
6 IEEE Std. 7-4.3.2-2003 Traceability Matrix
This section provides a summary of conformance of the TRPS and ESFAS with IEEE Std. 7-4.3.2-2003.

Table 6-1: TRPS and ESFAS IEEE Std. 7-4.3.2-2003 Traceability Matrix

| IEEE Std. Section Number | Section | TRPS/ESFAS Conformance |
|---|---|---|
| 5.1 | Single Failure Criteria | N/A |
| 5.2 | Completion of Protective Action | N/A |
| 5.3 | Quality | N/A |
| 5.4 | Equipment Qualification | N/A |
| 5.5 | System Integrity | |
| 5.5.1 | Design for Computer Integrity | See responses to ASAIs 18 and 19 in Table 3-1 above. |
| 5.5.2 | Design for Test and Calibration | See responses to ASAIs 47 and 48 in Table 3-1 above. |
| 5.5.3 | Fault Detection and Self-diagnostics | See responses to ASAIs 49, 50, and 51 in Table 3-1 above. |
| 5.6 | Independence | See responses to ASAIs 52 and 53 in Table 3-1 above. |
| 5.7 | Capability for Test and Calibration | N/A |
| 5.8 | Information Displays | N/A |
| 5.9 | Control of Access | N/A |
| 5.10 | Repair | N/A |
| 5.11 | Identification | N/A |
| 5.12 | Auxiliary Features | N/A |
| 5.13 | Multi-Unit Stations | N/A |
| 5.14 | Human Factors Consideration | N/A |
| 5.15 | Reliability | N/A |
| 6 | Sense and Command Features | N/A |
| 7 | Execute Features | N/A |
| 8 | Power Source Requirements | N/A |

7 Digital I&C Interim Staff Guidance 04 Traceability Matrix
This section provides a summary of conformance of the TRPS and ESFAS with DI&C-ISG-04.
Table 7-1: TRPS and ESFAS DI&C-ISG-04 Traceability Matrix

ISG-04 Section 1: Interdivisional Communications

| ISG-04 Staff Position | Requirement | TRPS/ESFAS Conformance |
|---|---|---|
| SP 1 | A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE Std. 603. It is recognized that division voting logic must receive inputs from multiple safety divisions. | See responses to ASAIs 8, 22, 23, and 55 in Table 3-1 above. |
| SP 2 | The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member. Information and signals originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the sources outside the division) and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division. | See responses to ASAIs 8, 20, 21, 22, and 23 in Table 3-1 above. |
| SP 3 | A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function but is not designed to perform other functions. The more complex system would increase the likelihood of failures and software errors. Such a complex design, therefore, should be avoided within the safety system. For example, comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors (for example, on-line monitoring). Such a function executed within a safety system, however, could also result in unacceptable influence of one division over another, or could involve functions not directly related to the safety functions, and should not be executed within the safety system. Receipt of information from outside the division, and the performance of functions not directly related to the safety function, if used, should be justified. It should be demonstrated that the added system/software complexity associated with the performance of functions not directly related to the safety function and with the receipt of information in support of those functions does not significantly increase the likelihood of software specification or coding errors, including errors that would affect more than one division. The applicant should justify the definition of "significantly" used in the demonstration. | See responses to ASAI 22 in Table 3-1 above. |
| SP 4 | The communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function. The communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information. The function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety related, and must be designed, qualified, fabricated, etc., in accordance with 10 C.F.R. Part 50, Appendix A and B. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner. For example, if the communication processor is accessing the shared memory at a time when the function processor needs to access it, the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses. If the shared memory cannot support unrestricted simultaneous access by both processors, then the access controls should be configured such that the function processor always has precedence. The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis, and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory. | N/A |
| SP 5 | The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory. This longest-possible completion time should include the response time of the memory itself and of the circuits associated with it, and should also include the longest possible delay in access to the memory by the function processor assuming worst-case conditions for the transfer of access from the communications processor to the function processor. Failure of the system to meet the limiting cycle time should be detected and alarmed. | See responses to ASAI 56 in Table 3-1 above. |
| SP 6 | The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division. | N/A |
| SP 7 | Only predefined data sets should be used by the receiving system. Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre-specified design requirements. Data from unrecognized messages must not be used within the safety logic executed by the safety function processor. Message format and protocol should be pre-determined. Every message should have the same message field structure and sequence, including message identification, status information, data bits, etc., in the same locations in every message. Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior. | N/A |
| SP 8 | Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions. | See responses to ASAI 22 in Table 3-1 above. |
| SP 9 | Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor. These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device. | N/A |
| SP 10 | Safety division software should be protected from alteration while the safety division is in operation. On-line changes to safety system software should be prevented by hard-wired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g., engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor/shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hard-wired logic. Hard-wired logic as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a TRUE or 1 at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes. | N/A |
| SP 11 | Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service. The progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division. For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence. | N/A |
| SP 12 | Communication faults should not adversely affect the performance of required safety functions in any way. Faults, including communication faults, originating in nonsafety equipment, do not constitute single failures as described in the single failure criterion of 10 C.F.R. Part 50, Appendix A. Examples of credible communication faults include, but are not limited to, the following:<br>- Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise.<br>- Messages may be repeated at an incorrect point in time.<br>- Messages may be sent in the incorrect sequence.<br>- Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message.<br>- Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, interference, or by delay in sending buffered messages.<br>- Messages may be inserted into the communication medium from unexpected or unknown sources.<br>- Messages may be sent to the wrong destination, which could treat the message as a valid message.<br>- Messages may be longer than the receiving buffer, resulting in buffer overflow and memory corruption.<br>- Messages may contain data that is outside the expected range.<br>- Messages may appear valid, but data may be placed in incorrect locations within the message.<br>- Messages may occur at a high rate that degrades or causes the system to fail (i.e., broadcast storm).<br>- Message headers or addresses may be corrupted. | N/A |
| SP 13 | Vital communications, such as the sharing of channel trip decisions for the purpose of voting, should include provisions for ensuring that received messages are correct and are correctly understood. Such communications should employ error-detecting or error-correcting coding along with means for dealing with corrupt, invalid, untimely or otherwise questionable data. The effectiveness of error detection/correction should be demonstrated in the design and proof testing of the associated codes, but once demonstrated is not subject to periodic testing. Error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable. None of this activity should affect the operation of the safety-function processor. | See responses to ASAI 32 in Table 3-1 above. |
| SP 14 | Vital communications should be point-to-point by means of a dedicated medium (copper or optical cable). In this context, point-to-point means that the message is passed directly from the sending node to the receiving node without the involvement of equipment outside the division of the sending or receiving node. Implementation of other communication strategies should provide the same reliability and should be justified. | N/A |
| SP 15 | Communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set has changed or not. | N/A |
| SP 16 | Network connectivity, liveness, and real-time properties essential to the safety application should be verified in the protocol. Liveness, in particular, is taken to mean that no connection to any network outside the division can cause an RPS/ESFAS communication protocol to stall, either deadlock or livelock. (Note: This is also required by the independence criteria of: (1) 10 C.F.R. Part 50, Appendix A, General Design Criteria (GDC) 24, which states, "interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired"; and (2) IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.") | See responses to ASAIs 8, 20, 21, 22, and 23 in Table 3-1 above. |
| SP 17 | Pursuant to 10 C.F.R. § 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified. | See responses to ASAI 17 in Table 3-1 above. |
| SP 18 | Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication. | See responses to ASAIs 12 and 58 in Table 3-1 above. |
| SP 19 | If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing. | See responses to ASAIs 19 and 59 in Table 3-1 above. |
| SP 20 | The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing. | See responses to ASAIs 18, 19, and 59 in Table 3-1 above. |
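Staff positions 7, 12, 13 and 15 above together describe a receiver that accepts only predefined, fixed-layout messages, detects corrupted, repeated, out-of-sequence, lost, delayed, misaddressed, over-long, out-of-range and storm-rate messages, and keeps any such data out of the safety logic. The Python model below is an illustration added to this page; it is not code from the HIPS platform, the TRPS/ESFAS design documents or ISG-04. The 13-byte frame layout, the CRC-16/CCITT-FALSE code, the 50 ms freshness window, the 200 frames/s storm threshold, the three-division numbering and the decision to count stale or invalid data as a trip vote are all assumptions made for the example.

```python
"""Receiver-side handling of a fixed-format interdivisional safety message.

Added illustration only: not HIPS platform, TRPS/ESFAS or ISG-04 code. The
frame layout, field ranges, timing window, storm threshold and fail-safe
disposition are assumptions chosen for the example.
"""
import struct

# Fixed frame layout: the same fields, in the same order, every transmit cycle.
#   magic    2 bytes  b"SV"
#   src_div  1 byte   sending division (1..3)
#   dst_div  1 byte   receiving division (1..3)
#   seq      2 bytes  per-link sequence number, wraps at 0xFFFF
#   trip     1 byte   channel trip decision: 0 = no trip, 1 = trip
#   value    4 bytes  signed monitored variable, in milli-units
#   crc      2 bytes  CRC-16/CCITT-FALSE over the preceding 11 bytes
BODY = struct.Struct(">2sBBHBi")
FRAME_LEN = BODY.size + 2        # 13 bytes; any other length is rejected unread
MAGIC = b"SV"
VALUE_RANGE = (-1_000_000, 1_000_000)
MAX_AGE_S = 0.050                # data older than this is not used by the logic
MAX_FRAMES_PER_S = 200           # design rate 100 Hz; twice that is a storm


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(src: int, dst: int, seq: int, trip: int, value: int) -> bytes:
    """Sender side: every datum is sent every cycle, changed or not."""
    body = BODY.pack(MAGIC, src, dst, seq & 0xFFFF, trip, value)
    return body + struct.pack(">H", crc16(body))


class LinkReceiver:
    """One point-to-point link from division `src` into division `me`."""

    def __init__(self, me: int, src: int):
        self.me, self.src = me, src
        self.last_seq = None              # sequence number of the last accepted frame
        self.last_ok = None               # arrival time of the last accepted frame
        self.trip, self.value = 1, None   # fail-safe default until a valid frame arrives
        self.lost = 0                     # frames missing from the sequence (diagnostics)
        self.rejects = {}                 # reason -> count (diagnostics, not safety logic)
        self._win_start, self._win_count = None, 0

    def _reject(self, reason: str) -> str:
        self.rejects[reason] = self.rejects.get(reason, 0) + 1
        return reason

    def receive(self, raw: bytes, now: float) -> str:
        """Validate one arriving frame. Returns "ok" or the rejection reason;
        a rejected frame updates diagnostics only, never the safety data."""
        # Broadcast storm: count every arrival, valid or not, per 1 s window.
        if self._win_start is None or now - self._win_start >= 1.0:
            self._win_start, self._win_count = now, 0
        self._win_count += 1
        if self._win_count > MAX_FRAMES_PER_S:
            return self._reject("storm")
        # Exact length is checked before any field is read, so an over-long
        # frame cannot overflow a fixed-size receive buffer.
        if len(raw) != FRAME_LEN:
            return self._reject("length")
        body, crc = raw[:-2], struct.unpack(">H", raw[-2:])[0]
        if crc16(body) != crc:
            return self._reject("crc")            # corrupted header or payload
        magic, src, dst, seq, trip, value = BODY.unpack(body)
        if magic != MAGIC:
            return self._reject("format")
        if src != self.src:
            return self._reject("source")         # inserted from an unexpected source
        if dst != self.me:
            return self._reject("destination")    # addressed to another division
        if trip not in (0, 1) or not VALUE_RANGE[0] <= value <= VALUE_RANGE[1]:
            return self._reject("range")          # out-of-range or misplaced data
        if self.last_seq is not None:
            distance = (seq - self.last_seq) & 0xFFFF
            if distance == 0:
                return self._reject("repeat")     # replayed frame
            if distance > 0x8000:
                return self._reject("sequence")   # older frame arriving late
            self.lost += distance - 1             # gap: frames lost on the link
        self.last_seq, self.last_ok = seq, now
        self.trip, self.value = trip, value
        return "ok"

    def trip_decision(self, now: float) -> int:
        """Value handed to the division voter. Data that is missing or older
        than MAX_AGE_S (lost or delayed frames) counts as a trip, the
        fail-safe direction assumed for this example."""
        if self.last_ok is None or now - self.last_ok > MAX_AGE_S:
            return 1
        return self.trip


def vote_2oo3(decisions) -> int:
    """Division-level two-out-of-three vote over the three channel decisions."""
    return 1 if sum(decisions) >= 2 else 0
```

The checks are ordered so that the structural ones (rate, length, CRC) run before any field is interpreted, and the freshness test is applied where the data is consumed rather than at arrival, which handles lost and delayed frames with the same rule. A real platform would implement this in qualified hardware or firmware and would choose its own fail-safe disposition; the point of the model is that every fault in the SP 12 list maps to one explicit, testable rejection path.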
ISG-04 Section 2: Command Prioritization (Table 7-1, continued)

| ISG-04 Staff Position | Requirement | TRPS/ESFAS Conformance |
|---|---|---|
| SP 1 | A priority module is a safety related device or software function. A priority module must meet all of the 10 C.F.R. Part 50, Appendix A and B requirements (design, qualification, quality, etc.) applicable to safety-related devices or software. | N/A |
| SP 2 | Priority modules used for diverse actuation signals should be independent of the remainder of the digital system, and should function properly regardless of the state or condition of the digital system. If these recommendations are not satisfied, the applicant should show how the diverse actuation requirements are met. | N/A |
| SP 3 | Safety-related commands that direct a component to a safe state must always have the highest priority and must override all other commands. Commands that originate in a safety-related channel but which only cancel or enable cancellation of the effect of the safe-state command (that is, a consequence of a common-cause failure in the primary system that erroneously forces the plant equipment to a state that is different from the designated safe state), and which do not directly support any safety function, have lower priority and may be overridden by other commands. In some cases, such as a containment isolation valve in an auxiliary feedwater line, there is no universal safe state: the valve must be open under some circumstances and closed under others. The relative priority to be applied to commands from a diverse actuation system, for example, is not obvious in such a case. This is a system operation issue, and priorities should be assigned on the basis of considerations relating to plant system design or other criteria unrelated to the use of digital systems. This issue is outside the scope of this ISG. The reasoning behind the proposed priority ranking should be explained in detail. The reviewer should refer the proposed priority ranking and the explanation to appropriate systems experts for review. The priority module itself should be shown to apply the commands correctly in order of their priority rankings, and should meet all other applicable guidance. It should be shown that the unavailability or spurious operation of the actuated device is accounted for in, or bounded by, the plant safety analysis. | N/A |
| SP 4 | A priority module may control one or more components. If a priority module controls more than one component, then all of these provisions apply to each of the actuated components. | N/A |
| SP 5 | Communication isolation for each priority module should be as described in the guidance for interdivisional communications. | N/A |
| SP 6 | Software used in the design, testing, maintenance, etc. of a priority module is subject to all of the applicable guidance in RG 1.152, which endorses IEEE Std. 7-4.3.2-2003 (with comments). This includes software applicable to any programmable device used in support of the safety function of a prioritization module, such as programmable logic devices, programmable gate arrays, or other such devices. Section 5.3.2 of IEEE Std. 7-4.3.2-2003 is particularly applicable to this subject. Validation of design tools used for programming a priority module or a component of a priority module is not necessary if the device directly affected by those tools is 100% tested before being released for service. 100% testing means that every possible combination of inputs and every possible sequence of device states is tested, and all outputs are verified for every case. The testing should not involve the use of the design tool itself. Software-based prioritization must meet all requirements (quality requirements, V&V, documentation, etc.) applicable to safety-related software. | N/A |
| SP 7 | Any software program that is used in support of the safety function within a priority module is safety-related software. All requirements that apply to safety-related software also apply to prioritization module software. Nonvolatile memory (such as burned-in or reprogrammable gate arrays or random-access memory) should be changeable only through removal and replacement of the memory device. Design provisions should ensure that static memory and programmable logic cannot be altered while installed in the module. The contents and configuration of field programmable memory should be considered to be software, and should be developed, maintained, and controlled accordingly. | N/A |
| SP 8 | To minimize the probability of failures due to common software, the priority module design should be fully tested (this refers to proof-of-design testing, not to individual testing of each module and not to surveillance testing). If the tests are generated by any automatic test generation program then all the test sequences and test results should be manually verified. Testing should include the application of every possible combination of inputs and the evaluation of all of the outputs that result from each combination of inputs. If a module includes state-based logic (that is, if the response to a particular set of inputs depends upon past conditions), then all possible sequences of input sets should also be tested. If testing of all possible sequences of input sets is not considered practical by an applicant, then the applicant should identify the testing that is excluded and justify that exclusion. The applicant should show that the testing planned or performed provides adequate assurance of proper operation under all conditions and sequences of conditions. Note that it is possible that logic devices within the priority module include unused inputs: assuming those inputs are forced by the module circuitry to a particular known state, those inputs can be excluded from the "all possible combinations" criterion. For example, a priority module may include logic executed in a gate array that has more inputs than are necessary. The unused inputs should be forced to either TRUE or FALSE and then can be ignored in the "all possible combinations" testing. | N/A |
| SP 9 | Automatic testing within a priority module, whether initiated from within the module or triggered from outside, and including failure of automatic testing features, should not inhibit the safety function of the module in any way. Failure of automatic testing software could constitute common-cause failure if it were to result in the disabling of the module safety function. | N/A |
| SP 10 | The priority module must ensure that the completion of a protective action as required by IEEE Std. 603 is not interrupted by commands, conditions, or failures outside the module's own safety division. | N/A |
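Staff positions 3, 8 and 10 under Command Prioritization above require that a safe-state command always win, that a protective action once started not be interrupted from outside the division, and that the module be proven by testing every input combination and, for state-based logic, every sequence of states. The Python model below is an illustration added to this page, not the actuation priority logic of the HIPS equipment interface module or anything from a SHINE document. It assumes a single actuated component whose safe state is "close", four inputs (a safety-related safe-state demand, a manual safe-state demand, a reset from a safety-related channel, and a nonsafety open/close/none command) and a one-bit latch; all of these names are hypothetical. Because the latch is the only state, covering every (state, input) pair covers every possible input sequence, and the reachability walk confirms that the enumeration leaves no reachable state untested. A deliberately mis-ordered variant is included so the check can be seen catching a priority inversion.

```python
"""Exhaustively tested priority module for one actuated component.

Added illustration only: not the HIPS equipment interface module logic or any
SHINE document. The input set, "close" as the safe state and the latch/reset
behaviour are assumptions made for the example.
"""
from itertools import product

SAFE = "close"                          # assumed safe state of the component
NONSAFETY_CMDS = ("none", "open", "close")


def next_state(latched: bool, safety_demand: int, manual_demand: int, reset: int) -> bool:
    """Protective action, once initiated, is held until explicitly reset, and a
    reset is honoured only while no safe-state demand is present."""
    if safety_demand or manual_demand:
        return True
    if reset:
        return False
    return latched


def output(latched: bool, safety_demand: int, manual_demand: int, nonsafety_cmd: str) -> str:
    """Priority order: safety-related safe-state demand, manual safe-state
    demand, a held protective action, then the nonsafety command."""
    if safety_demand or manual_demand or latched:
        return SAFE
    if nonsafety_cmd in ("open", "close"):
        return nonsafety_cmd
    return "hold"


def output_wrong(latched, safety_demand, manual_demand, nonsafety_cmd):
    """Deliberately mis-ordered variant: a nonsafety "open" is applied before
    the safe-state demand is considered. Used only to show the check fail."""
    if nonsafety_cmd == "open":
        return "open"
    return output(latched, safety_demand, manual_demand, nonsafety_cmd)


def step(latched, safety_demand, manual_demand, reset, nonsafety_cmd, out_fn=output):
    """One update cycle: new latch state, then the command sent to the actuator."""
    new = next_state(latched, safety_demand, manual_demand, reset)
    return new, out_fn(new, safety_demand, manual_demand, nonsafety_cmd)


def all_cases(out_fn=output):
    """Every latch state x every input combination: 2 x 2 x 2 x 2 x 3 = 48 cases."""
    cases = []
    for latched, sd, md, rs in product((False, True), (0, 1), (0, 1), (0, 1)):
        for cmd in NONSAFETY_CMDS:
            new, out = step(latched, sd, md, rs, cmd, out_fn)
            cases.append(((latched, sd, md, rs, cmd), new, out))
    return cases


def check_priority_properties(out_fn=output):
    """Return the violations found over all 48 cases; an empty list means every
    input combination and every one-step transition honours the priority rules."""
    bad = []
    for inputs, new, out in all_cases(out_fn):
        latched, sd, md, rs, cmd = inputs
        demand = bool(sd or md)
        expected_free = cmd if cmd != "none" else "hold"
        if demand and out != SAFE:
            bad.append(("safe-state demand overridden", inputs, out))
        if demand and not new:
            bad.append(("demand did not latch", inputs, new))
        if latched and not demand and not rs and out != SAFE:
            bad.append(("protective action interrupted", inputs, out))
        if latched and not demand and rs and new:
            bad.append(("reset ignored", inputs, new))
        if not demand and (not latched or rs) and out != expected_free:
            bad.append(("nonsafety command mishandled", inputs, out))
    return bad


def reachable_states(start: bool = False) -> set:
    """Walk the latch from the power-up state over every input combination, to
    confirm that the case enumeration covers every state the module can reach."""
    seen, todo = {start}, [start]
    while todo:
        state = todo.pop()
        for sd, md, rs in product((0, 1), repeat=3):
            nxt = next_state(state, sd, md, rs)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen
```

`check_priority_properties()` returns an empty list for the correct ordering and a non-empty one for `output_wrong`, which is the kind of evidence SP 8 asks for: the test vectors are generated mechanically, but the properties they are checked against are written out by hand. With more than one bit of state the same approach still applies, but the enumeration must be run over the reachable state set rather than over a single latch.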
ISG-04 Section 3: Multidivisional Control and Display Systems (Table 7-1, continued)

| ISG-04 Section / Staff Position | Requirement | TRPS/ESFAS Conformance |
|---|---|---|
| 3.1 | Independence and Isolation | |
| 3.1, SP 1 | Nonsafety stations receiving information from one or more safety divisions. | N/A |
| 3.1, SP 2 | Safety-related stations receiving information from other divisions (safety or nonsafety). | See responses to ASAI 60 in Table 3-1 above. |
| 3.1, SP 3 | Nonsafety stations controlling the operation of safety-related equipment. | See responses to ASAI 61 in Table 3-1 above. |
| 3.1, SP 4 | Safety-related stations controlling the operation of equipment in other safety-related divisions. | N/A |
| 3.1, SP 5 | Malfunctions and Spurious Actuations. | N/A |
| 3.2 | Various human factors engineering requirements. | N/A |
| 3.3 | D3 considerations may influence the number and disposition of operator workstations and possibly of backup controls and indications that may or may not be safety-related. The guidance provided herein is not dependent upon such details. D3 considerations may also impose qualification or other measures or guidelines upon equipment addressed in this ISG. The guidance presented herein does not include such considerations. Consideration of other aspects of D3 is outside the scope of this guidance. Additional guidance concerning D3 considerations is provided separately. | N/A |

8 SRM for SECY-93-087 Traceability Matrix

This section provides a summary of conformance of the TRPS and ESFAS with SECY-93-087.
Table 8-1: TRPS and ESFAS SECY-93-087 Traceability Matrix

| SRM Section Number | Requirement | TRPS/ESFAS Conformance |
|---|---|---|
| 1 | The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed. The staff considers software design errors to be credible common-mode failures that must specifically be included in the evaluation. An acceptable method of performing analyses is described in NUREG-0493, "A Defense-In-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System," March 1979. Other methods proposed by an applicant will be reviewed individually. | See responses to ASAIs 9 and 62 in Table 3-1 above. |
| 2 | In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR). The vendor or applicant shall demonstrate adequate diversity within the design for each of these events. For events postulated in the plant SAR, an acceptable plant response should not result in a non-coolable geometry of the core, violation of the integrity of the primary coolant pressure boundary, or violation of the integrity of the containment. | See responses to ASAIs 9, 10, 62, and 63 in Table 3-1 above. |
| 3 | If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a nonsafety system if the system is of sufficient quality to perform the necessary function under the associated event conditions. Diverse digital or nondigital systems are considered acceptable means. Manual actions from the control room are acceptable if adequate time and information are available to the operators. The amount and types of diversity may vary among designs and will be evaluated individually. | See responses to ASAIs 9, 10, 63, and 64 in Table 3-1 above. |
| 4 | A set of safety-grade displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above. The specific set of equipment shall be evaluated individually, but shall be sufficient to monitor the plant states and actuate systems required by the control room operators to place the nuclear plant in a hot-shutdown condition. In addition, the specific equipment should be intended to control the following critical safety functions: reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity. | See responses to ASAIs 10 and 65 in Table 3-1 above. |
9 References

- 1. NuScale Power, LLC, TR-1015-18653-NP-A, "Design of the Highly Integrated Protection System Platform," Revision 2, September 2017 (NRC ADAMS Accession No. ML17256A892).
- 2. U.S. Nuclear Regulatory Commission letter, "Final Safety Evaluation for NuScale Power, LLC Licensing Topical Report: 1015-18653, Design of the Highly Integrated Protection System Platform, Revision 2," dated June 6, 2017 (ADAMS Accession No. ML17116A094).
- 3. SHINE Medical Technologies, 2000-09-01, "Quality Assurance Program Description (QAPD)."
- 4. Rock Creek Innovations, SMT-016-1000-64012, "Failure Modes and Effects Analysis," Revision 3, August 24, 2021.
- 5. SHINE Medical Technologies, TECRPT-2019-0041, "Diversity and Defense-in-Depth Assessment of TRPS and ESFAS," Revision 3, September 6, 2021.
- 6. SHINE Medical Technologies, TECRPT-2019-0048, "TRPS System Design Description," Revision 2, September 6, 2021.
- 7. SHINE Medical Technologies, TECRPT-2020-0002, "Engineered Safety Features Actuation System Design Description," Revision 4, August 20, 2021.
- 8. Rock Creek Innovations, RCI-942-1000-61000, "Environmental and Seismic Qualification Report for HIPS Platform EQTS," Revision 2, June 2, 2021.
- 9. Rock Creek Innovations, RCI-942-1000-61001, "EMC and Isolation Qualification Report for HIPS Platform EQTS," Revision 0, September 2, 2021.
Page 1 of 6

ENCLOSURE 2

SHINE TECHNOLOGIES, LLC

SHINE TECHNOLOGIES, LLC APPLICATION FOR AN OPERATING LICENSE SUPPLEMENT NO. 22 AND REVISION 1 OF THE SHINE RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 7-15

REVISION 1 OF THE SHINE RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 7-15

The NRC staff determined that additional information was required to enable the staff's continued review of the SHINE Technologies, LLC (SHINE) operating license application (Reference 1). SHINE provided the response to a portion of the NRC staff's request for additional information (RAI), including the SHINE Response to RAI 7-15, via Reference 2.

SHINE has determined that the SHINE Response to RAI 7-15 requires revision. Revision 1 of the SHINE Response to RAI 7-15 is provided below.
RAI 7-15

NUREG-1537, Part 2, Section 7.4, states, in part, that "the protection system be sufficiently distinct in function from the [control system] that its unique safety features can be readily tested, verified, and calibrated." In addition, NUREG-1537, Part 2, Section 7.4, also states, in part, that "the protection system function and time scale should be readily tested to ensure operability of at least minimum protection for all operations." Therefore, the TRPS and ESFAS should be designed to be readily tested and calibrated to ensure operability.

Additionally, the TSs, including surveillance tests and intervals, should ensure availability and operability of these actuation systems.

SHINE Design Criterion 15 requires the TRPS be designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. Section 7.4.4.3 of the SHINE FSAR describes how a channel can be placed in maintenance bypass and its effect on the voting logic. Section 7.4.4.4, Testing Capability, of the SHINE FSAR describes testing capabilities included in the TRPS.

The approved TR for the HIPS platform describes the diagnostic and maintenance features (e.g., built-in self-testing, periodic testing, etc.) available in the HIPS platform. Because the HIPS platform diagnostic and maintenance features were conceptual designs, the NRC staff identified ASAIs 13, 14, 24, 25, 32, 49, 50, and 51 as necessary for facility-specific implementation. The ASAIs require an applicant or licensee to describe how diagnostic and maintenance features are implemented in the site-specific application. Specifically, an applicant or licensee should (1) demonstrate diagnostic and maintenance features provide necessary test coverage, and (2) demonstrate that the use of these features won't prevent the system from performing its safety and protection functions. In response to RAI 7-4, SHINE described whether these ASAIs are applicable to SHINE and their dispositions.

The NRC staff generally agrees with SHINE's stated applicability of these ASAIs to the TRPS and ESFAS. However, the description and information in the SHINE FSAR do not include sufficient detail on the configuration of self-testing and diagnostics to evaluate conformance to the maintenance and testing features described in the HIPS TR and how the SHINE design criteria are met.

Update the SHINE FSAR to describe how diagnostic and maintenance features are implemented in the HIPS equipment for the TRPS and ESFAS. Demonstrate that the features provide necessary test coverage. Also, demonstrate that the use of these features won't prevent the systems from performing their safety and protection functions.

The NRC staff need this information to verify that testing and maintenance of the TRPS and ESFAS will ensure operability of the equipment and meet SHINE Design Criterion 15. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."

The following are examples of the types of information the NRC staff needs to evaluate testing and maintenance features implemented in the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:

- Modification of configurable variables and setpoints
- Features and limitations to perform in-chassis calibration
- Surveillance tests using automatic sensor cross-check
- Test and calibration functions of the HIPS platform and compliance with regulatory guidance
- Validation of self-testing functions in HIPS equipment

SHINE Response

A description of the diagnostic and maintenance test features in the Highly Integrated Protection System (HIPS) platform equipment for the target solution vessel (TSV) reactivity protection system (TRPS) and engineered safety features (ESF) actuation system (ESFAS) follows.
The TRPS and ESFAS are designed with the capability for calibration and surveillance testing, including channel checks, calibration verification, and time response measurements to verify that I&C safety systems perform required safety functions. The TRPS and ESFAS allow systems, structures, and components (SSCs) to be tested while retaining the capability to accomplish required safety functions. The TRPS and ESFAS use modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of self-testing and periodic surveillance testing.
Testing from the sensor inputs of the TRPS and ESFAS through to the actuated equipment is accomplished through a series of overlapping sequential tests, most of which may be performed during normal plant operations. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain division independence by being performed within the division.
The part of the TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the equipment interface module (EIM). This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic. The actuation priority logic consists of discrete components and directly causes actuation of field components. The actuation priority logic is a simple circuit with sufficient reliability that testing it only when the irradiation unit (IU) is in Mode 0 is acceptable.
While the TRPS and ESFAS are in normal operation, self-tests run without affecting the performance of the safety function, including its response time. TRPS and ESFAS data communications are designed with error detection to enhance data integrity. The protocol features ensure communications are robust and reliable, with the ability to detect transmission faults. Similar data integrity features are used to transfer diagnostics data. The TRPS and ESFAS provide a means for checking, during normal plant operation, the operational availability of the sense and command feature input sensors relied upon for a safety function.
This capability is provided by one of the following methods:

- Perturbing the monitored variable
- Cross-checking between channels that have a known relationship (channel check)
- Introducing and varying a substitute input to the sensor

The TRPS and ESFAS have redundant gateways which gather the output of the monitoring and indication communications modules (MICMs) for each of the three divisions, as depicted in Figure 7-15-1 Revision 1. The data for each of the three divisions are compared to perform a channel check, and the results are provided to the process integrated control system (PICS).
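The three-division comparison described above, worked through as an added example. This is illustrative code, not SHINE's or the HIPS platform's implementation. Everything beyond "compare the three divisions and report the result" is an assumption: one reading per division per gateway cycle, a per-variable tolerance band, the median of the operable divisions as the reference value, and exclusion of a division that is out-of-service or reports no value. The variable names and values in the sample cycle are constructed.

```python
"""Three-division channel check of the kind the gateway comparison performs.

Added illustration, not SHINE or HIPS platform code. Assumptions not stated on the
page: one reading per division per cycle, a per-variable tolerance band, the median
of the operable divisions as the reference value, and exclusion of divisions marked
out-of-service (OOS) or reporting no value.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DivisionReading:
    """One division's reported value for a monitored variable."""
    division: str                 # e.g. "A", "B", "C"
    value: Optional[float]        # None when the division reports no valid value
    out_of_service: bool = False  # division/SFM placed in OOS (assumption: excluded from the check)


@dataclass
class ChannelCheckResult:
    """What the gateway would hand to PICS for one variable (field layout is an assumption)."""
    variable: str
    agreed: bool                       # all operable divisions within tolerance of the reference
    reference: Optional[float]         # median of operable readings, None if no comparison possible
    deviating: List[str] = field(default_factory=list)  # divisions outside tolerance
    excluded: List[str] = field(default_factory=list)   # divisions left out (OOS or no value)
    note: str = ""


def channel_check(variable: str, readings: List[DivisionReading],
                  tolerance: float) -> ChannelCheckResult:
    """Cross-check channels that share a known relationship (here: they should read alike).

    With three operable channels the median isolates a single outlier. With only two,
    a disagreement is detectable but not attributable, so both are reported as deviating.
    With fewer than two the check cannot be performed and is reported as such.
    """
    operable = [r for r in readings if not r.out_of_service and r.value is not None]
    excluded = [r.division for r in readings if r.out_of_service or r.value is None]
    if len(operable) < 2:
        return ChannelCheckResult(variable, False, None, [], excluded,
                                  "fewer than two operable channels; cross-check not performed")
    reference = median(r.value for r in operable)
    deviating = [r.division for r in operable if abs(r.value - reference) > tolerance]
    note = ""
    if deviating and len(operable) == 2:
        note = "two-channel disagreement; deviating channel cannot be isolated"
    return ChannelCheckResult(variable, not deviating, reference, deviating, excluded, note)


def run_channel_checks(cycle: Dict[str, List[DivisionReading]],
                       tolerances: Dict[str, float]) -> List[ChannelCheckResult]:
    """Run the check for every variable reported in one gateway cycle."""
    return [channel_check(name, readings, tolerances[name]) for name, readings in cycle.items()]


# Constructed sample cycle (variable names and values are made up for illustration).
SAMPLE_TOLERANCES = {"var_1": 2.0, "var_2": 0.5}
SAMPLE_CYCLE = {
    # all three divisions agree
    "var_1": [DivisionReading("A", 100.0), DivisionReading("B", 101.0), DivisionReading("C", 99.5)],
    # division B in OOS and C drifted: two operable channels, disagreement detected but not isolated
    "var_2": [DivisionReading("A", 10.0), DivisionReading("B", 10.1, out_of_service=True),
              DivisionReading("C", 12.0)],
}


def sample_report() -> List[ChannelCheckResult]:
    """Results for the constructed cycle, as they would be passed on to PICS."""
    return run_channel_checks(SAMPLE_CYCLE, SAMPLE_TOLERANCES)


if __name__ == "__main__":
    for result in sample_report():
        print(result)
```

The point worth noticing is the degradation behaviour: once one division is out-of-service, a remaining disagreement is still detected but can no longer be attributed to a single channel, which is why the result carries the excluded divisions alongside the deviating ones rather than silently reporting on whatever is left.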
The TRPS and ESFAS incorporate failure detection and isolation techniques. Fault detection and indication occurs at the module level, which enables plant personnel to identify the module that needs to be replaced. Self-testing will generate an alarm and report a failure to the operator and place the component (e.g., safety function module [SFM]; scheduling, bypass, and voting module [SBVM]; or EIM components) in a fail-safe state.
The self-testing features of the HIPS platform are designed, developed, and validated at the same level as the functional logic. The overlapped self-test features of the HIPS platform are integral to the operation of the system and are therefore designed, developed, and validated to the same rigor as the rest of the platform.
The maintenance workstation (MWS) is used to perform modification of configurable variables and setpoints, as well as in-chassis calibration, of TRPS and ESFAS equipment, as described in the SHINE Response to RAI 7-18 (Reference 2). A limitation is placed on the use of the MWS in that an SFM will not receive data from the MWS unless it has been placed into out-of-service (OOS), which is further described in the SHINE Response to RAI 7-18.
Diagnostic data for the division of the TRPS and ESFAS are provided to the MWS. Diagnostics data are communicated via the monitoring and indication bus (MIB), which is a physically separate communications path from the safety data path, ensuring the diagnostics functionality is independent of the safety functionality.
The description of the self-testing features and use of the MWS described above satisfies Section 5.5.2 and Section 5.5.3 of Institute of Electrical and Electronics Engineers (IEEE) Standard 7-4.3.2-2003, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations (Reference 3), as described in Appendix B of NuScale Power, LLC (NuScale) Topical Report TR-1015-18653, Design of the Highly Integrated Protection System Platform Topical Report (Reference 4).
By complying with these sections of IEEE Standard 7-4.3.2-2003, as described in Appendix B of TR-1015-18653, and incorporating diagnostic and maintenance test features that test from the sensor inputs of the TRPS and ESFAS through to the actuated equipment, the necessary test coverage is provided in the SHINE application of the HIPS platform.
SHINE previously revised Subsection 7.4.5.5 of the FSAR, via Reference 2, to provide additional description of the diagnostic and maintenance features associated with the HIPS platform for the TRPS and ESFAS.
Figure 7-15-1: TRPS and ESFAS Gateway Communications Architecture
References

1. Request for Additional Information Related to the Instrumentation and Control Systems (EPID No. L-2019-NEW-0004), dated July 1, 2021 (ML21172A195)
2. SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License Response to Request for Additional Information, dated August 27, 2021 (ML21239A049)
3. Institute of Electrical and Electronics Engineers, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, IEEE Standard 7-4.3.2-2003, New York, NY
4. NuScale Power, LLC letter to NRC, NuScale Power, LLC Submittal of the Approved Version of NuScale Topical Report TR-1015-18653, Design of the Highly Integrated Protection System Platform, Revision 2 (CAC No. RQ6005), NuScale Power, LLC, September 13, 2017 (ML17256A892)