ML22144A231

From kanterella
Shine Technologies, LLC Application for an Operating License Supplement No. 22 and Revision 1 of the Shine Response to Request for Additional Information 7-15
ML22144A231
Person / Time
Site: SHINE Medical Technologies
Issue date: 05/24/2022
From: Jim Costedio
SHINE Medical Technologies
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
2022-SMT-0062
Download: ML22144A231 (74)


Text

May 24, 2022
2022-SMT-0062
10 CFR 50.30

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

References:

(1) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License, dated July 17, 2019 (ML19211C143)

(2) NRC letter to SHINE Medical Technologies, LLC, SHINE Medical Technologies, LLC - Request for Additional Information Related to the Instrumentation and Control Systems (EPID No. L-2019-NEW-0004), dated July 1, 2021 (ML21172A195)

(3) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License Supplement No. 8 and Response to Request for Additional Information, dated September 29, 2021 (ML21272A341)

(4) SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License Response to Request for Additional Information, dated August 27, 2021 (ML21239A049)

SHINE Technologies, LLC Application for an Operating License Supplement No. 22 and Revision 1 of the SHINE Response to Request for Additional Information 7-15

Pursuant to 10 CFR Part 50.30, SHINE Technologies, LLC (SHINE) submitted an application for an operating license for a medical isotope production facility to be located in Janesville, Wisconsin (Reference 1). The NRC staff determined that additional information was required to enable the staff's continued review of the SHINE operating license application (Reference 2).

SHINE responded to the staff's requests for additional information (RAI) via Reference 3 and Reference 4.

SHINE has determined that the SHINE Response to RAI 7-10, provided via Reference 4, requires supplemental information, and the SHINE Response to RAI 7-15, provided via Reference 3, requires revision.

Enclosure 1 provides a revision to TECRPT-2018-0028, HIPS Platform Application Specific Action Item Report for the TRPS and ESFAS, to address Open Technical Items identified by the NRC staff during regulatory audits. SHINE previously provided TECRPT-2018-0028 to support the SHINE Response to RAI 7-10 (Reference 4). The SHINE Response to RAI 7-10 does not require revision as a result of the revision to TECRPT-2018-0028.

Enclosure 2 provides Revision 1 of the SHINE Response to RAI 7-15. Revision 1 supersedes the previously provided SHINE Response to RAI 7-15 in its entirety.

If you have any questions, please contact Mr. Jeff Bartelme, Director of Licensing, at 608/210-1735.

3400 Innovation Ct

  • Janesville, WI 53546
  • 877.512.6554
  • info@shinemed.com
  • www.SHINEtechnologies.com

I declare under the penalty of perjury that the foregoing is true and correct.

Executed on May 24, 2022.

Very truly yours,

James Costedio
Vice President of Regulatory Affairs and Quality
SHINE Technologies, LLC

Docket No. 50-608

Enclosures

cc: Project Manager, USNRC
SHINE General Counsel
Supervisor, Radioactive Materials Program, Wisconsin Division of Public Health

ENCLOSURE 1

SHINE TECHNOLOGIES, LLC
SHINE TECHNOLOGIES, LLC APPLICATION FOR AN OPERATING LICENSE SUPPLEMENT NO. 22 AND REVISION 1 OF THE SHINE RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 7-15

TECHNICAL REPORT NUMBER TECRPT-2018-0028, REVISION 2
HIPS PLATFORM APPLICATION SPECIFIC ACTION ITEM REPORT FOR THE TRPS AND ESFAS

65 pages follow

TECRPT-2018-0028 Revision 2

REVISION LOG (Revision Number / Description of Changes / Date)

Revision 0: Initial Issue, 3/12/2020

Revision 1 (9/21/2021):

  • Significant updates for how each ASAI is addressed for nearly all ASAIs in response to NRC requests for additional information as well as to align with the current SHINE facility FSAR subsections and content
  • Added Section 5 to identify changes to the HIPS platform (from that described in the HIPS platform topical report) for the TRPS and ESFAS system designs
  • Added Section 6 to provide traceability of conformance of the TRPS and ESFAS with IEEE Std. 7-4.3.2-2003
  • Added Section 7 to provide traceability of conformance of the TRPS and ESFAS with DI&C-ISG-04
  • Added Section 8 to provide traceability of conformance of the TRPS and ESFAS with SECY-93-087

Revision 2 (date: See Approval):

  • Clarified the number of switching outputs for each EIM in Section 5.4
  • Added Section 5.7.4 to specify the overlap of self-testing and periodic surveillance tests
  • Added Tables 5-1 and 5-2 to specify the changes to Signature HIPS module LEDs compared to the HIPS platform topical report
  • Updated multiple reference revisions/dates in Section 9

Table of Contents

1 Objective ... 4
2 Methods ... 4
3 Analysis Results ... 5
4 Conclusions ... 48
5 HIPS Platform Modifications ... 48
5.1 Hardwired Module Input Routing ... 48
5.2 Use of Fiber Optic Communications ... 48
5.3 Communications Module (CM) Bi-Directional Communications ... 48
5.4 Implementation of EIM Switching Outputs ... 48
5.5 Specific Implementation of Communications Modules ... 49
5.5.1 Scheduling, Bypass, and Voting Modules ... 49
5.5.2 Gateway Communications Modules ... 50
5.6 SBVM Safety Data Bus Frame ... 51
5.7 Self-Testing ... 51
5.7.1 Analog to Digital Converter ... 51
5.7.2 EIM Input and Output Testing ... 52
5.7.3 HWM Input Channel Test ... 52
5.7.4 End-to-End Testing ... 52
5.8 HIPS Module LEDs ... 52
5.9 Remote Input Submodule (RISM) ... 54
6 IEEE Std. 7-4.3.2-2003 Traceability Matrix ... 54
7 Digital I&C Interim Staff Guidance 04 Traceability Matrix ... 55
8 SRM for SECY-93-087 Traceability Matrix ... 64
9 References ... 65

List of Tables

Table 3-1 HIPS Platform Application Specific Action Item Evaluation for the TRPS and ESFAS ... 5
Table 5-1: HIPS Module LEDs ... 53
Table 5-2: HIPS Platform Fault Classification ... 53
Table 6-1: TRPS and ESFAS IEEE Std. 7-4.3.2-2003 Traceability Matrix ... 54
Table 7-1: TRPS and ESFAS DI&C-ISG-04 Traceability Matrix ... 55
Table 8-1: TRPS and ESFAS SECY-93-087 Traceability Matrix ... 64

1 Objective

The target solution vessel (TSV) reactivity protection system (TRPS) and the engineered safety features actuation system (ESFAS) are safety-related instrumentation and control (I&C) systems for the SHINE Medical Isotope Production Facility (the SHINE facility). The design of the TRPS and ESFAS is based upon the Highly Integrated Protection System (HIPS) platform, which has a Topical Report (Reference 1) approved by the Nuclear Regulatory Commission (NRC) (Reference 2). The NRC's final safety evaluation report (SE) for the HIPS platform includes a list of application-specific action items (ASAIs) which identify criteria that applicants or licensees referencing the HIPS platform SE should address. The objective of this report is to provide a reference document for how these ASAIs are addressed in the design of the TRPS and ESFAS for the SHINE facility.

2 Methods

The method applied in this report was to evaluate each ASAI identified in the SE for the HIPS platform topical report (Reference 1) for applicability to SHINE's licensing application. The applicability was documented, and if the ASAI was determined to be not applicable, justification for why it is not considered applicable is provided. If the ASAI was determined to be applicable, a reference is given to the appropriate sections of the SHINE facility FSAR or to the appropriate design basis document which provides the material that addresses the ASAI. The results of this method are provided in Table 3-1.

It should be noted that some of the standards which were applied to the HIPS topical report (IEEE Std 603, IEEE Std 7-4.3.2, SECY-93-087, and DI&C-ISG-04) are not directly applicable to the SHINE application. Because the SHINE application is for a research and test reactor, NUREG-1537 outlines the criteria against which the SHINE design will be reviewed.


3 Analysis Results

Table 3-1 HIPS Platform Application Specific Action Item Evaluation for the TRPS and ESFAS

Table columns: ASAI No.; SER Section(s); ASAI Description; Applicability and Description of How the TRPS and ESFAS Design Addresses the ASAI; Applicable SHINE design criteria for TRPS and ESFAS as stated in Sections 7.4.2 and 7.5.2 of SHINE's Final Safety Analysis Report. Each row of the table is given below with those columns as labeled fields.

ASAI 1 (SER Section 2.0)

ASAI Description: An applicant or licensee referencing this SE must establish full compliance with the design criteria and regulations identified in NuScale DSRS Chapter 7, Table 7.1, or the appropriate plant design criteria that are relevant to the specific application(s) of the HIPS platform as a safety-related I&C system in an NPP as defined in 10 CFR 50.55a(h).

Applicability and how addressed: Partially applicable. The SHINE facility licensing application is not anticipated to be reviewed against the guidance of the NuScale DSRS or the design criteria defined in 10 CFR 50.55a(h). However, Chapter 7 of SHINE's Final Safety Analysis Report (FSAR) documents the design criteria and regulations identified in NUREG-1537 relevant to the HIPS platform based TRPS and ESFAS designs and also provides evidence of full compliance with those design criteria and regulations.

Applicable SHINE design criteria: Not applicable

ASAI 2 (SER Sections 2.0, 3.0)

ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform used to implement the application-specific or plant-specific system is unchanged from the base platform addressed in this SE. Otherwise, the applicant or licensee must clearly and completely identify any modification or addition to the base HIPS platform as it is employed and provide evidence of compliance by the modified platform with all applicable regulations that are affected by the changes.

Applicability and how addressed: Applicable. Changes to the base HIPS platform equipment as described in the HIPS platform topical report for the TRPS and ESFAS designs are identified and discussed in Section 5 of this report. A description of how the HIPS platform TRPS and ESFAS design implementation supports meeting the design criteria identified in NUREG-1537 is provided in Subsection 5.4.5. Descriptions of the architectural implementation of the HIPS platform are provided in the TRPS and ESFAS System Design Description (SDD) documents (References 6 and 7).

Applicable SHINE design criteria: Not applicable

ASAI 3 (SER Section 3.6)

ASAI Description: Although the staff determined that the HIPS platform supports satisfying various sections and clauses of IEEE Std. 603-1991, an applicant or licensee referencing this SE must identify the approach taken to satisfy each applicable clause of IEEE Std. 603-1991. Because this SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences, an applicant or licensee should identify its plant-specific design basis for its safety system application and the applicability of each IEEE Std. 603-1991 clause to its application-specific HIPS platform-based safety system or component. Furthermore, the applicant or licensee must demonstrate that the plant-specific and application-specific use of the HIPS platform satisfies the applicable IEEE Std. 603-1991 clauses in accordance with the plant-specific design basis and safety system application.

Applicability and how addressed: Not applicable. Although the design of the TRPS and ESFAS will satisfy many sections and clauses of IEEE Std. 603-1991 because they are based upon the base HIPS platform design, the SHINE facility design basis is not required to conform with IEEE Std. 603. The SHINE facility design is required to conform to the guidance of NUREG-1537.

Applicable SHINE design criteria: Not applicable

ASAI 4 (SER Section 3.7)

ASAI Description: Although the staff determined that the HIPS platform supports satisfying various sections and clauses of IEEE Std. 7-4.3.2-2003, an applicant or licensee referencing this SE must identify the approach taken to satisfy each applicable clause of IEEE Std. 7-4.3.2-2003. The applicant or licensee should consider its plant-specific design basis. This SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences. The applicant or licensee should identify its plant-specific design basis for its safety system application and the applicability of each IEEE Std. 7-4.3.2-2003 clause to its application-specific HIPS platform-based safety system or component. Furthermore, the applicant or licensee must demonstrate that the plant-specific and application-specific use of the HIPS platform satisfies the applicable IEEE Std. 7-4.3.2-2003 clauses in accordance with the plant-specific design basis and safety system application.

Applicability and how addressed: Applicable. Section 6 of this report provides a traceability matrix to support demonstration of conformance of the TRPS and ESFAS designs with IEEE Std. 7-4.3.2-2003.

Applicable SHINE design criteria: Not applicable

ASAI 5 (SER Section 3.8)

ASAI Description: Although the staff determined that the HIPS platform includes features to support satisfying various sections and clauses of DI&C-ISG-04, an applicant or licensee referencing this SE must evaluate the HIPS platform-based system for full conformance against this guidance. The applicant or licensee should consider its plant-specific design basis. This SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences.

Applicability and how addressed: Applicable. Section 7 of this report provides a traceability matrix to support demonstration of conformance of the TRPS and ESFAS designs with DI&C-ISG-04.

Applicable SHINE design criteria: Not applicable

ASAI 6 (SER Section 3.9)

ASAI Description: Although the staff determined that the HIPS platform includes features to support satisfying various sections of the SRM to SECY-93-087, an applicant or licensee referencing this SE must evaluate the HIPS platform-based system for full compliance against this requirement. The applicant or licensee should consider its plant-specific design basis. This SE does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences.

Applicability and how addressed: Applicable. Section 8 of this report provides a traceability matrix to support demonstration of conformance of the TRPS and ESFAS designs with SECY-93-087.

Applicable SHINE design criteria: Not applicable

ASAI 7 (SER Section 3.1.4.3)

ASAI Description: An applicant or licensee referencing this SE must provide administrative controls (e.g., procedures, technical specifications) to prevent an operator from placing the same SFM across more than one division into maintenance bypass concurrent with a single failure of a different division.

Applicability and how addressed: Applicable. Sections 3.2.1 and 3.2.2 of the technical specifications of the SHINE facility operating license application document the required facility technical specifications applicable to placing a TRPS or ESFAS safety function module (SFM) into maintenance bypass. SHINE technical specification Limiting Conditions for Operation (LCO) 3.2.3 and 3.2.4 contain a note that specifies that any single SFM may be bypassed for up to 2 hours while the variable(s) associated with the SFM is in the condition of applicability for the purpose of performing a Channel Test or Channel Calibration. By only allowing a single SFM to be bypassed at one time, SHINE ensures that the same SFM across multiple divisions (which would be more than one SFM) will not be placed into maintenance bypass. By specifying this in the technical specifications, SHINE ensures that administrative controls are in place consistent with the NRC-approved HIPS TR to prevent an operator from placing the same SFM across more than one division into maintenance bypass.

Applicable SHINE design criteria: TRPS Criterion 33 and 37; ESFAS Criterion 34 and 38

ASAI 8 (SER Section 3.2)

ASAI Description: An applicant or licensee referencing this SE should verify having appropriate physical independence between nonsafety-related and safety-related equipment to satisfy the Class 1E to non-Class 1E separation requirements, consistent with the guidelines of RG 1.75, Revision 3.

Applicability and how addressed: Partially applicable. Subsections 7.4.2.2.5 and 7.5.2.2.5 (Independence) of the SHINE facility FSAR describe how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence between nonsafety-related and safety-related equipment.

Applicable SHINE design criteria: TRPS Criterion 20 and 21; ESFAS Criterion 21 and 22

ASAI 9 (SER Section 3.4)

ASAI Description: An applicant or licensee referencing this SE must provide the basis for the allocation of safety functions between the two diverse divisions to mitigate the effects of a postulated CCF concurrent with Chapter 15 events of its final safety analysis report.

Applicability and how addressed: Applicable. The TRPS and ESFAS are both implemented with 3 redundant divisions. Each of the three divisions requires a different type of FPGA to address a potential CCF of one type of FPGA. The three types of FPGAs implemented on the divisional modules are as follows:

  • Division A: Microsemi IGLOO2 (FLASH based FPGA)
  • Division B: Intel MAX10 (Hybrid Flash and SRAM based FPGA)
  • Division C: Altera Artix-7 (SRAM based FPGA)

An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).

Applicable SHINE design criteria: Not applicable

ASAI 10 (SER Section 3.4)

ASAI Description: An applicant or licensee referencing this SE must verify that all diversity attributes of a HIPS platform (i.e., equipment diversity, design diversity, and functional diversity) conform to the diversity design details provided in the TR.

Applicability and how addressed: Applicable. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).

Applicable SHINE design criteria: Not applicable

ASAI 11 (SER Section 3.4)

ASAI Description: An applicant or licensee referencing this SE must verify that the diverse FPGA technologies have unique identification.

Applicability and how addressed: Applicable. Subsections 7.4.3.10 and 7.5.3.9 (Classification and Identification) of the SHINE facility FSAR respectively describe how the HIPS-based TRPS and ESFAS equipment designs address unique identification.

Applicable SHINE design criteria: Not applicable

ASAI 12 (SER Sections 3.6.2.1, 3.6.2.5, 3.6.2.6.3.1, 3.6.2.6.3.3, 3.8.1.18)

ASAI Description: An applicant or licensee referencing this SE should perform a system-level FMEA to demonstrate that the application-specific use of the HIPS platform identifies each potential failure mode and determines the effects of each failure. The FMEA should demonstrate that single failures, including those with the potential to cause a nonsafety system action (i.e., a control function) resulting in a condition requiring protective action (i.e., a protection function), cannot adversely affect the protection functions, as applicable.

Applicability and how addressed: Applicable. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluates potential single failures and determines the effects of each failure for the TRPS and ESFAS. As documented in the FMEA (Reference 4), failure modes that can prevent the systems from performing their intended functions are detected by design, built-in system diagnostics, or by periodic testing. The results of the FMEA determined that there are no single failures or non-detectable failures that can prevent the TRPS or ESFAS from performing their required safety functions.

Applicable SHINE design criteria: TRPS Criterion 16 and 17; ESFAS Criterion 16, 17, and 18

ASAI 13 (SER Section 3.6.2.1)

ASAI Description: An applicant or licensee referencing this SE should demonstrate that the application-specific diagnostic, self-test, and manually initiated test and calibration features will not adversely affect channel independence, system integrity, or the system's ability to meet the single-failure criterion.

Applicability and how addressed: Applicable. Subsections 7.4.5.2.1 (Independence) and 7.4.5.2.2 (Redundancy) of the SHINE facility FSAR describe how the principles of redundancy and independence are incorporated into the design of the TRPS and ESFAS. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluates potential single failures and determines the effects of each failure for the TRPS and ESFAS.

Applicable SHINE design criteria: TRPS Criterion 47; ESFAS Criterion 48

ASAI 14 (SER Section 3.6.2.1)

ASAI Description: An applicant or licensee referencing this SE must review the actions to be taken when failures and errors are detected during tests and self-tests and ensure that these actions are consistent with system requirements. In addition, the applicant or licensee should describe how errors and failures are indicated and managed after they are detected. Finally, the applicant or licensee should confirm that this information is provided in the single-failure analysis for the plant-specific application.

Applicability and how addressed: Partially applicable. Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) and Subsection 7.4.5.5 (System Performance Analysis) of the SHINE facility FSAR describe the self-testing and diagnostic features of the TRPS and ESFAS design. The alarm function for the SHINE facility is located in the nonsafety-related process integrated control system (PICS), which is outside the scope of the systems using the HIPS platform. Section 7.6.4.1 discusses how errors and failures are indicated via the PICS after they are detected. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluates potential single failures and determines the effects of, and methods of detection for, each failure for the TRPS and ESFAS.

Applicable SHINE design criteria: Not applicable

ASAI 15 (SER Sections 3.6.2.2, 3.6.4.3)

ASAI Description: An applicant or licensee referencing this SE must demonstrate that the application-specific logic satisfies the completion of protective action requirements.

Applicability and how addressed: Applicable. Subsections 7.4.3.3 and 7.5.3.2 (Completion of Protective Actions) respectively discuss how the TRPS and ESFAS ensure completion of protective actions.

Applicable SHINE design criteria: TRPS Criterion 43, 44, and 45; ESFAS Criterion 44, 45, and 46

ASAI 16 (SER Sections 3.6.2.3, 3.7.1.3)

ASAI Description: An applicant or licensee referencing this SE must confirm that the HIPS platform manufacturer is currently on the Nuclear Procurement Issues Committee list or confirm that the HIPS manufacturing quality processes conform to the applicant's or licensee's program that is compliant with 10 CFR Part 50, Appendix B (i.e., vendor is included in the applicant's Approved Vendor List). The applicant or licensee will need to demonstrate that the HIPS software and associated development life cycle conform to applicable regulatory requirements.

Applicability and how addressed: Partially applicable. The overall quality assurance program applied to the design of the safety-related I&C systems is described in SHINE's Quality Assurance Program Description (QAPD), 2000-09-01 (Reference 3). SHINE's QAPD is based upon ANSI/ANS-15.8-1995, which provides an acceptable method of complying with the requirements of 10 CFR 50.34 for a production or utilization facility. Subsections 7.4.2.2.15, 7.5.2.2.15 (Quality), 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes and standards to be used in the design development of the TRPS and ESFAS. Subsection 7.4.5.4 (Software Requirements Development) describes the requirements for the TRPS and ESFAS software development life cycle.

Applicable SHINE design criteria: TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 13; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 13

ASAI 17 (SER Sections 3.6.2.4, 3.6.2.6.2, 3.7.1.4, 3.8.1.17)

ASAI Description: An applicant or licensee referencing this SE must confirm that the HIPS platform equipment is qualified to the applicable regulatory requirements.

Applicability and how addressed: Applicable. The overall quality assurance program applied to the design of the safety-related I&C systems is described in SHINE's QAPD, 2000-09-01 (Reference 3). SHINE's QAPD is based upon ANSI/ANS 15.8-1995, which provides an acceptable method of complying with the requirements of 10 CFR 50.34 for a production or utilization facility. Subsections 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes and standards to be used in qualifying the TRPS and ESFAS equipment.

Applicable SHINE design criteria: TRPS Criterion 54 and 55; ESFAS Criterion 55 and 56

ASAI 18 (SER Sections 3.6.2.5, 3.7.1.5.1, 3.8.1.20)

ASAI Description: An applicant or licensee referencing this SE must identify the safe states for protective functions and the conditions that require the system to enter a fail-safe state. The applicant or licensee must also demonstrate system qualification for installation and operation in mild environment locations.

Applicability and how addressed: Applicable. The safe states for TRPS and ESFAS actuated components are provided in Subsection 7.4.3.8 and Table 7.5-2 of the SHINE facility FSAR, respectively. The conditions that require the TRPS and ESFAS to enter a fail-safe state are provided in Sections 7.4.3.1 and 7.5.3.1, respectively.

A TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) was conducted for the TRPS and ESFAS, which evaluated each component of the systems, how it may fail, and what the effect of the failure on the systems would be in the presence of a single failure. Effects on the systems include assuming a fail-safe state, only alarming the failure, or assuming a fail-safe state and alarming the failure. Which of these effects occurs depends on the mode of failure for each component and is documented in the FMEA.

Subsections 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes, standards, and the conditions to be used in qualifying the TRPS and ESFAS equipment. HIPS platform environmental and seismic qualification testing results are documented in Reference 8. HIPS platform electromagnetic and radio frequency interference qualification testing results are documented in Reference 9.

Applicable SHINE design criteria: TRPS Criterion 28 and 46; ESFAS Criterion 29 and 47

ASAI 19
SER Section(s): 3.6.2.5, 3.7.1.5.1, 3.8.1.19, 3.8.1.20
ASAI Description: An applicant or licensee referencing this SE must confirm that system real-time performance is adequate to ensure completion of protective actions within critical time frames required by the plant safety analyses.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Assumed maximum response time and response time analysis for the TRPS and ESFAS is discussed in Subsection 7.4.5.2.3 (Predictability and Repeatability) of the SHINE facility FSAR.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 13; TRPS Criterion 14 and 24; ESFAS Criterion 14 and 25

ASAI 20
SER Section(s): 3.6.2.6.1, 3.8.1.2, 3.8.1.16
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the full system design, any use of a shared component, the equipment's installation, and the power distribution architecture provide the required independence.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 18, 20, 21, 22, and 23; ESFAS Criterion 19, 21, 22, 23, and 24

ASAI 21
SER Section(s): 3.6.2.6.1, 3.8.1.2, 3.8.1.16
ASAI Description: An applicant or licensee referencing this SE must provide redundant power sources to separately supply the redundant power conversion features within the HIPS platform.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Division A of both the TRPS and ESFAS is powered from Division A of the uninterruptible power supply system (UPSS). Division B of both the TRPS and ESFAS is powered from Division B of the UPSS. Division C of both the TRPS and ESFAS receives auctioneered power from Division A and Division B of the UPSS. Both the TRPS and ESFAS require 125 VDC power, which the UPSS provides as described above.

Each TRPS and ESFAS cabinet is provided a single 125 VDC power supply, which is used to power three (3) redundant 125 VDC to 24 VDC converters located at the top of the cabinet. The 24V supply is then distributed to each of three (3) chassis mounting bays as needed, where it is then used to power two (2) redundant 24 VDC to 5 VDC converters located beneath each chassis bay. These provide independent +5V A and +5V B power channels to each chassis.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 17; ESFAS Criterion 17

ASAI 22
SER Section(s): 3.2.2, 3.6.2.6.3.1, 3.8.1.1, 3.8.1.2, 3.8.1.3, 3.8.1.8, 3.8.1.16
ASAI Description: An applicant or licensee referencing this SE must verify that the safety network provides electrical, physical, and communications independence and security requirements for communication from safety to nonsafety-related systems.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 20, 21, and 22; ESFAS Criterion 21, 22, and 23

ASAI 23
SER Section(s): 3.6.2.6.3.2, 3.6.2.6.4, 3.8.1.1, 3.8.1.2, 3.8.1.16
ASAI Description: An applicant or licensee referencing this SE must perform isolation testing on the HIPS platform equipment to demonstrate the capability to satisfy the Class 1E to non-Class 1E isolation requirements, consistent with the guidelines of RG 1.75, Revision 3.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Partially applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.

The results of isolation testing of HIPS platform equipment consistent with the guidelines of RG 1.75, Revision 3 are provided in the HIPS Platform EMI/RFI and Isolation Testing Report (Reference 7).

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 19, 20, 21, and 22; ESFAS Criterion 20, 21, 22, and 23

ASAI 24
SER Section(s): 3.6.2.7, 3.6.3.5
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for testing and calibration of safety-related features.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The TRPS and ESFAS are designed with the capability for calibration and surveillance testing, including channel checks, calibration verification, and time response measurements to verify that I&C safety systems perform required safety functions. The TRPS and ESFAS allow systems, structures, and components (SSCs) to be tested while retaining the capability to accomplish required safety functions. The TRPS and ESFAS use modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of built-in self-testing and periodic surveillance testing.

Testing from the sensor inputs of the TRPS and ESFAS through to the actuated equipment is accomplished through a series of overlapping sequential tests, most of which may be performed during normal plant operations. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain division independence by being performed within the division.

The part of the TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the equipment interface module (EIM). This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic.

The actuation priority logic consists of discrete components and directly causes actuation of field components. The actuation priority logic is a simple circuit that has acceptable reliability to be tested when the irradiation unit is in Mode 0.

While the TRPS and ESFAS are in normal operation, self-tests run without affecting the performance of the safety function, including its response time. TRPS and ESFAS data communications are designed with error detection to enhance data integrity. The protocol features ensure communications are robust and reliable with the ability to detect transmission faults. Similar data integrity features are used to transfer diagnostics data. The TRPS and ESFAS provide a means for checking the operational availability of the sense and command feature input sensors relied upon for a safety function during normal plant operation.

This capability is provided by one of the following methods:

  • Perturbing the monitored variable
  • Cross-checking between channels that have a known relationship (channel check)
  • Introducing and varying a substitute input to the sensor

Fault detection and indication occurs at the module level, which enables plant personnel to identify the module that needs to be replaced. Built-in self-testing will generate an alarm and report a failure to the operator and place the component (e.g., safety function module (SFM), scheduling, bypass, and voting modules (SBVMs), or EIM components) in a fail-safe state.

The maintenance workstation (MWS) is used to perform modification of configurable variables and setpoints and in-chassis calibration of TRPS and ESFAS equipment.

Prior to using the MWS, the affected SFM must be taken out of service. Physical and logical controls are put in place to prevent modifications to a safety channel when it is being relied upon to perform a safety function.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 47 and 48; ESFAS Criterion 48 and 49

ASAI 25
SER Section(s): 3.6.2.7, 3.6.3.5
ASAI Description: An applicant or licensee referencing this SE must provide additional diagnostics or testing functions (i.e., self-tests or periodic surveillance tests) to address any system-level failures that are identified as detectable only through periodic surveillance.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Testing capabilities for the TRPS and the ESFAS are described in Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) of the SHINE facility FSAR, respectively. The part of the TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the equipment interface module (EIM). This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic.

The actuation priority logic consists of discrete components and directly causes actuation of field components.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 48 and 49; ESFAS Criterion 49 and 50

ASAI 26
SER Section(s): 3.6.2.7, 3.6.3.5
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for any automatic sensor cross-check as a credited surveillance test function and the provisions to confirm the continued execution of the automatic tests during plant operations.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Partially applicable. Required Channel Checks are discussed in the SHINE facility technical specifications. The TRPS and ESFAS have redundant gateways which gather the output of the monitoring and indication communications modules (MICMs) for each of the three divisions. The data for each of the three divisions are compared and the results are provided to the process integrated control system (PICS). The results of the comparison can be used to support performing a channel check.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 47; ESFAS Criterion 48

ASAI 27
SER Section(s): 3.6.2.8.1
ASAI Description: An applicant or licensee referencing this SE must describe any manual controls and associated displays used to support manually controlled safety actions necessary to accomplish a safety function for which no automatic control is provided.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Not applicable. The SHINE facility design basis does not include manually controlled safety actions for which no automatic control is provided.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): Not applicable

ASAI 28
SER Section(s): 3.6.2.8.2
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform safety system status information is used in displays to provide unambiguous, accurate, complete, and timely status of safety system protective actions.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional monitoring and indication communications module (MICM) via one-way isolated RS-485 connections to respective redundant nonsafety gateway communications modules (GWCMs), which are located in two redundant gateway chassis. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. They are physically located within two chassis, and the two chassis are located in the ESFAS Division C cabinet.

All GWCMs within Gateway Chassis A will utilize the same field programmable gate array (FPGA) type that is utilized in Division A of the TRPS and ESFAS. All GWCMs within Gateway Chassis B will utilize the same FPGA type that is utilized in Division B of the TRPS and ESFAS. This ensures that a software common cause failure for one of these two FPGA types will not disable the function of providing TRPS and ESFAS monitoring and indication information to PICS.

A description of how safety system status is used in displays is provided in Section 7.6 (Control Console and Display Instruments) of the SHINE facility FSAR.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 6

ASAI 29
SER Section(s): 3.6.2.8.3
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform bypass status information is used to automatically actuate the indication for bypassed or inoperable conditions, when required, and provide the capability to manually activate the bypass indication from within the control room.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsections 7.4.4.3 and 7.5.4.4 (Maintenance Bypass) of the FSAR also provide a description of the use of manual switches for placing HIPS modules in bypass. A description of how the safety system status is provided to the PICS for indication to the operators is given above in the response to ASAI 28.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 42; ESFAS Criterion 43

ASAI 30
SER Section(s): 3.6.2.8.4
ASAI Description: An applicant or licensee referencing this SE must describe how the information displays are accessible to the operator and are visible from the location of any controls used to effect a manually controlled protective action provided by the front panel controls of a HIPS-based system.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Partially applicable. TRPS and ESFAS equipment is not used to display information for the operator.

The TRPS and ESFAS monitoring and indication information will be available to the operators in the facility control room at the PICS operator workstations. A subset of the TRPS and ESFAS monitoring and indication information will be displayed at the main control board in the facility control room near where the manual controls for actuating TRPS and ESFAS safety functions are located.

SHINE FSAR Subsection 7.4.5.2.4 describes the TRPS and ESFAS information available to the operators in the facility control room.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 6

ASAI 31
SER Section(s): 3.6.2.9
ASAI Description: An applicant or licensee referencing this SE must provide additional control of access features to address the system-level aspects for a safety system using the HIPS platform.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.4.5.3 (Access Control and Cyber Security) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment design addresses the control of access.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 1, 2, and 3; ESFAS Criterion 1, 2, and 3

ASAI 32
SER Section(s): 3.6.2.10, 3.8.1.13
ASAI Description: An applicant or licensee referencing this SE must provide additional diagnostics or testing functions (self-tests or periodic surveillance tests) to address any system-level failures that are identified as detectable only through periodic surveillance. The applicant or licensee must also ensure that failures detected by these additional diagnostics or testing functions are consistent with the assumed failure detection methods of the application-specific single-failure analysis.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The self-testing and required surveillance testing for the TRPS and the ESFAS are described in Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) of the SHINE facility FSAR. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) identified no nondetectable TRPS or ESFAS failures.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 48 and 49; ESFAS Criterion 49 and 50

ASAI 33
SER Section(s): 3.6.2.11
ASAI Description: An applicant or licensee referencing this SE must establish the identification and coding requirements for cabinets and cabling for a safety system.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsections 7.4.3.10 and 7.5.3.9 (Classification and Identification) of the SHINE facility FSAR respectively describe how the TRPS and ESFAS equipment is uniquely identified in accordance with SHINE component numbering guidelines. The equipment identification includes, but is not limited to, system designation (code), equipment train, and division.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 50; ESFAS Criterion 51

ASAI 34
SER Section(s): 3.6.2.12
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the application-specific system design implemented with the HIPS platform meets the applicable regulatory requirements for auxiliary features.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. A supporting feature for the TRPS and ESFAS which is not a part of the systems is the electrical power provided by the uninterruptible power supply system (UPSS). Section 8a2.2 of the SHINE facility FSAR describes the design basis of the UPSS.

Other auxiliary features of the TRPS and ESFAS that are a part of the systems by association (i.e., not isolated from the TRPS or ESFAS) but are not required for the TRPS and ESFAS to perform their safety functions include the following:

1) Continuous online self-testing and diagnostics
2) Communication from safety-related portions of the TRPS and ESFAS to non-safety related systems
3) Capability for control of safety-related components by using non-safety related PICS via the APL within the EIM
4) Isolation devices and circuitry

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): Not applicable

ASAI 35
SER Section(s): 3.6.2.13
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the application-specific system design implemented with the HIPS platform meets the applicable regulatory requirements for shared systems.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.1.2 and Figure 7.1-1 of the SHINE facility FSAR describe the use of a separate TRPS for each IU Cell.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 5

ASAI 36
SER Section(s): 3.6.2.14
ASAI Description: An applicant or licensee referencing this SE must confirm that the HIPS platform equipment meets any specified human factors requirements.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsections 7.4.3.7 and 7.5.3.6 (Human Factors) of the SHINE facility FSAR describe how human factors are incorporated into the design of the TRPS and ESFAS.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 51; ESFAS Criterion 52

ASAI 37
SER Section(s): 3.6.2.15, 3.7.1.15
ASAI Description: An applicant or licensee referencing this SE must confirm that the HIPS platform equipment meets any specified quantitative or qualitative reliability goals.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Reliability characteristics of the TRPS and ESFAS designs are described in Subsections 7.4.2.1.3 and 7.5.2.1.3 (Protection System Repeatability and Testability) of the SHINE facility FSAR.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 23 and 24; ESFAS Criterion 24 and 25

ASAI 38
SER Section(s): 3.6.3.1, 3.6.4.1
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to provide automatic safety system sense and command features for required safety functions.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The design criteria for the TRPS and ESFAS are provided in Subsections 7.4.2 and 7.5.2 (Design Criteria) respectively. The design basis for the sense and command features of the TRPS and ESFAS is provided in Subsections 7.4.4 and 7.5.4 (Operation and Performance) respectively for the TRPS and ESFAS of the SHINE facility FSAR.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 14

ASAI 39
SER Section(s): 3.6.3.2, 3.6.4.2
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to provide manual safety system sense and command features for required safety functions.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The design basis for the manual sense and command features for the TRPS and ESFAS is provided in Subsections 7.4.3.7 and 7.5.3.6 (Human Factors) respectively for the TRPS and ESFAS of the SHINE facility FSAR.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 15 and 52; ESFAS Criterion 15 and 53

ASAI 40
SER Section(s): 3.6.3.3
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for sense and command features to provide protection against the resulting condition of a nonsafety system action that has been caused by a single credible event, including its direct and indirect consequences.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The design basis for the sense and command features for the TRPS and ESFAS is provided in Subsections 7.4.3.12 and 7.5.3.11 (Prioritization of Functions) respectively for the TRPS and ESFAS of the SHINE facility FSAR.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 27; ESFAS Criterion 28

ASAI 41
SER Section(s): 3.6.3.4
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to acquire and condition field sensor measurements of the required variables.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The design basis for acquiring and conditioning inputs in the TRPS and ESFAS is provided in Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 13

ASAI 42
SER Section(s): 3.6.3.6, 3.6.4.4
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for operating bypasses.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.4.4.2 of the SHINE facility FSAR describes the use of operational bypasses for the TRPS during the operation of the irradiation unit (IU) cells.

Automatic operational bypasses are only associated with the TRPS. As stated in FSAR Subsection 7.5.4.2, automatic operational bypasses are not used in the ESFAS.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 33, 34, 35, 36, 37, 38, 39, 40, and 42; ESFAS Criterion 34, 35, 36, 37, 38, 39, 40, 41, and 43

ASAI 43
SER Section(s): 3.6.3.7
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for maintenance bypasses and provide the technical specification requirements.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment is used for maintenance bypasses. For the SHINE application, maintenance bypasses are associated with the sense and command features only for the TRPS and ESFAS.

There are no maintenance bypass capabilities associated with execute features in the SHINE application of the HIPS platform.

Channels associated with an SFM of the TRPS and ESFAS can be taken out of service by direct component replacement or the manipulation of manual switches.

Components that are designed to be replaced directly are the scheduling and bypass modules (SBMs), SBVMs, equipment interface modules (EIMs), and HWMs.

Subsections 7.4.4.3 and 7.5.4.4 of the SHINE FSAR describe how the sense and command features can be placed into maintenance bypass for the TRPS and ESFAS, respectively.

Subsections 3.2.1, 3.2.2, 3.2.5 and 3.2.6 of the technical specifications of the SHINE facility operating license application document the required facility technical specifications applicable to placing a TRPS or ESFAS SFM into maintenance bypass.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 41; ESFAS Criterion 42

ASAI 44
SER Section(s): 3.6.3.8
ASAI Description: An applicant or licensee referencing this SE must describe the setpoints, setpoint methodologies, or HIPS platform module accuracies used for a safety system implemented with the HIPS platform equipment.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsections 7.4.3.11 and 7.5.3.10 (Setpoints) of the SHINE facility FSAR discuss the setpoints for the TRPS and ESFAS, respectively. Tables 7.4-1 and 7.5-1 respectively provide the accuracies required for the TRPS and ESFAS monitored variables.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 29, 30, and 32; ESFAS Criterion 30, 31, and 33

ASAI 45
SER Section(s): 3.6.4.5
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used for maintenance bypasses.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment is used for maintenance bypasses. For the SHINE application, maintenance bypasses are associated with the sense and command features only for the TRPS and ESFAS. There are no maintenance bypass capabilities associated with execute features in the SHINE application of the HIPS platform.

Subsections 7.4.4.3 and 7.5.4.4 of the SHINE FSAR describe the design for maintenance bypass in the TRPS and ESFAS, respectively.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 37 and 41; ESFAS Criterion 38 and 42

ASAI 46
SER Section(s): 3.6.5
ASAI Description: An applicant or licensee referencing this SE must describe power sources to the HIPS platform equipment and how they meet applicable regulatory requirements.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The design bases description for the TRPS and ESFAS power source is provided in Section 8a2.2 of the SHINE facility FSAR.

Division A of both the TRPS and ESFAS is powered from Division A of the uninterruptible power supply system (UPSS).

Division B of both the TRPS and ESFAS is powered from Division B of the UPSS.

Division C of both the TRPS and ESFAS receives auctioneered power from Division A and Division B of the UPSS. Both the TRPS and ESFAS require 125 VDC power, which the UPSS provides as described above.

Each TRPS and ESFAS cabinet is provided a single 125 VDC power supply, which is used to power three (3) redundant 125 VDC to 24 VDC converters located at the top of the cabinet. The 24V supply is then distributed to each of three (3) chassis mounting bays as needed, where it is then used to power two (2) redundant 24 VDC to 5 VDC converters located beneath each chassis bay. These provide independent +5V A and +5V B power channels to each chassis.

Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): SHINE Criterion 27

ASAI 47
SER Section(s): 3.7.1.5.2
ASAI Description: An applicant or licensee referencing this SE must confirm that the manufacturer followed the same design, development, and iV&V processes for test and calibration functions as for all other HIPS platform functions.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The required quality and standards of TRPS and ESFAS programmable logic development processes are described in Subsection 7.4.5.4 (Software Requirements Development) of the SHINE facility FSAR. The calibration features of the TRPS and ESFAS are designed, developed, and validated at the same level as the safety related functional logic. The calibration features of the TRPS and ESFAS are implemented independently from the safety functions of the system but are implemented on the same FPGA as the safety functions and are therefore designed, developed, and validated to the same rigor as the safety functions of the systems.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12

ASAI 48
SER Section(s): 3.7.1.5.2
ASAI Description: An applicant or licensee referencing this SE that relies on a separate computer for the sole verification of test and calibration data should ensure adequate iV&V, configuration management, and quality assurance for the test and calibration functions of the separate computer.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Not applicable. A separate computer is not relied upon for the sole verification of test and calibration data for the TRPS and ESFAS.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): Not applicable

ASAI 49
SER Section(s): 3.7.1.5.3
ASAI Description: An applicant or licensee referencing this SE must confirm that the manufacturer followed the same design, development, and iV&V processes for self-diagnostics functions as for all other HIPS platform functions.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. The required quality and standards of TRPS and ESFAS programmable logic development processes are described in Subsection 7.4.5.4 (Software Requirements Development) of the SHINE facility FSAR. The self-testing features of the TRPS and ESFAS are designed, developed, and validated at the same level as the safety related functional logic. The overlapped self-test features of the TRPS and ESFAS are integral to the operation of the system and are therefore designed, developed, and validated to the same rigor as the safety functions of the systems.
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, and 12

ASAI 50
SER Section(s): 3.7.1.5.3
ASAI Description: An applicant or licensee referencing this SE must verify that the manufacturer included the self-diagnostic functions within its type testing of the HIPS platform standardized circuit boards during EQ.
Applicability and How the TRPS and ESFAS Design Addresses the ASAI: Applicable. Subsections 7.4.3.13 and 7.5.3.12 (Design Codes and Standards) of the SHINE facility FSAR respectively identify the required codes and standards to be used in qualifying the TRPS and ESFAS equipment. All HIPS self-diagnostic functions were included within the type testing of the HIPS platform circuit boards during EQ. Evidence of this is provided in the completed testing procedures which are included as part of the HIPS platform EQ testing results reports (References 6 and 7).
Applicable SHINE Design Criteria (FSAR Sections 7.4.2 and 7.5.2): TRPS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 47; ESFAS Criterion 4, 5, 6, 7, 8, 9, 10, 11, 12, and 48

ASAI 51
SER Section(s): 3.7.1.5.3
Applicable SHINE design criteria: TRPS Criterion 47; ESFAS Criterion 48
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the combination of HIPS platform self-tests and system surveillance testing provide the necessary test coverage to ensure that there are no undetectable failures that could adversely affect a required safety function.
Applicability: Applicable. As described in Subsections 7.4.4.4 and 7.5.4.5 (Testing Capability) of the SHINE facility FSAR, end-to-end testing of the entire HIPS platform is performed through overlap testing. Individual self-tests in the various components of the TRPS ensure that the entire component is functioning correctly. Self-test features are provided for components that do not have setpoints or tunable parameters. All TRPS and ESFAS components, except the discrete APL of the EIM, have self-testing capabilities that ensure the information passed on to the following step in the safety data path is correct. The TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) evaluated potential single failures and determined that there are no undetectable failures that could adversely affect the required TRPS and ESFAS safety functions.

ASAI 52
SER Section(s): 3.7.1.6
Applicable SHINE design criteria: TRPS Criterion 18, 19, 20, 21, 22, 23, 24, 25, and 26; ESFAS Criterion 19, 20, 21, 22, 23, 24, 25, 26, and 27
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the full system design, any use of a shared component, the equipment's installation, and the communication bus architecture provide the required independence.
Applicability: Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.

ASAI 53
SER Section(s): 3.7.1.6
Applicable SHINE design criteria: TRPS Criterion 20 and 22; ESFAS Criterion 21 and 23
ASAI Description: An applicant or licensee referencing this SE must verify that the safety network provides communications independence and security requirements for communication from safety- to nonsafety-related systems.
Applicability: Applicable. Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR describes how the HIPS based TRPS and ESFAS equipment implements physical, electrical, communications, and functional independence.

ASAI 54
SER Section(s): 3.7.1.11
Applicable SHINE design criteria: TRPS Criterion 50; ESFAS Criterion 51
ASAI Description: An applicant or licensee referencing this SE must establish the identification and coding requirements for cabinets and components for a safety system and the methods to verify that the correct firmware or software is installed in the correct hardware component.
Applicability: Applicable. Subsections 7.4.5.4.6.3, 7.4.3.10, and 7.5.3.9 of the FSAR describe how the HIPS-based TRPS and ESFAS equipment design addresses equipment identification.

The programmable logic lifecycle process includes automatically generating a unique FPGA logic design image number which is used as an FPGA logic design identification number. The FPGA logic design image number can be displayed on the MWS and is included on all logic design documentation and within the hardware description language (HDL) code for the image so the user can verify the installed FPGA design against the logic design documentation.

The FPGA logic design identity image number is included in the following logic development workflow outputs:

  • Programmable Logic Design Specifications
  • Programmable Logic Test Specifications
  • Programmable Logic Test Results
  • Requirements Traceability Matrix
  • The FPGA logic top level HDL code file

The FPGA logic design image number is used as a system logic design configuration verification tool that verifies the correctness of the current system logic design within a chassis.

ASAI 55
SER Section(s): 3.8.1.1
Applicable SHINE design criteria: TRPS Criterion 18, 20, and 21; ESFAS Criterion 19, 21, and 22
ASAI Description: An applicant or licensee referencing this SE must demonstrate that a full system design does not, with the exception of division voting logic, depend on any information or resource originating or residing outside its own safety division to accomplish its safety function.
Applicability: Applicable. Subsection 7.4.5.2.1 (Highly Integrated Protection System Design) of the SHINE facility FSAR describes how the HIPS equipment implements divisional voting logic. Other than divisional voting logic, the TRPS and ESFAS do not depend on any information or resource originating or residing outside of each safety division to accomplish their safety functions.

ASAI 56
SER Section(s): 3.8.1.5
Applicable SHINE design criteria: TRPS Criterion 23 and 24; ESFAS Criterion 24 and 25
ASAI Description: An applicant or licensee referencing this SE must confirm that system real-time performance is adequate, assuming the longest possible completion time to ensure the completion of protective actions within the critical time frames required by the plant safety analyses.
Applicability: Applicable. A response time analysis for the TRPS and ESFAS is discussed in Subsection 7.4.5.2.3 (Predictability and Repeatability) of the SHINE facility FSAR.

ASAI 57
SER Section(s): 3.8.1.12
Applicable SHINE design criteria: TRPS Criterion 48; ESFAS Criterion 49
ASAI Description: An applicant or licensee referencing this SE must configure the slave modules (e.g., SFMs and EIMs) to alarm and assume a fail-safe state.
Applicability: Applicable. A TRPS and ESFAS Failure Modes and Effects Analysis (Reference 4) was conducted for the TRPS and ESFAS, which evaluated each component of the systems, how it may fail, and what the effect of the failure on the systems would be in the presence of a single failure. Effects on the systems include assuming a fail-safe state, only alarming the failure, or assuming a fail-safe state and alarming the failure. Which of these effects occurs depends on the mode of failure for each component and is documented in the FMEA.

ASAI 58
SER Section(s): 3.8.1.18
Applicable SHINE design criteria: TRPS Criterion 2, 5, and 6; ESFAS Criterion 2, 5, and 6
ASAI Description: An applicant or licensee referencing this SE should verify having appropriate physical, logical, and programmatic controls during the system development phases to ensure that unwanted, unneeded, and undocumented functionality is not introduced into digital safety systems.
Applicability: Applicable. Subsections 7.4.5.3.1 (Secure Development Operating Environment) and 7.4.5.4 (Software Requirements Development) of the SHINE facility FSAR describe the Secure Development Environment requirements for TRPS and ESFAS system development. As discussed in Subsection 7.4.5.4, the plans and procedures for the design/development, V&V activities, configuration management, and their associated documentation for completion of performance are to be provided by the TRPS and ESFAS vendor.

ASAI 59
SER Section(s): 3.8.1.19, 3.8.1.20
Applicable SHINE design criteria: TRPS Criterion 24; ESFAS Criterion 25
ASAI Description: An applicant or licensee referencing this SE must describe how the HIPS platform equipment is used to provide a deterministic communication structure for required safety functions.
Applicability: Applicable. TRPS and ESFAS integrity characteristics which support a deterministic communication structure are discussed in Subsection 7.4.5.2.3 (Predictability and Repeatability) of the SHINE facility FSAR.

ASAI 60
SER Section(s): 3.8.3.1.2
Applicable SHINE design criteria: TRPS Criterion 21 and 22; ESFAS Criterion 22 and 23
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the full system design supports cross-divisional and nonsafety communication with the appropriate independence and isolation.
Applicability: Applicable. How communications independence is implemented within the TRPS and the ESFAS is discussed in Subsection 7.4.5.2.1 (Independence) of the SHINE facility FSAR.

ASAI 61
SER Section(s): 3.8.3.1.3
Applicable SHINE design criteria: Not applicable
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the application-specific use of an enable nonsafety switch and its configuration details will not adversely affect the channel independence nor the operation of safety-related equipment when the safety-related equipment is performing its safety function. In addition, the applicant or licensee must demonstrate that the application-specific use of an enable nonsafety switch should not be able to bring a safety function out of bypass condition unless the affected division has itself determined that such action would be acceptable.
Applicability: Applicable. The use of an enable nonsafety switch and associated priority logic within the TRPS and ESFAS is described in Subsection 7.4.5 (Highly Integrated Protection System Design) of the SHINE facility FSAR. Specific logic diagrams for how the enable nonsafety switch is implemented in TRPS and ESFAS logic are provided in Figures 7.4-1 and 7.5-1, respectively. Use of the enable nonsafety switch is also discussed in Subsections 7.4.3 and 7.5.3 of the SHINE facility FSAR.

ASAI 62
SER Section(s): 3.9.1, 3.9.2
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform equipment is used to provide FPGA diversity between redundant portions of the systems to eliminate HIPS platform digital CCF vulnerabilities.
Applicability: Partially applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).

ASAI 63
SER Section(s): 3.9.2, 3.9.3
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16
ASAI Description: An applicant or licensee referencing this SE must address any other digital CCF vulnerabilities in the application-specific D3 analysis.
Applicability: Applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).

ASAI 64
SER Section(s): 3.9.3
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform equipment is used to provide FPGA diversity between redundant portions of the system architecture (e.g., in each of two redundancies in a four-fold redundant system or in one redundancy in a two-fold redundant system) to ensure HIPS platform safety performance in the presence of a digital CCF.
Applicability: Partially applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. The TRPS and ESFAS are both implemented with 3 redundant divisions. Each of the three divisions requires a different type of FPGA to address a potential CCF of one type of FPGA. The three types of FPGAs implemented on the divisional modules are as follows:

  • Division A: Microsemi IGLOO2 (FLASH based FPGA)
  • Division B: Intel MAX10 (Hybrid Flash and SRAM based FPGA)
  • Division C: Altera Artix-7 (SRAM based FPGA)

An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).

ASAI 65
SER Section(s): 3.9.4
Applicable SHINE design criteria: TRPS Criterion 16; ESFAS Criterion 16
ASAI Description: An applicant or licensee referencing this SE must demonstrate that the HIPS platform equipment is used to provide diversity for indication and component control signals to ensure HIPS platform monitoring and control performance in the presence of a digital CCF.
Applicability: Partially applicable. Implementation of diversity within the TRPS and the ESFAS is discussed in Subsection 7.2.2.4 (Diversity) and Subsection 7.2.2.5 (Simplicity) of the SHINE facility FSAR. An assessment of the design and implementation of diversity within the TRPS and ESFAS and the allocation of the safety functions among the diverse divisions to mitigate the effects of SHINE FSAR Chapter 13 events is provided in the Diversity and Defense-in-Depth Assessment of the TRPS and ESFAS (Reference 5).

4 Conclusions

Each application specific action item identified in the final safety evaluation report for the HIPS platform topical report (Reference 1) was evaluated for applicability to SHINE's medical isotope production facility licensing application. The resulting applicability determination was documented in Table 3-1, and if the ASAI was determined to be not applicable, justification for why it was not considered applicable was provided. If the ASAI was determined to be applicable, a reference was provided for either the appropriate sections of the SHINE facility FSAR or the appropriate design basis document which provides evidence that the applicable action items have been adequately addressed for the design of the TRPS and ESFAS.

5 HIPS Platform Modifications

This section identifies modifications and additions to the fundamental HIPS platform equipment design and functionality described in the HIPS platform topical report (Reference 1) which are to be implemented as part of the TRPS and ESFAS designs. This section does not describe the differences between the representative architecture presented in the topical report and the application specific equipment architectures for the TRPS and ESFAS.

5.1 Hardwired Module Input Routing

Section 2.5.2 of the HIPS platform topical report states that Trip/Bypass inputs to the Hardwired Modules are routed only to the scheduling and bypass modules (SBMs) where they are used. There are two differences from this statement in the TRPS and ESFAS designs. The first is that the inputs to the Hardwired Modules are used at the SBMs (Division C), the SBVMs (Divisions A and B), the MICMs (for monitoring and indication information), and also at the EIMs for manual actuation of protective functions and manual nonsafety functions. The second difference is that the inputs to the Hardwired Modules are made available to all modules in the same chassis. The modules listed above utilize the signals that are made available on the backplane from the Hardwired Modules.

Additionally, the discussion of the use of the trip/bypass switches with the SBMs in the topical report applies equally to the use of the trip/bypass switches with the SBVMs in Divisions A and B of the TRPS and ESFAS designs.

5.2 Use of Fiber Optic Communications

Sections 2.5.3, 4.3, and 4.6.2 of the HIPS platform topical report describe the use of transmit-only or receive-only fiber optic ports for inter-divisional communications. The TRPS and ESFAS designs do not use fiber optic ports for inter-divisional communications. The inter-divisional communications in the TRPS and ESFAS are implemented with transmit-only or receive-only copper RS-485 connections.

5.3 Communications Module (CM) Bi-Directional Communications

Section 2.5.3 of the HIPS platform topical report discusses transmit-only or receive-only communications for a CM. The TRPS and ESFAS designs utilize CMs (see discussion of the gateway communications modules in Section 5.5.2 below) in Divisions A and B to communicate bi-directionally with the PICS via the MODBUS protocol. This is justified because the function of these CMs is non-safety related and the information which is provided to the PICS from these CMs is received from each division of the TRPS or ESFAS via transmit-only isolated connections.

5.4 Implementation of EIM Switching Outputs

Section 2.5.4.4 of the HIPS Platform topical report states that each EIM can control two groups of field components and each group can have up to two field devices. The HIPS platform has been modified for the TRPS and ESFAS designs such that each EIM can control four groups of field components and each group can have up to two field devices. Also, the redundancy of dual high side and dual low side contacts for each output switch is not implemented in the TRPS and ESFAS EIM designs. This is acceptable because the actuation loads for the SHINE application are small solenoids, which do not justify using the dual high side and dual low side arrangement, and omitting that arrangement allows for a higher density of outputs per EIM.

5.5 Specific Implementation of Communications Modules

5.5.1 Scheduling, Bypass, and Voting Modules

Throughout the HIPS platform topical report, the use of Scheduling and Bypass Modules (SBM) and Scheduling and Voting Modules (SVM) is discussed as part of a representative architecture which is provided in the topical report to help describe the design principles implemented within the HIPS platform. Both modules are example types of the HIPS Platform Communications Module. The TRPS and ESFAS designs utilize a type of Communications Module that is referred to as a Scheduling, Bypass, and Voting Module (SBVM) in Divisions A and B. The SBVM combines all functions, capabilities, and design principles described in the topical report for an SBM and an SVM into a single module. This was implemented to minimize the total number of HIPS hardware modules necessary for the required TRPS and ESFAS functionality. As such, the use of an SBVM in the TRPS and ESFAS designs does not represent a modification or addition to the HIPS Platform as described in the topical report; however, it is identified in this section to explain the apparent use of a different module from that described in the topical report.

Since the SVM functionality on each SBVM will load each of the specific TRPS or ESFAS application's voting registers with the partial trip determination actuation (PTDA) information received by its SBM functionality, Figure 7-8 of the topical report is modified as shown in Figure 5-1 below to add a note that the Wait for Sync is not necessary for the SBVMs. In Figure 5-1, because the TRPS and ESFAS implement 1oo2, 2oo2, or 2oo3 voting, which is different from the 2oo4 voting discussed in the HIPS platform topical report for the representative architecture, the 2oo4s have also been removed from the HIPS platform topical report figure. This figure has also been modified to show the three TRPS/ESFAS divisions as opposed to the four divisions of the representative architecture in the HIPS platform topical report.

Figure 5-1: SBVM MOD_OK - Loading Voting

5.5.2 Gateway Communications Modules

The gateway communications module (GWCM) is a HIPS platform communications module not described in the HIPS platform topical report which performs only nonsafety related monitoring and indication functions. TRPS and ESFAS monitoring and indication information is transmitted redundantly from each system's divisional monitoring and indication communications module (MICM) via one-way isolated RS-485 connections to respective redundant nonsafety GWCMs, which are located in two redundant gateway chassis. The GWCMs for the TRPS are functionally and logically independent from the GWCMs for the ESFAS and vice versa. As described in Section 2.5.3 of the HIPS platform topical report, the GWCMs, which are HIPS platform communications modules, have four communications ports, each of which can be configured as receive-only or transmit-only. Three of the four communications ports of each GWCM are configured as receive-only ports for their respective status and diagnostics information input. The fourth communications port of each GWCM is configured for two-way communications with the respective PICS channel using the MODBUS communications protocol. Two-way communication is a departure from the HIPS platform topical report description of a communications module. This is acceptable because the communication from the GWCM is a nonsafety function, and the upstream communication from each MICM to a GWCM is isolated and one-way only.

5.6 SBVM Safety Data Bus Frame

As discussed above in Section 5.5, the TRPS and ESFAS utilize an SBVM which performs the functions described in the HIPS platform topical report for both the SBM and the SVM. Sections 7.6.3 through 7.7.1 of the topical report describe the operations and safety data bus frames for the SBM and SVM. The TRPS and ESFAS will incorporate a change to how the SBVM votes on the PTDA and communicates actuation data to the EIMs. Instead of sending separate trip determination actuation (TDA) information for each safety function group (SFG) to the EIMs, all safety function groups are voted on at the same time and the TDA for all SFGs is then transferred to the EIMs at once. For this change, Figure 7-12 of the topical report is modified to show a single transaction below in Figure 5-2 for the TRPS and ESFAS implementation.
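The single-pass voting described in Section 5.5.1 and in this section, as an added illustration that is not SHINE or HIPS platform code: the SBM functionality has loaded per-SFG voting registers with PTDA bits from the three divisions, and the SBVM votes every SFG once and packs the resulting TDA for all SFGs into one word for a single transaction to the EIMs. The SFG count, the register layout, the participant masks and the example configuration are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The three TRPS/ESFAS divisions (A, B, C). */
#define DIV_A 0x1u
#define DIV_B 0x2u
#define DIV_C 0x4u
#define ALL_DIVS (DIV_A | DIV_B | DIV_C)

/* Number of safety function groups: an assumption for this illustration. */
#define NUM_SFG 8u

/* m-out-of-n voting configuration for one SFG: which divisions' PTDA bits
 * participate, and how many of them must assert a partial trip
 * (1oo2 -> required 1 of two participants; 2oo2 / 2oo3 -> required 2). */
typedef struct {
    uint8_t participants;
    uint8_t required;
} sfg_vote_cfg_t;

/* Voting registers as loaded by the SBM functionality: bit d of ptda[s] set
 * means division d reported a partial trip determination for SFG s. */
typedef struct {
    uint8_t ptda[NUM_SFG];
} voting_registers_t;

static unsigned count_bits(uint8_t v)
{
    unsigned n = 0;
    for (; v; v >>= 1)
        n += v & 1u;
    return n;
}

/* Vote a single SFG: actuate when at least `required` participating divisions
 * assert PTDA. Bits from non-participating divisions are masked off first. */
bool vote_sfg(uint8_t ptda_mask, sfg_vote_cfg_t cfg)
{
    return count_bits(ptda_mask & cfg.participants) >= cfg.required;
}

/* Vote every SFG in one pass and pack the TDA results into a single word
 * (bit s set = SFG s actuates). The whole word is what the SBVM hands to the
 * EIMs in one safety data bus transaction, rather than one transfer per SFG. */
uint8_t vote_all_sfgs(const voting_registers_t *regs,
                      const sfg_vote_cfg_t cfg[NUM_SFG])
{
    uint8_t tda = 0;
    for (unsigned s = 0; s < NUM_SFG; s++) {
        if (vote_sfg(regs->ptda[s], cfg[s]))
            tda |= (uint8_t)(1u << s);
    }
    return tda;
}

/* Constructed configuration (assumption): SFG 0 and SFGs 3..7 use 2oo3 across
 * all three divisions, SFG 1 uses 1oo2 on divisions A and B, SFG 2 uses 2oo2
 * on divisions A and B. */
static const sfg_vote_cfg_t example_cfg[NUM_SFG] = {
    { ALL_DIVS,      2 }, /* SFG 0: 2oo3 */
    { DIV_A | DIV_B, 1 }, /* SFG 1: 1oo2 */
    { DIV_A | DIV_B, 2 }, /* SFG 2: 2oo2 */
    { ALL_DIVS,      2 }, /* SFG 3: 2oo3 */
    { ALL_DIVS,      2 }, /* SFG 4: 2oo3 */
    { ALL_DIVS,      2 }, /* SFG 5: 2oo3 */
    { ALL_DIVS,      2 }, /* SFG 6: 2oo3 */
    { ALL_DIVS,      2 }, /* SFG 7: 2oo3 */
};

/* Constructed sample PTDA register contents and the TDA word they produce. */
uint8_t example_tda(void)
{
    voting_registers_t regs = { { 0 } };
    regs.ptda[0] = DIV_A | DIV_B;         /* 2 of 3 assert          -> actuate */
    regs.ptda[1] = DIV_C;                 /* C is not a participant -> no actuation */
    regs.ptda[2] = DIV_A;                 /* 1 of 2 under 2oo2      -> no actuation */
    regs.ptda[3] = DIV_A | DIV_B | DIV_C; /* 3 of 3 assert          -> actuate */
    regs.ptda[4] = DIV_C;                 /* 1 of 3 under 2oo3      -> no actuation */
    return vote_all_sfgs(&regs, example_cfg); /* 0x09: SFG 0 and SFG 3 actuate */
}

int main(void)
{
    uint8_t tda = example_tda();
    printf("TDA word sent to EIMs in one transaction: 0x%02X\n", tda);
    for (unsigned s = 0; s < NUM_SFG; s++)
        printf("  SFG %u: %s\n", s, ((tda >> s) & 1u) ? "actuate" : "no actuation");
    return 0;
}
```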

Figure 5-2: SBVM HIPS Bus Frame Transaction Time

Figure 7-14 of the topical report is modified simply to show the SBM and SVM functionality being performed by the SBVM module (dashed box) as shown below in Figure 5-3.

Figure 5-3: Timing diagram for the TRPS and ESFAS

5.7 Self-Testing

5.7.1 Analog to Digital Converter

Sections 7.1.1 and 8.2.1 of the HIPS platform topical report describe the self-testing features for the analog to digital converter (ADC) for an analog input submodule (ISM). The auto-calibration function described there includes the use of external passive components, whereas the TRPS and ESFAS designs will incorporate the critical passive components onto the ADC chip. This results in very precise values that are factory calibrated and are significantly less prone to drift over time and temperature; therefore, the auto-calibration function is not implemented for the TRPS and ESFAS designs.

5.7.2 EIM Input and Output Testing

The self-testing described in Sections 8.2.3.2 and 8.2.3.4 of the HIPS platform topical report for discrete input circuitry (open/closed contact tests) and high drive output testing is not being implemented for the TRPS and ESFAS designs. These tests were not implemented as they would require interaction between the FPGA logic and the analog APL circuitry, and it was desired to keep the interface between the FPGA and APL as simple as possible.

5.7.3 HWM Input Channel Test

The self-test identified in Section 8.2.7 of the HIPS platform topical report for HWM input signals is not being implemented for the TRPS and ESFAS designs. This test is also not implemented because it would require interaction of the FPGA with the hardwired input circuitry (used for manual protection system actuation) and it was desired to not allow any interface of the FPGA with this capability.

5.7.4 End-to-End Testing

Figure 8-2 of the HIPS platform topical report shows the overlap of built-in self-tests and periodic surveillance testing. This figure is updated as shown in Figure 5-4 to add periodic surveillance testing for the following:

  • all safety related inputs (to the SFMs and HWMs)
  • discrete signals between the TRPS and ESFAS SBVMs
  • EIM actuation priority logic and outputs

Figure 5-4: TRPS and ESFAS Overlap of Testing

5.8 HIPS Module LEDs

Section 8.2.7 of the HIPS platform topical report identifies that LED tests will be performed to identify if an incorrect LED status is being displayed. This test will not be performed on a continuous basis for the TRPS and ESFAS designs for the following reasons:
  • Module front panel indication is not a safety function
  • Correct LED operation will be tested as part of factory and installation testing

Section 8.4 of the HIPS platform topical report describes the two LEDs on the front of each HIPS module which are used to indicate the state of the module latches, the operational state of the module, and the presence of any faults for the module. The TRPS and ESFAS designs will include the following changes to the function of the LEDs from that presented in the topical report:
  • The ACTIVE LED will turn Red on a vital fault or when the module has one latch open
  • The FAULT LED will never flash and will not turn Red
  • The FAULT LED will turn Yellow for any fault (non-vital or vital)

Table 5-1: HIPS Module LEDs

ACTIVE LED (indication type: board power indicator)
  Green: Board powered, both latches closed
  Red: Board powered, one latch open
  Yellow: N/A
  Off: Board is OFF, latches open

FAULT LED (indication type: HIPS module fault indicator)
  Green: Solid - module not in FAULT
  Red: Module in FAULT
  Yellow: Module in FAULT or previously in FAULT with indication not yet cleared
  Off: Module in FAULT

Table 5-2: HIPS Platform Fault Classification

Fatal (ACTIVE LED: Off; FAULT LED: Off)
  Fatal faults refer to a severe type of fault that compromises the control function of the HIPS module. The most obvious fatal fault is the complete loss of input power to the HIPS chassis. The result is a loss of all HIPS module functionality and status indication.

Vital (ACTIVE LED: Green; FAULT LED: Red)
  Vital faults refer to the class of errors that compromise the HIPS module and cause it to become inoperable for the performance of one or more safety functions. The occurrence of a vital fault requires immediate maintenance.

Non-vital (ACTIVE LED: Green; FAULT LED: Green (flashing))
  Non-vital faults refer to the class of errors that do not affect the overall HIPS module performance or integrity. Following one or more non-vital faults, the HIPS module is still operable and its integrity has not been compromised. Maintenance is required and is performed by the station in accordance with the work management system. For example, the loss of one redundant power source is regarded as a non-vital failure.

5.9 Remote Input Submodule (RISM)

The RISM is a new module which is not discussed in the HIPS platform topical report. Each RISM directly interfaces with the Neutron Flux Detection System (NFDS) equipment and is directly associated with a single SFM that allows for remotely locating one ISM from its associated SFM. The ISM used on a RISM is the same as described in the HIPS platform topical report for an ISM with the modification described above in Section 5.7. The ISM can be configured for a specific input type and calibrated as described in the HIPS platform topical report for the SFM.

Once an input channel is in digital format on the ISM, the input information is provided by the RISM via an isolated, one-way RS-485 connection to its associated SFM within the division for triplication and trip determination. There is an additional RS-485 connection between the RISM and its associated SFM which independently supports modification of tunable parameters necessary on the RISM.

5.10 SBVM Manual Testing Capability

The HIPS platform topical report did not discuss use of the Calibration and Test Bus (CTB) with Communications Modules. Because the TRPS and ESFAS designs include providing discrete signals between the SBVMs of both systems, the capability for manually testing these inputs and outputs using CTB functional logic is being added to the SBVM. Similar to use of the CTB for an SFM, this testing can only be performed when an SBVM is taken out of service (OOS) (i.e., the OOS switch on the front of the SBVM is active). Activating the OOS switch permits initiation of testing of only the discrete output signals from an SBVM.

Similar to modifications of setpoints and other tunable parameters for the SFM, these manual tests are initiated from the MWS, which can only interact with a single module at a time via an MICM, which also must be taken OOS to initiate the test.

6 IEEE Std. 7-4.3.2-2003 Traceability Matrix

This section provides a summary of conformance of the TRPS and ESFAS with IEEE Std. 7-4.3.2-2003.

Table 6-1: TRPS and ESFAS IEEE Std. 7-4.3.2-2003 Traceability Matrix

IEEE Std. Section Number and Section: TRPS/ESFAS Conformance
  5.1 Single Failure Criteria: N/A
  5.2 Completion of Protective Action: N/A
  5.3 Quality: N/A
  5.4 Equipment Qualification: N/A
  5.5 System Integrity
  5.5.1 Design for Computer Integrity: See responses to ASAIs 18 and 19 in Table 3-1 above.
  5.5.2 Design for Test and Calibration: See responses to ASAIs 47 and 48 in Table 3-1 above.
  5.5.3 Fault Detection and Self-diagnostics: See responses to ASAIs 49, 50, and 51 in Table 3-1 above.
  5.6 Independence: See responses to ASAIs 52 and 53 in Table 3-1 above.
  5.7 Capability for Test and Calibration: N/A
  5.8 Information Displays: N/A
  5.9 Control of Access: N/A
  5.10 Repair: N/A
  5.11 Identification: N/A
  5.12 Auxiliary Features: N/A
  5.13 Multi-Unit Stations: N/A
  5.14 Human Factors Consideration: N/A
  5.15 Reliability: N/A
  6 Sense and Command Features: N/A
  7 Execute Features: N/A
  8 Power Source Requirements: N/A

7 Digital I&C Interim Staff Guidance 04 Traceability Matrix

This section provides a summary of conformance of the TRPS and ESFAS with DI&C-ISG-04.

Table 7-1: TRPS and ESFAS DI&C-ISG-04 Traceability Matrix

ISG-04 Section 1: Interdivisional Communications

SP 1 Requirement: A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE Std. 603. It is recognized that division voting logic must receive inputs from multiple safety divisions.
TRPS/ESFAS Conformance: See responses to ASAIs 8, 22, 23, and 55 in Table 3-1 above.

SP 2: The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member. Information and signals originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the sources outside the division) and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.
Conformance: See responses to ASAIs 8, 20, 21, 22, and 23 in Table 3-1 above.

SP 3: A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function.

Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function but is not designed to perform other functions.

The more complex system would increase the likelihood of failures and software errors. Such a complex design, therefore, should be avoided within the safety system. For example, comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors (for example, on-line monitoring). Such a function executed within a safety system, however, could also result in unacceptable influence of one division over another, or could involve functions not directly related to the safety functions, and should not be executed within the safety system.

Receipt of information from outside the division, and the performance of functions not directly related to the safety function, if used, should be justified. It should be demonstrated that the added system/software complexity associated with the performance of functions not directly related to the safety function and with the receipt of information in support of those functions does not significantly increase the likelihood of software specification or coding errors, including errors that would affect more than one division. The applicant should justify the definition of "significantly" used in the demonstration.
Conformance: See responses to ASAI 22 in Table 3-1 above.

SP 4: The communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function. The communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information. The function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety related, and must be designed, qualified, fabricated, etc., in accordance with 10 C.F.R. Part 50, Appendix A and B. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner. For example, if the communication processor is accessing the shared memory at a time when the function processor needs to access it, the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses. If the shared memory cannot support unrestricted simultaneous access by both processors, then the access controls should be configured such that the function processor always has precedence. The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis, and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory.
Conformance: N/A

SP 5: The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory. This longest-possible completion time should include the response time of the memory itself and of the circuits associated with it, and should also include the longest possible delay in access to the memory by the function processor assuming worst-case conditions for the transfer of access from the communications processor to the function processor. Failure of the system to meet the limiting cycle time should be detected and alarmed.
Conformance: See responses to ASAI 56 in Table 3-1 above.

SP 6: The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division.
Conformance: N/A

SP 7: Only predefined data sets should be used by the receiving system. Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre-specified design requirements. Data from unrecognized messages must not be used within the safety logic executed by the safety function processor. Message format and protocol should be pre-determined. Every message should have the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message. Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior.
Conformance: N/A

SP 8: Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions.
Conformance: See responses to ASAI 22 in Table 3-1 above.

SP 9: Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor. These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device.
Conformance: N/A

SP 10: Safety division software should be protected from alteration while the safety division is in operation. On-line changes to safety system software should be prevented by hard-wired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g., engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor / shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hard-wired logic. Hard-wired logic as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a TRUE or 1 at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes.
Conformance: N/A

SP 11: Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service. The progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division. For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence.
Conformance: N/A

SP 12: Communication faults should not adversely affect the performance of required safety functions in any way. Faults, including communication faults, originating in nonsafety equipment, do not constitute single failures as described in the single failure criterion of 10 C.F.R. Part 50, Appendix A. Examples of credible communication faults include, but are not limited to, the following:

  • Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise.
  • Messages may be repeated at an incorrect point in time.
  • Messages may be sent in the incorrect sequence.
  • Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message.
  • Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, interference, or by delay in sending buffered messages.
  • Messages may be inserted into the communication medium from unexpected or unknown sources.
  • Messages may be sent to the wrong destination, which could treat the message as a valid message.
  • Messages may be longer than the receiving buffer, resulting in buffer overflow and memory corruption.
  • Messages may contain data that is outside the expected range.
  • Messages may appear valid, but data may be placed in incorrect locations within the message.
  • Messages may occur at a high rate that degrades or causes the system to fail (i.e., broadcast storm).
  • Message headers or addresses may be corrupted.

Conformance: N/A

SP 13: Vital communications, such as the sharing of channel trip decisions for the purpose of voting, should include provisions for ensuring that received messages are correct and are correctly understood. Such communications should employ error-detecting or error-correcting coding along with means for dealing with corrupt, invalid, untimely or otherwise questionable data. The effectiveness of error detection/correction should be demonstrated in the design and proof testing of the associated codes, but once demonstrated is not subject to periodic testing. Error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable. None of this activity should affect the operation of the safety-function processor.
Conformance: See responses to ASAI 32 in Table 3-1 above.

SP 14: Vital communications should be point-to-point by means of a dedicated medium (copper or optical cable). In this context, point-to-point means that the message is passed directly from the sending node to the receiving node without the involvement of equipment outside the division of the sending or receiving node. Implementation of other communication strategies should provide the same reliability and should be justified.
Conformance: N/A

SP 15: Communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set has changed or not.
Conformance: N/A

SP 16: Network connectivity, liveness, and real-time properties essential to the safety application should be verified in the protocol. Liveness, in particular, is taken to mean that no connection to any network outside the division can cause an RPS/ESFAS communication protocol to stall, either deadlock or livelock.

(Note: This is also required by the independence criteria of: (1) 10 C.F.R. Part 50, Appendix A, General Design Criteria (GDC) 24, which states, "interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."; and (2) IEEE Std. 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.)
Conformance: See responses to ASAIs 8, 20, 21, 22, and 23 in Table 3-1 above.

SP 17: Pursuant to 10 C.F.R. § 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified.
Conformance: See responses to ASAI 17 in Table 3-1 above.

SP 18: Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication.
Conformance: See responses to ASAIs 12 and 58 in Table 3-1 above.

SP 19: If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.
Conformance: See responses to ASAIs 19 and 59 in Table 3-1 above.

SP 20: The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing.
Conformance: See responses to ASAIs 18, 19, and 59 in Table 3-1 above.

2 Command Prioritization

SP 1: A priority module is a safety related device or software function. A priority module must meet all of the 10 C.F.R. Part 50, Appendix A and B requirements (design, qualification, quality, etc.) applicable to safety-related devices or software.
Conformance: N/A

SP 2: Priority modules used for diverse actuation signals should be independent of the remainder of the digital system, and should function properly regardless of the state or condition of the digital system. If these recommendations are not satisfied, the applicant should show how the diverse actuation requirements are met.
Conformance: N/A

SP 3: Safety-related commands that direct a component to a safe state must always have the highest priority and must override all other commands. Commands that originate in a safety-related channel but which only cancel or enable cancellation of the effect of the safe-state command (that is, a consequence of a common-cause failure in the primary system that erroneously forces the plant equipment to a state that is different from the designated safe state), and which do not directly support any safety function, have lower priority and may be overridden by other commands. In some cases, such as a containment isolation valve in an auxiliary feedwater line, there is no universal safe state: the valve must be open under some circumstances and closed under others. The relative priority to be applied to commands from a diverse actuation system, for example, is not obvious in such a case. This is a system operation issue, and priorities should be assigned on the basis of considerations relating to plant system design or other criteria unrelated to the use of digital systems. This issue is outside the scope of this ISG. The reasoning behind the proposed priority ranking should be explained in detail. The reviewer should refer the proposed priority ranking and the explanation to appropriate systems experts for review. The priority module itself should be shown to apply the commands correctly in order of their priority rankings, and should meet all other applicable guidance. It should be shown that the unavailability or spurious operation of the actuated device is accounted for in, or bounded by, the plant safety analysis.
Conformance: N/A

SP 4: A priority module may control one or more components. If a priority module controls more than one component, then all of these provisions apply to each of the actuated components.
Conformance: N/A

SP 5: Communication isolation for each priority module should be as described in the guidance for interdivisional communications.
Conformance: N/A

SP 6: Software used in the design, testing, maintenance, etc. of a priority module is subject to all of the applicable guidance in RG 1.152, which endorses IEEE Std. 7-4.3.2-2003 (with comments). This includes software applicable to any programmable device used in support of the safety function of a prioritization module, such as programmable logic devices, programmable gate arrays, or other such devices. Section 5.3.2 of IEEE Std. 7-4.3.2-2003 is particularly applicable to this subject. Validation of design tools used for programming a priority module or a component of a priority module is not necessary if the device directly affected by those tools is 100% tested before being released for service. 100% testing means that every possible combination of inputs and every possible sequence of device states is tested, and all outputs are verified for every case. The testing should not involve the use of the design tool itself. Software-based prioritization must meet all requirements (quality requirements, V&V, documentation, etc.) applicable to safety-related software.
Conformance: N/A

SP 7: Any software program that is used in support of the safety function within a priority module is safety-related software. All requirements that apply to safety-related software also apply to prioritization module software. Nonvolatile memory (such as burned-in or reprogrammable gate arrays or random-access memory) should be changeable only through removal and replacement of the memory device. Design provisions should ensure that static memory and programmable logic cannot be altered while installed in the module. The contents and configuration of field programmable memory should be considered to be software, and should be developed, maintained, and controlled accordingly.
Conformance: N/A

SP 8: To minimize the probability of failures due to common software, the priority module design should be fully tested (this refers to proof-of-design testing, not to individual testing of each module and not to surveillance testing). If the tests are generated by any automatic test generation program then all the test sequences and test results should be manually verified.

Testing should include the application of every possible combination of inputs and the evaluation of all of the outputs that result from each combination of inputs. If a module includes state-based logic (that is, if the response to a particular set of inputs depends upon past conditions), then all possible sequences of input sets should also be tested. If testing of all possible sequences of input sets is not considered practical by an applicant, then the applicant should identify the testing that is excluded and justify that exclusion.

The applicant should show that the testing planned or performed provides adequate assurance of proper operation under all conditions and sequences of conditions. Note that it is possible that logic devices within the priority module include unused inputs: assuming those inputs are forced by the module circuitry to a particular known state, those inputs can be excluded from the "all possible combinations" criterion. For example, a priority module may include logic executed in a gate array that has more inputs than are necessary. The unused inputs should be forced to either TRUE or FALSE and then can be ignored in the "all possible combinations" testing.
Conformance: N/A

SP 9: Automatic testing within a priority module, whether initiated from within the module or triggered from outside, and including failure of automatic testing features, should not inhibit the safety function of the module in any way. Failure of automatic testing software could constitute common-cause failure if it were to result in the disabling of the module safety function.
Conformance: N/A

SP 10: The priority module must ensure that the completion of a protective action as required by IEEE Std. 603 is not interrupted by commands, conditions, or failures outside the module's own safety division.
Conformance: N/A

3 Multidivisional Control and Display Systems

3.1 Independence and Isolation

SP 1: Nonsafety stations receiving information from one or more safety divisions
Conformance: N/A

SP 2: Safety-related stations receiving information from other divisions (safety or nonsafety)
Conformance: See responses to ASAI 60 in Table 3-1 above.

SP 3: Nonsafety stations controlling the operation of safety-related equipment
Conformance: See responses to ASAI 61 in Table 3-1 above.

SP 4: Safety-related stations controlling the operation of equipment in other safety-related divisions
Conformance: N/A

SP 5: Malfunctions and Spurious Actuations
Conformance: N/A

3.2 Various human factors engineering requirements.
Conformance: N/A

3.3 D3 considerations may influence the number and disposition of operator workstations and possibly of backup controls and indications that may or may not be safety-related. The guidance provided herein is not dependent upon such details. D3 considerations may also impose qualification or other measures or guidelines upon equipment addressed in this ISG. The guidance presented herein does not include such considerations. Consideration of other aspects of D3 is outside the scope of this guidance. Additional guidance concerning D3 considerations is provided separately.
Conformance: N/A
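The fixed-format message handling that Table 7-1 sets out under Section 1 SP 7, SP 12, SP 13 and SP 15 (predefined data sets, fixed field positions, error detection, every datum sent every cycle, and disposition of corrupt, repeated, out-of-sequence, late, oversized, misaddressed or out-of-range messages) is worked through below as an added C example. It is not code from the SHINE submittal or from the HIPS platform; the 12-byte frame layout, CRC-16/CCITT-FALSE, the 50 ms arrival window, the 12-bit data range and the division identifiers DIV_A and DIV_B are all assumptions chosen for illustration.

```c
/* Added example, not part of the SHINE submittal or the HIPS platform: a
 * receiver for the fixed-format, fixed-length "state" message described by
 * DI&C-ISG-04 Section 1 SP 7, SP 12, SP 13 and SP 15. The frame layout,
 * CRC, arrival window and range limit are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame: the same fields at the same offsets in every message (SP 7). */
#define MSG_LEN      12u
#define OFF_SRC       0u    /* sending division identifier */
#define OFF_ID        1u    /* message identifier (predefined data set) */
#define OFF_SEQ       2u    /* cycle sequence number */
#define OFF_STATUS    3u    /* sender status bits */
#define OFF_DATA      4u    /* three 16-bit values, big-endian */
#define OFF_CRC      10u    /* CRC-16/CCITT-FALSE over bytes 0..9 (SP 13) */
#define N_DATA        3u
#define MSG_ID_STATE  0x5Au /* the only data set this receiver accepts */
#define DIV_A         0x0Au /* constructed division identifiers */
#define DIV_B         0x0Bu
#define DATA_MAX      4095u /* assumed 12-bit sensor range */
#define MAX_GAP_MS    50u   /* permitted arrival window between cycles */

typedef enum {
    MSG_OK = 0,
    MSG_BAD_LENGTH,   /* not the fixed frame length: rejected before any copy */
    MSG_BAD_CRC,      /* corrupted in transit */
    MSG_BAD_SOURCE,   /* unexpected or unknown source */
    MSG_UNKNOWN_ID,   /* not a predefined data set */
    MSG_REPEATED,     /* same sequence number delivered again */
    MSG_OUT_OF_SEQ,   /* sequence jump: lost or reordered cycle */
    MSG_STALE,        /* outside the permitted arrival window */
    MSG_OUT_OF_RANGE  /* datum outside the expected range */
} msg_fault_t;

typedef struct {
    uint8_t  expected_src, last_seq;
    bool     have_seq, valid;   /* valid: last frame passed every check */
    uint32_t last_rx_ms;
    uint16_t data[N_DATA];      /* fixed, dedicated input storage (SP 9) */
} state_rx_t;

uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender: every datum goes out every cycle, changed or not (SP 15). */
void state_frame_build(uint8_t src, uint8_t seq, const uint16_t v[N_DATA], uint8_t f[MSG_LEN])
{
    f[OFF_SRC] = src; f[OFF_ID] = MSG_ID_STATE; f[OFF_SEQ] = seq; f[OFF_STATUS] = 0;
    for (size_t i = 0; i < N_DATA; i++) {
        f[OFF_DATA + 2 * i] = (uint8_t)(v[i] >> 8);
        f[OFF_DATA + 2 * i + 1] = (uint8_t)v[i];
    }
    uint16_t crc = crc16_ccitt(f, OFF_CRC);
    f[OFF_CRC] = (uint8_t)(crc >> 8); f[OFF_CRC + 1] = (uint8_t)crc;
}

/* Receiver: a faulty frame leaves rx->valid false so the safety logic never
 * consumes it; data is committed only after every check has passed. */
msg_fault_t state_rx_process(state_rx_t *rx, const uint8_t *frame, size_t len, uint32_t now_ms)
{
    uint8_t buf[MSG_LEN], seq;
    uint16_t v[N_DATA];
    rx->valid = false;
    if (len != MSG_LEN) return MSG_BAD_LENGTH;          /* checked before memcpy */
    memcpy(buf, frame, MSG_LEN);
    if (crc16_ccitt(buf, OFF_CRC) != (uint16_t)((buf[OFF_CRC] << 8) | buf[OFF_CRC + 1]))
        return MSG_BAD_CRC;
    if (buf[OFF_SRC] != rx->expected_src) return MSG_BAD_SOURCE;
    if (buf[OFF_ID] != MSG_ID_STATE) return MSG_UNKNOWN_ID;
    seq = buf[OFF_SEQ];
    if (rx->have_seq) {
        if (seq == rx->last_seq) return MSG_REPEATED;
        if (seq != (uint8_t)(rx->last_seq + 1)) return MSG_OUT_OF_SEQ;
        if (now_ms - rx->last_rx_ms > MAX_GAP_MS) return MSG_STALE;
    }
    for (size_t i = 0; i < N_DATA; i++) {
        v[i] = (uint16_t)((buf[OFF_DATA + 2 * i] << 8) | buf[OFF_DATA + 2 * i + 1]);
        if (v[i] > DATA_MAX) return MSG_OUT_OF_RANGE;
    }
    memcpy(rx->data, v, sizeof v);
    rx->last_seq = seq; rx->have_seq = true; rx->last_rx_ms = now_ms; rx->valid = true;
    return MSG_OK;
}
```

Resynchronisation after a rejected sequence gap (when the receiver may accept a new sequence base) is one of the dispositions SP 7 leaves to the pre-specified design requirements and is deliberately not decided here; until it is, the channel simply stays invalid.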

8 SRM for SECY-93-087 Traceability Matrix

This section provides a summary of conformance of the TRPS and ESFAS with SECY-93-087.

Table 8-1: TRPS and ESFAS SECY-93-087 Traceability Matrix

SRM Section Number and Requirement: TRPS/ESFAS Conformance

1: The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed. The staff considers software design errors to be credible common-mode failures that must specifically be included in the evaluation. An acceptable method of performing analyses is described in NUREG-0493, "A Defense-In-Depth and Diversity Assessment of the RESAR-414 Integrated Protection System," March 1979. Other methods proposed by an applicant will be reviewed individually.
Conformance: See responses to ASAIs 9 and 62 in Table 3-1 above.

2: In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR). The vendor or applicant shall demonstrate adequate diversity within the design for each of these events. For events postulated in the plant SAR, an acceptable plant response should not result in a non-coolable geometry of the core, violation of the integrity of the primary coolant pressure boundary, or violation of the integrity of the containment.
Conformance: See responses to ASAIs 9, 10, 62, and 63 in Table 3-1 above.

3: If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a nonsafety system if the system is of sufficient quality to perform the necessary function under the associated event conditions. Diverse digital or nondigital systems are considered acceptable means. Manual actions from the control room are acceptable if adequate time and information are available to the operators. The amount and types of diversity may vary among designs and will be evaluated individually.
Conformance: See responses to ASAIs 9, 10, 63, and 64 in Table 3-1 above.

4: A set of safety-grade displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above. The specific set of equipment shall be evaluated individually, but shall be sufficient to monitor the plant states and actuate systems required by the control room operators to place the nuclear plant in a hot-shutdown condition. In addition, the specific equipment should be intended to control the following critical safety functions: reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity.
Conformance: See responses to ASAIs 10 and 65 in Table 3-1 above.

9 References

1. NuScale Power, LLC, TR-1015-18653-NP-A, Design of the Highly Integrated Protection System Platform, Revision 2, September 2017, NRC ADAMS Accession No. ML17256A892.
2. U.S. Nuclear Regulatory Commission Letter, Final Safety Evaluation for NuScale Power, LLC Licensing Topical Report: 1015-18653, Design of the Highly Integrated Protection System Platform, Revision 2, dated June 6, 2017, ADAMS Accession No. ML17116A094.
3. SHINE Medical Technologies, 2000-09-01, Quality Assurance Program Description (QAPD).
4. Rock Creek Innovations, SMT-016-1000-64012, Failure Modes and Effects Analysis, Revision 3, August 24, 2021.
5. SHINE Medical Technologies, TECRPT-2019-0041, Diversity and Defense-in-Depth Assessment of TRPS and ESFAS, Revision 3, September 6, 2021.
6. SHINE Medical Technologies, TECRPT-2019-0048, TRPS System Design Description, Revision 2, September 6, 2021.
7. SHINE Medical Technologies, TECRPT-2020-0002, Engineered Safety Features Actuation System Design Description, Revision 4, August 20, 2021.
8. Rock Creek Innovations, RCI-942-1000-61000, Environmental and Seismic Qualification Report for HIPS Platform EQTS, Revision 2, June 2, 2021.
9. Rock Creek Innovations, RCI-942-1000-61001, EMC and Isolation Qualification Report for HIPS Platform EQTS, Revision 0, September 2, 2021.

ENCLOSURE 2

SHINE TECHNOLOGIES, LLC

APPLICATION FOR AN OPERATING LICENSE SUPPLEMENT NO. 22 AND REVISION 1 OF THE SHINE RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 7-15

REVISION 1 OF THE SHINE RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION 7-15

The NRC staff determined that additional information was required to enable the staff's continued review of the SHINE Technologies, LLC (SHINE) operating license application (Reference 1). SHINE provided the response to a portion of the NRC staff's request for additional information (RAI), including the SHINE Response to RAI 7-15, via Reference 2.

SHINE has determined that the SHINE Response to RAI 7-15 requires revision. Revision 1 of the SHINE Response to RAI 7-15 is provided below.

RAI 7-15

NUREG-1537, Part 2, Section 7.4, states, in part, that the protection system be sufficiently distinct in function from the [control system] that its unique safety features can be readily tested, verified, and calibrated. In addition, NUREG-1537, Part 2, Section 7.4, also states, in part, that the protection system function and time scale should be readily tested to ensure operability of at least minimum protection for all operations. Therefore, the TRPS and ESFAS should be designed to be readily tested and calibrated to ensure operability.

Additionally, the TSs, including surveillance tests and intervals, should ensure availability and operability of these actuation systems.

SHINE Design Criterion 15 requires the TRPS be designed to permit periodic testing, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. Section 7.4.4.3 of the SHINE FSAR describes how a channel can be placed in maintenance bypass and its effect on the voting logic. Section 7.4.4.4, Testing Capability, of the SHINE FSAR describes testing capabilities included in the TRPS.

The approved TR for the HIPS platform describes the diagnostic and maintenance features (e.g., built-in self-testing, periodic testing, etc.) available in the HIPS platform. Because the HIPS platform diagnostic and maintenance features were conceptual designs, the NRC staff identified ASAIs 13, 14, 24, 25, 32, 49, 50, and 51 as necessary for facility-specific implementation. The ASAIs require an applicant or licensee to describe how diagnostic and maintenance features are implemented in the site-specific application. Specifically, an applicant or licensee should (1) demonstrate diagnostic and maintenance features provide necessary test coverage, and (2) demonstrate that the use of these features won't prevent the system from performing its safety and protection functions. In response to RAI 7-4, SHINE described whether these ASAIs are applicable to SHINE and their dispositions.

The NRC staff generally agrees with SHINE's stated applicability of these ASAIs to the TRPS and ESFAS. However, the description and information in the SHINE FSAR do not include sufficient detail on the configuration of self-testing and diagnostics to evaluate conformance to the maintenance and testing features described in the HIPS TR and how the SHINE design criteria are met.

Update the SHINE FSAR to describe how diagnostic and maintenance features are implemented in the HIPS equipment for the TRPS and ESFAS. Demonstrate that the features provide necessary test coverage. Also, demonstrate that the use of these features won't prevent the systems from performing their safety and protection functions.

The NRC staff needs this information to verify that testing and maintenance of the TRPS and ESFAS will ensure operability of the equipment and meet the SHINE Design Criterion 15. The information requested above is necessary to support the evaluation findings in Section 7.4 of NUREG-1537, Part 2, including that "[t]he design reasonably ensures that the design bases can be achieved, the system will be built of high-quality components using accepted engineering and industrial practices, and the system can be readily tested and maintained in the design operating condition."

The following are examples of the types of information the NRC staff needs to evaluate testing and maintenance features implemented in the TRPS and ESFAS. SHINE should ensure that the response to this RAI addresses these examples. However, the NRC staff notes that these are representative examples and not an exhaustive list of all information SHINE may determine to be appropriate to include in its RAI response and any FSAR updates:

  • Modification of configurable variables and setpoints
  • Features and limitations to perform in-chassis calibration
  • Surveillance tests using automatic sensor cross-check
  • Test and calibration functions of the HIPS platform and compliance with regulatory guidance
  • Validation of self-testing functions in HIPS equipment

SHINE Response

A description of the diagnostic and maintenance test features in the Highly Integrated Protection System (HIPS) platform equipment for the target solution vessel (TSV) reactivity protection system (TRPS) and engineered safety features (ESF) actuation system (ESFAS) follows.

The TRPS and ESFAS are designed with the capability for calibration and surveillance testing, including channel checks, calibration verification, and time response measurements to verify that I&C safety systems perform required safety functions. The TRPS and ESFAS allow systems, structures, and components (SSCs) to be tested while retaining the capability to accomplish required safety functions. The TRPS and ESFAS use modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of self-testing and periodic surveillance testing.

Testing from the sensor inputs of the TRPS and ESFAS through to the actuated equipment is accomplished through a series of overlapping sequential tests, most of which may be performed during normal plant operations. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain division independence by being performed within the division.


The part of TRPS and ESFAS that cannot be tested during normal operations is the actuation priority logic circuit on the equipment interface module (EIM). This includes the manual control room switches and the nonsafety-related interface that provide inputs to the actuation priority logic. The actuation priority logic consists of discrete components and directly causes actuation of field components. The actuation priority logic is a simple circuit that has acceptable reliability to be tested when the irradiation unit (IU) is in Mode 0.

While the TRPS and ESFAS are in normal operation, self-tests run without affecting the performance of the safety function, including its response time. TRPS and ESFAS data communications are designed with error detection to enhance data integrity. The protocol features ensure communications are robust and reliable, with the ability to detect transmission faults. Similar data integrity features are used to transfer diagnostics data. The TRPS and ESFAS provide a means for checking, during normal plant operation, the operational availability of the sense and command feature input sensors relied upon for a safety function.

This capability is provided by one of the following methods:

  • Perturbing the monitored variable
  • Cross-checking between channels that have a known relationship (channel check)
  • Introducing and varying a substitute input to the sensor

The TRPS and ESFAS have redundant gateways which gather the output of the monitoring and indication communications modules (MICMs) for each of the three divisions, as depicted in Figure 7-15-1 Revision 1. The data for each of the three divisions are compared to perform a channel check, and the results are provided to the process integrated control system (PICS).

The TRPS and ESFAS incorporate failure detection and isolation techniques. Fault detection and indication occurs at the module level, which enables plant personnel to identify the module that needs to be replaced. Self-testing will generate an alarm and report a failure to the operator and place the component (e.g., safety function module [SFM]; scheduling, bypass, and voting module [SBVM]; or EIM components) in a fail-safe state.
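The following is an added, illustrative example of the gateway-side channel check described above, together with the fail-safe handling of a frame whose error detection fails. It is not SHINE or NuScale code and does not reproduce the HIPS message format: the 16-byte frame layout, the CRC-32 integrity field, the three division labels A/B/C, the tolerance of 2.0 engineering units and the status vocabulary reported to PICS are all constructed assumptions for the example. A division whose frame fails its integrity check is excluded from the comparison and reported as faulted rather than having a possibly corrupted value compared against its peers.

```python
import struct
import zlib
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

# Constructed, illustrative frame layout for one division's MICM report:
#   4 bytes division label (NUL padded) | 8 bytes little-endian float64 | 4 bytes CRC-32
# The real HIPS message format and error-detection scheme are not on the page;
# CRC-32 stands in here for "protocol features that detect transmission faults".
FRAME_LEN = 16
TOLERANCE = 2.0  # hypothetical channel-check agreement band, engineering units


@dataclass
class DivisionReading:
    division: str
    value: Optional[float]  # None when the frame failed its integrity check
    healthy: bool


def encode_frame(division: str, value: float) -> bytes:
    """Build a frame as a gateway would receive it from one division's MICM."""
    body = division.encode().ljust(4, b"\0") + struct.pack("<d", value)
    return body + struct.pack("<I", zlib.crc32(body))


def decode_frame(frame: bytes) -> DivisionReading:
    """Validate the frame. A detected transmission fault marks the division
    unhealthy instead of letting a corrupted value into the comparison."""
    if len(frame) != FRAME_LEN:
        return DivisionReading("?", None, False)
    body, crc = frame[:12], struct.unpack("<I", frame[12:])[0]
    division = body[:4].rstrip(b"\0").decode("ascii", errors="replace")
    if zlib.crc32(body) != crc:
        return DivisionReading(division, None, False)
    return DivisionReading(division, struct.unpack("<d", body[4:12])[0], True)


def channel_check(readings: List[DivisionReading], tolerance: float = TOLERANCE) -> dict:
    """Compare the healthy divisions' values against their median and report,
    per division, AGREE / DEVIATE / FAULT / UNVERIFIED plus an overall verdict:
      OK                     all divisions healthy and within tolerance
      DEGRADED               a division faulted; the remaining ones agree
      DEVIATION              a healthy division disagrees with the others
      INSUFFICIENT_CHANNELS  fewer than two healthy divisions, no cross-check possible
    With only two healthy divisions a disagreement is flagged on both, because
    the check cannot tell which one is wrong."""
    status = {}
    verdict = "OK"
    good = []
    for r in readings:
        if r.healthy:
            good.append(r)
        else:
            status[r.division] = "FAULT"
    if len(good) < 2:
        for r in good:
            status[r.division] = "UNVERIFIED"
        return {"status": status, "verdict": "INSUFFICIENT_CHANNELS"}
    reference = median(r.value for r in good)
    for r in good:
        if abs(r.value - reference) <= tolerance:
            status[r.division] = "AGREE"
        else:
            status[r.division] = "DEVIATE"
            verdict = "DEVIATION"
    if verdict == "OK" and len(good) < len(readings):
        verdict = "DEGRADED"
    return {"status": status, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: division C reads 4 units high; then its frame is corrupted in transit.
    frames = [encode_frame("A", 100.0), encode_frame("B", 100.5), encode_frame("C", 104.0)]
    print(channel_check([decode_frame(f) for f in frames]))
    damaged = bytearray(frames[2])
    damaged[5] ^= 0xFF  # flip a byte of the value field; the CRC no longer matches
    print(channel_check([decode_frame(frames[0]), decode_frame(frames[1]),
                         decode_frame(bytes(damaged))]))
```

The design point worth noting is the order of checks: integrity first, comparison second. Comparing a corrupted value would let a transmission fault masquerade as a sensor deviation, and the verdict vocabulary keeps "a division is faulted" distinct from "the divisions disagree", which is what the operator needs to decide which module to replace.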

The self-testing features of the HIPS platform are designed, developed, and validated at the same level as the functional logic. The overlapped self-test features of the HIPS platform are integral to the operation of the system and are therefore designed, developed, and validated to the same rigor as the rest of the platform.

The maintenance workstation (MWS) is used to perform modification of configurable variables and setpoints, as well as in-chassis calibration, of TRPS and ESFAS equipment, as described in the SHINE Response to RAI 7-18 (Reference 2). A limitation is placed on the use of the MWS in that an SFM will not receive data from the MWS unless it has been placed out-of-service (OOS), which is further described in the SHINE Response to RAI 7-18.

Diagnostic data for the division of the TRPS and ESFAS are provided to the MWS. Diagnostics data are communicated via the monitoring and indication bus (MIB), which is a physically separate communications path from the safety data path, ensuring the diagnostics functionality is independent of the safety functionality.
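The following is an added, illustrative model of the two constraints in the preceding paragraphs: setpoint writes reach an SFM only over the MIB, only from the MWS, and only while the module is out-of-service, and nothing received on the MIB can otherwise affect the safety data path. It is not SHINE or NuScale code. The class, method names, the "MWS" source label and the audit log are assumptions made for the example; how the division's voting treats an OOS module is addressed in the SHINE Response to RAI 7-18 and is deliberately not modelled here.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class SfmState(Enum):
    IN_SERVICE = "in_service"
    OUT_OF_SERVICE = "out_of_service"


@dataclass
class SafetyFunctionModule:
    """Illustrative model of one SFM (not the HIPS implementation).

    Two entry points model the two physically separate paths: evaluate() is the
    safety data path, handle_mib_write() is the monitoring and indication bus.
    The only MIB message that can change safety behaviour is a setpoint write,
    and it is accepted only from the MWS and only while the module is OOS."""
    setpoint: float
    state: SfmState = SfmState.IN_SERVICE
    audit: List[str] = field(default_factory=list)  # assumed audit trail for the example

    def place_out_of_service(self) -> None:
        self.state = SfmState.OUT_OF_SERVICE
        self.audit.append("placed out of service")

    def return_to_service(self) -> None:
        self.state = SfmState.IN_SERVICE
        self.audit.append("returned to service, setpoint=%g" % self.setpoint)

    def handle_mib_write(self, source: str, new_setpoint: float) -> Tuple[bool, str]:
        """Setpoint write arriving over the MIB. Returns (accepted, reason).
        Both gates are checked before any state is touched."""
        if source != "MWS":
            reason = "rejected: setpoint writes are accepted from the MWS only"
        elif self.state is not SfmState.OUT_OF_SERVICE:
            reason = "rejected: module is in service"
        else:
            self.setpoint = new_setpoint
            reason = "accepted: setpoint=%g" % new_setpoint
        self.audit.append(reason)
        return reason.startswith("accepted"), reason

    def evaluate(self, process_value: float) -> bool:
        """Safety data path: trip when the process value reaches the setpoint.
        This path never reads anything from the MIB."""
        return process_value >= self.setpoint


if __name__ == "__main__":
    sfm = SafetyFunctionModule(setpoint=100.0)
    print(sfm.handle_mib_write("MWS", 90.0))   # rejected: in service
    sfm.place_out_of_service()
    print(sfm.handle_mib_write("PICS", 90.0))  # rejected: wrong source
    print(sfm.handle_mib_write("MWS", 90.0))   # accepted
    sfm.return_to_service()
    print(sfm.evaluate(95.0), sfm.audit)
```

The value of the explicit OOS state is that a configuration change is never silent: it requires a deliberate, auditable transition out of service first, so a setpoint write that arrives while a channel is performing its safety function is refused rather than applied live.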

The description of the self-testing features and use of the MWS described above satisfies Section 5.5.2 and Section 5.5.3 of Institute of Electrical and Electronics Engineers (IEEE) Standard 7-4.3.2-2003, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations (Reference 3), as described in Appendix B of NuScale Power, LLC (NuScale) Topical Report TR-1015-18653, Design of the Highly Integrated Protection System Platform Topical Report (Reference 4).

By complying with these sections of IEEE Standard 7-4.3.2-2003, as described in Appendix B of TR-1015-18653, and incorporating diagnostic and maintenance test features that test from the sensor inputs of the TRPS and ESFAS through to the actuated equipment, the necessary test coverage is provided in the SHINE application of the HIPS platform.

SHINE previously revised Subsection 7.4.5.5 of the FSAR, via Reference 2, to provide additional description of the diagnostic and maintenance features associated with the HIPS platform for the TRPS and ESFAS.


Figure 7-15-1: TRPS and ESFAS Gateway Communications Architecture

References

1. NRC letter to SHINE Medical Technologies, LLC, SHINE Medical Technologies, LLC - Request for Additional Information Related to the Instrumentation and Control Systems (EPID No. L-2019-NEW-0004), dated July 1, 2021 (ML21172A195)

2. SHINE Medical Technologies, LLC letter to the NRC, SHINE Medical Technologies, LLC Application for an Operating License Response to Request for Additional Information, dated August 27, 2021 (ML21239A049)
3. Institute of Electrical and Electronics Engineers, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, IEEE Standard 7-4.3.2-2003, New York, NY
4. NuScale Power, LLC letter to NRC, NuScale Power, LLC Submittal of the Approved Version of NuScale Topical Report TR-1015-18653, Design of the Highly Integrated Protection System Platform, Revision 2 (CAC No. RQ6005), NuScale Power, LLC, September 13, 2017 (ML17256A892)
